path: root/crypto/krb5/doc/pdf/basic.tex
Diffstat (limited to 'crypto/krb5/doc/pdf/basic.tex')
-rw-r--r-- crypto/krb5/doc/pdf/basic.tex 918
1 files changed, 0 insertions, 918 deletions
diff --git a/crypto/krb5/doc/pdf/basic.tex b/crypto/krb5/doc/pdf/basic.tex
deleted file mode 100644
index 898bc40f3c1d..000000000000
--- a/crypto/krb5/doc/pdf/basic.tex
+++ /dev/null
@@ -1,918 +0,0 @@
-%% Generated by Sphinx.
-\def\sphinxdocclass{report}
-\documentclass[letterpaper,10pt,english]{sphinxmanual}
-\ifdefined\pdfpxdimen
- \let\sphinxpxdimen\pdfpxdimen\else\newdimen\sphinxpxdimen
-\fi \sphinxpxdimen=.75bp\relax
-\ifdefined\pdfimageresolution
- \pdfimageresolution= \numexpr \dimexpr1in\relax/\sphinxpxdimen\relax
-\fi
-%% let collapsible pdf bookmarks panel have high depth per default
-\PassOptionsToPackage{bookmarksdepth=5}{hyperref}
-
-\PassOptionsToPackage{warn}{textcomp}
-\usepackage[utf8]{inputenc}
-\ifdefined\DeclareUnicodeCharacter
-% support both utf8 and utf8x syntaxes
- \ifdefined\DeclareUnicodeCharacterAsOptional
- \def\sphinxDUC#1{\DeclareUnicodeCharacter{"#1}}
- \else
- \let\sphinxDUC\DeclareUnicodeCharacter
- \fi
- \sphinxDUC{00A0}{\nobreakspace}
- \sphinxDUC{2500}{\sphinxunichar{2500}}
- \sphinxDUC{2502}{\sphinxunichar{2502}}
- \sphinxDUC{2514}{\sphinxunichar{2514}}
- \sphinxDUC{251C}{\sphinxunichar{251C}}
- \sphinxDUC{2572}{\textbackslash}
-\fi
-\usepackage{cmap}
-\usepackage[T1]{fontenc}
-\usepackage{amsmath,amssymb,amstext}
-\usepackage{babel}
-
-
-
-\usepackage{tgtermes}
-\usepackage{tgheros}
-\renewcommand{\ttdefault}{txtt}
-
-
-
-\usepackage[Bjarne]{fncychap}
-\usepackage{sphinx}
-
-\fvset{fontsize=auto}
-\usepackage{geometry}
-
-
-% Include hyperref last.
-\usepackage{hyperref}
-% Fix anchor placement for figures with captions.
-\usepackage{hypcap}% it must be loaded after hyperref.
-% Set up styles of URL: it should be placed after hyperref.
-\urlstyle{same}
-
-
-\usepackage{sphinxmessages}
-\setcounter{tocdepth}{0}
-
-
-
-\title{Kerberos Concepts}
-\date{ }
-\release{1.21.3}
-\author{MIT}
-\newcommand{\sphinxlogo}{\vbox{}}
-\renewcommand{\releasename}{Release}
-\makeindex
-\begin{document}
-
-\pagestyle{empty}
-\sphinxmaketitle
-\pagestyle{plain}
-\sphinxtableofcontents
-\pagestyle{normal}
-\phantomsection\label{\detokenize{basic/index::doc}}
-
-
-
-\chapter{Credential cache}
-\label{\detokenize{basic/ccache_def:credential-cache}}\label{\detokenize{basic/ccache_def:ccache-definition}}\label{\detokenize{basic/ccache_def::doc}}
-\sphinxAtStartPar
-A credential cache (or “ccache”) holds Kerberos credentials while they
-remain valid and, generally, while the user’s session lasts, so that
-authenticating to a service multiple times (e.g., connecting to a web
-or mail server more than once) doesn’t require contacting the KDC
-every time.
-
-\sphinxAtStartPar
-A credential cache usually contains one initial ticket which is
-obtained using a password or another form of identity verification.
-If this ticket is a ticket\sphinxhyphen{}granting ticket, it can be used to obtain
-additional credentials without the password. Because the credential
-cache does not store the password, less long\sphinxhyphen{}term damage can be done
-to the user’s account if the machine is compromised.
-
-\sphinxAtStartPar
-A credentials cache stores a default client principal name, set when
-the cache is created. This is the name shown at the top of the
-\DUrole{xref,std,std-ref}{klist(1)} \sphinxstyleemphasis{\sphinxhyphen{}A} output.
-
-\sphinxAtStartPar
-Each normal cache entry includes a service principal name, a client
-principal name (which, in some ccache types, need not be the same as
-the default), lifetime information, and flags, along with the
-credential itself. There are also other entries, indicated by special
-names, that store additional information.
-
-
-\section{ccache types}
-\label{\detokenize{basic/ccache_def:ccache-types}}
-\sphinxAtStartPar
-The credential cache interface, like the {\hyperref[\detokenize{basic/keytab_def:keytab-definition}]{\sphinxcrossref{\DUrole{std,std-ref}{keytab}}}} and
-{\hyperref[\detokenize{basic/rcache_def:rcache-definition}]{\sphinxcrossref{\DUrole{std,std-ref}{replay cache}}}} interfaces, uses \sphinxtitleref{TYPE:value} strings to
-indicate the type of credential cache and any associated cache naming
-data to use.
-
-\sphinxAtStartPar
-There are several kinds of credentials cache supported in the MIT
-Kerberos library. Not all are supported on every platform. In most
-cases, it should be correct to use the default type built into the
-library.
-\begin{enumerate}
-\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
-\item {}
-\sphinxAtStartPar
-\sphinxstylestrong{API} is only implemented on Windows. It communicates with a
-server process that holds the credentials in memory for the user,
-rather than writing them to disk.
-
-\item {}
-\sphinxAtStartPar
-\sphinxstylestrong{DIR} points to the storage location of the collection of the
-credential caches in \sphinxstyleemphasis{FILE:} format. It is most useful when dealing
-with multiple Kerberos realms and KDCs. For release 1.10 the
-directory must already exist. In post\sphinxhyphen{}1.10 releases the
-requirement is for parent directory to exist and the current
-process must have permissions to create the directory if it does
-not exist. See {\hyperref[\detokenize{basic/ccache_def:col-ccache}]{\sphinxcrossref{\DUrole{std,std-ref}{Collections of caches}}}} for details. New in release 1.10.
-The following residual forms are supported:
-\begin{itemize}
-\item {}
-\sphinxAtStartPar
-DIR:dirname
-
-\item {}
-\sphinxAtStartPar
-DIR::dirpath/filename \sphinxhyphen{} a single cache within the directory
-
-\end{itemize}
-
-\sphinxAtStartPar
-Switching to a ccache of the latter type causes it to become the
-primary for the directory.
-
-\item {}
-\sphinxAtStartPar
-\sphinxstylestrong{FILE} caches are the simplest and most portable. A simple flat
-file format is used to store one credential after another. This is
-the default ccache type if no type is specified in a ccache name.
-
-\item {}
-\sphinxAtStartPar
-\sphinxstylestrong{KCM} caches work by contacting a daemon process called \sphinxcode{\sphinxupquote{kcm}}
-to perform cache operations. If the cache name is just \sphinxcode{\sphinxupquote{KCM:}},
-the default cache as determined by the KCM daemon will be used.
-Newly created caches must generally be named \sphinxcode{\sphinxupquote{KCM:uid:name}},
-where \sphinxstyleemphasis{uid} is the effective user ID of the running process.
-
-\sphinxAtStartPar
-KCM client support is new in release 1.13. A KCM daemon has not
-yet been implemented in MIT krb5, but the client will interoperate
-with the KCM daemon implemented by Heimdal. macOS 10.7 and higher
-provides a KCM daemon as part of the operating system, and the
-\sphinxstylestrong{KCM} cache type is used as the default cache on that platform in
-a default build.
-
-\item {}
-\sphinxAtStartPar
-\sphinxstylestrong{KEYRING} is Linux\sphinxhyphen{}specific, and uses the kernel keyring support
-to store credential data in unswappable kernel memory where only
-the current user should be able to access it. The following
-residual forms are supported:
-\begin{itemize}
-\item {}
-\sphinxAtStartPar
-KEYRING:name
-
-\item {}
-\sphinxAtStartPar
-KEYRING:process:name \sphinxhyphen{} process keyring
-
-\item {}
-\sphinxAtStartPar
-KEYRING:thread:name \sphinxhyphen{} thread keyring
-
-\end{itemize}
-
-\sphinxAtStartPar
-Starting with release 1.12 the \sphinxstyleemphasis{KEYRING} type supports collections.
-The following new residual forms were added:
-\begin{itemize}
-\item {}
-\sphinxAtStartPar
-KEYRING:session:name \sphinxhyphen{} session keyring
-
-\item {}
-\sphinxAtStartPar
-KEYRING:user:name \sphinxhyphen{} user keyring
-
-\item {}
-\sphinxAtStartPar
-KEYRING:persistent:uidnumber \sphinxhyphen{} persistent per\sphinxhyphen{}UID collection.
-Unlike the user keyring, this collection survives after the user
-logs out, until the cache credentials expire. This type of
-ccache requires support from the kernel; otherwise, it will fall
-back to the user keyring.
-
-\end{itemize}
-
-\sphinxAtStartPar
-See {\hyperref[\detokenize{basic/ccache_def:col-ccache}]{\sphinxcrossref{\DUrole{std,std-ref}{Collections of caches}}}} for details.
-
-\item {}
-\sphinxAtStartPar
-\sphinxstylestrong{MEMORY} caches are for storage of credentials that don’t need to
-be made available outside of the current process. For example, a
-memory ccache is used by \DUrole{xref,std,std-ref}{kadmin(1)} to store the
-administrative ticket used to contact the admin server. Memory
-ccaches are faster than file ccaches and are automatically
-destroyed when the process exits.
-
-\item {}
-\sphinxAtStartPar
-\sphinxstylestrong{MSLSA} is a Windows\sphinxhyphen{}specific cache type that accesses the
-Windows credential store.
-
-\end{enumerate}
-
-
-\section{Collections of caches}
-\label{\detokenize{basic/ccache_def:collections-of-caches}}\label{\detokenize{basic/ccache_def:col-ccache}}
-\sphinxAtStartPar
-Some credential cache types can support collections of multiple
-caches. One of the caches in the collection is designated as the
-\sphinxstyleemphasis{primary} and will be used when the collection is resolved as a cache.
-When a collection\sphinxhyphen{}enabled cache type is the default cache for a
-process, applications can search the specified collection for a
-specific client principal, and GSSAPI applications will automatically
-select between the caches in the collection based on criteria such as
-the target service realm.
-
-\sphinxAtStartPar
-Credential cache collections are new in release 1.10, with support
-from the \sphinxstylestrong{DIR} and \sphinxstylestrong{API} ccache types. Starting in release 1.12,
-collections are also supported by the \sphinxstylestrong{KEYRING} ccache type.
-Collections are supported by the \sphinxstylestrong{KCM} ccache type in release 1.13.
-
-
-\subsection{Tool alterations to use cache collection}
-\label{\detokenize{basic/ccache_def:tool-alterations-to-use-cache-collection}}\begin{itemize}
-\item {}
-\sphinxAtStartPar
-\DUrole{xref,std,std-ref}{kdestroy(1)} \sphinxstyleemphasis{\sphinxhyphen{}A} will destroy all caches in the collection.
-
-\item {}
-\sphinxAtStartPar
-If the default cache type supports switching, \DUrole{xref,std,std-ref}{kinit(1)}
-\sphinxstyleemphasis{princname} will search the collection for a matching cache and
-store credentials there, or will store credentials in a new unique
-cache of the default type if no existing cache for the principal
-exists. Either way, kinit will switch to the selected cache.
-
-\item {}
-\sphinxAtStartPar
-\DUrole{xref,std,std-ref}{klist(1)} \sphinxstyleemphasis{\sphinxhyphen{}l} will list the caches in the collection.
-
-\item {}
-\sphinxAtStartPar
-\DUrole{xref,std,std-ref}{klist(1)} \sphinxstyleemphasis{\sphinxhyphen{}A} will show the content of all caches in the
-collection.
-
-\item {}
-\sphinxAtStartPar
-\DUrole{xref,std,std-ref}{kswitch(1)} \sphinxstyleemphasis{\sphinxhyphen{}p princname} will search the collection for a
-matching cache and switch to it.
-
-\item {}
-\sphinxAtStartPar
-\DUrole{xref,std,std-ref}{kswitch(1)} \sphinxstyleemphasis{\sphinxhyphen{}c cachename} will switch to a specified cache.
-
-\end{itemize}
-
-
-\section{Default ccache name}
-\label{\detokenize{basic/ccache_def:default-ccache-name}}
-\sphinxAtStartPar
-The default credential cache name is determined by the following, in
-descending order of priority:
-\begin{enumerate}
-\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
-\item {}
-\sphinxAtStartPar
-The \sphinxstylestrong{KRB5CCNAME} environment variable. For example,
-\sphinxcode{\sphinxupquote{KRB5CCNAME=DIR:/mydir/}}.
-
-\item {}
-\sphinxAtStartPar
-The \sphinxstylestrong{default\_ccache\_name} profile variable in \DUrole{xref,std,std-ref}{libdefaults}.
-
-\item {}
-\sphinxAtStartPar
-The hardcoded default, \DUrole{xref,std,std-ref}{DEFCCNAME}.
-
-\end{enumerate}
-
-
-\chapter{keytab}
-\label{\detokenize{basic/keytab_def:keytab}}\label{\detokenize{basic/keytab_def:keytab-definition}}\label{\detokenize{basic/keytab_def::doc}}
-\sphinxAtStartPar
-A keytab (short for “key table”) stores long\sphinxhyphen{}term keys for one or more
-principals. Keytabs are normally represented by files in a standard
-format, although in rare cases they can be represented in other ways.
-Keytabs are used most often to allow server applications to accept
-authentications from clients, but can also be used to obtain initial
-credentials for client applications.
-
-\sphinxAtStartPar
-Keytabs are named using the format \sphinxstyleemphasis{type}\sphinxcode{\sphinxupquote{:}}\sphinxstyleemphasis{value}. Usually
-\sphinxstyleemphasis{type} is \sphinxcode{\sphinxupquote{FILE}} and \sphinxstyleemphasis{value} is the absolute pathname of the file.
-The other possible value for \sphinxstyleemphasis{type} is \sphinxcode{\sphinxupquote{MEMORY}}, which indicates a
-temporary keytab stored in the memory of the current process.
-
-\sphinxAtStartPar
-A keytab contains one or more entries, where each entry consists of a
-timestamp (indicating when the entry was written to the keytab), a
-principal name, a key version number, an encryption type, and the
-encryption key itself.
-
-\sphinxAtStartPar
-A keytab can be displayed using the \DUrole{xref,std,std-ref}{klist(1)} command with the
-\sphinxcode{\sphinxupquote{\sphinxhyphen{}k}} option. Keytabs can be created or appended to by extracting
-keys from the KDC database using the \DUrole{xref,std,std-ref}{kadmin(1)} \DUrole{xref,std,std-ref}{ktadd}
-command. Keytabs can be manipulated using the \DUrole{xref,std,std-ref}{ktutil(1)} and
-\DUrole{xref,std,std-ref}{k5srvutil(1)} commands.
-
-
-\section{Default keytab}
-\label{\detokenize{basic/keytab_def:default-keytab}}
-\sphinxAtStartPar
-The default keytab is used by server applications if the application
-does not request a specific keytab. The name of the default keytab is
-determined by the following, in decreasing order of preference:
-\begin{enumerate}
-\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
-\item {}
-\sphinxAtStartPar
-The \sphinxstylestrong{KRB5\_KTNAME} environment variable.
-
-\item {}
-\sphinxAtStartPar
-The \sphinxstylestrong{default\_keytab\_name} profile variable in \DUrole{xref,std,std-ref}{libdefaults}.
-
-\item {}
-\sphinxAtStartPar
-The hardcoded default, \DUrole{xref,std,std-ref}{DEFKTNAME}.
-
-\end{enumerate}
-
-
-\section{Default client keytab}
-\label{\detokenize{basic/keytab_def:default-client-keytab}}
-\sphinxAtStartPar
-The default client keytab is used, if it is present and readable, to
-automatically obtain initial credentials for GSSAPI client
-applications. The principal name of the first entry in the client
-keytab is used by default when obtaining initial credentials. The
-name of the default client keytab is determined by the following, in
-decreasing order of preference:
-\begin{enumerate}
-\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
-\item {}
-\sphinxAtStartPar
-The \sphinxstylestrong{KRB5\_CLIENT\_KTNAME} environment variable.
-
-\item {}
-\sphinxAtStartPar
-The \sphinxstylestrong{default\_client\_keytab\_name} profile variable in
-\DUrole{xref,std,std-ref}{libdefaults}.
-
-\item {}
-\sphinxAtStartPar
-The hardcoded default, \DUrole{xref,std,std-ref}{DEFCKTNAME}.
-
-\end{enumerate}
-
-
-\chapter{replay cache}
-\label{\detokenize{basic/rcache_def:replay-cache}}\label{\detokenize{basic/rcache_def:rcache-definition}}\label{\detokenize{basic/rcache_def::doc}}
-\sphinxAtStartPar
-A replay cache (or “rcache”) keeps track of all authenticators
-recently presented to a service. If a duplicate authentication
-request is detected in the replay cache, an error message is sent to
-the application program.
-
-\sphinxAtStartPar
-The replay cache interface, like the credential cache and
-{\hyperref[\detokenize{basic/keytab_def:keytab-definition}]{\sphinxcrossref{\DUrole{std,std-ref}{keytab}}}} interfaces, uses \sphinxtitleref{type:residual} strings to
-indicate the type of replay cache and any associated cache naming
-data to use.
-
-
-\section{Background information}
-\label{\detokenize{basic/rcache_def:background-information}}
-\sphinxAtStartPar
-Some Kerberos or GSSAPI services use a simple authentication mechanism
-where a message is sent containing an authenticator, which establishes
-the encryption key that the client will use for talking to the
-service. But nothing about that prevents an eavesdropper from
-recording the messages sent by the client, establishing a new
-connection, and re\sphinxhyphen{}sending or “replaying” the same messages; the
-replayed authenticator will establish the same encryption key for the
-new session, and the following messages will be decrypted and
-processed. The attacker may not know what the messages say, and can’t
-generate new messages under the same encryption key, but in some
-instances it may be harmful to the user (or helpful to the attacker)
-to cause the server to see the same messages again a second time. For
-example, if the legitimate client sends “delete first message in
-mailbox”, a replay from an attacker may delete another, different
-“first” message. (Protocol design to guard against such problems has
-been discussed in \index{RFC@\spxentry{RFC}!RFC 4120\#section\sphinxhyphen{}10@\spxentry{RFC 4120\#section\sphinxhyphen{}10}}\sphinxhref{https://tools.ietf.org/html/rfc4120.html\#section-10}{\sphinxstylestrong{RFC 4120\#section\sphinxhyphen{}10}}.)
-
-\sphinxAtStartPar
-Even if one protocol uses further protection to verify that the client
-side of the connection actually knows the encryption keys (and thus is
-presumably a legitimate user), if another service uses the same
-service principal name, it may be possible to record an authenticator
-used with the first protocol and “replay” it against the second.
-
-\sphinxAtStartPar
-The replay cache mitigates these attacks somewhat, by keeping track of
-authenticators that have been seen until their five\sphinxhyphen{}minute window
-expires. Different authenticators generated by multiple connections
-from the same legitimate client will generally have different
-timestamps, and thus will not be considered the same.
-
-\sphinxAtStartPar
-This mechanism isn’t perfect. If a message is sent to one application
-server but a man\sphinxhyphen{}in\sphinxhyphen{}the\sphinxhyphen{}middle attacker can prevent it from actually
-arriving at that server, the attacker could then use the authenticator
-(once!) against a different service on the same host. This could be a
-problem if the message from the client included something more than
-authentication in the first message that could be useful to the
-attacker (which is uncommon; in most protocols the server has to
-indicate a successful authentication before the client sends
-additional messages), or if the simple act of presenting the
-authenticator triggers some interesting action in the service being
-attacked.
-
-
-\section{Replay cache types}
-\label{\detokenize{basic/rcache_def:replay-cache-types}}
-\sphinxAtStartPar
-Unlike the credential cache and keytab interfaces, replay cache types
-are in lowercase. The following types are defined:
-\begin{enumerate}
-\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
-\item {}
-\sphinxAtStartPar
-\sphinxstylestrong{none} disables the replay cache. The residual value is ignored.
-
-\item {}
-\sphinxAtStartPar
-\sphinxstylestrong{file2} (new in release 1.18) uses a hash\sphinxhyphen{}based format to store
-replay records. The file may grow to accommodate hash collisions.
-The residual value is the filename.
-
-\item {}
-\sphinxAtStartPar
-\sphinxstylestrong{dfl} is the default type if no environment variable or
-configuration specifies a different type. It stores replay data in
-a file2 replay cache with a filename based on the effective uid.
-The residual value is ignored.
-
-\end{enumerate}
-
-\sphinxAtStartPar
-For the dfl type, the location of the replay cache file is determined
-as follows:
-\begin{enumerate}
-\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
-\item {}
-\sphinxAtStartPar
-The directory is taken from the \sphinxstylestrong{KRB5RCACHEDIR} environment
-variable, or the \sphinxstylestrong{TMPDIR} environment variable, or a temporary
-directory determined at configuration time such as \sphinxcode{\sphinxupquote{/var/tmp}}, in
-descending order of preference.
-
-\item {}
-\sphinxAtStartPar
-The filename is \sphinxcode{\sphinxupquote{krb5\_EUID.rcache2}} where EUID is the effective
-uid of the process.
-
-\item {}
-\sphinxAtStartPar
-The file is opened without following symbolic links, and ownership
-of the file is verified to match the effective uid.
-
-\end{enumerate}
-
-\sphinxAtStartPar
-On Windows, the directory for the dfl type is the local appdata
-directory, unless overridden by the \sphinxstylestrong{KRB5RCACHEDIR} environment
-variable. The filename on Windows is \sphinxcode{\sphinxupquote{krb5.rcache2}}, and the file
-is opened normally.
-
-
-\section{Default replay cache name}
-\label{\detokenize{basic/rcache_def:default-replay-cache-name}}
-\sphinxAtStartPar
-The default replay cache name is determined by the following, in
-descending order of priority:
-\begin{enumerate}
-\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
-\item {}
-\sphinxAtStartPar
-The \sphinxstylestrong{KRB5RCACHENAME} environment variable (new in release 1.18).
-
-\item {}
-\sphinxAtStartPar
-The \sphinxstylestrong{KRB5RCACHETYPE} environment variable. If this variable is
-set, the residual value is empty.
-
-\item {}
-\sphinxAtStartPar
-The \sphinxstylestrong{default\_rcache\_name} profile variable in \DUrole{xref,std,std-ref}{libdefaults}
-(new in release 1.18).
-
-\item {}
-\sphinxAtStartPar
-If none of the above are set, the default replay cache name is
-\sphinxcode{\sphinxupquote{dfl:}}.
-
-\end{enumerate}
-
-
-\chapter{stash file}
-\label{\detokenize{basic/stash_file_def:stash-file}}\label{\detokenize{basic/stash_file_def:stash-definition}}\label{\detokenize{basic/stash_file_def::doc}}
-\sphinxAtStartPar
-The stash file is a local copy of the master key that resides in
-encrypted form on the KDC’s local disk. The stash file is used to
-authenticate the KDC to itself automatically before starting the
-\DUrole{xref,std,std-ref}{kadmind(8)} and \DUrole{xref,std,std-ref}{krb5kdc(8)} daemons (e.g., as part of the
-machine’s boot sequence). The stash file, like the keytab file (see
-\DUrole{xref,std,std-ref}{keytab\_file}) is a potential point\sphinxhyphen{}of\sphinxhyphen{}entry for a break\sphinxhyphen{}in, and
-if compromised, would allow unrestricted access to the Kerberos
-database. If you choose to install a stash file, it should be
-readable only by root, and should exist only on the KDC’s local disk.
-The file should not be part of any backup of the machine, unless
-access to the backup data is secured as tightly as access to the
-master password itself.
-
-\begin{sphinxadmonition}{note}{Note:}
-\sphinxAtStartPar
-If you choose not to install a stash file, the KDC will prompt you for the master key each time it starts up.
-This means that the KDC will not be able to start automatically, such as after a system reboot.
-\end{sphinxadmonition}
-
-
-\chapter{Supported date and time formats}
-\label{\detokenize{basic/date_format:supported-date-and-time-formats}}\label{\detokenize{basic/date_format:datetime}}\label{\detokenize{basic/date_format::doc}}
-
-\section{Time duration}
-\label{\detokenize{basic/date_format:time-duration}}\label{\detokenize{basic/date_format:duration}}
-\sphinxAtStartPar
-This format is used to express a time duration in the Kerberos
-configuration files and user commands. The allowed formats are:
-\begin{quote}
-
-
-\begin{savenotes}\sphinxattablestart
-\centering
-\begin{tabulary}{\linewidth}[t]{|T|T|T|}
-\hline
-
-\sphinxAtStartPar
-Format
-&
-\sphinxAtStartPar
-Example
-&
-\sphinxAtStartPar
-Value
-\\
-\hline
-\sphinxAtStartPar
-h:m{[}:s{]}
-&
-\sphinxAtStartPar
-36:00
-&
-\sphinxAtStartPar
-36 hours
-\\
-\hline
-\sphinxAtStartPar
-NdNhNmNs
-&
-\sphinxAtStartPar
-8h30s
-&
-\sphinxAtStartPar
-8 hours 30 seconds
-\\
-\hline
-\sphinxAtStartPar
-N (number of seconds)
-&
-\sphinxAtStartPar
-3600
-&
-\sphinxAtStartPar
-1 hour
-\\
-\hline
-\end{tabulary}
-\par
-\sphinxattableend\end{savenotes}
-\end{quote}
-
-\sphinxAtStartPar
-Here \sphinxstyleemphasis{N} denotes a number, \sphinxstyleemphasis{d} \sphinxhyphen{} days, \sphinxstyleemphasis{h} \sphinxhyphen{} hours, \sphinxstyleemphasis{m} \sphinxhyphen{} minutes,
-\sphinxstyleemphasis{s} \sphinxhyphen{} seconds.
-
-\begin{sphinxadmonition}{note}{Note:}
-\sphinxAtStartPar
-The time interval should not exceed 2147483647 seconds.
-\end{sphinxadmonition}
-
-\sphinxAtStartPar
-Examples:
-
-\begin{sphinxVerbatim}[commandchars=\\\{\}]
-\PYG{n}{Request} \PYG{n}{a} \PYG{n}{ticket} \PYG{n}{valid} \PYG{k}{for} \PYG{n}{one} \PYG{n}{hour}\PYG{p}{,} \PYG{n}{five} \PYG{n}{hours}\PYG{p}{,} \PYG{l+m+mi}{30} \PYG{n}{minutes}
-\PYG{o+ow}{and} \PYG{l+m+mi}{10} \PYG{n}{days} \PYG{n}{respectively}\PYG{p}{:}
-
- \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+m+mi}{3600}
- \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+m+mi}{5}\PYG{p}{:}\PYG{l+m+mi}{00}
- \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+m+mi}{30}\PYG{n}{m}
- \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{10d 0h 0m 0s}\PYG{l+s+s2}{\PYGZdq{}}
-\end{sphinxVerbatim}
-
-
-\section{getdate time}
-\label{\detokenize{basic/date_format:getdate-time}}\label{\detokenize{basic/date_format:getdate}}
-\sphinxAtStartPar
-Some of the kadmin and kdb5\_util commands take a date\sphinxhyphen{}time in a
-human\sphinxhyphen{}readable format. Some of the acceptable date\sphinxhyphen{}time
-strings are:
-\begin{quote}
-
-
-\begin{savenotes}\sphinxattablestart
-\centering
-\begin{tabulary}{\linewidth}[t]{|T|T|T|}
-\hline
-\sphinxstyletheadfamily &\sphinxstyletheadfamily
-\sphinxAtStartPar
-Format
-&\sphinxstyletheadfamily
-\sphinxAtStartPar
-Example
-\\
-\hline\sphinxmultirow{3}{4}{%
-\begin{varwidth}[t]{\sphinxcolwidth{1}{3}}
-\sphinxAtStartPar
-Date
-\par
-\vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}%
-}%
-&
-\sphinxAtStartPar
-mm/dd/yy
-&
-\sphinxAtStartPar
-07/27/12
-\\
-\cline{2-3}\sphinxtablestrut{4}&
-\sphinxAtStartPar
-month dd, yyyy
-&
-\sphinxAtStartPar
-Jul 27, 2012
-\\
-\cline{2-3}\sphinxtablestrut{4}&
-\sphinxAtStartPar
-yyyy\sphinxhyphen{}mm\sphinxhyphen{}dd
-&
-\sphinxAtStartPar
-2012\sphinxhyphen{}07\sphinxhyphen{}27
-\\
-\hline\sphinxmultirow{2}{11}{%
-\begin{varwidth}[t]{\sphinxcolwidth{1}{3}}
-\sphinxAtStartPar
-Absolute
-time
-\par
-\vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}%
-}%
-&
-\sphinxAtStartPar
-HH:mm{[}:ss{]}pp
-&
-\sphinxAtStartPar
-08:30 PM
-\\
-\cline{2-3}\sphinxtablestrut{11}&
-\sphinxAtStartPar
-hh:mm{[}:ss{]}
-&
-\sphinxAtStartPar
-20:30
-\\
-\hline
-\sphinxAtStartPar
-Relative
-time
-&
-\sphinxAtStartPar
-N tt
-&
-\sphinxAtStartPar
-30 sec
-\\
-\hline\sphinxmultirow{2}{19}{%
-\begin{varwidth}[t]{\sphinxcolwidth{1}{3}}
-\sphinxAtStartPar
-Time zone
-\par
-\vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}%
-}%
-&
-\sphinxAtStartPar
-Z
-&
-\sphinxAtStartPar
-EST
-\\
-\cline{2-3}\sphinxtablestrut{19}&
-\sphinxAtStartPar
-z
-&
-\sphinxAtStartPar
-\sphinxhyphen{}0400
-\\
-\hline
-\end{tabulary}
-\par
-\sphinxattableend\end{savenotes}
-\end{quote}
-
-\sphinxAtStartPar
-(See {\hyperref[\detokenize{basic/date_format:abbreviation}]{\sphinxcrossref{\DUrole{std,std-ref}{Abbreviations used in this document}}}}.)
-
-\sphinxAtStartPar
-Examples:
-
-\begin{sphinxVerbatim}[commandchars=\\\{\}]
-\PYG{n}{Create} \PYG{n}{a} \PYG{n}{principal} \PYG{n}{that} \PYG{n}{expires} \PYG{n}{on} \PYG{n}{the} \PYG{n}{date} \PYG{n}{indicated}\PYG{p}{:}
- \PYG{n}{addprinc} \PYG{n}{test1} \PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{3/27/12 10:00:07 EST}\PYG{l+s+s2}{\PYGZdq{}}
- \PYG{n}{addprinc} \PYG{n}{test2} \PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{January 23, 2015 10:05pm}\PYG{l+s+s2}{\PYGZdq{}}
- \PYG{n}{addprinc} \PYG{n}{test3} \PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{22:00 GMT}\PYG{l+s+s2}{\PYGZdq{}}
-\PYG{n}{Add} \PYG{n}{a} \PYG{n}{principal} \PYG{n}{that} \PYG{n}{will} \PYG{n}{expire} \PYG{o+ow}{in} \PYG{l+m+mi}{30} \PYG{n}{minutes}\PYG{p}{:}
- \PYG{n}{addprinc} \PYG{n}{test4} \PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{30 minutes}\PYG{l+s+s2}{\PYGZdq{}}
-\end{sphinxVerbatim}
-
-
-\section{Absolute time}
-\label{\detokenize{basic/date_format:absolute-time}}\label{\detokenize{basic/date_format:abstime}}
-\sphinxAtStartPar
-This rarely used date\sphinxhyphen{}time format can be noted in one of the
-following ways:
-\begin{quote}
-
-
-\begin{savenotes}\sphinxattablestart
-\centering
-\begin{tabulary}{\linewidth}[t]{|T|T|T|}
-\hline
-\sphinxstyletheadfamily
-\sphinxAtStartPar
-Format
-&\sphinxstyletheadfamily
-\sphinxAtStartPar
-Example
-&\sphinxstyletheadfamily
-\sphinxAtStartPar
-Value
-\\
-\hline
-\sphinxAtStartPar
-yyyymmddhhmmss
-&
-\sphinxAtStartPar
-20141231235900
-&\sphinxmultirow{5}{6}{%
-\begin{varwidth}[t]{\sphinxcolwidth{1}{3}}
-\sphinxAtStartPar
-One minute
-before 2015
-\par
-\vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}%
-}%
-\\
-\cline{1-2}
-\sphinxAtStartPar
-yyyy.mm.dd.hh.mm.ss
-&
-\sphinxAtStartPar
-2014.12.31.23.59.00
-&\sphinxtablestrut{6}\\
-\cline{1-2}
-\sphinxAtStartPar
-yymmddhhmmss
-&
-\sphinxAtStartPar
-141231235900
-&\sphinxtablestrut{6}\\
-\cline{1-2}
-\sphinxAtStartPar
-yy.mm.dd.hh.mm.ss
-&
-\sphinxAtStartPar
-14.12.31.23.59.00
-&\sphinxtablestrut{6}\\
-\cline{1-2}
-\sphinxAtStartPar
-dd\sphinxhyphen{}month\sphinxhyphen{}yyyy:hh:mm:ss
-&
-\sphinxAtStartPar
-31\sphinxhyphen{}Dec\sphinxhyphen{}2014:23:59:00
-&\sphinxtablestrut{6}\\
-\hline
-\sphinxAtStartPar
-hh:mm:ss
-&
-\sphinxAtStartPar
-20:00:00
-&\sphinxmultirow{2}{17}{%
-\begin{varwidth}[t]{\sphinxcolwidth{1}{3}}
-\sphinxAtStartPar
-8 o’clock in
-the evening
-\par
-\vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}%
-}%
-\\
-\cline{1-2}
-\sphinxAtStartPar
-hhmmss
-&
-\sphinxAtStartPar
-200000
-&\sphinxtablestrut{17}\\
-\hline
-\end{tabulary}
-\par
-\sphinxattableend\end{savenotes}
-\end{quote}
-
-\sphinxAtStartPar
-(See {\hyperref[\detokenize{basic/date_format:abbreviation}]{\sphinxcrossref{\DUrole{std,std-ref}{Abbreviations used in this document}}}}.)
-
-\sphinxAtStartPar
-Example:
-
-\begin{sphinxVerbatim}[commandchars=\\\{\}]
-\PYG{n}{Set} \PYG{n}{the} \PYG{n}{default} \PYG{n}{expiration} \PYG{n}{date} \PYG{n}{to} \PYG{n}{July} \PYG{l+m+mi}{27}\PYG{p}{,} \PYG{l+m+mi}{2012} \PYG{n}{at} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{30}
-\PYG{n}{default\PYGZus{}principal\PYGZus{}expiration} \PYG{o}{=} \PYG{l+m+mi}{20120727203000}
-\end{sphinxVerbatim}
-
-
-\subsection{Abbreviations used in this document}
-\label{\detokenize{basic/date_format:abbreviations-used-in-this-document}}\label{\detokenize{basic/date_format:abbreviation}}
-\begin{DUlineblock}{0em}
-\item[] \sphinxstyleemphasis{month} : locale’s month name or its abbreviation;
-\item[] \sphinxstyleemphasis{dd} : day of month (01\sphinxhyphen{}31);
-\item[] \sphinxstyleemphasis{HH} : hours (00\sphinxhyphen{}12);
-\item[] \sphinxstyleemphasis{hh} : hours (00\sphinxhyphen{}23);
-\item[] \sphinxstyleemphasis{mm} : in time \sphinxhyphen{} minutes (00\sphinxhyphen{}59); in date \sphinxhyphen{} month (01\sphinxhyphen{}12);
-\item[] \sphinxstyleemphasis{N} : number;
-\item[] \sphinxstyleemphasis{pp} : AM or PM;
-\item[] \sphinxstyleemphasis{ss} : seconds (00\sphinxhyphen{}60);
-\item[] \sphinxstyleemphasis{tt} : time units (hours, minutes, min, seconds, sec);
-\item[] \sphinxstyleemphasis{yyyy} : year;
-\item[] \sphinxstyleemphasis{yy} : last two digits of the year;
-\item[] \sphinxstyleemphasis{Z} : alphabetic time zone abbreviation;
-\item[] \sphinxstyleemphasis{z} : numeric time zone;
-\end{DUlineblock}
-
-\begin{sphinxadmonition}{note}{Note:}\begin{itemize}
-\item {}
-\sphinxAtStartPar
-If the date specification contains spaces, you may need to
-enclose it in double quotes;
-
-\item {}
-\sphinxAtStartPar
-All keywords are case\sphinxhyphen{}insensitive.
-
-\end{itemize}
-\end{sphinxadmonition}
-
-
-
-\renewcommand{\indexname}{Index}
-\printindex
-\end{document} \ No newline at end of file
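
Review bot: The removal is justified only by the file's own first line, "%% Generated by Sphinx.", and the diff gives no way to confirm that the inputs it was generated from are still available. The \label lines reference basic/ccache_def, basic/keytab_def, basic/rcache_def, basic/stash_file_def and basic/date_format, and the diffstat covers this one file only. Please state in the commit message whether those sources stay in the tree or are dropped on purpose, and check that no build or install list still names crypto/krb5/doc/pdf/basic.tex. The deleted text holds the only operational guidance visible here on stash file handling (readable only by root, kept off backups) and on the dfl replay cache file being opened without following symbolic links with ownership checked against the effective uid, so it is worth noting where readers should now find that material.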