Update man pages

src/man/k5identity.man

@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "K5IDENTITY" "5" " " "1.15" "MIT Kerberos"
+.TH "K5IDENTITY" "5" " " "1.16" "MIT Kerberos"
 .SH NAME
 k5identity \- Kerberos V5 client principal selection rules
 .
@@ -98,6 +98,6 @@ kerberos(1), \fIkrb5.conf(5)\fP
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .

src/man/k5login.man

@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "K5LOGIN" "5" " " "1.15" "MIT Kerberos"
+.TH "K5LOGIN" "5" " " "1.16" "MIT Kerberos"
 .SH NAME
 k5login \- Kerberos V5 acl file for host access
 .
@@ -91,6 +91,6 @@ kerberos(1)
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .

src/man/k5srvutil.man

@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "K5SRVUTIL" "1" " " "1.15" "MIT Kerberos"
+.TH "K5SRVUTIL" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 k5srvutil \- host key table (keytab) manipulation utility
 .
@@ -38,28 +38,30 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 [\fB\-e\fP \fIkeysalts\fP]
 .SH DESCRIPTION
 .sp
-k5srvutil allows an administrator to list or change keys currently in
-a keytab or to add new keys to the keytab.
+k5srvutil allows an administrator to list keys currently in
+a keytab, to obtain new keys for a principal currently in a keytab,
+or to delete non\-current keys from a keytab.
 .sp
 \fIoperation\fP must be one of the following:
 .INDENT 0.0
 .TP
 .B \fBlist\fP
-Lists the keys in a keytab showing version number and principal
+Lists the keys in a keytab, showing version number and principal
 name.
 .TP
 .B \fBchange\fP
 Uses the kadmin protocol to update the keys in the Kerberos
 database to new randomly\-generated keys, and updates the keys in
 the keytab to match.  If a key\(aqs version number doesn\(aqt match the
 version number stored in the Kerberos server\(aqs database, then the
-operation will fail.  Old keys are retained in the keytab so that
-existing tickets continue to work.  If the \fB\-i\fP flag is given,
-k5srvutil will prompt for confirmation before changing each key.
-If the \fB\-k\fP option is given, the old and new keys will be
-displayed.  Ordinarily, keys will be generated with the default
-encryption types and key salts.  This can be overridden with the
-\fB\-e\fP option.
+operation will fail.  If the \fB\-i\fP flag is given, k5srvutil will
+prompt for confirmation before changing each key.  If the \fB\-k\fP
+option is given, the old and new keys will be displayed.
+Ordinarily, keys will be generated with the default encryption
+types and key salts.  This can be overridden with the \fB\-e\fP
+option.  Old keys are retained in the keytab so that existing
+tickets continue to work, but \fBdelold\fP should be used after
+such tickets expire, to prevent attacks against the old keys.
 .TP
 .B \fBdelold\fP
 Deletes keys that are not the most recent version from the keytab.
@@ -84,6 +86,6 @@ place.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .

src/man/kadm5.acl.man

@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KADM5.ACL" "5" " " "1.15" "MIT Kerberos"
+.TH "KADM5.ACL" "5" " " "1.16" "MIT Kerberos"
 .SH NAME
 kadm5.acl \- Kerberos ACL file
 .
@@ -262,6 +262,6 @@ tickets with a life of longer than 9 hours.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .

src/man/kadmin.man

@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KADMIN" "1" " " "1.15" "MIT Kerberos"
+.TH "KADMIN" "1" " " "1.16" "MIT Kerberos"
 .SH NAME
 kadmin \- Kerberos V5 database administration program
 .
@@ -284,11 +284,12 @@ Options:
 (\fIgetdate\fP string) The password expiration date.
 .TP
 .B \fB\-maxlife\fP \fImaxlife\fP
-(\fIgetdate\fP string) The maximum ticket life for the principal.
+(\fIduration\fP or \fIgetdate\fP string) The maximum ticket life
+for the principal.
 .TP
 .B \fB\-maxrenewlife\fP \fImaxrenewlife\fP
-(\fIgetdate\fP string) The maximum renewable life of tickets for
-the principal.
+(\fIduration\fP or \fIgetdate\fP string) The maximum renewable
+life of tickets for the principal.
 .TP
 .B \fB\-kvno\fP \fIkvno\fP
 The initial key version number.
@@ -704,6 +705,13 @@ accepted values.
 Enables One Time Passwords (OTP) preauthentication for a client
 \fIprincipal\fP\&.  The \fIvalue\fP is a JSON string representing an array
 of objects, each having optional \fBtype\fP and \fBusername\fP fields.
+.TP
+.B \fBpkinit_cert_match\fP
+Specifies a matching expression that defines the certificate
+attributes required for the client certificate used by the
+principal during PKINIT authentication.  The matching expression
+is in the same format as those used by the \fBpkinit_cert_match\fP
+option in \fIkrb5.conf(5)\fP\&.  (New in release 1.16.)
 .UNINDENT
 .sp
 This command requires the \fBmodify\fP privilege.
@@ -717,7 +725,7 @@ Example:
 .nf
 .ft C
 set_string host/foo.mit.edu session_enctypes aes128\-cts
-set_string user@FOO.COM otp [{"type":"hotp","username":"custom"}]
+set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
 .ft P
 .fi
 .UNINDENT
@@ -751,10 +759,12 @@ The following options are available:
 .INDENT 0.0
 .TP
 .B \fB\-maxlife\fP \fItime\fP
-(\fIgetdate\fP string) Sets the maximum lifetime of a password.
+(\fIduration\fP or \fIgetdate\fP string) Sets the maximum
+lifetime of a password.
 .TP
 .B \fB\-minlife\fP \fItime\fP
-(\fIgetdate\fP string) Sets the minimum lifetime of a password.
+(\fIduration\fP or \fIgetdate\fP string) Sets the minimum
+lifetime of a password.
 .TP
 .B \fB\-minlength\fP \fIlength\fP
 Sets the minimum length of a password.
@@ -780,21 +790,21 @@ resets to 0 after a successful attempt to authenticate.  A
 .INDENT 0.0
 .TP
 .B \fB\-failurecountinterval\fP \fIfailuretime\fP
-(\fIgetdate\fP string) Sets the allowable time between
-authentication failures.  If an authentication failure happens
-after \fIfailuretime\fP has elapsed since the previous failure,
-the number of authentication failures is reset to 1.  A
+(\fIduration\fP or \fIgetdate\fP string) Sets the allowable time
+between authentication failures.  If an authentication failure
+happens after \fIfailuretime\fP has elapsed since the previous
+failure, the number of authentication failures is reset to 1.  A
 \fIfailuretime\fP value of 0 (the default) means forever.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \fB\-lockoutduration\fP \fIlockouttime\fP
-(\fIgetdate\fP string) Sets the duration for which the principal
-is locked from authenticating if too many authentication failures
-occur without the specified failure count interval elapsing.
-A duration of 0 (the default) means the principal remains locked
-out until it is administratively unlocked with \fBmodprinc
-\-unlock\fP\&.
+(\fIduration\fP or \fIgetdate\fP string) Sets the duration for
+which the principal is locked from authenticating if too many
+authentication failures occur without the specified failure count
+interval elapsing.  A duration of 0 (the default) means the
+principal remains locked out until it is administratively unlocked
+with \fBmodprinc \-unlock\fP\&.
 .TP
 .B \fB\-allowedkeysalts\fP
 Specifies the key/salt tuples supported for long\-term keys when
@@ -1064,6 +1074,6 @@ interface to the OpenVision Kerberos administration program.
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .

src/man/kadmind.man

@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KADMIND" "8" " " "1.15" "MIT Kerberos"
+.TH "KADMIND" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 kadmind \- KADM5 administration server
 .
@@ -42,6 +42,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 [\fB\-P\fP \fIpid_file\fP]
 [\fB\-p\fP \fIkdb5_util_path\fP]
 [\fB\-K\fP \fIkprop_path\fP]
+[\fB\-k\fP \fIkprop_port\fP]
 [\fB\-F\fP \fIdump_file\fP]
 .SH DESCRIPTION
 .sp
@@ -125,6 +126,11 @@ KDB in response to full resync requests when iprop is enabled.
 specifies the path to the kprop command to use to send full dumps
 to slaves in response to full resync requests.
 .TP
+.B \fB\-k\fP \fIkprop_port\fP
+specifies the port by which the kprop process that is spawned by kadmind
+connects to the slave kpropd, in order to transfer the dump file during
+an iprop full resync request.
+.TP
 .B \fB\-F\fP \fIdump_file\fP
 specifies the file path to be used for dumping the KDB in response
 to full resync requests when iprop is enabled.
@@ -139,6 +145,6 @@ specifies database\-specific arguments.  See \fIDatabase Options\fP in \fIkadmin
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .

src/man/kdb5_ldap_util.man

@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDB5_LDAP_UTIL" "8" " " "1.15" "MIT Kerberos"
+.TH "KDB5_LDAP_UTIL" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 kdb5_ldap_util \- Kerberos configuration utility
 .
@@ -544,6 +544,6 @@ userpolicy
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .

src/man/kdb5_util.man

@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDB5_UTIL" "8" " " "1.15" "MIT Kerberos"
+.TH "KDB5_UTIL" "8" " " "1.16" "MIT Kerberos"
 .SH NAME
 kdb5_util \- Kerberos database maintenance utility
 .
@@ -184,6 +184,14 @@ This may recover principals that do not dump normally, in cases
 where database corruption has occurred.  In cases of such
 corruption, this option will probably retrieve more principals
 than the \fB\-rev\fP option will.
+.sp
+Changed in version 1.15: Release 1.15 restored the functionality of the \fB\-recurse\fP
+option.
+
+.sp
+Changed in version 1.5: The \fB\-recurse\fP option ceased working until release 1.15,
+doing a normal dump instead of a recursive traversal.
+
 .UNINDENT
 .SS load
 .INDENT 0.0
@@ -544,6 +552,6 @@ bar@EXAMPLE.COM     1       1       des\-cbc\-crc     normal  \-1
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .

src/man/kdc.conf.man

@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "KDC.CONF" "5" " " "1.15" "MIT Kerberos"
+.TH "KDC.CONF" "5" " " "1.16" "MIT Kerberos"
 .SH NAME
 kdc.conf \- Kerberos V5 KDC configuration file
 .
@@ -88,7 +88,7 @@ _
 .TE
 .SS [kdcdefaults]
 .sp
-With one exception, relations in the [kdcdefaults] section specify
+With two exceptions, relations in the [kdcdefaults] section specify
 default values for realm variables, to be used if the [realms]
 subsection does not contain a relation for the tag.  See the
 \fI\%[realms]\fP section for the definitions of these relations.
@@ -113,6 +113,11 @@ subsection does not contain a relation for the tag.  See the
 .B \fBkdc_max_dgram_reply_size\fP
 Specifies the maximum packet size that can be sent over UDP.  The
 default value is 4096 bytes.
+.TP
+.B \fBkdc_tcp_listen_backlog\fP
+(Integer.)  Set the size of the listen queue length for the KDC
+daemon.  The value may be limited by OS settings.  The default
+value is 5.
 .UNINDENT
 .SS [realms]
 .sp
@@ -254,6 +259,11 @@ per line, with no additional whitespace.  If none is specified or
 if there is no policy assigned to the principal, no dictionary
 checks of passwords will be performed.
 .TP
+.B \fBencrypted_challenge_indicator\fP
+(String.)  Specifies the authentication indicator value that the KDC
+asserts into tickets obtained using FAST encrypted challenge
+pre\-authentication.  New in 1.16.
+.TP
 .B \fBhost_based_services\fP
 (Whitespace\- or comma\-separated list.)  Lists services which will
 get host\-based referral processing even if the server principal is
@@ -964,15 +974,27 @@ DES with HMAC/sha1 (weak)
 T}
 _
 T{
-aes256\-cts\-hmac\-sha1\-96 aes256\-cts AES\-256
+aes256\-cts\-hmac\-sha1\-96 aes256\-cts aes256\-sha1
+T}	T{
+AES\-256 CTS mode with 96\-bit SHA\-1 HMAC
+T}
+_
+T{
+aes128\-cts\-hmac\-sha1\-96 aes128\-cts aes128\-sha1
 T}	T{
-CTS mode with 96\-bit SHA\-1 HMAC
+AES\-128 CTS mode with 96\-bit SHA\-1 HMAC
 T}
 _
 T{
-aes128\-cts\-hmac\-sha1\-96 aes128\-cts AES\-128
+aes256\-cts\-hmac\-sha384\-192 aes256\-sha2
 T}	T{
-CTS mode with 96\-bit SHA\-1 HMAC
+AES\-256 CTS mode with 192\-bit SHA\-384 HMAC
+T}
+_
+T{
+aes128\-cts\-hmac\-sha256\-128 aes128\-sha2
+T}	T{
+AES\-128 CTS mode with 128\-bit SHA\-256 HMAC
 T}
 _
 T{
@@ -1014,7 +1036,7 @@ _
 T{
 aes
 T}	T{
-The AES family: aes256\-cts\-hmac\-sha1\-96 and aes128\-cts\-hmac\-sha1\-96
+The AES family: aes256\-cts\-hmac\-sha1\-96, aes128\-cts\-hmac\-sha1\-96, aes256\-cts\-hmac\-sha384\-192, and aes128\-cts\-hmac\-sha256\-128
 T}
 _
 T{
@@ -1044,8 +1066,13 @@ front.
 While \fBaes128\-cts\fP and \fBaes256\-cts\fP are supported for all Kerberos
 operations, they are not supported by very old versions of our GSSAPI
 implementation (krb5\-1.3.1 and earlier).  Services running versions of
-krb5 without AES support must not be given AES keys in the KDC
-database.
+krb5 without AES support must not be given keys of these encryption
+types in the KDC database.
+.sp
+The \fBaes128\-sha2\fP and \fBaes256\-sha2\fP encryption types are new in
+release 1.15.  Services running versions of krb5 without support for
+these newer encryption types must not be given keys of these
+encryption types in the KDC database.
 .SH KEYSALT LISTS
 .sp
 Kerberos keys for users are usually derived from passwords.  Kerberos
@@ -1169,6 +1196,6 @@ Here\(aqs an example of a kdc.conf file:
 .SH AUTHOR
 MIT
 .SH COPYRIGHT
-1985-2016, MIT
+1985-2017, MIT
 .\" Generated by docutils manpage writer.
 .