path: root/crypto/krb5/doc/html/formats
Diffstat (limited to 'crypto/krb5/doc/html/formats')
-rw-r--r--crypto/krb5/doc/html/formats/ccache_file_format.html37
-rw-r--r--crypto/krb5/doc/html/formats/cookie.html85
-rw-r--r--crypto/krb5/doc/html/formats/database_formats.html587
-rw-r--r--crypto/krb5/doc/html/formats/freshness_token.html35
-rw-r--r--crypto/krb5/doc/html/formats/index.html26
-rw-r--r--crypto/krb5/doc/html/formats/keytab_file_format.html27
-rw-r--r--crypto/krb5/doc/html/formats/rcache_file_format.html27
7 files changed, 707 insertions, 117 deletions
diff --git a/crypto/krb5/doc/html/formats/ccache_file_format.html b/crypto/krb5/doc/html/formats/ccache_file_format.html
index 0218ef0c4934..2ef78d2d26f0 100644
--- a/crypto/krb5/doc/html/formats/ccache_file_format.html
+++ b/crypto/krb5/doc/html/formats/ccache_file_format.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Credential cache file format &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
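Review bot: the rewritten head emits two viewport meta tags with conflicting `initial-scale` values on the line `+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />`, where the old file had one viewport tag plus the Docutils generator tag; browsers apply only one of them, so the duplicate is harmless but should be removed from the theme template so the shipped HTML stays clean. The same duplicated pair appears in the cookie.html and database_formats.html heads of this patch. Dropping jquery.js and underscore.js while adding sphinx_highlight.js is consistent with the newer Sphinx generator, so nothing else in this hunk needs changing.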
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="credential-cache-file-format">
-<span id="ccache-file-format"></span><h1>Credential cache file format<a class="headerlink" href="#credential-cache-file-format" title="Permalink to this headline">¶</a></h1>
+<span id="ccache-file-format"></span><h1>Credential cache file format<a class="headerlink" href="#credential-cache-file-format" title="Link to this heading">¶</a></h1>
<p>There are four versions of the file format used by the FILE credential
cache type. The first byte of the file always has the value 5, and
the value of the second byte contains the version number (1 through
@@ -63,7 +61,7 @@ representations. Versions 3 and 4 always use big-endian byte order.</p>
header (in version 4 only), the default principal name, and a sequence
of credentials.</p>
<section id="header-format">
-<h2>Header format<a class="headerlink" href="#header-format" title="Permalink to this headline">¶</a></h2>
+<h2>Header format<a class="headerlink" href="#header-format" title="Link to this heading">¶</a></h2>
<p>The header appears only in format version 4. It begins with a 16-bit
integer giving the length of the entire header, followed by a sequence
of fields. Each field consists of a 16-bit tag, a 16-bit length, and
@@ -77,7 +75,7 @@ client should give the current time on the KDC, if that offset has not
changed since the initial authentication.</p>
</section>
<section id="principal-format">
-<span id="cache-principal-format"></span><h2>Principal format<a class="headerlink" href="#principal-format" title="Permalink to this headline">¶</a></h2>
+<span id="cache-principal-format"></span><h2>Principal format<a class="headerlink" href="#principal-format" title="Link to this heading">¶</a></h2>
<p>The default principal is marshalled using the following informal
grammar:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">principal</span> <span class="p">:</span><span class="o">:=</span>
@@ -98,7 +96,7 @@ parsed according to the above grammar in order to find the sequence of
credentials which follows.</p>
</section>
<section id="credential-format">
-<span id="ccache-credential-format"></span><h2>Credential format<a class="headerlink" href="#credential-format" title="Permalink to this headline">¶</a></h2>
+<span id="ccache-credential-format"></span><h2>Credential format<a class="headerlink" href="#credential-format" title="Link to this heading">¶</a></h2>
<p>The credential format uses the following informal grammar (referencing
the <code class="docutils literal notranslate"><span class="pre">principal</span></code> and <code class="docutils literal notranslate"><span class="pre">data</span></code> types from the previous section):</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">credential</span> <span class="p">:</span><span class="o">:=</span>
@@ -148,7 +146,7 @@ end of the sequence of credentials; the sequence ends when the file
ends.</p>
</section>
<section id="credential-cache-configuration-entries">
-<h2>Credential cache configuration entries<a class="headerlink" href="#credential-cache-configuration-entries" title="Permalink to this headline">¶</a></h2>
+<h2>Credential cache configuration entries<a class="headerlink" href="#credential-cache-configuration-entries" title="Link to this heading">¶</a></h2>
<p>Configuration entries are encoded as credential entries. The client
principal of the entry is the default principal of the cache. The
server principal has the realm <code class="docutils literal notranslate"><span class="pre">X-CACHECONF:</span></code> and two or three
@@ -174,9 +172,9 @@ entries because of the endtime.</p></li>
<p>The following configuration keys are currently used in MIT krb5:</p>
<dl class="simple">
<dt>fast_avail</dt><dd><p>The presence of this key with a non-empty value indicates that the
-KDC asserted support for FAST (see <span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6113.html"><strong>RFC 6113</strong></a>) during the initial
+KDC asserted support for FAST (see <span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc6113.html"><strong>RFC 6113</strong></a>) during the initial
authentication, using the negotiation method described in
-<span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6806.html"><strong>RFC 6806</strong></a> section 11. This key is not associated with any
+<span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc6806.html"><strong>RFC 6806</strong></a> section 11. This key is not associated with any
principal.</p>
</dd>
<dt>pa_config_data</dt><dd><p>The value of this key contains a JSON object representation of
@@ -246,6 +244,7 @@ realm is used.</p>
<li class="toctree-l2"><a class="reference internal" href="rcache_file_format.html">Replay cache file format</a></li>
<li class="toctree-l2"><a class="reference internal" href="cookie.html">KDC cookie format</a></li>
<li class="toctree-l2"><a class="reference internal" href="freshness_token.html">PKINIT freshness tokens</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database_formats.html">Kerberos Database (KDB) Formats</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
@@ -271,8 +270,8 @@ realm is used.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/formats/cookie.html b/crypto/krb5/doc/html/formats/cookie.html
index f35a5e6e3f59..e5f148c4758c 100644
--- a/crypto/krb5/doc/html/formats/cookie.html
+++ b/crypto/krb5/doc/html/formats/cookie.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>KDC cookie format &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,26 +51,26 @@
<div class="body" role="main">
<section id="kdc-cookie-format">
-<h1>KDC cookie format<a class="headerlink" href="#kdc-cookie-format" title="Permalink to this headline">¶</a></h1>
-<p><span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6113.html"><strong>RFC 6113</strong></a> section 5.2 specifies a pa-data type PA-FX-COOKIE, which
+<h1>KDC cookie format<a class="headerlink" href="#kdc-cookie-format" title="Link to this heading">¶</a></h1>
+<p><span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc6113.html"><strong>RFC 6113</strong></a> section 5.2 specifies a pa-data type PA-FX-COOKIE, which
clients are required to reflect back to the KDC during
pre-authentication. The MIT krb5 KDC uses the following formats for
cookies.</p>
<section id="trivial-cookie-version-0">
-<h2>Trivial cookie (version 0)<a class="headerlink" href="#trivial-cookie-version-0" title="Permalink to this headline">¶</a></h2>
+<h2>Trivial cookie (version 0)<a class="headerlink" href="#trivial-cookie-version-0" title="Link to this heading">¶</a></h2>
<p>If there is no pre-authentication mechanism state information to save,
a trivial cookie containing the value “MIT” is used. A trivial cookie
is needed to indicate that the conversation can continue.</p>
</section>
<section id="secure-cookie-version-1">
-<h2>Secure cookie (version 1)<a class="headerlink" href="#secure-cookie-version-1" title="Permalink to this headline">¶</a></h2>
+<h2>Secure cookie (version 1)<a class="headerlink" href="#secure-cookie-version-1" title="Link to this heading">¶</a></h2>
<p>In release 1.14 and later, a secure cookie can be sent if there is any
mechanism state to save for the next request. A secure cookie
contains the concatenation of the following:</p>
<ul class="simple">
<li><p>the four bytes “MIT1”</p></li>
<li><p>a four-byte big-endian kvno value</p></li>
-<li><p>an <span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc3961.html"><strong>RFC 3961</strong></a> ciphertext</p></li>
+<li><p>an <span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc3961.html"><strong>RFC 3961</strong></a> ciphertext</p></li>
</ul>
<p>The ciphertext is encrypted in the cookie key with key usage
number 513. The cookie key is derived from a key in the local krbtgt
@@ -80,21 +78,21 @@ principal entry for the realm (e.g. <code class="docutils literal notranslate"><
if the request is to the <code class="docutils literal notranslate"><span class="pre">KRBTEST.COM</span></code> realm). The first krbtgt key
for the indicated kvno value is combined with the client principal as
follows:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">cookie</span><span class="o">-</span><span class="n">key</span> <span class="o">&lt;-</span> <span class="n">random</span><span class="o">-</span><span class="n">to</span><span class="o">-</span><span class="n">key</span><span class="p">(</span><span class="n">PRF</span><span class="o">+</span><span class="p">(</span><span class="n">tgt</span><span class="o">-</span><span class="n">key</span><span class="p">,</span> <span class="s2">&quot;COOKIE&quot;</span> <span class="o">|</span> <span class="n">client</span><span class="o">-</span><span class="n">princ</span><span class="p">))</span>
+<div class="highlight-abnf notranslate"><div class="highlight"><pre><span></span><span class="nc">cookie-key</span><span class="w"> </span>&lt;-<span class="w"> </span><span class="nc">random-to-key</span><span class="p">(</span><span class="nc">PRF</span>+<span class="p">(</span><span class="nc">tgt-key</span>,<span class="w"> </span><span class="l">&quot;COOKIE&quot;</span><span class="w"> </span>|<span class="w"> </span><span class="nc">client-princ</span><span class="p">))</span>
</pre></div>
</div>
-<p>where <strong>random-to-key</strong> is the <span class="target" id="index-2"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc3961.html"><strong>RFC 3961</strong></a> random-to-key operation for
-the krbtgt key’s encryption type, <strong>PRF+</strong> is defined in <span class="target" id="index-3"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6113.html"><strong>RFC 6113</strong></a>,
+<p>where <strong>random-to-key</strong> is the <span class="target" id="index-2"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc3961.html"><strong>RFC 3961</strong></a> random-to-key operation for
+the krbtgt key’s encryption type, <strong>PRF+</strong> is defined in <span class="target" id="index-3"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc6113.html"><strong>RFC 6113</strong></a>,
and <code class="docutils literal notranslate"><span class="pre">|</span></code> denotes concatenation. <em>client-princ</em> is the request client
-principal name with realm, marshalled according to <span class="target" id="index-4"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc1964.html"><strong>RFC 1964</strong></a> section
+principal name with realm, marshalled according to <span class="target" id="index-4"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc1964.html"><strong>RFC 1964</strong></a> section
2.1.1.</p>
<p>The plain text of the encrypted part of a cookie is the DER encoding
of the following ASN.1 type:</p>
-<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">SecureCookie</span> <span class="p">:</span><span class="o">:=</span> <span class="n">SEQUENCE</span> <span class="p">{</span>
- <span class="n">time</span> <span class="n">INTEGER</span><span class="p">,</span>
- <span class="n">data</span> <span class="n">SEQUENCE</span> <span class="n">OF</span> <span class="n">PA</span><span class="o">-</span><span class="n">DATA</span><span class="p">,</span>
- <span class="o">...</span>
-<span class="p">}</span>
+<div class="highlight-bnf notranslate"><div class="highlight"><pre><span></span>SecureCookie <span class="o">::=</span> SEQUENCE {
+ time INTEGER,
+ data SEQUENCE OF PA-DATA,
+ ...
+}
</pre></div>
</div>
<p>The time field represents the cookie creation time; for brevity, it is
@@ -107,20 +105,28 @@ relevant to a request by comparing the request pa-data types to the
cookie data types.</p>
</section>
<section id="spake-cookie-format-version-1">
-<h2>SPAKE cookie format (version 1)<a class="headerlink" href="#spake-cookie-format-version-1" title="Permalink to this headline">¶</a></h2>
+<h2>SPAKE cookie format (version 1)<a class="headerlink" href="#spake-cookie-format-version-1" title="Link to this heading">¶</a></h2>
<p>Inside the SecureCookie wrapper, a data value of type 151 contains
-state for SPAKE pre-authentication. This data is the concatenation of
-the following:</p>
-<ul class="simple">
-<li><p>a two-byte big-endian version number with the value 1</p></li>
-<li><p>a two-byte big-endian stage number</p></li>
-<li><p>a four-byte big-endian group number</p></li>
-<li><p>a four-byte big-endian length and data for the SPAKE value</p></li>
-<li><p>a four-byte big-endian length and data for the transcript hash</p></li>
-<li><p>zero or more second factor records, each consisting of:
-- a four-byte big-endian second-factor type
-- a four-byte big-endian length and data</p></li>
-</ul>
+state for SPAKE pre-authentication. This data has the following
+binary format with big-endian integer encoding:</p>
+<div class="highlight-bnf notranslate"><div class="highlight"><pre><span></span>cookie <span class="o">::=</span>
+ version (16 bits) [with the value 1]
+ stage number (16 bits)
+ group number (32 bits)
+ SPAKE value length (32 bits)
+ SPAKE value
+ transcript hash length (32 bits)
+ transcript hash
+ second factor record 1 (factor-record)
+ second factor record 2 (factor-record)
+ ...
+
+factor-record <span class="o">::=</span>
+ second factor type (32 bits)
+ second factor data length (32 bits)
+ second factor data
+</pre></div>
+</div>
<p>The stage value is 0 if the cookie was sent with a challenge message.
Otherwise it is 1 for the first encdata message sent by the KDC during
an exchange, 2 for the second, etc..</p>
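Review bot: the new grammar loses the quantifier the removed bullet list carried: `zero or more second factor records` has become `second factor record 1 (factor-record)` / `second factor record 2 (factor-record)` / `...`, which a reader can take to mean at least one record is always present. Either keep the words "zero or more" in the sentence that introduces the grammar or annotate the first record line with a bracketed note, as the version field is annotated with `[with the value 1]`; a decoder that expects a record after the transcript hash would misparse a cookie that carries no second factors. While this block is being touched, the unchanged context line `an exchange, 2 for the second, etc..` has a doubled period.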
@@ -173,6 +179,7 @@ corresponding to the factor type chosen by the client.</p>
<li class="toctree-l2"><a class="reference internal" href="rcache_file_format.html">Replay cache file format</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">KDC cookie format</a></li>
<li class="toctree-l2"><a class="reference internal" href="freshness_token.html">PKINIT freshness tokens</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database_formats.html">Kerberos Database (KDB) Formats</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
@@ -198,8 +205,8 @@ corresponding to the factor type chosen by the client.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/formats/database_formats.html b/crypto/krb5/doc/html/formats/database_formats.html
new file mode 100644
index 000000000000..782a004b1370
--- /dev/null
+++ b/crypto/krb5/doc/html/formats/database_formats.html
@@ -0,0 +1,587 @@
+<!DOCTYPE html>
+
+<html lang="en" data-content_root="../">
+ <head>
+ <meta charset="utf-8" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
+
+ <title>Kerberos Database (KDB) Formats &#8212; MIT Kerberos Documentation</title>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="index" title="Index" href="../genindex.html" />
+ <link rel="search" title="Search" href="../search.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="next" title="MIT Kerberos features" href="../mitK5features.html" />
+ <link rel="prev" title="PKINIT freshness tokens" href="freshness_token.html" />
+ </head><body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="freshness_token.html" title="PKINIT freshness tokens"
+ accesskey="P">previous</a> |
+ <a href="../mitK5features.html" title="MIT Kerberos features"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Kerberos Database (KDB) Formats">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body" role="main">
+
+ <section id="kerberos-database-kdb-formats">
+<h1>Kerberos Database (KDB) Formats<a class="headerlink" href="#kerberos-database-kdb-formats" title="Link to this heading">¶</a></h1>
+<section id="dump-format">
+<h2>Dump format<a class="headerlink" href="#dump-format" title="Link to this heading">¶</a></h2>
+<p>Files created with the <a class="reference internal" href="../admin/admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> <strong>dump</strong> command begin with
+a versioned header “kdb5_util load_dump version 7”. This version has
+been in use since MIT krb5 release 1.11; some previous versions are
+supported but are not described here.</p>
+<p>Each subsequent line of the dump file contains one or more
+tab-separated fields describing either a principal entry or a policy
+entry. The fields of a principal entry line are:</p>
+<ul class="simple">
+<li><p>the word “princ”</p></li>
+<li><p>the string “38” (this was originally a length field)</p></li>
+<li><p>the length of the principal name in string form</p></li>
+<li><p>the decimal number of tag-length data elements</p></li>
+<li><p>the decimal number of key-data elements</p></li>
+<li><p>the string “0” (this was originally an extension length field)</p></li>
+<li><p>the principal name in string form</p></li>
+<li><p>the principal attributes as a decimal number; when converted to
+binary, the bits from least significant to most significant are:</p>
+<ul>
+<li><p>disallow_postdated</p></li>
+<li><p>disallow_forwardable</p></li>
+<li><p>disallow_tgt_based</p></li>
+<li><p>disallow_renewable</p></li>
+<li><p>disallow_proxiable</p></li>
+<li><p>disallow_dup_skey</p></li>
+<li><p>disallow_all_tix</p></li>
+<li><p>requires_preauth</p></li>
+<li><p>requires_hwauth</p></li>
+<li><p>requires_pwchange</p></li>
+<li><p>disallow_svr</p></li>
+<li><p>pwchange_service</p></li>
+<li><p>support_desmd5</p></li>
+<li><p>new_princ</p></li>
+<li><p>ok_as_delegate</p></li>
+<li><p>ok_to_auth_as_delegate</p></li>
+<li><p>no_auth_data_required</p></li>
+<li><p>lockdown_keys</p></li>
+</ul>
+</li>
+<li><p>the maximum ticket lifetime, as a decimal number of seconds</p></li>
+<li><p>the maximum renewable ticket lifetime, as a decimal number of seconds</p></li>
+<li><p>the principal expiration time, as a decimal POSIX timestamp</p></li>
+<li><p>the password expiration time, as a decimal POSIX timestamp</p></li>
+<li><p>the last successful authentication time, as a decimal POSIX
+timestamp</p></li>
+<li><p>the last failed authentication time, as a decimal POSIX timestamp</p></li>
+<li><p>the decimal number of failed authentications since the last
+successful authentication time</p></li>
+<li><p>for each tag-length data value:</p>
+<ul>
+<li><p>the tag value in decimal</p></li>
+<li><p>the length in decimal</p></li>
+<li><p>the data as a lowercase hexadecimal byte string, or “-1” if the length is 0</p></li>
+</ul>
+</li>
+<li><p>for each key-data element:</p>
+<ul>
+<li><p>the string “2” if this element has non-normal salt type, “1”
+otherwise</p></li>
+<li><p>the key version number of this element</p></li>
+<li><p>the encryption type</p></li>
+<li><p>the length of the encrypted key value</p></li>
+<li><p>the encrypted key as a lowercase hexadecimal byte string</p></li>
+<li><p>if this element has non-normal salt type:</p>
+<ul>
+<li><p>the salt type</p></li>
+<li><p>the length of the salt data</p></li>
+<li><p>the salt data as a lowercase hexadecimal byte string, or the
+string “-1” if the salt data length is 0</p></li>
+</ul>
+</li>
+</ul>
+</li>
+<li><p>the string “-1;” (this was originally an extension field)</p></li>
+</ul>
+<p>The fields of a policy entry line are:</p>
+<ul class="simple">
+<li><p>the string “policy”</p></li>
+<li><p>the policy name</p></li>
+<li><p>the minimum password lifetime as a decimal number of seconds</p></li>
+<li><p>the maximum password lifetime as a decimal number of seconds</p></li>
+<li><p>the minimum password length, in decimal</p></li>
+<li><p>the minimum number of character classes, in decimal</p></li>
+<li><p>the number of historical keys to be stored, in decimal</p></li>
+<li><p>the policy reference count (no longer used)</p></li>
+<li><p>the maximum number of failed authentications before lockout</p></li>
+<li><p>the time interval after which the failed authentication count is
+reset, as a decimal number of seconds</p></li>
+<li><p>the lockout duration, as a decimal number of seconds</p></li>
+<li><p>the required principal attributes, in decimal (currently unenforced)</p></li>
+<li><p>the maximum ticket lifetime as a decimal number of seconds
+(currently unenforced)</p></li>
+<li><p>the maximum renewable lifetime as a decimal number of seconds
+(currently unenforced)</p></li>
+<li><p>the allowed key/salt types, or “-” if unrestricted</p></li>
+<li><p>the number of tag-length values</p></li>
+<li><p>for each tag-length data value:</p>
+<ul>
+<li><p>the tag value in decimal</p></li>
+<li><p>the length in decimal</p></li>
+<li><p>the data as a lowercase hexadecimal byte string, or “-1” if the
+length is 0</p></li>
+</ul>
+</li>
+</ul>
+</section>
+<section id="tag-length-data-formats">
+<h2>Tag-length data formats<a class="headerlink" href="#tag-length-data-formats" title="Link to this heading">¶</a></h2>
+<p>The currently defined tag-length data types are:</p>
+<ul class="simple">
+<li><p>(1) last password change: a four-byte little-endian POSIX timestamp
+giving the last password change time</p></li>
+<li><p>(2) last modification data: a four-byte little-endian POSIX
+timestamp followed by a zero-terminated principal name in string
+form, giving the time of the last principal change and the principal
+who performed it</p></li>
+<li><p>(3) kadmin data: the XDR encoding of a per-principal kadmin data
+record (see below)</p></li>
+<li><p>(8) master key version: a two-byte little-endian integer containing
+the master key version used to encrypt this principal’s key data</p></li>
+<li><ol class="arabic simple" start="9">
+<li><p>active kvno: see below</p></li>
+</ol>
+</li>
+<li><ol class="arabic simple" start="10">
+<li><p>master key auxiliary data: see below</p></li>
+</ol>
+</li>
+<li><p>(11) string attributes: one or more iterations of a zero-terminated
+string key followed by a zero-terminated string value</p></li>
+<li><p>(12) alias target principal: a zero-terminated principal name in
+string form</p></li>
+<li><ol class="arabic simple" start="255">
+<li><p>LDAP object information: see below</p></li>
+</ol>
+</li>
+<li><p>(768) referral padata: a DER-encoded PA-SVR-REFERRAL-DATA to be sent
+to a TGS-REQ client within encrypted padata (see Appendix A of
+<span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc1606.html"><strong>RFC 1606</strong></a>)</p></li>
+<li><p>(1792) last admin unlock: a four-byte little-endian POSIX timestamp
+giving the time of the last administrative account unlock</p></li>
+<li><p>(32767) database arguments: a zero-terminated key=value string (may
+appear multiple times); used by the kadmin protocol to
+communicate -x arguments to kadmind</p></li>
+</ul>
+<section id="per-principal-kadmin-data">
+<h3>Per-principal kadmin data<a class="headerlink" href="#per-principal-kadmin-data" title="Link to this heading">¶</a></h3>
+<p>Per-principal kadmin data records use a modified XDR encoding of the
+kadmin_data type defined as follows:</p>
+<div class="highlight-c notranslate"><div class="highlight"><pre><span></span><span class="k">struct</span><span class="w"> </span><span class="nc">key_data</span><span class="w"> </span><span class="p">{</span>
+<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">numfields</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">kvno</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">enctype</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">salttype</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">keylen</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">saltlen</span><span class="p">;</span>
+<span class="w"> </span><span class="n">opaque</span><span class="w"> </span><span class="n">key</span><span class="o">&lt;&gt;</span><span class="p">;</span>
+<span class="w"> </span><span class="n">opaque</span><span class="w"> </span><span class="n">salt</span><span class="o">&lt;&gt;</span><span class="p">;</span>
+<span class="p">};</span>
+
+<span class="k">struct</span><span class="w"> </span><span class="nc">hist_entry</span><span class="w"> </span><span class="p">{</span>
+<span class="w"> </span><span class="n">key_data</span><span class="w"> </span><span class="n">keys</span><span class="o">&lt;&gt;</span><span class="p">;</span>
+<span class="p">};</span>
+
+<span class="k">struct</span><span class="w"> </span><span class="nc">kadmin_data</span><span class="w"> </span><span class="p">{</span>
+<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">version_number</span><span class="p">;</span>
+<span class="w"> </span><span class="n">nullstring</span><span class="w"> </span><span class="n">policy</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">aux_attributes</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">old_key_next</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">admin_history_kvno</span><span class="p">;</span>
+<span class="w"> </span><span class="n">hist_entry</span><span class="w"> </span><span class="n">old_keysets</span><span class="o">&lt;&gt;</span><span class="p">;</span>
+<span class="p">};</span>
+</pre></div>
+</div>
+<p>The type “nullstring” uses a custom string encoder where the length
+field is zero or the string length plus one; a length of zero
+indicates that no policy object is specified for the principal. The
+field “version_number” contains 0x12345C01. The aux_attributes field
+contains the bit 0x800 if a policy object is associated with the
+principal.</p>
+<p>Within a key_data record, numfields is 2 if the key data has
+non-normal salt type, 1 otherwise.</p>
+</section>
+<section id="active-kvno-and-master-key-auxiliary-data">
+<h3>Active kvno and master key auxiliary data<a class="headerlink" href="#active-kvno-and-master-key-auxiliary-data" title="Link to this heading">¶</a></h3>
+<p>These types only appear in the entry of the master key principal
+(K/M). They use little-endian binary integer encoding.</p>
+<p>The active kvno table determines which master key version is active
+for a given timestamp. It uses the following binary format:</p>
+<div class="highlight-bnf notranslate"><div class="highlight"><pre><span></span>active-key-version-table <span class="o">::=</span>
+ version (16 bits) [with the value 1]
+ version entry 1 (key-version-entry)
+ version entry 2 (key-version-entry)
+ ...
+
+key-version-entry <span class="o">::=</span>
+ key version (16 bits)
+ timestamp (32 bits) [when this key version becomes active]
+</pre></div>
+</div>
+<p>The master key auxiliary data record contains copies of the current
+master key encrypted in each older master key. It uses the following
+binary format:</p>
+<div class="highlight-bnf notranslate"><div class="highlight"><pre><span></span>master-key-aux <span class="o">::=</span>
+ version (16 bits) [with the value 1]
+ key entry 1 (key-entry)
+ key entry 2 (key-entry)
+ ...
+
+key-entry <span class="o">::=</span>
+ old master key version (16 bits)
+ latest master key version (16 bits)
+ latest master key encryption type (16 bits)
+ encrypted key length (16 bits)
+ encrypted key contents
+</pre></div>
+</div>
+</section>
+<section id="ldap-object-information">
+<h3>LDAP object information<a class="headerlink" href="#ldap-object-information" title="Link to this heading">¶</a></h3>
+<p>This type appears in principal entries retrieved with the LDAP KDB
+module. The value uses the following binary format, using big-endian
+integer encoding:</p>
+<div class="highlight-bnf notranslate"><div class="highlight"><pre><span></span>ldap-principal-data <span class="o">::=</span>
+ record 1 (ldap-tl-data)
+ record 2 (ldap-tl-data)
+ ...
+
+ldap-tl-data <span class="o">::=</span>
+ type (8 bits)
+ length (16 bits)
+ data
+</pre></div>
+</div>
+<p>The currently defined ldap-tl-data types are (all integers are
+big-endian):</p>
+<ul class="simple">
+<li><p>(1) principal type: 16 bits containing the value 1, indicating that
+the LDAP object containing the principal entry is a standalone
+principal object</p></li>
+<li><p>(2) principal count: 16 bits containing the number of
+krbPrincipalName values in the LDAP object</p></li>
+<li><p>(3) user DN: the string representation of the distinguished name of
+the LDAP object</p></li>
+<li><p>(5) attribute mask: 16 bits indicating which Kerberos-specific LDAP
+attributes are present in the LDAP object (see below)</p></li>
+<li><p>(7) link DN: the string representation of the distinguished name of
+an LDAP object this object is linked to; may appear multiple times</p></li>
+</ul>
+<p>When converted to binary, the attribute mask bits, from least
+significant to most significant, correspond to the following LDAP
+attributes:</p>
+<ul class="simple">
+<li><p>krbMaxTicketLife</p></li>
+<li><p>krbMaxRenewableAge</p></li>
+<li><p>krbTicketFlags</p></li>
+<li><p>krbPrincipalExpiration</p></li>
+<li><p>krbTicketPolicyReference</p></li>
+<li><p>krbPrincipalAuthInd</p></li>
+<li><p>krbPwdPolicyReference</p></li>
+<li><p>krbPasswordExpiration</p></li>
+<li><p>krbPrincipalKey</p></li>
+<li><p>krbLastPwdChange</p></li>
+<li><p>krbExtraData</p></li>
+<li><p>krbLastSuccessfulAuth</p></li>
+<li><p>krbLastFailedAuth</p></li>
+<li><p>krbLoginFailedCount</p></li>
+<li><p>krbLastAdminUnlock</p></li>
+<li><p>krbPwdHistory</p></li>
+</ul>
+</section>
+</section>
+<section id="alias-principal-entries">
+<h2>Alias principal entries<a class="headerlink" href="#alias-principal-entries" title="Link to this heading">¶</a></h2>
+<p>To allow aliases to be represented in dump files and within the
+incremental update protocol, the krb5 database library supports the
+concept of an alias principal entry. An alias principal entry
+contains an alias target principal in its tag-length data, has its
+attributes set to disallow_all_tix, and has zero or empty values for
+all other fields. The database glue library recognizes alias entries
+and iteratively looks up the alias target up to a depth of 10 chained
+aliases. (Added in release 1.22.)</p>
+</section>
+<section id="db2-principal-and-policy-formats">
+<h2>DB2 principal and policy formats<a class="headerlink" href="#db2-principal-and-policy-formats" title="Link to this heading">¶</a></h2>
+<p>The DB2 KDB module uses the string form of a principal name, with zero
+terminator, as a lookup key for principal entries. Principal entry
+values use the following binary format with little-endian integer
+encoding:</p>
+<div class="highlight-bnf notranslate"><div class="highlight"><pre><span></span>db2-principal-entry <span class="o">::=</span>
+ len (16 bits) [always has the value 38]
+ attributes (32 bits)
+ max ticket lifetime (32 bits)
+ max renewable lifetime (32 bits)
+ principal expiration timestamp (32 bits)
+ password expiration timestamp (32 bits)
+ last successful authentication timestamp (32 bits)
+ last failed authentication timestamp (32 bits)
+ failed authentication counter (32 bits)
+ number of tag-length elements (16 bits)
+ number of key-data elements (16 bits)
+ length of string-form principal with zero terminator (16 bits)
+ string-form principal with zero terminator
+ tag-length entry 1 (tag-length-data)
+ tag-length entry 2 (tag-length-data)
+ ...
+ key-data entry 1 (key-data)
+ key-data entry 2 (key-data)
+ ...
+
+tag-length-data <span class="o">::=</span>
+ type tag (16 bits)
+ data length (16 bits)
+ data
+
+key-data <span class="o">::=</span>
+ salt indicator (16 bits) [1 for default salt, 2 otherwise]
+ key version (16 bits)
+ encryption type (16 bits)
+ encrypted key length (16 bits)
+ encrypted key
+ salt type (16 bits) [omitted if salt indicator is 1]
+ salt data length (16 bits) [omitted if salt indicator is 1]
+ salt data [omitted if salt indicator is 1]
+</pre></div>
+</div>
+<p>DB2 policy entries reside in a separate database file. The lookup key
+is the policy name with zero terminator. Policy entry values use a
+modified XDR encoding of the policy type defined as follows:</p>
+<div class="highlight-c notranslate"><div class="highlight"><pre><span></span><span class="k">struct</span><span class="w"> </span><span class="nc">tl_data</span><span class="w"> </span><span class="p">{</span>
+<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">type</span><span class="p">;</span>
+<span class="w"> </span><span class="n">opaque</span><span class="w"> </span><span class="n">data</span><span class="o">&lt;&gt;</span><span class="p">;</span>
+<span class="w"> </span><span class="n">tl_data</span><span class="w"> </span><span class="o">*</span><span class="n">next</span><span class="p">;</span>
+<span class="p">};</span>
+
+<span class="k">struct</span><span class="w"> </span><span class="nc">policy</span><span class="w"> </span><span class="p">{</span>
+<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">version_number</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">min_life</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">max_pw_life</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">min_length</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">min_classes</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">history_num</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">refcount</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">max_fail</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">failcount_interval</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">lockout_duration</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">attributes</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">max_ticket_life</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">max_renewable_life</span><span class="p">;</span>
+<span class="w"> </span><span class="n">nullstring</span><span class="w"> </span><span class="n">allowed_keysalts</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">n_tl_data</span><span class="p">;</span>
+<span class="w"> </span><span class="n">tl_data</span><span class="w"> </span><span class="o">*</span><span class="n">tag_length_data</span><span class="p">;</span>
+<span class="p">};</span>
+</pre></div>
+</div>
+<p>The type “nullstring” uses the same custom encoder as in the
+per-principal kadmin data.</p>
+<p>The field “version_number” contains 0x12345D01, 0x12345D02, or
+0x12345D03 for versions 1, 2, and 3 respectively. Versions 1 and 2
+omit the fields “attributes” through “tag_length_data”. Version 1
+also omits the fields “max_fail” through “lockout_duration”. Encoding
+uses the lowest version that can represent the policy entry.</p>
+<p>The field “refcount” is no longer used and its value is ignored.</p>
+</section>
+<section id="lmdb-principal-and-policy-formats">
+<h2>LMDB principal and policy formats<a class="headerlink" href="#lmdb-principal-and-policy-formats" title="Link to this heading">¶</a></h2>
+<p>In the LMDB KDB module, principal entries are stored in the
+“principal” database within the main LMDB environment (typically named
+“principal.mdb”), with the exception of lockout-related fields which
+are stored in the “lockout” table of the lockout LMDB environment
+(typically named “principal.lockout.mdb”). For both databases the key
+is the principal name in string form, with no zero terminator. Values
+in the “principal” database use the following binary format with
+little-endian integer encoding:</p>
+<div class="highlight-bnf notranslate"><div class="highlight"><pre><span></span>lmdb-principal-entry <span class="o">::=</span>
+ attributes (32 bits)
+ max ticket lifetime (32 bits)
+ max renewable lifetime (32 bits)
+ principal expiration timestamp (32 bits)
+ password expiration timestamp (32 bits)
+ number of tag-length elements (16 bits)
+ number of key-data elements (16 bits)
+ tag-length entry 1 (tag-length-data)
+ tag-length entry 2 (tag-length-data)
+ ...
+ key-data entry 1 (key-data)
+ key-data entry 2 (key-data)
+ ...
+
+tag-length-data <span class="o">::=</span>
+ type tag (16 bits)
+ data length (16 bits)
+ data value
+
+key-data <span class="o">::=</span>
+ salt indicator (16 bits) [1 for default salt, 2 otherwise]
+ key version (16 bits)
+ encryption type (16 bits)
+ encrypted key length (16 bits)
+ encrypted key
+ salt type (16 bits) [omitted if salt indicator is 1]
+ salt data length (16 bits) [omitted if salt indicator is 1]
+ salt data [omitted if salt indicator is 1]
+</pre></div>
+</div>
+<p>Values in the “lockout” database have the following binary format with
+little-endian integer encoding:</p>
+<div class="highlight-bnf notranslate"><div class="highlight"><pre><span></span>lmdb-lockout-entry <span class="o">::=</span>
+ last successful authentication timestamp (32 bits)
+ last failed authentication timestamp (32 bits)
+ failed authentication counter (32 bits)
+</pre></div>
+</div>
+<p>In the “policy” database, the lookup key is the policy name with no
+zero terminator. Values in this database use the following binary
+format with little-endian integer encoding:</p>
+<div class="highlight-bnf notranslate"><div class="highlight"><pre><span></span>lmdb-policy-entry <span class="o">::=</span>
+ minimum password lifetime (32 bits)
+ maximum password lifetime (32 bits)
+ minimum password length (32 bits)
+ minimum character classes (32 bits)
+ number of historical keys (32 bits)
+ maximum failed authentications before lockout (32 bits)
+ time interval to reset failed authentication counter (32 bits)
+ lockout duration (32 bits)
+ required principal attributes (32 bits) [currently unenforced]
+ maximum ticket lifetime (32 bits) [currently unenforced]
+ maximum renewable lifetime (32 bits) [currently unenforced]
+ allowed key/salt type specification length [32 bits]
+ allowed key/salt type specification
+ number of tag-length values (16 bits)
+ tag-length entry 1 (tag-length-data)
+ tag-length entry 2 (tag-length-data)
+ ...
+
+tag-length-data <span class="o">::=</span>
+ type tag (16 bits)
+ data length (16 bits)
+ data value
+</pre></div>
+</div>
+</section>
+</section>
+
+
+ <div class="clearer"></div>
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Kerberos Database (KDB) Formats</a><ul>
+<li><a class="reference internal" href="#dump-format">Dump format</a></li>
+<li><a class="reference internal" href="#tag-length-data-formats">Tag-length data formats</a><ul>
+<li><a class="reference internal" href="#per-principal-kadmin-data">Per-principal kadmin data</a></li>
+<li><a class="reference internal" href="#active-kvno-and-master-key-auxiliary-data">Active kvno and master key auxiliary data</a></li>
+<li><a class="reference internal" href="#ldap-object-information">LDAP object information</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#alias-principal-entries">Alias principal entries</a></li>
+<li><a class="reference internal" href="#db2-principal-and-policy-formats">DB2 principal and policy formats</a></li>
+<li><a class="reference internal" href="#lmdb-principal-and-policy-formats">LMDB principal and policy formats</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">Protocols and file formats</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="ccache_file_format.html">Credential cache file format</a></li>
+<li class="toctree-l2"><a class="reference internal" href="keytab_file_format.html">Keytab file format</a></li>
+<li class="toctree-l2"><a class="reference internal" href="rcache_file_format.html">Replay cache file format</a></li>
+<li class="toctree-l2"><a class="reference internal" href="cookie.html">KDC cookie format</a></li>
+<li class="toctree-l2"><a class="reference internal" href="freshness_token.html">PKINIT freshness tokens</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="#">Kerberos Database (KDB) Formats</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="freshness_token.html" title="PKINIT freshness tokens"
+ >previous</a> |
+ <a href="../mitK5features.html" title="MIT Kerberos features"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Kerberos Database (KDB) Formats">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
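Review bot: In the lmdb-policy-entry grammar the width of "allowed key/salt type specification length" is written as "[32 bits]" while every other field width in these grammars uses parentheses, and square brackets are otherwise reserved for annotations such as "[omitted if salt indicator is 1]" and "[currently unenforced]"; it should read "(32 bits)" so the width is not mistaken for a note. Because this file is Sphinx output, that fix belongs in the upstream RST source rather than in the generated HTML, and the "\ No newline at end of file" on the closing </html> is likewise a property of the generator and can be left alone. Two smaller points in the same hunk: the key-data grammars for both DB2 and LMDB say "encrypted key" without stating which key the bytes are encrypted under, which is worth spelling out next to the master key auxiliary data description for readers of the dump format; and the feedback mailto link embeds unencoded spaces in its subject parameter ("Documentation__Kerberos Database (KDB) Formats"), which browsers tolerate but which would be cleaner percent-encoded.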
diff --git a/crypto/krb5/doc/html/formats/freshness_token.html b/crypto/krb5/doc/html/formats/freshness_token.html
index dda48da4c2e9..2099077df29e 100644
--- a/crypto/krb5/doc/html/formats/freshness_token.html
+++ b/crypto/krb5/doc/html/formats/freshness_token.html
@@ -1,24 +1,22 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>PKINIT freshness tokens &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="copyright" title="Copyright" href="../copyright.html" />
- <link rel="next" title="MIT Kerberos features" href="../mitK5features.html" />
+ <link rel="next" title="Kerberos Database (KDB) Formats" href="database_formats.html" />
<link rel="prev" title="KDC cookie format" href="cookie.html" />
</head><body>
<div class="header-wrapper">
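Review bot: Confirm that the assets this hunk now references (../_static/sphinx_highlight.js?v=dc90522c, doctools.js?v=888ff710, documentation_options.js?v=236fef3b and the ?v= versioned stylesheets) are committed in the same change; the diffstat shown here is limited to crypto/krb5/doc/html/formats, so the corresponding _static update is not visible, and since jquery.js and underscore.js are removed from the page there is nothing left for the old scripts to fall back on if the new files are missing. The url root also moves from data-url_root on the script tag to data-content_root on <html>, which is what the newer doctools.js expects, so the HTML and the JavaScript have to be regenerated together rather than in separate commits.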
@@ -33,7 +31,7 @@
accesskey="C">Contents</a> |
<a href="cookie.html" title="KDC cookie format"
accesskey="P">previous</a> |
- <a href="../mitK5features.html" title="MIT Kerberos features"
+ <a href="database_formats.html" title="Kerberos Database (KDB) Formats"
accesskey="N">next</a> |
<a href="../genindex.html" title="General Index"
accesskey="I">index</a> |
@@ -53,8 +51,8 @@
<div class="body" role="main">
<section id="pkinit-freshness-tokens">
-<h1>PKINIT freshness tokens<a class="headerlink" href="#pkinit-freshness-tokens" title="Permalink to this headline">¶</a></h1>
-<p><span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc8070.html"><strong>RFC 8070</strong></a> specifies a pa-data type PA_AS_FRESHNESS, which clients
+<h1>PKINIT freshness tokens<a class="headerlink" href="#pkinit-freshness-tokens" title="Link to this heading">¶</a></h1>
+<p><span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc8070.html"><strong>RFC 8070</strong></a> specifies a pa-data type PA_AS_FRESHNESS, which clients
should reflect within signed PKINIT data to prove recent access to the
client certificate private key. The contents of a freshness token are
left to the KDC implementation. The MIT krb5 KDC uses the following
@@ -62,7 +60,7 @@ format for freshness tokens (starting in release 1.17):</p>
<ul class="simple">
<li><p>a four-byte big-endian POSIX timestamp</p></li>
<li><p>a four-byte big-endian key version number</p></li>
-<li><p>an <span class="target" id="index-1"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc3961.html"><strong>RFC 3961</strong></a> checksum, with no ASN.1 wrapper</p></li>
+<li><p>an <span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc3961.html"><strong>RFC 3961</strong></a> checksum, with no ASN.1 wrapper</p></li>
</ul>
<p>The checksum is computed using the first key in the local krbtgt
principal entry for the realm (e.g. <code class="docutils literal notranslate"><span class="pre">krbtgt/KRBTEST.COM&#64;KRBTEST.COM</span></code>
@@ -100,6 +98,7 @@ checksum is 514.</p>
<li class="toctree-l2"><a class="reference internal" href="rcache_file_format.html">Replay cache file format</a></li>
<li class="toctree-l2"><a class="reference internal" href="cookie.html">KDC cookie format</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">PKINIT freshness tokens</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database_formats.html">Kerberos Database (KDB) Formats</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
@@ -125,8 +124,8 @@ checksum is 514.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
@@ -134,7 +133,7 @@ checksum is 514.</p>
>Contents</a> |
<a href="cookie.html" title="KDC cookie format"
>previous</a> |
- <a href="../mitK5features.html" title="MIT Kerberos features"
+ <a href="database_formats.html" title="Kerberos Database (KDB) Formats"
>next</a> |
<a href="../genindex.html" title="General Index"
>index</a> |
diff --git a/crypto/krb5/doc/html/formats/index.html b/crypto/krb5/doc/html/formats/index.html
index ac18e3217ce6..ac41016ce786 100644
--- a/crypto/krb5/doc/html/formats/index.html
+++ b/crypto/krb5/doc/html/formats/index.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Protocols and file formats &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
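Review bot: The viewport meta element is now emitted twice on one line (once with initial-scale=1.0 and again with initial-scale=1); this is harmless, since browsers use the last one, but it is redundant markup that the theme template is producing on every page in this change, so if the documentation is regenerated again it would be worth deduplicating in the template rather than hand-editing the output. The removal of the Docutils generator meta and the switch to cache-busted asset URLs are otherwise consistent with the other pages in this commit.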
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="protocols-and-file-formats">
-<h1>Protocols and file formats<a class="headerlink" href="#protocols-and-file-formats" title="Permalink to this headline">¶</a></h1>
+<h1>Protocols and file formats<a class="headerlink" href="#protocols-and-file-formats" title="Link to this heading">¶</a></h1>
<div class="toctree-wrapper compound">
<ul>
<li class="toctree-l1"><a class="reference internal" href="ccache_file_format.html">Credential cache file format</a></li>
@@ -61,6 +59,7 @@
<li class="toctree-l1"><a class="reference internal" href="rcache_file_format.html">Replay cache file format</a></li>
<li class="toctree-l1"><a class="reference internal" href="cookie.html">KDC cookie format</a></li>
<li class="toctree-l1"><a class="reference internal" href="freshness_token.html">PKINIT freshness tokens</a></li>
+<li class="toctree-l1"><a class="reference internal" href="database_formats.html">Kerberos Database (KDB) Formats</a></li>
</ul>
</div>
</section>
@@ -93,6 +92,7 @@
<li class="toctree-l2"><a class="reference internal" href="rcache_file_format.html">Replay cache file format</a></li>
<li class="toctree-l2"><a class="reference internal" href="cookie.html">KDC cookie format</a></li>
<li class="toctree-l2"><a class="reference internal" href="freshness_token.html">PKINIT freshness tokens</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database_formats.html">Kerberos Database (KDB) Formats</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
@@ -118,8 +118,8 @@
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
diff --git a/crypto/krb5/doc/html/formats/keytab_file_format.html b/crypto/krb5/doc/html/formats/keytab_file_format.html
index 69572421641b..7c74e1a1ac0e 100644
--- a/crypto/krb5/doc/html/formats/keytab_file_format.html
+++ b/crypto/krb5/doc/html/formats/keytab_file_format.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Keytab file format &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="keytab-file-format">
-<span id="id1"></span><h1>Keytab file format<a class="headerlink" href="#keytab-file-format" title="Permalink to this headline">¶</a></h1>
+<span id="id1"></span><h1>Keytab file format<a class="headerlink" href="#keytab-file-format" title="Link to this heading">¶</a></h1>
<p>There are two versions of the file format used by the FILE keytab
type. The first byte of the file always has the value 5, and the
value of the second byte contains the version number (1 or 2).
@@ -66,7 +64,7 @@ to or less than the record length. A negative length indicates a
zero-filled hole whose size is the inverse of the length. A length of
0 indicates the end of the file.</p>
<section id="key-entry-format">
-<h2>Key entry format<a class="headerlink" href="#key-entry-format" title="Permalink to this headline">¶</a></h2>
+<h2>Key entry format<a class="headerlink" href="#key-entry-format" title="Link to this heading">¶</a></h2>
<p>A key entry may be smaller in size than the record length which
precedes it, because it may have replaced a hole which is larger than
the key entry. Key entries use the following informal grammar:</p>
@@ -130,6 +128,7 @@ value of the 32-bit integer contained in those bytes is non-zero.</p>
<li class="toctree-l2"><a class="reference internal" href="rcache_file_format.html">Replay cache file format</a></li>
<li class="toctree-l2"><a class="reference internal" href="cookie.html">KDC cookie format</a></li>
<li class="toctree-l2"><a class="reference internal" href="freshness_token.html">PKINIT freshness tokens</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database_formats.html">Kerberos Database (KDB) Formats</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
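Review bot: the new toctree entry `Kerberos Database (KDB) Formats` is in title case while its siblings on the surrounding context lines (`Replay cache file format`, `KDC cookie format`, `PKINIT freshness tokens`) use sentence case; consider retitling the source page to `Kerberos database (KDB) formats` so the generated sidebar stays consistent across the formats section.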
@@ -155,8 +154,8 @@ value of the 32-bit integer contained in those bytes is non-zero.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">
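Review bot: the footer now renders `Release: 1.22-final` where the previous build rendered a plain `Release: 1.21.3`; if `-final` is a packaging tag rather than the documented version string, the build's release variable should be set to `1.22` so the rendered docs follow the earlier convention and match the version users will see from `krb5-config --version`.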
diff --git a/crypto/krb5/doc/html/formats/rcache_file_format.html b/crypto/krb5/doc/html/formats/rcache_file_format.html
index bacb4db800c3..85ffdae3b8fc 100644
--- a/crypto/krb5/doc/html/formats/rcache_file_format.html
+++ b/crypto/krb5/doc/html/formats/rcache_file_format.html
@@ -1,19 +1,17 @@
-
<!DOCTYPE html>
-<html>
+<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Replay cache file format &#8212; MIT Kerberos Documentation</title>
- <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
- <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
- <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
- <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
- <script src="../_static/jquery.js"></script>
- <script src="../_static/underscore.js"></script>
- <script src="../_static/doctools.js"></script>
+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
+ <script src="../_static/documentation_options.js?v=236fef3b"></script>
+ <script src="../_static/doctools.js?v=888ff710"></script>
+ <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
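Review bot: the `+` line that replaces the Docutils generator meta now carries two viewport declarations in one line, `<meta name="viewport" content="width=device-width, initial-scale=1.0" />` immediately followed by `<meta name="viewport" content="width=device-width, initial-scale=1" />`; the first comes from the theme layout and the second from Sphinx's basic template, so the theme's copy should be removed from the layout override rather than left to duplicate in every generated page. As with the keytab page, `jquery.js` and `underscore.js` are dropped here, so the same check that no theme script depends on them applies.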
@@ -53,7 +51,7 @@
<div class="body" role="main">
<section id="replay-cache-file-format">
-<h1>Replay cache file format<a class="headerlink" href="#replay-cache-file-format" title="Permalink to this headline">¶</a></h1>
+<h1>Replay cache file format<a class="headerlink" href="#replay-cache-file-format" title="Link to this heading">¶</a></h1>
<p>This section documents the second version of the replay cache file
format, used by the “file2” replay cache type (new in release 1.18).
The first version of the file replay cache format is not documented.</p>
@@ -62,7 +60,7 @@ POSIX or Windows file lock, obtained when the file is opened and
released when it is closed. Replay cache files are automatically
created when first accessed.</p>
<p>For each store operation, a tag is derived from the checksum part of
-the <span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc3961.html"><strong>RFC 3961</strong></a> ciphertext of the authenticator. The checksum is
+the <span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc3961.html"><strong>RFC 3961</strong></a> ciphertext of the authenticator. The checksum is
coerced to a fixed length of 12 bytes, either through truncation or
right-padding with zero bytes. A four-byte timestamp is appended to
the tag to produce a total record length of 16 bytes.</p>
@@ -124,6 +122,7 @@ new entry is written to the earliest candidate available for writing.</p>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Replay cache file format</a></li>
<li class="toctree-l2"><a class="reference internal" href="cookie.html">KDC cookie format</a></li>
<li class="toctree-l2"><a class="reference internal" href="freshness_token.html">PKINIT freshness tokens</a></li>
+<li class="toctree-l2"><a class="reference internal" href="database_formats.html">Kerberos Database (KDB) Formats</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
@@ -149,8 +148,8 @@ new entry is written to the earliest candidate available for writing.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.21.3</i><br />
- &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
+ <div class="right" ><i>Release: 1.22-final</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
</div>
<div class="left">