From: Ben Kaduk Date: Thu, 30 May 2013 22:49:36 +0000 (-0400) Subject: Document preauth flags for service principals X-Git-Tag: krb5-1.12-alpha1~141 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7425e9b69566c241c54eb2686fb37f216122423f;p=thirdparty%2Fkrb5.git Document preauth flags for service principals These flags are overloaded to mean different things for clients and servers; previously we only documented the client behavior. ticket: 7653 (new) tags: pullup target_version: 1.11.4 --- diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst index 3072eec715..39351dfd90 100644 --- a/doc/admin/admin_commands/kadmin_local.rst +++ b/doc/admin/admin_commands/kadmin_local.rst @@ -242,12 +242,18 @@ Options: {-\|+}\ **requires_preauth** **+requires_preauth** requires this principal to preauthenticate before being allowed to kinit. **-requires_preauth** clears this - flag. + flag. When **+requires_preauth** is set on a service principal, + the KDC will only issue service tickets for that service principal + if the client's initial authentication was performed using + preauthentication. {-\|+}\ **requires_hwauth** **+requires_hwauth** requires this principal to preauthenticate using a hardware device before being allowed to kinit. - **-requires_hwauth** clears this flag. + **-requires_hwauth** clears this flag. When **+requires_hwauth** is + set on a service principal, the KDC will only issue service tickets + for that service principal if the client's initial authentication was + performed using a hardware device to preauthenticate. {-\|+}\ **ok_as_delegate** **+ok_as_delegate** sets the **okay as delegate** flag on tickets
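Review bot: In the **requires_preauth** and **requires_hwauth** entries, the added "When ... is set on a service principal" sentences do not say whether the client-side meaning in the first sentence still applies to that same principal, which is the overloading the commit message calls out. An administrator reading the entry cannot tell if setting **+requires_preauth** on a service principal also constrains that principal's own kinit (for example when it authenticates from a keytab). Suggest one closing sentence per entry stating how the two meanings combine for a principal used as both client and service. A smaller wording point in the **requires_hwauth** entry: "performed using a hardware device to preauthenticate" reads awkwardly next to "preauthenticate using a hardware device" earlier in the same entry, so reusing that earlier phrasing would keep the two sentences parallel.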