Update man pages to reference kerberos(7)

Resolves: #1143767
2018-10-24 15:07:14 -04:00 · 2018-10-24 15:07:14 -04:00 · 3ce8c381c3
commit 3ce8c381c3
parent d760ebeab2
4 changed files with 1381 additions and 1 deletions
--- a/Bring-back-general-kerberos-man-page.patch
+++ b/Bring-back-general-kerberos-man-page.patch
@ -0,0 +1,468 @@
+From 67653084e8770fe4af4e06848452e83dc37b7ade Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 9 Oct 2018 17:05:10 -0400
+Subject: [PATCH] Bring back general kerberos man page
+
+Restore the content of kerberos(1) as it stood in
+0f81e372a2830c9170f6e08dfa956841d0ebdfb1.  Convert to ReST to match
+the other man pages, and install it as the more appropriate
+kerberos(7).
+
+Build kerberos(7) and check it in to avoid breaking the build.
+
+ticket: 8755 (new)
+tags: pullup
+target_version: 1.16-next
+
+(cherry picked from commit c38197ee9808503f86ccffd4a2bd94389e17df0b)
+---
+ doc/conf.py                       |   1 +
+ doc/user/user_config/index.rst    |   1 +
+ doc/user/user_config/kerberos.rst | 148 ++++++++++++++++++++++++
+ src/Makefile.in                   |   4 +-
+ src/config/pre.in                 |   2 +
+ src/man/Makefile.in               |  14 ++-
+ src/man/kerberos.man              | 180 ++++++++++++++++++++++++++++++
+ 7 files changed, 345 insertions(+), 5 deletions(-)
+ create mode 100644 doc/user/user_config/kerberos.rst
+ create mode 100644 src/man/kerberos.man
+
+diff --git a/doc/conf.py b/doc/conf.py
+index 0555808e6..f8bf588b6 100644
+--- a/doc/conf.py
+++ b/doc/conf.py
+@@ -292,6 +292,7 @@ man_pages = [
+     ('user/user_commands/krb5-config', 'krb5-config', u'tool for linking against MIT Kerberos libraries', [u'MIT'], 1),
+     ('user/user_config/k5login', 'k5login', u'Kerberos V5 acl file for host access', [u'MIT'], 5),
+     ('user/user_config/k5identity', 'k5identity', u'Kerberos V5 client principal selection rules', [u'MIT'], 5),
+    ('user/user_config/kerberos', 'kerberos', u'Overview of using Kerberos', [u'MIT'], 7),
+     ('admin/admin_commands/krb5kdc', 'krb5kdc', u'Kerberos V5 KDC', [u'MIT'], 8),
+     ('admin/admin_commands/kadmin_local', 'kadmin', u'Kerberos V5 database administration program', [u'MIT'], 1),
+     ('admin/admin_commands/kprop', 'kprop', u'propagate a Kerberos V5 principal database to a slave server', [u'MIT'], 8),
+diff --git a/doc/user/user_config/index.rst b/doc/user/user_config/index.rst
+index 6b3d4393b..ad0dc1a72 100644
+--- a/doc/user/user_config/index.rst
+++ b/doc/user/user_config/index.rst
+@@ -8,5 +8,6 @@ been disabled by your host's configuration):
+ .. toctree::
+    :maxdepth: 1
+ 
+   kerberos.rst
+    k5login.rst
+    k5identity.rst
+diff --git a/doc/user/user_config/kerberos.rst b/doc/user/user_config/kerberos.rst
+new file mode 100644
+index 000000000..6c4453b3b
+--- /dev/null
+++ b/doc/user/user_config/kerberos.rst
+@@ -0,0 +1,148 @@
+.. _kerberos(7):
+
+kerberos
+========
+
+DESCRIPTION
+-----------
+
+The Kerberos system authenticates individual users in a network
+environment.  After authenticating yourself to Kerberos, you can use
+Kerberos-enabled programs without having to present passwords.
+
+If you enter your username and :ref:`kinit(1)` responds with this
+message:
+
+kinit(v5): Client not found in Kerberos database while getting initial
+credentials
+
+you haven't been registered as a Kerberos user.  See your system
+administrator.
+
+A Kerberos name usually contains three parts.  The first is the
+**primary**, which is usually a user's or service's name.  The second
+is the **instance**, which in the case of a user is usually null.
+Some users may have privileged instances, however, such as ``root`` or
+``admin``.  In the case of a service, the instance is the fully
+qualified name of the machine on which it runs; i.e. there can be an
+rlogin service running on the machine ABC, which is different from the
+rlogin service running on the machine XYZ.  The third part of a
+Kerberos name is the **realm**.  The realm corresponds to the Kerberos
+service providing authentication for the principal.
+
+When writing a Kerberos name, the principal name is separated from the
+instance (if not null) by a slash, and the realm (if not the local
+realm) follows, preceded by an "@" sign.  The following are examples
+of valid Kerberos names::
+
+    david
+    jennifer/admin
+    joeuser@BLEEP.COM
+    cbrown/root@FUBAR.ORG
+
+When you authenticate yourself with Kerberos you get an initial
+Kerberos **ticket**.  (A Kerberos ticket is an encrypted protocol
+message that provides authentication.)  Kerberos uses this ticket for
+network utilities such as rlogin and rcp.  The ticket transactions are
+done transparently, so you don't have to worry about their management.
+
+Note, however, that tickets expire.  Privileged tickets, such as those
+with the instance ``root``, expire in a few minutes, while tickets
+that carry more ordinary privileges may be good for several hours or a
+day, depending on the installation's policy.  If your login session
+extends beyond the time limit, you will have to re-authenticate
+yourself to Kerberos to get new tickets.  Use the :ref:`kinit(1)`
+command to re-authenticate yourself.
+
+If you use the kinit command to get your tickets, make sure you use
+the kdestroy command to destroy your tickets before you end your login
+session.  You should put the kdestroy command in your ``.logout`` file
+so that your tickets will be destroyed automatically when you logout.
+For more information about the kinit and kdestroy commands, see the
+:ref:`kinit(1)` and :ref:`kdestroy(1)` manual pages.
+
+Kerberos tickets can be forwarded.  In order to forward tickets, you
+must request **forwardable** tickets when you kinit.  Once you have
+forwardable tickets, most Kerberos programs have a command line option
+to forward them to the remote host.
+
+ENVIRONMENT VARIABLES
+---------------------
+
+Several environment variables affect the operation of Kerberos-enabled
+programs.  These inclide:
+
+**KRB5CCNAME**
+    Specifies the location of the credential cache, in the form
+    *TYPE*:*residual*.  If no *type* prefix is present, the **FILE**
+    type is assumed and *residual* is the pathname of the cache file.
+    A collection of multiple caches may be used by specifying the
+    **dir** type and the pathname of a private directory (which must
+    already exist).  The default cache file is /tmp/krb5cc_*uid*,
+    where *uid* is the decimal user ID of the user.
+
+**KRB5_KTNAME**
+    Specifies the location of the keytab file, in the form
+    *TYPE*:*residual*.  If no *type* is present, the **FILE** type is
+    assumed and *residual* is the pathname of the keytab file.  The
+    default keytab file is ``/etc/krb5.keytab``.
+
+**KRB5_CONFIG**
+    Specifies the location of the Kerberos configuration file.  The
+    default is ``/etc/krb5.conf``.
+
+**KRB5_KDC_PROFILE**
+    Specifies the location of the KDC configuration file, which
+    contains additional configuration directives for the Key
+    Distribution Center daemon and associated programs.  The default
+    is ``/usr/local/var/krb5kdc/kdc.conf``.
+
+**KRB5RCACHETYPE**
+    Specifies the default type of replay cache to use for servers.
+    Valid types include **dfl** for the normal file type and **none**
+    for no replay cache.
+
+**KRB5RCACHEDIR**
+    Specifies the default directory for replay caches used by servers.
+    The default is the value of the **TMPDIR** environment variable,
+    or ``/var/tmp`` if **TMPDIR** is not set.
+
+**KRB5_TRACE**
+    Specifies a filename to write trace log output to.  Trace logs can
+    help illuminate decisions made internally by the Kerberos
+    libraries.  The default is not to write trace log output anywhere.
+
+Most environment variables are disabled for certain programs, such as
+login system programs and setuid programs, which are designed to be
+secure when run within an untrusted process environment.
+
+SEE ALSO
+--------
+
+:ref:`kdestroy(1)`, :ref:`kinit(1)`, :ref:`klist(1)`,
+:ref:`kswitch(1)`, :ref:`kpasswd(1)`, :ref:`ksu(1)`,
+:ref:`krb5.conf(5)`, :ref:`kdc.conf(5)`, :ref:`kadmin(1)`,
+:ref:`kadmind(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`
+
+BUGS
+----
+
+AUTHORS
+-------
+
+| Steve Miller, MIT Project Athena/Digital Equipment Corporation
+| Clifford Neuman, MIT Project Athena
+| Greg Hudson, MIT Kerberos Consortium
+
+HISTORY
+-------
+
+The MIT Kerberos 5 implementation was developed at MIT, with
+contributions from many outside parties.  It is currently maintained
+by the MIT Kerberos Consortium.
+
+RESTRICTIONS
+------------
+
+Copyright 1985, 1986, 1989-1996, 2002, 2011 Masachusetts Institute of
+Technology
+diff --git a/src/Makefile.in b/src/Makefile.in
+index 79b8d5f98..745cbc497 100644
+--- a/src/Makefile.in
+++ b/src/Makefile.in
+@@ -62,9 +62,9 @@ world:
+ INSTALLMKDIRS = $(KRB5ROOT) $(KRB5MANROOT) $(KRB5OTHERMKDIRS) \
+ 		$(ADMIN_BINDIR) $(SERVER_BINDIR) $(CLIENT_BINDIR) \
+ 		$(ADMIN_MANDIR) $(SERVER_MANDIR) $(CLIENT_MANDIR) \
+-		$(FILE_MANDIR) \
+		$(FILE_MANDIR) $(OVERVIEW_MANDIR) \
+ 		$(ADMIN_CATDIR) $(SERVER_CATDIR) $(CLIENT_CATDIR) \
+-		$(FILE_CATDIR) \
+		$(FILE_CATDIR) $(OVERVIEW_CATDIR) \
+ 		$(KRB5_LIBDIR) $(KRB5_INCDIR) \
+ 		$(KRB5_DB_MODULE_DIR) $(KRB5_PA_MODULE_DIR) \
+ 		$(KRB5_AD_MODULE_DIR) \
+diff --git a/src/config/pre.in b/src/config/pre.in
+index 6317d3564..42bccf14c 100644
+--- a/src/config/pre.in
+++ b/src/config/pre.in
+@@ -210,6 +210,8 @@ ADMIN_CATDIR = $(KRB5MANROOT)/cat8
+ SERVER_CATDIR = $(KRB5MANROOT)/cat8
+ CLIENT_CATDIR = $(KRB5MANROOT)/cat1
+ FILE_CATDIR = $(KRB5MANROOT)/cat5
+OVERVIEW_MANDIR = $(KRB5MANROOT)/man7
+OVERVIEW_CATDIR = $(KRB5MANROOT)/cat7
+ KRB5_LIBDIR = @libdir@
+ KRB5_INCDIR = @includedir@
+ MODULE_DIR = @libdir@/krb5/plugins
+diff --git a/src/man/Makefile.in b/src/man/Makefile.in
+index 4bc670bad..e3722b1cd 100644
+--- a/src/man/Makefile.in
+++ b/src/man/Makefile.in
+@@ -15,7 +15,7 @@ MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \
+ 	kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \
+ 	kdestroy.sub kinit.sub klist.sub kpasswd.sub kprop.sub kpropd.sub \
+ 	kproplog.sub krb5.conf.sub krb5-config.sub krb5kdc.sub ksu.sub \
+-	kswitch.sub ktutil.sub kvno.sub sclient.sub sserver.sub
+	kswitch.sub ktutil.sub kvno.sub sclient.sub sserver.sub kerberos.sub
+ 
+ docsrc=$(top_srcdir)/../doc
+ 
+@@ -56,9 +56,11 @@ all: $(MANSUBS)
+ clean:
+ 	rm -rf $(MANSUBS) rst_man
+ 
+-install: install-clientman install-fileman install-adminman install-serverman
+install: install-clientman install-fileman install-adminman \
+	install-overviewman install-serverman
+ 
+-install-catman: install-clientcat install-filecat install-admincat install-servercat
+install-catman: install-clientcat install-filecat install-admincat \
+	install-overviewcat install-servercat
+ 
+ install-clientman:
+ 	$(INSTALL_DATA) k5srvutil.sub $(DESTDIR)$(CLIENT_MANDIR)/k5srvutil.1
+@@ -85,6 +87,9 @@ install-fileman:
+ 	$(INSTALL_DATA) kdc.conf.sub $(DESTDIR)$(FILE_MANDIR)/kdc.conf.5
+ 	$(INSTALL_DATA) krb5.conf.sub $(DESTDIR)$(FILE_MANDIR)/krb5.conf.5
+ 
+install-overviewman:
+	$(INSTALL_DATA) kerberos.sub $(DESTDIR)$(OVERVIEW_MANDIR)/kerberos.7
+
+ install-adminman:
+ 	$(INSTALL_DATA) $(srcdir)/kadmin.local.8 \
+ 		$(DESTDIR)$(ADMIN_MANDIR)/kadmin.local.8
+@@ -127,6 +132,9 @@ install-filecat:
+ 	$(GROFF_MAN) kdc.conf.sub > $(DESTDIR)$(FILE_CATDIR)/kdc.conf.5
+ 	$(GROFF_MAN) krb5.conf.sub > $(DESTDIR)$(FILE_CATDIR)/krb5.conf.5
+ 
+install-overviewcat:
+	$(GROFF_MAN) kerberos.sub > $(DESTDIR)$(OVERVIEW_CATDIR)/kerberos.7
+
+ install-admincat:
+ 	($(RM) $(DESTDIR)$(ADMIN_CATDIR)/kadmin.local.8; \
+ 		$(LN_S) $(CLIENT_CATDIR)/kadmin.1 \
+diff --git a/src/man/kerberos.man b/src/man/kerberos.man
+new file mode 100644
+index 000000000..7b2b5d932
+--- /dev/null
+++ b/src/man/kerberos.man
+@@ -0,0 +1,180 @@
+.\" Man page generated from reStructuredText.
+.
+.TH "KERBEROS" "7" " " "1.17" "MIT Kerberos"
+.SH NAME
+kerberos \- Overview of using Kerberos
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH DESCRIPTION
+.sp
+The Kerberos system authenticates individual users in a network
+environment.  After authenticating yourself to Kerberos, you can use
+Kerberos\-enabled programs without having to present passwords.
+.sp
+If you enter your username and kinit(1) responds with this
+message:
+.sp
+kinit(v5): Client not found in Kerberos database while getting initial
+credentials
+.sp
+you haven\(aqt been registered as a Kerberos user.  See your system
+administrator.
+.sp
+A Kerberos name usually contains three parts.  The first is the
+\fBprimary\fP, which is usually a user\(aqs or service\(aqs name.  The second
+is the \fBinstance\fP, which in the case of a user is usually null.
+Some users may have privileged instances, however, such as \fBroot\fP or
+\fBadmin\fP\&.  In the case of a service, the instance is the fully
+qualified name of the machine on which it runs; i.e. there can be an
+rlogin service running on the machine ABC, which is different from the
+rlogin service running on the machine XYZ.  The third part of a
+Kerberos name is the \fBrealm\fP\&.  The realm corresponds to the Kerberos
+service providing authentication for the principal.
+.sp
+When writing a Kerberos name, the principal name is separated from the
+instance (if not null) by a slash, and the realm (if not the local
+realm) follows, preceded by an "@" sign.  The following are examples
+of valid Kerberos names:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+david
+jennifer/admin
+joeuser@BLEEP.COM
+cbrown/root@FUBAR.ORG
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+When you authenticate yourself with Kerberos you get an initial
+Kerberos \fBticket\fP\&.  (A Kerberos ticket is an encrypted protocol
+message that provides authentication.)  Kerberos uses this ticket for
+network utilities such as rlogin and rcp.  The ticket transactions are
+done transparently, so you don\(aqt have to worry about their management.
+.sp
+Note, however, that tickets expire.  Privileged tickets, such as those
+with the instance \fBroot\fP, expire in a few minutes, while tickets
+that carry more ordinary privileges may be good for several hours or a
+day, depending on the installation\(aqs policy.  If your login session
+extends beyond the time limit, you will have to re\-authenticate
+yourself to Kerberos to get new tickets.  Use the kinit(1)
+command to re\-authenticate yourself.
+.sp
+If you use the kinit command to get your tickets, make sure you use
+the kdestroy command to destroy your tickets before you end your login
+session.  You should put the kdestroy command in your \fB\&.logout\fP file
+so that your tickets will be destroyed automatically when you logout.
+For more information about the kinit and kdestroy commands, see the
+kinit(1) and kdestroy(1) manual pages.
+.sp
+Kerberos tickets can be forwarded.  In order to forward tickets, you
+must request \fBforwardable\fP tickets when you kinit.  Once you have
+forwardable tickets, most Kerberos programs have a command line option
+to forward them to the remote host.
+.SH ENVIRONMENT VARIABLES
+.sp
+Several environment variables affect the operation of Kerberos\-enabled
+programs.  These inclide:
+.INDENT 0.0
+.TP
+\fBKRB5CCNAME\fP
+Specifies the location of the credential cache, in the form
+\fITYPE\fP:\fIresidual\fP\&.  If no \fItype\fP prefix is present, the \fBFILE\fP
+type is assumed and \fIresidual\fP is the pathname of the cache file.
+A collection of multiple caches may be used by specifying the
+\fBdir\fP type and the pathname of a private directory (which must
+already exist).  The default cache file is /tmp/krb5cc_*uid*,
+where \fIuid\fP is the decimal user ID of the user.
+.TP
+\fBKRB5_KTNAME\fP
+Specifies the location of the keytab file, in the form
+\fITYPE\fP:\fIresidual\fP\&.  If no \fItype\fP is present, the \fBFILE\fP type is
+assumed and \fIresidual\fP is the pathname of the keytab file.  The
+default keytab file is \fB/etc/krb5.keytab\fP\&.
+.TP
+\fBKRB5_CONFIG\fP
+Specifies the location of the Kerberos configuration file.  The
+default is \fB/etc/krb5.conf\fP\&.
+.TP
+\fBKRB5_KDC_PROFILE\fP
+Specifies the location of the KDC configuration file, which
+contains additional configuration directives for the Key
+Distribution Center daemon and associated programs.  The default
+is \fB/usr/local/var/krb5kdc/kdc.conf\fP\&.
+.TP
+\fBKRB5RCACHETYPE\fP
+Specifies the default type of replay cache to use for servers.
+Valid types include \fBdfl\fP for the normal file type and \fBnone\fP
+for no replay cache.
+.TP
+\fBKRB5RCACHEDIR\fP
+Specifies the default directory for replay caches used by servers.
+The default is the value of the \fBTMPDIR\fP environment variable,
+or \fB/var/tmp\fP if \fBTMPDIR\fP is not set.
+.TP
+\fBKRB5_TRACE\fP
+Specifies a filename to write trace log output to.  Trace logs can
+help illuminate decisions made internally by the Kerberos
+libraries.  The default is not to write trace log output anywhere.
+.UNINDENT
+.sp
+Most environment variables are disabled for certain programs, such as
+login system programs and setuid programs, which are designed to be
+secure when run within an untrusted process environment.
+.SH SEE ALSO
+.sp
+kdestroy(1), kinit(1), klist(1),
+kswitch(1), kpasswd(1), ksu(1),
+krb5.conf(5), kdc.conf(5), kadmin(1),
+kadmind(8), kdb5_util(8), krb5kdc(8)
+.SH BUGS
+.SH AUTHORS
+.nf
+Steve Miller, MIT Project Athena/Digital Equipment Corporation
+Clifford Neuman, MIT Project Athena
+Greg Hudson, MIT Kerberos Consortium
+.fi
+.sp
+.SH HISTORY
+.sp
+The MIT Kerberos 5 implementation was developed at MIT, with
+contributions from many outside parties.  It is currently maintained
+by the MIT Kerberos Consortium.
+.SH RESTRICTIONS
+.sp
+Copyright 1985, 1986, 1989\-1996, 2002, 2011 Masachusetts Institute of
+Technology
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+1985-2018, MIT
+.\" Generated by docutils manpage writer.
+.
--- a/Modernize-kerberos-7.patch
+++ b/Modernize-kerberos-7.patch
@ -0,0 +1,429 @@
+From a6baae6bfddb5a56c64e19e5bff9f0455dc89e53 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Mon, 15 Oct 2018 13:20:30 -0400
+Subject: [PATCH] Modernize kerberos(7)
+
+Update environment variable descriptions, using env_variables.rst as a
+guide.  Replace the content in env_variables.rst with a pointer to
+documentation at kerberos(7) so that we don't break external links and
+don't duplicate content.
+
+Replace references to rlogin.  Clarify and modernize other language.
+
+ticket: 8755
+(cherry picked from commit cdccdefa2d74d3abf5a8ae126e423af9d467d34f)
+---
+ doc/admin/env_variables.rst       |  44 +------------
+ doc/user/user_config/kerberos.rst | 106 ++++++++++++++++++------------
+ src/man/kerberos.man              | 104 +++++++++++++++++------------
+ 3 files changed, 128 insertions(+), 126 deletions(-)
+
+diff --git a/doc/admin/env_variables.rst b/doc/admin/env_variables.rst
+index 0c146d3e3..a2d15bea8 100644
+--- a/doc/admin/env_variables.rst
+++ b/doc/admin/env_variables.rst
+@@ -1,46 +1,4 @@
+ Environment variables
+ =====================
+ 
+-The following environment variables can be used during runtime:
+-
+-**KRB5_CONFIG**
+-    Main Kerberos configuration file.  Multiple filenames can be
+-    specified, separated by a colon; all files which are present will
+-    be read.  (See :ref:`mitK5defaults` for the default path.)
+-
+-**KRB5_KDC_PROFILE**
+-    KDC configuration file.  (See :ref:`mitK5defaults` for the default
+-    name.)
+-
+-**KRB5_KTNAME**
+-    Default keytab file name.  (See :ref:`mitK5defaults` for the
+-    default name.)
+-
+-**KRB5_CLIENT_KTNAME**
+-    Default client keytab file name.  (See :ref:`mitK5defaults` for
+-    the default name.)
+-
+-**KRB5CCNAME**
+-    Default name for the credentials cache file, in the form *type*\:\
+-    *residual*.  The type of the default cache may determine the
+-    availability of a cache collection.  For instance, a default cache
+-    of type ``DIR`` causes caches within the directory to be present
+-    in the global cache collection.
+-
+-**KRB5RCACHETYPE**
+-    Default replay cache type.  Defaults to ``dfl``.  A value of
+-    ``none`` disables the replay cache.
+-
+-**KRB5RCACHEDIR**
+-    Default replay cache directory.  (See :ref:`mitK5defaults` for the
+-    default location.)
+-
+-**KPROP_PORT**
+-    :ref:`kprop(8)` port to use.  Defaults to 754.
+-
+-**KRB5_TRACE**
+-    Filename for trace-logging output (introduced in release 1.9).
+-    For example, ``env KRB5_TRACE=/dev/stdout kinit`` would send
+-    tracing information for kinit to ``/dev/stdout``.  Some programs
+-    may ignore this variable (particularly setuid or login system
+-    programs).
+This content has moved to :ref:`kerberos(7)`.
+diff --git a/doc/user/user_config/kerberos.rst b/doc/user/user_config/kerberos.rst
+index 6c4453b3b..56412f099 100644
+--- a/doc/user/user_config/kerberos.rst
+++ b/doc/user/user_config/kerberos.rst
+@@ -8,12 +8,12 @@ DESCRIPTION
+ 
+ The Kerberos system authenticates individual users in a network
+ environment.  After authenticating yourself to Kerberos, you can use
+-Kerberos-enabled programs without having to present passwords.
+Kerberos-enabled programs without having to present passwords or
+certificates to those programs.
+ 
+-If you enter your username and :ref:`kinit(1)` responds with this
+-message:
+If you receive the following response from :ref:`kinit(1)`:
+ 
+-kinit(v5): Client not found in Kerberos database while getting initial
+kinit: Client not found in Kerberos database while getting initial
+ credentials
+ 
+ you haven't been registered as a Kerberos user.  See your system
+@@ -25,10 +25,13 @@ is the **instance**, which in the case of a user is usually null.
+ Some users may have privileged instances, however, such as ``root`` or
+ ``admin``.  In the case of a service, the instance is the fully
+ qualified name of the machine on which it runs; i.e. there can be an
+-rlogin service running on the machine ABC, which is different from the
+-rlogin service running on the machine XYZ.  The third part of a
+-Kerberos name is the **realm**.  The realm corresponds to the Kerberos
+-service providing authentication for the principal.
+ssh service running on the machine ABC (ssh/ABC@REALM), which is
+different from the ssh service running on the machine XYZ
+(ssh/XYZ@REALM).  The third part of a Kerberos name is the **realm**.
+The realm corresponds to the Kerberos service providing authentication
+for the principal.  Realms are conventionally all-uppercase, and often
+match the end of hostnames in the realm (for instance, host01.example.com
+might be in realm EXAMPLE.COM).
+ 
+ When writing a Kerberos name, the principal name is separated from the
+ instance (if not null) by a slash, and the realm (if not the local
+@@ -43,64 +46,72 @@ of valid Kerberos names::
+ When you authenticate yourself with Kerberos you get an initial
+ Kerberos **ticket**.  (A Kerberos ticket is an encrypted protocol
+ message that provides authentication.)  Kerberos uses this ticket for
+-network utilities such as rlogin and rcp.  The ticket transactions are
+-done transparently, so you don't have to worry about their management.
+network utilities such as ssh.  The ticket transactions are done
+transparently, so you don't have to worry about their management.
+ 
+-Note, however, that tickets expire.  Privileged tickets, such as those
+-with the instance ``root``, expire in a few minutes, while tickets
+-that carry more ordinary privileges may be good for several hours or a
+-day, depending on the installation's policy.  If your login session
+-extends beyond the time limit, you will have to re-authenticate
+-yourself to Kerberos to get new tickets.  Use the :ref:`kinit(1)`
+-command to re-authenticate yourself.
+Note, however, that tickets expire.  Administrators may configure more
+privileged tickets, such as those with service or instance of ``root``
+or ``admin``, to expire in a few minutes, while tickets that carry
+more ordinary privileges may be good for several hours or a day.  If
+your login session extends beyond the time limit, you will have to
+re-authenticate yourself to Kerberos to get new tickets using the
+:ref:`kinit(1)` command.
+ 
+-If you use the kinit command to get your tickets, make sure you use
+-the kdestroy command to destroy your tickets before you end your login
+-session.  You should put the kdestroy command in your ``.logout`` file
+-so that your tickets will be destroyed automatically when you logout.
+-For more information about the kinit and kdestroy commands, see the
+-:ref:`kinit(1)` and :ref:`kdestroy(1)` manual pages.
+Some tickets are **renewable** beyond their initial lifetime.  This
+means that ``kinit -R`` can extend their lifetime without requiring
+you to re-authenticate.
+
+If you wish to delete your local tickets, use the :ref:`kdestroy(1)`
+command.
+ 
+ Kerberos tickets can be forwarded.  In order to forward tickets, you
+ must request **forwardable** tickets when you kinit.  Once you have
+ forwardable tickets, most Kerberos programs have a command line option
+-to forward them to the remote host.
+to forward them to the remote host.  This can be useful for, e.g.,
+running kinit on your local machine and then sshing into another to do
+work.  Note that this should not be done on untrusted machines since
+they will then have your tickets.
+ 
+ ENVIRONMENT VARIABLES
+ ---------------------
+ 
+ Several environment variables affect the operation of Kerberos-enabled
+-programs.  These inclide:
+programs.  These include:
+ 
+ **KRB5CCNAME**
+-    Specifies the location of the credential cache, in the form
+-    *TYPE*:*residual*.  If no *type* prefix is present, the **FILE**
+-    type is assumed and *residual* is the pathname of the cache file.
+-    A collection of multiple caches may be used by specifying the
+-    **dir** type and the pathname of a private directory (which must
+-    already exist).  The default cache file is /tmp/krb5cc_*uid*,
+-    where *uid* is the decimal user ID of the user.
+    Default name for the credentials cache file, in the form
+    *TYPE*:*residual*.  The type of the default cache may determine
+    the availability of a cache collection.  ``FILE`` is not a
+    collection type; ``KEYRING``, ``DIR``, and ``KCM`` are.
+
+    If not set, the value of **default_ccache_name** from
+    configuration files (see **KRB5_CONFIG**) will be used.  If that
+    is also not set, the default *type* is ``FILE``, and the
+    *residual* is the path /tmp/krb5cc_*uid*, where *uid* is the
+    decimal user ID of the user.
+ 
+ **KRB5_KTNAME**
+-    Specifies the location of the keytab file, in the form
+    Specifies the location of the default keytab file, in the form
+     *TYPE*:*residual*.  If no *type* is present, the **FILE** type is
+-    assumed and *residual* is the pathname of the keytab file.  The
+-    default keytab file is ``/etc/krb5.keytab``.
+    assumed and *residual* is the pathname of the keytab file.  If
+    unset, |keytab| will be used.
+ 
+ **KRB5_CONFIG**
+     Specifies the location of the Kerberos configuration file.  The
+-    default is ``/etc/krb5.conf``.
+    default is |sysconfdir|\ ``/krb5.conf``.  Multiple filenames can
+    be specified, separated by a colon; all files which are present
+    will be read.
+ 
+ **KRB5_KDC_PROFILE**
+     Specifies the location of the KDC configuration file, which
+     contains additional configuration directives for the Key
+     Distribution Center daemon and associated programs.  The default
+-    is ``/usr/local/var/krb5kdc/kdc.conf``.
+    is |kdcdir|\ ``/kdc.conf``.
+ 
+ **KRB5RCACHETYPE**
+     Specifies the default type of replay cache to use for servers.
+-    Valid types include **dfl** for the normal file type and **none**
+-    for no replay cache.
+    Valid types include ``dfl`` for the normal file type and ``none``
+    for no replay cache.  The default is ``dfl``.
+ 
+ **KRB5RCACHEDIR**
+     Specifies the default directory for replay caches used by servers.
+@@ -110,7 +121,17 @@ programs.  These inclide:
+ **KRB5_TRACE**
+     Specifies a filename to write trace log output to.  Trace logs can
+     help illuminate decisions made internally by the Kerberos
+-    libraries.  The default is not to write trace log output anywhere.
+    libraries.  For example, ``env KRB5_TRACE=/dev/stderr kinit``
+    would send tracing information for :ref:`kinit(1)` to
+    ``/dev/stderr``.  The default is not to write trace log output
+    anywhere.
+
+**KRB5_CLIENT_KTNAME**
+    Default client keytab file name.  If unset, |ckeytab| will be
+    used).
+
+**KPROP_PORT**
+    :ref:`kprop(8)` port to use.  Defaults to 754.
+ 
+ Most environment variables are disabled for certain programs, such as
+ login system programs and setuid programs, which are designed to be
+@@ -133,6 +154,7 @@ AUTHORS
+ | Steve Miller, MIT Project Athena/Digital Equipment Corporation
+ | Clifford Neuman, MIT Project Athena
+ | Greg Hudson, MIT Kerberos Consortium
+| Robbie Harwood, Red Hat, Inc.
+ 
+ HISTORY
+ -------
+@@ -144,5 +166,5 @@ by the MIT Kerberos Consortium.
+ RESTRICTIONS
+ ------------
+ 
+-Copyright 1985, 1986, 1989-1996, 2002, 2011 Masachusetts Institute of
+-Technology
+Copyright 1985, 1986, 1989-1996, 2002, 2011, 2018 Masachusetts
+Institute of Technology
+diff --git a/src/man/kerberos.man b/src/man/kerberos.man
+index 7b2b5d932..026f4604a 100644
+--- a/src/man/kerberos.man
+++ b/src/man/kerberos.man
+@@ -34,12 +34,12 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+ .sp
+ The Kerberos system authenticates individual users in a network
+ environment.  After authenticating yourself to Kerberos, you can use
+-Kerberos\-enabled programs without having to present passwords.
+Kerberos\-enabled programs without having to present passwords or
+certificates to those programs.
+ .sp
+-If you enter your username and kinit(1) responds with this
+-message:
+If you receive the following response from kinit(1):
+ .sp
+-kinit(v5): Client not found in Kerberos database while getting initial
+kinit: Client not found in Kerberos database while getting initial
+ credentials
+ .sp
+ you haven\(aqt been registered as a Kerberos user.  See your system
+@@ -51,10 +51,13 @@ is the \fBinstance\fP, which in the case of a user is usually null.
+ Some users may have privileged instances, however, such as \fBroot\fP or
+ \fBadmin\fP\&.  In the case of a service, the instance is the fully
+ qualified name of the machine on which it runs; i.e. there can be an
+-rlogin service running on the machine ABC, which is different from the
+-rlogin service running on the machine XYZ.  The third part of a
+-Kerberos name is the \fBrealm\fP\&.  The realm corresponds to the Kerberos
+-service providing authentication for the principal.
+ssh service running on the machine ABC (\fI\%ssh/ABC@REALM\fP), which is
+different from the ssh service running on the machine XYZ
+(\fI\%ssh/XYZ@REALM\fP).  The third part of a Kerberos name is the \fBrealm\fP\&.
+The realm corresponds to the Kerberos service providing authentication
+for the principal.  Realms are conventionally all\-uppercase, and often
+match the end of hostnames in the realm (for instance, host01.example.com
+might be in realm EXAMPLE.COM).
+ .sp
+ When writing a Kerberos name, the principal name is separated from the
+ instance (if not null) by a slash, and the realm (if not the local
+@@ -77,63 +80,71 @@ cbrown/root@FUBAR.ORG
+ When you authenticate yourself with Kerberos you get an initial
+ Kerberos \fBticket\fP\&.  (A Kerberos ticket is an encrypted protocol
+ message that provides authentication.)  Kerberos uses this ticket for
+-network utilities such as rlogin and rcp.  The ticket transactions are
+-done transparently, so you don\(aqt have to worry about their management.
+network utilities such as ssh.  The ticket transactions are done
+transparently, so you don\(aqt have to worry about their management.
+ .sp
+-Note, however, that tickets expire.  Privileged tickets, such as those
+-with the instance \fBroot\fP, expire in a few minutes, while tickets
+-that carry more ordinary privileges may be good for several hours or a
+-day, depending on the installation\(aqs policy.  If your login session
+-extends beyond the time limit, you will have to re\-authenticate
+-yourself to Kerberos to get new tickets.  Use the kinit(1)
+-command to re\-authenticate yourself.
+Note, however, that tickets expire.  Administrators may configure more
+privileged tickets, such as those with service or instance of \fBroot\fP
+or \fBadmin\fP, to expire in a few minutes, while tickets that carry
+more ordinary privileges may be good for several hours or a day.  If
+your login session extends beyond the time limit, you will have to
+re\-authenticate yourself to Kerberos to get new tickets using the
+kinit(1) command.
+ .sp
+-If you use the kinit command to get your tickets, make sure you use
+-the kdestroy command to destroy your tickets before you end your login
+-session.  You should put the kdestroy command in your \fB\&.logout\fP file
+-so that your tickets will be destroyed automatically when you logout.
+-For more information about the kinit and kdestroy commands, see the
+-kinit(1) and kdestroy(1) manual pages.
+Some tickets are \fBrenewable\fP beyond their initial lifetime.  This
+means that \fBkinit \-R\fP can extend their lifetime without requiring
+you to re\-authenticate.
+.sp
+If you wish to delete your local tickets, use the kdestroy(1)
+command.
+ .sp
+ Kerberos tickets can be forwarded.  In order to forward tickets, you
+ must request \fBforwardable\fP tickets when you kinit.  Once you have
+ forwardable tickets, most Kerberos programs have a command line option
+-to forward them to the remote host.
+to forward them to the remote host.  This can be useful for, e.g.,
+running kinit on your local machine and then sshing into another to do
+work.  Note that this should not be done on untrusted machines since
+they will then have your tickets.
+ .SH ENVIRONMENT VARIABLES
+ .sp
+ Several environment variables affect the operation of Kerberos\-enabled
+-programs.  These inclide:
+programs.  These include:
+ .INDENT 0.0
+ .TP
+ \fBKRB5CCNAME\fP
+-Specifies the location of the credential cache, in the form
+-\fITYPE\fP:\fIresidual\fP\&.  If no \fItype\fP prefix is present, the \fBFILE\fP
+-type is assumed and \fIresidual\fP is the pathname of the cache file.
+-A collection of multiple caches may be used by specifying the
+-\fBdir\fP type and the pathname of a private directory (which must
+-already exist).  The default cache file is /tmp/krb5cc_*uid*,
+-where \fIuid\fP is the decimal user ID of the user.
+Default name for the credentials cache file, in the form
+\fITYPE\fP:\fIresidual\fP\&.  The type of the default cache may determine
+the availability of a cache collection.  \fBFILE\fP is not a
+collection type; \fBKEYRING\fP, \fBDIR\fP, and \fBKCM\fP are.
+.sp
+If not set, the value of \fBdefault_ccache_name\fP from
+configuration files (see \fBKRB5_CONFIG\fP) will be used.  If that
+is also not set, the default \fItype\fP is \fBFILE\fP, and the
+\fIresidual\fP is the path /tmp/krb5cc_*uid*, where \fIuid\fP is the
+decimal user ID of the user.
+ .TP
+ \fBKRB5_KTNAME\fP
+-Specifies the location of the keytab file, in the form
+Specifies the location of the default keytab file, in the form
+ \fITYPE\fP:\fIresidual\fP\&.  If no \fItype\fP is present, the \fBFILE\fP type is
+-assumed and \fIresidual\fP is the pathname of the keytab file.  The
+-default keytab file is \fB/etc/krb5.keytab\fP\&.
+assumed and \fIresidual\fP is the pathname of the keytab file.  If
+unset, \fB@KTNAME@\fP will be used.
+ .TP
+ \fBKRB5_CONFIG\fP
+ Specifies the location of the Kerberos configuration file.  The
+-default is \fB/etc/krb5.conf\fP\&.
+default is \fB@SYSCONFDIR@\fP\fB/krb5.conf\fP\&.  Multiple filenames can
+be specified, separated by a colon; all files which are present
+will be read.
+ .TP
+ \fBKRB5_KDC_PROFILE\fP
+ Specifies the location of the KDC configuration file, which
+ contains additional configuration directives for the Key
+ Distribution Center daemon and associated programs.  The default
+-is \fB/usr/local/var/krb5kdc/kdc.conf\fP\&.
+is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kdc.conf\fP\&.
+ .TP
+ \fBKRB5RCACHETYPE\fP
+ Specifies the default type of replay cache to use for servers.
+ Valid types include \fBdfl\fP for the normal file type and \fBnone\fP
+-for no replay cache.
+for no replay cache.  The default is \fBdfl\fP\&.
+ .TP
+ \fBKRB5RCACHEDIR\fP
+ Specifies the default directory for replay caches used by servers.
+@@ -143,7 +154,17 @@ or \fB/var/tmp\fP if \fBTMPDIR\fP is not set.
+ \fBKRB5_TRACE\fP
+ Specifies a filename to write trace log output to.  Trace logs can
+ help illuminate decisions made internally by the Kerberos
+-libraries.  The default is not to write trace log output anywhere.
+libraries.  For example, \fBenv KRB5_TRACE=/dev/stderr kinit\fP
+would send tracing information for kinit(1) to
+\fB/dev/stderr\fP\&.  The default is not to write trace log output
+anywhere.
+.TP
+\fBKRB5_CLIENT_KTNAME\fP
+Default client keytab file name.  If unset, \fB@CKTNAME@\fP will be
+used).
+.TP
+\fBKPROP_PORT\fP
+kprop(8) port to use.  Defaults to 754.
+ .UNINDENT
+ .sp
+ Most environment variables are disabled for certain programs, such as
+@@ -161,6 +182,7 @@ kadmind(8), kdb5_util(8), krb5kdc(8)
+ Steve Miller, MIT Project Athena/Digital Equipment Corporation
+ Clifford Neuman, MIT Project Athena
+ Greg Hudson, MIT Kerberos Consortium
+Robbie Harwood, Red Hat, Inc.
+ .fi
+ .sp
+ .SH HISTORY
+@@ -170,8 +192,8 @@ contributions from many outside parties.  It is currently maintained
+ by the MIT Kerberos Consortium.
+ .SH RESTRICTIONS
+ .sp
+-Copyright 1985, 1986, 1989\-1996, 2002, 2011 Masachusetts Institute of
+-Technology
+Copyright 1985, 1986, 1989\-1996, 2002, 2011, 2018 Masachusetts
+Institute of Technology
+ .SH AUTHOR
+ MIT
+ .SH COPYRIGHT
--- a/Update-man-pages-to-reference-kerberos-7.patch
+++ b/Update-man-pages-to-reference-kerberos-7.patch
@ -0,0 +1,476 @@
+From 92984a6d7208ceab384d5a21d03de08b4cb4c8d8 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Mon, 15 Oct 2018 15:19:12 -0400
+Subject: [PATCH] Update man pages to reference kerberos(7)
+
+Remove broken references to old kerberos(1).  Reference kerberos(7)
+from all man pages, and create/update their environment section so
+that it references kerberos(7).
+
+ticket: 8755
+(cherry picked from commit 52cbe198d0d6f0085d4653b2f6a1ecc84d139118)
+[rharwood@redhat.com: conflicts: kvno doesn't have u2u yet, git derped
+on kswitch]
+---
+ doc/admin/admin_commands/k5srvutil.rst      |  9 ++++++++-
+ doc/admin/admin_commands/kadmin_local.rst   |  9 ++++++++-
+ doc/admin/admin_commands/kadmind.rst        |  9 ++++++++-
+ doc/admin/admin_commands/kdb5_ldap_util.rst |  9 ++++++++-
+ doc/admin/admin_commands/kdb5_util.rst      |  9 ++++++++-
+ doc/admin/admin_commands/kprop.rst          |  8 ++++----
+ doc/admin/admin_commands/kpropd.rst         | 10 +++++++++-
+ doc/admin/admin_commands/kproplog.rst       |  7 +++----
+ doc/admin/admin_commands/krb5kdc.rst        |  8 +++-----
+ doc/admin/admin_commands/ktutil.rst         |  9 ++++++++-
+ doc/admin/admin_commands/sserver.rst        |  9 ++++++++-
+ doc/user/user_commands/kdestroy.rst         | 13 +++----------
+ doc/user/user_commands/kinit.rst            | 14 +++-----------
+ doc/user/user_commands/klist.rst            | 13 +++----------
+ doc/user/user_commands/kpasswd.rst          |  9 ++++++++-
+ doc/user/user_commands/krb5-config.rst      |  2 +-
+ doc/user/user_commands/ksu.rst              | 13 +++++++++++++
+ doc/user/user_commands/kswitch.rst          | 14 ++++----------
+ doc/user/user_commands/kvno.rst             |  9 +++------
+ doc/user/user_commands/sclient.rst          |  8 +++++++-
+ 20 files changed, 120 insertions(+), 71 deletions(-)
+
+diff --git a/doc/admin/admin_commands/k5srvutil.rst b/doc/admin/admin_commands/k5srvutil.rst
+index b873d9077..79502cf9e 100644
+--- a/doc/admin/admin_commands/k5srvutil.rst
+++ b/doc/admin/admin_commands/k5srvutil.rst
+@@ -56,7 +56,14 @@ k5srvutil uses the :ref:`kadmin(1)` program to edit the keytab in
+ place.
+ 
+ 
+ENVIRONMENT
+-----------
+
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+
+
+ SEE ALSO
+ --------
+ 
+-:ref:`kadmin(1)`, :ref:`ktutil(1)`
+:ref:`kadmin(1)`, :ref:`ktutil(1)`, :ref:`kerberos(7)`
+diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
+index 9b5ccf4e9..cefe6054b 100644
+--- a/doc/admin/admin_commands/kadmin_local.rst
+++ b/doc/admin/admin_commands/kadmin_local.rst
+@@ -996,7 +996,14 @@ The kadmin program was originally written by Tom Yu at MIT, as an
+ interface to the OpenVision Kerberos administration program.
+ 
+ 
+ENVIRONMENT
+-----------
+
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+
+
+ SEE ALSO
+ --------
+ 
+-:ref:`kpasswd(1)`, :ref:`kadmind(8)`
+:ref:`kpasswd(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)`
+diff --git a/doc/admin/admin_commands/kadmind.rst b/doc/admin/admin_commands/kadmind.rst
+index f5b7733ea..8bfb48a32 100644
+--- a/doc/admin/admin_commands/kadmind.rst
+++ b/doc/admin/admin_commands/kadmind.rst
+@@ -116,8 +116,15 @@ OPTIONS
+     <dboptions>` in :ref:`kadmin(1)` for supported arguments.
+ 
+ 
+ENVIRONMENT
+-----------
+
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+
+
+ SEE ALSO
+ --------
+ 
+ :ref:`kpasswd(1)`, :ref:`kadmin(1)`, :ref:`kdb5_util(8)`,
+-:ref:`kdb5_ldap_util(8)`, :ref:`kadm5.acl(5)`
+:ref:`kdb5_ldap_util(8)`, :ref:`kadm5.acl(5)`, :ref:`kerberos(7)`
+diff --git a/doc/admin/admin_commands/kdb5_ldap_util.rst b/doc/admin/admin_commands/kdb5_ldap_util.rst
+index cbf313f55..343df4dd9 100644
+--- a/doc/admin/admin_commands/kdb5_ldap_util.rst
+++ b/doc/admin/admin_commands/kdb5_ldap_util.rst
+@@ -456,7 +456,14 @@ Example::
+ .. _kdb5_ldap_util_list_policy_end:
+ 
+ 
+ENVIRONMENT
+-----------
+
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+
+
+ SEE ALSO
+ --------
+ 
+-:ref:`kadmin(1)`
+:ref:`kadmin(1)`, :ref:`kerberos(7)`
+diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst
+index 258498f0d..18a3fb627 100644
+--- a/doc/admin/admin_commands/kdb5_util.rst
+++ b/doc/admin/admin_commands/kdb5_util.rst
+@@ -491,7 +491,14 @@ Examples::
+     bar@EXAMPLE.COM	1	1	des-cbc-crc	normal	-1
+ 
+ 
+ENVIRONMENT
+-----------
+
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+
+
+ SEE ALSO
+ --------
+ 
+-:ref:`kadmin(1)`
+:ref:`kadmin(1)`, :ref:`kerberos(7)`
+diff --git a/doc/admin/admin_commands/kprop.rst b/doc/admin/admin_commands/kprop.rst
+index 726c8cc2f..0bc353239 100644
+--- a/doc/admin/admin_commands/kprop.rst
+++ b/doc/admin/admin_commands/kprop.rst
+@@ -49,12 +49,12 @@ OPTIONS
+ ENVIRONMENT
+ -----------
+ 
+-*kprop* uses the following environment variable:
+-
+-* **KRB5_CONFIG**
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+ 
+ 
+ SEE ALSO
+ --------
+ 
+-:ref:`kpropd(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`
+:ref:`kpropd(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`,
+:ref:`kerberos(7)`
+diff --git a/doc/admin/admin_commands/kpropd.rst b/doc/admin/admin_commands/kpropd.rst
+index 5468b0675..03aa8ce90 100644
+--- a/doc/admin/admin_commands/kpropd.rst
+++ b/doc/admin/admin_commands/kpropd.rst
+@@ -129,7 +129,15 @@ kpropd.acl
+     will allow Kerberos database propagation via :ref:`kprop(8)`.
+ 
+ 
+ENVIRONMENT
+-----------
+
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+
+
+ SEE ALSO
+ --------
+ 
+-:ref:`kprop(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`, inetd(8)
+:ref:`kprop(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`,
+:ref:`kerberos(7)`, inetd(8)
+diff --git a/doc/admin/admin_commands/kproplog.rst b/doc/admin/admin_commands/kproplog.rst
+index ed906398d..b98e1b29b 100644
+--- a/doc/admin/admin_commands/kproplog.rst
+++ b/doc/admin/admin_commands/kproplog.rst
+@@ -74,12 +74,11 @@ OPTIONS
+ ENVIRONMENT
+ -----------
+ 
+-kproplog uses the following environment variables:
+-
+-* **KRB5_KDC_PROFILE**
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+ 
+ 
+ SEE ALSO
+ --------
+ 
+-:ref:`kpropd(8)`
+:ref:`kpropd(8)`, :ref:`kerberos(7)`
+diff --git a/doc/admin/admin_commands/krb5kdc.rst b/doc/admin/admin_commands/krb5kdc.rst
+index b605b563d..0342d0d18 100644
+--- a/doc/admin/admin_commands/krb5kdc.rst
+++ b/doc/admin/admin_commands/krb5kdc.rst
+@@ -103,14 +103,12 @@ description for further details.
+ ENVIRONMENT
+ -----------
+ 
+-krb5kdc uses the following environment variables:
+-
+-* **KRB5_CONFIG**
+-* **KRB5_KDC_PROFILE**
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+ 
+ 
+ SEE ALSO
+ --------
+ 
+ :ref:`kdb5_util(8)`, :ref:`kdc.conf(5)`, :ref:`krb5.conf(5)`,
+-:ref:`kdb5_ldap_util(8)`
+:ref:`kdb5_ldap_util(8)`, :ref:`kerberos(7)`
+diff --git a/doc/admin/admin_commands/ktutil.rst b/doc/admin/admin_commands/ktutil.rst
+index 2eb19ded2..7d8ab4913 100644
+--- a/doc/admin/admin_commands/ktutil.rst
+++ b/doc/admin/admin_commands/ktutil.rst
+@@ -127,7 +127,14 @@ EXAMPLE
+     ktutil:
+ 
+ 
+ENVIRONMENT
+-----------
+
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+
+
+ SEE ALSO
+ --------
+ 
+-:ref:`kadmin(1)`, :ref:`kdb5_util(8)`
+:ref:`kadmin(1)`, :ref:`kdb5_util(8)`, :ref:`kerberos(7)`
+diff --git a/doc/admin/admin_commands/sserver.rst b/doc/admin/admin_commands/sserver.rst
+index b4e464466..a8dcf5d5b 100644
+--- a/doc/admin/admin_commands/sserver.rst
+++ b/doc/admin/admin_commands/sserver.rst
+@@ -99,7 +99,14 @@ COMMON ERROR MESSAGES
+    probably not installed in the proper directory.
+ 
+ 
+ENVIRONMENT
+-----------
+
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+
+
+ SEE ALSO
+ --------
+ 
+-:ref:`sclient(1)`, services(5), inetd(8)
+:ref:`sclient(1)`, :ref:`kerberos(7)`, services(5), inetd(8)
+diff --git a/doc/user/user_commands/kdestroy.rst b/doc/user/user_commands/kdestroy.rst
+index b8c67aba4..c69d65667 100644
+--- a/doc/user/user_commands/kdestroy.rst
+++ b/doc/user/user_commands/kdestroy.rst
+@@ -53,15 +53,8 @@ when you log out.
+ ENVIRONMENT
+ -----------
+ 
+-kdestroy uses the following environment variable:
+-
+-**KRB5CCNAME**
+-    Location of the default Kerberos 5 credentials (ticket) cache, in
+-    the form *type*:*residual*.  If no *type* prefix is present, the
+-    **FILE** type is assumed.  The type of the default cache may
+-    determine the availability of a cache collection; for instance, a
+-    default cache of type **DIR** causes caches within the directory
+-    to be present in the collection.
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+ 
+ 
+ FILES
+@@ -74,4 +67,4 @@ FILES
+ SEE ALSO
+ --------
+ 
+-:ref:`kinit(1)`, :ref:`klist(1)`
+:ref:`kinit(1)`, :ref:`klist(1)`, :ref:`kerberos(7)`
+diff --git a/doc/user/user_commands/kinit.rst b/doc/user/user_commands/kinit.rst
+index 1f696920f..d692e2791 100644
+--- a/doc/user/user_commands/kinit.rst
+++ b/doc/user/user_commands/kinit.rst
+@@ -200,19 +200,11 @@ OPTIONS
+     **disable_freshness**\ [**=yes**]
+         disable sending freshness tokens (for testing purposes only)
+ 
+-
+ ENVIRONMENT
+ -----------
+ 
+-kinit uses the following environment variables:
+-
+-**KRB5CCNAME**
+-    Location of the default Kerberos 5 credentials cache, in the form
+-    *type*:*residual*.  If no *type* prefix is present, the **FILE**
+-    type is assumed.  The type of the default cache may determine the
+-    availability of a cache collection; for instance, a default cache
+-    of type **DIR** causes caches within the directory to be present
+-    in the collection.
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+ 
+ 
+ FILES
+@@ -228,4 +220,4 @@ FILES
+ SEE ALSO
+ --------
+ 
+-:ref:`klist(1)`, :ref:`kdestroy(1)`, kerberos(1)
+:ref:`klist(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)`
+diff --git a/doc/user/user_commands/klist.rst b/doc/user/user_commands/klist.rst
+index c24c74132..88e457846 100644
+--- a/doc/user/user_commands/klist.rst
+++ b/doc/user/user_commands/klist.rst
+@@ -105,15 +105,8 @@ value is used to locate the default ticket cache.
+ ENVIRONMENT
+ -----------
+ 
+-klist uses the following environment variable:
+-
+-**KRB5CCNAME**
+-    Location of the default Kerberos 5 credentials (ticket) cache, in
+-    the form *type*:*residual*.  If no *type* prefix is present, the
+-    **FILE** type is assumed.  The type of the default cache may
+-    determine the availability of a cache collection; for instance, a
+-    default cache of type **DIR** causes caches within the directory
+-    to be present in the collection.
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+ 
+ 
+ FILES
+@@ -129,4 +122,4 @@ FILES
+ SEE ALSO
+ --------
+ 
+-:ref:`kinit(1)`, :ref:`kdestroy(1)`
+:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)`
+diff --git a/doc/user/user_commands/kpasswd.rst b/doc/user/user_commands/kpasswd.rst
+index 1b6463265..0583bbd05 100644
+--- a/doc/user/user_commands/kpasswd.rst
+++ b/doc/user/user_commands/kpasswd.rst
+@@ -33,7 +33,14 @@ OPTIONS
+     identity of the user invoking the kpasswd command.
+ 
+ 
+ENVIRONMENT
+-----------
+
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+
+
+ SEE ALSO
+ --------
+ 
+-:ref:`kadmin(1)`, :ref:`kadmind(8)`
+:ref:`kadmin(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)`
+diff --git a/doc/user/user_commands/krb5-config.rst b/doc/user/user_commands/krb5-config.rst
+index ee0fceaa3..2c09141a1 100644
+--- a/doc/user/user_commands/krb5-config.rst
+++ b/doc/user/user_commands/krb5-config.rst
+@@ -80,4 +80,4 @@ the following output::
+ SEE ALSO
+ --------
+ 
+-kerberos(1), cc(1)
+:ref:`kerberos(7)`, cc(1)
+diff --git a/doc/user/user_commands/ksu.rst b/doc/user/user_commands/ksu.rst
+index b2f9121f0..29487a838 100644
+--- a/doc/user/user_commands/ksu.rst
+++ b/doc/user/user_commands/ksu.rst
+@@ -385,3 +385,16 @@ AUTHOR OF KSU
+ -------------
+ 
+ GENNADY (ARI) MEDVINSKY
+
+
+ENVIRONMENT
+-----------
+
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+
+
+SEE ALSO
+--------
+
+:ref:`kerberos(7)`, :ref:`kinit(1)`
+diff --git a/doc/user/user_commands/kswitch.rst b/doc/user/user_commands/kswitch.rst
+index 56e5915ac..010332e6a 100644
+--- a/doc/user/user_commands/kswitch.rst
+++ b/doc/user/user_commands/kswitch.rst
+@@ -32,15 +32,8 @@ OPTIONS
+ ENVIRONMENT
+ -----------
+ 
+-kswitch uses the following environment variables:
+-
+-**KRB5CCNAME**
+-    Location of the default Kerberos 5 credentials (ticket) cache, in
+-    the form *type*:*residual*.  If no *type* prefix is present, the
+-    **FILE** type is assumed.  The type of the default cache may
+-    determine the availability of a cache collection; for instance, a
+-    default cache of type **DIR** causes caches within the directory
+-    to be present in the collection.
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+ 
+ 
+ FILES
+@@ -53,4 +46,5 @@ FILES
+ SEE ALSO
+ --------
+ 
+-:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`klist(1)`), kerberos(1)
+:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`klist(1)`,
+:ref:`kerberos(7)`
+diff --git a/doc/user/user_commands/kvno.rst b/doc/user/user_commands/kvno.rst
+index 31ca24460..f269fb3f9 100644
+--- a/doc/user/user_commands/kvno.rst
+++ b/doc/user/user_commands/kvno.rst
+@@ -63,14 +63,11 @@ OPTIONS
+     delegation is not requested, the service name must match the
+     credentials cache client principal.
+ 
+-
+ ENVIRONMENT
+ -----------
+ 
+-kvno uses the following environment variable:
+-
+-**KRB5CCNAME**
+-    Location of the credentials (ticket) cache.
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+ 
+ 
+ FILES
+@@ -83,4 +80,4 @@ FILES
+ SEE ALSO
+ --------
+ 
+-:ref:`kinit(1)`, :ref:`kdestroy(1)`
+:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)`
+diff --git a/doc/user/user_commands/sclient.rst b/doc/user/user_commands/sclient.rst
+index ebf797253..1e3d38f82 100644
+--- a/doc/user/user_commands/sclient.rst
+++ b/doc/user/user_commands/sclient.rst
+@@ -17,8 +17,14 @@ purposes.  It contacts a sample server :ref:`sserver(8)` and
+ authenticates to it using Kerberos version 5 tickets, then displays
+ the server's response.
+ 
+ENVIRONMENT
+-----------
+
+See :ref:`kerberos(7)` for a description of Kerberos environment
+variables.
+
+ 
+ SEE ALSO
+ --------
+ 
+-:ref:`kinit(1)`, :ref:`sserver(8)`
+:ref:`kinit(1)`, :ref:`sserver(8)`, :ref:`kerberos(7)`
--- a/krb5.spec
+++ b/krb5.spec
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.16.1
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 24%{?dist}
+Release: 25%{?dist}

 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
@ -107,6 +107,9 @@ Patch87: Prefer-TCP-to-UDP-for-password-changes.patch
 Patch88: Correct-kpasswd_server-description-in-krb5.conf-5.patch
 Patch89: Prevent-SIGPIPE-from-socket-writes-on-UNIX-likes.patch
 Patch90: Use-port-sockets.h-macros-in-cc_kcm-sendto_kdc.patch
+Patch91: Bring-back-general-kerberos-man-page.patch
+Patch92: Modernize-kerberos-7.patch
+Patch93: Update-man-pages-to-reference-kerberos-7.patch

 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -753,6 +756,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*

 %changelog
+* Wed Oct 24 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-25
+- Update man pages to reference kerberos(7)
+- Resolves: #1143767
+
 * Wed Oct 17 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-24
 - Use port-sockets.h macros in cc_kcm, sendto_kdc
 - Resolves: #1631998