--- src/kadmin/cli/kadmin.M 2009-05-05 16:47:25.000000000 +0200 +++ src/kadmin/cli/kadmin.M 2009-05-05 16:51:54.000000000 +0200 @@ -253,7 +253,7 @@ maximum ticket life for the principal maximum renewable life of tickets for the principal .TP \fB\-kvno\fP \fIkvno\fP -explicity set the key version number. +explicitly set the key version number. .TP \fB\-policy\fP \fIpolicy\fP policy used by this principal. If no policy is supplied, then if the @@ -452,7 +452,7 @@ all ACLs before reusing. kadmin: .TP ERRORS: -KADM5_AUTH_DELETE (reequires "delete" privilege) +KADM5_AUTH_DELETE (requires "delete" privilege) KADM5_UNK_PRINC (principal does not exist) .RE .fi @@ -596,7 +596,7 @@ names are printed. If the expression do an "@" character followed by the local realm is appended to the expression. Requires the .I list -priviledge. Alias +privilege. Alias .BR listprincs , .BR get_principals , .BR get_princs . @@ -726,7 +726,7 @@ characters \&?, *, and []'s. All policy are printed. If no expression is provided, all existing policy names are printed. Requires the .I list -priviledge. Alias +privilege. Alias .BR listpols , .BR get_policies , .BR getpols . @@ -798,7 +798,7 @@ with the highest kvno are removed. Othe parsed as an integer, and all entries whose kvno match that integer are removed. If the .B \-k -argument is not specifeid, the default keytab +argument is not specified, the default keytab .I /etc/krb5.keytab is used. If the .B \-q --- src/kadmin/server/kadmind.M 2009-05-05 16:11:15.000000000 +0200 +++ src/kadmin/server/kadmind.M 2009-05-05 16:13:08.000000000 +0200 
@@ -8,7 +8,7 @@ kadmind \- KADM5 administration server .SH DESCRIPTION This command starts the KADM5 administration server. If the database is db2, the administration server runs on the master Kerberos server, which stores the KDC -prinicpal database and the KADM5 policy database. If the database is LDAP, +principal database and the KADM5 policy database. If the database is LDAP, the administration server and the KDC server need not run on the same machine. .B Kadmind accepts remote requests to administer the information in these @@ -24,10 +24,10 @@ requires a number of configuration files for it to work: .TP "\w'kdc.conf\ \ 'u" kdc.conf -The KDC configuration file contains configuration informatin for the KDC +The KDC configuration file contains configuration information for the KDC and the KADM5 system. .B Kadmind -understands a number of variable settings in this file, some of whch are +understands a number of variable settings in this file, some of which are mandatory and some of which are optional. See the CONFIGURATION VALUES section below. .TP @@ -168,7 +168,7 @@ asterisk ( .B * ) character. .IP operation-mask -Specifies what operations may or may not be peformed by a principal +Specifies what operations may or may not be performed by a principal matching a particular entry. This is a string of one or more of the following list of characters or their upper-case counterparts. If the character is upper-case, then the operation is disallowed. If the --- src/kadmin/dbutil/kdb5_util.M 2009-05-05 16:13:09.000000000 +0200 +++ src/kadmin/dbutil/kdb5_util.M 2009-05-05 16:15:08.000000000 +0200 @@ -1,6 +1,6 @@ .TH KDB5_UTIL 8 .SH NAME -kdb5_util \- Kerberos database maintainance utility +kdb5_util \- Kerberos database maintenance utility .SH SYNOPSIS .B kdb5_util [\fB\-r\fP\ \fIrealm\fP] [\fB\-d\fP\ \fIdbname\fP] 
@@ -11,7 +11,7 @@ kdb5_util \- Kerberos database maintaina .I [command_options] .SH DESCRIPTION .B kdb5_util -allows an administrator to perform low-level maintainance procedures on +allows an administrator to perform low-level maintenance procedures on the Kerberos and KADM5 database. Databases can be created, destroyed, and dumped to and loaded from .SM ASCII @@ -20,7 +20,7 @@ files. Additionally, can create a Kerberos master key stash file. .B kdb5_util subsumes the functionality of and makes obsolete the previous database -maintainance programs +maintenance programs .BR kdb5_create , .BR kdb5_edit , .BR kdb5_destroy , @@ -139,12 +139,12 @@ the database will not be changed. .TP .B \-rev dumps in reverse order. This may recover principals that do not dump -normally, in cases where database corruption has occured. +normally, in cases where database corruption has occurred. .TP .B \-recurse causes the dump to walk the database recursively (btree only). This may recover principals that do not dump normally, in cases where -database corruption has occured. In cases of such corruption, this +database corruption has occurred. In cases of such corruption, this option will probably retrieve more principals than the \fB\-rev\fP option will. .RE @@ -260,7 +260,7 @@ converted to "never" expire in the versi did not match either value, all expiration dates will be preserved. .PP Also, Kerberos 4 stored a single modification time for any change to a -record; Version 5 stores a seperate modification time and last +record; Version 5 stores a separate modification time and last password change time. In practice, Version 4 "modifications" were always password changes. \fIload_v4\fP copies the value into both fields. --- src/config-files/kdc.conf.M 2009-05-05 16:09:45.000000000 +0200 +++ src/config-files/kdc.conf.M 2009-05-05 16:11:15.000000000 +0200 
@@ -227,7 +227,7 @@ represents the master key's key type. .IP max_life This .B delta time string -specifes the maximum time period that a ticket may be valid for in +specifies the maximum time period that a ticket may be valid for in this realm. .IP max_renewable_life --- src/appl/bsd/klogind.M 2009-05-05 16:51:57.000000000 +0200 +++ src/appl/bsd/klogind.M 2009-05-05 16:53:15.000000000 +0200 @@ -84,7 +84,7 @@ Create an encrypted session. Require Kerberos V5 clients to present a cryptographic checksum of initial connection information like the name of the user that the client is trying to access in the initial authenticator. This checksum -provides additionl security by preventing an attacker from changing the +provides additional security by preventing an attacker from changing the initial connection information. To benefit from this security, only Kerberos V5 should be trusted; Kerberos V4 and rhosts authentication do not include this checksum. If this option is specified, older Kerberos @@ -97,14 +97,14 @@ checksums are validated if presented. S a checksum from an authenticator without making the authenticator invalid, this default mode is almost as significant of a security improvement as \fB-c\fP if new clients are used. It has the additional -advantage of backwards compatability with some clients. +advantage of backwards compatibility with some clients. Unfortunately, clients before Kerberos V5, Beta5, generate invalid checksums; if these clients are used, the \fB-i\fP option must be used. .IP \fB\-i\fP Ignore authenticator checksums if provided. This option -ignore authenticator checksusm presented by current Kerberos clients +ignore authenticator checksums presented by current Kerberos clients to protect initial connection information; it is the opposite of \fB-c\fP. This option is provided because some older clients--particularly clients predating the release of Kerberos V5 
@@ -113,7 +113,7 @@ authentication from succeeding in the de .PP The parent of the login process manipulates the master side of the -pseduo terminal, operating as an intermediary between the login +pseudo terminal, operating as an intermediary between the login process and the client instance of the .I rlogin(1) program. In normal operation, the packet protocol described in --- src/slave/kprop.M 2009-05-05 16:15:09.000000000 +0200 +++ src/slave/kprop.M 2009-05-05 16:15:24.000000000 +0200 @@ -34,7 +34,7 @@ kprop \- propagate a Kerberos V5 princip .SH DESCRIPTION .I kprop is used to propagate a Kerberos V5 database dump file from the master -Kerberos server to a slave Kerberos server, which is specfied by +Kerberos server to a slave Kerberos server, which is specified by .IR slave_host . This is done by transmitting the dumped database file to the slave server over an encrypted, secure channel. The dump file must be created --- src/slave/kpropd.M 2009-05-05 16:15:25.000000000 +0200 +++ src/slave/kpropd.M 2009-05-05 16:15:51.000000000 +0200 @@ -71,7 +71,7 @@ this: kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd -However, kpropd can also run as a standalone deamon, if the +However, kpropd can also run as a standalone daemon, if the .B \-S option is turned on. This is done for debugging purposes, or if for some reason the system administrator just doesn't want to run it out of --- src/krb524/krb524d.M 2009-05-05 16:53:17.000000000 +0200 +++ src/krb524/krb524d.M 2009-05-05 16:53:30.000000000 +0200 
@@ -43,7 +43,7 @@ krb524d \- Version 5 to Version 4 Creden .SH DESCRIPTION .I krb524d is the Kerberos Version 5 to Version 4 Credentials Conversion daemon. -It works in conjuction with a krb5kdc to allow clients to acquire Kerberos +It works in conjunction with a krb5kdc to allow clients to acquire Kerberos version 4 tickets from Kerberos version 5 tickets without specifying a password. .SH OPTIONS .TP --- src/config-files/krb5.conf.M 2009-05-05 16:29:35.000000000 +0200 +++ src/config-files/krb5.conf.M 2009-05-05 16:31:38.000000000 +0200 @@ -140,7 +140,7 @@ returned by the KDC and in order to corr clock. This corrective factor is only used by the Kerberos library. .IP kdc_req_checksum_type -For compatability with DCE security servers which do not support the +For compatibility with DCE security servers which do not support the default CKSUMTYPE_RSA_MD5 used by this version of Kerberos. Use a value of 2 to use the CKSUMTYPE_RSA_MD4 instead. This applies to DCE 1.1 and earlier. @@ -189,7 +189,7 @@ Specifies the location of the Kerberos V file. Default is "/etc/krb.realms". .IP dns_lookup_kdc -Indicate whether DNS SRV records shoud be used to locate the KDCs and +Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the information for the realm. The default is to use these records. @@ -474,7 +474,7 @@ and sent to the device /dev/tty04. Cross-realm authentication is typically organized hierarchically. This hierarchy is based on the name of the realm, which thus imposes restrictions on the choice of realm names, and on who may participate in -a cross-realm authentication. A non hierarchical orgization may be used, +a cross-realm authentication. A non hierarchical organization may be used, but requires a database to construct the authentication paths between the realms. This section defines that database. .PP 
@@ -556,11 +556,11 @@ would look like this: .sp In the above examples, the ordering is not important, except when the same subtag name is used more then once. The client will use this to -determing the path. (It is not important to the server, since the +determining the path. (It is not important to the server, since the transited field is not sorted.) .PP If this section is not present, or if the client or server cannot find a -client/server path, then normal hierarchical orginization is assumed. +client/server path, then normal hierarchical organization is assumed. .PP This feature is not currently supported by DCE. DCE security servers can be used with Kerberized clients and servers, but versions prior to DCE --- src/appl/bsd/kshd.M 2009-05-05 16:53:32.000000000 +0200 +++ src/appl/bsd/kshd.M 2009-05-05 16:54:33.000000000 +0200 @@ -84,7 +84,7 @@ four variables. Require Kerberos5 clients to present a cryptographic checksum of initial connection information like the name of the user that the client is trying to access in the initial authenticator. -This checksum provides additionl security by preventing an attacker +This checksum provides additional security by preventing an attacker from changing the initial connection information. To benefit from this security, only Kerberos5 should be trusted; Kerberos4 and rhosts authentication do not include this checksum. If this option is 
@@ -97,14 +97,14 @@ checksums are validated if presented. S a checksum from an authenticator without making the authenticator invalid, this default mode is almost as significant of a security improvement as \fB-c\fP if new clients are used. It has the additional -advantage of backwards compatability with some clients. +advantage of backwards compatibility with some clients. Unfortunately, clients before Kerberos V5, Beta5, generate invalid checksums; if these clients are used, the \fB-i\fP option must be used. .IP \fB\-i\fP Ignore authenticator checksums if provided. This option -ignore authenticator checksusm presented by current Kerberos clients +ignore authenticator checksums presented by current Kerberos clients to protect initial connection information; it is the opposite of \fB-c\fP. This option is provided because some older clients--particularly clients predating the release of Kerberos V5 --- src/clients/ksu/ksu.M 2009-05-05 16:38:05.000000000 +0200 +++ src/clients/ksu/ksu.M 2009-05-05 16:39:21.000000000 +0200 @@ -21,7 +21,7 @@ .\" direct, indirect, or consequential damages with respect to any .\" claim by the user or distributor of the ksu software. .\" -.\" KSU was writen by: Ari Medvinsky, ari@isi.edu +.\" KSU was written by: Ari Medvinsky, ari@isi.edu .\" " .TH KSU 1 .SH NAME @@ -442,7 +442,7 @@ cache, the user will be prompted for a K password. The password is then used to get a ticket granting ticket from the Kerberos server. The danger of configuring ksu with this macro is -if the source user is loged in remotely and does not +if the source user is logged in remotely and does not have a secure channel, the password may get exposed. .TP 10 \fIPRINC_LOOK_AHEAD\fP --- src/appl/bsd/rcp.M 2009-05-05 16:39:48.000000000 +0200 +++ src/appl/bsd/rcp.M 2009-05-05 16:41:29.000000000 +0200 
@@ -72,7 +72,7 @@ his login directory. Each line in this principal name of the form .IR principal/instance@realm . If there is a ~/.k5login file, then access is granted to the account if -and only if the originater user is authenticated to one of the +and only if the originating user is authenticated to one of the principals named in the ~/.k5login file. Otherwise, the originating user will be granted access to the account if and only if the authenticated principal name of the user can be mapped to the local @@ -100,7 +100,7 @@ change the default credentials cache fil .I ccachefile .TP \fB\-C\fP \fIconfigfile\fP -change the default configuation file to +change the default configuration file to .I configfile .TP .B \-r --- src/appl/bsd/rsh.M 2009-05-05 16:42:09.000000000 +0200 +++ src/appl/bsd/rsh.M 2009-05-05 16:43:07.000000000 +0200 @@ -46,8 +46,8 @@ his login directory. Each line in this principal name of the form .IR principal/instance@realm . If there is a ~/.k5login file, then access is granted to the account if -and only if the originater user is authenticated to one of the -princiapls named in the ~/.k5login file. Otherwise, the originating +and only if the originating user is authenticated to one of the +principals named in the ~/.k5login file. Otherwise, the originating user will be granted access to the account if and only if the authenticated principal name of the user can be mapped to the local account name using the aname -> lname mapping rules (see
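
Review bot: in src/appl/bsd/klogind.M, hunk @@ -97,14 +97,14 @@, the corrected line under \fB\-i\fP still leaves the sentence reading "This option ignore authenticator checksums presented by current Kerberos clients", a subject-verb mismatch. Since the patch already rewrites that line to fix "checksusm", change "ignore" to "ignores" in the same edit so the description of the option that disables checksum validation reads cleanly.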
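
Review bot: in src/config-files/krb5.conf.M, hunk @@ -140,7 +140,7 @@, the line touched under kdc_req_checksum_type is still a sentence fragment: "For compatibility with DCE security servers which do not support the default CKSUMTYPE_RSA_MD5 used by this version of Kerberos." has no main clause. Consider joining it to the following sentence, for example "For compatibility with DCE security servers which do not support the default CKSUMTYPE_RSA_MD5 used by this version of Kerberos, use a value of 2 to select CKSUMTYPE_RSA_MD4 instead."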
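
Review bot: in src/config-files/krb5.conf.M, hunk @@ -556,11 +556,11 @@, the replacement "determining the path" fixes the spelling but not the grammar: the full sentence is "The client will use this to determining the path", which should be "to determine the path". The unchanged context line just above also has "used more then once", which should be "more than once" and could be corrected in the same hunk.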
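
Review bot: in src/appl/bsd/kshd.M, hunk @@ -97,14 +97,14 @@, the \fB\-i\fP paragraph carries the same leftover as its klogind.M counterpart: after the fix the text reads "This option ignore authenticator checksums presented by current Kerberos clients". Use "ignores" here as well so the two man pages stay word-for-word consistent.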