From: Tom Yu Date: Wed, 24 Sep 2014 18:43:56 +0000 (-0400) Subject: Update manpages X-Git-Tag: krb5-1.13-beta1~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c832e5dffca879f3a0c0b0f29413092a6977f338;p=thirdparty%2Fkrb5.git Update manpages --- diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man index 3f83afce30..7fbe7d5d57 100644 --- a/src/man/kdc.conf.man +++ b/src/man/kdc.conf.man @@ -310,13 +310,11 @@ historically used by Kerberos V4. .B \fBkdc_tcp_ports\fP (Whitespace\- or comma\-separated list.) Lists the ports on which the Kerberos server should listen for TCP connections, as a -comma\-separated list of integers. If this relation is not -specified, the compiled\-in default is not to listen for TCP -connections at all. -.sp -If you wish to change this (note that the current implementation -has little protection against denial\-of\-service attacks), the -standard port number assigned for Kerberos TCP traffic is port 88. +comma\-separated list of integers. To disable listening on TCP, +set this relation to the empty string with \fBkdc_tcp_ports = ""\fP\&. +If this relation is not specified, the default is to listen on TCP +port 88 (the standard port). Prior to release 1.13, the default +was not to listen for TCP connections at all. .TP .B \fBmaster_key_name\fP (String.) Specifies the name of the principal associated with the diff --git a/src/man/kinit.man b/src/man/kinit.man index 560460c86a..ae1a448447 100644 --- a/src/man/kinit.man +++ b/src/man/kinit.man 
@@ -123,6 +123,11 @@ with the validated ticket. requests renewal of the ticket\-granting ticket. Note that an expired ticket cannot be renewed, even if the ticket is still within its renewable life. +.sp +Note that renewable tickets that have expired as reported by +\fIklist(1)\fP may sometimes be renewed using this option, +because the KDC applies a grace period to account for client\-KDC +clock skew. See \fIkrb5.conf(5)\fP \fBclockskew\fP setting. .TP .B \fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP] requests a ticket, obtained from a key in the local host\(aqs keytab. diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man index 6647ae5674..f6a87d450e 100644 --- a/src/man/krb5.conf.man +++ b/src/man/krb5.conf.man @@ -216,6 +216,12 @@ Kerberos which interact with credential caches on the same host. Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes. +.sp +The clockskew setting is also used when evaluating ticket start +and expiration times. For example, tickets that have reached +their expiration time can still be used (and renewed if they are +renewable tickets) if they have been expired for a shorter +duration than the \fBclockskew\fP setting. .TP .B \fBdefault_ccache_name\fP This relation specifies the name of the default credential cache.
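Review bot: In the src/man/kdc.conf.man hunk for kdc_tcp_ports, the rewritten paragraph drops the removed caveat that "the current implementation has little protection against denial-of-service attacks" in the same change that documents TCP port 88 becoming the default listener. If the caveat still holds, keep it beside the new default; if it no longer holds, say so. An administrator who never set this relation gets a listening TCP port after moving to 1.13, and has to add kdc_tcp_ports = "" to keep the earlier behaviour, so the upgrade consequence deserves its own sentence. The unchanged context also describes the value as "Whitespace- or comma-separated" in the type line and as "a comma-separated list of integers" in the body; this edit is a good place to make the two agree.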
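Review bot: In the src/man/kinit.man hunk, the added paragraph under the renewal option contradicts the unchanged sentence directly above it, which still says "an expired ticket cannot be renewed, even if the ticket is still within its renewable life". A reader now sees "cannot be renewed" followed by "may sometimes be renewed". Suggest rewriting the two into one statement, for example that a ticket cannot be renewed once it has been expired for longer than the clockskew grace period. "May sometimes" could be replaced by that condition, and the closing fragment "See krb5.conf(5) clockskew setting." reads better as a full sentence such as "See the clockskew setting in krb5.conf(5)."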
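Review bot: In the src/man/krb5.conf.man hunk for clockskew, the new paragraph says the setting applies to "ticket start and expiration times" but the example covers only expiration. Suggest adding the start-time case in the same sentence so both directions are documented. Since the text states that tickets "can still be used (and renewed if they are renewable tickets)" for up to the clockskew duration after they expire, it would also help to state the consequence for anyone tuning the value: raising clockskew lengthens the period during which an expired ticket is still accepted, so the setting affects effective ticket lifetime and not only message timestamp checks.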