From ba6503958624aaf6ef639dc478909c51a6fb5ee2 Mon Sep 17 00:00:00 2001
From: "Roland C. Dowdeswell" <roland.dowdeswell@twosigma.com>
Date: Wed, 23 Oct 2019 19:38:11 +0100
Subject: [PATCH] Lightly document derived key namespaces

---
 lib/krb5/krb5.conf.5 | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 8da8d9ab4..de21f5015 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -836,7 +836,30 @@ The name of the service.
 .It principal-host-name
 The name of the host.
 .El
+.It Li enable_derived_keys = Va boolean
+Enable the use of derived key namespaces.
+When enabled, principals of the form
+.Pp
+.Ar WELLKNOWN/DERIVED-KEY/<alg>/<namespace>@REALM
+.Pp
+match any request of the form:
+.Ar */*.<namespace>@REALM .
+The keys are derived from the keys in the database and
+the name of the requested principal via the algorithm
+specified by
+.Ar <alg> .
+Currently, only
+.Ar KRB5-CRYPTO-PRFPLUS
+which is implemented by the function
+.Fn krb5_crypto_prfplus .
+.It Li derived_keys_ndots = Va Integer
+The minimum number of dots in a name matched via
+derived key namespaces.
+.It Li derived_keys_maxdots = Va Integer
+The maximim number of dots in a name matched via
+derived key namespaces.
 .El
+.Pp
 The 
 .Li kx509 ,
 .Li kx509_template ,