Diffstat (limited to 'doc/html/_sources')
-rw-r--r--  doc/html/_sources/admin/admin_commands/kadmin_local.txt  7
-rw-r--r--  doc/html/_sources/admin/admin_commands/kpropd.txt  5
-rw-r--r--  doc/html/_sources/admin/admin_commands/ktutil.txt  2
-rw-r--r--  doc/html/_sources/admin/conf_files/kadm5_acl.txt  40
-rw-r--r--  doc/html/_sources/admin/conf_files/kdc_conf.txt  17
-rw-r--r--  doc/html/_sources/admin/conf_files/krb5_conf.txt  59
-rw-r--r--  doc/html/_sources/admin/pkinit.txt  20
-rw-r--r--  doc/html/_sources/admin/realm_config.txt  2
-rw-r--r--  doc/html/_sources/appdev/gssapi.txt  19
-rw-r--r--  doc/html/_sources/appdev/index.txt  1
-rw-r--r--  doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt  15
-rw-r--r--  doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt  2
-rw-r--r--  doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt  2
-rw-r--r--  doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt  4
-rw-r--r--  doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt  4
-rw-r--r--  doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt  2
-rw-r--r--  doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt  4
-rw-r--r--  doc/html/_sources/appdev/refs/api/krb5_mk_req.txt  2
-rw-r--r--  doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt  2
-rw-r--r--  doc/html/_sources/appdev/refs/types/krb5_timestamp.txt  3
-rw-r--r--  doc/html/_sources/appdev/y2038.txt  28
-rw-r--r--  doc/html/_sources/basic/ccache_def.txt  2
-rw-r--r--  doc/html/_sources/build/options2configure.txt  4
-rw-r--r--  doc/html/_sources/mitK5features.txt  95
-rw-r--r--  doc/html/_sources/plugindev/certauth.txt  27
-rw-r--r--  doc/html/_sources/plugindev/index.txt  3
-rw-r--r--  doc/html/_sources/plugindev/kadm5_auth.txt  35
-rw-r--r--  doc/html/_sources/plugindev/kdcpolicy.txt  24
28 files changed, 383 insertions, 47 deletions
diff --git a/doc/html/_sources/admin/admin_commands/kadmin_local.txt b/doc/html/_sources/admin/admin_commands/kadmin_local.txt
index 50c3b99ea428..9b5ccf4e911a 100644
--- a/doc/html/_sources/admin/admin_commands/kadmin_local.txt
+++ b/doc/html/_sources/admin/admin_commands/kadmin_local.txt
@@ -661,6 +661,13 @@ KDC:
*principal*. The *value* is a JSON string representing an array
of objects, each having optional ``type`` and ``username`` fields.
+**pkinit_cert_match**
+ Specifies a matching expression that defines the certificate
+ attributes required for the client certificate used by the
+ principal during PKINIT authentication. The matching expression
+ is in the same format as those used by the **pkinit_cert_match**
+ option in :ref:`krb5.conf(5)`. (New in release 1.16.)
+
This command requires the **modify** privilege.
Alias: **setstr**
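Review bot: The new **pkinit_cert_match** entry says what the attribute expresses but not what the KDC does when the presented certificate does not match it. The certauth description added to krb5_conf.txt in this same change says the dbmatch module "authorizes or rejects" on that basis, so add a sentence here such as "If the attribute is set and the client certificate does not match, PKINIT authentication for the principal is rejected." so the admin page stands on its own.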
diff --git a/doc/html/_sources/admin/admin_commands/kpropd.txt b/doc/html/_sources/admin/admin_commands/kpropd.txt
index 5e01e2f14bc1..5468b06754e1 100644
--- a/doc/html/_sources/admin/admin_commands/kpropd.txt
+++ b/doc/html/_sources/admin/admin_commands/kpropd.txt
@@ -14,6 +14,7 @@ SYNOPSIS
[**-F** *principal_database*]
[**-p** *kdb5_util_prog*]
[**-P** *port*]
+[**--pid-file**\ =\ *pid_file*]
[**-d**]
[**-t**]
@@ -104,6 +105,10 @@ OPTIONS
Allows the user to specify the path to the kpropd.acl file; by
default the path used is |kdcdir|\ ``/kpropd.acl``.
+**--pid-file**\ =\ *pid_file*
+ In standalone mode, write the process ID of the daemon into
+ *pid_file*.
+
ENVIRONMENT
-----------
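Review bot: The **--pid-file** description covers standalone mode only; say what happens when kpropd is started from inetd with this option (ignored, or an error), since the synopsis lists it unconditionally. The entry also lacks the "(New in release 1.16.)" marker that the other new options in this change carry (compare **pkinit_cert_match** in kadmin_local.txt).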
diff --git a/doc/html/_sources/admin/admin_commands/ktutil.txt b/doc/html/_sources/admin/admin_commands/ktutil.txt
index d55ddc8944c6..2eb19ded2769 100644
--- a/doc/html/_sources/admin/admin_commands/ktutil.txt
+++ b/doc/html/_sources/admin/admin_commands/ktutil.txt
@@ -87,7 +87,7 @@ add_entry
~~~~~~~~~
**add_entry** {**-key**\|\ **-password**} **-p** *principal*
- **-k** *kvno* **-e** *enctype*
+ **-k** *kvno* **-e** *enctype* [**-s** *salt*]
Add *principal* to keylist using key or password.
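Review bot: The synopsis now shows `[**-s** *salt*]`, but this hunk adds no description of the option, and the 1.16 release notes in this change also mention that `-k 0` means "ignore the key version"; both belong in the text below the synopsis, e.g. "**-s** *salt* uses the given salt string instead of the default; **-k** 0 ignores the key version when adding the entry."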
diff --git a/doc/html/_sources/admin/conf_files/kadm5_acl.txt b/doc/html/_sources/admin/conf_files/kadm5_acl.txt
index d23fb8a5789e..290bf0e037a7 100644
--- a/doc/html/_sources/admin/conf_files/kadm5_acl.txt
+++ b/doc/html/_sources/admin/conf_files/kadm5_acl.txt
@@ -116,16 +116,17 @@ Here is an example of a kadm5.acl file::
*/root@ATHENA.MIT.EDU l * # line 5
sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6
-(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with
-an ``admin`` instance has all administrative privileges.
-
-(lines 1-3) The user ``joeadmin`` has all permissions with his
-``admin`` instance, ``joeadmin/admin@ATHENA.MIT.EDU`` (matches line
-1). He has no permissions at all with his null instance,
-``joeadmin@ATHENA.MIT.EDU`` (matches line 2). His ``root`` and other
-non-``admin``, non-null instances (e.g., ``extra`` or ``dbadmin``) have
-inquire permissions with any principal that has the instance ``root``
-(matches line 3).
+(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an
+``admin`` instance has all administrative privileges except extracting
+keys.
+
+(lines 1-3) The user ``joeadmin`` has all permissions except
+extracting keys with his ``admin`` instance,
+``joeadmin/admin@ATHENA.MIT.EDU`` (matches line 1). He has no
+permissions at all with his null instance, ``joeadmin@ATHENA.MIT.EDU``
+(matches line 2). His ``root`` and other non-``admin``, non-null
+instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions
+with any principal that has the instance ``root`` (matches line 3).
(line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire
or change the password of their null instance, but not any other
@@ -139,9 +140,22 @@ permission can only be granted globally, not to specific target
principals.
(line 6) Finally, the Service Management System principal
-``sms@ATHENA.MIT.EDU`` has all permissions, but any principal that it
-creates or modifies will not be able to get postdateable tickets or
-tickets with a life of longer than 9 hours.
+``sms@ATHENA.MIT.EDU`` has all permissions except extracting keys, but
+any principal that it creates or modifies will not be able to get
+postdateable tickets or tickets with a life of longer than 9 hours.
+
+MODULE BEHAVIOR
+---------------
+
+The ACL file can coexist with other authorization modules in release
+1.16 and later, as configured in the :ref:`kadm5_auth` section of
+:ref:`krb5.conf(5)`. The ACL file will positively authorize
+operations according to the rules above, but will never
+authoritatively deny an operation, so other modules can authorize
+operations in addition to those authorized by the ACL file.
+
+To operate without an ACL file, set the *acl_file* variable in
+:ref:`kdc.conf(5)` to the empty string with ``acl_file = ""``.
SEE ALSO
--------
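Review bot: The MODULE BEHAVIOR paragraph should spell out the consequence of "will never authoritatively deny an operation": removing or narrowing an entry in kadm5.acl does not block an operation that another configured kadm5_auth module (for example the built-in **self** module described in krb5_conf.txt in this change) authorizes, so the ACL file must not be read as a deny list. One sentence saying "Entries in this file cannot be used to forbid operations that other modules permit" would prevent that misreading.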
diff --git a/doc/html/_sources/admin/conf_files/kdc_conf.txt b/doc/html/_sources/admin/conf_files/kdc_conf.txt
index 13077ecf4bc2..3af1c3796e6b 100644
--- a/doc/html/_sources/admin/conf_files/kdc_conf.txt
+++ b/doc/html/_sources/admin/conf_files/kdc_conf.txt
@@ -86,9 +86,10 @@ The following tags may be specified in a [realms] subsection:
**acl_file**
(String.) Location of the access control list file that
:ref:`kadmind(8)` uses to determine which principals are allowed
- which permissions on the Kerberos database. The default value is
- |kdcdir|\ ``/kadm5.acl``. For more information on Kerberos ACL
- file see :ref:`kadm5.acl(5)`.
+ which permissions on the Kerberos database. To operate without an
+ ACL file, set this relation to the empty string with ``acl_file =
+ ""``. The default value is |kdcdir|\ ``/kadm5.acl``. For more
+ information on Kerberos ACL file see :ref:`kadm5.acl(5)`.
**database_module**
(String.) This relation indicates the name of the configuration
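Review bot: The **acl_file** text explains how to operate without an ACL file but not what then authorizes kadmin operations; add that with `acl_file = ""` only the other kadm5_auth modules configured in krb5.conf (such as the built-in **self** module) grant access, otherwise a reader may assume an empty value means unrestricted access.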
@@ -198,6 +199,11 @@ The following tags may be specified in a [realms] subsection:
if there is no policy assigned to the principal, no dictionary
checks of passwords will be performed.
+**encrypted_challenge_indicator**
+ (String.) Specifies the authentication indicator value that the KDC
+ asserts into tickets obtained using FAST encrypted challenge
+ pre-authentication. New in 1.16.
+
**host_based_services**
(Whitespace- or comma-separated list.) Lists services which will
get host-based referral processing even if the server principal is
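Review bot: Style: "New in 1.16." in the **encrypted_challenge_indicator** entry should be "(New in release 1.16.)" to match the form used for **pkinit_cert_match** and for the 1.14 note on the pkinit options further down in this file. The entry also does not say what values are acceptable for the indicator or point to where authentication indicators are described, which an administrator setting it for the first time will want.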
@@ -765,9 +771,6 @@ For information about the syntax of some of these options, see
pkinit is used to authenticate. This option may be specified
multiple times. (New in release 1.14.)
-**pkinit_kdc_ocsp**
- Specifies the location of the KDC's OCSP.
-
**pkinit_pool**
Specifies the location of intermediate certificates which may be
used by the KDC to complete the trust chain between a client's
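Review bot: Removing **pkinit_kdc_ocsp** from the documentation leaves administrators who have it in an existing kdc.conf without guidance, and the 1.16 release notes in this change do not mention the removal either. Add a sentence, here or in the release notes, stating whether the relation is now ignored or rejected.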
@@ -824,7 +827,7 @@ camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with
camellia128-cts-cmac camellia128-cts Camellia-128 CTS mode with CMAC
des The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)
des3 The triple DES family: des3-cbc-sha1
-aes The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
+aes The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128
rc4 The RC4 family: arcfour-hmac
camellia The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
==================================================== =========================================================
diff --git a/doc/html/_sources/admin/conf_files/krb5_conf.txt b/doc/html/_sources/admin/conf_files/krb5_conf.txt
index 653aad613cbc..4ed9832c7b17 100644
--- a/doc/html/_sources/admin/conf_files/krb5_conf.txt
+++ b/doc/html/_sources/admin/conf_files/krb5_conf.txt
@@ -55,9 +55,10 @@ following directives at the beginning of a line::
directory must exist and be readable. Including a directory includes
all files within the directory whose names consist solely of
alphanumeric characters, dashes, or underscores. Starting in release
-1.15, files with names ending in ".conf" are also included. Included
-profile files are syntactically independent of their parents, so each
-included file must begin with a section header.
+1.15, files with names ending in ".conf" are also included, unless the
+name begins with ".". Included profile files are syntactically
+independent of their parents, so each included file must begin with a
+section header.
The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
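Review bot: The rewritten sentence now reads as if excluding names beginning with "." was part of the 1.15 behaviour ("Starting in release 1.15, files with names ending in ".conf" are also included, unless the name begins with "."). If the dot-file exclusion is new in this release, give it its own release marker so administrators upgrading know the include set changed.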
@@ -262,7 +263,7 @@ The libdefaults section may contain any of the following relations:
the local user or by root.
**kcm_mach_service**
- On OS X only, determines the name of the bootstrap service used to
+ On macOS only, determines the name of the bootstrap service used to
contact the KCM daemon for the KCM credential cache type. If the
value is ``-``, Mach RPC will not be used to contact the KCM
daemon. The default value is ``org.h5l.kcm``.
@@ -744,6 +745,10 @@ disabled with the disable tag):
Uses the service realm to guess an appropriate cache from the
collection
+**hostname**
+ If the service principal is host-based, uses the service hostname
+ to guess an appropriate cache from the collection
+
.. _pwqual:
pwqual interface
@@ -777,6 +782,26 @@ interface can be used to write a plugin to synchronize MIT Kerberos
with another database such as Active Directory. No plugins are built
in for this interface.
+.. _kadm5_auth:
+
+kadm5_auth interface
+####################
+
+The kadm5_auth section (introduced in release 1.16) controls modules
+for the kadmin authorization interface, which determines whether a
+client principal is allowed to perform a kadmin operation. The
+following built-in modules exist for this interface:
+
+**acl**
+ This module reads the :ref:`kadm5.acl(5)` file, and authorizes
+ operations which are allowed according to the rules in the file.
+
+**self**
+ This module authorizes self-service operations including password
+ changes, creation of new random keys, fetching the client's
+ principal record or string attributes, and fetching the policy
+ record associated with the client principal.
+
.. _clpreauth:
.. _kdcpreauth:
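Review bot: The new kadm5_auth section lists the built-in modules but not how their results are combined. The MODULE BEHAVIOR text added to kadm5_acl.txt in this change says the acl module positively authorizes and never authoritatively denies, so state the rule here (an operation is allowed when any configured module authorizes it, unless a module authoritatively denies it) and whether module order matters, since this is the page administrators read when enabling or disabling modules.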
@@ -858,6 +883,32 @@ built-in modules exist for this interface:
This module authorizes a principal to a local account if the
principal name maps to the local account name.
+.. _certauth:
+
+certauth interface
+##################
+
+The certauth section (introduced in release 1.16) controls modules for
+the certificate authorization interface, which determines whether a
+certificate is allowed to preauthenticate a user via PKINIT. The
+following built-in modules exist for this interface:
+
+**pkinit_san**
+ This module authorizes the certificate if it contains a PKINIT
+ Subject Alternative Name for the requested client principal, or a
+ Microsoft UPN SAN matching the principal if **pkinit_allow_upn**
+ is set to true for the realm.
+
+**pkinit_eku**
+ This module rejects the certificate if it does not contain an
+ Extended Key Usage attribute consistent with the
+ **pkinit_eku_checking** value for the realm.
+
+**dbmatch**
+ This module authorizes or rejects the certificate according to
+ whether it matches the **pkinit_cert_match** string attribute on
+ the client principal, if that attribute is present.
+
PKINIT options
--------------
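Review bot: The certauth section mixes modules that authorize (**pkinit_san**, **dbmatch**) with one that only rejects (**pkinit_eku**) without saying how the results combine: whether one authorizing module suffices and whether a rejection from any module overrides an authorization. The pkinit.txt text in this change says that using **pkinit_cert_match** for non-PKINIT certificates also requires changing **pkinit_eku_checking**, which implies a rejection wins; say so explicitly here.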
diff --git a/doc/html/_sources/admin/pkinit.txt b/doc/html/_sources/admin/pkinit.txt
index 460d75d1e2be..c601c5c9ebba 100644
--- a/doc/html/_sources/admin/pkinit.txt
+++ b/doc/html/_sources/admin/pkinit.txt
@@ -223,6 +223,26 @@ time as follows::
kadmin -q 'add_principal +requires_preauth -nokey YOUR_PRINCNAME'
+By default, the KDC requires PKINIT client certificates to have the
+standard Extended Key Usage and Subject Alternative Name attributes
+for PKINIT. Starting in release 1.16, it is possible to authorize
+client certificates based on the subject or other criteria instead of
+the standard PKINIT Subject Alternative Name, by setting the
+**pkinit_cert_match** string attribute on each client principal entry.
+For example::
+
+ kadmin set_string user@REALM pkinit_cert_match "<SUBJECT>CN=user@REALM$"
+
+The **pkinit_cert_match** string attribute follows the syntax used by
+the :ref:`krb5.conf(5)` **pkinit_cert_match** relation. To allow the
+use of non-PKINIT client certificates, it will also be necessary to
+disable key usage checking using the **pkinit_eku_checking** relation;
+for example::
+
+ [kdcdefaults]
+ pkinit_eku_checking = none
+
+
Configuring the clients
-----------------------
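Review bot: The example disables EKU checking under [kdcdefaults] in order to accept a non-PKINIT certificate for one principal, but the text should say that `pkinit_eku_checking = none` relaxes the check for every client certificate the setting applies to, not only for principals carrying a **pkinit_cert_match** attribute (the certauth description in this change says the **pkinit_eku** module applies the realm's value to every certificate). Also, the `set_string` example anchors only the end of the expression (`$`); say whether the expression is matched as a regular expression and whether the start must be anchored for an exact subject match. Minor: the hunk adds two blank lines before "Configuring the clients" where one is enough.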
diff --git a/doc/html/_sources/admin/realm_config.txt b/doc/html/_sources/admin/realm_config.txt
index c016d720fded..c7d9164f5e78 100644
--- a/doc/html/_sources/admin/realm_config.txt
+++ b/doc/html/_sources/admin/realm_config.txt
@@ -207,7 +207,7 @@ convey more information about a realm's KDCs with a single query.
The client performs a query for the following URI records:
-* ``_kerberos.REALM`` for fiding KDCs.
+* ``_kerberos.REALM`` for finding KDCs.
* ``_kerberos-adm.REALM`` for finding kadmin services.
* ``_kpasswd.REALM`` for finding password services.
diff --git a/doc/html/_sources/appdev/gssapi.txt b/doc/html/_sources/appdev/gssapi.txt
index 0258f793b99b..c39bbddb9738 100644
--- a/doc/html/_sources/appdev/gssapi.txt
+++ b/doc/html/_sources/appdev/gssapi.txt
@@ -312,6 +312,25 @@ issue a ticket from the client to the target service. The GSSAPI
library will then use this ticket to authenticate to the target
service.
+If an application needs to find out whether a credential it holds is a
+proxy credential and the name of the intermediate service, it can
+query the credential with the **GSS_KRB5_GET_CRED_IMPERSONATOR** OID
+(new in release 1.16, declared in ``<gssapi/gssapi_krb5.h>``) using
+the gss_inquire_cred_by_oid extension (declared in
+``<gssapi/gssapi_ext.h>``)::
+
+ OM_uint32 gss_inquire_cred_by_oid(OM_uint32 *minor_status,
+ const gss_cred_id_t cred_handle,
+ gss_OID desired_object,
+ gss_buffer_set_t *data_set);
+
+If the call succeeds and *cred_handle* is a proxy credential,
+*data_set* will be set to a single-element buffer set containing the
+unparsed principal name of the intermediate service. If *cred_handle*
+is not a proxy credential, *data_set* will be set to an empty buffer
+set. If the library does not support the query,
+gss_inquire_cred_by_oid will return **GSS_S_UNAVAILABLE**.
+
AEAD message wrapping
---------------------
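Review bot: The paragraph does not say how the caller releases *data_set* after reading the intermediate service name, nor whether "an empty buffer set" for a non-proxy credential means a set with a zero count or a null pointer; callers will test for one or the other, so state both, and say whether *data_set* must be released in the empty case as well.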
diff --git a/doc/html/_sources/appdev/index.txt b/doc/html/_sources/appdev/index.txt
index 3d62045ca870..961bb1e9e23a 100644
--- a/doc/html/_sources/appdev/index.txt
+++ b/doc/html/_sources/appdev/index.txt
@@ -5,6 +5,7 @@ For application developers
:maxdepth: 1
gssapi.rst
+ y2038.rst
h5l_mit_apidiff.rst
init_creds.rst
princ_handle.rst
diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt
index 7d5bf4cf03ee..4dc9e0afb9a0 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt
@@ -1,5 +1,5 @@
-krb5_auth_con_initivector
-=========================
+krb5_auth_con_initivector - Cause an auth context to use cipher state.
+========================================================================
..
@@ -10,30 +10,31 @@ krb5_auth_con_initivector
:param:
- **context**
+ **[in]** **context** - Library context
- **auth_context**
+ **[in]** **auth_context** - Authentication context
..
+:retval:
+ - 0 Success; otherwise - Kerberos error codes
-..
+..
-DEPRECATED Not replaced.
+Prepare *auth_context* to use cipher state when :c:func:`krb5_mk_priv()` or :c:func:`krb5_rd_priv()` encrypt or decrypt data.
-RFC 4120 doesn't have anything like the initvector concept; only really old protocols may need this API.
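Review bot: This hunk drops the "DEPRECATED Not replaced." marker and the note that only very old protocols need this API, replacing them with a description of current behaviour. If the function is intentionally being un-deprecated, say so (the 1.16 release notes in this change do not mention it); otherwise keep the deprecation note alongside the new description so callers are not encouraged to adopt a legacy interface.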
diff --git a/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt b/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt
index a6273bbb2c75..fab6d70594f3 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt
@@ -3,7 +3,7 @@ krb5_fwd_tgt_creds - Get a forwarded TGT and format a KRB-CRED message.
..
-.. c:function:: krb5_error_code krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char * rhost, krb5_principal client, krb5_principal server, krb5_ccache cc, int forwardable, krb5_data * outbuf)
+.. c:function:: krb5_error_code krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, const char * rhost, krb5_principal client, krb5_principal server, krb5_ccache cc, int forwardable, krb5_data * outbuf)
..
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt
index 85efec065a5e..011fe47837fd 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt
@@ -27,7 +27,7 @@ krb5_init_creds_free - Free an initial credentials context.
-
+ *context* must be the same as the one passed to :c:func:`krb5_init_creds_init()` for this initial credentials context.
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt
index 05c26f3759b4..291fa509269d 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt
@@ -34,6 +34,10 @@ This function synchronously obtains credentials using a context created by :c:fu
+ *context* must be the same as the one passed to :c:func:`krb5_init_creds_init()` for this initial credentials context.
+
+
+
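Review bot: The hunk adds three empty "+" lines after the new sentence, and the same trailing blank lines appear in krb5_init_creds_init.txt and krb5_init_creds_step.txt in this change; generated or not, they are noise in the source and should be trimmed to a single blank line.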
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt
index 6bbbeed869e4..c703124106db 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt
@@ -44,6 +44,10 @@ This function creates a new context for acquiring initial credentials. Use :c:fu
+Any subsequent calls to :c:func:`krb5_init_creds_step()` , :c:func:`krb5_init_creds_get()` , or :c:func:`krb5_init_creds_free()` for this initial credentials context must use the same *context* argument as the one passed to this function.
+
+
+
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt
index d08ffc7d629d..67b9b5d6de0b 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt
@@ -32,7 +32,7 @@ krb5_init_creds_set_service - Specify a service principal for acquiring initial
-This function supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. *service* is parsed as a principal name; any realm part is ignored.
+Thisfunction supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. *service* is parsed as a principal name; any realm part is ignored.
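Review bot: This hunk introduces a typo: "Thisfunction" in the new line should be "This function". The regression is the only change in the hunk, so revert or correct the line before merging.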
diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt
index c4e8a202aa53..8008e6724f1a 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt
@@ -50,6 +50,10 @@ If this function returns **KRB5KRB_ERR_RESPONSE_TOO_BIG** , the caller should tr
+ *context* must be the same as the one passed to :c:func:`krb5_init_creds_init()` for this initial credentials context.
+
+
+
diff --git a/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt b/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt
index e3a5da424a8d..695eb79399cb 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt
@@ -3,7 +3,7 @@ krb5_mk_req - Create a KRB_AP_REQ message.
..
-.. c:function:: krb5_error_code krb5_mk_req(krb5_context context, krb5_auth_context * auth_context, krb5_flags ap_req_options, char * service, char * hostname, krb5_data * in_data, krb5_ccache ccache, krb5_data * outbuf)
+.. c:function:: krb5_error_code krb5_mk_req(krb5_context context, krb5_auth_context * auth_context, krb5_flags ap_req_options, const char * service, const char * hostname, krb5_data * in_data, krb5_ccache ccache, krb5_data * outbuf)
..
diff --git a/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt b/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt
index d9af52f770ab..338b43a1453e 100644
--- a/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt
+++ b/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt
@@ -62,7 +62,7 @@ If successful, *pac* is marked as verified.
.. note::
- A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also Apple Mac OS X Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified.
+ A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also macOS Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified.
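Review bot: Renaming "Apple Mac OS X Server Open Directory (as of 10.6)" to "macOS Server Open Directory (as of 10.6)" is anachronistic: version 10.6 shipped under the Mac OS X name, so a reader looking up the affected product will not find "macOS 10.6". Keep the historical name here, or phrase it as "Mac OS X Server (now macOS Server) Open Directory, as of 10.6". The "macOS 10.7" wording in ccache_def.txt and mitK5features.txt in this change has the same issue, though it is less likely to mislead.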
diff --git a/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt b/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt
index e9263e49d1b7..dc3e9eee79ab 100644
--- a/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt
+++ b/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt
@@ -9,8 +9,9 @@ krb5_timestamp
.. c:type:: krb5_timestamp
..
+Represents a timestamp in seconds since the POSIX epoch.
-
+This legacy type is used frequently in the ABI, but cannot represent timestamps after 2038 as a positive number. Code which uses this type should cast values of it to uint32_t so that negative values are treated as timestamps between 2038 and 2106 on platforms with 64-bit time_t.
Declaration
------------
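Review bot: The new note tells callers to cast krb5_timestamp values "to uint32_t" but stops short of the conversion to time_t that the y2038.txt page added in this change spells out as `(time_t)(uint32_t)timestamp`. Quote the same two-step cast here and cross-reference the y2038 page so the two descriptions agree.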
diff --git a/doc/html/_sources/appdev/y2038.txt b/doc/html/_sources/appdev/y2038.txt
new file mode 100644
index 000000000000..bc4122dad0a4
--- /dev/null
+++ b/doc/html/_sources/appdev/y2038.txt
@@ -0,0 +1,28 @@
+Year 2038 considerations for uses of krb5_timestamp
+===================================================
+
+POSIX time values, which measure the number of seconds since January 1
+1970, will exceed the maximum value representable in a signed 32-bit
+integer in January 2038. This documentation describes considerations
+for consumers of the MIT krb5 libraries.
+
+Applications or libraries which use libkrb5 and consume the timestamps
+included in credentials or other structures make use of the
+:c:type:`krb5_timestamp` type. For historical reasons, krb5_timestamp
+is a signed 32-bit integer, even on platforms where a larger type is
+natively used to represent time values. To behave properly for time
+values after January 2038, calling code should cast krb5_timestamp
+values to uint32_t, and then to time_t::
+
+ (time_t)(uint32_t)timestamp
+
+Used in this way, krb5_timestamp values can represent time values up
+until February 2106, provided that the platform uses a 64-bit or
+larger time_t type. This usage will also remain safe if a later
+version of MIT krb5 changes krb5_timestamp to an unsigned 32-bit
+integer.
+
+The GSSAPI only uses representations of time intervals, not absolute
+times. Callers of the GSSAPI should require no changes to behave
+correctly after January 2038, provided that they use MIT krb5 release
+1.16 or later.
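Review bot: The page covers converting a single krb5_timestamp to time_t but not the other common pattern, arithmetic or comparison between two raw krb5_timestamp values (for example computing a remaining lifetime from an endtime and the current time). Since the type is a signed 32-bit integer, values after January 2038 are negative and such operations give wrong results even on 64-bit platforms unless each operand is first converted as shown; add a sentence recommending that callers convert each value before comparing or subtracting. Minor: "January 1 1970" should be "January 1, 1970".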
diff --git a/doc/html/_sources/basic/ccache_def.txt b/doc/html/_sources/basic/ccache_def.txt
index ff857f4f9422..d147f0d7aa99 100644
--- a/doc/html/_sources/basic/ccache_def.txt
+++ b/doc/html/_sources/basic/ccache_def.txt
@@ -64,7 +64,7 @@ library.
KCM client support is new in release 1.13. A KCM daemon has not
yet been implemented in MIT krb5, but the client will interoperate
- with the KCM daemon implemented by Heimdal. OS X 10.7 and higher
+ with the KCM daemon implemented by Heimdal. macOS 10.7 and higher
provides a KCM daemon as part of the operating system, and the
**KCM** cache type is used as the default cache on that platform in
a default build.
diff --git a/doc/html/_sources/build/options2configure.txt b/doc/html/_sources/build/options2configure.txt
index 0fd03072cd2d..ac1a8b9515b0 100644
--- a/doc/html/_sources/build/options2configure.txt
+++ b/doc/html/_sources/build/options2configure.txt
@@ -350,10 +350,6 @@ Optional packages
prng specify ``--with-prng-alg=os``. The default is ``fortuna``.
(See :ref:`mitK5features`)
-**-**\ **-with-pkinit-crypto-impl=**\ *IMPL*
- Use the specified pkinit crypto implementation *IMPL*.
- Defaults to using OpenSSL.
-
**-**\ **-without-libedit**
Do not compile and link against libedit. Some utilities will no
longer offer command history or completion in interactive mode if
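Review bot: Deleting **--with-pkinit-crypto-impl** from the configure documentation without a note means builders still passing the option will not learn from the docs that it is gone; the 1.16 release notes in this change list the new --disable-nls option but not this removal. Add a release-notes line or a sentence here saying whether the option is now rejected or ignored.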
diff --git a/doc/html/_sources/mitK5features.txt b/doc/html/_sources/mitK5features.txt
index b4e4b8b9b780..9df7e34d65be 100644
--- a/doc/html/_sources/mitK5features.txt
+++ b/doc/html/_sources/mitK5features.txt
@@ -19,8 +19,8 @@ Quick facts
License - :ref:`mitK5license`
Releases:
- - Latest stable: http://web.mit.edu/kerberos/krb5-1.15/
- - Supported: http://web.mit.edu/kerberos/krb5-1.14/
+ - Latest stable: http://web.mit.edu/kerberos/krb5-1.16/
+ - Supported: http://web.mit.edu/kerberos/krb5-1.15/
- Release cycle: 9 -- 12 months
Supported platforms \/ OS distributions:
@@ -162,7 +162,7 @@ Release 1.13
- Add client support for the Kerberos Cache Manager protocol. If
the host is running a Heimdal kcm daemon, caches served by the
daemon can be accessed with the KCM: cache type.
- - When built on OS X 10.7 and higher, use "KCM:" as the default
+ - When built on macOS 10.7 and higher, use "KCM:" as the default
cachetype, unless overridden by command-line options or
krb5-config values.
- Add support for doing unlocked database dumps for the DB2 KDC
@@ -309,6 +309,95 @@ Release 1.15
- Add support for the AES-SHA2 enctypes, which allows sites to
conform to Suite B crypto requirements.
+Release 1.16
+
+* Administrator experience:
+
+ - The KDC can match PKINIT client certificates against the
+ "pkinit_cert_match" string attribute on the client principal
+ entry, using the same syntax as the existing "pkinit_cert_match"
+ profile option.
+
+ - The ktutil addent command supports the "-k 0" option to ignore the
+ key version, and the "-s" option to use a non-default salt string.
+
+ - kpropd supports a --pid-file option to write a pid file at
+ startup, when it is run in standalone mode.
+
+ - The "encrypted_challenge_indicator" realm option can be used to
+ attach an authentication indicator to tickets obtained using FAST
+ encrypted challenge pre-authentication.
+
+ - Localization support can be disabled at build time with the
+ --disable-nls configure option.
+
+* Developer experience:
+
+ - The kdcpolicy pluggable interface allows modules control whether
+ tickets are issued by the KDC.
+
+ - The kadm5_auth pluggable interface allows modules to control
+ whether kadmind grants access to a kadmin request.
+
+ - The certauth pluggable interface allows modules to control which
+ PKINIT client certificates can authenticate to which client
+ principals.
+
+ - KDB modules can use the client and KDC interface IP addresses to
+ determine whether to allow an AS request.
+
+ - GSS applications can query the bit strength of a krb5 GSS context
+ using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
+ gss_inquire_sec_context_by_oid().
+
+ - GSS applications can query the impersonator name of a krb5 GSS
+ credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
+ gss_inquire_cred_by_oid().
+
+ - kdcpreauth modules can query the KDC for the canonicalized
+ requested client principal name, or match a principal name against
+ the requested client principal name with canonicalization.
+
+* Protocol evolution:
+
+ - The client library will continue to try pre-authentication
+ mechanisms after most failure conditions.
+
+ - The KDC will issue trivially renewable tickets (where the
+ renewable lifetime is equal to or less than the ticket lifetime)
+ if requested by the client, to be friendlier to scripts.
+
+ - The client library will use a random nonce for TGS requests
+ instead of the current system time.
+
+ - For the RC4 string-to-key or PAC operations, UTF-16 is supported
+ (previously only UCS-2 was supported).
+
+ - When matching PKINIT client certificates, UPN SANs will be matched
+ correctly as UPNs, with canonicalization.
+
+* User experience:
+
+ - Dates after the year 2038 are accepted (provided that the platform
+ time facilities support them), through the year 2106.
+
+ - Automatic credential cache selection based on the client realm
+ will take into account the fallback realm and the service
+ hostname.
+
+ - Referral and alternate cross-realm TGTs will not be cached,
+ avoiding some scenarios where they can be added to the credential
+ cache multiple times.
+
+ - A German translation has been added.
+
+* Code quality:
+
+ - The build is warning-clean under clang with the configured warning
+ options.
+
+ - The automated test suite runs cleanly under AddressSanitizer.
+
`Pre-authentication mechanisms`
- PW-SALT :rfc:`4120#section-5.2.7.3`
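Review bot: Grammar in the Developer experience list: "allows modules control whether tickets are issued" should be "allows modules to control whether tickets are issued". Consistency: the Administrator item refers to "The ktutil addent command", while ktutil.txt in this change documents the command as **add_entry**; use the primary name, with the alias in parentheses if desired. The "-k 0" and "-s" behaviour described here should also appear in ktutil.txt itself, which currently only gains the synopsis change.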
diff --git a/doc/html/_sources/plugindev/certauth.txt b/doc/html/_sources/plugindev/certauth.txt
new file mode 100644
index 000000000000..8a7f7c5ebad6
--- /dev/null
+++ b/doc/html/_sources/plugindev/certauth.txt
@@ -0,0 +1,27 @@
+.. _certauth_plugin:
+
+PKINIT certificate authorization interface (certauth)
+=====================================================
+
+The certauth interface was first introduced in release 1.16. It
+allows customization of the X.509 certificate attribute requirements
+placed on certificates used by PKINIT enabled clients. For a detailed
+description of the certauth interface, see the header file
+``<krb5/certauth_plugin.h>``
+
+A certauth module implements the **authorize** method to determine
+whether a client's certificate is authorized to authenticate a client
+principal. **authorize** receives the DER-encoded certificate, the
+requested client principal, and a pointer to the client's
+krb5_db_entry (for modules that link against libkdb5). It returns the
+authorization status and optionally outputs a list of authentication
+indicator strings to be added to the ticket. A module must use its
+own internal or library-provided ASN.1 certificate decoder.
+
+A module can optionally create and destroy module data with the
+**init** and **fini** methods. Module data objects last for the
+lifetime of the KDC process.
+
+If a module allocates and returns a list of authentication indicators
+from **authorize**, it must also implement the **free_ind** method
+to free the list.
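Review bot: the **authorize** paragraph says the method "returns the authorization status" but never states the return convention (which value authorizes, which defers to other modules, which denies), whereas the kadm5_auth page in this same patch spells out 0 / KRB5_PLUGIN_NO_HANDLE / another error explicitly; add the equivalent sentence here, and also say what the KDC does when no module authorizes the certificate, since that is the security-relevant default. Two small style points: the sentence ending in ``<krb5/certauth_plugin.h>`` is missing its terminal period, and "PKINIT enabled clients" should be hyphenated as "PKINIT-enabled clients".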
diff --git a/doc/html/_sources/plugindev/index.txt b/doc/html/_sources/plugindev/index.txt
index 3fb921778cb5..5e7834635f42 100644
--- a/doc/html/_sources/plugindev/index.txt
+++ b/doc/html/_sources/plugindev/index.txt
@@ -25,11 +25,14 @@ Contents
ccselect.rst
pwqual.rst
kadm5_hook.rst
+ kadm5_auth.rst
hostrealm.rst
localauth.rst
locate.rst
profile.rst
gssapi.rst
internal.rst
+ certauth.rst
+ kdcpolicy.rst
.. TODO: GSSAPI mechanism plugins
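Review bot: the two new entries ``certauth.rst`` and ``kdcpolicy.rst`` are appended after ``gssapi.rst`` and ``internal.rst`` rather than placed with the other KDC-side interfaces; the existing list is grouped by topic, not alphabetical, so consider inserting them next to ``kadm5_auth.rst`` (which this same hunk adds in the middle of the list) so the contents page keeps its grouping instead of reflecting commit order.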
diff --git a/doc/html/_sources/plugindev/kadm5_auth.txt b/doc/html/_sources/plugindev/kadm5_auth.txt
new file mode 100644
index 000000000000..b4839617bd2f
--- /dev/null
+++ b/doc/html/_sources/plugindev/kadm5_auth.txt
@@ -0,0 +1,35 @@
+.. _kadm5_auth_plugin:
+
+kadmin authorization interface (kadm5_auth)
+===========================================
+
+The kadm5_auth interface (new in release 1.16) allows modules to
+determine whether a client principal is authorized to perform an
+operation in the kadmin protocol, and to apply restrictions to
+principal operations. For a detailed description of the kadm5_auth
+interface, see the header file ``<krb5/kadm5_auth_plugin.h>``.
+
+A module can create and destroy per-process state objects by
+implementing the **init** and **fini** methods. State objects have
+the type kadm5_auth_modinfo, which is an abstract pointer type. A
+module should typically cast this to an internal type for the state
+object.
+
+The kadm5_auth interface has one method for each kadmin operation,
+with parameters specific to the operation. Each method can return
+either 0 to authorize access, KRB5_PLUGIN_NO_HANDLE to defer the
+decision to other modules, or another error (canonically EPERM) to
+authoritatively deny access. Access is granted if at least one module
+grants access and no module authoritatively denies access.
+
+The **addprinc** and **modprinc** methods can also impose restrictions
+on the principal operation by returning a ``struct
+kadm5_auth_restrictions`` object. The module should also implement
+the **free_restrictions** method if it dynamically allocates
+restrictions objects for principal operations.
+
+kadm5_auth modules can optionally inspect principal or policy objects.
+To do this, the module must also include ``<kadm5/admin.h>`` to gain
+access to the structure definitions for those objects. As the kadmin
+interface is explicitly not as stable as other public interfaces,
+modules which do this may not retain compatibility across releases.
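Review bot: the decision rule in the method paragraph ("Access is granted if at least one module grants access and no module authoritatively denies access") leaves one case undocumented: the outcome when every loaded module returns KRB5_PLUGIN_NO_HANDLE, or when no kadm5_auth module is loaded at all. Since this decides whether kadmin operations fail closed, state it explicitly (for example, "If no module grants access, the operation is denied"), and mention how the result combines with the existing kadm5.acl checks if they still apply. Minor: the inline literal ``struct kadm5_auth_restrictions`` is split across a line break; RST tolerates this, but keeping it on one line is easier to grep.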
diff --git a/doc/html/_sources/plugindev/kdcpolicy.txt b/doc/html/_sources/plugindev/kdcpolicy.txt
new file mode 100644
index 000000000000..74f21f08fbf4
--- /dev/null
+++ b/doc/html/_sources/plugindev/kdcpolicy.txt
@@ -0,0 +1,24 @@
+.. _kdcpolicy_plugin:
+
+KDC policy interface (kdcpolicy)
+================================
+
+The kdcpolicy interface was first introduced in release 1.16. It
+allows modules to veto otherwise valid AS and TGS requests or restrict
+the lifetime and renew time of the resulting ticket. For a detailed
+description of the kdcpolicy interface, see the header file
+``<krb5/kdcpolicy_plugin.h>``.
+
+The optional **check_as** and **check_tgs** functions allow the module
+to perform access control. Additionally, a module can create and
+destroy module data with the **init** and **fini** methods. Module
+data objects last for the lifetime of the KDC process, and are
+provided to all other methods. The data has the type
+krb5_kdcpolicy_moddata, which should be cast to the appropriate
+internal type.
+
+kdcpolicy modules can optionally inspect principal entries. To do
+this, the module must also include ``<kdb.h>`` to gain access to the
+principal entry structure definition. As the KDB interface is
+explicitly not as stable as other public interfaces, modules which do
+this may not retain compatibility across releases.
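Review bot: the introduction promises that modules can "veto otherwise valid AS and TGS requests or restrict the lifetime and renew time of the resulting ticket", but the **check_as** / **check_tgs** paragraph only says they "allow the module to perform access control" and never explains the return convention (which return value vetoes the request, and how a module communicates a reduced lifetime or renewable lifetime through the function's output parameters). Add a sentence for each, modelled on the kadm5_auth page in this patch, and state whether a shorter lifetime from one module is combined with (minimum of) results from other modules, because operators will rely on that when stacking policy modules.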