.\" Man page generated from reStructuredText.
.
-.TH "K5IDENTITY" "5" " " "1.15" "MIT Kerberos"
+.TH "K5IDENTITY" "5" " " "1.16" "MIT Kerberos"
.SH NAME
k5identity \- Kerberos V5 client principal selection rules
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "K5LOGIN" "5" " " "1.15" "MIT Kerberos"
+.TH "K5LOGIN" "5" " " "1.16" "MIT Kerberos"
.SH NAME
k5login \- Kerberos V5 acl file for host access
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "K5SRVUTIL" "1" " " "1.15" "MIT Kerberos"
+.TH "K5SRVUTIL" "1" " " "1.16" "MIT Kerberos"
.SH NAME
k5srvutil \- host key table (keytab) manipulation utility
.
[\fB\-e\fP \fIkeysalts\fP]
.SH DESCRIPTION
.sp
-k5srvutil allows an administrator to list or change keys currently in
-a keytab or to add new keys to the keytab.
+k5srvutil allows an administrator to list keys currently in
+a keytab, to obtain new keys for a principal currently in a keytab,
+or to delete non\-current keys from a keytab.
.sp
\fIoperation\fP must be one of the following:
.INDENT 0.0
.TP
.B \fBlist\fP
-Lists the keys in a keytab showing version number and principal
+Lists the keys in a keytab, showing version number and principal
name.
.TP
.B \fBchange\fP
database to new randomly\-generated keys, and updates the keys in
the keytab to match. If a key\(aqs version number doesn\(aqt match the
version number stored in the Kerberos server\(aqs database, then the
-operation will fail. Old keys are retained in the keytab so that
-existing tickets continue to work. If the \fB\-i\fP flag is given,
-k5srvutil will prompt for confirmation before changing each key.
-If the \fB\-k\fP option is given, the old and new keys will be
-displayed. Ordinarily, keys will be generated with the default
-encryption types and key salts. This can be overridden with the
-\fB\-e\fP option.
+operation will fail. If the \fB\-i\fP flag is given, k5srvutil will
+prompt for confirmation before changing each key. If the \fB\-k\fP
+option is given, the old and new keys will be displayed.
+Ordinarily, keys will be generated with the default encryption
+types and key salts. This can be overridden with the \fB\-e\fP
+option. Old keys are retained in the keytab so that existing
+tickets continue to work, but \fBdelold\fP should be used after
+such tickets expire, to prevent attacks against the old keys.
.TP
.B \fBdelold\fP
Deletes keys that are not the most recent version from the keytab.
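Review bot: in the new last sentence of the change description, "such tickets" is ambiguous; say explicitly that it means tickets issued under the old key versions, and that the wait before running delold should cover the longest ticket lifetime the realm issues, since until delold runs the retained old keys still decrypt any ticket presented to the service.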
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KADM5.ACL" "5" " " "1.15" "MIT Kerberos"
+.TH "KADM5.ACL" "5" " " "1.16" "MIT Kerberos"
.SH NAME
kadm5.acl \- Kerberos ACL file
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KADMIN" "1" " " "1.15" "MIT Kerberos"
+.TH "KADMIN" "1" " " "1.16" "MIT Kerberos"
.SH NAME
kadmin \- Kerberos V5 database administration program
.
(\fIgetdate\fP string) The password expiration date.
.TP
.B \fB\-maxlife\fP \fImaxlife\fP
-(\fIgetdate\fP string) The maximum ticket life for the principal.
+(\fIduration\fP or \fIgetdate\fP string) The maximum ticket life
+for the principal.
.TP
.B \fB\-maxrenewlife\fP \fImaxrenewlife\fP
-(\fIgetdate\fP string) The maximum renewable life of tickets for
-the principal.
+(\fIduration\fP or \fIgetdate\fP string) The maximum renewable
+life of tickets for the principal.
.TP
.B \fB\-kvno\fP \fIkvno\fP
The initial key version number.
Enables One Time Passwords (OTP) preauthentication for a client
\fIprincipal\fP\&. The \fIvalue\fP is a JSON string representing an array
of objects, each having optional \fBtype\fP and \fBusername\fP fields.
+.TP
+.B \fBpkinit_cert_match\fP
+Specifies a matching expression that defines the certificate
+attributes required for the client certificate used by the
+principal during PKINIT authentication. The matching expression
+is in the same format as those used by the \fBpkinit_cert_match\fP
+option in \fIkrb5.conf(5)\fP\&. (New in release 1.16.)
.UNINDENT
.sp
This command requires the \fBmodify\fP privilege.
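Review bot: the new pkinit_cert_match string attribute is documented without saying what consumes it; add a cross-reference to the dbmatch certauth module in krb5.conf(5), which is the component that evaluates this attribute during PKINIT, so an administrator can see how and when the attribute is enforced rather than only where it is set.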
.nf
.ft C
set_string host/foo.mit.edu session_enctypes aes128\-cts
-set_string user@FOO.COM otp [{"type":"hotp","username":"custom"}]
+set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
.ft P
.fi
.UNINDENT
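Review bot: the rewritten otp example introduces doubled double quotes inside a quoted argument with no explanation anywhere nearby; add a sentence stating the quoting rule (the JSON value must be passed as a single quoted kadmin argument, and each literal " inside it is written as "") so readers do not fall back to the unquoted form this hunk replaces.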
.INDENT 0.0
.TP
.B \fB\-maxlife\fP \fItime\fP
-(\fIgetdate\fP string) Sets the maximum lifetime of a password.
+(\fIduration\fP or \fIgetdate\fP string) Sets the maximum
+lifetime of a password.
.TP
.B \fB\-minlife\fP \fItime\fP
-(\fIgetdate\fP string) Sets the minimum lifetime of a password.
+(\fIduration\fP or \fIgetdate\fP string) Sets the minimum
+lifetime of a password.
.TP
.B \fB\-minlength\fP \fIlength\fP
Sets the minimum length of a password.
.INDENT 0.0
.TP
.B \fB\-failurecountinterval\fP \fIfailuretime\fP
-(\fIgetdate\fP string) Sets the allowable time between
-authentication failures. If an authentication failure happens
-after \fIfailuretime\fP has elapsed since the previous failure,
-the number of authentication failures is reset to 1. A
+(\fIduration\fP or \fIgetdate\fP string) Sets the allowable time
+between authentication failures. If an authentication failure
+happens after \fIfailuretime\fP has elapsed since the previous
+failure, the number of authentication failures is reset to 1. A
\fIfailuretime\fP value of 0 (the default) means forever.
.UNINDENT
.INDENT 0.0
.TP
.B \fB\-lockoutduration\fP \fIlockouttime\fP
-(\fIgetdate\fP string) Sets the duration for which the principal
-is locked from authenticating if too many authentication failures
-occur without the specified failure count interval elapsing.
-A duration of 0 (the default) means the principal remains locked
-out until it is administratively unlocked with \fBmodprinc
-\-unlock\fP\&.
+(\fIduration\fP or \fIgetdate\fP string) Sets the duration for
+which the principal is locked from authenticating if too many
+authentication failures occur without the specified failure count
+interval elapsing. A duration of 0 (the default) means the
+principal remains locked out until it is administratively unlocked
+with \fBmodprinc \-unlock\fP\&.
.TP
.B \fB\-allowedkeysalts\fP
Specifies the key/salt tuples supported for long\-term keys when
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KADMIND" "8" " " "1.15" "MIT Kerberos"
+.TH "KADMIND" "8" " " "1.16" "MIT Kerberos"
.SH NAME
kadmind \- KADM5 administration server
.
[\fB\-P\fP \fIpid_file\fP]
[\fB\-p\fP \fIkdb5_util_path\fP]
[\fB\-K\fP \fIkprop_path\fP]
+[\fB\-k\fP \fIkprop_port\fP]
[\fB\-F\fP \fIdump_file\fP]
.SH DESCRIPTION
.sp
specifies the path to the kprop command to use to send full dumps
to slaves in response to full resync requests.
.TP
+.B \fB\-k\fP \fIkprop_port\fP
+specifies the port by which the kprop process that is spawned by kadmind
+connects to the slave kpropd, in order to transfer the dump file during
+an iprop full resync request.
+.TP
.B \fB\-F\fP \fIdump_file\fP
specifies the file path to be used for dumping the KDB in response
to full resync requests when iprop is enabled.
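Review bot: the new -k kprop_port entry gives no default; state the port used when -k is absent or refer to kprop(8). "the port by which ... connects to the slave kpropd" is also imprecise: this is the destination port the slave's kpropd is listening on, so say that and note that it must match the port configured for kpropd on the slave or full resyncs will fail.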
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KDB5_LDAP_UTIL" "8" " " "1.15" "MIT Kerberos"
+.TH "KDB5_LDAP_UTIL" "8" " " "1.16" "MIT Kerberos"
.SH NAME
kdb5_ldap_util \- Kerberos configuration utility
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KDB5_UTIL" "8" " " "1.15" "MIT Kerberos"
+.TH "KDB5_UTIL" "8" " " "1.16" "MIT Kerberos"
.SH NAME
kdb5_util \- Kerberos database maintenance utility
.
where database corruption has occurred. In cases of such
corruption, this option will probably retrieve more principals
than the \fB\-rev\fP option will.
+.sp
+Changed in version 1.15: Release 1.15 restored the functionality of the \fB\-recurse\fP
+option.
+
+.sp
+Changed in version 1.5: The \fB\-recurse\fP option ceased working until release 1.15,
+doing a normal dump instead of a recursive traversal.
+
.UNINDENT
.SS load
.INDENT 0.0
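Review bot: the two "Changed in version" notes are in reverse chronological order and the 1.5 note forward-references 1.15; either place the 1.5 note first or collapse both into one sentence ("-recurse stopped working in release 1.5, performing a normal dump instead of a recursive traversal, and was restored in release 1.15"). The bare blank lines after each note also render as extra vertical space in the formatted page.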
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KDC.CONF" "5" " " "1.15" "MIT Kerberos"
+.TH "KDC.CONF" "5" " " "1.16" "MIT Kerberos"
.SH NAME
kdc.conf \- Kerberos V5 KDC configuration file
.
.TE
.SS [kdcdefaults]
.sp
-With one exception, relations in the [kdcdefaults] section specify
+With two exceptions, relations in the [kdcdefaults] section specify
default values for realm variables, to be used if the [realms]
subsection does not contain a relation for the tag. See the
\fI\%[realms]\fP section for the definitions of these relations.
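Review bot: changing "one exception" to "two exceptions" without naming the new one leaves the reader to guess; since this same change adds kdc_tcp_listen_backlog to [kdcdefaults], presumably as the second daemon-wide relation with no [realms] equivalent, name both exceptions here or mark the relation's own entry as applying to the whole daemon.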
.B \fBkdc_max_dgram_reply_size\fP
Specifies the maximum packet size that can be sent over UDP. The
default value is 4096 bytes.
+.TP
+.B \fBkdc_tcp_listen_backlog\fP
+(Integer.) Set the size of the listen queue length for the KDC
+daemon. The value may be limited by OS settings. The default
+value is 5.
.UNINDENT
.SS [realms]
.sp
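Review bot: "may be limited by OS settings" should name the limit. If this value is handed to listen(2) as the backlog, say so, and note that the kernel caps it (net.core.somaxconn on Linux) so a larger configured value has no effect until the OS limit is raised too. A default of 5 is small for a busy KDC; documenting the symptom of an exhausted backlog (TCP connection attempts dropped or refused under load) tells operators when to raise it.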
if there is no policy assigned to the principal, no dictionary
checks of passwords will be performed.
.TP
+.B \fBencrypted_challenge_indicator\fP
+(String.) Specifies the authentication indicator value that the KDC
+asserts into tickets obtained using FAST encrypted challenge
+pre\-authentication. New in 1.16.
+.TP
.B \fBhost_based_services\fP
(Whitespace\- or comma\-separated list.) Lists services which will
get host\-based referral processing even if the server principal is
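Review bot: "New in 1.16." should read "New in release 1.16." to match the phrasing used by the other additions in this change (pkinit_cert_match, dns_uri_lookup). The entry should also state what the KDC asserts when the relation is unset (presumably no indicator at all), since services that gate access on authentication indicators need to know whether one is present by default.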
T}
_
T{
-aes256\-cts\-hmac\-sha1\-96 aes256\-cts AES\-256
+aes256\-cts\-hmac\-sha1\-96 aes256\-cts aes256\-sha1
+T} T{
+AES\-256 CTS mode with 96\-bit SHA\-1 HMAC
+T}
+_
+T{
+aes128\-cts\-hmac\-sha1\-96 aes128\-cts aes128\-sha1
T} T{
-CTS mode with 96\-bit SHA\-1 HMAC
+AES\-128 CTS mode with 96\-bit SHA\-1 HMAC
T}
_
T{
-aes128\-cts\-hmac\-sha1\-96 aes128\-cts AES\-128
+aes256\-cts\-hmac\-sha384\-192 aes256\-sha2
T} T{
-CTS mode with 96\-bit SHA\-1 HMAC
+AES\-256 CTS mode with 192\-bit SHA\-384 HMAC
+T}
+_
+T{
+aes128\-cts\-hmac\-sha256\-128 aes128\-sha2
+T} T{
+AES\-128 CTS mode with 128\-bit SHA\-256 HMAC
T}
_
T{
T{
aes
T} T{
-The AES family: aes256\-cts\-hmac\-sha1\-96 and aes128\-cts\-hmac\-sha1\-96
+The AES family: aes256\-cts\-hmac\-sha1\-96, aes128\-cts\-hmac\-sha1\-96, aes256\-cts\-hmac\-sha384\-192, and aes128\-cts\-hmac\-sha256\-128
T}
_
T{
While \fBaes128\-cts\fP and \fBaes256\-cts\fP are supported for all Kerberos
operations, they are not supported by very old versions of our GSSAPI
implementation (krb5\-1.3.1 and earlier). Services running versions of
-krb5 without AES support must not be given AES keys in the KDC
-database.
+krb5 without AES support must not be given keys of these encryption
+types in the KDC database.
+.sp
+The \fBaes128\-sha2\fP and \fBaes256\-sha2\fP encryption types are new in
+release 1.15. Services running versions of krb5 without support for
+these newer encryption types must not be given keys of these
+encryption types in the KDC database.
.SH KEYSALT LISTS
.sp
Kerberos keys for users are usually derived from passwords. Kerberos
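Review bot: widening the aes family alias in the preceding hunk to include the sha2 types changes what existing configurations that use the alias (for example in supported_enctypes or permitted_enctypes) will generate or accept, and the new compatibility paragraph does not mention that. Say explicitly that "aes" now yields sha2 keys, so administrators with pre-1.15 services in the realm know to list the sha1 types individually for those principals.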
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KDESTROY" "1" " " "1.15" "MIT Kerberos"
+.TH "KDESTROY" "1" " " "1.16" "MIT Kerberos"
.SH NAME
kdestroy \- destroy Kerberos tickets
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KINIT" "1" " " "1.15" "MIT Kerberos"
+.TH "KINIT" "1" " " "1.16" "MIT Kerberos"
.SH NAME
kinit \- obtain and cache Kerberos ticket-granting ticket
.
.SH DESCRIPTION
.sp
kinit obtains and caches an initial ticket\-granting ticket for
-\fIprincipal\fP\&.
+\fIprincipal\fP\&. If \fIprincipal\fP is absent, kinit chooses an appropriate
+principal name based on existing credential cache contents or the
+local username of the user invoking kinit. Some options modify the
+choice of principal name.
.SH OPTIONS
.INDENT 0.0
.TP
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KLIST" "1" " " "1.15" "MIT Kerberos"
+.TH "KLIST" "1" " " "1.16" "MIT Kerberos"
.SH NAME
klist \- list cached Kerberos tickets
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KPASSWD" "1" " " "1.15" "MIT Kerberos"
+.TH "KPASSWD" "1" " " "1.16" "MIT Kerberos"
.SH NAME
kpasswd \- change a user's Kerberos password
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KPROP" "8" " " "1.15" "MIT Kerberos"
+.TH "KPROP" "8" " " "1.16" "MIT Kerberos"
.SH NAME
kprop \- propagate a Kerberos V5 principal database to a slave server
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KPROPD" "8" " " "1.15" "MIT Kerberos"
+.TH "KPROPD" "8" " " "1.16" "MIT Kerberos"
.SH NAME
kpropd \- Kerberos V5 slave KDC update server
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KPROPLOG" "8" " " "1.15" "MIT Kerberos"
+.TH "KPROPLOG" "8" " " "1.16" "MIT Kerberos"
.SH NAME
kproplog \- display the contents of the Kerberos principal update log
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KRB5-CONFIG" "1" " " "1.15" "MIT Kerberos"
+.TH "KRB5-CONFIG" "1" " " "1.16" "MIT Kerberos"
.SH NAME
krb5-config \- tool for linking against MIT Kerberos libraries
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KRB5.CONF" "5" " " "1.15" "MIT Kerberos"
+.TH "KRB5.CONF" "5" " " "1.16" "MIT Kerberos"
.SH NAME
krb5.conf \- Kerberos configuration file
.
\fIFILENAME\fP or \fIDIRNAME\fP should be an absolute path. The named file or
directory must exist and be readable. Including a directory includes
all files within the directory whose names consist solely of
-alphanumeric characters, dashes, or underscores, or any filename
-ending in ".conf". Included profile files are syntactically
+alphanumeric characters, dashes, or underscores. Starting in release
+1.15, files with names ending in ".conf" are also included, unless the
+name begins with ".". Included profile files are syntactically
independent of their parents, so each included file must begin with a
section header.
.sp
data), and anything the fake KDC sends will not be trusted without
verification using some secret that it won\(aqt know.
.TP
+.B \fBdns_uri_lookup\fP
+Indicate whether DNS URI records should be used to locate the KDCs
+and other servers for a realm, if they are not listed in the
+krb5.conf information for the realm. SRV records are used as a
+fallback if no URI records were found. The default value is true.
+New in release 1.15.
+.TP
.B \fBerr_fmt\fP
This relation allows for custom error message formatting. If a
value is set, error messages will be formatted by substituting a
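Review bot: dns_uri_lookup defaults to true and, like SRV lookup, relies on DNS answers to decide where credentials are sent; the entry should carry the same caveat the preceding text gives for fake KDCs (a spoofed record only redirects the client to a server that still cannot produce anything the client trusts without the shared secret). It should also say whether setting dns_lookup_kdc to false disables URI lookups as well, since an administrator turning off DNS discovery will assume it covers both record types.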
This module authorizes a principal to a local account if the
principal name maps to the local account name.
.UNINDENT
+.SS certauth interface
+.sp
+The certauth section (introduced in release 1.16) controls modules for
+the certificate authorization interface, which determines whether a
+certificate is allowed to preauthenticate a user via PKINIT. The
+following built\-in modules exist for this interface:
+.INDENT 0.0
+.TP
+.B \fBpkinit_san\fP
+This module authorizes the certificate if it contains a PKINIT
+Subject Alternative Name for the requested client principal, or a
+Microsoft UPN SAN matching the principal if \fBpkinit_allow_upn\fP
+is set to true for the realm.
+.TP
+.B \fBpkinit_eku\fP
+This module rejects the certificate if it does not contain an
+Extended Key Usage attribute consistent with the
+\fBpkinit_eku_checking\fP value for the realm.
+.TP
+.B \fBdbmatch\fP
+This module authorizes or rejects the certificate according to
+whether it matches the \fBpkinit_cert_match\fP string attribute on
+the client principal, if that attribute is present.
+.UNINDENT
.SH PKINIT OPTIONS
.sp
\fBNOTE:\fP
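Review bot: the certauth description lists three modules but not how their results combine: whether a single rejection is final, whether at least one module must authorize, in what order they run, and what the outcome is when dbmatch finds no pkinit_cert_match attribute and pkinit_san finds no matching SAN. Add the composition rule, since the binding between a client certificate and a principal depends on it, and state whether the built-in modules can be disabled or only supplemented.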
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KRB5KDC" "8" " " "1.15" "MIT Kerberos"
+.TH "KRB5KDC" "8" " " "1.16" "MIT Kerberos"
.SH NAME
krb5kdc \- Kerberos V5 KDC
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KSU" "1" " " "1.15" "MIT Kerberos"
+.TH "KSU" "1" " " "1.16" "MIT Kerberos"
.SH NAME
ksu \- Kerberized super-user
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KSWITCH" "1" " " "1.15" "MIT Kerberos"
+.TH "KSWITCH" "1" " " "1.16" "MIT Kerberos"
.SH NAME
kswitch \- switch primary ticket cache
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KTUTIL" "1" " " "1.15" "MIT Kerberos"
+.TH "KTUTIL" "1" " " "1.16" "MIT Kerberos"
.SH NAME
ktutil \- Kerberos keytab file maintenance utility
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "KVNO" "1" " " "1.15" "MIT Kerberos"
+.TH "KVNO" "1" " " "1.16" "MIT Kerberos"
.SH NAME
kvno \- print key version numbers of Kerberos principals
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "SCLIENT" "1" " " "1.15" "MIT Kerberos"
+.TH "SCLIENT" "1" " " "1.16" "MIT Kerberos"
.SH NAME
sclient \- sample Kerberos version 5 client
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.
.\" Man page generated from reStructuredText.
.
-.TH "SSERVER" "8" " " "1.15" "MIT Kerberos"
+.TH "SSERVER" "8" " " "1.16" "MIT Kerberos"
.SH NAME
sserver \- sample Kerberos version 5 server
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
.\" Generated by docutils manpage writer.
.