[28609] in CVS-changelog-for-Kerberos-V5

krb5 commit [krb5-1.13]: Update manpages

daemon@ATHENA.MIT.EDU (Tom Yu)
Fri Sep 26 08:44:40 2014

Date: Fri, 26 Sep 2014 08:44:35 -0400
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201409261244.s8QCiZCQ015511@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/c832e5dffca879f3a0c0b0f29413092a6977f338
commit c832e5dffca879f3a0c0b0f29413092a6977f338
Author: Tom Yu <tlyu@mit.edu>
Date:   Wed Sep 24 14:43:56 2014 -0400

    Update manpages

 src/man/kdc.conf.man  |   12 +++++-------
 src/man/kinit.man     |    5 +++++
 src/man/krb5.conf.man |    6 ++++++
 3 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 3f83afc..7fbe7d5 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -310,13 +310,11 @@ historically used by Kerberos V4.
 .B \fBkdc_tcp_ports\fP
 (Whitespace\- or comma\-separated list.)  Lists the ports on which
 the Kerberos server should listen for TCP connections, as a
-comma\-separated list of integers.  If this relation is not
-specified, the compiled\-in default is not to listen for TCP
-connections at all.
-.sp
-If you wish to change this (note that the current implementation
-has little protection against denial\-of\-service attacks), the
-standard port number assigned for Kerberos TCP traffic is port 88.
+comma\-separated list of integers.  To disable listening on TCP,
+set this relation to the empty string with \fBkdc_tcp_ports = ""\fP\&.
+If this relation is not specified, the default is to listen on TCP
+port 88 (the standard port).  Prior to release 1.13, the default
+was not to listen for TCP connections at all.
 .TP
 .B \fBmaster_key_name\fP
 (String.)  Specifies the name of the principal associated with the
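Review bot: In the kdc_tcp_ports entry, the rewrite drops the sentence that the implementation "has little protection against denial-of-service attacks" at the same point where the default changes from no TCP listener to listening on port 88. If that caveat still holds, keep it next to the new default. Either way, say explicitly that a KDC upgraded to 1.13 with no kdc_tcp_ports relation will start accepting TCP connections on port 88, so operators know to review firewall rules or set kdc_tcp_ports = "". The entry also still reads "as a comma-separated list of integers" right after the "(Whitespace- or comma-separated list.)" type line; align the two.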
diff --git a/src/man/kinit.man b/src/man/kinit.man
index 560460c..ae1a448 100644
--- a/src/man/kinit.man
+++ b/src/man/kinit.man
@@ -123,6 +123,11 @@ with the validated ticket.
 requests renewal of the ticket\-granting ticket.  Note that an
 expired ticket cannot be renewed, even if the ticket is still
 within its renewable life.
+.sp
+Note that renewable tickets that have expired as reported by
+\fIklist(1)\fP may sometimes be renewed using this option,
+because the KDC applies a grace period to account for client\-KDC
+clock skew.  See \fIkrb5.conf(5)\fP \fBclockskew\fP setting.
 .TP
 .B \fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP]
 requests a ticket, obtained from a key in the local host\(aqs keytab.
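Review bot: The added paragraph in the renewal option text sits directly after "an expired ticket cannot be renewed, even if the ticket is still within its renewable life", and the two statements now read as contradicting each other. Qualify the earlier sentence (for example, "expired by more than the permitted clock skew") or fold both into one statement. Since the text says the grace period is applied by the KDC, the cross-reference should make clear whether the clockskew value that matters is the one in effect on the KDC rather than on the client running kinit. "See krb5.conf(5) clockskew setting" would also read better as "See the clockskew setting in krb5.conf(5)".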
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
index 6647ae5..f6a87d4 100644
--- a/src/man/krb5.conf.man
+++ b/src/man/krb5.conf.man
@@ -216,6 +216,12 @@ Kerberos which interact with credential caches on the same host.
 Sets the maximum allowable amount of clockskew in seconds that the
 library will tolerate before assuming that a Kerberos message is
 invalid.  The default value is 300 seconds, or five minutes.
+.sp
+The clockskew setting is also used when evaluating ticket start
+and expiration times.  For example, tickets that have reached
+their expiration time can still be used (and renewed if they are
+renewable tickets) if they have been expired for a shorter
+duration than the \fBclockskew\fP setting.
 .TP
 .B \fBdefault_ccache_name\fP
 This relation specifies the name of the default credential cache.
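Review bot: The new clockskew paragraph says expired tickets "can still be used" but does not spell out what that means when choosing the value: per this text, the setting extends the usable window of every ticket by up to that many seconds past its expiration time. State that consequence directly, so an administrator who raises clockskew to work around unsynchronized clocks sees the trade-off. The paragraph also mentions ticket start times, but the example covers only expiration; add the matching start-time case or drop the mention.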