path: root/crypto/heimdal/kadmin/kadmin.8
Diffstat (limited to 'crypto/heimdal/kadmin/kadmin.8')
-rw-r--r--  crypto/heimdal/kadmin/kadmin.8  252
1 files changed, 190 insertions, 62 deletions
diff --git a/crypto/heimdal/kadmin/kadmin.8 b/crypto/heimdal/kadmin/kadmin.8
index cf7ebe8..06fe3d0 100644
--- a/crypto/heimdal/kadmin/kadmin.8
+++ b/crypto/heimdal/kadmin/kadmin.8
@@ -1,37 +1,37 @@
-.\" Copyright (c) 2000 - 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $Id: kadmin.8,v 1.10 2003/03/31 10:42:32 lha Exp $
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
.\"
-.Dd September 10, 2000
+.\" $Id: kadmin.8 21739 2007-07-31 15:55:32Z lha $
+.\"
+.Dd Feb 22, 2007
.Dt KADMIN 8
.Os HEIMDAL
.Sh NAME
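Review bot: almost all of this hunk is re-indentation of the license comment (the removed and added `.\"` lines carry identical text), which buries the two substantive changes, the copyright year 2000 - 2003 -> 2000 - 2007 and the new `.Dd` line; keep the original spacing or split the reindent into its own commit. Also, `.Dd Feb 22, 2007` abbreviates the month, whereas the mdoc convention (and the removed `.Dd September 10, 2000`) spells it out: use `.Dd February 22, 2007`.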
@@ -39,6 +39,7 @@
.Nd Kerberos administration utility
.Sh SYNOPSIS
.Nm
+.Bk -words
.Oo Fl p Ar string \*(Ba Xo
.Fl -principal= Ns Ar string
.Xc
@@ -71,6 +72,7 @@
.Op Fl h | Fl -help
.Op Fl v | Fl -version
.Op Ar command
+.Ek
.Sh DESCRIPTION
The
.Nm
@@ -128,7 +130,18 @@ If no
.Ar command
is given on the command line,
.Nm
-will prompt for commands to process. Commands include:
+will prompt for commands to process. Some of the commands that take
+one or more principals as argument
+.Ns ( Nm delete ,
+.Nm ext_keytab ,
+.Nm get ,
+.Nm modify ,
+and
+.Nm passwd )
+will accept a glob style wildcard, and perform the operation on all
+matching principals.
+.Pp
+Commands include:
.\" not using a list here, since groff apparently gets confused
.\" with nested Xo/Xc
.Bd -ragged -offset indent
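Review bot: the new paragraph lists `delete`, `modify` and `passwd` among the commands that expand a glob over all matching principals, but says nothing about how a mistake is caught; since a pattern like `*` matches every principal, the text should state whether the operation prompts before acting on more than one match and, if it does not, advise running `get` with the same pattern first to preview the set that `delete` or `passwd -r` would act on.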
@@ -148,36 +161,33 @@ will prompt for commands to process. Commands include:
.Ar principal...
.Pp
.Bd -ragged -offset indent
-creates a new principal
+Adds a new principal to the database. The options not passed on the
+command line will be promped for.
.Ed
.Pp
-.Nm passwd
+.Nm add_enctype
.Op Fl r | Fl -random-key
-.Op Fl -random-password
-.Oo Fl p Ar string \*(Ba Xo
-.Fl -password= Ns Ar string
-.Xc
-.Oc
-.Op Fl -key= Ns Ar string
-.Ar principal...
+.Ar principal enctypes...
.Pp
.Bd -ragged -offset indent
-changes the password of an existing principal
+Adds a new encryption type to the principal, only random key are
+supported.
.Ed
.Pp
.Nm delete
.Ar principal...
.Pp
.Bd -ragged -offset indent
-removes a principal
+Removes a principal.
.Ed
.Pp
.Nm del_enctype
.Ar principal enctypes...
.Pp
.Bd -ragged -offset indent
-removes some enctypes from a principal. This can be useful the service
-belonging to the principal is known to not handle certain enctypes
+Removes some enctypes from a principal; this can be useful if the
+service belonging to the principal is known to not handle certain
+enctypes.
.Ed
.Pp
.Nm ext_keytab
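Review bot: typo in the `add` description: "will be promped for" should be "will be prompted for". In the `add_enctype` entry the text "only random key are supported" should read "only random keys are supported", and since random keys are the only supported mode, the synopsis showing `.Op Fl r | Fl -random-key` as optional is confusing: either make the flag non-optional in the synopsis or say what happens when it is omitted.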
@@ -188,26 +198,49 @@ belonging to the principal is known to not handle certain enctypes
.Ar principal...
.Pp
.Bd -ragged -offset indent
-creates a keytab with the keys of the specified principals
+Creates a keytab with the keys of the specified principals.
.Ed
.Pp
.Nm get
.Op Fl l | Fl -long
.Op Fl s | Fl -short
.Op Fl t | Fl -terse
-.Ar expression...
+.Op Fl o Ar string | Fl -column-info= Ns Ar string
+.Ar principal...
.Pp
.Bd -ragged -offset indent
-lists the principals that match the expressions (which are shell glob
-like), long format gives more information, and terse just prints the
-names
-.Ed
+Lists the matching principals, short prints the result as a table,
+while long format produces a more verbose output. Which columns to
+print can be selected with the
+.Fl o
+option. The argument is a comma separated list of column names
+optionally appended with an equal sign
+.Pq Sq =
+and a column header. Which columns are printed by default differ
+slightly between short and long output.
.Pp
-.Nm rename
-.Ar from to
+The default terse output format is similar to
+.Fl s o Ar principal= ,
+just printing the names of matched principals.
.Pp
-.Bd -ragged -offset indent
-renames a principal
+Possible column names include:
+.Li principal ,
+.Li princ_expire_time ,
+.Li pw_expiration ,
+.Li last_pwd_change ,
+.Li max_life ,
+.Li max_rlife ,
+.Li mod_time ,
+.Li mod_name ,
+.Li attributes ,
+.Li kvno ,
+.Li mkvno ,
+.Li last_success ,
+.Li last_failed ,
+.Li fail_auth_count ,
+.Li policy ,
+and
+.Li keytypes .
.Ed
.Pp
.Nm modify
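Review bot: grammar in the `get` description: "Which columns are printed by default differ slightly between short and long output" should be "differs". Minor: the trailing `.Ed` here closes the `.Bd -ragged` opened above the column list, and the `rename` entry removed in this hunk reappears in a later hunk, so nothing is lost, but it would be worth a sentence saying which columns each of `-s` and `-l` prints by default, since the text only says they "differ slightly".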
@@ -220,16 +253,91 @@ renames a principal
.Op Fl -expiration-time= Ns Ar time
.Op Fl -pw-expiration-time= Ns Ar time
.Op Fl -kvno= Ns Ar number
+.Ar principal...
+.Pp
+.Bd -ragged -offset indent
+Modifies certain attributes of a principal. If run without command
+line options, you will be prompted. With command line options, it will
+only change the ones specified.
+.Pp
+Possible attributes are:
+.Li new-princ ,
+.Li support-desmd5 ,
+.Li pwchange-service ,
+.Li disallow-svr ,
+.Li requires-pw-change ,
+.Li requires-hw-auth ,
+.Li requires-pre-auth ,
+.Li disallow-all-tix ,
+.Li disallow-dup-skey ,
+.Li disallow-proxiable ,
+.Li disallow-renewable ,
+.Li disallow-tgt-based ,
+.Li disallow-forwardable ,
+.Li disallow-postdated
+.Pp
+Attributes may be negated with a "-", e.g.,
+.Pp
+kadmin -l modify -a -disallow-proxiable user
+.Ed
+.Pp
+.Nm passwd
+.Op Fl r | Fl -random-key
+.Op Fl -random-password
+.Oo Fl p Ar string \*(Ba Xo
+.Fl -password= Ns Ar string
+.Xc
+.Oc
+.Op Fl -key= Ns Ar string
+.Ar principal...
+.Pp
+.Bd -ragged -offset indent
+Changes the password of an existing principal.
+.Ed
+.Pp
+.Nm password-quality
.Ar principal
+.Ar password
.Pp
.Bd -ragged -offset indent
-modifies certain attributes of a principal
+Run the password quality check function locally.
+You can run this on the host that is configured to run the kadmind
+process to verify that your configuration file is correct.
+The verification is done locally, if kadmin is run in remote mode,
+no rpc call is done to the server.
.Ed
.Pp
.Nm privileges
.Pp
.Bd -ragged -offset indent
-lists the operations you are allowed to perform
+Lists the operations you are allowed to perform. These include
+.Li add ,
+.Li add_enctype ,
+.Li change-password ,
+.Li delete ,
+.Li del_enctype ,
+.Li get ,
+.Li list ,
+and
+.Li modify .
+.Ed
+.Pp
+.Nm rename
+.Ar from to
+.Pp
+.Bd -ragged -offset indent
+Renames a principal. This is normally transparent, but since keys are
+salted with the principal name, they will have a non-standard salt,
+and clients which are unable to cope with this will fail. Kerberos 4
+suffers from this.
+.Ed
+.Pp
+.Nm check
+.Op Ar realm
+.Pp
+.Bd -ragged -offset indent
+Check database for strange configurations on important principals. If
+no realm is given, the default realm is used.
.Ed
.Pp
.Ed
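Review bot: the `passwd` entry documents `-p string | --password=string` and `--key=string` without any caveat that a secret given on the command line is visible in process listings and shell history; add a sentence recommending the interactive prompt or `--random-key` instead. Smaller points in the same hunk: the `password-quality` text "The verification is done locally, if kadmin is run in remote mode, no rpc call is done to the server" is a comma splice, use "The verification is done locally; if kadmin is run in remote mode, no RPC call is made to the server"; the attribute list ends at `disallow-postdated` with no terminating punctuation, unlike the `keytypes .` list in the `get` entry; and the example `kadmin -l modify -a -disallow-proxiable user` is filled text inside `.Bd -ragged`, so it will be reflowed with the paragraph, better as `.Dl kadmin -l modify -a -disallow-proxiable user`.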
@@ -241,9 +349,12 @@ When running in local mode, the following commands can also be used:
.Op Ar dump-file
.Pp
.Bd -ragged -offset indent
-writes the database in
+Writes the database in
.Dq human readable
-form to the specified file, or standard out
+form to the specified file, or standard out. If the database is
+encrypted, the dump will also have encrypted keys, unless
+.Fl -decrypt
+is used.
.Ed
.Pp
.Nm init
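Review bot: the `dump` description now refers to `.Fl -decrypt`, but the synopsis lines for `dump` are not part of this hunk (only `.Op Ar dump-file` is visible as context), so check that `.Op Fl -decrypt` was added to the synopsis above. The sentence should also warn that a dump made with `--decrypt` contains every principal's keys in clear and must be protected at least as carefully as the database and master key file.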
@@ -252,24 +363,41 @@ form to the specified file, or standard out
.Ar realm
.Pp
.Bd -ragged -offset indent
-initializes the Kerberos database with entries for a new realm. It's
-possible to have more than one realm served by one server
+Initializes the Kerberos database with entries for a new realm. It's
+possible to have more than one realm served by one server.
.Ed
.Pp
.Nm load
.Ar file
.Pp
.Bd -ragged -offset indent
-reads a previously dumped database, and re-creates that database from scratch
+Reads a previously dumped database, and re-creates that database from
+scratch.
.Ed
.Pp
.Nm merge
.Ar file
.Pp
.Bd -ragged -offset indent
-similar to
-.Nm list
-but just modifies the database with the entries in the dump file
+Similar to
+.Nm load
+but just modifies the database with the entries in the dump file.
+.Ed
+.Pp
+.Nm stash
+.Oo Fl e Ar enctype \*(Ba Xo
+.Fl -enctype= Ns Ar enctype
+.Xc
+.Oc
+.Oo Fl k Ar keyfile \*(Ba Xo
+.Fl -key-file= Ns Ar keyfile
+.Xc
+.Oc
+.Op Fl -convert-file
+.Op Fl -master-key-fd= Ns Ar fd
+.Pp
+.Bd -ragged -offset indent
+Writes the Kerberos master key to a file used by the KDC.
.Ed
.Pp
.Ed
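Review bot: the `stash` synopsis lists `--convert-file` and `--master-key-fd=fd`, but the one-line description "Writes the Kerberos master key to a file used by the KDC" explains neither, and `-e enctype` has no stated default; document what `--convert-file` converts, what is read from the descriptor given to `--master-key-fd`, and which enctype is used when `-e` is omitted. Since the stashed file holds the master key in clear, the description should also state how the file is expected to be protected. The `merge` fix from `.Nm list` to `.Nm load` in the same hunk is correct, as `list` is not a command on this page.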