Update man pages

src/man/k5srvutil.man

@@ -38,28 +38,30 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 [\fB\-e\fP \fIkeysalts\fP]
 .SH DESCRIPTION
 .sp
-k5srvutil allows an administrator to list or change keys currently in
-a keytab or to add new keys to the keytab.
+k5srvutil allows an administrator to list keys currently in
+a keytab, to obtain new keys for a principal currently in a keytab,
+or to delete non\-current keys from a keytab.
 .sp
 \fIoperation\fP must be one of the following:
 .INDENT 0.0
 .TP
 .B \fBlist\fP
-Lists the keys in a keytab showing version number and principal
+Lists the keys in a keytab, showing version number and principal
 name.
 .TP
 .B \fBchange\fP
 Uses the kadmin protocol to update the keys in the Kerberos
 database to new randomly\-generated keys, and updates the keys in
 the keytab to match.  If a key\(aqs version number doesn\(aqt match the
 version number stored in the Kerberos server\(aqs database, then the
-operation will fail.  Old keys are retained in the keytab so that
-existing tickets continue to work.  If the \fB\-i\fP flag is given,
-k5srvutil will prompt for confirmation before changing each key.
-If the \fB\-k\fP option is given, the old and new keys will be
-displayed.  Ordinarily, keys will be generated with the default
-encryption types and key salts.  This can be overridden with the
-\fB\-e\fP option.
+operation will fail.  If the \fB\-i\fP flag is given, k5srvutil will
+prompt for confirmation before changing each key.  If the \fB\-k\fP
+option is given, the old and new keys will be displayed.
+Ordinarily, keys will be generated with the default encryption
+types and key salts.  This can be overridden with the \fB\-e\fP
+option.  Old keys are retained in the keytab so that existing
+tickets continue to work, but \fBdelold\fP should be used after
+such tickets expire, to prevent attacks against the old keys.
 .TP
 .B \fBdelold\fP
 Deletes keys that are not the most recent version from the keytab.

src/man/kadmin.man

@@ -284,11 +284,12 @@ Options:
 (\fIgetdate\fP string) The password expiration date.
 .TP
 .B \fB\-maxlife\fP \fImaxlife\fP
-(\fIgetdate\fP string) The maximum ticket life for the principal.
+(\fIduration\fP or \fIgetdate\fP string) The maximum ticket life
+for the principal.
 .TP
 .B \fB\-maxrenewlife\fP \fImaxrenewlife\fP
-(\fIgetdate\fP string) The maximum renewable life of tickets for
-the principal.
+(\fIduration\fP or \fIgetdate\fP string) The maximum renewable
+life of tickets for the principal.
 .TP
 .B \fB\-kvno\fP \fIkvno\fP
 The initial key version number.
@@ -717,7 +718,7 @@ Example:
 .nf
 .ft C
 set_string host/foo.mit.edu session_enctypes aes128\-cts
-set_string user@FOO.COM otp [{"type":"hotp","username":"custom"}]
+set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
 .ft P
 .fi
 .UNINDENT
@@ -751,10 +752,12 @@ The following options are available:
 .INDENT 0.0
 .TP
 .B \fB\-maxlife\fP \fItime\fP
-(\fIgetdate\fP string) Sets the maximum lifetime of a password.
+(\fIduration\fP or \fIgetdate\fP string) Sets the maximum
+lifetime of a password.
 .TP
 .B \fB\-minlife\fP \fItime\fP
-(\fIgetdate\fP string) Sets the minimum lifetime of a password.
+(\fIduration\fP or \fIgetdate\fP string) Sets the minimum
+lifetime of a password.
 .TP
 .B \fB\-minlength\fP \fIlength\fP
 Sets the minimum length of a password.
@@ -780,21 +783,21 @@ resets to 0 after a successful attempt to authenticate.  A
 .INDENT 0.0
 .TP
 .B \fB\-failurecountinterval\fP \fIfailuretime\fP
-(\fIgetdate\fP string) Sets the allowable time between
-authentication failures.  If an authentication failure happens
-after \fIfailuretime\fP has elapsed since the previous failure,
-the number of authentication failures is reset to 1.  A
+(\fIduration\fP or \fIgetdate\fP string) Sets the allowable time
+between authentication failures.  If an authentication failure
+happens after \fIfailuretime\fP has elapsed since the previous
+failure, the number of authentication failures is reset to 1.  A
 \fIfailuretime\fP value of 0 (the default) means forever.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \fB\-lockoutduration\fP \fIlockouttime\fP
-(\fIgetdate\fP string) Sets the duration for which the principal
-is locked from authenticating if too many authentication failures
-occur without the specified failure count interval elapsing.
-A duration of 0 (the default) means the principal remains locked
-out until it is administratively unlocked with \fBmodprinc
-\-unlock\fP\&.
+(\fIduration\fP or \fIgetdate\fP string) Sets the duration for
+which the principal is locked from authenticating if too many
+authentication failures occur without the specified failure count
+interval elapsing.  A duration of 0 (the default) means the
+principal remains locked out until it is administratively unlocked
+with \fBmodprinc \-unlock\fP\&.
 .TP
 .B \fB\-allowedkeysalts\fP
 Specifies the key/salt tuples supported for long\-term keys when

src/man/kadmind.man

@@ -42,6 +42,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 [\fB\-P\fP \fIpid_file\fP]
 [\fB\-p\fP \fIkdb5_util_path\fP]
 [\fB\-K\fP \fIkprop_path\fP]
+[\fB\-k\fP \fIkprop_port\fP]
 [\fB\-F\fP \fIdump_file\fP]
 .SH DESCRIPTION
 .sp
@@ -125,6 +126,11 @@ KDB in response to full resync requests when iprop is enabled.
 specifies the path to the kprop command to use to send full dumps
 to slaves in response to full resync requests.
 .TP
+.B \fB\-k\fP \fIkprop_port\fP
+specifies the port by which the kprop process that is spawned by kadmind
+connects to the slave kpropd, in order to transfer the dump file during
+an iprop full resync request.
+.TP
 .B \fB\-F\fP \fIdump_file\fP
 specifies the file path to be used for dumping the KDB in response
 to full resync requests when iprop is enabled.

src/man/kdb5_util.man

@@ -184,6 +184,14 @@ This may recover principals that do not dump normally, in cases
 where database corruption has occurred.  In cases of such
 corruption, this option will probably retrieve more principals
 than the \fB\-rev\fP option will.
+.sp
+Changed in version 1.15: Release 1.15 restored the functionality of the \fB\-recurse\fP
+option.
+
+.sp
+Changed in version 1.5: The \fB\-recurse\fP option ceased working until release 1.15,
+doing a normal dump instead of a recursive traversal.
+
 .UNINDENT
 .SS load
 .INDENT 0.0

src/man/kdc.conf.man

@@ -88,7 +88,7 @@ _
 .TE
 .SS [kdcdefaults]
 .sp
-With one exception, relations in the [kdcdefaults] section specify
+With two exceptions, relations in the [kdcdefaults] section specify
 default values for realm variables, to be used if the [realms]
 subsection does not contain a relation for the tag.  See the
 \fI\%[realms]\fP section for the definitions of these relations.
@@ -113,6 +113,11 @@ subsection does not contain a relation for the tag.  See the
 .B \fBkdc_max_dgram_reply_size\fP
 Specifies the maximum packet size that can be sent over UDP.  The
 default value is 4096 bytes.
+.TP
+.B \fBkdc_tcp_listen_backlog\fP
+(Integer.)  Set the size of the listen queue length for the KDC
+daemon.  The value may be limited by OS settings.  The default
+value is 5.
 .UNINDENT
 .SS [realms]
 .sp
@@ -964,15 +969,27 @@ DES with HMAC/sha1 (weak)
 T}
 _
 T{
-aes256\-cts\-hmac\-sha1\-96 aes256\-cts AES\-256
+aes256\-cts\-hmac\-sha1\-96 aes256\-cts aes256\-sha1
+T}	T{
+AES\-256 CTS mode with 96\-bit SHA\-1 HMAC
+T}
+_
+T{
+aes128\-cts\-hmac\-sha1\-96 aes128\-cts aes128\-sha1
 T}	T{
-CTS mode with 96\-bit SHA\-1 HMAC
+AES\-128 CTS mode with 96\-bit SHA\-1 HMAC
 T}
 _
 T{
-aes128\-cts\-hmac\-sha1\-96 aes128\-cts AES\-128
+aes256\-cts\-hmac\-sha384\-192 aes256\-sha2
 T}	T{
-CTS mode with 96\-bit SHA\-1 HMAC
+AES\-256 CTS mode with 192\-bit SHA\-384 HMAC
+T}
+_
+T{
+aes128\-cts\-hmac\-sha256\-128 aes128\-sha2
+T}	T{
+AES\-128 CTS mode with 128\-bit SHA\-256 HMAC
 T}
 _
 T{
@@ -1044,8 +1061,13 @@ front.
 While \fBaes128\-cts\fP and \fBaes256\-cts\fP are supported for all Kerberos
 operations, they are not supported by very old versions of our GSSAPI
 implementation (krb5\-1.3.1 and earlier).  Services running versions of
-krb5 without AES support must not be given AES keys in the KDC
-database.
+krb5 without AES support must not be given keys of these encryption
+types in the KDC database.
+.sp
+The \fBaes128\-sha2\fP and \fBaes256\-sha2\fP encryption types are new in
+release 1.15.  Services running versions of krb5 without support for
+these newer encryption types must not be given keys of these
+encryption types in the KDC database.
 .SH KEYSALT LISTS
 .sp
 Kerberos keys for users are usually derived from passwords.  Kerberos

src/man/kinit.man

@@ -56,7 +56,10 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .SH DESCRIPTION
 .sp
 kinit obtains and caches an initial ticket\-granting ticket for
-\fIprincipal\fP\&.
+\fIprincipal\fP\&.  If \fIprincipal\fP is absent, kinit chooses an appropriate
+principal name based on existing credential cache contents or the
+local username of the user invoking kinit.  Some options modify the
+choice of principal name.
 .SH OPTIONS
 .INDENT 0.0
 .TP

src/man/krb5.conf.man

@@ -111,10 +111,10 @@ includedir DIRNAME
 \fIFILENAME\fP or \fIDIRNAME\fP should be an absolute path. The named file or
 directory must exist and be readable.  Including a directory includes
 all files within the directory whose names consist solely of
-alphanumeric characters, dashes, or underscores, or any filename
-ending in ".conf".  Included profile files are syntactically
-independent of their parents, so each included file must begin with a
-section header.
+alphanumeric characters, dashes, or underscores.  Starting in release
+1.15, files with names ending in ".conf" are also included.  Included
+profile files are syntactically independent of their parents, so each
+included file must begin with a section header.
 .sp
 The krb5.conf file can specify that configuration should be obtained
 from a loadable module, rather than the file itself, using the
@@ -303,6 +303,13 @@ it (besides the initial ticket request, which has no encrypted
 data), and anything the fake KDC sends will not be trusted without
 verification using some secret that it won\(aqt know.
 .TP
+.B \fBdns_uri_lookup\fP
+Indicate whether DNS URI records should be used to locate the KDCs
+and other servers for a realm, if they are not listed in the
+krb5.conf information for the realm.  SRV records are used as a
+fallback if no URI records were found.  The default value is true.
+New in release 1.15.
+.TP
 .B \fBerr_fmt\fP
 This relation allows for custom error message formatting.  If a
 value is set, error messages will be formatted by substituting a