From 4385cd757dec4a641a7c516abe976675cec5971e Mon Sep 17 00:00:00 2001
From: Johan Danielsson
Date: Thu, 18 Mar 2004 07:22:44 +0000
Subject: [PATCH] add a bunch of Li and document [kadmin] password_lifetime; from Henry B. Hotz

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13535 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
lib/krb5/krb5.conf.5 | 61 +++++++++++++++++++++++---------------------
1 file changed, 32 insertions(+), 29 deletions(-)

diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 5f0d127e8..5dc478179 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -148,8 +148,8 @@ times. Default is 300 seconds (five minutes). .It Li kdc_timeout = Va time Maximum time to wait for a reply from the kdc, default is 3 seconds. -.It v4_name_convert -.It v4_instance_resolve +.It Li v4_name_convert +.It Li v4_instance_resolve These are described in the .Xr krb5_425_conv_principal 3 manual page. 
@@ -330,71 +330,74 @@ manual page for a list of defined destinations. .El .It Li [kdc] .Bl -tag -width "xxx" -offset indent -.It database Li = { +.It Li database Li = { .Bl -tag -width "xxx" -offset indent -.It dbname Li = Va DATABASENAME +.It Li dbname Li = Va DATABASENAME Use this database for this realm. -.It realm Li = Va REALM +.It Li realm Li = Va REALM Specifies the realm that will be stored in this database. -.It mkey_file Li = Pa FILENAME +.It Li mkey_file Li = Pa FILENAME Use this keytab file for the master key of this database. If not specified .Va DATABASENAME Ns .mkey will be used. -.It acl_file Li = PA FILENAME +.It Li acl_file Li = PA FILENAME Use this file for the ACL list of this database. -.It log_file Li = Pa FILENAME +.It Li log_file Li = Pa FILENAME Use this file as the log of changes performed to the database. This file is used by .Nm ipropd-master for propagating changes to slaves. .El .It Li } -.It max-request = Va SIZE +.It Li max-request = Va SIZE Maximum size of a kdc request. -.It require-preauth = Va BOOL +.It Li require-preauth = Va BOOL If set pre-authentication is required. Since krb4 requests are not pre-authenticated they will be rejected. -.It ports = Va "list of ports" +.It Li ports = Va "list of ports" List of ports the kdc should listen to. -.It addresses = Va "list of interfaces" +.It Li addresses = Va "list of interfaces" List of addresses the kdc should bind to. -.It enable-kerberos4 = Va BOOL +.It Li enable-kerberos4 = Va BOOL Turn on Kerberos 4 support. -.It v4-realm = Va REALM +.It Li v4-realm = Va REALM To what realm v4 requests should be mapped. -.It enable-524 = Va BOOL +.It Li enable-524 = Va BOOL Should the Kerberos 524 converting facility be turned on. Default is same as .Va enable-kerberos4 . -.It enable-http = Va BOOL +.It Li enable-http = Va BOOL Should the kdc answer kdc-requests over http. -.It enable-kaserver = Va BOOL +.It Li enable-kaserver = Va BOOL If this kdc should emulate the AFS kaserver. 
-.It check-ticket-addresses = Va BOOL +.It Li check-ticket-addresses = Va BOOL verify the addresses in the tickets used in tgs requests. .\" XXX -.It allow-null-ticket-addresses = Va BOOL +.It Li allow-null-ticket-addresses = Va BOOL Allow addresses-less tickets. .\" XXX -.It allow-anonymous = Va BOOL +.It Li allow-anonymous = Va BOOL If the kdc is allowed to hand out anonymous tickets. -.It encode_as_rep_as_tgs_rep = Va BOOL +.It Li encode_as_rep_as_tgs_rep = Va BOOL Encode as-rep as tgs-rep tobe compatible with mistakes older DCE secd did. .\" XXX -.It kdc_warn_pwexpire = Va TIME +.It Li kdc_warn_pwexpire = Va TIME The time before expiration that the user should be warned that her password is about to expire. -.It logging = Va Logging +.It Li logging = Va Logging What type of logging the kdc should use, see also [logging]/kdc. -.It use_2b = Va principal list +.It Li use_2b = Va principal list List of principals to use AFS 2b tokens for. .El .It Li [kadmin] .Bl -tag -width "xxx" -offset indent -.It require-preauth = Va BOOL +.It Li require-preauth = Va BOOL If pre-authentication is required to talk to the kadmin server. -.It default_keys = Va keytypes... +.It Li password_lifetime = Va time +If a principal already have its password set for expiration, this is +the time it will be valid for after a change. +.It Li default_keys = Va keytypes... for each entry in .Va default_keys try to parse it as a sequence of
@@ -409,14 +412,14 @@ is omitted it means everything, and if string is omitted it means the default salt string (for that principal and encryption type). Additional special values of keytypes are: .Bl -tag -width "xxx" -offset indent -.It v5 +.It Li v5 The Kerberos 5 salt .Va pw-salt -.It v4 +.It Li v4 The Kerberos 4 salt .Va des:pw-salt: .El -.It use_v4_salt = Va BOOL +.It Li use_v4_salt = Va BOOL When true, this is the same as .Pp .Va default_keys = Va des3:pw-salt Va v4