[27793] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.11]: Document preauth flags for service principals
daemon@ATHENA.MIT.EDU (Tom Yu)
Fri May 31 15:28:23 2013
Date: Fri, 31 May 2013 15:28:17 -0400
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201305311928.r4VJSHGL001604@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/a1faf888a98ea215c6a8589769f43ed024c6597f
commit a1faf888a98ea215c6a8589769f43ed024c6597f
Author: Ben Kaduk <kaduk@mit.edu>
Date: Thu May 30 18:49:36 2013 -0400
Document preauth flags for service principals
These flags are overloaded to mean different things for clients and
servers; previously we only documented the client behavior.
(cherry picked from commit 7425e9b69566c241c54eb2686fb37f216122423f)
ticket: 7653
version_fixed: 1.11.3
status: resolved
doc/admin/admin_commands/kadmin_local.rst | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
index 6fee616..bbfb023 100644
--- a/doc/admin/admin_commands/kadmin_local.rst
+++ b/doc/admin/admin_commands/kadmin_local.rst
@@ -237,12 +237,18 @@ Options:
{-\|+}\ **requires_preauth**
**+requires_preauth** requires this principal to preauthenticate
before being allowed to kinit. **-requires_preauth** clears this
- flag.
+ flag. When **+requires_preauth** is set on a service principal,
+ the KDC will only issue service tickets for that service principal
+ if the client's initial authentication was performed using
+ preauthentication.
{-\|+}\ **requires_hwauth**
**+requires_hwauth** requires this principal to preauthenticate
using a hardware device before being allowed to kinit.
- **-requires_hwauth** clears this flag.
+ **-requires_hwauth** clears this flag. When **+requires_hwauth** is
+ set on a service principal, the KDC will only issue service tickets
+ for that service principal if the client's initial authentication was
+ performed using a hardware device to preauthenticate.
{-\|+}\ **ok_as_delegate**
**+ok_as_delegate** sets the **okay as delegate** flag on tickets
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5