aklog: require opt-in to enable single-DES in libkrb5

[openafs.git] / doc / man-pages / pod1 / aklog.pod

diff --git a/doc/man-pages/pod1/aklog.pod b/doc/man-pages/pod1/aklog.pod
index e6b78a2..0d67ea1 100644 (file)
--- a/doc/man-pages/pod1/aklog.pod
+++ b/doc/man-pages/pod1/aklog.pod
@@ -8,11 +8,11 @@ aklog - Obtain tokens for authentication to AFS
 <div class="synopsis">
 
 B<aklog> [B<-d>] [B<-hosts>] [B<-zsubs>] [B<-noprdb>] [B<-noauth>] [B<-linked>]
-    [B<-force>] [B<-524>] [B<-setpag>]
+    [B<-force>] [B<-524>] [B<-setpag>] [B<-insecure_des>]
     S<<< [[B<-cell> | B<-c>] <I<cell>> [B<-k> <I<Kerberos realm>>]]+ >>>
 
 B<aklog> [B<-d>] [B<-hosts>] [B<-zsubs>] [B<-noprdb>] [B<-noauth>] [B<-linked>]
-    [B<-force>] [B<-524>] [B<-setpag>] [B<-path> | B<-p>] <I<path>>+
+    [B<-force>] [B<-524>] [B<-setpag>] [B<-insecure_des>] [B<-path> | B<-p>] <I<path>>+
 
 =for html
 </div>
@@ -36,13 +36,15 @@ specified with B<-k>.  B<-k> cannot be used in B<-path> mode (see below).
 When a Kerberos 5 cross-realm trust is used, B<aklog> looks up the AFS ID
 corresponding to the name (Kerberos principal) of the person invoking the
 command, and if the user doesn't exist and the
-system:authuser@FOREIGN.REALM PTS group exists, then it attempts automatic
+C<system:authuser@FOREIGN.REALM> PTS group exists, then it attempts automatic
 registration of the user with the foreign cell.  The user is then added to
-the system:authuser@FOREIGN.REALM PTS group if registration is successful.
+the C<system:authuser@FOREIGN.REALM> PTS group if registration is successful.
 Automatic registration in the foreign cell will fail if the group quota
-for the system:authuser@FOREIGN.REALM group is less than one.  Each
+for the C<system:authuser@FOREIGN.REALM> group is less than one.  Each
 automatic registration decrements the group quota by one.
 
+=head1 CAUTIONS
+
 When using B<aklog>, be aware that AFS uses the Kerberos v4 principal
 naming format, not the Kerberos v5 format, when referring to principals in
 PTS ACLs, F<UserList>, and similar locations.  AFS will internally map
@@ -54,6 +56,15 @@ entry for the Kerberos v5 principal C<user/admin>, refer to it as
 C<user.admin>, and for the principal C<host/shell.example.com>, refer to
 it as C<rcmd.shell>.
 
+The B<aklog> mapping of Kerberos v5 principal to Kerberos v4 principal and
+the determination that a Kerberos realm is foreign is performed in the
+absence of the actual AFS server configuration.  If the B<aklog> mapping
+of Kerberos v5 principal to Kerberos v4 principal or the foreign realm
+determination is wrong, the PTS name-to-id lookup will produce the wrong
+AFS ID for the user.  The AFS ID is only used for display purposes and
+should not be trusted.  Use the B<-noprdb> switch to disable the PTS
+name-to-id lookup.
+
 =head1 OPTIONS
 
 =over 4
@@ -108,6 +119,11 @@ normally won't be necessary.
 
 If the AFS cell is linked to another AFS cell, get tokens for both.
 
+-item B<-insecure_des>
+
+Configure libkrb5 to allow the use of the (insecure) single-DES encryption
+types.  When rxkad-k5 is in use, this is not needed.
+
 =item B<-noauth>
 
 Don't actually authenticate, just do everything else B<aklog> does up to