Re: Password expiration (+ Doc patch)
"Henry B. Hotz" <hotz@jpl.nasa.gov> writes:
> Password expires: never
...but it only does if it already had an expiration date; try setting
one first.
> Shouldn't that be ".It Li" instead of just ".It" to make [kadmin] look
> like [appdefaults]? You can shoot me for stylistic nit-picking now.
Better?
/Johan
--- krb5.conf.5 2004/03/09 19:48:53 1.44
+++ krb5.conf.5 2004/03/18 07:20:43
@@ -148,8 +148,8 @@
Default is 300 seconds (five minutes).
.It Li kdc_timeout = Va time
Maximum time to wait for a reply from the kdc, default is 3 seconds.
-.It v4_name_convert
-.It v4_instance_resolve
+.It Li v4_name_convert
+.It Li v4_instance_resolve
These are described in the
.Xr krb5_425_conv_principal 3
manual page.
@@ -330,71 +330,74 @@
.El
.It Li [kdc]
.Bl -tag -width "xxx" -offset indent
-.It database Li = {
+.It Li database Li = {
.Bl -tag -width "xxx" -offset indent
-.It dbname Li = Va DATABASENAME
+.It Li dbname Li = Va DATABASENAME
Use this database for this realm.
-.It realm Li = Va REALM
+.It Li realm Li = Va REALM
Specifies the realm that will be stored in this database.
-.It mkey_file Li = Pa FILENAME
+.It Li mkey_file Li = Pa FILENAME
Use this keytab file for the master key of this database.
If not specified
.Va DATABASENAME Ns .mkey
will be used.
-.It acl_file Li = PA FILENAME
+.It Li acl_file Li = PA FILENAME
Use this file for the ACL list of this database.
-.It log_file Li = Pa FILENAME
+.It Li log_file Li = Pa FILENAME
Use this file as the log of changes performed to the database.
This file is used by
.Nm ipropd-master
for propagating changes to slaves.
.El
.It Li }
-.It max-request = Va SIZE
+.It Li max-request = Va SIZE
Maximum size of a kdc request.
-.It require-preauth = Va BOOL
+.It Li require-preauth = Va BOOL
If set pre-authentication is required.
Since krb4 requests are not pre-authenticated they will be rejected.
-.It ports = Va "list of ports"
+.It Li ports = Va "list of ports"
List of ports the kdc should listen to.
-.It addresses = Va "list of interfaces"
+.It Li addresses = Va "list of interfaces"
List of addresses the kdc should bind to.
-.It enable-kerberos4 = Va BOOL
+.It Li enable-kerberos4 = Va BOOL
Turn on Kerberos 4 support.
-.It v4-realm = Va REALM
+.It Li v4-realm = Va REALM
To what realm v4 requests should be mapped.
-.It enable-524 = Va BOOL
+.It Li enable-524 = Va BOOL
Should the Kerberos 524 converting facility be turned on.
Default is same as
.Va enable-kerberos4 .
-.It enable-http = Va BOOL
+.It Li enable-http = Va BOOL
Should the kdc answer kdc-requests over http.
-.It enable-kaserver = Va BOOL
+.It Li enable-kaserver = Va BOOL
If this kdc should emulate the AFS kaserver.
-.It check-ticket-addresses = Va BOOL
+.It Li check-ticket-addresses = Va BOOL
verify the addresses in the tickets used in tgs requests.
.\" XXX
-.It allow-null-ticket-addresses = Va BOOL
+.It Li allow-null-ticket-addresses = Va BOOL
Allow addresses-less tickets.
.\" XXX
-.It allow-anonymous = Va BOOL
+.It Li allow-anonymous = Va BOOL
If the kdc is allowed to hand out anonymous tickets.
-.It encode_as_rep_as_tgs_rep = Va BOOL
+.It Li encode_as_rep_as_tgs_rep = Va BOOL
Encode as-rep as tgs-rep tobe compatible with mistakes older DCE secd did.
.\" XXX
-.It kdc_warn_pwexpire = Va TIME
+.It Li kdc_warn_pwexpire = Va TIME
The time before expiration that the user should be warned that her
password is about to expire.
-.It logging = Va Logging
+.It Li logging = Va Logging
What type of logging the kdc should use, see also [logging]/kdc.
-.It use_2b = Va principal list
+.It Li use_2b = Va principal list
List of principals to use AFS 2b tokens for.
.El
.It Li [kadmin]
.Bl -tag -width "xxx" -offset indent
-.It require-preauth = Va BOOL
+.It Li require-preauth = Va BOOL
If pre-authentication is required to talk to the kadmin server.
-.It default_keys = Va keytypes...
+.It Li password_lifetime = Va time
+If a principal already have its password set for expiration, this is
+the time it will be valid for after a change.
+.It Li default_keys = Va keytypes...
for each entry in
.Va default_keys
try to parse it as a sequence of
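Review bot: the new password_lifetime entry under [kadmin] should read "already has" rather than "already have", and it does not say what format or unit "Va time" takes or what applies when the option is unset. Since the lifetime is only applied to principals that already have an expiration set, the text should also state outright that principals without one stay non-expiring after a change. In the [kdc] database block, the touched acl_file line still carries "PA FILENAME" where its neighbours use "Pa", so fix the macro while the line is being changed. The database sub-entries also end up with a second "Li" (".It Li dbname Li = ..."), while the entries after the closing brace use a single one (".It Li max-request = ..."); pick one form for the whole list.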
@@ -409,14 +412,14 @@
default salt string (for that principal and encryption type).
Additional special values of keytypes are:
.Bl -tag -width "xxx" -offset indent
-.It v5
+.It Li v5
The Kerberos 5 salt
.Va pw-salt
-.It v4
+.It Li v4
The Kerberos 4 salt
.Va des:pw-salt:
.El
-.It use_v4_salt = Va BOOL
+.It Li use_v4_salt = Va BOOL
When true, this is the same as
.Pp
.Va default_keys = Va des3:pw-salt Va v4