Also some other small changes and the copyright date range.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
\fBk5srvutil\fP \fIoperation\fP
[\fB\-i\fP]
[\fB\-f\fP \fIfilename\fP]
+[\fB\-e\fP \fIkeysalts\fP]
.SH DESCRIPTION
.sp
k5srvutil allows an administrator to list or change keys currently in
existing tickets continue to work. If the \fB\-i\fP flag is given,
k5srvutil will prompt for confirmation before changing each key.
If the \fB\-k\fP option is given, the old and new keys will be
-displayed.
+displayed. Ordinarily, keys will be generated with the default
+encryption types and key salts. This can be overridden with the
+\fB\-e\fP option.
.TP
.B \fBdelold\fP
Deletes keys that are not the most recent version from the keytab.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
system via the process list; to avoid this, instead stash the
password using the \fBstashsrvpw\fP command of
\fIkdb5_ldap_util(8)\fP.
+.TP
+.B \fB\-x debug=\fP\fIlevel\fP
+sets the OpenLDAP client library debug level. \fIlevel\fP is an
+integer to be interpreted by the library. Debugging messages
+are printed to standard error. New in release 1.12.
.UNINDENT
.UNINDENT
.SH COMMANDS
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
on the system via the process list; to avoid this, instead
stash the password using the \fBstashsrvpw\fP command of
\fIkdb5_ldap_util(8)\fP.
+.TP
+.B \fB\-x debug=\fP\fIlevel\fP
+sets the OpenLDAP client library debug level. \fIlevel\fP is
+an integer to be interpreted by the library. Debugging
+messages are printed to standard error, so this option
+must be used with the \fB\-nofork\fP option to be useful.
+New in release 1.12.
.UNINDENT
.UNINDENT
.UNINDENT
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
.SS dump
.INDENT 0.0
.INDENT 3.5
-\fBdump\fP [\fB\-old\fP|\fB\-b6\fP|\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP]
-[\fB\-verbose\fP] [\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP \fImkey_file\fP]
-[\fB\-rev\fP] [\fB\-recurse\fP] [\fIfilename\fP [\fIprincipals\fP...]]
+\fBdump\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP] [\fB\-verbose\fP]
+[\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP \fImkey_file\fP] [\fB\-rev\fP]
+[\fB\-recurse\fP] [\fIfilename\fP [\fIprincipals\fP...]]
.UNINDENT
.UNINDENT
.sp
"\-", the dump is sent to standard output. Options:
.INDENT 0.0
.TP
-.B \fB\-old\fP
-causes the dump to be in the Kerberos 5 Beta 5 and earlier dump
-format ("kdb5_edit load_dump version 2.0").
-.TP
-.B \fB\-b6\fP
-causes the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit
-load_dump version 3.0").
-.TP
.B \fB\-b7\fP
causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util
load_dump version 4"). This was the dump format produced on
.SS load
.INDENT 0.0
.INDENT 3.5
-\fBload\fP [\fB\-old\fP|\fB\-b6\fP|\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP]
-[\fB\-hash\fP] [\fB\-verbose\fP] [\fB\-update\fP] \fIfilename\fP [\fIdbname\fP]
+\fBload\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP] [\fB\-hash\fP]
+[\fB\-verbose\fP] [\fB\-update\fP] \fIfilename\fP [\fIdbname\fP]
.UNINDENT
.UNINDENT
.sp
Options:
.INDENT 0.0
.TP
-.B \fB\-old\fP
-requires the database to be in the Kerberos 5 Beta 5 and earlier
-format ("kdb5_edit load_dump version 2.0").
-.TP
-.B \fB\-b6\fP
-requires the database to be in the Kerberos 5 Beta 6 format
-("kdb5_edit load_dump version 3.0").
-.TP
.B \fB\-b7\fP
requires the database to be in the Kerberos 5 Beta 7 format
("kdb5_util load_dump version 4").
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
(Delta time string.) Specifies the amount of time to wait for a
full propagation to complete. This is optional in configuration
files, and is used by slave KDCs only. The default value is 5
-minutes (\fB5m\fP).
+minutes (\fB5m\fP). New in release 1.11.
.TP
.B \fBiprop_logfile\fP
(File name.) Specifies where the update log file for the realm
principals support des\-cbc\-crc for session key enctype negotiation
purposes. If \fBallow_weak_crypto\fP in \fIlibdefaults\fP is
false, or if des\-cbc\-crc is not a permitted enctype, then this
-variable has no effect. Defaults to true.
+variable has no effect. Defaults to true. New in release 1.11.
.TP
.B \fBreject_bad_transit\fP
(Boolean value.) If set to true, the KDC will check the list of
than the realm\(aqs ticket\-granting service. This option allows
anonymous PKINIT to be enabled for use as FAST armor tickets
without allowing anonymous authentication to services. The
-default value is false.
+default value is false. New in release 1.9.
.TP
.B \fBsupported_enctypes\fP
(List of \fIkey\fP:\fIsalt\fP strings.) Specifies the default key/salt
preauthentication. Setting this flag may improve performance.
(Principal entries which do not require preauthentication never
update the "Last successful authentication" field.). First
-introduced in version 1.9.
+introduced in release 1.9.
.TP
.B \fBdisable_lockout\fP
If set to \fBtrue\fP, suppresses KDC updates to the "Last failed
authentication" and "Failed password attempts" fields of principal
entries requiring preauthentication. Setting this flag may
improve performance, but also disables account lockout. First
-introduced in version 1.9.
+introduced in release 1.9.
.TP
.B \fBldap_conns_per_server\fP
This LDAP\-specific tag indicates the number of connections to be
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
--- /dev/null
+.TH "KRB5-CONFIG" "1" " " "1.12" "MIT Kerberos"
+.SH NAME
+krb5-config \- tool for linking against MIT Kerberos libraries
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructuredText.
+.
+.SH SYNOPSIS
+.sp
+\fBkrb5\-config\fP
+[\fB\-\fP\fB\-help\fP | \fB\-\fP\fB\-all\fP | \fB\-\fP\fB\-version\fP | \fB\-\fP\fB\-vendor\fP | \fB\-\fP\fB\-prefix\fP | \fB\-\fP\fB\-exec\-prefix\fP | \fB\-\fP\fB\-defccname\fP | \fB\-\fP\fB\-defktname\fP | \fB\-\fP\fB\-defcktname\fP | \fB\-\fP\fB\-cflags\fP | \fB\-\fP\fB\-libs\fP [\fIlibraries\fP]]
+.SH DESCRIPTION
+.sp
+krb5\-config tells the application programmer what flags to use to compile
+and link programs against the installed Kerberos libraries.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-\fP\fB\-help\fP
+prints a usage message. This is the default behavior when no options
+are specified.
+.TP
+.B \fB\-\fP\fB\-all\fP
+prints the version, vendor, prefix, and exec\-prefix.
+.TP
+.B \fB\-\fP\fB\-version\fP
+prints the version number of the Kerberos installation.
+.TP
+.B \fB\-\fP\fB\-vendor\fP
+prints the name of the vendor of the Kerberos installation.
+.TP
+.B \fB\-\fP\fB\-prefix\fP
+prints the prefix for which the Kerberos installation was built.
+.TP
+.B \fB\-\fP\fB\-exec\-prefix\fP
+prints the prefix for executables for which the Kerberos installation
+was built.
+.TP
+.B \fB\-\fP\fB\-defccname\fP
+prints the built\-in default credentials cache location.
+.TP
+.B \fB\-\fP\fB\-defktname\fP
+prints the built\-in default keytab location.
+.TP
+.B \fB\-\fP\fB\-defcktname\fP
+prints the built\-in default client (initiator) keytab location.
+.TP
+.B \fB\-\fP\fB\-cflags\fP
+prints the compilation flags used to build the Kerberos installation.
+.TP
+.B \fB\-\fP\fB\-libs\fP [\fIlibrary\fP]
+prints the compiler options needed to link against \fIlibrary\fP.
+Allowed values for \fIlibrary\fP are:
+.TS
+center;
+|l|l|.
+_
+T{
+krb5
+T} T{
+Kerberos 5 applications (default)
+T}
+_
+T{
+gssapi
+T} T{
+GSSAPI applications with Kerberos 5 bindings
+T}
+_
+T{
+kadm\-client
+T} T{
+Kadmin client
+T}
+_
+T{
+kadm\-server
+T} T{
+Kadmin server
+T}
+_
+T{
+kdb
+T} T{
+Applications that access the Kerberos database
+T}
+_
+.TE
+.UNINDENT
+.SH EXAMPLES
+.sp
+krb5\-config is particularly useful for compiling against a Kerberos
+installation that was installed in a non\-standard location. For example,
+a Kerberos installation that is installed in \fB/opt/krb5/\fP but uses
+libraries in \fB/usr/local/lib/\fP for text localization would produce
+the following output:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+shell% krb5\-config \-\-libs krb5
+\-L/opt/krb5/lib \-Wl,\-rpath \-Wl,/opt/krb5/lib \-L/usr/local/lib \-lkrb5 \-lk5crypto \-lcom_err
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH SEE ALSO
+.sp
+kerberos(1), cc(1)
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+1985-2013, MIT
+.\" Generated by docutils manpage writer.
+.
.B \fBdefault_ccache_name\fP
This relation specifies the name of the default credential cache.
The default is \fB@CCNAME@\fP. This relation is subject to parameter
-expansion (see below).
+expansion (see below). New in release 1.11.
.TP
.B \fBdefault_client_keytab_name\fP
This relation specifies the name of the default keytab for
obtaining client credentials. The default is \fB@CKTNAME@\fP. This
relation is subject to parameter expansion (see below).
+New in release 1.11.
.TP
.B \fBdefault_keytab_name\fP
This relation specifies the default keytab name to be used by
(if given). This option can improve the administrative
flexibility of server applications on multihomed hosts, but could
compromise the security of virtual hosting environments. The
-default value is false.
+default value is false. New in release 1.10.
.TP
.B \fBk5login_authoritative\fP
If this flag is true, principals must be listed in a local user\(aqs
interface uses the [plugins] section; the ones that do are documented
here.
.sp
+New in release 1.9.
+.sp
Each pluggable interface corresponds to a subsection of [plugins].
All subsections support the same tags:
.INDENT 0.0
.B \fBencrypted_timestamp\fP
This module implements the encrypted timestamp mechanism.
.UNINDENT
+.SS localauth interface
+.sp
+The localauth section (introduced in release 1.12) controls modules
+for the local authorization interface, which affects the relationship
+between Kerberos principals and local system accounts. The following
+built\-in modules exist for this interface:
+.INDENT 0.0
+.TP
+.B \fBauth_to_local\fP
+This module processes \fBauth_to_local\fP values in the default
+realm\(aqs section, and applies the default method if no
+\fBauth_to_local\fP values exist.
+.TP
+.B \fBan2ln\fP
+This module authorizes a principal to a local account if the
+principal name maps to the local account name.
+.TP
+.B \fBdefault\fP
+This module implements the \fBDEFAULT\fP type for \fBauth_to_local\fP
+values.
+.TP
+.B \fBk5login\fP
+This module authorizes a principal to a local account according to
+the account\(aqs \fI.k5login(5)\fP file.
+.TP
+.B \fBnames\fP
+This module looks for an \fBauth_to_local_names\fP mapping for the
+principal name.
+.TP
+.B \fBrule\fP
+This module implements the \fBRULE\fP type for \fBauth_to_local\fP
+values.
+.UNINDENT
.SH PKINIT OPTIONS
.IP Note
The following are PKINIT\-specific options. These values may
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
system via the process list; to avoid this, instead stash the
password using the \fBstashsrvpw\fP command of
\fIkdb5_ldap_util(8)\fP.
+.TP
+.B \fB\-x debug=\fP\fIlevel\fP
+sets the OpenLDAP client library debug level. \fIlevel\fP is an
+integer to be interpreted by the library. Debugging messages
+are printed to standard error, so this option must be used
+with the \fB\-n\fP option to be useful. New in release 1.12.
.UNINDENT
.UNINDENT
.UNINDENT
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
.SH AUTHOR
MIT
.SH COPYRIGHT
-2012, MIT
+1985-2013, MIT
.\" Generated by docutils manpage writer.
.
projects / thirdparty / krb5.git / commitdiff
