os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Multiple files: Fix 'shared' references

Browse source 
The hier(7) man-page lists /usr/share as the location for
architecture-independent files, so fix a few instances where the
documentation referes to /usr/shared instead of /usr/share.

PR:		253760
This commit is contained in:
Ceri Davies 2021-02-22 19:28:19 +01:00 committed by Daniel Ebdrup Jensen
parent 04a393d530
commit a0f7ad455b
19 changed files with 39 additions and 39 deletions
Download patch file Download diff file Expand all files Collapse all files

2
documentation/content/en/books/handbook/security/_index.adoc
View file

@ -819,7 +819,7 @@ When configuring and troubleshooting Kerberos, keep the following points in mind
* With MITKerberos, to allow a principal to have a ticket life longer than the default lifetime of ten hours, use `modify_principal` at the man:kadmin[8] prompt to change the `maxlife` of both the principal in question and the `krbtgt` principal. The principal can then use `kinit -l` to request a ticket with a longer lifetime.
* When running a packet sniffer on the KDC to aid in troubleshooting while running `kinit` from a workstation, the Ticket Granting Ticket (TGT) is sent immediately, even before the password is typed. This is because the Kerberos server freely transmits a TGT to any unauthorized request. However, every TGT is encrypted in a key derived from the user's password. When a user types their password, it is not sent to the KDC, it is instead used to decrypt the TGT that `kinit` already obtained. If the decryption process results in a valid ticket with a valid time stamp, the user has valid Kerberos credentials. These credentials include a session key for establishing secure communications with the Kerberos server in the future, as well as the actual TGT, which is encrypted with the Kerberos server's own key. This second layer of encryption allows the Kerberos server to verify the authenticity of each TGT.
* Host principals can have a longer ticket lifetime. If the user principal has a lifetime of a week but the host being connected to has a lifetime of nine hours, the user cache will have an expired host principal and the ticket cache will not work as expected.
* When setting up [.filename]#krb5.dict# to prevent specific bad passwords from being used as described in man:kadmind[8], remember that it only applies to principals that have a password policy assigned to them. The format used in [.filename]#krb5.dict# is one string per line. Creating a symbolic link to [.filename]#/usr/shared/dict/words# might be useful.
* When setting up [.filename]#krb5.dict# to prevent specific bad passwords from being used as described in man:kadmind[8], remember that it only applies to principals that have a password policy assigned to them. The format used in [.filename]#krb5.dict# is one string per line. Creating a symbolic link to [.filename]#/usr/share/dict/words# might be useful.
=== Mitigating Kerberos Limitations