Diffstat (limited to 'crypto/krb5/doc/html/admin')
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/index.html24
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/k5srvutil.html32
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/kadmin_local.html102
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/kadmind.html41
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/kdb5_ldap_util.html58
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/kdb5_util.html68
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/kprop.html34
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/kpropd.html36
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/kproplog.html34
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/krb5kdc.html42
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/ktutil.html52
-rw-r--r--crypto/krb5/doc/html/admin/admin_commands/sserver.html34
-rw-r--r--crypto/krb5/doc/html/admin/advanced/index.html24
-rw-r--r--crypto/krb5/doc/html/admin/advanced/retiring-des.html44
-rw-r--r--crypto/krb5/doc/html/admin/appl_servers.html38
-rw-r--r--crypto/krb5/doc/html/admin/auth_indicator.html24
-rw-r--r--crypto/krb5/doc/html/admin/backup_host.html26
-rw-r--r--crypto/krb5/doc/html/admin/conf_files/index.html26
-rw-r--r--crypto/krb5/doc/html/admin/conf_files/kadm5_acl.html38
-rw-r--r--crypto/krb5/doc/html/admin/conf_files/kdc_conf.html149
-rw-r--r--crypto/krb5/doc/html/admin/conf_files/krb5_conf.html156
-rw-r--r--crypto/krb5/doc/html/admin/conf_ldap.html31
-rw-r--r--crypto/krb5/doc/html/admin/database.html60
-rw-r--r--crypto/krb5/doc/html/admin/dbtypes.html30
-rw-r--r--crypto/krb5/doc/html/admin/dictionary.html24
-rw-r--r--crypto/krb5/doc/html/admin/enctypes.html42
-rw-r--r--crypto/krb5/doc/html/admin/env_variables.html24
-rw-r--r--crypto/krb5/doc/html/admin/host_config.html36
-rw-r--r--crypto/krb5/doc/html/admin/https.html26
-rw-r--r--crypto/krb5/doc/html/admin/index.html24
-rw-r--r--crypto/krb5/doc/html/admin/install.html28
-rw-r--r--crypto/krb5/doc/html/admin/install_appl_srv.html28
-rw-r--r--crypto/krb5/doc/html/admin/install_clients.html26
-rw-r--r--crypto/krb5/doc/html/admin/install_kdc.html56
-rw-r--r--crypto/krb5/doc/html/admin/lockout.html36
-rw-r--r--crypto/krb5/doc/html/admin/otp.html40
-rw-r--r--crypto/krb5/doc/html/admin/pkinit.html40
-rw-r--r--crypto/krb5/doc/html/admin/princ_dns.html40
-rw-r--r--crypto/krb5/doc/html/admin/realm_config.html50
-rw-r--r--crypto/krb5/doc/html/admin/spake.html24
-rw-r--r--crypto/krb5/doc/html/admin/troubleshoot.html44
-rw-r--r--crypto/krb5/doc/html/admin/various_envs.html30
42 files changed, 887 insertions, 934 deletions
diff --git a/crypto/krb5/doc/html/admin/admin_commands/index.html b/crypto/krb5/doc/html/admin/admin_commands/index.html
index 42935051839f..43ebdc628847 100644
--- a/crypto/krb5/doc/html/admin/admin_commands/index.html
+++ b/crypto/krb5/doc/html/admin/admin_commands/index.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Administration programs &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="administration-programs">
-<h1>Administration programs<a class="headerlink" href="#administration-programs" title="Permalink to this headline">¶</a></h1>
+<h1>Administration programs<a class="headerlink" href="#administration-programs" title="Link to this heading">¶</a></h1>
<div class="toctree-wrapper compound">
<ul>
<li class="toctree-l1"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
@@ -156,8 +154,8 @@
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/admin_commands/k5srvutil.html b/crypto/krb5/doc/html/admin/admin_commands/k5srvutil.html
index e2e3bc5f54d1..5ee67e70c4d4 100644
--- a/crypto/krb5/doc/html/admin/admin_commands/k5srvutil.html
+++ b/crypto/krb5/doc/html/admin/admin_commands/k5srvutil.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>k5srvutil &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
@@ -53,16 +51,16 @@
<div class="body" role="main">
<section id="k5srvutil">
-<span id="k5srvutil-1"></span><h1>k5srvutil<a class="headerlink" href="#k5srvutil" title="Permalink to this headline">¶</a></h1>
+<span id="k5srvutil-1"></span><h1>k5srvutil<a class="headerlink" href="#k5srvutil" title="Link to this heading">¶</a></h1>
<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
<p><strong>k5srvutil</strong> <em>operation</em>
[<strong>-i</strong>]
[<strong>-f</strong> <em>filename</em>]
[<strong>-e</strong> <em>keysalts</em>]</p>
</section>
<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
<p>k5srvutil allows an administrator to list keys currently in
a keytab, to obtain new keys for a principal currently in a keytab,
or to delete non-current keys from a keytab.</p>
@@ -100,12 +98,12 @@ the <strong>-f</strong> option.</p>
place.</p>
</section>
<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
variables.</p>
</section>
<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="ktutil.html#ktutil-1"><span class="std std-ref">ktutil</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</section>
</section>
@@ -201,8 +199,8 @@ variables.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/admin_commands/kadmin_local.html b/crypto/krb5/doc/html/admin/admin_commands/kadmin_local.html
index 1b6e42b31ac4..b0545f3426a5 100644
--- a/crypto/krb5/doc/html/admin/admin_commands/kadmin_local.html
+++ b/crypto/krb5/doc/html/admin/admin_commands/kadmin_local.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>kadmin &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
@@ -53,9 +51,9 @@
<div class="body" role="main">
<section id="kadmin">
-<span id="kadmin-1"></span><h1>kadmin<a class="headerlink" href="#kadmin" title="Permalink to this headline">¶</a></h1>
+<span id="kadmin-1"></span><h1>kadmin<a class="headerlink" href="#kadmin" title="Link to this heading">¶</a></h1>
<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
<p id="kadmin-synopsis"><strong>kadmin</strong>
[<strong>-O</strong>|<strong>-N</strong>]
[<strong>-r</strong> <em>realm</em>]
@@ -76,7 +74,7 @@
[command args…]</p>
</section>
<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
<p>kadmin and kadmin.local are command-line interfaces to the Kerberos V5
administration system. They provide nearly identical functionalities;
the difference is that kadmin.local directly accesses the KDC
@@ -101,7 +99,7 @@ the KDC database. If the KDC database uses the LDAP database module,
kadmin.local can be run on any host which can access the LDAP server.</p>
</section>
<section id="options">
-<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
+<h2>OPTIONS<a class="headerlink" href="#options" title="Link to this heading">¶</a></h2>
<dl class="simple" id="kadmin-options">
<dt><strong>-r</strong> <em>realm</em></dt><dd><p>Use <em>realm</em> as the default database realm.</p>
</dd>
@@ -185,7 +183,7 @@ option cannot be used in combination with a query in the remaining
arguments.</p>
</section>
<section id="database-options">
-<span id="dboptions"></span><h2>DATABASE OPTIONS<a class="headerlink" href="#database-options" title="Permalink to this headline">¶</a></h2>
+<span id="dboptions"></span><h2>DATABASE OPTIONS<a class="headerlink" href="#database-options" title="Link to this heading">¶</a></h2>
<p>Database options can be used to override database-specific defaults.
Supported options for the DB2 module are:</p>
<blockquote>
@@ -241,12 +239,12 @@ are printed to standard error. New in release 1.12.</p>
</div></blockquote>
</section>
<section id="commands">
-<h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2>
+<h2>COMMANDS<a class="headerlink" href="#commands" title="Link to this heading">¶</a></h2>
<p>When using the remote client, available commands may be restricted
according to the privileges specified in the <a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a> file
on the admin server.</p>
<section id="add-principal">
-<span id="id1"></span><h3>add_principal<a class="headerlink" href="#add-principal" title="Permalink to this headline">¶</a></h3>
+<span id="id1"></span><h3>add_principal<a class="headerlink" href="#add-principal" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>add_principal</strong> [<em>options</em>] <em>newprinc</em></p>
</div></blockquote>
@@ -408,7 +406,7 @@ principal container configured in the realm.</p></li>
</div>
</section>
<section id="modify-principal">
-<span id="id2"></span><h3>modify_principal<a class="headerlink" href="#modify-principal" title="Permalink to this headline">¶</a></h3>
+<span id="id2"></span><h3>modify_principal<a class="headerlink" href="#modify-principal" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>modify_principal</strong> [<em>options</em>] <em>principal</em></p>
</div></blockquote>
@@ -427,7 +425,7 @@ to its password policy) so that it can successfully authenticate.</p>
</dl>
</section>
<section id="rename-principal">
-<span id="id3"></span><h3>rename_principal<a class="headerlink" href="#rename-principal" title="Permalink to this headline">¶</a></h3>
+<span id="id3"></span><h3>rename_principal<a class="headerlink" href="#rename-principal" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>rename_principal</strong> [<strong>-force</strong>] <em>old_principal</em> <em>new_principal</em></p>
</div></blockquote>
@@ -437,18 +435,31 @@ given.</p>
<p>This command requires the <strong>add</strong> and <strong>delete</strong> privileges.</p>
<p>Alias: <strong>renprinc</strong></p>
</section>
+<section id="add-alias">
+<span id="id4"></span><h3>add_alias<a class="headerlink" href="#add-alias" title="Link to this heading">¶</a></h3>
+<blockquote>
+<div><p><strong>add_alias</strong> <em>alias_princ</em> <em>target_princ</em></p>
+</div></blockquote>
+<p>Create an alias <em>alias_princ</em> pointing to <em>target_princ</em>. Aliases may
+be chained (that is, <em>target_princ</em> may itself be an alias) up to a
+depth of 10.</p>
+<p>This command requires the <strong>add</strong> privilege for <em>alias_princ</em> and the
+<strong>modify</strong> privilege for <em>target_princ</em>.</p>
+<p>(New in release 1.22.)</p>
+<p>Aliases: <strong>alias</strong></p>
+</section>
<section id="delete-principal">
-<span id="id4"></span><h3>delete_principal<a class="headerlink" href="#delete-principal" title="Permalink to this headline">¶</a></h3>
+<span id="id5"></span><h3>delete_principal<a class="headerlink" href="#delete-principal" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>delete_principal</strong> [<strong>-force</strong>] <em>principal</em></p>
</div></blockquote>
-<p>Deletes the specified <em>principal</em> from the database. This command
-prompts for deletion, unless the <strong>-force</strong> option is given.</p>
+<p>Deletes the specified <em>principal</em> or alias from the database. This
+command prompts for deletion, unless the <strong>-force</strong> option is given.</p>
<p>This command requires the <strong>delete</strong> privilege.</p>
<p>Alias: <strong>delprinc</strong></p>
</section>
<section id="change-password">
-<span id="id5"></span><h3>change_password<a class="headerlink" href="#change-password" title="Permalink to this headline">¶</a></h3>
+<span id="id6"></span><h3>change_password<a class="headerlink" href="#change-password" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>change_password</strong> [<em>options</em>] <em>principal</em></p>
</div></blockquote>
@@ -484,7 +495,7 @@ necessary except perhaps for <code class="docutils literal notranslate"><span cl
</div>
</section>
<section id="purgekeys">
-<span id="id6"></span><h3>purgekeys<a class="headerlink" href="#purgekeys" title="Permalink to this headline">¶</a></h3>
+<span id="id7"></span><h3>purgekeys<a class="headerlink" href="#purgekeys" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>purgekeys</strong> [<strong>-all</strong>|<strong>-keepkvno</strong> <em>oldest_kvno_to_keep</em>] <em>principal</em></p>
</div></blockquote>
@@ -496,7 +507,7 @@ is new in release 1.12.</p>
<p>This command requires the <strong>modify</strong> privilege.</p>
</section>
<section id="get-principal">
-<span id="id7"></span><h3>get_principal<a class="headerlink" href="#get-principal" title="Permalink to this headline">¶</a></h3>
+<span id="id8"></span><h3>get_principal<a class="headerlink" href="#get-principal" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>get_principal</strong> [<strong>-terse</strong>] <em>principal</em></p>
</div></blockquote>
@@ -532,7 +543,7 @@ running the the program to be the same as the one being listed.</p>
</div>
</section>
<section id="list-principals">
-<span id="id8"></span><h3>list_principals<a class="headerlink" href="#list-principals" title="Permalink to this headline">¶</a></h3>
+<span id="id9"></span><h3>list_principals<a class="headerlink" href="#list-principals" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>list_principals</strong> [<em>expression</em>]</p>
</div></blockquote>
@@ -556,7 +567,7 @@ expression.</p>
</div>
</section>
<section id="get-strings">
-<span id="id9"></span><h3>get_strings<a class="headerlink" href="#get-strings" title="Permalink to this headline">¶</a></h3>
+<span id="id10"></span><h3>get_strings<a class="headerlink" href="#get-strings" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>get_strings</strong> <em>principal</em></p>
</div></blockquote>
@@ -565,7 +576,7 @@ expression.</p>
<p>Alias: <strong>getstrs</strong></p>
</section>
<section id="set-string">
-<span id="id10"></span><h3>set_string<a class="headerlink" href="#set-string" title="Permalink to this headline">¶</a></h3>
+<span id="id11"></span><h3>set_string<a class="headerlink" href="#set-string" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>set_string</strong> <em>principal</em> <em>name</em> <em>value</em></p>
</div></blockquote>
@@ -612,7 +623,7 @@ entry.</p>
</div>
</section>
<section id="del-string">
-<span id="id11"></span><h3>del_string<a class="headerlink" href="#del-string" title="Permalink to this headline">¶</a></h3>
+<span id="id12"></span><h3>del_string<a class="headerlink" href="#del-string" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>del_string</strong> <em>principal</em> <em>key</em></p>
</div></blockquote>
@@ -621,7 +632,7 @@ entry.</p>
<p>Alias: <strong>delstr</strong></p>
</section>
<section id="add-policy">
-<span id="id12"></span><h3>add_policy<a class="headerlink" href="#add-policy" title="Permalink to this headline">¶</a></h3>
+<span id="id13"></span><h3>add_policy<a class="headerlink" href="#add-policy" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>add_policy</strong> [<em>options</em>] <em>policy</em></p>
</div></blockquote>
@@ -685,7 +696,7 @@ a value of ‘-‘.</p>
</div>
</section>
<section id="modify-policy">
-<span id="id13"></span><h3>modify_policy<a class="headerlink" href="#modify-policy" title="Permalink to this headline">¶</a></h3>
+<span id="id14"></span><h3>modify_policy<a class="headerlink" href="#modify-policy" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>modify_policy</strong> [<em>options</em>] <em>policy</em></p>
</div></blockquote>
@@ -695,7 +706,7 @@ for <strong>add_policy</strong>.</p>
<p>Alias: <strong>modpol</strong></p>
</section>
<section id="delete-policy">
-<span id="id14"></span><h3>delete_policy<a class="headerlink" href="#delete-policy" title="Permalink to this headline">¶</a></h3>
+<span id="id15"></span><h3>delete_policy<a class="headerlink" href="#delete-policy" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>delete_policy</strong> [<strong>-force</strong>] <em>policy</em></p>
</div></blockquote>
@@ -713,7 +724,7 @@ kadmin:
</div>
</section>
<section id="get-policy">
-<span id="id15"></span><h3>get_policy<a class="headerlink" href="#get-policy" title="Permalink to this headline">¶</a></h3>
+<span id="id16"></span><h3>get_policy<a class="headerlink" href="#get-policy" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>get_policy</strong> [ <strong>-terse</strong> ] <em>policy</em></p>
</div></blockquote>
@@ -742,7 +753,7 @@ With the LDAP KDC database module, the reference count field is not
meaningful.</p>
</section>
<section id="list-policies">
-<span id="id16"></span><h3>list_policies<a class="headerlink" href="#list-policies" title="Permalink to this headline">¶</a></h3>
+<span id="id17"></span><h3>list_policies<a class="headerlink" href="#list-policies" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>list_policies</strong> [<em>expression</em>]</p>
</div></blockquote>
@@ -768,7 +779,7 @@ printed.</p>
</div>
</section>
<section id="ktadd">
-<span id="id17"></span><h3>ktadd<a class="headerlink" href="#ktadd" title="Permalink to this headline">¶</a></h3>
+<span id="id18"></span><h3>ktadd<a class="headerlink" href="#ktadd" title="Link to this heading">¶</a></h3>
<blockquote>
<div><div class="line-block">
<div class="line"><strong>ktadd</strong> [options] <em>principal</em></div>
@@ -811,7 +822,7 @@ salt types.</p>
</div>
</section>
<section id="ktremove">
-<span id="id18"></span><h3>ktremove<a class="headerlink" href="#ktremove" title="Permalink to this headline">¶</a></h3>
+<span id="id19"></span><h3>ktremove<a class="headerlink" href="#ktremove" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>ktremove</strong> [options] <em>principal</em> [<em>kvno</em> | <em>all</em> | <em>old</em>]</p>
</div></blockquote>
@@ -840,37 +851,37 @@ used.</p>
</div>
</section>
<section id="lock">
-<h3>lock<a class="headerlink" href="#lock" title="Permalink to this headline">¶</a></h3>
+<h3>lock<a class="headerlink" href="#lock" title="Link to this heading">¶</a></h3>
<p>Lock database exclusively. Use with extreme caution! This command
only works with the DB2 KDC database module.</p>
</section>
<section id="unlock">
-<h3>unlock<a class="headerlink" href="#unlock" title="Permalink to this headline">¶</a></h3>
+<h3>unlock<a class="headerlink" href="#unlock" title="Link to this heading">¶</a></h3>
<p>Release the exclusive database lock.</p>
</section>
<section id="list-requests">
-<h3>list_requests<a class="headerlink" href="#list-requests" title="Permalink to this headline">¶</a></h3>
+<h3>list_requests<a class="headerlink" href="#list-requests" title="Link to this heading">¶</a></h3>
<p>Lists available for kadmin requests.</p>
<p>Aliases: <strong>lr</strong>, <strong>?</strong></p>
</section>
<section id="quit">
-<h3>quit<a class="headerlink" href="#quit" title="Permalink to this headline">¶</a></h3>
+<h3>quit<a class="headerlink" href="#quit" title="Link to this heading">¶</a></h3>
<p>Exit program. If the database was locked, the lock is released.</p>
<p>Aliases: <strong>exit</strong>, <strong>q</strong></p>
</section>
</section>
<section id="history">
-<h2>HISTORY<a class="headerlink" href="#history" title="Permalink to this headline">¶</a></h2>
+<h2>HISTORY<a class="headerlink" href="#history" title="Link to this heading">¶</a></h2>
<p>The kadmin program was originally written by Tom Yu at MIT, as an
interface to the OpenVision Kerberos administration program.</p>
</section>
<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
variables.</p>
</section>
<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
<p><a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>, <a class="reference internal" href="kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</section>
</section>
@@ -894,6 +905,7 @@ variables.</p>
<li><a class="reference internal" href="#add-principal">add_principal</a></li>
<li><a class="reference internal" href="#modify-principal">modify_principal</a></li>
<li><a class="reference internal" href="#rename-principal">rename_principal</a></li>
+<li><a class="reference internal" href="#add-alias">add_alias</a></li>
<li><a class="reference internal" href="#delete-principal">delete_principal</a></li>
<li><a class="reference internal" href="#change-password">change_password</a></li>
<li><a class="reference internal" href="#purgekeys">purgekeys</a></li>
@@ -994,8 +1006,8 @@ variables.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/admin_commands/kadmind.html b/crypto/krb5/doc/html/admin/admin_commands/kadmind.html
index 66b384d775c4..d43a7f3ddcd3 100644
--- a/crypto/krb5/doc/html/admin/admin_commands/kadmind.html
+++ b/crypto/krb5/doc/html/admin/admin_commands/kadmind.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>kadmind &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
@@ -53,9 +51,9 @@
<div class="body" role="main">
<section id="kadmind">
-<span id="kadmind-8"></span><h1>kadmind<a class="headerlink" href="#kadmind" title="Permalink to this headline">¶</a></h1>
+<span id="kadmind-8"></span><h1>kadmind<a class="headerlink" href="#kadmind" title="Link to this heading">¶</a></h1>
<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
<p><strong>kadmind</strong>
[<strong>-x</strong> <em>db_args</em>]
[<strong>-r</strong> <em>realm</em>]
@@ -70,7 +68,7 @@
[<strong>-F</strong> <em>dump_file</em>]</p>
</section>
<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
<p>kadmind starts the Kerberos administration server. kadmind typically
runs on the primary Kerberos server, which stores the KDC database.
If the KDC database uses the LDAP module, the administration server
@@ -105,7 +103,7 @@ name). In release 1.13, this principal is automatically created and
registered into the datebase.</p>
</section>
<section id="options">
-<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
+<h2>OPTIONS<a class="headerlink" href="#options" title="Link to this heading">¶</a></h2>
<dl class="simple">
<dt><strong>-r</strong> <em>realm</em></dt><dd><p>specifies the realm that kadmind will serve; if it is not
specified, the default realm of the host is used.</p>
@@ -150,12 +148,19 @@ to full resync requests when iprop is enabled.</p>
</dl>
</section>
<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
variables.</p>
+<p>As of release 1.22, kadmind supports systemd socket activation via the
+LISTEN_PID and LISTEN_FDS environment variables. Sockets provided by
+the caller must correspond to configured listener addresses (via the
+<strong>kadmind_listen</strong> or <strong>kpasswd_listen</strong> variables or equivalents) or
+they will be ignored. Any configured listener addresses that do not
+correspond to caller-provided sockets will be ignored if socket
+activation is used.</p>
</section>
<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
<p><a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>, <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>,
<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a>, <a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</section>
@@ -253,8 +258,8 @@ variables.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/admin_commands/kdb5_ldap_util.html b/crypto/krb5/doc/html/admin/admin_commands/kdb5_ldap_util.html
index 7b6321b5b8d9..09765e3e4991 100644
--- a/crypto/krb5/doc/html/admin/admin_commands/kdb5_ldap_util.html
+++ b/crypto/krb5/doc/html/admin/admin_commands/kdb5_ldap_util.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>kdb5_ldap_util &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
@@ -53,9 +51,9 @@
<div class="body" role="main">
<section id="kdb5-ldap-util">
-<span id="kdb5-ldap-util-8"></span><h1>kdb5_ldap_util<a class="headerlink" href="#kdb5-ldap-util" title="Permalink to this headline">¶</a></h1>
+<span id="kdb5-ldap-util-8"></span><h1>kdb5_ldap_util<a class="headerlink" href="#kdb5-ldap-util" title="Link to this heading">¶</a></h1>
<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
<p id="kdb5-ldap-util-synopsis"><strong>kdb5_ldap_util</strong>
[<strong>-D</strong> <em>user_dn</em> [<strong>-w</strong> <em>passwd</em>]]
[<strong>-H</strong> <em>ldapuri</em>]
@@ -63,12 +61,12 @@
[<em>command_options</em>]</p>
</section>
<section id="description">
-<span id="kdb5-ldap-util-synopsis-end"></span><h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<span id="kdb5-ldap-util-synopsis-end"></span><h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
<p>kdb5_ldap_util allows an administrator to manage realms, Kerberos
services and ticket policies.</p>
</section>
<section id="command-line-options">
-<h2>COMMAND-LINE OPTIONS<a class="headerlink" href="#command-line-options" title="Permalink to this headline">¶</a></h2>
+<h2>COMMAND-LINE OPTIONS<a class="headerlink" href="#command-line-options" title="Link to this heading">¶</a></h2>
<dl class="simple" id="kdb5-ldap-util-options">
<dt><strong>-r</strong> <em>realm</em></dt><dd><p>Specifies the realm to be operated on.</p>
</dd>
@@ -87,9 +85,9 @@ server in the same manner as :ref:kadmind(8)` would given the
parameters in <a class="reference internal" href="../conf_files/kdc_conf.html#dbdefaults"><span class="std std-ref">[dbdefaults]</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
</section>
<section id="commands">
-<span id="kdb5-ldap-util-options-end"></span><h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2>
+<span id="kdb5-ldap-util-options-end"></span><h2>COMMANDS<a class="headerlink" href="#commands" title="Link to this heading">¶</a></h2>
<section id="create">
-<h3>create<a class="headerlink" href="#create" title="Permalink to this headline">¶</a></h3>
+<h3>create<a class="headerlink" href="#create" title="Link to this heading">¶</a></h3>
<blockquote id="kdb5-ldap-util-create">
<div><p><strong>create</strong>
[<strong>-subtrees</strong> <em>subtree_dn_list</em>]
@@ -164,7 +162,7 @@ documented in the description of the <strong>add_principal</strong> command in
</div>
</section>
<section id="modify">
-<span id="kdb5-ldap-util-create-end"></span><h3>modify<a class="headerlink" href="#modify" title="Permalink to this headline">¶</a></h3>
+<span id="kdb5-ldap-util-create-end"></span><h3>modify<a class="headerlink" href="#modify" title="Link to this heading">¶</a></h3>
<blockquote id="kdb5-ldap-util-modify">
<div><p><strong>modify</strong>
[<strong>-subtrees</strong> <em>subtree_dn_list</em>]
@@ -207,7 +205,7 @@ documented in the description of the <strong>add_principal</strong> command in
</div>
</section>
<section id="view">
-<span id="kdb5-ldap-util-modify-end"></span><h3>view<a class="headerlink" href="#view" title="Permalink to this headline">¶</a></h3>
+<span id="kdb5-ldap-util-modify-end"></span><h3>view<a class="headerlink" href="#view" title="Link to this heading">¶</a></h3>
<blockquote id="kdb5-ldap-util-view">
<div><p><strong>view</strong></p>
</div></blockquote>
@@ -227,7 +225,7 @@ documented in the description of the <strong>add_principal</strong> command in
</div>
</section>
<section id="destroy">
-<span id="kdb5-ldap-util-view-end"></span><h3>destroy<a class="headerlink" href="#destroy" title="Permalink to this headline">¶</a></h3>
+<span id="kdb5-ldap-util-view-end"></span><h3>destroy<a class="headerlink" href="#destroy" title="Link to this heading">¶</a></h3>
<blockquote id="kdb5-ldap-util-destroy">
<div><p><strong>destroy</strong> [<strong>-f</strong>]</p>
</div></blockquote>
@@ -248,7 +246,7 @@ shell%
</div>
</section>
<section id="list">
-<span id="kdb5-ldap-util-destroy-end"></span><h3>list<a class="headerlink" href="#list" title="Permalink to this headline">¶</a></h3>
+<span id="kdb5-ldap-util-destroy-end"></span><h3>list<a class="headerlink" href="#list" title="Link to this heading">¶</a></h3>
<blockquote id="kdb5-ldap-util-list">
<div><p><strong>list</strong></p>
</div></blockquote>
@@ -265,7 +263,7 @@ shell%
</div>
</section>
<section id="stashsrvpw">
-<span id="kdb5-ldap-util-list-end"></span><h3>stashsrvpw<a class="headerlink" href="#stashsrvpw" title="Permalink to this headline">¶</a></h3>
+<span id="kdb5-ldap-util-list-end"></span><h3>stashsrvpw<a class="headerlink" href="#stashsrvpw" title="Link to this heading">¶</a></h3>
<blockquote id="kdb5-ldap-util-stashsrvpw">
<div><p><strong>stashsrvpw</strong>
[<strong>-f</strong> <em>filename</em>]
@@ -297,7 +295,7 @@ name it will use as given by the <strong>ldap_kdc_sasl_authcid</strong> or
</div>
</section>
<section id="create-policy">
-<span id="kdb5-ldap-util-stashsrvpw-end"></span><h3>create_policy<a class="headerlink" href="#create-policy" title="Permalink to this headline">¶</a></h3>
+<span id="kdb5-ldap-util-stashsrvpw-end"></span><h3>create_policy<a class="headerlink" href="#create-policy" title="Link to this heading">¶</a></h3>
<blockquote id="kdb5-ldap-util-create-policy">
<div><p><strong>create_policy</strong>
[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
@@ -331,7 +329,7 @@ command in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span
</div>
</section>
<section id="modify-policy">
-<span id="kdb5-ldap-util-create-policy-end"></span><h3>modify_policy<a class="headerlink" href="#modify-policy" title="Permalink to this headline">¶</a></h3>
+<span id="kdb5-ldap-util-create-policy-end"></span><h3>modify_policy<a class="headerlink" href="#modify-policy" title="Link to this heading">¶</a></h3>
<blockquote id="kdb5-ldap-util-modify-policy">
<div><p><strong>modify_policy</strong>
[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
@@ -351,7 +349,7 @@ command in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span
</div>
</section>
<section id="view-policy">
-<span id="kdb5-ldap-util-modify-policy-end"></span><h3>view_policy<a class="headerlink" href="#view-policy" title="Permalink to this headline">¶</a></h3>
+<span id="kdb5-ldap-util-modify-policy-end"></span><h3>view_policy<a class="headerlink" href="#view-policy" title="Link to this heading">¶</a></h3>
<blockquote id="kdb5-ldap-util-view-policy">
<div><p><strong>view_policy</strong>
<em>policy_name</em></p>
@@ -369,7 +367,7 @@ command in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span
</div>
</section>
<section id="destroy-policy">
-<span id="kdb5-ldap-util-view-policy-end"></span><h3>destroy_policy<a class="headerlink" href="#destroy-policy" title="Permalink to this headline">¶</a></h3>
+<span id="kdb5-ldap-util-view-policy-end"></span><h3>destroy_policy<a class="headerlink" href="#destroy-policy" title="Link to this heading">¶</a></h3>
<blockquote id="kdb5-ldap-util-destroy-policy">
<div><p><strong>destroy_policy</strong>
[<strong>-force</strong>]
@@ -394,7 +392,7 @@ This will delete the policy object &#39;tktpolicy&#39;, are you sure?
</div>
</section>
<section id="list-policy">
-<span id="kdb5-ldap-util-destroy-policy-end"></span><h3>list_policy<a class="headerlink" href="#list-policy" title="Permalink to this headline">¶</a></h3>
+<span id="kdb5-ldap-util-destroy-policy-end"></span><h3>list_policy<a class="headerlink" href="#list-policy" title="Link to this heading">¶</a></h3>
<blockquote id="kdb5-ldap-util-list-policy">
<div><p><strong>list_policy</strong></p>
</div></blockquote>
@@ -411,12 +409,12 @@ This will delete the policy object &#39;tktpolicy&#39;, are you sure?
</section>
</section>
<section id="environment">
-<span id="kdb5-ldap-util-list-policy-end"></span><h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<span id="kdb5-ldap-util-list-policy-end"></span><h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
variables.</p>
</section>
<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</section>
</section>
@@ -527,8 +525,8 @@ variables.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/admin_commands/kdb5_util.html b/crypto/krb5/doc/html/admin/admin_commands/kdb5_util.html
index eb50fcd78b51..6b894aba1765 100644
--- a/crypto/krb5/doc/html/admin/admin_commands/kdb5_util.html
+++ b/crypto/krb5/doc/html/admin/admin_commands/kdb5_util.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>kdb5_util &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
@@ -53,9 +51,9 @@
<div class="body" role="main">
<section id="kdb5-util">
-<span id="kdb5-util-8"></span><h1>kdb5_util<a class="headerlink" href="#kdb5-util" title="Permalink to this headline">¶</a></h1>
+<span id="kdb5-util-8"></span><h1>kdb5_util<a class="headerlink" href="#kdb5-util" title="Link to this heading">¶</a></h1>
<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
<p id="kdb5-util-synopsis"><strong>kdb5_util</strong>
[<strong>-r</strong> <em>realm</em>]
[<strong>-d</strong> <em>dbname</em>]
@@ -69,7 +67,7 @@
<em>command</em> [<em>command_options</em>]</p>
</section>
<section id="description">
-<span id="kdb5-util-synopsis-end"></span><h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<span id="kdb5-util-synopsis-end"></span><h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
<p>kdb5_util allows an administrator to perform maintenance procedures on
the KDC database. Databases can be created, destroyed, and dumped to
or loaded from ASCII files. kdb5_util can create a Kerberos master
@@ -82,7 +80,7 @@ may not exist yet or the stash file may be corrupt.</p>
commands.</p>
</section>
<section id="command-line-options">
-<h2>COMMAND-LINE OPTIONS<a class="headerlink" href="#command-line-options" title="Permalink to this headline">¶</a></h2>
+<h2>COMMAND-LINE OPTIONS<a class="headerlink" href="#command-line-options" title="Link to this heading">¶</a></h2>
<dl class="simple" id="kdb5-util-options">
<dt><strong>-r</strong> <em>realm</em></dt><dd><p>specifies the Kerberos realm of the database.</p>
</dd>
@@ -119,9 +117,9 @@ supported options.</p>
</dl>
</section>
<section id="commands">
-<span id="kdb5-util-options-end"></span><h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2>
+<span id="kdb5-util-options-end"></span><h2>COMMANDS<a class="headerlink" href="#commands" title="Link to this heading">¶</a></h2>
<section id="create">
-<h3>create<a class="headerlink" href="#create" title="Permalink to this headline">¶</a></h3>
+<h3>create<a class="headerlink" href="#create" title="Link to this heading">¶</a></h3>
<blockquote id="kdb5-util-create">
<div><p><strong>create</strong> [<strong>-s</strong>]</p>
</div></blockquote>
@@ -131,7 +129,7 @@ exists. If the command is successful, the database is opened just as
if it had already existed when the program was first run.</p>
</section>
<section id="destroy">
-<span id="kdb5-util-create-end"></span><h3>destroy<a class="headerlink" href="#destroy" title="Permalink to this headline">¶</a></h3>
+<span id="kdb5-util-create-end"></span><h3>destroy<a class="headerlink" href="#destroy" title="Link to this heading">¶</a></h3>
<blockquote id="kdb5-util-destroy">
<div><p><strong>destroy</strong> [<strong>-f</strong>]</p>
</div></blockquote>
@@ -140,7 +138,7 @@ unlinking the files, after prompting the user for confirmation. With
the <strong>-f</strong> argument, does not prompt the user.</p>
</section>
<section id="stash">
-<span id="kdb5-util-destroy-end"></span><h3>stash<a class="headerlink" href="#stash" title="Permalink to this headline">¶</a></h3>
+<span id="kdb5-util-destroy-end"></span><h3>stash<a class="headerlink" href="#stash" title="Link to this heading">¶</a></h3>
<blockquote id="kdb5-util-stash">
<div><p><strong>stash</strong> [<strong>-f</strong> <em>keyfile</em>]</p>
</div></blockquote>
@@ -149,7 +147,7 @@ argument can be used to override the <em>keyfile</em> specified in
<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
</section>
<section id="dump">
-<span id="kdb5-util-stash-end"></span><h3>dump<a class="headerlink" href="#dump" title="Permalink to this headline">¶</a></h3>
+<span id="kdb5-util-stash-end"></span><h3>dump<a class="headerlink" href="#dump" title="Link to this heading">¶</a></h3>
<blockquote id="kdb5-util-dump">
<div><p><strong>dump</strong> [<strong>-b7</strong>|<strong>-r13</strong>|<strong>-r18</strong>]
[<strong>-verbose</strong>] [<strong>-mkey_convert</strong>] [<strong>-new_mkey_file</strong>
@@ -204,7 +202,7 @@ doing a normal dump instead of a recursive traversal.</p>
</dl>
</section>
<section id="load">
-<span id="kdb5-util-dump-end"></span><h3>load<a class="headerlink" href="#load" title="Permalink to this headline">¶</a></h3>
+<span id="kdb5-util-dump-end"></span><h3>load<a class="headerlink" href="#load" title="Link to this heading">¶</a></h3>
<blockquote id="kdb5-util-load">
<div><p><strong>load</strong> [<strong>-b7</strong>|<strong>-r13</strong>|<strong>-r18</strong>] [<strong>-hash</strong>]
[<strong>-verbose</strong>] [<strong>-update</strong>] <em>filename</em></p>
@@ -247,7 +245,7 @@ completion.</p>
</dl>
</section>
<section id="ark">
-<span id="kdb5-util-load-end"></span><h3>ark<a class="headerlink" href="#ark" title="Permalink to this headline">¶</a></h3>
+<span id="kdb5-util-load-end"></span><h3>ark<a class="headerlink" href="#ark" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>ark</strong> [<strong>-e</strong> <em>enc</em>:<em>salt</em>,…] <em>principal</em></p>
</div></blockquote>
@@ -257,7 +255,7 @@ preserved. The <strong>-e</strong> option specifies the list of encryption and
salt types to be used for the new keys.</p>
</section>
<section id="add-mkey">
-<h3>add_mkey<a class="headerlink" href="#add-mkey" title="Permalink to this headline">¶</a></h3>
+<h3>add_mkey<a class="headerlink" href="#add-mkey" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>add_mkey</strong> [<strong>-e</strong> <em>etype</em>] [<strong>-s</strong>]</p>
</div></blockquote>
@@ -274,7 +272,7 @@ kdb5_util <strong>stash</strong> command. Once those steps are complete, the ke
is ready to be marked active with the kdb5_util <strong>use_mkey</strong> command.</p>
</section>
<section id="use-mkey">
-<h3>use_mkey<a class="headerlink" href="#use-mkey" title="Permalink to this headline">¶</a></h3>
+<h3>use_mkey<a class="headerlink" href="#use-mkey" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>use_mkey</strong> <em>mkeyVNO</em> [<em>time</em>]</p>
</div></blockquote>
@@ -288,7 +286,7 @@ active immediately. The format for <em>time</em> is <a class="reference interna
principal keys to be encrypted in the new master key.</p>
</section>
<section id="list-mkeys">
-<h3>list_mkeys<a class="headerlink" href="#list-mkeys" title="Permalink to this headline">¶</a></h3>
+<h3>list_mkeys<a class="headerlink" href="#list-mkeys" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>list_mkeys</strong></p>
</div></blockquote>
@@ -298,7 +296,7 @@ each mkey, similar to the output of <a class="reference internal" href="kadmin_l
<code class="docutils literal notranslate"><span class="pre">*</span></code> following an mkey denotes the currently active master key.</p>
</section>
<section id="purge-mkeys">
-<h3>purge_mkeys<a class="headerlink" href="#purge-mkeys" title="Permalink to this headline">¶</a></h3>
+<h3>purge_mkeys<a class="headerlink" href="#purge-mkeys" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>purge_mkeys</strong> [<strong>-f</strong>] [<strong>-n</strong>] [<strong>-v</strong>]</p>
</div></blockquote>
@@ -316,7 +314,7 @@ not actually purging any keys.</p>
</dl>
</section>
<section id="update-princ-encryption">
-<h3>update_princ_encryption<a class="headerlink" href="#update-princ-encryption" title="Permalink to this headline">¶</a></h3>
+<h3>update_princ_encryption<a class="headerlink" href="#update-princ-encryption" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>update_princ_encryption</strong> [<strong>-f</strong>] [<strong>-n</strong>] [<strong>-v</strong>]
[<em>princ-pattern</em>]</p>
@@ -332,7 +330,7 @@ needed updating or not. The <strong>-n</strong> option performs a dry run, only
showing the actions which would have been taken.</p>
</section>
<section id="tabdump">
-<h3>tabdump<a class="headerlink" href="#tabdump" title="Permalink to this headline">¶</a></h3>
+<h3>tabdump<a class="headerlink" href="#tabdump" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>tabdump</strong> [<strong>-H</strong>] [<strong>-c</strong>] [<strong>-e</strong>] [<strong>-n</strong>] [<strong>-o</strong> <em>outfile</em>]
<em>dumptype</em></p>
@@ -365,6 +363,14 @@ output</p>
</dl>
<p>Dump types:</p>
<dl>
+<dt><strong>alias</strong></dt><dd><p>principal alias information</p>
+<dl class="simple">
+<dt><strong>aliasname</strong></dt><dd><p>the name of the alias</p>
+</dd>
+<dt><strong>targetname</strong></dt><dd><p>the target of the alias</p>
+</dd>
+</dl>
+</dd>
<dt><strong>keydata</strong></dt><dd><p>principal encryption key information, including actual key data
(which is still encrypted in the master key)</p>
<dl class="simple">
@@ -480,12 +486,12 @@ K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1
</section>
</section>
<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
variables.</p>
</section>
<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</section>
</section>
@@ -597,8 +603,8 @@ variables.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/admin_commands/kprop.html b/crypto/krb5/doc/html/admin/admin_commands/kprop.html
index 71d2f701bc71..b78c0fa60f7e 100644
--- a/crypto/krb5/doc/html/admin/admin_commands/kprop.html
+++ b/crypto/krb5/doc/html/admin/admin_commands/kprop.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>kprop &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
@@ -53,9 +51,9 @@
<div class="body" role="main">
<section id="kprop">
-<span id="kprop-8"></span><h1>kprop<a class="headerlink" href="#kprop" title="Permalink to this headline">¶</a></h1>
+<span id="kprop-8"></span><h1>kprop<a class="headerlink" href="#kprop" title="Link to this heading">¶</a></h1>
<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
<p><strong>kprop</strong>
[<strong>-r</strong> <em>realm</em>]
[<strong>-f</strong> <em>file</em>]
@@ -65,14 +63,14 @@
<em>replica_host</em></p>
</section>
<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
<p>kprop is used to securely propagate a Kerberos V5 database dump file
from the primary Kerberos server to a replica Kerberos server, which is
specified by <em>replica_host</em>. The dump file must be created by
<a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>.</p>
</section>
<section id="options">
-<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
+<h2>OPTIONS<a class="headerlink" href="#options" title="Link to this heading">¶</a></h2>
<dl class="simple">
<dt><strong>-r</strong> <em>realm</em></dt><dd><p>Specifies the realm of the primary server.</p>
</dd>
@@ -90,12 +88,12 @@ on the remote host.</p>
</dl>
</section>
<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
variables.</p>
</section>
<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
<p><a class="reference internal" href="kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>,
<a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</section>
@@ -193,8 +191,8 @@ variables.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/admin_commands/kpropd.html b/crypto/krb5/doc/html/admin/admin_commands/kpropd.html
index 4b9a07f09fc4..2fc3bbd9b3f6 100644
--- a/crypto/krb5/doc/html/admin/admin_commands/kpropd.html
+++ b/crypto/krb5/doc/html/admin/admin_commands/kpropd.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>kpropd &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
@@ -53,9 +51,9 @@
<div class="body" role="main">
<section id="kpropd">
-<span id="kpropd-8"></span><h1>kpropd<a class="headerlink" href="#kpropd" title="Permalink to this headline">¶</a></h1>
+<span id="kpropd-8"></span><h1>kpropd<a class="headerlink" href="#kpropd" title="Link to this heading">¶</a></h1>
<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
<p><strong>kpropd</strong>
[<strong>-r</strong> <em>realm</em>]
[<strong>-A</strong> <em>admin_server</em>]
@@ -70,7 +68,7 @@
[<strong>-s</strong> <em>keytab_file</em>]</p>
</section>
<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
<p>The <em>kpropd</em> command runs on the replica KDC server. It listens for
update requests made by the <a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> program. If incremental
propagation is enabled, it periodically requests incremental updates
@@ -112,7 +110,7 @@ keytab file.</p>
enabled.</p>
</section>
<section id="options">
-<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
+<h2>OPTIONS<a class="headerlink" href="#options" title="Link to this heading">¶</a></h2>
<dl class="simple">
<dt><strong>-r</strong> <em>realm</em></dt><dd><p>Specifies the realm of the primary server.</p>
</dd>
@@ -151,7 +149,7 @@ default the path used is <a class="reference internal" href="../../mitK5defaults
</dl>
</section>
<section id="files">
-<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2>
+<h2>FILES<a class="headerlink" href="#files" title="Link to this heading">¶</a></h2>
<dl class="simple">
<dt>kpropd.acl</dt><dd><p>Access file for kpropd; the default location is
<code class="docutils literal notranslate"><span class="pre">/usr/local/var/krb5kdc/kpropd.acl</span></code>. Each entry is a line
@@ -161,12 +159,12 @@ will allow Kerberos database propagation via <a class="reference internal" href=
</dl>
</section>
<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
variables.</p>
</section>
<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
<p><a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>,
<a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a>, inetd(8)</p>
</section>
@@ -265,8 +263,8 @@ variables.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/admin_commands/kproplog.html b/crypto/krb5/doc/html/admin/admin_commands/kproplog.html
index 498e58141ff2..b551ef6560ac 100644
--- a/crypto/krb5/doc/html/admin/admin_commands/kproplog.html
+++ b/crypto/krb5/doc/html/admin/admin_commands/kproplog.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>kproplog &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
@@ -53,14 +51,14 @@
<div class="body" role="main">
<section id="kproplog">
-<span id="kproplog-8"></span><h1>kproplog<a class="headerlink" href="#kproplog" title="Permalink to this headline">¶</a></h1>
+<span id="kproplog-8"></span><h1>kproplog<a class="headerlink" href="#kproplog" title="Link to this heading">¶</a></h1>
<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
<p><strong>kproplog</strong> [<strong>-h</strong>] [<strong>-e</strong> <em>num</em>] [-v]
<strong>kproplog</strong> [-R]</p>
</section>
<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
<p>The kproplog command displays the contents of the KDC database update
log to standard output. It can be used to keep track of incremental
updates to the principal database. The update log file contains the
@@ -79,7 +77,7 @@ only a summary of the updates, which includes the serial number of the
last update received and the associated time stamp of the last update.</p>
</section>
<section id="options">
-<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
+<h2>OPTIONS<a class="headerlink" href="#options" title="Link to this heading">¶</a></h2>
<dl>
<dt><strong>-R</strong></dt><dd><p>Reset the update log. This forces full resynchronization. If
used on a replica then that replica will request a full resync.
@@ -116,12 +114,12 @@ output generated for one entry:</p>
</dl>
</section>
<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
variables.</p>
</section>
<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
<p><a class="reference internal" href="kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</section>
</section>
@@ -218,8 +216,8 @@ variables.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/admin_commands/krb5kdc.html b/crypto/krb5/doc/html/admin/admin_commands/krb5kdc.html
index b7c6d993d7a9..be54e201c8f5 100644
--- a/crypto/krb5/doc/html/admin/admin_commands/krb5kdc.html
+++ b/crypto/krb5/doc/html/admin/admin_commands/krb5kdc.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>krb5kdc &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
@@ -53,9 +51,9 @@
<div class="body" role="main">
<section id="krb5kdc">
-<span id="krb5kdc-8"></span><h1>krb5kdc<a class="headerlink" href="#krb5kdc" title="Permalink to this headline">¶</a></h1>
+<span id="krb5kdc-8"></span><h1>krb5kdc<a class="headerlink" href="#krb5kdc" title="Link to this heading">¶</a></h1>
<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
<p><strong>krb5kdc</strong>
[<strong>-x</strong> <em>db_args</em>]
[<strong>-d</strong> <em>dbname</em>]
@@ -70,12 +68,12 @@
[<strong>-T</strong> <em>time_offset</em>]</p>
</section>
<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
<p>krb5kdc is the Kerberos version 5 Authentication Service and Key
Distribution Center (AS/KDC).</p>
</section>
<section id="options">
-<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
+<h2>OPTIONS<a class="headerlink" href="#options" title="Link to this heading">¶</a></h2>
<p>The <strong>-r</strong> <em>realm</em> option specifies the realm for which the server
should provide service. This option may be specified multiple times
to serve multiple realms. If no <strong>-r</strong> option is given, the default
@@ -116,7 +114,7 @@ supported arguments.</p>
the KDC will operate under. It is intended only for testing purposes.</p>
</section>
<section id="example">
-<h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2>
+<h2>EXAMPLE<a class="headerlink" href="#example" title="Link to this heading">¶</a></h2>
<p>The KDC may service requests for multiple realms (maximum 32 realms).
The realms are listed on the command line. Per-realm options that can
be specified on the command line pertain for each realm that follows
@@ -134,12 +132,18 @@ options specified on the command line. See the <a class="reference internal" hr
description for further details.</p>
</section>
<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
variables.</p>
+<p>As of release 1.22, krb5kdc supports systemd socket activation via the
+LISTEN_PID and LISTEN_FDS environment variables. Sockets provided by
+the caller must correspond to configured listener addresses (via the
+<strong>kdc_listen</strong> variable or equivalent) or they will be ignored. Any
+configured listener addresses that do not correspond to
+caller-provided sockets will be ignored if socket activation is used.</p>
</section>
<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
<p><a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>,
<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</section>
@@ -238,8 +242,8 @@ variables.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/admin_commands/ktutil.html b/crypto/krb5/doc/html/admin/admin_commands/ktutil.html
index 93e66f84ad2c..378675cca5d3 100644
--- a/crypto/krb5/doc/html/admin/admin_commands/ktutil.html
+++ b/crypto/krb5/doc/html/admin/admin_commands/ktutil.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>ktutil &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
@@ -53,21 +51,21 @@
<div class="body" role="main">
<section id="ktutil">
-<span id="ktutil-1"></span><h1>ktutil<a class="headerlink" href="#ktutil" title="Permalink to this headline">¶</a></h1>
+<span id="ktutil-1"></span><h1>ktutil<a class="headerlink" href="#ktutil" title="Link to this heading">¶</a></h1>
<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
<p><strong>ktutil</strong></p>
</section>
<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
<p>The ktutil command invokes a command interface from which an
administrator can read, write, or edit entries in a keytab. (Kerberos
V4 srvtab files are no longer supported.)</p>
</section>
<section id="commands">
-<h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2>
+<h2>COMMANDS<a class="headerlink" href="#commands" title="Link to this heading">¶</a></h2>
<section id="list">
-<h3>list<a class="headerlink" href="#list" title="Permalink to this headline">¶</a></h3>
+<h3>list<a class="headerlink" href="#list" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>list</strong> [<strong>-t</strong>] [<strong>-k</strong>] [<strong>-e</strong>]</p>
</div></blockquote>
@@ -77,7 +75,7 @@ specified, also display the timestamp, key contents, or enctype
<p>Alias: <strong>l</strong></p>
</section>
<section id="read-kt">
-<h3>read_kt<a class="headerlink" href="#read-kt" title="Permalink to this headline">¶</a></h3>
+<h3>read_kt<a class="headerlink" href="#read-kt" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>read_kt</strong> <em>keytab</em></p>
</div></blockquote>
@@ -85,7 +83,7 @@ specified, also display the timestamp, key contents, or enctype
<p>Alias: <strong>rkt</strong></p>
</section>
<section id="write-kt">
-<h3>write_kt<a class="headerlink" href="#write-kt" title="Permalink to this headline">¶</a></h3>
+<h3>write_kt<a class="headerlink" href="#write-kt" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>write_kt</strong> <em>keytab</em></p>
</div></blockquote>
@@ -93,7 +91,7 @@ specified, also display the timestamp, key contents, or enctype
<p>Alias: <strong>wkt</strong></p>
</section>
<section id="clear-list">
-<h3>clear_list<a class="headerlink" href="#clear-list" title="Permalink to this headline">¶</a></h3>
+<h3>clear_list<a class="headerlink" href="#clear-list" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>clear_list</strong></p>
</div></blockquote>
@@ -101,7 +99,7 @@ specified, also display the timestamp, key contents, or enctype
<p>Alias: <strong>clear</strong></p>
</section>
<section id="delete-entry">
-<h3>delete_entry<a class="headerlink" href="#delete-entry" title="Permalink to this headline">¶</a></h3>
+<h3>delete_entry<a class="headerlink" href="#delete-entry" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>delete_entry</strong> <em>slot</em></p>
</div></blockquote>
@@ -109,7 +107,7 @@ specified, also display the timestamp, key contents, or enctype
<p>Alias: <strong>delent</strong></p>
</section>
<section id="add-entry">
-<h3>add_entry<a class="headerlink" href="#add-entry" title="Permalink to this headline">¶</a></h3>
+<h3>add_entry<a class="headerlink" href="#add-entry" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>add_entry</strong> {<strong>-key</strong>|<strong>-password</strong>} <strong>-p</strong> <em>principal</em>
<strong>-k</strong> <em>kvno</em> [<strong>-e</strong> <em>enctype</em>] [<strong>-f</strong>|<strong>-s</strong> <em>salt</em>]</p>
@@ -123,7 +121,7 @@ overridden with the <strong>-s</strong> option.</p>
<p>Alias: <strong>addent</strong></p>
</section>
<section id="list-requests">
-<h3>list_requests<a class="headerlink" href="#list-requests" title="Permalink to this headline">¶</a></h3>
+<h3>list_requests<a class="headerlink" href="#list-requests" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>list_requests</strong></p>
</div></blockquote>
@@ -131,7 +129,7 @@ overridden with the <strong>-s</strong> option.</p>
<p>Aliases: <strong>lr</strong>, <strong>?</strong></p>
</section>
<section id="quit">
-<h3>quit<a class="headerlink" href="#quit" title="Permalink to this headline">¶</a></h3>
+<h3>quit<a class="headerlink" href="#quit" title="Link to this heading">¶</a></h3>
<blockquote>
<div><p><strong>quit</strong></p>
</div></blockquote>
@@ -140,7 +138,7 @@ overridden with the <strong>-s</strong> option.</p>
</section>
</section>
<section id="example">
-<h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2>
+<h2>EXAMPLE<a class="headerlink" href="#example" title="Link to this heading">¶</a></h2>
<blockquote>
<div><div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ktutil</span><span class="p">:</span> <span class="n">add_entry</span> <span class="o">-</span><span class="n">password</span> <span class="o">-</span><span class="n">p</span> <span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="o">-</span><span class="n">k</span> <span class="mi">1</span> <span class="o">-</span><span class="n">e</span>
<span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span>
@@ -155,12 +153,12 @@ overridden with the <strong>-s</strong> option.</p>
</div></blockquote>
</section>
<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
variables.</p>
</section>
<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</section>
</section>
@@ -268,8 +266,8 @@ variables.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/admin_commands/sserver.html b/crypto/krb5/doc/html/admin/admin_commands/sserver.html
index b8db93f55852..5ff0a5ecd6ff 100644
--- a/crypto/krb5/doc/html/admin/admin_commands/sserver.html
+++ b/crypto/krb5/doc/html/admin/admin_commands/sserver.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>sserver &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
@@ -53,16 +51,16 @@
<div class="body" role="main">
<section id="sserver">
-<span id="sserver-8"></span><h1>sserver<a class="headerlink" href="#sserver" title="Permalink to this headline">¶</a></h1>
+<span id="sserver-8"></span><h1>sserver<a class="headerlink" href="#sserver" title="Link to this heading">¶</a></h1>
<section id="synopsis">
-<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading">¶</a></h2>
<p><strong>sserver</strong>
[ <strong>-p</strong> <em>port</em> ]
[ <strong>-S</strong> <em>keytab</em> ]
[ <em>server_port</em> ]</p>
</section>
<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
<p>sserver and <a class="reference internal" href="../../user/user_commands/sclient.html#sclient-1"><span class="std std-ref">sclient</span></a> are a simple demonstration client/server
application. When sclient connects to sserver, it performs a Kerberos
authentication, and then sserver returns to sclient the Kerberos
@@ -100,7 +98,7 @@ files.</p>
</div>
</section>
<section id="common-error-messages">
-<h2>COMMON ERROR MESSAGES<a class="headerlink" href="#common-error-messages" title="Permalink to this headline">¶</a></h2>
+<h2>COMMON ERROR MESSAGES<a class="headerlink" href="#common-error-messages" title="Link to this heading">¶</a></h2>
<ol class="arabic">
<li><p>kinit returns the error:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kinit</span><span class="p">:</span> <span class="n">Client</span> <span class="ow">not</span> <span class="n">found</span> <span class="ow">in</span> <span class="n">Kerberos</span> <span class="n">database</span> <span class="k">while</span> <span class="n">getting</span>
@@ -145,12 +143,12 @@ probably not installed in the proper directory.</p>
</ol>
</section>
<section id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Link to this heading">¶</a></h2>
<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
variables.</p>
</section>
<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
<p><a class="reference internal" href="../../user/user_commands/sclient.html#sclient-1"><span class="std std-ref">sclient</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a>, services(5), inetd(8)</p>
</section>
</section>
@@ -247,8 +245,8 @@ variables.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/advanced/index.html b/crypto/krb5/doc/html/admin/advanced/index.html
index 5b65f238d3a0..07c786cf195f 100644
--- a/crypto/krb5/doc/html/admin/advanced/index.html
+++ b/crypto/krb5/doc/html/admin/advanced/index.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Advanced topics &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="advanced-topics">
-<h1>Advanced topics<a class="headerlink" href="#advanced-topics" title="Permalink to this headline">¶</a></h1>
+<h1>Advanced topics<a class="headerlink" href="#advanced-topics" title="Link to this heading">¶</a></h1>
<div class="toctree-wrapper compound">
<ul>
<li class="toctree-l1"><a class="reference internal" href="retiring-des.html">Retiring DES</a></li>
@@ -136,8 +134,8 @@
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/advanced/retiring-des.html b/crypto/krb5/doc/html/admin/advanced/retiring-des.html
index 40ba435f4ab4..8dec27ded0a4 100644
--- a/crypto/krb5/doc/html/admin/advanced/retiring-des.html
+++ b/crypto/krb5/doc/html/admin/advanced/retiring-des.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Retiring DES &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
@@ -53,15 +51,15 @@
<div class="body" role="main">
<section id="retiring-des">
-<span id="id1"></span><h1>Retiring DES<a class="headerlink" href="#retiring-des" title="Permalink to this headline">¶</a></h1>
+<span id="id1"></span><h1>Retiring DES<a class="headerlink" href="#retiring-des" title="Link to this heading">¶</a></h1>
<p>Version 5 of the Kerberos protocol was originally implemented using
the Data Encryption Standard (DES) as a block cipher for encryption.
While it was considered secure at the time, advancements in computational
ability have rendered DES vulnerable to brute force attacks on its 56-bit
keyspace. As such, it is now considered insecure and should not be
-used (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6649.html"><strong>RFC 6649</strong></a>).</p>
+used (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc6649.html"><strong>RFC 6649</strong></a>).</p>
<section id="history">
-<h2>History<a class="headerlink" href="#history" title="Permalink to this headline">¶</a></h2>
+<h2>History<a class="headerlink" href="#history" title="Link to this heading">¶</a></h2>
<p>DES was used in the original Kerberos implementation, and was the
only cryptosystem in krb5 1.0. Partial support for triple-DES (3DES) was
added in version 1.1, with full support following in version 1.2.
@@ -76,7 +74,7 @@ consequence, a release prior to 1.18 is required to perform these
migrations.</p>
</section>
<section id="types-of-keys">
-<h2>Types of keys<a class="headerlink" href="#types-of-keys" title="Permalink to this headline">¶</a></h2>
+<h2>Types of keys<a class="headerlink" href="#types-of-keys" title="Link to this heading">¶</a></h2>
<ul class="simple">
<li><p>The database master key: This key is not exposed to user requests,
but is used to encrypt other key material stored in the kerberos
@@ -112,7 +110,7 @@ are created in the Kerberos database for those server principals.</p>
</div>
</section>
<section id="upgrade-procedure">
-<h2>Upgrade procedure<a class="headerlink" href="#upgrade-procedure" title="Permalink to this headline">¶</a></h2>
+<h2>Upgrade procedure<a class="headerlink" href="#upgrade-procedure" title="Link to this heading">¶</a></h2>
<p>This procedure assumes that the KDC software has already been upgraded
to a modern version of krb5 that supports non-DES keys, so that the
only remaining task is to update the actual keys used to service requests.
@@ -154,7 +152,7 @@ and the database entries for some “high-value” principals were:</p>
<p>The <code class="docutils literal notranslate"><span class="pre">krbtgt/REALM</span></code> key appears to have never been changed since creation
(its kvno is 1), and all three database entries have only a des-cbc-crc key.</p>
<section id="the-krbtgt-key-and-kdc-keys">
-<h3>The krbtgt key and KDC keys<a class="headerlink" href="#the-krbtgt-key-and-kdc-keys" title="Permalink to this headline">¶</a></h3>
+<h3>The krbtgt key and KDC keys<a class="headerlink" href="#the-krbtgt-key-and-kdc-keys" title="Link to this heading">¶</a></h3>
<p>Perhaps the biggest single-step improvement in the security of the cell
is gained by strengthening the key of the ticket-granting service principal,
<code class="docutils literal notranslate"><span class="pre">krbtgt/REALM</span></code>—if this principal’s key is compromised, so is the
@@ -240,7 +238,7 @@ are rekeyed to non-DES enctypes. Such problems can be detected early
at this stage, giving more time for corrective action.</p>
</section>
<section id="adding-strong-keys-to-application-servers">
-<h3>Adding strong keys to application servers<a class="headerlink" href="#adding-strong-keys-to-application-servers" title="Permalink to this headline">¶</a></h3>
+<h3>Adding strong keys to application servers<a class="headerlink" href="#adding-strong-keys-to-application-servers" title="Link to this heading">¶</a></h3>
<p>Before switching the default enctypes for new keys over to strong enctypes,
it may be desired to test upgrading a handful of services with the
new configuration before flipping the switch for the defaults. This
@@ -267,7 +265,7 @@ practice.</p>
</div>
</section>
<section id="adding-strong-keys-by-default">
-<h3>Adding strong keys by default<a class="headerlink" href="#adding-strong-keys-by-default" title="Permalink to this headline">¶</a></h3>
+<h3>Adding strong keys by default<a class="headerlink" href="#adding-strong-keys-by-default" title="Link to this heading">¶</a></h3>
<p>Once the high-visibility services have been rekeyed, it is probably
appropriate to change <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> to generate keys with the new
encryption types by default. This enables server administrators to generate
@@ -321,7 +319,7 @@ or adjust the population in the load-balanced pool in order to propagate
the updated keytab to all hosts in the pool with minimal service interruption.</p>
</section>
<section id="removing-des-keys-from-usage">
-<h3>Removing DES keys from usage<a class="headerlink" href="#removing-des-keys-from-usage" title="Permalink to this headline">¶</a></h3>
+<h3>Removing DES keys from usage<a class="headerlink" href="#removing-des-keys-from-usage" title="Link to this heading">¶</a></h3>
<p>This situation remains something of a testing or transitory state,
as new DES keys are still being generated, and will be used if requested
by a client. To make more progress removing DES from the realm, the KDC
@@ -397,7 +395,7 @@ all places where DES enctypes could be explicitly configured. DES keys will
not be used, even if they are present, when <strong>allow_weak_crypto = false</strong>.</p>
</section>
<section id="support-for-legacy-services">
-<h3>Support for legacy services<a class="headerlink" href="#support-for-legacy-services" title="Permalink to this headline">¶</a></h3>
+<h3>Support for legacy services<a class="headerlink" href="#support-for-legacy-services" title="Link to this heading">¶</a></h3>
<p>If there remain legacy services which do not support non-DES enctypes
(such as older versions of AFS), <strong>allow_weak_crypto</strong> must remain
enabled on the KDC. Client machines need not have this setting,
@@ -418,7 +416,7 @@ user to contact the helpdesk for access.</p>
</section>
</section>
<section id="the-database-master-key">
-<h2>The Database Master Key<a class="headerlink" href="#the-database-master-key" title="Permalink to this headline">¶</a></h2>
+<h2>The Database Master Key<a class="headerlink" href="#the-database-master-key" title="Link to this heading">¶</a></h2>
<p>This procedure does not alter <code class="docutils literal notranslate"><span class="pre">K/M&#64;REALM</span></code>, the key used to encrypt key
material in the Kerberos database. (This is the key stored in the stash file
on the KDC if stash files are used.) However, the security risk of
@@ -524,8 +522,8 @@ converted to the new master key.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/appl_servers.html b/crypto/krb5/doc/html/admin/appl_servers.html
index 4b92f4f547e6..b6da7ebb3b80 100644
--- a/crypto/krb5/doc/html/admin/appl_servers.html
+++ b/crypto/krb5/doc/html/admin/appl_servers.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Application servers &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="application-servers">
-<h1>Application servers<a class="headerlink" href="#application-servers" title="Permalink to this headline">¶</a></h1>
+<h1>Application servers<a class="headerlink" href="#application-servers" title="Link to this heading">¶</a></h1>
<p>If you need to install the Kerberos V5 programs on an application
server, please refer to the Kerberos V5 Installation Guide. Once you
have installed the software, you need to add that host to the Kerberos
@@ -61,7 +59,7 @@ database (see <a class="reference internal" href="database.html#principals"><spa
that contains the host’s key. You also need to make sure the host’s
clock is within your maximum clock skew of the KDCs.</p>
<section id="keytabs">
-<h2>Keytabs<a class="headerlink" href="#keytabs" title="Permalink to this headline">¶</a></h2>
+<h2>Keytabs<a class="headerlink" href="#keytabs" title="Link to this heading">¶</a></h2>
<p>A keytab is a host’s copy of its own keylist, which is analogous to a
user’s password. An application server that needs to authenticate
itself to the KDC has to have a keytab that contains its own principal
@@ -73,7 +71,7 @@ network in the clear. Ideally, you should run the <a class="reference internal"
command to extract a keytab on the host on which the keytab is to
reside.</p>
<section id="adding-principals-to-keytabs">
-<span id="add-princ-kt"></span><h3>Adding principals to keytabs<a class="headerlink" href="#adding-principals-to-keytabs" title="Permalink to this headline">¶</a></h3>
+<span id="add-princ-kt"></span><h3>Adding principals to keytabs<a class="headerlink" href="#adding-principals-to-keytabs" title="Link to this heading">¶</a></h3>
<p>To generate a keytab, or to add a principal to an existing keytab, use
the <strong>ktadd</strong> command from kadmin. Here is a sample session, using
configuration files that enable only AES encryption:</p>
@@ -84,7 +82,7 @@ configuration files that enable only AES encryption:</p>
</div>
</section>
<section id="removing-principals-from-keytabs">
-<h3>Removing principals from keytabs<a class="headerlink" href="#removing-principals-from-keytabs" title="Permalink to this headline">¶</a></h3>
+<h3>Removing principals from keytabs<a class="headerlink" href="#removing-principals-from-keytabs" title="Link to this heading">¶</a></h3>
<p>To remove a principal from an existing keytab, use the kadmin
<strong>ktremove</strong> command:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktremove</span> <span class="n">host</span><span class="o">/</span><span class="n">daffodil</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
@@ -94,7 +92,7 @@ configuration files that enable only AES encryption:</p>
</div>
</section>
<section id="using-a-keytab-to-acquire-client-credentials">
-<h3>Using a keytab to acquire client credentials<a class="headerlink" href="#using-a-keytab-to-acquire-client-credentials" title="Permalink to this headline">¶</a></h3>
+<h3>Using a keytab to acquire client credentials<a class="headerlink" href="#using-a-keytab-to-acquire-client-credentials" title="Link to this heading">¶</a></h3>
<p>While keytabs are ordinarily used to accept credentials from clients,
they can also be used to acquire initial credentials, allowing one
service to authenticate to another.</p>
@@ -126,7 +124,7 @@ specified credential cache, and refresh them before they expire.</p></li>
</section>
</section>
<section id="clock-skew">
-<h2>Clock Skew<a class="headerlink" href="#clock-skew" title="Permalink to this headline">¶</a></h2>
+<h2>Clock Skew<a class="headerlink" href="#clock-skew" title="Link to this heading">¶</a></h2>
<p>A Kerberos application server host must keep its clock synchronized or
it will reject authentication requests from clients. Modern operating
systems typically provide a facility to maintain the correct time;
@@ -137,7 +135,7 @@ clocks.</p>
variable in <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.</p>
</section>
<section id="getting-dns-information-correct">
-<h2>Getting DNS information correct<a class="headerlink" href="#getting-dns-information-correct" title="Permalink to this headline">¶</a></h2>
+<h2>Getting DNS information correct<a class="headerlink" href="#getting-dns-information-correct" title="Link to this heading">¶</a></h2>
<p>Several aspects of Kerberos rely on name service. When a hostname is
used to name a service, clients may canonicalize the hostname using
forward and possibly reverse name resolution. The result of this
@@ -172,7 +170,7 @@ file), and then <a class="reference internal" href="../user/user_commands/klist.
principal of <code class="docutils literal notranslate"><span class="pre">host/daffodil.mit.edu&#64;ATHENA.MIT.EDU</span></code>.</p>
</section>
<section id="configuring-your-firewall-to-work-with-kerberos-v5">
-<span id="conf-firewall"></span><h2>Configuring your firewall to work with Kerberos V5<a class="headerlink" href="#configuring-your-firewall-to-work-with-kerberos-v5" title="Permalink to this headline">¶</a></h2>
+<span id="conf-firewall"></span><h2>Configuring your firewall to work with Kerberos V5<a class="headerlink" href="#configuring-your-firewall-to-work-with-kerberos-v5" title="Link to this heading">¶</a></h2>
<p>If you need off-site users to be able to get Kerberos tickets in your
realm, they must be able to get to your KDC. This requires either
that you have a replica KDC outside your firewall, or that you
@@ -282,8 +280,8 @@ point for learning to configure firewalls.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/auth_indicator.html b/crypto/krb5/doc/html/admin/auth_indicator.html
index 1ac39373b5ff..0a8e684e45a5 100644
--- a/crypto/krb5/doc/html/admin/auth_indicator.html
+++ b/crypto/krb5/doc/html/admin/auth_indicator.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Authentication indicators &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="authentication-indicators">
-<span id="auth-indicator"></span><h1>Authentication indicators<a class="headerlink" href="#authentication-indicators" title="Permalink to this headline">¶</a></h1>
+<span id="auth-indicator"></span><h1>Authentication indicators<a class="headerlink" href="#authentication-indicators" title="Link to this heading">¶</a></h1>
<p>As of release 1.14, the KDC can be configured to annotate tickets if
the client authenticated using a stronger preauthentication mechanism
such as <a class="reference internal" href="pkinit.html#pkinit"><span class="std std-ref">PKINIT</span></a> or <a class="reference internal" href="otp.html#otp-preauth"><span class="std std-ref">OTP</span></a>. These
@@ -177,8 +175,8 @@ attribute.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/backup_host.html b/crypto/krb5/doc/html/admin/backup_host.html
index ebf2954afb05..987b9e652e51 100644
--- a/crypto/krb5/doc/html/admin/backup_host.html
+++ b/crypto/krb5/doc/html/admin/backup_host.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Backups of secure hosts &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="backups-of-secure-hosts">
-<h1>Backups of secure hosts<a class="headerlink" href="#backups-of-secure-hosts" title="Permalink to this headline">¶</a></h1>
+<h1>Backups of secure hosts<a class="headerlink" href="#backups-of-secure-hosts" title="Link to this heading">¶</a></h1>
<p>When you back up a secure host, you should exclude the host’s keytab
file from the backup. If someone obtained a copy of the keytab from a
backup, that person could make any host masquerade as the host whose
@@ -66,7 +64,7 @@ If you are unable to exclude particular files from backups, you should
ensure that the backups are kept as secure as the host’s root
password.</p>
<section id="backing-up-the-kerberos-database">
-<h2>Backing up the Kerberos database<a class="headerlink" href="#backing-up-the-kerberos-database" title="Permalink to this headline">¶</a></h2>
+<h2>Backing up the Kerberos database<a class="headerlink" href="#backing-up-the-kerberos-database" title="Link to this heading">¶</a></h2>
<p>As with any file, it is possible that your Kerberos database could
become corrupted. If this happens on one of the replica KDCs, you
might never notice, since the next automatic propagation of the
@@ -160,8 +158,8 @@ corrupted, you can load the most recent dump onto the primary KDC.
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/conf_files/index.html b/crypto/krb5/doc/html/admin/conf_files/index.html
index 57c59b1edae7..a309e76072c9 100644
--- a/crypto/krb5/doc/html/admin/conf_files/index.html
+++ b/crypto/krb5/doc/html/admin/conf_files/index.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Configuration Files &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="configuration-files">
-<h1>Configuration Files<a class="headerlink" href="#configuration-files" title="Permalink to this headline">¶</a></h1>
+<h1>Configuration Files<a class="headerlink" href="#configuration-files" title="Link to this heading">¶</a></h1>
<p>Kerberos uses configuration files to allow administrators to specify
settings on a per-machine basis. <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> applies to all
applications using the Kerboros library, on clients and servers.
@@ -63,7 +61,7 @@ used by applications accessing the KDC database directly. <a class="reference i
is also only used on the KDC, it controls permissions for modifying the
KDC database.</p>
<section id="contents">
-<h2>Contents<a class="headerlink" href="#contents" title="Permalink to this headline">¶</a></h2>
+<h2>Contents<a class="headerlink" href="#contents" title="Link to this heading">¶</a></h2>
<div class="toctree-wrapper compound">
<ul>
<li class="toctree-l1"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
@@ -154,8 +152,8 @@ KDC database.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/conf_files/kadm5_acl.html b/crypto/krb5/doc/html/admin/conf_files/kadm5_acl.html
index 611864b3c535..17e628141aa1 100644
--- a/crypto/krb5/doc/html/admin/conf_files/kadm5_acl.html
+++ b/crypto/krb5/doc/html/admin/conf_files/kadm5_acl.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>kadm5.acl &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
@@ -53,9 +51,9 @@
<div class="body" role="main">
<section id="kadm5-acl">
-<span id="kadm5-acl-5"></span><h1>kadm5.acl<a class="headerlink" href="#kadm5-acl" title="Permalink to this headline">¶</a></h1>
+<span id="kadm5-acl-5"></span><h1>kadm5.acl<a class="headerlink" href="#kadm5-acl" title="Link to this heading">¶</a></h1>
<section id="description">
-<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading">¶</a></h2>
<p>The Kerberos <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon uses an Access Control List
(ACL) file to manage access rights to the Kerberos database.
For operations that affect principals, the ACL file also controls
@@ -65,7 +63,7 @@ which principals can operate on which other principals.</p>
variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
</section>
<section id="syntax">
-<h2>SYNTAX<a class="headerlink" href="#syntax" title="Permalink to this headline">¶</a></h2>
+<h2>SYNTAX<a class="headerlink" href="#syntax" title="Link to this heading">¶</a></h2>
<p>Empty lines and lines starting with the sharp sign (<code class="docutils literal notranslate"><span class="pre">#</span></code>) are
ignored. Lines containing ACL entries have the format:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">principal</span> <span class="n">permissions</span> <span class="p">[</span><span class="n">target_principal</span> <span class="p">[</span><span class="n">restrictions</span><span class="p">]</span> <span class="p">]</span>
@@ -89,10 +87,6 @@ counterparts. If the character is <em>upper-case</em>, then the operation
is disallowed. If the character is <em>lower-case</em>, then the operation
is permitted.</p>
<table class="docutils align-default">
-<colgroup>
-<col style="width: 2%" />
-<col style="width: 98%" />
-</colgroup>
<tbody>
<tr class="row-odd"><td><p>a</p></td>
<td><p>[Dis]allows the addition of principals or policies</p></td>
@@ -178,7 +172,7 @@ restarted for changes to take effect.</p>
</div>
</section>
<section id="example">
-<h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2>
+<h2>EXAMPLE<a class="headerlink" href="#example" title="Link to this heading">¶</a></h2>
<p>Here is an example of a kadm5.acl file:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">*/</span><span class="n">admin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">*</span> <span class="c1"># line 1</span>
<span class="n">joeadmin</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">ADMCIL</span> <span class="c1"># line 2</span>
@@ -213,7 +207,7 @@ any principal that it creates or modifies will not be able to get
postdateable tickets or tickets with a life of longer than 9 hours.</p>
</section>
<section id="module-behavior">
-<h2>MODULE BEHAVIOR<a class="headerlink" href="#module-behavior" title="Permalink to this headline">¶</a></h2>
+<h2>MODULE BEHAVIOR<a class="headerlink" href="#module-behavior" title="Link to this heading">¶</a></h2>
<p>The ACL file can coexist with other authorization modules in release
1.16 and later, as configured in the <a class="reference internal" href="krb5_conf.html#kadm5-auth"><span class="std std-ref">kadm5_auth interface</span></a> section of
<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. The ACL file will positively authorize
@@ -224,7 +218,7 @@ operations in addition to those authorized by the ACL file.</p>
<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> to the empty string with <code class="docutils literal notranslate"><span class="pre">acl_file</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>.</p>
</section>
<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
<p><a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a></p>
</section>
</section>
@@ -313,8 +307,8 @@ operations in addition to those authorized by the ACL file.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/conf_files/kdc_conf.html b/crypto/krb5/doc/html/admin/conf_files/kdc_conf.html
index dc6876d608ec..e6bc02ccbb55 100644
--- a/crypto/krb5/doc/html/admin/conf_files/kdc_conf.html
+++ b/crypto/krb5/doc/html/admin/conf_files/kdc_conf.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>kdc.conf &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="kdc-conf">
-<span id="kdc-conf-5"></span><h1>kdc.conf<a class="headerlink" href="#kdc-conf" title="Permalink to this headline">¶</a></h1>
+<span id="kdc-conf-5"></span><h1>kdc.conf<a class="headerlink" href="#kdc-conf" title="Link to this heading">¶</a></h1>
<p>The kdc.conf file supplements <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> for programs which
are typically only used on a KDC, such as the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and
<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemons and the <a class="reference internal" href="../admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> program.
@@ -66,18 +64,14 @@ environment variable <strong>KRB5_KDC_PROFILE</strong>.</p>
<p>Please note that you need to restart the KDC daemon for any configuration
changes to take effect.</p>
<section id="structure">
-<h2>Structure<a class="headerlink" href="#structure" title="Permalink to this headline">¶</a></h2>
+<h2>Structure<a class="headerlink" href="#structure" title="Link to this heading">¶</a></h2>
<p>The kdc.conf file is set up in the same format as the
<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file.</p>
</section>
<section id="sections">
-<h2>Sections<a class="headerlink" href="#sections" title="Permalink to this headline">¶</a></h2>
+<h2>Sections<a class="headerlink" href="#sections" title="Link to this heading">¶</a></h2>
<p>The kdc.conf file may contain the following sections:</p>
<table class="docutils align-default">
-<colgroup>
-<col style="width: 29%" />
-<col style="width: 71%" />
-</colgroup>
<tbody>
<tr class="row-odd"><td><p><a class="reference internal" href="#kdcdefaults"><span class="std std-ref">[kdcdefaults]</span></a></p></td>
<td><p>Default values for KDC behavior</p></td>
@@ -97,7 +91,7 @@ changes to take effect.</p>
</tbody>
</table>
<section id="kdcdefaults">
-<span id="id1"></span><h3>[kdcdefaults]<a class="headerlink" href="#kdcdefaults" title="Permalink to this headline">¶</a></h3>
+<span id="id1"></span><h3>[kdcdefaults]<a class="headerlink" href="#kdcdefaults" title="Link to this heading">¶</a></h3>
<p>Some relations in the [kdcdefaults] section specify default values for
realm variables, to be used if the [realms] subsection does not
contain a relation for the tag. See the <a class="reference internal" href="#kdc-realms"><span class="std std-ref">[realms]</span></a> section for
@@ -128,7 +122,7 @@ challenge. (New in release 1.17.)</p>
</dl>
</section>
<section id="realms">
-<span id="kdc-realms"></span><h3>[realms]<a class="headerlink" href="#realms" title="Permalink to this headline">¶</a></h3>
+<span id="kdc-realms"></span><h3>[realms]<a class="headerlink" href="#realms" title="Link to this heading">¶</a></h3>
<p>Each tag in the [realms] section is the name of a Kerberos realm. The
value of the tag is a subsection where the relations define KDC
parameters for that particular realm. The following example shows how
@@ -306,14 +300,16 @@ default value will not use values from the [dbmodules] section.)</p>
</dd>
<dt><strong>kadmind_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the kadmin RPC
listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon.
-Each entry may be an interface address, a port number, or an
-address and port number separated by a colon. If the address
-contains colons, enclose it in square brackets. If no address is
-specified, the wildcard address is used. If kadmind fails to bind
-to any of the specified addresses, it will fail to start. The
-default is to bind to the wildcard address at the port specified
-in <strong>kadmind_port</strong>, or the standard kadmin port (749). New in
-release 1.15.</p>
+Each entry may be an interface address, a port number, an address
+and port number separated by a colon, or a UNIX domain socket
+pathname. If the address contains colons, enclose it in square
+brackets. If no address is specified, the wildcard address is
+used. To disable listening for kadmin RPC connections, set this
+relation to the empty string with <code class="docutils literal notranslate"><span class="pre">kadmind_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. If
+kadmind fails to bind to any of the specified addresses, it will
+fail to start. The default is to bind to the wildcard address at
+the port specified in <strong>kadmind_port</strong>, or the standard kadmin
+port (749). New in release 1.15.</p>
</dd>
<dt><strong>kadmind_port</strong></dt><dd><p>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>
daemon is to listen for this realm. Port numbers specified in
@@ -323,16 +319,18 @@ assigned port for kadmind is 749, which is used by default.</p>
<dt><strong>key_stash_file</strong></dt><dd><p>(String.) Specifies the location where the master key has been
stored (via kdb5_util stash). The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/.k5.REALM</span></code>, where <em>REALM</em> is the Kerberos realm.</p>
</dd>
-<dt><strong>kdc_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the UDP
-listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon.
-Each entry may be an interface address, a port number, or an
-address and port number separated by a colon. If the address
-contains colons, enclose it in square brackets. If no address is
-specified, the wildcard address is used. If no port is specified,
-the standard port (88) is used. If the KDC daemon fails to bind
-to any of the specified addresses, it will fail to start. The
-default is to bind to the wildcard address on the standard port.
-New in release 1.15.</p>
+<dt><strong>kdc_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the listening
+addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon. Each
+entry may be an interface address, a port number, an address and
+port number separated by a colon, or a UNIX domain socket
+pathname. If the address contains colons, enclose it in square
+brackets. If no address is specified, the wildcard address is
+used. If no port is specified, the standard port (88) is used.
+To disable listening on UDP, set this relation to the empty string
+with <code class="docutils literal notranslate"><span class="pre">kdc_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. If the KDC daemon fails to bind to any
+of the specified addresses, it will fail to start. The default is
+to bind to the wildcard address on the standard port. New in
+release 1.15.</p>
</dd>
<dt><strong>kdc_ports</strong></dt><dd><p>(Whitespace- or comma-separated list, deprecated.) Prior to
release 1.15, this relation lists the ports for the
@@ -342,15 +340,10 @@ if that relation is not defined.</p>
</dd>
<dt><strong>kdc_tcp_listen</strong></dt><dd><p>(Whitespace- or comma-separated list.) Specifies the TCP
listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemon.
-Each entry may be an interface address, a port number, or an
-address and port number separated by a colon. If the address
-contains colons, enclose it in square brackets. If no address is
-specified, the wildcard address is used. If no port is specified,
-the standard port (88) is used. To disable listening on TCP, set
-this relation to the empty string with <code class="docutils literal notranslate"><span class="pre">kdc_tcp_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>.
-If the KDC daemon fails to bind to any of the specified addresses,
-it will fail to start. The default is to bind to the wildcard
-address on the standard port. New in release 1.15.</p>
+The syntax is identical to that of <strong>kdc_listen</strong>. To disable
+listening on TCP, set this relation to the empty string with
+<code class="docutils literal notranslate"><span class="pre">kdc_tcp_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. The default is to bind to the same
+addresses and ports as for UDP. New in release 1.15.</p>
</dd>
<dt><strong>kdc_tcp_ports</strong></dt><dd><p>(Whitespace- or comma-separated list, deprecated.) Prior to
release 1.15, this relation lists the ports for the
@@ -358,15 +351,18 @@ release 1.15, this relation lists the ports for the
release 1.15 and later, it has the same meaning as
<strong>kdc_tcp_listen</strong> if that relation is not defined.</p>
</dd>
-<dt><strong>kpasswd_listen</strong></dt><dd><p>(Comma-separated list.) Specifies the kpasswd listening addresses
-and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon. Each entry may be
-an interface address, a port number, or an address and port number
-separated by a colon. If the address contains colons, enclose it
-in square brackets. If no address is specified, the wildcard
-address is used. If kadmind fails to bind to any of the specified
-addresses, it will fail to start. The default is to bind to the
-wildcard address at the port specified in <strong>kpasswd_port</strong>, or the
-standard kpasswd port (464). New in release 1.15.</p>
+<dt><strong>kpasswd_listen</strong></dt><dd><p>(Comma-separated list.) Specifies the kpasswd listening
+addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon. Each
+entry may be an interface address, a port number, an address and
+port number separated by a colon, or a UNIX domain socket
+pathname. If the address contains colons, enclose it in square
+brackets. If no address is specified, the wildcard address is
+used. To disable listening for kpasswd requests, set this
+relation to the empty string with <code class="docutils literal notranslate"><span class="pre">kpasswd_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></code>. If
+kadmind fails to bind to any of the specified addresses, it will
+fail to start. The default is to bind to the wildcard address at
+the port specified in <strong>kpasswd_port</strong>, or the standard kpasswd
+port (464). New in release 1.15.</p>
</dd>
<dt><strong>kpasswd_port</strong></dt><dd><p>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>
daemon is to listen for password change requests for this realm.
@@ -433,7 +429,7 @@ possible values, see <a class="reference internal" href="#keysalt-lists"><span c
</dl>
</section>
<section id="dbdefaults">
-<span id="id2"></span><h3>[dbdefaults]<a class="headerlink" href="#dbdefaults" title="Permalink to this headline">¶</a></h3>
+<span id="id2"></span><h3>[dbdefaults]<a class="headerlink" href="#dbdefaults" title="Link to this heading">¶</a></h3>
<p>The [dbdefaults] section specifies default values for some database
parameters, to be used if the [dbmodules] subsection does not contain
a relation for the tag. See the <a class="reference internal" href="#dbmodules"><span class="std std-ref">[dbmodules]</span></a> section for the
@@ -455,7 +451,7 @@ definitions of these relations.</p>
</ul>
</section>
<section id="dbmodules">
-<span id="id3"></span><h3>[dbmodules]<a class="headerlink" href="#dbmodules" title="Permalink to this headline">¶</a></h3>
+<span id="id3"></span><h3>[dbmodules]<a class="headerlink" href="#dbmodules" title="Link to this heading">¶</a></h3>
<p>The [dbmodules] section contains parameters used by the KDC database
library and database modules. Each tag in the [dbmodules] section is
the name of a Kerberos realm or a section name specified by a realm’s
@@ -569,7 +565,7 @@ modules. The value should be an absolute path.</p>
</dl>
</section>
<section id="logging">
-<span id="id4"></span><h3>[logging]<a class="headerlink" href="#logging" title="Permalink to this headline">¶</a></h3>
+<span id="id4"></span><h3>[logging]<a class="headerlink" href="#logging" title="Link to this heading">¶</a></h3>
<p>The [logging] section indicates how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and
<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> perform logging. It may contain the following
relations:</p>
@@ -631,7 +627,7 @@ to the file <code class="docutils literal notranslate"><span class="pre">/var/ad
To disable logging entirely, specify <code class="docutils literal notranslate"><span class="pre">default</span> <span class="pre">=</span> <span class="pre">DEVICE=/dev/null</span></code>.</p>
</section>
<section id="otp">
-<span id="id5"></span><h3>[otp]<a class="headerlink" href="#otp" title="Permalink to this headline">¶</a></h3>
+<span id="id5"></span><h3>[otp]<a class="headerlink" href="#otp" title="Link to this heading">¶</a></h3>
<p>Each subsection of [otp] is the name of an OTP token type. The tags
within the subsection define the configuration required to forward a
One Time Password request to a RADIUS server.</p>
@@ -691,7 +687,7 @@ something applicable for your situation:</p>
</section>
</section>
<section id="pkinit-options">
-<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Permalink to this headline">¶</a></h2>
+<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Link to this heading">¶</a></h2>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The following are pkinit-specific options. These values may
@@ -725,8 +721,11 @@ the KDC trusts to sign client certificates. This option is
required if pkinit is to be supported by the KDC. This option may
be specified multiple times.</p>
</dd>
-<dt><strong>pkinit_dh_min_bits</strong></dt><dd><p>Specifies the minimum number of bits the KDC is willing to accept
-for a client’s Diffie-Hellman key. The default is 2048.</p>
+<dt><strong>pkinit_dh_min_bits</strong></dt><dd><p>Specifies the minimum strength of Diffie-Hellman group the KDC is
+willing to accept for key exchange. Valid values in order of
+increasing strength are 1024, 2048, P-256, 4096, P-384, and P-521.
+The default is 2048. (P-256, P-384, and P-521 are new in release
+1.22.)</p>
</dd>
<dt><strong>pkinit_allow_upn</strong></dt><dd><p>Specifies that the KDC is willing to accept client certificates
with the Microsoft UserPrincipalName (UPN) Subject Alternative
@@ -734,7 +733,7 @@ Name (SAN). This means the KDC accepts the binding of the UPN in
the certificate to the Kerberos principal name. The default value
is false.</p>
<p>Without this option, the KDC will only accept certificates with
-the id-pkinit-san as defined in <span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>. There is currently
+the id-pkinit-san as defined in <span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>. There is currently
no option to disable SAN checking in the KDC.</p>
</dd>
<dt><strong>pkinit_eku_checking</strong></dt><dd><p>This option specifies what Extended Key Usage (EKU) values the KDC
@@ -743,7 +742,7 @@ recognized in the kdc.conf file are:</p>
<dl class="simple">
<dt><strong>kpClientAuth</strong></dt><dd><p>This is the default value and specifies that client
certificates must have the id-pkinit-KPClientAuth EKU as
-defined in <span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>.</p>
+defined in <span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>.</p>
</dd>
<dt><strong>scLogin</strong></dt><dd><p>If scLogin is specified, client certificates with the
Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be
@@ -791,16 +790,12 @@ in PKINIT requests. The default value is false. (New in release
</dl>
</section>
<section id="encryption-types">
-<span id="id6"></span><h2>Encryption types<a class="headerlink" href="#encryption-types" title="Permalink to this headline">¶</a></h2>
+<span id="id6"></span><h2>Encryption types<a class="headerlink" href="#encryption-types" title="Link to this heading">¶</a></h2>
<p>Any tag in the configuration files which requires a list of encryption
types can be set to some combination of the following strings.
Encryption types marked as “weak” and “deprecated” are available for
compatibility but not recommended for use.</p>
<table class="docutils align-default">
-<colgroup>
-<col style="width: 30%" />
-<col style="width: 70%" />
-</colgroup>
<tbody>
<tr class="row-odd"><td><p>des3-cbc-raw</p></td>
<td><p>Triple DES cbc mode raw (weak)</p></td>
@@ -866,7 +861,7 @@ these newer encryption types must not be given keys of these
encryption types in the KDC database.</p>
</section>
<section id="keysalt-lists">
-<span id="id7"></span><h2>Keysalt lists<a class="headerlink" href="#keysalt-lists" title="Permalink to this headline">¶</a></h2>
+<span id="id7"></span><h2>Keysalt lists<a class="headerlink" href="#keysalt-lists" title="Link to this heading">¶</a></h2>
<p>Kerberos keys for users are usually derived from passwords. Kerberos
commands and configuration parameters that affect generation of keys
take lists of enctype-salttype (“keysalt”) pairs, known as <em>keysalt
@@ -884,10 +879,6 @@ the same key, Kerberos 5 incorporates more information into the key
using something called a salt. The supported salt types are as
follows:</p>
<table class="docutils align-default">
-<colgroup>
-<col style="width: 25%" />
-<col style="width: 75%" />
-</colgroup>
<tbody>
<tr class="row-odd"><td><p>normal</p></td>
<td><p>default for Kerberos Version 5</p></td>
@@ -905,7 +896,7 @@ follows:</p>
</table>
</section>
<section id="sample-kdc-conf-file">
-<h2>Sample kdc.conf File<a class="headerlink" href="#sample-kdc-conf-file" title="Permalink to this headline">¶</a></h2>
+<h2>Sample kdc.conf File<a class="headerlink" href="#sample-kdc-conf-file" title="Link to this heading">¶</a></h2>
<p>Here’s an example of a kdc.conf file:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span>
<span class="n">kdc_listen</span> <span class="o">=</span> <span class="mi">88</span>
@@ -945,11 +936,11 @@ follows:</p>
</div>
</section>
<section id="files">
-<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2>
+<h2>FILES<a class="headerlink" href="#files" title="Link to this heading">¶</a></h2>
<p><a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/kdc.conf</span></code></p>
</section>
<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
<p><a class="reference internal" href="krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>, <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>, <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a></p>
</section>
</section>
@@ -1049,8 +1040,8 @@ follows:</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/conf_files/krb5_conf.html b/crypto/krb5/doc/html/admin/conf_files/krb5_conf.html
index 7c922675d149..f1438242431d 100644
--- a/crypto/krb5/doc/html/admin/conf_files/krb5_conf.html
+++ b/crypto/krb5/doc/html/admin/conf_files/krb5_conf.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>krb5.conf &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />
- <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
- <script src="../../_static/jquery.js"></script>
- <script src="../../_static/underscore.js"></script>
- <script src="../../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" />
+ <script src="../../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../../_static/doctools.js?v=888ff710"></script>
+ <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="krb5-conf">
-<span id="krb5-conf-5"></span><h1>krb5.conf<a class="headerlink" href="#krb5-conf" title="Permalink to this headline">¶</a></h1>
+<span id="krb5-conf-5"></span><h1>krb5.conf<a class="headerlink" href="#krb5-conf" title="Link to this heading">¶</a></h1>
<p>The krb5.conf file contains Kerberos configuration information,
including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
@@ -67,7 +65,7 @@ also be specified in <strong>KRB5_CONFIG</strong>; all files within the director
whose names consist solely of alphanumeric characters, dashes, or
underscores will be read.</p>
<section id="structure">
-<h2>Structure<a class="headerlink" href="#structure" title="Permalink to this headline">¶</a></h2>
+<h2>Structure<a class="headerlink" href="#structure" title="Link to this heading">¶</a></h2>
<p>The krb5.conf file is set up in the style of a Windows INI file.
Lines beginning with ‘#’ or ‘;’ (possibly after initial whitespace)
are ignored as comments. Sections are headed by the section name, in
@@ -83,11 +81,6 @@ the form:</p>
<span class="p">}</span>
</pre></div>
</div>
-<p>Placing a ‘*’ after the closing bracket of a section name indicates
-that the section is <em>final</em>, meaning that if the same section appears
-within a later file specified in <strong>KRB5_CONFIG</strong>, it will be ignored.
-A subsection can be marked as final by placing a ‘*’ after either the
-tag name or the closing brace.</p>
<p>The krb5.conf file can include other files using either of the
following directives at the beginning of a line:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">include</span> <span class="n">FILENAME</span>
@@ -104,6 +97,15 @@ independent of their parents, so each included file must begin with a
section header. Starting in release 1.17, files are read in
alphanumeric order; in previous releases, they may be read in any
order.</p>
+<p>Placing a ‘*’ after the closing bracket of a section name indicates
+that the section is <em>final</em>, meaning that if the same section appears
+again later, it will be ignored. A subsection can be marked as final
+by placing a ‘*’ after either the tag name or the closing brace. A
+relation can be marked as final by placing a ‘*’ after the tag name.
+Prior to release 1.22, only sections and subsections can be marked as
+final, and the flag only causes values to be ignored if they appear in
+later files specified in <strong>KRB5_CONFIG</strong>, not if they appear later
+within the same file or an included file.</p>
<p>The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
following directive at the beginning of a line before any section
@@ -117,13 +119,9 @@ to the module at initialization time. If krb5.conf uses a module
directive, <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> should also use one if it exists.</p>
</section>
<section id="sections">
-<h2>Sections<a class="headerlink" href="#sections" title="Permalink to this headline">¶</a></h2>
+<h2>Sections<a class="headerlink" href="#sections" title="Link to this heading">¶</a></h2>
<p>The krb5.conf file may contain the following sections:</p>
<table class="docutils align-default">
-<colgroup>
-<col style="width: 26%" />
-<col style="width: 74%" />
-</colgroup>
<tbody>
<tr class="row-odd"><td><p><a class="reference internal" href="#libdefaults"><span class="std std-ref">[libdefaults]</span></a></p></td>
<td><p>Settings used by the Kerberos V5 library</p></td>
@@ -148,7 +146,7 @@ directive, <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span c
<p>Additionally, krb5.conf may include any of the relations described in
<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, but it is not a recommended practice.</p>
<section id="libdefaults">
-<span id="id1"></span><h3>[libdefaults]<a class="headerlink" href="#libdefaults" title="Permalink to this headline">¶</a></h3>
+<span id="id1"></span><h3>[libdefaults]<a class="headerlink" href="#libdefaults" title="Link to this heading">¶</a></h3>
<p>The libdefaults section may contain any of the following relations:</p>
<dl>
<dt><strong>allow_des3</strong></dt><dd><p>Permit the KDC to issue tickets with des3-cbc-sha1 session keys.
@@ -258,6 +256,11 @@ it (besides the initial ticket request, which has no encrypted
data), and anything the fake KDC sends will not be trusted without
verification using some secret that it won’t know.</p>
</dd>
+<dt><strong>dns_lookup_realm</strong></dt><dd><p>Indicate whether DNS TXT records should be used to map hostnames
+to realm names for hostnames not listed in the [domain_realm]
+section, and to determine the default realm if <strong>default_realm</strong>
+is not set. The default value is false.</p>
+</dd>
<dt><strong>dns_uri_lookup</strong></dt><dd><p>Indicate whether DNS URI records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
krb5.conf information for the realm. SRV records are used as a
@@ -378,26 +381,30 @@ set. The default is not to search domain components.</p>
<dt><strong>renew_lifetime</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the default renewable lifetime
for initial ticket requests. The default value is 0.</p>
</dd>
+<dt><strong>request_timeout</strong></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> string.) Sets the maximum total time for KDC and
+password change requests. This timeout does not affect the
+intervals between requests, so setting a low timeout may result in
+fewer requests being attempted and/or some servers not being
+contacted. A value of 0 indicates no specific maximum, in which
+case requests will time out if no server responds after several
+tries. The default value is 0. (New in release 1.22.)</p>
+</dd>
<dt><strong>spake_preauth_groups</strong></dt><dd><p>A whitespace or comma-separated list of words which specifies the
groups allowed for SPAKE preauthentication. The possible values
are:</p>
<table class="docutils align-default">
-<colgroup>
-<col style="width: 27%" />
-<col style="width: 73%" />
-</colgroup>
<tbody>
<tr class="row-odd"><td><p>edwards25519</p></td>
-<td><p>Edwards25519 curve (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc7748.html"><strong>RFC 7748</strong></a>)</p></td>
+<td><p>Edwards25519 curve (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc7748.html"><strong>RFC 7748</strong></a>)</p></td>
</tr>
<tr class="row-even"><td><p>P-256</p></td>
-<td><p>NIST P-256 curve (<span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
+<td><p>NIST P-256 curve (<span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
</tr>
<tr class="row-odd"><td><p>P-384</p></td>
-<td><p>NIST P-384 curve (<span class="target" id="index-2"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
+<td><p>NIST P-384 curve (<span class="target" id="index-2"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
</tr>
<tr class="row-even"><td><p>P-521</p></td>
-<td><p>NIST P-521 curve (<span class="target" id="index-3"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
+<td><p>NIST P-521 curve (<span class="target" id="index-3"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5480.html"><strong>RFC 5480</strong></a>)</p></td>
</tr>
</tbody>
</table>
@@ -426,7 +433,7 @@ default value is false.</p>
</dl>
</section>
<section id="realms">
-<span id="id2"></span><h3>[realms]<a class="headerlink" href="#realms" title="Permalink to this headline">¶</a></h3>
+<span id="id2"></span><h3>[realms]<a class="headerlink" href="#realms" title="Link to this heading">¶</a></h3>
<p>Each tag in the [realms] section of the file is the name of a Kerberos
realm. The value of the tag is a subsection with relations that
define the properties of that particular realm. For each realm, the
@@ -516,19 +523,20 @@ to a value conforming to one of the previous values. For example,
<code class="docutils literal notranslate"><span class="pre">ENV:X509_PROXY_CA</span></code>, where environment variable <code class="docutils literal notranslate"><span class="pre">X509_PROXY_CA</span></code> has
been set to <code class="docutils literal notranslate"><span class="pre">FILE:/tmp/my_proxy.pem</span></code>.</p>
</dd>
-<dt><strong>kdc</strong></dt><dd><p>The name or address of a host running a KDC for that realm. An
-optional port number, separated from the hostname by a colon, may
-be included. If the name or address contains colons (for example,
-if it is an IPv6 address), enclose it in square brackets to
+<dt><strong>kdc</strong></dt><dd><p>The name or address of a host running a KDC for the realm, or a
+UNIX domain socket path of a locally running KDC. An optional
+port number, separated from the hostname by a colon, may be
+included. If the name or address contains colons (for example, if
+it is an IPv6 address), enclose it in square brackets to
distinguish the colon from a port separator. For your computer to
be able to communicate with the KDC for each realm, this tag must
be given a value in each realm subsection in the configuration
file, or there must be DNS SRV records specifying the KDCs.</p>
</dd>
-<dt><strong>kpasswd_server</strong></dt><dd><p>Points to the server where all the password changes are performed.
-If there is no such entry, DNS will be queried (unless forbidden
-by <strong>dns_lookup_kdc</strong>). Finally, port 464 on the <strong>admin_server</strong>
-host will be tried.</p>
+<dt><strong>kpasswd_server</strong></dt><dd><p>The location of the password change server for the realm, using
+the same syntax as <strong>kdc</strong>. If there is no such entry, DNS will
+be queried (unless forbidden by <strong>dns_lookup_kdc</strong>). Finally,
+port 464 on the <strong>admin_server</strong> host will be tried.</p>
</dd>
<dt><strong>master_kdc</strong></dt><dd><p>The name for <strong>primary_kdc</strong> prior to release 1.19. Its value is
used as a fallback if <strong>primary_kdc</strong> is not specified.</p>
@@ -540,6 +548,9 @@ primary KDC, in case the user’s password has just been changed, and
the updated database has not been propagated to the replica
servers yet. New in release 1.19.</p>
</dd>
+<dt><strong>sitename</strong></dt><dd><p>Specifies the name of the host’s site for the purpose of DNS-based
+KDC discovery for this realm. New in release 1.22.</p>
+</dd>
<dt><strong>v4_instance_convert</strong></dt><dd><p>This subsection allows the administrator to configure exceptions
to the <strong>default_domain</strong> mapping rule. It contains V4 instances
(the tag name) which should be translated to some specific
@@ -555,7 +566,7 @@ is the Kerberos V4 realm name.</p>
</dl>
</section>
<section id="domain-realm">
-<span id="id3"></span><h3>[domain_realm]<a class="headerlink" href="#domain-realm" title="Permalink to this headline">¶</a></h3>
+<span id="id3"></span><h3>[domain_realm]<a class="headerlink" href="#domain-realm" title="Link to this heading">¶</a></h3>
<p>The [domain_realm] section provides a translation from hostnames to
Kerberos realms. Each tag is a domain name, providing the mapping for
that domain and all subdomains. If the tag begins with a period
@@ -584,7 +595,7 @@ hostname’s domain portion converted to uppercase, unless the
parent domain to be used.</p>
</section>
<section id="capaths">
-<span id="id4"></span><h3>[capaths]<a class="headerlink" href="#capaths" title="Permalink to this headline">¶</a></h3>
+<span id="id4"></span><h3>[capaths]<a class="headerlink" href="#capaths" title="Link to this heading">¶</a></h3>
<p>In order to perform direct (non-hierarchical) cross-realm
authentication, configuration is needed to determine the
authentication paths between realms.</p>
@@ -660,7 +671,7 @@ the order of values to determine the path. The order of values is not
important to servers.</p>
</section>
<section id="appdefaults">
-<span id="id5"></span><h3>[appdefaults]<a class="headerlink" href="#appdefaults" title="Permalink to this headline">¶</a></h3>
+<span id="id5"></span><h3>[appdefaults]<a class="headerlink" href="#appdefaults" title="Link to this heading">¶</a></h3>
<p>Each tag in the [appdefaults] section names a Kerberos V5 application
or an option that is used by some Kerberos V5 application[s]. The
value of the tag defines the default behaviors for that application.</p>
@@ -694,7 +705,7 @@ that application’s man pages. The application defaults specified here
are overridden by those specified in the <a class="reference internal" href="#realms">realms</a> section.</p>
</section>
<section id="plugins">
-<span id="id6"></span><h3>[plugins]<a class="headerlink" href="#plugins" title="Permalink to this headline">¶</a></h3>
+<span id="id6"></span><h3>[plugins]<a class="headerlink" href="#plugins" title="Link to this heading">¶</a></h3>
<blockquote>
<div><ul class="simple">
<li><p><a class="reference internal" href="#pwqual">pwqual</a> interface</p></li>
@@ -734,7 +745,7 @@ order of those tags overrides the normal module order.</p>
<p>The following subsections are currently supported within the [plugins]
section:</p>
<section id="ccselect-interface">
-<span id="ccselect"></span><h4>ccselect interface<a class="headerlink" href="#ccselect-interface" title="Permalink to this headline">¶</a></h4>
+<span id="ccselect"></span><h4>ccselect interface<a class="headerlink" href="#ccselect-interface" title="Link to this heading">¶</a></h4>
<p>The ccselect subsection controls modules for credential cache
selection within a cache collection. In addition to any registered
dynamic modules, the following built-in modules exist (and may be
@@ -752,7 +763,7 @@ to guess an appropriate cache from the collection</p>
</dl>
</section>
<section id="pwqual-interface">
-<span id="pwqual"></span><h4>pwqual interface<a class="headerlink" href="#pwqual-interface" title="Permalink to this headline">¶</a></h4>
+<span id="pwqual"></span><h4>pwqual interface<a class="headerlink" href="#pwqual-interface" title="Link to this heading">¶</a></h4>
<p>The pwqual subsection controls modules for the password quality
interface, which is used to reject weak passwords when passwords are
changed. The following built-in modules exist for this interface:</p>
@@ -769,7 +780,7 @@ was built with Hesiod support)</p>
</dl>
</section>
<section id="kadm5-hook-interface">
-<span id="kadm5-hook"></span><h4>kadm5_hook interface<a class="headerlink" href="#kadm5-hook-interface" title="Permalink to this headline">¶</a></h4>
+<span id="kadm5-hook"></span><h4>kadm5_hook interface<a class="headerlink" href="#kadm5-hook-interface" title="Link to this heading">¶</a></h4>
<p>The kadm5_hook interface provides plugins with information on
principal creation, modification, password changes and deletion. This
interface can be used to write a plugin to synchronize MIT Kerberos
@@ -777,7 +788,7 @@ with another database such as Active Directory. No plugins are built
in for this interface.</p>
</section>
<section id="kadm5-auth-interface">
-<span id="kadm5-auth"></span><h4>kadm5_auth interface<a class="headerlink" href="#kadm5-auth-interface" title="Permalink to this headline">¶</a></h4>
+<span id="kadm5-auth"></span><h4>kadm5_auth interface<a class="headerlink" href="#kadm5-auth-interface" title="Link to this heading">¶</a></h4>
<p>The kadm5_auth section (introduced in release 1.16) controls modules
for the kadmin authorization interface, which determines whether a
client principal is allowed to perform a kadmin operation. The
@@ -794,7 +805,7 @@ record associated with the client principal.</p>
</dl>
</section>
<section id="clpreauth-and-kdcpreauth-interfaces">
-<span id="kdcpreauth"></span><span id="clpreauth"></span><h4>clpreauth and kdcpreauth interfaces<a class="headerlink" href="#clpreauth-and-kdcpreauth-interfaces" title="Permalink to this headline">¶</a></h4>
+<span id="kdcpreauth"></span><span id="clpreauth"></span><h4>clpreauth and kdcpreauth interfaces<a class="headerlink" href="#clpreauth-and-kdcpreauth-interfaces" title="Link to this heading">¶</a></h4>
<p>The clpreauth and kdcpreauth interfaces allow plugin modules to
provide client and KDC preauthentication mechanisms. The following
built-in modules exist for these interfaces:</p>
@@ -808,7 +819,7 @@ built-in modules exist for these interfaces:</p>
</dl>
</section>
<section id="hostrealm-interface">
-<span id="hostrealm"></span><h4>hostrealm interface<a class="headerlink" href="#hostrealm-interface" title="Permalink to this headline">¶</a></h4>
+<span id="hostrealm"></span><h4>hostrealm interface<a class="headerlink" href="#hostrealm-interface" title="Link to this heading">¶</a></h4>
<p>The hostrealm section (introduced in release 1.12) controls modules
for the host-to-realm interface, which affects the local mapping of
hostnames to realm names and the choice of default realm. The following
@@ -830,7 +841,7 @@ produce a result.</p>
</dl>
</section>
<section id="localauth-interface">
-<span id="localauth"></span><h4>localauth interface<a class="headerlink" href="#localauth-interface" title="Permalink to this headline">¶</a></h4>
+<span id="localauth"></span><h4>localauth interface<a class="headerlink" href="#localauth-interface" title="Link to this heading">¶</a></h4>
<p>The localauth section (introduced in release 1.12) controls modules
for the local authorization interface, which affects the relationship
between Kerberos principals and local system accounts. The following
@@ -858,7 +869,7 @@ principal name maps to the local account name.</p>
</dl>
</section>
<section id="certauth-interface">
-<span id="certauth"></span><h4>certauth interface<a class="headerlink" href="#certauth-interface" title="Permalink to this headline">¶</a></h4>
+<span id="certauth"></span><h4>certauth interface<a class="headerlink" href="#certauth-interface" title="Link to this heading">¶</a></h4>
<p>The certauth section (introduced in release 1.16) controls modules for
the certificate authorization interface, which determines whether a
certificate is allowed to preauthenticate a user via PKINIT. The
@@ -882,7 +893,7 @@ the client principal, if that attribute is present.</p>
</section>
</section>
<section id="pkinit-options">
-<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Permalink to this headline">¶</a></h2>
+<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Link to this heading">¶</a></h2>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The following are PKINIT-specific options. These values may
@@ -917,7 +928,7 @@ A realm-specific value overrides, not adds to, a generic
</li>
</ol>
<section id="specifying-pkinit-identity-information">
-<span id="pkinit-identity"></span><h3>Specifying PKINIT identity information<a class="headerlink" href="#specifying-pkinit-identity-information" title="Permalink to this headline">¶</a></h3>
+<span id="pkinit-identity"></span><h3>Specifying PKINIT identity information<a class="headerlink" href="#specifying-pkinit-identity-information" title="Link to this heading">¶</a></h3>
<p>The syntax for specifying Public Key identity, trust, and revocation
information for PKINIT is as follows:</p>
<dl>
@@ -960,8 +971,10 @@ module-name is specified, the default is <a class="reference internal" href="../
a particular smard card reader or token if there is more than one
available. <code class="docutils literal notranslate"><span class="pre">certid=</span></code> and/or <code class="docutils literal notranslate"><span class="pre">certlabel=</span></code> may be specified to
force the selection of a particular certificate on the device.
-See the <strong>pkinit_cert_match</strong> configuration option for more ways
-to select a particular certificate to use for PKINIT.</p>
+Specifier values must not contain colon characters, as colons are
+always treated as separators. See the <strong>pkinit_cert_match</strong>
+configuration option for more ways to select a particular
+certificate to use for PKINIT.</p>
</dd>
<dt><strong>ENV:</strong><em>envvar</em></dt><dd><p><em>envvar</em> specifies the name of an environment variable which has
been set to a value conforming to one of the previous values. For
@@ -971,7 +984,7 @@ example, <code class="docutils literal notranslate"><span class="pre">ENV:X509_P
</dl>
</section>
<section id="pkinit-krb5-conf-options">
-<h3>PKINIT krb5.conf options<a class="headerlink" href="#pkinit-krb5-conf-options" title="Permalink to this headline">¶</a></h3>
+<h3>PKINIT krb5.conf options<a class="headerlink" href="#pkinit-krb5-conf-options" title="Link to this heading">¶</a></h3>
<dl>
<dt><strong>pkinit_anchors</strong></dt><dd><p>Specifies the location of trusted anchor (root) certificates which
the client trusts to sign KDC certificates. This option may be
@@ -986,7 +999,7 @@ attempting PKINIT authentication. This option may be specified
multiple times. All the available certificates are checked
against each rule in order until there is a match of exactly one
certificate.</p>
-<p>The Subject and Issuer comparison strings are the <span class="target" id="index-4"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc2253.html"><strong>RFC 2253</strong></a>
+<p>The Subject and Issuer comparison strings are the <span class="target" id="index-4"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc2253.html"><strong>RFC 2253</strong></a>
string representations from the certificate Subject DN and Issuer
DN values.</p>
<p>The syntax of the matching rules is:</p>
@@ -1044,7 +1057,7 @@ issuing CA has certified this as a KDC certificate.) The values
recognized in the krb5.conf file are:</p>
<dl class="simple">
<dt><strong>kpKDC</strong></dt><dd><p>This is the default value and specifies that the KDC must have
-the id-pkinit-KPKdc EKU as defined in <span class="target" id="index-5"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>.</p>
+the id-pkinit-KPKdc EKU as defined in <span class="target" id="index-5"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>.</p>
</dd>
<dt><strong>kpServerAuth</strong></dt><dd><p>If <strong>kpServerAuth</strong> is specified, a KDC certificate with the
id-kp-serverAuth EKU will be accepted. This key usage value
@@ -1056,9 +1069,10 @@ option is not recommended.</p>
</dd>
</dl>
</dd>
-<dt><strong>pkinit_dh_min_bits</strong></dt><dd><p>Specifies the size of the Diffie-Hellman key the client will
-attempt to use. The acceptable values are 1024, 2048, and 4096.
-The default is 2048.</p>
+<dt><strong>pkinit_dh_min_bits</strong></dt><dd><p>Specifies the group of the Diffie-Hellman key the client will
+attempt to use. The acceptable values are 1024, 2048, P-256,
+4096, P-384, and P-521. The default is 2048. (P-256, P-384, and
+P-521 are new in release 1.22.)</p>
</dd>
<dt><strong>pkinit_identities</strong></dt><dd><p>Specifies the location(s) to be used to find the user’s X.509
identity information. If this option is specified multiple times,
@@ -1069,7 +1083,7 @@ Note that these values are not used if the user specifies
<dt><strong>pkinit_kdc_hostname</strong></dt><dd><p>The presence of this option indicates that the client is willing
to accept a KDC certificate with a dNSName SAN (Subject
Alternative Name) rather than requiring the id-pkinit-san as
-defined in <span class="target" id="index-6"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>. This option may be specified multiple
+defined in <span class="target" id="index-6"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc4556.html"><strong>RFC 4556</strong></a>. This option may be specified multiple
times. Its value should contain the acceptable hostname for the
KDC (as contained in its certificate).</p>
</dd>
@@ -1100,16 +1114,12 @@ multiple times.</p>
</section>
</section>
<section id="parameter-expansion">
-<span id="id7"></span><h2>Parameter expansion<a class="headerlink" href="#parameter-expansion" title="Permalink to this headline">¶</a></h2>
+<span id="id7"></span><h2>Parameter expansion<a class="headerlink" href="#parameter-expansion" title="Link to this heading">¶</a></h2>
<p>Starting with release 1.11, several variables, such as
<strong>default_keytab_name</strong>, allow parameters to be expanded.
Valid parameters are:</p>
<blockquote>
<div><table class="docutils align-default">
-<colgroup>
-<col style="width: 25%" />
-<col style="width: 75%" />
-</colgroup>
<tbody>
<tr class="row-odd"><td><p>%{TEMP}</p></td>
<td><p>Temporary directory</p></td>
@@ -1164,7 +1174,7 @@ Valid parameters are:</p>
</div></blockquote>
</section>
<section id="sample-krb5-conf-file">
-<h2>Sample krb5.conf file<a class="headerlink" href="#sample-krb5-conf-file" title="Permalink to this headline">¶</a></h2>
+<h2>Sample krb5.conf file<a class="headerlink" href="#sample-krb5-conf-file" title="Link to this heading">¶</a></h2>
<p>Here is an example of a generic krb5.conf file:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
<span class="n">default_realm</span> <span class="o">=</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
@@ -1199,11 +1209,11 @@ Valid parameters are:</p>
</div>
</section>
<section id="files">
-<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2>
+<h2>FILES<a class="headerlink" href="#files" title="Link to this heading">¶</a></h2>
<p><code class="docutils literal notranslate"><span class="pre">/etc/krb5.conf</span></code></p>
</section>
<section id="see-also">
-<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading">¶</a></h2>
<p>syslog(3)</p>
</section>
</section>
@@ -1316,8 +1326,8 @@ Valid parameters are:</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/conf_ldap.html b/crypto/krb5/doc/html/admin/conf_ldap.html
index c5b390b54adf..d43a45cfd90c 100644
--- a/crypto/krb5/doc/html/admin/conf_ldap.html
+++ b/crypto/krb5/doc/html/admin/conf_ldap.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Configuring Kerberos with OpenLDAP back-end &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="configuring-kerberos-with-openldap-back-end">
-<span id="conf-ldap"></span><h1>Configuring Kerberos with OpenLDAP back-end<a class="headerlink" href="#configuring-kerberos-with-openldap-back-end" title="Permalink to this headline">¶</a></h1>
+<span id="conf-ldap"></span><h1>Configuring Kerberos with OpenLDAP back-end<a class="headerlink" href="#configuring-kerberos-with-openldap-back-end" title="Link to this heading">¶</a></h1>
<blockquote>
<div><ol class="arabic">
<li><p>Make sure the LDAP server is using local authentication
@@ -161,9 +159,10 @@ details.</p></li>
</ol>
</div></blockquote>
<p>With the LDAP back end it is possible to provide aliases for principal
-entries. Currently we provide no administrative utilities for
-creating aliases, so it must be done by direct manipulation of the
-LDAP entries.</p>
+entries. Beginning in release 1.22, aliases can be added with the
+kadmin <strong>add_alias</strong> command, but it is also possible (in release 1.7
+or later) to provide aliases through direct manipulation of the LDAP
+entries.</p>
<p>An entry with aliases contains multiple values of the
<em>krbPrincipalName</em> attribute. Since LDAP attribute values are not
ordered, it is necessary to specify which principal name is canonical,
@@ -251,8 +250,8 @@ for initial ticket requests.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/database.html b/crypto/krb5/doc/html/admin/database.html
index 2c668f64551d..82bf7a225306 100644
--- a/crypto/krb5/doc/html/admin/database.html
+++ b/crypto/krb5/doc/html/admin/database.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Database administration &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="database-administration">
-<h1>Database administration<a class="headerlink" href="#database-administration" title="Permalink to this headline">¶</a></h1>
+<h1>Database administration<a class="headerlink" href="#database-administration" title="Link to this heading">¶</a></h1>
<p>A Kerberos database contains all of a realm’s Kerberos principals,
their passwords, and other administrative information about each
principal. For the most part, you will use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>
@@ -87,7 +85,7 @@ from the KDC, and uses that service ticket to authenticate to KADM5.</p>
<p>See <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for the available kadmin and kadmin.local
commands and options.</p>
<section id="principals">
-<span id="id1"></span><h2>Principals<a class="headerlink" href="#principals" title="Permalink to this headline">¶</a></h2>
+<span id="id1"></span><h2>Principals<a class="headerlink" href="#principals" title="Link to this heading">¶</a></h2>
<p>Each entry in the Kerberos database contains a Kerberos principal and
the attributes and policies associated with that principal.</p>
<p>To add a principal to the database, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>
@@ -133,9 +131,12 @@ password policies as would apply to password changes made through
<strong>get_principal</strong> command.</p>
<p>To generate a listing of principals, use the kadmin
<strong>list_principals</strong> command.</p>
+<p>To give a principal additional names, use the kadmin <strong>add_alias</strong>
+command to create aliases to the principal (new in release 1.22).
+Aliases can be removed with the <strong>delete_principal</strong> command.</p>
</section>
<section id="policies">
-<span id="id2"></span><h2>Policies<a class="headerlink" href="#policies" title="Permalink to this headline">¶</a></h2>
+<span id="id2"></span><h2>Policies<a class="headerlink" href="#policies" title="Link to this heading">¶</a></h2>
<p>A policy is a set of rules governing passwords. Policies can dictate
minimum and maximum password lifetimes, minimum number of characters
and character classes a password must contain, and the number of old
@@ -159,7 +160,7 @@ deleted afterwards. kadmin will warn when associated a principal with
a nonexistent policy, and will annotate the policy name with “[does
not exist]” in the <strong>get_principal</strong> output.</p>
<section id="updating-the-history-key">
-<span id="updating-history-key"></span><h3>Updating the history key<a class="headerlink" href="#updating-the-history-key" title="Permalink to this headline">¶</a></h3>
+<span id="updating-history-key"></span><h3>Updating the history key<a class="headerlink" href="#updating-the-history-key" title="Link to this heading">¶</a></h3>
<p>If a policy specifies a number of old keys kept of two or more, the
stored old keys are encrypted in a history key, which is found in the
key data of the <code class="docutils literal notranslate"><span class="pre">kadmin/history</span></code> principal.</p>
@@ -179,7 +180,7 @@ rollover support for stored old keys.</p>
</section>
</section>
<section id="privileges">
-<span id="id3"></span><h2>Privileges<a class="headerlink" href="#privileges" title="Permalink to this headline">¶</a></h2>
+<span id="id3"></span><h2>Privileges<a class="headerlink" href="#privileges" title="Link to this heading">¶</a></h2>
<p>Administrative privileges for the Kerberos database are stored in the
file <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>.</p>
<div class="admonition note">
@@ -194,7 +195,7 @@ only when he actually needs to use those permissions.</p>
</div>
</section>
<section id="operations-on-the-kerberos-database">
-<span id="db-operations"></span><h2>Operations on the Kerberos database<a class="headerlink" href="#operations-on-the-kerberos-database" title="Permalink to this headline">¶</a></h2>
+<span id="db-operations"></span><h2>Operations on the Kerberos database<a class="headerlink" href="#operations-on-the-kerberos-database" title="Link to this heading">¶</a></h2>
<p>The <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> command is the primary tool for administrating
the Kerberos database when using the DB2 or LMDB modules (see
<a class="reference internal" href="dbtypes.html#dbtypes"><span class="std std-ref">Database types</span></a>). Creating a database is described in
@@ -218,7 +219,7 @@ OK, deleting database &#39;/var/krb5kdc/principal&#39;...
</pre></div>
</div>
<section id="dumping-and-loading-a-kerberos-database">
-<span id="restore-from-dump"></span><h3>Dumping and loading a Kerberos database<a class="headerlink" href="#dumping-and-loading-a-kerberos-database" title="Permalink to this headline">¶</a></h3>
+<span id="restore-from-dump"></span><h3>Dumping and loading a Kerberos database<a class="headerlink" href="#dumping-and-loading-a-kerberos-database" title="Link to this heading">¶</a></h3>
<p>To dump a Kerberos database into a text file for backup or transfer
purposes, use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> <strong>dump</strong> command on one of the
KDCs:</p>
@@ -256,7 +257,7 @@ given, <em>kdb5_util</em> will overwrite the existing database.</p>
</div>
</section>
<section id="updating-the-master-key">
-<span id="updating-master-key"></span><h3>Updating the master key<a class="headerlink" href="#updating-the-master-key" title="Permalink to this headline">¶</a></h3>
+<span id="updating-master-key"></span><h3>Updating the master key<a class="headerlink" href="#updating-the-master-key" title="Link to this heading">¶</a></h3>
<p>Starting with release 1.7, <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> allows the master key
to be changed using a rollover process, with minimal loss of
availability. To roll over the master key, follow these steps:</p>
@@ -309,7 +310,7 @@ old master key.</p></li>
</section>
</section>
<section id="operations-on-the-ldap-database">
-<span id="ops-on-ldap"></span><h2>Operations on the LDAP database<a class="headerlink" href="#operations-on-the-ldap-database" title="Permalink to this headline">¶</a></h2>
+<span id="ops-on-ldap"></span><h2>Operations on the LDAP database<a class="headerlink" href="#operations-on-the-ldap-database" title="Link to this heading">¶</a></h2>
<p>The <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a> command is the primary tool for
administrating the Kerberos database when using the LDAP module.
Creating an LDAP Kerberos database is describe in <a class="reference internal" href="conf_ldap.html#conf-ldap"><span class="std std-ref">Configuring Kerberos with OpenLDAP back-end</span></a>.</p>
@@ -342,7 +343,7 @@ OK, deleting database of &#39;KRBTEST.COM&#39;...
</pre></div>
</div>
<section id="ticket-policy-operations">
-<h3>Ticket Policy operations<a class="headerlink" href="#ticket-policy-operations" title="Permalink to this headline">¶</a></h3>
+<h3>Ticket Policy operations<a class="headerlink" href="#ticket-policy-operations" title="Link to this heading">¶</a></h3>
<p>Unlike the DB2 and LMDB modules, the LDAP module supports ticket
policy objects, which can be associated with principals to restrict
maximum ticket lifetimes and set mandatory principal flags. Ticket
@@ -394,7 +395,7 @@ This will delete the policy object &#39;users&#39;, are you sure?
</section>
</section>
<section id="cross-realm-authentication">
-<span id="xrealm-authn"></span><h2>Cross-realm authentication<a class="headerlink" href="#cross-realm-authentication" title="Permalink to this headline">¶</a></h2>
+<span id="xrealm-authn"></span><h2>Cross-realm authentication<a class="headerlink" href="#cross-realm-authentication" title="Link to this heading">¶</a></h2>
<p>In order for a KDC in one realm to authenticate Kerberos users in a
different realm, it must share a key with the KDC in the other realm.
In both databases, there must be krbtgt service principals for both realms.
@@ -434,7 +435,7 @@ at least 26 characters of random ASCII text.</p>
</div>
</section>
<section id="changing-the-krbtgt-key">
-<span id="changing-krbtgt-key"></span><h2>Changing the krbtgt key<a class="headerlink" href="#changing-the-krbtgt-key" title="Permalink to this headline">¶</a></h2>
+<span id="changing-krbtgt-key"></span><h2>Changing the krbtgt key<a class="headerlink" href="#changing-the-krbtgt-key" title="Link to this heading">¶</a></h2>
<p>A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the
principal <code class="docutils literal notranslate"><span class="pre">krbtgt/REALM</span></code>. The key for this principal is created
when the Kerberos database is initialized and need not be changed.
@@ -476,9 +477,9 @@ krbtgt key change and the modified ticket is obtained afterwards.
Upgrading the KDC to release 1.14 or later will correct this bug.</p>
</section>
<section id="incremental-database-propagation">
-<span id="incr-db-prop"></span><h2>Incremental database propagation<a class="headerlink" href="#incremental-database-propagation" title="Permalink to this headline">¶</a></h2>
+<span id="incr-db-prop"></span><h2>Incremental database propagation<a class="headerlink" href="#incremental-database-propagation" title="Link to this heading">¶</a></h2>
<section id="overview">
-<h3>Overview<a class="headerlink" href="#overview" title="Permalink to this headline">¶</a></h3>
+<h3>Overview<a class="headerlink" href="#overview" title="Link to this heading">¶</a></h3>
<p>At some very large sites, dumping and transmitting the database can
take more time than is desirable for changes to propagate from the
primary KDC to the replica KDCs. The incremental propagation support
@@ -493,11 +494,6 @@ check. By default, this check is done every two minutes.</p>
<p>Incremental propagation uses the following entries in the per-realm
data in the KDC config file (See <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>):</p>
<table class="docutils align-default">
-<colgroup>
-<col style="width: 4%" />
-<col style="width: 3%" />
-<col style="width: 94%" />
-</colgroup>
<tbody>
<tr class="row-odd"><td><p>iprop_enable</p></td>
<td><p><em>boolean</em></p></td>
@@ -566,7 +562,7 @@ both directions, without an intervening NAT.</p></li>
</ul>
</section>
<section id="sun-mit-incremental-propagation-differences">
-<h3>Sun/MIT incremental propagation differences<a class="headerlink" href="#sun-mit-incremental-propagation-differences" title="Permalink to this headline">¶</a></h3>
+<h3>Sun/MIT incremental propagation differences<a class="headerlink" href="#sun-mit-incremental-propagation-differences" title="Link to this heading">¶</a></h3>
<p>Sun donated the original code for supporting incremental database
propagation to MIT. Some changes have been made in the MIT source
tree that will be visible to administrators. (These notes are based
@@ -686,8 +682,8 @@ config file, and the per-replica dump files are stored in
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/dbtypes.html b/crypto/krb5/doc/html/admin/dbtypes.html
index af0f101fcb6b..ce0f45850902 100644
--- a/crypto/krb5/doc/html/admin/dbtypes.html
+++ b/crypto/krb5/doc/html/admin/dbtypes.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Database types &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="database-types">
-<span id="dbtypes"></span><h1>Database types<a class="headerlink" href="#database-types" title="Permalink to this headline">¶</a></h1>
+<span id="dbtypes"></span><h1>Database types<a class="headerlink" href="#database-types" title="Link to this heading">¶</a></h1>
<p>A Kerberos database can be implemented with one of three built-in
database providers, called KDB modules. Software which incorporates
the MIT krb5 KDC may also provide its own KDB module. The following
@@ -79,7 +77,7 @@ LDAP, create the new database using <code class="docutils literal notranslate"><
from the dump file using <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">load</span> <span class="pre">-update</span></code>. Then restart the
<a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> and <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> services.</p>
<section id="berkeley-database-module-db2">
-<h2>Berkeley database module (db2)<a class="headerlink" href="#berkeley-database-module-db2" title="Permalink to this headline">¶</a></h2>
+<h2>Berkeley database module (db2)<a class="headerlink" href="#berkeley-database-module-db2" title="Link to this heading">¶</a></h2>
<p>The default KDB module is <code class="docutils literal notranslate"><span class="pre">db2</span></code>, which uses a version of the
Berkeley DB library. It creates four files based on the database
pathname. If the pathname ends with <code class="docutils literal notranslate"><span class="pre">principal</span></code> then the four files
@@ -116,7 +114,7 @@ the database backwards may also retrieve some of the data which is not
retrieved by a normal dump operation.</p>
</section>
<section id="lightning-memory-mapped-database-module-klmdb">
-<h2>Lightning Memory-Mapped Database module (klmdb)<a class="headerlink" href="#lightning-memory-mapped-database-module-klmdb" title="Permalink to this headline">¶</a></h2>
+<h2>Lightning Memory-Mapped Database module (klmdb)<a class="headerlink" href="#lightning-memory-mapped-database-module-klmdb" title="Link to this heading">¶</a></h2>
<p>The klmdb module was added in release 1.17. It uses the LMDB library,
and may offer better performance and reliability than the db2 module.
It creates four files based on the database pathname. If the pathname
@@ -171,7 +169,7 @@ primary database.</p>
<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>lock</strong> command.</p>
</section>
<section id="ldap-module-kldap">
-<h2>LDAP module (kldap)<a class="headerlink" href="#ldap-module-kldap" title="Permalink to this headline">¶</a></h2>
+<h2>LDAP module (kldap)<a class="headerlink" href="#ldap-module-kldap" title="Link to this heading">¶</a></h2>
<p>The kldap module stores principal and policy data using an LDAP
server. To use it you must configure an LDAP server to use the
Kerberos schema. See <a class="reference internal" href="conf_ldap.html#conf-ldap"><span class="std std-ref">Configuring Kerberos with OpenLDAP back-end</span></a> for details.</p>
@@ -264,8 +262,8 @@ requests.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/dictionary.html b/crypto/krb5/doc/html/admin/dictionary.html
index c9b441390e21..12ff2f2187ad 100644
--- a/crypto/krb5/doc/html/admin/dictionary.html
+++ b/crypto/krb5/doc/html/admin/dictionary.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Addressing dictionary attack risks &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="addressing-dictionary-attack-risks">
-<span id="dictionary"></span><h1>Addressing dictionary attack risks<a class="headerlink" href="#addressing-dictionary-attack-risks" title="Permalink to this headline">¶</a></h1>
+<span id="dictionary"></span><h1>Addressing dictionary attack risks<a class="headerlink" href="#addressing-dictionary-attack-risks" title="Link to this heading">¶</a></h1>
<p>Kerberos initial authentication is normally secured using the client
principal’s long-term key, which for users is generally derived from a
password. Using a pasword-derived long-term key carries the risk of a
@@ -202,8 +200,8 @@ and dictionary attacks are usually not a concern.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/enctypes.html b/crypto/krb5/doc/html/admin/enctypes.html
index cfe92410fdba..39ea0772bda7 100644
--- a/crypto/krb5/doc/html/admin/enctypes.html
+++ b/crypto/krb5/doc/html/admin/enctypes.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Encryption types &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,13 +51,13 @@
<div class="body" role="main">
<section id="encryption-types">
-<span id="enctypes"></span><h1>Encryption types<a class="headerlink" href="#encryption-types" title="Permalink to this headline">¶</a></h1>
+<span id="enctypes"></span><h1>Encryption types<a class="headerlink" href="#encryption-types" title="Link to this heading">¶</a></h1>
<p>Kerberos can use a variety of cipher algorithms to protect data. A
Kerberos <strong>encryption type</strong> (also known as an <strong>enctype</strong>) is a
specific combination of a cipher algorithm with an integrity algorithm
to provide both confidentiality and integrity to data.</p>
<section id="enctypes-in-requests">
-<h2>Enctypes in requests<a class="headerlink" href="#enctypes-in-requests" title="Permalink to this headline">¶</a></h2>
+<h2>Enctypes in requests<a class="headerlink" href="#enctypes-in-requests" title="Link to this heading">¶</a></h2>
<p>Clients make two types of requests (KDC-REQ) to the KDC: AS-REQs and
TGS-REQs. The client uses the AS-REQ to obtain initial tickets
(typically a Ticket-Granting Ticket (TGT)), and uses the TGS-REQ to
@@ -84,7 +82,7 @@ session key selection and the reply-encrypting key selection. For the
TGS-REQ, this list only affects the session key selection.</p>
</section>
<section id="session-key-selection">
-<span id="id1"></span><h2>Session key selection<a class="headerlink" href="#session-key-selection" title="Permalink to this headline">¶</a></h2>
+<span id="id1"></span><h2>Session key selection<a class="headerlink" href="#session-key-selection" title="Link to this heading">¶</a></h2>
<p>The KDC chooses the session key enctype by taking the intersection of
its <strong>permitted_enctypes</strong> list, the list of long-term keys for the
most recent kvno of the service, and the client’s requested list of
@@ -98,7 +96,7 @@ long-term keys and the assumption of aes256-cts-hmac-sha1-96 support.
See <a class="reference internal" href="admin_commands/kadmin_local.html#set-string"><span class="std std-ref">set_string</span></a> in <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for details.</p>
</section>
<section id="choosing-enctypes-for-a-service">
-<h2>Choosing enctypes for a service<a class="headerlink" href="#choosing-enctypes-for-a-service" title="Permalink to this headline">¶</a></h2>
+<h2>Choosing enctypes for a service<a class="headerlink" href="#choosing-enctypes-for-a-service" title="Link to this heading">¶</a></h2>
<p>Generally, a service should have a key of the strongest
enctype that both it and the KDC support. If the KDC is running a
release earlier than krb5-1.11, it is also useful to generate an
@@ -112,7 +110,7 @@ independently of the set of long-term keys that the KDC has stored for
a service principal.</p>
</section>
<section id="configuration-variables">
-<h2>Configuration variables<a class="headerlink" href="#configuration-variables" title="Permalink to this headline">¶</a></h2>
+<h2>Configuration variables<a class="headerlink" href="#configuration-variables" title="Link to this heading">¶</a></h2>
<p>The following <code class="docutils literal notranslate"><span class="pre">[libdefaults]</span></code> settings in <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> will
affect how enctypes are chosen.</p>
<dl class="simple">
@@ -165,15 +163,9 @@ passwords</p>
</dl>
</section>
<section id="enctype-compatibility">
-<h2>Enctype compatibility<a class="headerlink" href="#enctype-compatibility" title="Permalink to this headline">¶</a></h2>
+<h2>Enctype compatibility<a class="headerlink" href="#enctype-compatibility" title="Link to this heading">¶</a></h2>
<p>See <a class="reference internal" href="conf_files/kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> for additional information about enctypes.</p>
<table class="docutils align-default">
-<colgroup>
-<col style="width: 51%" />
-<col style="width: 20%" />
-<col style="width: 16%" />
-<col style="width: 14%" />
-</colgroup>
<thead>
<tr class="row-odd"><th class="head"><p>enctype</p></th>
<th class="head"><p>weak?</p></th>
@@ -256,7 +248,7 @@ disable <code class="docutils literal notranslate"><span class="pre">des3-cbc-sh
it.</p>
</section>
<section id="migrating-away-from-older-encryption-types">
-<h2>Migrating away from older encryption types<a class="headerlink" href="#migrating-away-from-older-encryption-types" title="Permalink to this headline">¶</a></h2>
+<h2>Migrating away from older encryption types<a class="headerlink" href="#migrating-away-from-older-encryption-types" title="Link to this heading">¶</a></h2>
<p>Administrator intervention may be required to migrate a realm away
from legacy encryption types, especially if the realm was created
using krb5 release 1.2 or earlier. This migration should be performed
@@ -378,8 +370,8 @@ be ignored.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/env_variables.html b/crypto/krb5/doc/html/admin/env_variables.html
index d7bbc8f5b002..b0c410511f5d 100644
--- a/crypto/krb5/doc/html/admin/env_variables.html
+++ b/crypto/krb5/doc/html/admin/env_variables.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Environment variables &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="environment-variables">
-<h1>Environment variables<a class="headerlink" href="#environment-variables" title="Permalink to this headline">¶</a></h1>
+<h1>Environment variables<a class="headerlink" href="#environment-variables" title="Link to this heading">¶</a></h1>
<p>This content has moved to <a class="reference internal" href="../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a>.</p>
</section>
@@ -129,8 +127,8 @@
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/host_config.html b/crypto/krb5/doc/html/admin/host_config.html
index 709c6dcf7263..244bea57db4a 100644
--- a/crypto/krb5/doc/html/admin/host_config.html
+++ b/crypto/krb5/doc/html/admin/host_config.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Host configuration &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,13 +51,13 @@
<div class="body" role="main">
<section id="host-configuration">
-<h1>Host configuration<a class="headerlink" href="#host-configuration" title="Permalink to this headline">¶</a></h1>
+<h1>Host configuration<a class="headerlink" href="#host-configuration" title="Link to this heading">¶</a></h1>
<p>All hosts running Kerberos software, whether they are clients,
application servers, or KDCs, can be configured using
<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. Here we describe some of the behavior changes
you might want to make.</p>
<section id="default-realm">
-<h2>Default realm<a class="headerlink" href="#default-realm" title="Permalink to this headline">¶</a></h2>
+<h2>Default realm<a class="headerlink" href="#default-realm" title="Link to this heading">¶</a></h2>
<p>In the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a> section, the <strong>default_realm</strong> realm
relation sets the default Kerberos realm. For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
@@ -89,7 +87,7 @@ default realm, and <strong>auth_to_local</strong> relations can be used as
described below to use the second realm for login authorization.</p>
</section>
<section id="login-authorization">
-<span id="id1"></span><h2>Login authorization<a class="headerlink" href="#login-authorization" title="Permalink to this headline">¶</a></h2>
+<span id="id1"></span><h2>Login authorization<a class="headerlink" href="#login-authorization" title="Link to this heading">¶</a></h2>
<p>If a host runs a Kerberos-enabled login service such as OpenSSH with
GSSAPIAuthentication enabled, login authorization rules determine
whether a Kerberos principal is allowed to access a local account.</p>
@@ -158,7 +156,7 @@ An example use of <strong>auth_to_local_names</strong> might be:</p>
modules; see <a class="reference internal" href="../plugindev/hostrealm.html#hostrealm-plugin"><span class="std std-ref">Host-to-realm interface (hostrealm)</span></a> for details.</p>
</section>
<section id="plugin-module-configuration">
-<span id="plugin-config"></span><h2>Plugin module configuration<a class="headerlink" href="#plugin-module-configuration" title="Permalink to this headline">¶</a></h2>
+<span id="plugin-config"></span><h2>Plugin module configuration<a class="headerlink" href="#plugin-module-configuration" title="Link to this heading">¶</a></h2>
<p>Many aspects of Kerberos behavior, such as client preauthentication
and KDC service location, can be modified through the use of plugin
modules. For most of these behaviors, you can use the <a class="reference internal" href="conf_files/krb5_conf.html#plugins"><span class="std std-ref">[plugins]</span></a>
@@ -212,7 +210,7 @@ each time.</p>
<p>Some Kerberos interfaces use different mechanisms to register plugin
modules.</p>
<section id="kdc-location-modules">
-<h3>KDC location modules<a class="headerlink" href="#kdc-location-modules" title="Permalink to this headline">¶</a></h3>
+<h3>KDC location modules<a class="headerlink" href="#kdc-location-modules" title="Link to this heading">¶</a></h3>
<p>For historical reasons, modules to control how KDC servers are located
are registered simply by placing the shared object or DLL into the
“libkrb5” subdirectory of the krb5 plugin directory, which defaults to
@@ -221,7 +219,7 @@ locator plugin would be registered by placing its shared object in
<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">LIBDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5/plugins/libkrb5/winbind_krb5_locator.so</span></code>.</p>
</section>
<section id="gssapi-mechanism-modules">
-<span id="gssapi-plugin-config"></span><h3>GSSAPI mechanism modules<a class="headerlink" href="#gssapi-mechanism-modules" title="Permalink to this headline">¶</a></h3>
+<span id="gssapi-plugin-config"></span><h3>GSSAPI mechanism modules<a class="headerlink" href="#gssapi-mechanism-modules" title="Link to this heading">¶</a></h3>
<p>GSSAPI mechanism modules are registered using the file
<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">SYSCONFDIR</span></a><code class="docutils literal notranslate"><span class="pre">/gss/mech</span></code> or configuration files in the
<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">SYSCONFDIR</span></a><code class="docutils literal notranslate"><span class="pre">/gss/mech.d</span></code> directory with a <code class="docutils literal notranslate"><span class="pre">.conf</span></code>
@@ -242,7 +240,7 @@ other mechanisms.</p>
used as the sole mechanism configuration filename.</p>
</section>
<section id="configuration-profile-modules">
-<span id="profile-plugin-config"></span><h3>Configuration profile modules<a class="headerlink" href="#configuration-profile-modules" title="Permalink to this headline">¶</a></h3>
+<span id="profile-plugin-config"></span><h3>Configuration profile modules<a class="headerlink" href="#configuration-profile-modules" title="Link to this heading">¶</a></h3>
<p>A configuration profile module replaces the information source for
<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> itself. To use a profile module, begin krb5.conf
with the line:</p>
@@ -338,8 +336,8 @@ take over, and the rest of krb5.conf will be ignored.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/https.html b/crypto/krb5/doc/html/admin/https.html
index 7047915be95b..3c1c24feb43d 100644
--- a/crypto/krb5/doc/html/admin/https.html
+++ b/crypto/krb5/doc/html/admin/https.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>HTTPS proxy configuration &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="https-proxy-configuration">
-<span id="https"></span><h1>HTTPS proxy configuration<a class="headerlink" href="#https-proxy-configuration" title="Permalink to this headline">¶</a></h1>
+<span id="https"></span><h1>HTTPS proxy configuration<a class="headerlink" href="#https-proxy-configuration" title="Link to this heading">¶</a></h1>
<p>In addition to being able to use UDP or TCP to communicate directly
with a KDC as is outlined in RFC4120, and with kpasswd services in a
similar fashion, the client libraries can attempt to use an HTTPS
@@ -70,7 +68,7 @@ and servers.</p>
Microsoft Windows Server, and a WSGI implementation named <cite>kdcproxy</cite>
is available in the python package index.</p>
<section id="configuring-the-clients">
-<h2>Configuring the clients<a class="headerlink" href="#configuring-the-clients" title="Permalink to this headline">¶</a></h2>
+<h2>Configuring the clients<a class="headerlink" href="#configuring-the-clients" title="Link to this heading">¶</a></h2>
<p>To use an HTTPS proxy, a client host must trust the CA which issued
that proxy’s SSL certificate. If that CA’s certificate is not in the
system-wide default set of trusted certificates, configure the
@@ -169,8 +167,8 @@ as <code class="docutils literal notranslate"><span class="pre">kinit</span></co
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/index.html b/crypto/krb5/doc/html/admin/index.html
index 0e2bf2f4b6e8..3b6687a56713 100644
--- a/crypto/krb5/doc/html/admin/index.html
+++ b/crypto/krb5/doc/html/admin/index.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>For administrators &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="for-administrators">
-<h1>For administrators<a class="headerlink" href="#for-administrators" title="Permalink to this headline">¶</a></h1>
+<h1>For administrators<a class="headerlink" href="#for-administrators" title="Link to this heading">¶</a></h1>
<div class="toctree-wrapper compound">
<ul>
<li class="toctree-l1"><a class="reference internal" href="install.html">Installation guide</a></li>
@@ -162,8 +160,8 @@
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/install.html b/crypto/krb5/doc/html/admin/install.html
index 3c27a0105a24..4fb8c1575526 100644
--- a/crypto/krb5/doc/html/admin/install.html
+++ b/crypto/krb5/doc/html/admin/install.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Installation guide &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,9 +51,9 @@
<div class="body" role="main">
<section id="installation-guide">
-<h1>Installation guide<a class="headerlink" href="#installation-guide" title="Permalink to this headline">¶</a></h1>
+<h1>Installation guide<a class="headerlink" href="#installation-guide" title="Link to this heading">¶</a></h1>
<section id="contents">
-<h2>Contents<a class="headerlink" href="#contents" title="Permalink to this headline">¶</a></h2>
+<h2>Contents<a class="headerlink" href="#contents" title="Link to this heading">¶</a></h2>
<div class="toctree-wrapper compound">
<ul>
<li class="toctree-l1"><a class="reference internal" href="install_kdc.html">Installing KDCs</a><ul>
@@ -84,7 +82,7 @@
</div>
</section>
<section id="additional-references">
-<h2>Additional references<a class="headerlink" href="#additional-references" title="Permalink to this headline">¶</a></h2>
+<h2>Additional references<a class="headerlink" href="#additional-references" title="Link to this heading">¶</a></h2>
<ol class="arabic simple">
<li><p>Debian: <a class="reference external" href="http://techpubs.spinlocksolutions.com/dklar/kerberos.html">Setting up MIT Kerberos 5</a></p></li>
<li><p>Solaris: <a class="reference external" href="https://docs.oracle.com/cd/E19253-01/816-4557/6maosrjv2/index.html">Configuring the Kerberos Service</a></p></li>
@@ -173,8 +171,8 @@
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/install_appl_srv.html b/crypto/krb5/doc/html/admin/install_appl_srv.html
index 14536e42d0e1..4ee80b824cf8 100644
--- a/crypto/krb5/doc/html/admin/install_appl_srv.html
+++ b/crypto/krb5/doc/html/admin/install_appl_srv.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>UNIX Application Servers &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="unix-application-servers">
-<h1>UNIX Application Servers<a class="headerlink" href="#unix-application-servers" title="Permalink to this headline">¶</a></h1>
+<h1>UNIX Application Servers<a class="headerlink" href="#unix-application-servers" title="Link to this heading">¶</a></h1>
<p>An application server is a host that provides one or more services
over the network. Application servers can be “secure” or “insecure.”
A “secure” host is set up to require authentication from every client
@@ -67,7 +65,7 @@ some clients that do not have Kerberos V5 installed, you can run an
insecure server, and still take advantage of Kerberos V5’s single
sign-on capability.</p>
<section id="the-keytab-file">
-<span id="keytab-file"></span><h2>The keytab file<a class="headerlink" href="#the-keytab-file" title="Permalink to this headline">¶</a></h2>
+<span id="keytab-file"></span><h2>The keytab file<a class="headerlink" href="#the-keytab-file" title="Link to this heading">¶</a></h2>
<p>All Kerberos server machines need a keytab file to authenticate to the
KDC. By default on UNIX-like systems this file is named <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>.
The keytab file is an local copy of the host’s key. The keytab file
@@ -103,7 +101,7 @@ copy of the keytab file onto the destination host (<code class="docutils literal
the above example) without sending it unencrypted over the network.</p>
</section>
<section id="some-advice-about-secure-hosts">
-<h2>Some advice about secure hosts<a class="headerlink" href="#some-advice-about-secure-hosts" title="Permalink to this headline">¶</a></h2>
+<h2>Some advice about secure hosts<a class="headerlink" href="#some-advice-about-secure-hosts" title="Link to this heading">¶</a></h2>
<p>Kerberos V5 can protect your host from certain types of break-ins, but
it is possible to install Kerberos V5 and still leave your host
vulnerable to attack. Obviously an installation guide is not the
@@ -201,8 +199,8 @@ readable only by root.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/install_clients.html b/crypto/krb5/doc/html/admin/install_clients.html
index 928576e3789b..57dec1f64e63 100644
--- a/crypto/krb5/doc/html/admin/install_clients.html
+++ b/crypto/krb5/doc/html/admin/install_clients.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Installing and configuring UNIX client machines &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="installing-and-configuring-unix-client-machines">
-<h1>Installing and configuring UNIX client machines<a class="headerlink" href="#installing-and-configuring-unix-client-machines" title="Permalink to this headline">¶</a></h1>
+<h1>Installing and configuring UNIX client machines<a class="headerlink" href="#installing-and-configuring-unix-client-machines" title="Link to this heading">¶</a></h1>
<p>The Kerberized client programs include <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>,
<a class="reference internal" href="../user/user_commands/klist.html#klist-1"><span class="std std-ref">klist</span></a>, <a class="reference internal" href="../user/user_commands/kdestroy.html#kdestroy-1"><span class="std std-ref">kdestroy</span></a>, and <a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>. All of
these programs are in the directory <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">BINDIR</span></a>.</p>
@@ -68,7 +66,7 @@ password changing integrated into the native password program (again,
typically through PAM), you will need to educate users to use kpasswd
in place of its non-Kerberos counterparts passwd.</p>
<section id="client-machine-configuration-files">
-<h2>Client machine configuration files<a class="headerlink" href="#client-machine-configuration-files" title="Permalink to this headline">¶</a></h2>
+<h2>Client machine configuration files<a class="headerlink" href="#client-machine-configuration-files" title="Link to this heading">¶</a></h2>
<p>Each machine running Kerberos should have a <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file.
At a minimum, it should define a <strong>default_realm</strong> setting in
<a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>. If you are not using DNS SRV records
@@ -183,8 +181,8 @@ krb5.conf.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/install_kdc.html b/crypto/krb5/doc/html/admin/install_kdc.html
index 6f2519132958..24e753728717 100644
--- a/crypto/krb5/doc/html/admin/install_kdc.html
+++ b/crypto/krb5/doc/html/admin/install_kdc.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Installing KDCs &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="installing-kdcs">
-<h1>Installing KDCs<a class="headerlink" href="#installing-kdcs" title="Permalink to this headline">¶</a></h1>
+<h1>Installing KDCs<a class="headerlink" href="#installing-kdcs" title="Link to this heading">¶</a></h1>
<p>When setting up Kerberos in a production environment, it is best to
have multiple replica KDCs alongside with a primary KDC to ensure the
continued availability of the Kerberized services. Each KDC contains
@@ -83,7 +81,7 @@ database.</p></li>
</ul>
</div>
<section id="install-and-configure-the-primary-kdc">
-<h2>Install and configure the primary KDC<a class="headerlink" href="#install-and-configure-the-primary-kdc" title="Permalink to this headline">¶</a></h2>
+<h2>Install and configure the primary KDC<a class="headerlink" href="#install-and-configure-the-primary-kdc" title="Link to this heading">¶</a></h2>
<p>Install Kerberos either from the OS-provided packages or from the
source (See <a class="reference internal" href="../build/doing_build.html#do-build"><span class="std std-ref">Building within a single tree</span></a>).</p>
<div class="admonition note">
@@ -103,7 +101,7 @@ paths to your system environment.</p>
</div>
</section>
<section id="edit-kdc-configuration-files">
-<h2>Edit KDC configuration files<a class="headerlink" href="#edit-kdc-configuration-files" title="Permalink to this headline">¶</a></h2>
+<h2>Edit KDC configuration files<a class="headerlink" href="#edit-kdc-configuration-files" title="Link to this heading">¶</a></h2>
<p>Modify the configuration files, <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> and
<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, to reflect the correct information (such as
domain-realm mappings and Kerberos servers names) for your realm.
@@ -122,7 +120,7 @@ example:</p>
</pre></div>
</div>
<section id="krb5-conf">
-<h3>krb5.conf<a class="headerlink" href="#krb5-conf" title="Permalink to this headline">¶</a></h3>
+<h3>krb5.conf<a class="headerlink" href="#krb5-conf" title="Link to this heading">¶</a></h3>
<p>If you are not using DNS TXT records (see <a class="reference internal" href="realm_config.html#mapping-hostnames"><span class="std std-ref">Mapping hostnames onto Kerberos realms</span></a>),
you must specify the <strong>default_realm</strong> in the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>
section. If you are not using DNS URI or SRV records (see
@@ -145,7 +143,7 @@ tag must be set in the
</div>
</section>
<section id="kdc-conf">
-<h3>kdc.conf<a class="headerlink" href="#kdc-conf" title="Permalink to this headline">¶</a></h3>
+<h3>kdc.conf<a class="headerlink" href="#kdc-conf" title="Link to this heading">¶</a></h3>
<p>The kdc.conf file can be used to control the listening ports of the
KDC and kadmind, as well as realm-specific defaults, the database type
and location, and logging.</p>
@@ -187,7 +185,7 @@ your Kerberos realm and server respectively.</p>
</section>
</section>
<section id="create-the-kdc-database">
-<span id="create-db"></span><h2>Create the KDC database<a class="headerlink" href="#create-the-kdc-database" title="Permalink to this headline">¶</a></h2>
+<span id="create-db"></span><h2>Create the KDC database<a class="headerlink" href="#create-the-kdc-database" title="Link to this heading">¶</a></h2>
<p>You will use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> command on the primary KDC to
create the Kerberos database and the optional <a class="reference internal" href="../basic/stash_file_def.html#stash-definition"><span class="std std-ref">stash file</span></a>.</p>
<div class="admonition note">
@@ -237,7 +235,7 @@ option.</p></li>
<a class="reference internal" href="database.html#db-operations"><span class="std std-ref">Operations on the Kerberos database</span></a>.</p>
</section>
<section id="add-administrators-to-the-acl-file">
-<span id="admin-acl"></span><h2>Add administrators to the ACL file<a class="headerlink" href="#add-administrators-to-the-acl-file" title="Permalink to this headline">¶</a></h2>
+<span id="admin-acl"></span><h2>Add administrators to the ACL file<a class="headerlink" href="#add-administrators-to-the-acl-file" title="Link to this heading">¶</a></h2>
<p>Next, you need create an Access Control List (ACL) file and put the
Kerberos principal of at least one of the administrators into it.
This file is used by the <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> daemon to control which
@@ -247,7 +245,7 @@ variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-con
<p>For more information on Kerberos ACL file see <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>.</p>
</section>
<section id="add-administrators-to-the-kerberos-database">
-<span id="addadmin-kdb"></span><h2>Add administrators to the Kerberos database<a class="headerlink" href="#add-administrators-to-the-kerberos-database" title="Permalink to this headline">¶</a></h2>
+<span id="addadmin-kdb"></span><h2>Add administrators to the Kerberos database<a class="headerlink" href="#add-administrators-to-the-kerberos-database" title="Link to this heading">¶</a></h2>
<p>Next you need to add administrative principals (i.e., principals who
are allowed to administer Kerberos database) to the Kerberos database.
You <em>must</em> add at least one principal now to allow communication
@@ -275,7 +273,7 @@ is created:</p>
</div>
</section>
<section id="start-the-kerberos-daemons-on-the-primary-kdc">
-<span id="start-kdc-daemons"></span><h2>Start the Kerberos daemons on the primary KDC<a class="headerlink" href="#start-the-kerberos-daemons-on-the-primary-kdc" title="Permalink to this headline">¶</a></h2>
+<span id="start-kdc-daemons"></span><h2>Start the Kerberos daemons on the primary KDC<a class="headerlink" href="#start-the-kerberos-daemons-on-the-primary-kdc" title="Link to this heading">¶</a></h2>
<p>At this point, you are ready to start the Kerberos KDC
(<a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>) and administrative daemons on the primary KDC. To
do so, type:</p>
@@ -310,7 +308,7 @@ against the principals that you have created on the previous step
</div>
</section>
<section id="install-the-replica-kdcs">
-<h2>Install the replica KDCs<a class="headerlink" href="#install-the-replica-kdcs" title="Permalink to this headline">¶</a></h2>
+<h2>Install the replica KDCs<a class="headerlink" href="#install-the-replica-kdcs" title="Link to this heading">¶</a></h2>
<p>You are now ready to start configuring the replica KDCs.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
@@ -321,7 +319,7 @@ the replica KDCs, unless these instructions specify
otherwise.</p>
</div>
<section id="create-host-keytabs-for-replica-kdcs">
-<span id="replica-host-key"></span><h3>Create host keytabs for replica KDCs<a class="headerlink" href="#create-host-keytabs-for-replica-kdcs" title="Permalink to this headline">¶</a></h3>
+<span id="replica-host-key"></span><h3>Create host keytabs for replica KDCs<a class="headerlink" href="#create-host-keytabs-for-replica-kdcs" title="Link to this heading">¶</a></h3>
<p>Each KDC needs a <code class="docutils literal notranslate"><span class="pre">host</span></code> key in the Kerberos database. These keys
are used for mutual authentication when propagating the database dump
file from the primary KDC to the secondary KDC servers.</p>
@@ -374,7 +372,7 @@ temporary keytab file for that machine’s keytab:</p>
<code class="docutils literal notranslate"><span class="pre">/etc/krb5.keytab</span></code> on the host <code class="docutils literal notranslate"><span class="pre">kerberos-1.mit.edu</span></code>.</p>
</section>
<section id="configure-replica-kdcs">
-<h3>Configure replica KDCs<a class="headerlink" href="#configure-replica-kdcs" title="Permalink to this headline">¶</a></h3>
+<h3>Configure replica KDCs<a class="headerlink" href="#configure-replica-kdcs" title="Link to this heading">¶</a></h3>
<p>Database propagation copies the contents of the primary’s database,
but does not propagate configuration files, stash files, or the kadm5
ACL file. The following files must be copied by hand to each replica
@@ -427,7 +425,7 @@ you’ll need to propagate the database from the primary server.</p>
of the primary’s database.</p>
</section>
<section id="propagate-the-database-to-each-replica-kdc">
-<span id="kprop-to-replicas"></span><h3>Propagate the database to each replica KDC<a class="headerlink" href="#propagate-the-database-to-each-replica-kdc" title="Permalink to this headline">¶</a></h3>
+<span id="kprop-to-replicas"></span><h3>Propagate the database to each replica KDC<a class="headerlink" href="#propagate-the-database-to-each-replica-kdc" title="Link to this heading">¶</a></h3>
<p>First, create a dump file of the database on the primary KDC, as
follows:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kdb5_util</span> <span class="n">dump</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">replica_datatrans</span>
@@ -470,7 +468,7 @@ start the krb5kdc daemon:</p>
the KDCs’ <code class="docutils literal notranslate"><span class="pre">/etc/rc</span></code> or <code class="docutils literal notranslate"><span class="pre">/etc/inittab</span></code> files, so they will start
the krb5kdc daemon automatically at boot time.</p>
<section id="propagation-failed">
-<h4>Propagation failed?<a class="headerlink" href="#propagation-failed" title="Permalink to this headline">¶</a></h4>
+<h4>Propagation failed?<a class="headerlink" href="#propagation-failed" title="Link to this heading">¶</a></h4>
<p>You may encounter the following error messages. For a more detailed
discussion on possible causes and solutions click on the error link
to be redirected to <a class="reference internal" href="troubleshoot.html#troubleshoot"><span class="std std-ref">Troubleshooting</span></a> section.</p>
@@ -483,7 +481,7 @@ to be redirected to <a class="reference internal" href="troubleshoot.html#troubl
</section>
</section>
<section id="add-kerberos-principals-to-the-database">
-<h2>Add Kerberos principals to the database<a class="headerlink" href="#add-kerberos-principals-to-the-database" title="Permalink to this headline">¶</a></h2>
+<h2>Add Kerberos principals to the database<a class="headerlink" href="#add-kerberos-principals-to-the-database" title="Link to this heading">¶</a></h2>
<p>Once your KDCs are set up and running, you are ready to use
<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> to load principals for your users, hosts, and other
services into the Kerberos database. This procedure is described
@@ -494,7 +492,7 @@ if your primary KDC has a disk crash. See the following section for
the instructions.</p>
</section>
<section id="switching-primary-and-replica-kdcs">
-<span id="switch-primary-replica"></span><h2>Switching primary and replica KDCs<a class="headerlink" href="#switching-primary-and-replica-kdcs" title="Permalink to this headline">¶</a></h2>
+<span id="switch-primary-replica"></span><h2>Switching primary and replica KDCs<a class="headerlink" href="#switching-primary-and-replica-kdcs" title="Link to this heading">¶</a></h2>
<p>You may occasionally want to use one of your replica KDCs as the
primary. This might happen if you are upgrading the primary KDC, or
if your primary KDC has a disk crash.</p>
@@ -521,7 +519,7 @@ client machine in your Kerberos realm.</p></li>
</ol>
</section>
<section id="incremental-database-propagation">
-<h2>Incremental database propagation<a class="headerlink" href="#incremental-database-propagation" title="Permalink to this headline">¶</a></h2>
+<h2>Incremental database propagation<a class="headerlink" href="#incremental-database-propagation" title="Link to this heading">¶</a></h2>
<p>If you expect your Kerberos database to become large, you may wish to
set up incremental propagation to replica KDCs. See
<a class="reference internal" href="database.html#incr-db-prop"><span class="std std-ref">Incremental database propagation</span></a> for details.</p>
@@ -629,8 +627,8 @@ set up incremental propagation to replica KDCs. See
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/lockout.html b/crypto/krb5/doc/html/admin/lockout.html
index 8f6d4507ead1..3bedd7fb93dd 100644
--- a/crypto/krb5/doc/html/admin/lockout.html
+++ b/crypto/krb5/doc/html/admin/lockout.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Account lockout &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,14 +51,14 @@
<div class="body" role="main">
<section id="account-lockout">
-<span id="lockout"></span><h1>Account lockout<a class="headerlink" href="#account-lockout" title="Permalink to this headline">¶</a></h1>
+<span id="lockout"></span><h1>Account lockout<a class="headerlink" href="#account-lockout" title="Link to this heading">¶</a></h1>
<p>As of release 1.8, the KDC can be configured to lock out principals
after a number of failed authentication attempts within a period of
time. Account lockout can make it more difficult to attack a
principal’s password by brute force, but also makes it easy for an
attacker to deny access to a principal.</p>
<section id="configuring-account-lockout">
-<h2>Configuring account lockout<a class="headerlink" href="#configuring-account-lockout" title="Permalink to this headline">¶</a></h2>
+<h2>Configuring account lockout<a class="headerlink" href="#configuring-account-lockout" title="Link to this heading">¶</a></h2>
<p>Account lockout only works for principals with the
<strong>+requires_preauth</strong> flag set. Without this flag, the KDC cannot
know whether or not a client successfully decrypted the ticket it
@@ -92,7 +90,7 @@ associating it with a principal:</p>
</div>
</section>
<section id="testing-account-lockout">
-<h2>Testing account lockout<a class="headerlink" href="#testing-account-lockout" title="Permalink to this headline">¶</a></h2>
+<h2>Testing account lockout<a class="headerlink" href="#testing-account-lockout" title="Link to this heading">¶</a></h2>
<p>To test that account lockout is working, try authenticating as the
principal (hopefully not one that might be in use) multiple times with
the wrong password. For instance, if <strong>maxfailure</strong> is set to 2, you
@@ -109,7 +107,7 @@ kinit: Client&#39;s credentials have been revoked while getting initial credenti
</div>
</section>
<section id="account-lockout-principal-state">
-<h2>Account lockout principal state<a class="headerlink" href="#account-lockout-principal-state" title="Permalink to this headline">¶</a></h2>
+<h2>Account lockout principal state<a class="headerlink" href="#account-lockout-principal-state" title="Link to this heading">¶</a></h2>
<p>A principal entry keeps three pieces of state related to account
lockout:</p>
<ul class="simple">
@@ -138,7 +136,7 @@ with the <strong>-unlock</strong> option to the <strong>modprinc</strong> kadmin
<p>This command will reset the number of failed attempts to 0.</p>
</section>
<section id="kdc-replication-and-account-lockout">
-<h2>KDC replication and account lockout<a class="headerlink" href="#kdc-replication-and-account-lockout" title="Permalink to this headline">¶</a></h2>
+<h2>KDC replication and account lockout<a class="headerlink" href="#kdc-replication-and-account-lockout" title="Link to this heading">¶</a></h2>
<p>The account lockout state of a principal is not replicated by either
traditional <a class="reference internal" href="admin_commands/kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> or incremental propagation. Because of
this, the number of attempts an attacker can make within a time period
@@ -157,7 +155,7 @@ LDAP replication, then account lockout state may be replicated between
KDCs and the concerns of this section may not apply.</p>
</section>
<section id="kdc-performance-and-account-lockout">
-<span id="disable-lockout"></span><h2>KDC performance and account lockout<a class="headerlink" href="#kdc-performance-and-account-lockout" title="Permalink to this headline">¶</a></h2>
+<span id="disable-lockout"></span><h2>KDC performance and account lockout<a class="headerlink" href="#kdc-performance-and-account-lockout" title="Link to this heading">¶</a></h2>
<p>In order to fully track account lockout state, the KDC must write to
the the database on each successful and failed authentication.
Writing to the database is generally more expensive than reading from
@@ -180,7 +178,7 @@ impossible to observe the last successful authentication time with
kadmin.</p>
</section>
<section id="kdc-setup-and-account-lockout">
-<h2>KDC setup and account lockout<a class="headerlink" href="#kdc-setup-and-account-lockout" title="Permalink to this headline">¶</a></h2>
+<h2>KDC setup and account lockout<a class="headerlink" href="#kdc-setup-and-account-lockout" title="Link to this heading">¶</a></h2>
<p>To update the account lockout state on principals, the KDC must be
able to write to the principal database. For the DB2 module, no
special setup is required. For the LDAP module, the KDC DN must be
@@ -269,8 +267,8 @@ read access, account lockout will not function.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/otp.html b/crypto/krb5/doc/html/admin/otp.html
index 042a0d037d91..0014ca1aaa2e 100644
--- a/crypto/krb5/doc/html/admin/otp.html
+++ b/crypto/krb5/doc/html/admin/otp.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>OTP Preauthentication &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="otp-preauthentication">
-<span id="otp-preauth"></span><h1>OTP Preauthentication<a class="headerlink" href="#otp-preauthentication" title="Permalink to this headline">¶</a></h1>
+<span id="otp-preauth"></span><h1>OTP Preauthentication<a class="headerlink" href="#otp-preauthentication" title="Link to this heading">¶</a></h1>
<p>OTP is a preauthentication mechanism for Kerberos 5 which uses One
Time Passwords (OTP) to authenticate the client to the KDC. The OTP
is passed to the KDC over an encrypted FAST channel in clear-text.
@@ -66,7 +64,7 @@ passing of RADIUS requests over a UNIX domain stream socket. This
permits the use of a local companion daemon which can handle the
details of authentication.</p>
<section id="defining-token-types">
-<h2>Defining token types<a class="headerlink" href="#defining-token-types" title="Permalink to this headline">¶</a></h2>
+<h2>Defining token types<a class="headerlink" href="#defining-token-types" title="Link to this heading">¶</a></h2>
<p>Token types are defined in either <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> or
<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> according to the following format:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">otp</span><span class="p">]</span>
@@ -95,7 +93,7 @@ will be annotated with the specified authentication indicator (see
add multiple indicators.</p>
</section>
<section id="the-default-token-type">
-<h2>The default token type<a class="headerlink" href="#the-default-token-type" title="Permalink to this headline">¶</a></h2>
+<h2>The default token type<a class="headerlink" href="#the-default-token-type" title="Link to this heading">¶</a></h2>
<p>A default token type is used internally when no token type is specified for a
given user. It is defined as follows:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">otp</span><span class="p">]</span>
@@ -108,16 +106,16 @@ given user. It is defined as follows:</p>
simply by defining a configuration with the same name.</p>
</section>
<section id="token-instance-configuration">
-<h2>Token instance configuration<a class="headerlink" href="#token-instance-configuration" title="Permalink to this headline">¶</a></h2>
+<h2>Token instance configuration<a class="headerlink" href="#token-instance-configuration" title="Link to this heading">¶</a></h2>
<p>To enable OTP for a client principal, the administrator must define
the <strong>otp</strong> string attribute for that principal. (See
<a class="reference internal" href="admin_commands/kadmin_local.html#set-string"><span class="std std-ref">set_string</span></a>.) The <strong>otp</strong> user string is a JSON string of the
format:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span>[{
- &quot;type&quot;: <span class="nt">&lt;string&gt;</span>,
- &quot;username&quot;: <span class="nt">&lt;string&gt;</span>,
- &quot;indicators&quot;: [<span class="nt">&lt;string&gt;</span>, ...]
- }, ...]
+<span class="w"> </span>&quot;type&quot;:<span class="w"> </span><span class="nt">&lt;string&gt;</span>,
+<span class="w"> </span>&quot;username&quot;:<span class="w"> </span><span class="nt">&lt;string&gt;</span>,
+<span class="w"> </span>&quot;indicators&quot;:<span class="w"> </span>[<span class="nt">&lt;string&gt;</span>,<span class="w"> </span>...]
+<span class="w"> </span>},<span class="w"> </span>...]
</pre></div>
</div>
<p>This is an array of token objects. Both fields of token objects are
@@ -132,7 +130,7 @@ indicators specified in the token type.</p>
equivalent to one DEFAULT token (<code class="docutils literal notranslate"><span class="pre">[{}]</span></code>).</p>
</section>
<section id="other-considerations">
-<h2>Other considerations<a class="headerlink" href="#other-considerations" title="Permalink to this headline">¶</a></h2>
+<h2>Other considerations<a class="headerlink" href="#other-considerations" title="Link to this heading">¶</a></h2>
<ol class="arabic simple">
<li><p>FAST is required for OTP to work.</p></li>
</ol>
@@ -217,8 +215,8 @@ equivalent to one DEFAULT token (<code class="docutils literal notranslate"><spa
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/pkinit.html b/crypto/krb5/doc/html/admin/pkinit.html
index 40791a2e8f76..2a30ed7c391d 100644
--- a/crypto/krb5/doc/html/admin/pkinit.html
+++ b/crypto/krb5/doc/html/admin/pkinit.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>PKINIT configuration &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,14 +51,14 @@
<div class="body" role="main">
<section id="pkinit-configuration">
-<span id="pkinit"></span><h1>PKINIT configuration<a class="headerlink" href="#pkinit-configuration" title="Permalink to this headline">¶</a></h1>
+<span id="pkinit"></span><h1>PKINIT configuration<a class="headerlink" href="#pkinit-configuration" title="Link to this heading">¶</a></h1>
<p>PKINIT is a preauthentication mechanism for Kerberos 5 which uses
X.509 certificates to authenticate the KDC to clients and vice versa.
PKINIT can also be used to enable anonymity support, allowing clients
to communicate securely with the KDC or with application servers
without authenticating as a particular client principal.</p>
<section id="creating-certificates">
-<h2>Creating certificates<a class="headerlink" href="#creating-certificates" title="Permalink to this headline">¶</a></h2>
+<h2>Creating certificates<a class="headerlink" href="#creating-certificates" title="Link to this heading">¶</a></h2>
<p>PKINIT requires an X.509 certificate for the KDC and one for each
client principal which will authenticate using PKINIT. For anonymous
PKINIT, a KDC certificate is required, but client certificates are
@@ -72,7 +70,7 @@ this section if you are using a commercially issued server certificate
as the KDC certificate for anonymous PKINIT, or if you are configuring
a client to use an Active Directory KDC.</p>
<section id="generating-a-certificate-authority-certificate">
-<h3>Generating a certificate authority certificate<a class="headerlink" href="#generating-a-certificate-authority-certificate" title="Permalink to this headline">¶</a></h3>
+<h3>Generating a certificate authority certificate<a class="headerlink" href="#generating-a-certificate-authority-certificate" title="Link to this heading">¶</a></h3>
<p>You can establish a new certificate authority (CA) for use with a
PKINIT deployment with the commands:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">openssl</span> <span class="n">genrsa</span> <span class="o">-</span><span class="n">out</span> <span class="n">cakey</span><span class="o">.</span><span class="n">pem</span> <span class="mi">2048</span>
@@ -94,7 +92,7 @@ each client host. cakey.pem will be required to create KDC and client
certificates.</p>
</section>
<section id="generating-a-kdc-certificate">
-<h3>Generating a KDC certificate<a class="headerlink" href="#generating-a-kdc-certificate" title="Permalink to this headline">¶</a></h3>
+<h3>Generating a KDC certificate<a class="headerlink" href="#generating-a-kdc-certificate" title="Link to this heading">¶</a></h3>
<p>A KDC certificate for use with PKINIT is required to have some unusual
fields, which makes generating them with OpenSSL somewhat complicated.
First, you will need a file containing the following:</p>
@@ -146,7 +144,7 @@ name in the Subject Alternative Name extension, so it will appear as
anything is wrong with the KDC certificate.</p>
</section>
<section id="generating-client-certificates">
-<h3>Generating client certificates<a class="headerlink" href="#generating-client-certificates" title="Permalink to this headline">¶</a></h3>
+<h3>Generating client certificates<a class="headerlink" href="#generating-client-certificates" title="Link to this heading">¶</a></h3>
<p>PKINIT client certificates also must have some unusual certificate
fields. To generate a client certificate with OpenSSL for a
single-component principal name, you will need an extensions file
@@ -215,7 +213,7 @@ to the first and second components when running <code class="docutils literal no
</section>
</section>
<section id="configuring-the-kdc">
-<h2>Configuring the KDC<a class="headerlink" href="#configuring-the-kdc" title="Permalink to this headline">¶</a></h2>
+<h2>Configuring the KDC<a class="headerlink" href="#configuring-the-kdc" title="Link to this heading">¶</a></h2>
<p>The KDC must have filesystem access to the KDC certificate (kdc.pem)
and the KDC private key (kdckey.pem). Configure the following
relation in the KDC’s <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> file, either in the
@@ -276,7 +274,7 @@ for example:</p>
</div>
</section>
<section id="configuring-the-clients">
-<h2>Configuring the clients<a class="headerlink" href="#configuring-the-clients" title="Permalink to this headline">¶</a></h2>
+<h2>Configuring the clients<a class="headerlink" href="#configuring-the-clients" title="Link to this heading">¶</a></h2>
<p>Client hosts must be configured to trust the issuing authority for the
KDC certificate. For a newly established certificate authority, the
client host must have filesystem access to the CA certificate
@@ -317,7 +315,7 @@ Configure the following relations in the client host’s
possible to run <code class="docutils literal notranslate"><span class="pre">kinit</span> <span class="pre">username</span></code> without entering a password.</p>
</section>
<section id="anonymous-pkinit">
-<span id="id1"></span><h2>Anonymous PKINIT<a class="headerlink" href="#anonymous-pkinit" title="Permalink to this headline">¶</a></h2>
+<span id="id1"></span><h2>Anonymous PKINIT<a class="headerlink" href="#anonymous-pkinit" title="Link to this heading">¶</a></h2>
<p>Anonymity support in Kerberos allows a client to obtain a ticket
without authenticating as any particular principal. Such a ticket can
be used as a FAST armor ticket, or to securely communicate with an
@@ -351,7 +349,7 @@ appropriate <a class="reference internal" href="conf_files/kdc_conf.html#kdc-rea
will have the client name <code class="docutils literal notranslate"><span class="pre">WELLKNOWN/ANONYMOUS&#64;WELLKNOWN:ANONYMOUS</span></code>.</p>
</section>
<section id="freshness-tokens">
-<h2>Freshness tokens<a class="headerlink" href="#freshness-tokens" title="Permalink to this headline">¶</a></h2>
+<h2>Freshness tokens<a class="headerlink" href="#freshness-tokens" title="Link to this heading">¶</a></h2>
<p>Freshness tokens can ensure that the client has recently had access to
its certificate private key. If freshness tokens are not required by
the KDC, a client program with temporary possession of the private key
@@ -458,8 +456,8 @@ and verify that authentication is unsuccessful.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/princ_dns.html b/crypto/krb5/doc/html/admin/princ_dns.html
index 845f788e300b..fe10f1cefc68 100644
--- a/crypto/krb5/doc/html/admin/princ_dns.html
+++ b/crypto/krb5/doc/html/admin/princ_dns.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Principal names and DNS &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,13 +51,13 @@
<div class="body" role="main">
<section id="principal-names-and-dns">
-<h1>Principal names and DNS<a class="headerlink" href="#principal-names-and-dns" title="Permalink to this headline">¶</a></h1>
+<h1>Principal names and DNS<a class="headerlink" href="#principal-names-and-dns" title="Link to this heading">¶</a></h1>
<p>Kerberos clients can do DNS lookups to canonicalize service principal
names. This can cause difficulties when setting up Kerberos
application servers, especially when the client’s name for the service
is different from what the service thinks its name is.</p>
<section id="service-principal-names">
-<h2>Service principal names<a class="headerlink" href="#service-principal-names" title="Permalink to this headline">¶</a></h2>
+<h2>Service principal names<a class="headerlink" href="#service-principal-names" title="Link to this heading">¶</a></h2>
<p>A frequently used kind of principal name is the host-based service
principal name. This kind of principal name has two components: a
service name and a hostname. For example, <code class="docutils literal notranslate"><span class="pre">imap/imap.example.com</span></code>
@@ -77,7 +75,7 @@ for administrators to set up load balancing for some sorts of services
based on rotating <code class="docutils literal notranslate"><span class="pre">CNAME</span></code> records in DNS.</p>
</section>
<section id="service-principal-canonicalization">
-<h2>Service principal canonicalization<a class="headerlink" href="#service-principal-canonicalization" title="Permalink to this headline">¶</a></h2>
+<h2>Service principal canonicalization<a class="headerlink" href="#service-principal-canonicalization" title="Link to this heading">¶</a></h2>
<p>In the MIT krb5 client library, canonicalization of host-based service
principals is controlled by the <strong>dns_canonicalize_hostname</strong>,
<strong>rnds</strong>, and <strong>qualify_shortname</strong> variables in <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.</p>
@@ -104,7 +102,7 @@ canonicalized according to the rules for
dot is removed.</p>
</section>
<section id="reverse-dns-mismatches">
-<h2>Reverse DNS mismatches<a class="headerlink" href="#reverse-dns-mismatches" title="Permalink to this headline">¶</a></h2>
+<h2>Reverse DNS mismatches<a class="headerlink" href="#reverse-dns-mismatches" title="Link to this heading">¶</a></h2>
<p>Sometimes, an enterprise will have control over its forward DNS but
not its reverse DNS. The reverse DNS is sometimes under the control
of the Internet service provider of the enterprise, and the enterprise
@@ -114,7 +112,7 @@ reverse DNS to match, it is best to set <code class="docutils literal notranslat
machines.</p>
</section>
<section id="overriding-application-behavior">
-<h2>Overriding application behavior<a class="headerlink" href="#overriding-application-behavior" title="Permalink to this headline">¶</a></h2>
+<h2>Overriding application behavior<a class="headerlink" href="#overriding-application-behavior" title="Link to this heading">¶</a></h2>
<p>Applications can choose to use a default hostname component in their
service principal name when accepting authentication, which avoids
some sorts of hostname mismatches. Because not all relevant
@@ -130,7 +128,7 @@ matches the service name and realm name (if given). This setting
defaults to “false” and is available in releases krb5-1.10 and later.</p>
</section>
<section id="provisioning-keytabs">
-<h2>Provisioning keytabs<a class="headerlink" href="#provisioning-keytabs" title="Permalink to this headline">¶</a></h2>
+<h2>Provisioning keytabs<a class="headerlink" href="#provisioning-keytabs" title="Link to this heading">¶</a></h2>
<p>One service principal entry that should be in the keytab is a
principal whose hostname component is the canonical hostname that
<code class="docutils literal notranslate"><span class="pre">getaddrinfo()</span></code> reports for all known aliases for the host. If the
@@ -139,9 +137,9 @@ additional service principal entry should be in the keytab for this
different hostname.</p>
</section>
<section id="specific-application-advice">
-<h2>Specific application advice<a class="headerlink" href="#specific-application-advice" title="Permalink to this headline">¶</a></h2>
+<h2>Specific application advice<a class="headerlink" href="#specific-application-advice" title="Link to this heading">¶</a></h2>
<section id="secure-shell-ssh">
-<h3>Secure shell (ssh)<a class="headerlink" href="#secure-shell-ssh" title="Permalink to this headline">¶</a></h3>
+<h3>Secure shell (ssh)<a class="headerlink" href="#secure-shell-ssh" title="Link to this heading">¶</a></h3>
<p>Setting <code class="docutils literal notranslate"><span class="pre">GSSAPIStrictAcceptorCheck</span> <span class="pre">=</span> <span class="pre">no</span></code> in the configuration file
of modern versions of the openssh daemon will allow the daemon to try
any key in its keytab when accepting a connection, rather than looking
@@ -150,7 +148,7 @@ for the keytab entry that matches the host’s own idea of its name
krb5-1.10 or later.</p>
</section>
<section id="openldap-ldapsearch-etc">
-<h3>OpenLDAP (ldapsearch, etc.)<a class="headerlink" href="#openldap-ldapsearch-etc" title="Permalink to this headline">¶</a></h3>
+<h3>OpenLDAP (ldapsearch, etc.)<a class="headerlink" href="#openldap-ldapsearch-etc" title="Link to this heading">¶</a></h3>
<p>OpenLDAP’s SASL implementation performs reverse DNS lookup in order to
canonicalize service principal names, even if <strong>rdns</strong> is set to
<code class="docutils literal notranslate"><span class="pre">false</span></code> in the Kerberos configuration. To disable this behavior,
@@ -244,8 +242,8 @@ add <code class="docutils literal notranslate"><span class="pre">SASL_NOCANON</s
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/realm_config.html b/crypto/krb5/doc/html/admin/realm_config.html
index f90ab88f9897..a1fe446b2d63 100644
--- a/crypto/krb5/doc/html/admin/realm_config.html
+++ b/crypto/krb5/doc/html/admin/realm_config.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Realm configuration decisions &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="realm-configuration-decisions">
-<h1>Realm configuration decisions<a class="headerlink" href="#realm-configuration-decisions" title="Permalink to this headline">¶</a></h1>
+<h1>Realm configuration decisions<a class="headerlink" href="#realm-configuration-decisions" title="Link to this heading">¶</a></h1>
<p>Before installing Kerberos V5, it is necessary to consider the
following issues:</p>
<ul class="simple">
@@ -68,7 +66,7 @@ not be using the default ports.</p></li>
to the replica KDCs.</p></li>
</ul>
<section id="realm-name">
-<h2>Realm name<a class="headerlink" href="#realm-name" title="Permalink to this headline">¶</a></h2>
+<h2>Realm name<a class="headerlink" href="#realm-name" title="Link to this heading">¶</a></h2>
<p>Although your Kerberos realm can be any ASCII string, convention is to
make it the same as your domain name, in upper-case letters.</p>
<p>For example, hosts in the domain <code class="docutils literal notranslate"><span class="pre">example.com</span></code> would be in the
@@ -84,7 +82,7 @@ descriptive names which end with your domain name, such as:</p>
</div>
</section>
<section id="mapping-hostnames-onto-kerberos-realms">
-<span id="mapping-hostnames"></span><h2>Mapping hostnames onto Kerberos realms<a class="headerlink" href="#mapping-hostnames-onto-kerberos-realms" title="Permalink to this headline">¶</a></h2>
+<span id="mapping-hostnames"></span><h2>Mapping hostnames onto Kerberos realms<a class="headerlink" href="#mapping-hostnames-onto-kerberos-realms" title="Link to this heading">¶</a></h2>
<p>Mapping hostnames onto Kerberos realms is done in one of three ways.</p>
<p>The first mechanism works through a set of rules in the
<a class="reference internal" href="conf_files/krb5_conf.html#domain-realm"><span class="std std-ref">[domain_realm]</span></a> section of <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. You can specify
@@ -124,7 +122,7 @@ would be:</p>
you may wish to set it up anyway, for use when interacting with other sites.</p>
</section>
<section id="ports-for-the-kdc-and-admin-services">
-<h2>Ports for the KDC and admin services<a class="headerlink" href="#ports-for-the-kdc-and-admin-services" title="Permalink to this headline">¶</a></h2>
+<h2>Ports for the KDC and admin services<a class="headerlink" href="#ports-for-the-kdc-and-admin-services" title="Link to this heading">¶</a></h2>
<p>The default ports used by Kerberos are port 88 for the KDC and port
749 for the admin server. You can, however, choose to run on other
ports, as long as they are specified in each host’s
@@ -134,7 +132,7 @@ port numbers used by the Kerberos V5 programs, refer to the
<a class="reference internal" href="appl_servers.html#conf-firewall"><span class="std std-ref">Configuring your firewall to work with Kerberos V5</span></a>.</p>
</section>
<section id="replica-kdcs">
-<h2>Replica KDCs<a class="headerlink" href="#replica-kdcs" title="Permalink to this headline">¶</a></h2>
+<h2>Replica KDCs<a class="headerlink" href="#replica-kdcs" title="Link to this heading">¶</a></h2>
<p>Replica KDCs provide an additional source of Kerberos ticket-granting
services in the event of inaccessibility of the primary KDC. The
number of replica KDCs you need and the decision of where to place them,
@@ -157,14 +155,14 @@ localized disasters.</p></li>
</ul>
</section>
<section id="hostnames-for-kdcs">
-<span id="kdc-hostnames"></span><h2>Hostnames for KDCs<a class="headerlink" href="#hostnames-for-kdcs" title="Permalink to this headline">¶</a></h2>
+<span id="kdc-hostnames"></span><h2>Hostnames for KDCs<a class="headerlink" href="#hostnames-for-kdcs" title="Link to this heading">¶</a></h2>
<p>MIT recommends that your KDCs have a predefined set of CNAME records
(DNS hostname aliases), such as <code class="docutils literal notranslate"><span class="pre">kerberos</span></code> for the primary KDC and
<code class="docutils literal notranslate"><span class="pre">kerberos-1</span></code>, <code class="docutils literal notranslate"><span class="pre">kerberos-2</span></code>, … for the replica KDCs. This way,
if you need to swap a machine, you only need to change a DNS entry,
rather than having to change hostnames.</p>
<p>As of MIT krb5 1.4, clients can locate a realm’s KDCs through DNS
-using SRV records (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc2782.html"><strong>RFC 2782</strong></a>), assuming the Kerberos realm name is
+using SRV records (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc2782.html"><strong>RFC 2782</strong></a>), assuming the Kerberos realm name is
also a DNS domain name. These records indicate the hostname and port
number to contact for that service, optionally with weighting and
prioritization. The domain name used in the SRV record name is the
@@ -226,11 +224,17 @@ using the <strong>kdc</strong>, <strong>master_kdc</strong>, <strong>admin_serve
<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. Even if some clients will be configured with
explicit server locations, providing SRV records will still benefit
unconfigured clients, and be useful for other sites.</p>
+<p>Clients can be configured with the <strong>sitename</strong> realm variable (new in
+release 1.22). If a site name is set, the client first attempts SRV
+record lookups with “.*sitename*._sites” inserted after the service
+and protocol name and before the Kerberos realm. Site-specific
+records may indicate servers more proximal to the client, allowing for
+faster access.</p>
</section>
<section id="kdc-discovery">
-<span id="id1"></span><h2>KDC Discovery<a class="headerlink" href="#kdc-discovery" title="Permalink to this headline">¶</a></h2>
+<span id="id1"></span><h2>KDC Discovery<a class="headerlink" href="#kdc-discovery" title="Link to this heading">¶</a></h2>
<p>As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI
-records (<span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc7553.html"><strong>RFC 7553</strong></a>). Limitations with the SRV record format may
+records (<span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc7553.html"><strong>RFC 7553</strong></a>). Limitations with the SRV record format may
result in extra DNS queries in situations where a client must failover
to other transport types, or find a primary server. The URI record
can convey more information about a realm’s KDCs with a single query.</p>
@@ -269,9 +273,11 @@ include a port and/or path extension.</p></li>
<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> to False. When enabled, URI lookups take
precedence over SRV lookups, falling back to SRV lookups if no URI
records are found.</p>
+<p>The <strong>sitename</strong> variable in the <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> section of
+<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> applies to URI lookups as well as SRV lookups.</p>
</section>
<section id="database-propagation">
-<span id="db-prop"></span><h2>Database propagation<a class="headerlink" href="#database-propagation" title="Permalink to this headline">¶</a></h2>
+<span id="db-prop"></span><h2>Database propagation<a class="headerlink" href="#database-propagation" title="Link to this heading">¶</a></h2>
<p>The Kerberos database resides on the primary KDC, and must be
propagated regularly (usually by a cron job) to the replica KDCs. In
deciding how frequently the propagation should happen, you will need
@@ -370,8 +376,8 @@ the database to additional replicas.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/spake.html b/crypto/krb5/doc/html/admin/spake.html
index 39c9ee58c3b2..de215dfbc571 100644
--- a/crypto/krb5/doc/html/admin/spake.html
+++ b/crypto/krb5/doc/html/admin/spake.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>SPAKE Preauthentication &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="spake-preauthentication">
-<span id="spake"></span><h1>SPAKE Preauthentication<a class="headerlink" href="#spake-preauthentication" title="Permalink to this headline">¶</a></h1>
+<span id="spake"></span><h1>SPAKE Preauthentication<a class="headerlink" href="#spake-preauthentication" title="Link to this heading">¶</a></h1>
<p>SPAKE preauthentication (added in release 1.17) uses public key
cryptography techniques to protect against <a class="reference internal" href="dictionary.html#dictionary"><span class="std std-ref">password dictionary
attacks</span></a>. Unlike <a class="reference internal" href="pkinit.html#pkinit"><span class="std std-ref">PKINIT</span></a>, it does not
@@ -175,8 +173,8 @@ used.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/troubleshoot.html b/crypto/krb5/doc/html/admin/troubleshoot.html
index 493abbf0b9c9..812508f5b31e 100644
--- a/crypto/krb5/doc/html/admin/troubleshoot.html
+++ b/crypto/krb5/doc/html/admin/troubleshoot.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Troubleshooting &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,9 +51,9 @@
<div class="body" role="main">
<section id="troubleshooting">
-<span id="troubleshoot"></span><h1>Troubleshooting<a class="headerlink" href="#troubleshooting" title="Permalink to this headline">¶</a></h1>
+<span id="troubleshoot"></span><h1>Troubleshooting<a class="headerlink" href="#troubleshooting" title="Link to this heading">¶</a></h1>
<section id="trace-logging">
-<span id="id1"></span><h2>Trace logging<a class="headerlink" href="#trace-logging" title="Permalink to this headline">¶</a></h2>
+<span id="id1"></span><h2>Trace logging<a class="headerlink" href="#trace-logging" title="Link to this heading">¶</a></h2>
<p>Most programs using MIT krb5 1.9 or later can be made to provide
information about internal krb5 library operations using trace
logging. To enable this, set the <strong>KRB5_TRACE</strong> environment variable
@@ -80,9 +78,9 @@ of the <a class="reference internal" href="../user/user_commands/kvno.html#kvno-
</div>
</section>
<section id="list-of-errors">
-<h2>List of errors<a class="headerlink" href="#list-of-errors" title="Permalink to this headline">¶</a></h2>
+<h2>List of errors<a class="headerlink" href="#list-of-errors" title="Link to this heading">¶</a></h2>
<section id="frequently-seen-errors">
-<h3>Frequently seen errors<a class="headerlink" href="#frequently-seen-errors" title="Permalink to this headline">¶</a></h3>
+<h3>Frequently seen errors<a class="headerlink" href="#frequently-seen-errors" title="Link to this heading">¶</a></h3>
<ol class="arabic simple">
<li><p><a class="reference internal" href="#init-creds-etype-nosupp"><span class="std std-ref">KDC has no support for encryption type while getting initial credentials</span></a></p></li>
<li><p><a class="reference internal" href="#cert-chain-etype-nosupp"><span class="std std-ref">credential verification failed: KDC has no support for encryption type</span></a></p></li>
@@ -90,7 +88,7 @@ of the <a class="reference internal" href="../user/user_commands/kvno.html#kvno-
</ol>
</section>
<section id="errors-seen-by-admins">
-<h3>Errors seen by admins<a class="headerlink" href="#errors-seen-by-admins" title="Permalink to this headline">¶</a></h3>
+<h3>Errors seen by admins<a class="headerlink" href="#errors-seen-by-admins" title="Link to this heading">¶</a></h3>
<ol class="arabic simple" id="prop-failed-start">
<li><p><a class="reference internal" href="#kprop-no-route"><span class="std std-ref">kprop: No route to host while connecting to server</span></a></p></li>
<li><p><a class="reference internal" href="#kprop-con-refused"><span class="std std-ref">kprop: Connection refused while connecting to server</span></a></p></li>
@@ -98,10 +96,10 @@ of the <a class="reference internal" href="../user/user_commands/kvno.html#kvno-
</ol>
<hr class="docutils" id="prop-failed-end" />
<section id="kdc-has-no-support-for-encryption-type-while-getting-initial-credentials">
-<span id="init-creds-etype-nosupp"></span><h4>KDC has no support for encryption type while getting initial credentials<a class="headerlink" href="#kdc-has-no-support-for-encryption-type-while-getting-initial-credentials" title="Permalink to this headline">¶</a></h4>
+<span id="init-creds-etype-nosupp"></span><h4>KDC has no support for encryption type while getting initial credentials<a class="headerlink" href="#kdc-has-no-support-for-encryption-type-while-getting-initial-credentials" title="Link to this heading">¶</a></h4>
</section>
<section id="credential-verification-failed-kdc-has-no-support-for-encryption-type">
-<span id="cert-chain-etype-nosupp"></span><h4>credential verification failed: KDC has no support for encryption type<a class="headerlink" href="#credential-verification-failed-kdc-has-no-support-for-encryption-type" title="Permalink to this headline">¶</a></h4>
+<span id="cert-chain-etype-nosupp"></span><h4>credential verification failed: KDC has no support for encryption type<a class="headerlink" href="#credential-verification-failed-kdc-has-no-support-for-encryption-type" title="Link to this heading">¶</a></h4>
<p>This most commonly happens when trying to use a principal with only
DES keys, in a release (MIT krb5 1.7 or later) which disables DES by
default. DES encryption is considered weak due to its inadequate key
@@ -110,7 +108,7 @@ by adding <code class="docutils literal notranslate"><span class="pre">allow_wea
section of <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>.</p>
</section>
<section id="cannot-create-cert-chain-certificate-has-expired">
-<span id="err-cert-chain-cert-expired"></span><h4>Cannot create cert chain: certificate has expired<a class="headerlink" href="#cannot-create-cert-chain-certificate-has-expired" title="Permalink to this headline">¶</a></h4>
+<span id="err-cert-chain-cert-expired"></span><h4>Cannot create cert chain: certificate has expired<a class="headerlink" href="#cannot-create-cert-chain-certificate-has-expired" title="Link to this heading">¶</a></h4>
<p>This error message indicates that PKINIT authentication failed because
the client certificate, KDC certificate, or one of the certificates in
the signing chain above them has expired.</p>
@@ -126,13 +124,13 @@ gets initial tickets. The error message is more likely to appear
properly on the client if the principal entry has no long-term keys.</p>
</section>
<section id="kprop-no-route-to-host-while-connecting-to-server">
-<span id="kprop-no-route"></span><h4>kprop: No route to host while connecting to server<a class="headerlink" href="#kprop-no-route-to-host-while-connecting-to-server" title="Permalink to this headline">¶</a></h4>
+<span id="kprop-no-route"></span><h4>kprop: No route to host while connecting to server<a class="headerlink" href="#kprop-no-route-to-host-while-connecting-to-server" title="Link to this heading">¶</a></h4>
<p>Make sure that the hostname of the replica KDC (as given to kprop) is
correct, and that any firewalls between the primary and the replica
allow a connection on port 754.</p>
</section>
<section id="kprop-connection-refused-while-connecting-to-server">
-<span id="kprop-con-refused"></span><h4>kprop: Connection refused while connecting to server<a class="headerlink" href="#kprop-connection-refused-while-connecting-to-server" title="Permalink to this headline">¶</a></h4>
+<span id="kprop-con-refused"></span><h4>kprop: Connection refused while connecting to server<a class="headerlink" href="#kprop-connection-refused-while-connecting-to-server" title="Link to this heading">¶</a></h4>
<p>If the replica KDC is intended to run kpropd out of inetd, make sure
that inetd is configured to accept krb5_prop connections. inetd may
need to be restarted or sent a SIGHUP to recognize the new
@@ -140,7 +138,7 @@ configuration. If the replica is intended to run kpropd in standalone
mode, make sure that it is running.</p>
</section>
<section id="kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server">
-<span id="kprop-sendauth-exchange"></span><h4>kprop: Server rejected authentication (during sendauth exchange) while authenticating to server<a class="headerlink" href="#kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server" title="Permalink to this headline">¶</a></h4>
+<span id="kprop-sendauth-exchange"></span><h4>kprop: Server rejected authentication (during sendauth exchange) while authenticating to server<a class="headerlink" href="#kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server" title="Link to this heading">¶</a></h4>
<p>Make sure that:</p>
<ol class="arabic simple">
<li><p>The time is synchronized between the primary and replica KDCs.</p></li>
@@ -242,8 +240,8 @@ location on the replica.</p></li>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/admin/various_envs.html b/crypto/krb5/doc/html/admin/various_envs.html
index 14d3c5350354..ce0e0a7a727d 100644
--- a/crypto/krb5/doc/html/admin/various_envs.html
+++ b/crypto/krb5/doc/html/admin/various_envs.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Various links &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,21 +51,21 @@
<div class="body" role="main">
<section id="various-links">
-<h1>Various links<a class="headerlink" href="#various-links" title="Permalink to this headline">¶</a></h1>
+<h1>Various links<a class="headerlink" href="#various-links" title="Link to this heading">¶</a></h1>
<section id="whitepapers">
-<h2>Whitepapers<a class="headerlink" href="#whitepapers" title="Permalink to this headline">¶</a></h2>
+<h2>Whitepapers<a class="headerlink" href="#whitepapers" title="Link to this heading">¶</a></h2>
<ol class="arabic simple">
<li><p><a class="reference external" href="https://kerberos.org/software/whitepapers.html">https://kerberos.org/software/whitepapers.html</a></p></li>
</ol>
</section>
<section id="tutorials">
-<h2>Tutorials<a class="headerlink" href="#tutorials" title="Permalink to this headline">¶</a></h2>
+<h2>Tutorials<a class="headerlink" href="#tutorials" title="Link to this heading">¶</a></h2>
<ol class="arabic simple">
<li><p>Fulvio Ricciardi &lt;<a class="reference external" href="https://www.kerberos.org/software/tutorial.html">https://www.kerberos.org/software/tutorial.html</a>&gt;_</p></li>
</ol>
</section>
<section id="troubleshooting">
-<h2>Troubleshooting<a class="headerlink" href="#troubleshooting" title="Permalink to this headline">¶</a></h2>
+<h2>Troubleshooting<a class="headerlink" href="#troubleshooting" title="Link to this heading">¶</a></h2>
<ol class="arabic simple">
<li><p><a class="reference external" href="https://wiki.ncsa.illinois.edu/display/ITS/Windows+Kerberos+Troubleshooting">https://wiki.ncsa.illinois.edu/display/ITS/Windows+Kerberos+Troubleshooting</a></p></li>
<li><p><a class="reference external" href="https://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html">https://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html</a></p></li>
@@ -155,8 +153,8 @@
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">