1 files changed, 84 insertions, 49 deletions

diff --git a/crypto/heimdal/lib/krb5/krb5.conf.5 b/crypto/heimdal/lib/krb5/krb5.conf.5
index 9ee85aa..c9f8771 100644
--- a/crypto/heimdal/lib/krb5/krb5.conf.5
+++ b/crypto/heimdal/lib/krb5/krb5.conf.5
@@ -1,42 +1,44 @@
-.\" Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 1999 - 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5.conf.5,v 1.35 2003/04/16 13:26:13 lha Exp $
+.\" $Id: krb5.conf.5,v 1.35.2.2 2004/03/09 19:52:07 lha Exp $
 .\"
-.Dd April 11, 1999
+.Dd March  9, 2004
 .Dt KRB5.CONF 5
 .Os HEIMDAL
 .Sh NAME
-.Nm /etc/krb5.conf
+.Nm krb5.conf
 .Nd configuration file for Kerberos 5
+.Sh SYNOPSIS
+.In krb5.h
 .Sh DESCRIPTION
 The
 .Nm
@@ -88,7 +90,8 @@ values can be a list of year, month, day, hour, min, second.
 Example: 1 month 2 days 30 min.
 .It etypes
 valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5,
-des3-cbc-sha1.
+des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96, and
+aes256-cts-hmac-sha1-96 .
 .It address
 an address can be either a IPv4 or a IPv6 address.
 .El
@@ -124,6 +127,13 @@ addresses, making the tickets valid from any address.
 Default ticket lifetime.
 .It Li renew_lifetime = Va time
 Default renewable ticket lifetime.
+.It Li encrypt = Va boolean
+Use encryption, when available.
+.It Li forward = Va boolean
+Forward credentials to remote host (for
+.Xr rsh 1 ,
+.Xr telnet 1 ,
+etc).
 .El
 .It Li [libdefaults]
 .Bl -tag -width "xxx" -offset indent
@@ -147,23 +157,14 @@ manual page.
 .Bl -tag -width "xxx" -offset indent
 .It Va destination-realm Li = Va next-hop-realm
 .It ...
-.El
-Normally, all requests to realms different from the one of the current
-client are sent to this KDC to get cross-realm tickets.
-If this KDC does not have a cross-realm key with the desired realm and
-the hierarchical path to that realm does not work, a path can be
-configured using this directive.
-The text shown above instructs the KDC to try to obtain a cross-realm
-ticket to
-.Va next-hop-realm
-when the desired realm is
-.Va destination-realm .
-This configuration should preferably be done on the KDC where it will
-help all its clients but can also be done on the client itself.
 .It Li }
-.It Li default_etypes = Va etypes...
+.El
+This is deprecated, see the 
+.Li capaths
+section below.
+.It Li default_etypes = Va etypes ...
 A list of default encryption types to use.
-.It Li default_etypes_des = Va etypes...
+.It Li default_etypes_des = Va etypes ...
 A list of default encryption types to use when requesting a DES credential.
 .It Li default_keytab_name = Va keytab
 The keytab to use if no other is specified, default is
@@ -193,7 +194,7 @@ fatal error.
 The application has to be able to read the corresponding service key
 for this to work.
 Some applications, like
-.Xr su 8 ,
+.Xr su 1 ,
 enable this option unconditionally.
 .It Li warn_pwexpire = Va time
 How soon to warn for expiring password.
@@ -202,7 +203,7 @@ Default is seven days.
 A HTTP-proxy to use when talking to the KDC via HTTP.
 .It Li dns_proxy = Va proxy-spec
 Enable using DNS via HTTP.
-.It Li extra_addresses = Va address...
+.It Li extra_addresses = Va address ...
 A list of addresses to get tickets for along with all local addresses.
 .It Li time_format = Va string
 How to print time strings in logs, this string is passed to
@@ -223,6 +224,13 @@ Also get Kerberos 4 tickets in
 .Nm login ,
 and other programs.
 This option is also valid in the [realms] section.
+.It Li fcc-mit-ticketflags = Va boolean
+Use MIT compatible format for file credential cache.
+It's the field ticketflags that is stored in reverse bit order for
+older than Heimdal 0.7.
+Setting this flag to
+.Dv TRUE
+make it store the MIT way, this is default for Heimdal 0.7.
 .El
 .It Li [domain_realm]
 This is a list of mappings from DNS domain to Kerberos realm.
@@ -259,13 +267,13 @@ specifies over what medium the kdc should be
 contacted.
 Possible services are
 .Dq udp ,
-.Dq tcp , 
+.Dq tcp ,
 and
 .Dq http .
 Http can also be written as
 .Dq http:// .
 Default service is
-.Dq udp 
+.Dq udp
 and
 .Dq tcp .
 .It Li admin_server = Va host[:port]
@@ -283,9 +291,31 @@ If it is not mentioned, the krb524 port on the kdcs will be tried.
 .It Li default_domain
 See
 .Xr krb5_425_conv_principal 3 .
+.It Li tgs_require_subkey
+a boolan variable that defaults to false.
+Old DCE secd (pre 1.1) might need this to be true.
 .El
 .It Li }
 .El
+.It Li [capaths]
+.Bl -tag -width "xxx" -offset indent
+.It Va client-realm Li = {
+.Bl -tag -width "xxx" -offset indent
+.It Va server-realm Li = Va hop-realm ...
+This serves two purposes. First the first listed
+.Va hop-realm
+tells a client which realm it should contact in order to ultimately
+obtain credentials for a service in the
+.Va server-realm .
+Secondly, it tells the KDC (and other servers) which realms are
+allowed in a multi-hop traversal from
+.Va client-realm 
+to
+.Va server-realm .
+Except for the client case, the order of the realms are not important.
+.El
+.It Va }
+.El
 .It Li [logging]
 .Bl -tag -width "xxx" -offset indent
 .It Va entity Li = Va destination
@@ -397,7 +427,12 @@ and is only left for backwards compatibility.
 .Sh ENVIRONMENT
 .Ev KRB5_CONFIG
 points to the configuration file to read.
-.Sh EXAMPLE
+.Sh FILES
+.Bl -tag -width "/etc/krb5.conf"
+.It Pa /etc/krb5.conf
+configuration file for Kerberos 5.
+.El
+.Sh EXAMPLES
 .Bd -literal -offset indent
 [libdefaults]
 	default_realm = FOO.SE