xref: /freebsd/crypto/krb5/doc/pdf/basic.tex (revision 7f2fe78b9dd5f51c821d771b63d2e096f6fd49e9)

%% Generated by Sphinx.
\def\sphinxdocclass{report}
\documentclass[letterpaper,10pt,english]{sphinxmanual}
\ifdefined\pdfpxdimen
   \let\sphinxpxdimen\pdfpxdimen\else\newdimen\sphinxpxdimen
\fi \sphinxpxdimen=.75bp\relax
\ifdefined\pdfimageresolution
    \pdfimageresolution= \numexpr \dimexpr1in\relax/\sphinxpxdimen\relax
\fi
%% let collapsible pdf bookmarks panel have high depth per default
\PassOptionsToPackage{bookmarksdepth=5}{hyperref}

\PassOptionsToPackage{warn}{textcomp}
\usepackage[utf8]{inputenc}
\ifdefined\DeclareUnicodeCharacter
% support both utf8 and utf8x syntaxes
  \ifdefined\DeclareUnicodeCharacterAsOptional
    \def\sphinxDUC#1{\DeclareUnicodeCharacter{"#1}}
  \else
    \let\sphinxDUC\DeclareUnicodeCharacter
  \fi
  \sphinxDUC{00A0}{\nobreakspace}
  \sphinxDUC{2500}{\sphinxunichar{2500}}
  \sphinxDUC{2502}{\sphinxunichar{2502}}
  \sphinxDUC{2514}{\sphinxunichar{2514}}
  \sphinxDUC{251C}{\sphinxunichar{251C}}
  \sphinxDUC{2572}{\textbackslash}
\fi
\usepackage{cmap}
\usepackage[T1]{fontenc}
\usepackage{amsmath,amssymb,amstext}
\usepackage{babel}



\usepackage{tgtermes}
\usepackage{tgheros}
\renewcommand{\ttdefault}{txtt}



\usepackage[Bjarne]{fncychap}
\usepackage{sphinx}

\fvset{fontsize=auto}
\usepackage{geometry}


% Include hyperref last.
\usepackage{hyperref}
% Fix anchor placement for figures with captions.
\usepackage{hypcap}% it must be loaded after hyperref.
% Set up styles of URL: it should be placed after hyperref.
\urlstyle{same}


\usepackage{sphinxmessages}
\setcounter{tocdepth}{0}



\title{Kerberos Concepts}
\date{ }
\release{1.21.3}
\author{MIT}
\newcommand{\sphinxlogo}{\vbox{}}
\renewcommand{\releasename}{Release}
\makeindex
\begin{document}

\pagestyle{empty}
\sphinxmaketitle
\pagestyle{plain}
\sphinxtableofcontents
\pagestyle{normal}
\phantomsection\label{\detokenize{basic/index::doc}}



\chapter{Credential cache}
\label{\detokenize{basic/ccache_def:credential-cache}}\label{\detokenize{basic/ccache_def:ccache-definition}}\label{\detokenize{basic/ccache_def::doc}}
\sphinxAtStartPar
A credential cache (or “ccache”) holds Kerberos credentials while they
remain valid and, generally, while the user’s session lasts, so that
authenticating to a service multiple times (e.g., connecting to a web
or mail server more than once) doesn’t require contacting the KDC
every time.

\sphinxAtStartPar
A credential cache usually contains one initial ticket which is
obtained using a password or another form of identity verification.
If this ticket is a ticket\sphinxhyphen{}granting ticket, it can be used to obtain
additional credentials without the password.  Because the credential
cache does not store the password, less long\sphinxhyphen{}term damage can be done
to the user’s account if the machine is compromised.

\sphinxAtStartPar
A credentials cache stores a default client principal name, set when
the cache is created.  This is the name shown at the top of the
\DUrole{xref,std,std-ref}{klist(1)} \sphinxstyleemphasis{\sphinxhyphen{}A} output.

\sphinxAtStartPar
Each normal cache entry includes a service principal name, a client
principal name (which, in some ccache types, need not be the same as
the default), lifetime information, and flags, along with the
credential itself.  There are also other entries, indicated by special
names, that store additional information.


\section{ccache types}
\label{\detokenize{basic/ccache_def:ccache-types}}
\sphinxAtStartPar
The credential cache interface, like the {\hyperref[\detokenize{basic/keytab_def:keytab-definition}]{\sphinxcrossref{\DUrole{std,std-ref}{keytab}}}} and
{\hyperref[\detokenize{basic/rcache_def:rcache-definition}]{\sphinxcrossref{\DUrole{std,std-ref}{replay cache}}}} interfaces, uses \sphinxtitleref{TYPE:value} strings to
indicate the type of credential cache and any associated cache naming
data to use.

\sphinxAtStartPar
There are several kinds of credentials cache supported in the MIT
Kerberos library.  Not all are supported on every platform.  In most
cases, it should be correct to use the default type built into the
library.
\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {}
\sphinxAtStartPar
\sphinxstylestrong{API} is only implemented on Windows.  It communicates with a
server process that holds the credentials in memory for the user,
rather than writing them to disk.

\item {}
\sphinxAtStartPar
\sphinxstylestrong{DIR} points to the storage location of the collection of the
credential caches in \sphinxstyleemphasis{FILE:} format. It is most useful when dealing
with multiple Kerberos realms and KDCs.  For release 1.10 the
directory must already exist.  In post\sphinxhyphen{}1.10 releases the
requirement is for parent directory to exist and the current
process must have permissions to create the directory if it does
not exist. See {\hyperref[\detokenize{basic/ccache_def:col-ccache}]{\sphinxcrossref{\DUrole{std,std-ref}{Collections of caches}}}} for details.  New in release 1.10.
The following residual forms are supported:
\begin{itemize}
\item {}
\sphinxAtStartPar
DIR:dirname

\item {}
\sphinxAtStartPar
DIR::dirpath/filename \sphinxhyphen{} a single cache within the directory

\end{itemize}

\sphinxAtStartPar
Switching to a ccache of the latter type causes it to become the
primary for the directory.

\item {}
\sphinxAtStartPar
\sphinxstylestrong{FILE} caches are the simplest and most portable. A simple flat
file format is used to store one credential after another.  This is
the default ccache type if no type is specified in a ccache name.

\item {}
\sphinxAtStartPar
\sphinxstylestrong{KCM} caches work by contacting a daemon process called \sphinxcode{\sphinxupquote{kcm}}
to perform cache operations.  If the cache name is just \sphinxcode{\sphinxupquote{KCM:}},
the default cache as determined by the KCM daemon will be used.
Newly created caches must generally be named \sphinxcode{\sphinxupquote{KCM:uid:name}},
where \sphinxstyleemphasis{uid} is the effective user ID of the running process.

\sphinxAtStartPar
KCM client support is new in release 1.13.  A KCM daemon has not
yet been implemented in MIT krb5, but the client will interoperate
with the KCM daemon implemented by Heimdal.  macOS 10.7 and higher
provides a KCM daemon as part of the operating system, and the
\sphinxstylestrong{KCM} cache type is used as the default cache on that platform in
a default build.

\item {}
\sphinxAtStartPar
\sphinxstylestrong{KEYRING} is Linux\sphinxhyphen{}specific, and uses the kernel keyring support
to store credential data in unswappable kernel memory where only
the current user should be able to access it.  The following
residual forms are supported:
\begin{itemize}
\item {}
\sphinxAtStartPar
KEYRING:name

\item {}
\sphinxAtStartPar
KEYRING:process:name \sphinxhyphen{} process keyring

\item {}
\sphinxAtStartPar
KEYRING:thread:name \sphinxhyphen{}  thread keyring

\end{itemize}

\sphinxAtStartPar
Starting with release 1.12 the \sphinxstyleemphasis{KEYRING} type supports collections.
The following new residual forms were added:
\begin{itemize}
\item {}
\sphinxAtStartPar
KEYRING:session:name \sphinxhyphen{} session keyring

\item {}
\sphinxAtStartPar
KEYRING:user:name \sphinxhyphen{} user keyring

\item {}
\sphinxAtStartPar
KEYRING:persistent:uidnumber \sphinxhyphen{} persistent per\sphinxhyphen{}UID collection.
Unlike the user keyring, this collection survives after the user
logs out, until the cache credentials expire.  This type of
ccache requires support from the kernel; otherwise, it will fall
back to the user keyring.

\end{itemize}

\sphinxAtStartPar
See {\hyperref[\detokenize{basic/ccache_def:col-ccache}]{\sphinxcrossref{\DUrole{std,std-ref}{Collections of caches}}}} for details.

\item {}
\sphinxAtStartPar
\sphinxstylestrong{MEMORY} caches are for storage of credentials that don’t need to
be made available outside of the current process.  For example, a
memory ccache is used by \DUrole{xref,std,std-ref}{kadmin(1)} to store the
administrative ticket used to contact the admin server.  Memory
ccaches are faster than file ccaches and are automatically
destroyed when the process exits.

\item {}
\sphinxAtStartPar
\sphinxstylestrong{MSLSA} is a Windows\sphinxhyphen{}specific cache type that accesses the
Windows credential store.

\end{enumerate}


\section{Collections of caches}
\label{\detokenize{basic/ccache_def:collections-of-caches}}\label{\detokenize{basic/ccache_def:col-ccache}}
\sphinxAtStartPar
Some credential cache types can support collections of multiple
caches.  One of the caches in the collection is designated as the
\sphinxstyleemphasis{primary} and will be used when the collection is resolved as a cache.
When a collection\sphinxhyphen{}enabled cache type is the default cache for a
process, applications can search the specified collection for a
specific client principal, and GSSAPI applications will automatically
select between the caches in the collection based on criteria such as
the target service realm.

\sphinxAtStartPar
Credential cache collections are new in release 1.10, with support
from the \sphinxstylestrong{DIR} and \sphinxstylestrong{API} ccache types.  Starting in release 1.12,
collections are also supported by the \sphinxstylestrong{KEYRING} ccache type.
Collections are supported by the \sphinxstylestrong{KCM} ccache type in release 1.13.


\subsection{Tool alterations to use cache collection}
\label{\detokenize{basic/ccache_def:tool-alterations-to-use-cache-collection}}\begin{itemize}
\item {}
\sphinxAtStartPar
\DUrole{xref,std,std-ref}{kdestroy(1)} \sphinxstyleemphasis{\sphinxhyphen{}A} will destroy all caches in the collection.

\item {}
\sphinxAtStartPar
If the default cache type supports switching, \DUrole{xref,std,std-ref}{kinit(1)}
\sphinxstyleemphasis{princname} will search the collection for a matching cache and
store credentials there, or will store credentials in a new unique
cache of the default type if no existing cache for the principal
exists.  Either way, kinit will switch to the selected cache.

\item {}
\sphinxAtStartPar
\DUrole{xref,std,std-ref}{klist(1)} \sphinxstyleemphasis{\sphinxhyphen{}l} will list the caches in the collection.

\item {}
\sphinxAtStartPar
\DUrole{xref,std,std-ref}{klist(1)} \sphinxstyleemphasis{\sphinxhyphen{}A} will show the content of all caches in the
collection.

\item {}
\sphinxAtStartPar
\DUrole{xref,std,std-ref}{kswitch(1)} \sphinxstyleemphasis{\sphinxhyphen{}p princname} will search the collection for a
matching cache and switch to it.

\item {}
\sphinxAtStartPar
\DUrole{xref,std,std-ref}{kswitch(1)} \sphinxstyleemphasis{\sphinxhyphen{}c cachename} will switch to a specified cache.

\end{itemize}


\section{Default ccache name}
\label{\detokenize{basic/ccache_def:default-ccache-name}}
\sphinxAtStartPar
The default credential cache name is determined by the following, in
descending order of priority:
\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {}
\sphinxAtStartPar
The \sphinxstylestrong{KRB5CCNAME} environment variable.  For example,
\sphinxcode{\sphinxupquote{KRB5CCNAME=DIR:/mydir/}}.

\item {}
\sphinxAtStartPar
The \sphinxstylestrong{default\_ccache\_name} profile variable in \DUrole{xref,std,std-ref}{libdefaults}.

\item {}
\sphinxAtStartPar
The hardcoded default, \DUrole{xref,std,std-ref}{DEFCCNAME}.

\end{enumerate}


\chapter{keytab}
\label{\detokenize{basic/keytab_def:keytab}}\label{\detokenize{basic/keytab_def:keytab-definition}}\label{\detokenize{basic/keytab_def::doc}}
\sphinxAtStartPar
A keytab (short for “key table”) stores long\sphinxhyphen{}term keys for one or more
principals.  Keytabs are normally represented by files in a standard
format, although in rare cases they can be represented in other ways.
Keytabs are used most often to allow server applications to accept
authentications from clients, but can also be used to obtain initial
credentials for client applications.

\sphinxAtStartPar
Keytabs are named using the format \sphinxstyleemphasis{type}\sphinxcode{\sphinxupquote{:}}\sphinxstyleemphasis{value}.  Usually
\sphinxstyleemphasis{type} is \sphinxcode{\sphinxupquote{FILE}} and \sphinxstyleemphasis{value} is the absolute pathname of the file.
The other possible value for \sphinxstyleemphasis{type} is \sphinxcode{\sphinxupquote{MEMORY}}, which indicates a
temporary keytab stored in the memory of the current process.

\sphinxAtStartPar
A keytab contains one or more entries, where each entry consists of a
timestamp (indicating when the entry was written to the keytab), a
principal name, a key version number, an encryption type, and the
encryption key itself.

\sphinxAtStartPar
A keytab can be displayed using the \DUrole{xref,std,std-ref}{klist(1)} command with the
\sphinxcode{\sphinxupquote{\sphinxhyphen{}k}} option.  Keytabs can be created or appended to by extracting
keys from the KDC database using the \DUrole{xref,std,std-ref}{kadmin(1)} \DUrole{xref,std,std-ref}{ktadd}
command.  Keytabs can be manipulated using the \DUrole{xref,std,std-ref}{ktutil(1)} and
\DUrole{xref,std,std-ref}{k5srvutil(1)} commands.


\section{Default keytab}
\label{\detokenize{basic/keytab_def:default-keytab}}
\sphinxAtStartPar
The default keytab is used by server applications if the application
does not request a specific keytab.  The name of the default keytab is
determined by the following, in decreasing order of preference:
\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {}
\sphinxAtStartPar
The \sphinxstylestrong{KRB5\_KTNAME} environment variable.

\item {}
\sphinxAtStartPar
The \sphinxstylestrong{default\_keytab\_name} profile variable in \DUrole{xref,std,std-ref}{libdefaults}.

\item {}
\sphinxAtStartPar
The hardcoded default, \DUrole{xref,std,std-ref}{DEFKTNAME}.

\end{enumerate}


\section{Default client keytab}
\label{\detokenize{basic/keytab_def:default-client-keytab}}
\sphinxAtStartPar
The default client keytab is used, if it is present and readable, to
automatically obtain initial credentials for GSSAPI client
applications.  The principal name of the first entry in the client
keytab is used by default when obtaining initial credentials.  The
name of the default client keytab is determined by the following, in
decreasing order of preference:
\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {}
\sphinxAtStartPar
The \sphinxstylestrong{KRB5\_CLIENT\_KTNAME} environment variable.

\item {}
\sphinxAtStartPar
The \sphinxstylestrong{default\_client\_keytab\_name} profile variable in
\DUrole{xref,std,std-ref}{libdefaults}.

\item {}
\sphinxAtStartPar
The hardcoded default, \DUrole{xref,std,std-ref}{DEFCKTNAME}.

\end{enumerate}


\chapter{replay cache}
\label{\detokenize{basic/rcache_def:replay-cache}}\label{\detokenize{basic/rcache_def:rcache-definition}}\label{\detokenize{basic/rcache_def::doc}}
\sphinxAtStartPar
A replay cache (or “rcache”) keeps track of all authenticators
recently presented to a service.  If a duplicate authentication
request is detected in the replay cache, an error message is sent to
the application program.

\sphinxAtStartPar
The replay cache interface, like the credential cache and
{\hyperref[\detokenize{basic/keytab_def:keytab-definition}]{\sphinxcrossref{\DUrole{std,std-ref}{keytab}}}} interfaces, uses \sphinxtitleref{type:residual} strings to
indicate the type of replay cache and any associated cache naming
data to use.


\section{Background information}
\label{\detokenize{basic/rcache_def:background-information}}
\sphinxAtStartPar
Some Kerberos or GSSAPI services use a simple authentication mechanism
where a message is sent containing an authenticator, which establishes
the encryption key that the client will use for talking to the
service.  But nothing about that prevents an eavesdropper from
recording the messages sent by the client, establishing a new
connection, and re\sphinxhyphen{}sending or “replaying” the same messages; the
replayed authenticator will establish the same encryption key for the
new session, and the following messages will be decrypted and
processed.  The attacker may not know what the messages say, and can’t
generate new messages under the same encryption key, but in some
instances it may be harmful to the user (or helpful to the attacker)
to cause the server to see the same messages again a second time.  For
example, if the legitimate client sends “delete first message in
mailbox”, a replay from an attacker may delete another, different
“first” message.  (Protocol design to guard against such problems has
been discussed in \index{RFC@\spxentry{RFC}!RFC 4120\#section\sphinxhyphen{}10@\spxentry{RFC 4120\#section\sphinxhyphen{}10}}\sphinxhref{https://tools.ietf.org/html/rfc4120.html\#section-10}{\sphinxstylestrong{RFC 4120\#section\sphinxhyphen{}10}}.)

\sphinxAtStartPar
Even if one protocol uses further protection to verify that the client
side of the connection actually knows the encryption keys (and thus is
presumably a legitimate user), if another service uses the same
service principal name, it may be possible to record an authenticator
used with the first protocol and “replay” it against the second.

\sphinxAtStartPar
The replay cache mitigates these attacks somewhat, by keeping track of
authenticators that have been seen until their five\sphinxhyphen{}minute window
expires.  Different authenticators generated by multiple connections
from the same legitimate client will generally have different
timestamps, and thus will not be considered the same.

\sphinxAtStartPar
This mechanism isn’t perfect.  If a message is sent to one application
server but a man\sphinxhyphen{}in\sphinxhyphen{}the\sphinxhyphen{}middle attacker can prevent it from actually
arriving at that server, the attacker could then use the authenticator
(once!) against a different service on the same host.  This could be a
problem if the message from the client included something more than
authentication in the first message that could be useful to the
attacker (which is uncommon; in most protocols the server has to
indicate a successful authentication before the client sends
additional messages), or if the simple act of presenting the
authenticator triggers some interesting action in the service being
attacked.


\section{Replay cache types}
\label{\detokenize{basic/rcache_def:replay-cache-types}}
\sphinxAtStartPar
Unlike the credential cache and keytab interfaces, replay cache types
are in lowercase.  The following types are defined:
\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {}
\sphinxAtStartPar
\sphinxstylestrong{none} disables the replay cache.  The residual value is ignored.

\item {}
\sphinxAtStartPar
\sphinxstylestrong{file2} (new in release 1.18) uses a hash\sphinxhyphen{}based format to store
replay records.  The file may grow to accommodate hash collisions.
The residual value is the filename.

\item {}
\sphinxAtStartPar
\sphinxstylestrong{dfl} is the default type if no environment variable or
configuration specifies a different type.  It stores replay data in
a file2 replay cache with a filename based on the effective uid.
The residual value is ignored.

\end{enumerate}

\sphinxAtStartPar
For the dfl type, the location of the replay cache file is determined
as follows:
\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {}
\sphinxAtStartPar
The directory is taken from the \sphinxstylestrong{KRB5RCACHEDIR} environment
variable, or the \sphinxstylestrong{TMPDIR} environment variable, or a temporary
directory determined at configuration time such as \sphinxcode{\sphinxupquote{/var/tmp}}, in
descending order of preference.

\item {}
\sphinxAtStartPar
The filename is \sphinxcode{\sphinxupquote{krb5\_EUID.rcache2}} where EUID is the effective
uid of the process.

\item {}
\sphinxAtStartPar
The file is opened without following symbolic links, and ownership
of the file is verified to match the effective uid.

\end{enumerate}

\sphinxAtStartPar
On Windows, the directory for the dfl type is the local appdata
directory, unless overridden by the \sphinxstylestrong{KRB5RCACHEDIR} environment
variable.  The filename on Windows is \sphinxcode{\sphinxupquote{krb5.rcache2}}, and the file
is opened normally.


\section{Default replay cache name}
\label{\detokenize{basic/rcache_def:default-replay-cache-name}}
\sphinxAtStartPar
The default replay cache name is determined by the following, in
descending order of priority:
\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {}
\sphinxAtStartPar
The \sphinxstylestrong{KRB5RCACHENAME} environment variable (new in release 1.18).

\item {}
\sphinxAtStartPar
The \sphinxstylestrong{KRB5RCACHETYPE} environment variable.  If this variable is
set, the residual value is empty.

\item {}
\sphinxAtStartPar
The \sphinxstylestrong{default\_rcache\_name} profile variable in \DUrole{xref,std,std-ref}{libdefaults}
(new in release 1.18).

\item {}
\sphinxAtStartPar
If none of the above are set, the default replay cache name is
\sphinxcode{\sphinxupquote{dfl:}}.

\end{enumerate}


\chapter{stash file}
\label{\detokenize{basic/stash_file_def:stash-file}}\label{\detokenize{basic/stash_file_def:stash-definition}}\label{\detokenize{basic/stash_file_def::doc}}
\sphinxAtStartPar
The stash file is a local copy of the master key that resides in
encrypted form on the KDC’s local disk.  The stash file is used to
authenticate the KDC to itself automatically before starting the
\DUrole{xref,std,std-ref}{kadmind(8)} and \DUrole{xref,std,std-ref}{krb5kdc(8)} daemons (e.g., as part of the
machine’s boot sequence).  The stash file, like the keytab file (see
\DUrole{xref,std,std-ref}{keytab\_file}) is a potential point\sphinxhyphen{}of\sphinxhyphen{}entry for a break\sphinxhyphen{}in, and
if compromised, would allow unrestricted access to the Kerberos
database.  If you choose to install a stash file, it should be
readable only by root, and should exist only on the KDC’s local disk.
The file should not be part of any backup of the machine, unless
access to the backup data is secured as tightly as access to the
master password itself.

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
If you choose not to install a stash file, the KDC will prompt you for the master key each time it starts up.
This means that the KDC will not be able to start automatically, such as after a system reboot.
\end{sphinxadmonition}


\chapter{Supported date and time formats}
\label{\detokenize{basic/date_format:supported-date-and-time-formats}}\label{\detokenize{basic/date_format:datetime}}\label{\detokenize{basic/date_format::doc}}

\section{Time duration}
\label{\detokenize{basic/date_format:time-duration}}\label{\detokenize{basic/date_format:duration}}
\sphinxAtStartPar
This format is used to express a time duration in the Kerberos
configuration files and user commands.  The allowed formats are:
\begin{quote}


\begin{savenotes}\sphinxattablestart
\centering
\begin{tabulary}{\linewidth}[t]{|T|T|T|}
\hline

\sphinxAtStartPar
Format
&
\sphinxAtStartPar
Example
&
\sphinxAtStartPar
Value
\\
\hline
\sphinxAtStartPar
h:m{[}:s{]}
&
\sphinxAtStartPar
36:00
&
\sphinxAtStartPar
36 hours
\\
\hline
\sphinxAtStartPar
NdNhNmNs
&
\sphinxAtStartPar
8h30s
&
\sphinxAtStartPar
8 hours 30 seconds
\\
\hline
\sphinxAtStartPar
N (number of seconds)
&
\sphinxAtStartPar
3600
&
\sphinxAtStartPar
1 hour
\\
\hline
\end{tabulary}
\par
\sphinxattableend\end{savenotes}
\end{quote}

\sphinxAtStartPar
Here \sphinxstyleemphasis{N} denotes a number, \sphinxstyleemphasis{d} \sphinxhyphen{} days, \sphinxstyleemphasis{h} \sphinxhyphen{} hours, \sphinxstyleemphasis{m} \sphinxhyphen{} minutes,
\sphinxstyleemphasis{s} \sphinxhyphen{} seconds.

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
The time interval should not exceed 2147483647 seconds.
\end{sphinxadmonition}

\sphinxAtStartPar
Examples:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{Request} \PYG{n}{a} \PYG{n}{ticket} \PYG{n}{valid} \PYG{k}{for} \PYG{n}{one} \PYG{n}{hour}\PYG{p}{,} \PYG{n}{five} \PYG{n}{hours}\PYG{p}{,} \PYG{l+m+mi}{30} \PYG{n}{minutes}
\PYG{o+ow}{and} \PYG{l+m+mi}{10} \PYG{n}{days} \PYG{n}{respectively}\PYG{p}{:}

  \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+m+mi}{3600}
  \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+m+mi}{5}\PYG{p}{:}\PYG{l+m+mi}{00}
  \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+m+mi}{30}\PYG{n}{m}
  \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{10d 0h 0m 0s}\PYG{l+s+s2}{\PYGZdq{}}
\end{sphinxVerbatim}


\section{getdate time}
\label{\detokenize{basic/date_format:getdate-time}}\label{\detokenize{basic/date_format:getdate}}
\sphinxAtStartPar
Some of the kadmin and kdb5\_util commands take a date\sphinxhyphen{}time in a
human\sphinxhyphen{}readable format.  Some of the acceptable date\sphinxhyphen{}time
strings are:
\begin{quote}


\begin{savenotes}\sphinxattablestart
\centering
\begin{tabulary}{\linewidth}[t]{|T|T|T|}
\hline
\sphinxstyletheadfamily &\sphinxstyletheadfamily
\sphinxAtStartPar
Format
&\sphinxstyletheadfamily
\sphinxAtStartPar
Example
\\
\hline\sphinxmultirow{3}{4}{%
\begin{varwidth}[t]{\sphinxcolwidth{1}{3}}
\sphinxAtStartPar
Date
\par
\vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}%
}%
&
\sphinxAtStartPar
mm/dd/yy
&
\sphinxAtStartPar
07/27/12
\\
\cline{2-3}\sphinxtablestrut{4}&
\sphinxAtStartPar
month dd, yyyy
&
\sphinxAtStartPar
Jul 27, 2012
\\
\cline{2-3}\sphinxtablestrut{4}&
\sphinxAtStartPar
yyyy\sphinxhyphen{}mm\sphinxhyphen{}dd
&
\sphinxAtStartPar
2012\sphinxhyphen{}07\sphinxhyphen{}27
\\
\hline\sphinxmultirow{2}{11}{%
\begin{varwidth}[t]{\sphinxcolwidth{1}{3}}
\sphinxAtStartPar
Absolute
time
\par
\vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}%
}%
&
\sphinxAtStartPar
HH:mm{[}:ss{]}pp
&
\sphinxAtStartPar
08:30 PM
\\
\cline{2-3}\sphinxtablestrut{11}&
\sphinxAtStartPar
hh:mm{[}:ss{]}
&
\sphinxAtStartPar
20:30
\\
\hline
\sphinxAtStartPar
Relative
time
&
\sphinxAtStartPar
N tt
&
\sphinxAtStartPar
30 sec
\\
\hline\sphinxmultirow{2}{19}{%
\begin{varwidth}[t]{\sphinxcolwidth{1}{3}}
\sphinxAtStartPar
Time zone
\par
\vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}%
}%
&
\sphinxAtStartPar
Z
&
\sphinxAtStartPar
EST
\\
\cline{2-3}\sphinxtablestrut{19}&
\sphinxAtStartPar
z
&
\sphinxAtStartPar
\sphinxhyphen{}0400
\\
\hline
\end{tabulary}
\par
\sphinxattableend\end{savenotes}
\end{quote}

\sphinxAtStartPar
(See {\hyperref[\detokenize{basic/date_format:abbreviation}]{\sphinxcrossref{\DUrole{std,std-ref}{Abbreviations used in this document}}}}.)

\sphinxAtStartPar
Examples:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{Create} \PYG{n}{a} \PYG{n}{principal} \PYG{n}{that} \PYG{n}{expires} \PYG{n}{on} \PYG{n}{the} \PYG{n}{date} \PYG{n}{indicated}\PYG{p}{:}
    \PYG{n}{addprinc} \PYG{n}{test1} \PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{3/27/12 10:00:07 EST}\PYG{l+s+s2}{\PYGZdq{}}
    \PYG{n}{addprinc} \PYG{n}{test2} \PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{January 23, 2015 10:05pm}\PYG{l+s+s2}{\PYGZdq{}}
    \PYG{n}{addprinc} \PYG{n}{test3} \PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{22:00 GMT}\PYG{l+s+s2}{\PYGZdq{}}
\PYG{n}{Add} \PYG{n}{a} \PYG{n}{principal} \PYG{n}{that} \PYG{n}{will} \PYG{n}{expire} \PYG{o+ow}{in} \PYG{l+m+mi}{30} \PYG{n}{minutes}\PYG{p}{:}
    \PYG{n}{addprinc} \PYG{n}{test4} \PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{30 minutes}\PYG{l+s+s2}{\PYGZdq{}}
\end{sphinxVerbatim}


\section{Absolute time}
\label{\detokenize{basic/date_format:absolute-time}}\label{\detokenize{basic/date_format:abstime}}
\sphinxAtStartPar
This rarely used date\sphinxhyphen{}time format can be noted in one of the
following ways:
\begin{quote}


\begin{savenotes}\sphinxattablestart
\centering
\begin{tabulary}{\linewidth}[t]{|T|T|T|}
\hline
\sphinxstyletheadfamily
\sphinxAtStartPar
Format
&\sphinxstyletheadfamily
\sphinxAtStartPar
Example
&\sphinxstyletheadfamily
\sphinxAtStartPar
Value
\\
\hline
\sphinxAtStartPar
yyyymmddhhmmss
&
\sphinxAtStartPar
20141231235900
&\sphinxmultirow{5}{6}{%
\begin{varwidth}[t]{\sphinxcolwidth{1}{3}}
\sphinxAtStartPar
One minute
before 2015
\par
\vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}%
}%
\\
\cline{1-2}
\sphinxAtStartPar
yyyy.mm.dd.hh.mm.ss
&
\sphinxAtStartPar
2014.12.31.23.59.00
&\sphinxtablestrut{6}\\
\cline{1-2}
\sphinxAtStartPar
yymmddhhmmss
&
\sphinxAtStartPar
141231235900
&\sphinxtablestrut{6}\\
\cline{1-2}
\sphinxAtStartPar
yy.mm.dd.hh.mm.ss
&
\sphinxAtStartPar
14.12.31.23.59.00
&\sphinxtablestrut{6}\\
\cline{1-2}
\sphinxAtStartPar
dd\sphinxhyphen{}month\sphinxhyphen{}yyyy:hh:mm:ss
&
\sphinxAtStartPar
31\sphinxhyphen{}Dec\sphinxhyphen{}2014:23:59:00
&\sphinxtablestrut{6}\\
\hline
\sphinxAtStartPar
hh:mm:ss
&
\sphinxAtStartPar
20:00:00
&\sphinxmultirow{2}{17}{%
\begin{varwidth}[t]{\sphinxcolwidth{1}{3}}
\sphinxAtStartPar
8 o’clock in
the evening
\par
\vskip-\baselineskip\vbox{\hbox{\strut}}\end{varwidth}%
}%
\\
\cline{1-2}
\sphinxAtStartPar
hhmmss
&
\sphinxAtStartPar
200000
&\sphinxtablestrut{17}\\
\hline
\end{tabulary}
\par
\sphinxattableend\end{savenotes}
\end{quote}

\sphinxAtStartPar
(See {\hyperref[\detokenize{basic/date_format:abbreviation}]{\sphinxcrossref{\DUrole{std,std-ref}{Abbreviations used in this document}}}}.)

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{Set} \PYG{n}{the} \PYG{n}{default} \PYG{n}{expiration} \PYG{n}{date} \PYG{n}{to} \PYG{n}{July} \PYG{l+m+mi}{27}\PYG{p}{,} \PYG{l+m+mi}{2012} \PYG{n}{at} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{30}
\PYG{n}{default\PYGZus{}principal\PYGZus{}expiration} \PYG{o}{=} \PYG{l+m+mi}{20120727203000}
\end{sphinxVerbatim}


\subsection{Abbreviations used in this document}
\label{\detokenize{basic/date_format:abbreviations-used-in-this-document}}\label{\detokenize{basic/date_format:abbreviation}}
\begin{DUlineblock}{0em}
\item[] \sphinxstyleemphasis{month}  : locale’s month name or its abbreviation;
\item[] \sphinxstyleemphasis{dd}   : day of month (01\sphinxhyphen{}31);
\item[] \sphinxstyleemphasis{HH}   : hours (00\sphinxhyphen{}12);
\item[] \sphinxstyleemphasis{hh}   : hours (00\sphinxhyphen{}23);
\item[] \sphinxstyleemphasis{mm}   : in time \sphinxhyphen{} minutes (00\sphinxhyphen{}59); in date \sphinxhyphen{} month (01\sphinxhyphen{}12);
\item[] \sphinxstyleemphasis{N}    : number;
\item[] \sphinxstyleemphasis{pp}   : AM or PM;
\item[] \sphinxstyleemphasis{ss}   : seconds  (00\sphinxhyphen{}60);
\item[] \sphinxstyleemphasis{tt}   : time units (hours, minutes, min, seconds, sec);
\item[] \sphinxstyleemphasis{yyyy} : year;
\item[] \sphinxstyleemphasis{yy}   : last two digits of the year;
\item[] \sphinxstyleemphasis{Z}    : alphabetic time zone abbreviation;
\item[] \sphinxstyleemphasis{z}    : numeric time zone;
\end{DUlineblock}

\begin{sphinxadmonition}{note}{Note:}\begin{itemize}
\item {}
\sphinxAtStartPar
If the date specification contains spaces, you may need to
enclose it in double quotes;

\item {}
\sphinxAtStartPar
All keywords are case\sphinxhyphen{}insensitive.

\end{itemize}
\end{sphinxadmonition}



\renewcommand{\indexname}{Index}
\printindex
\end{document}