diff options
-rw-r--r-- | doc/admin.texinfo | 2819 | ||||
-rw-r--r-- | doc/build.texinfo | 323 | ||||
-rw-r--r-- | doc/copyright.texinfo | 91 | ||||
-rw-r--r-- | doc/cyg-install.texinfo | 1644 | ||||
-rw-r--r-- | doc/definitions.texinfo | 28 | ||||
-rw-r--r-- | doc/document-list.texinfo | 21 | ||||
-rw-r--r-- | doc/glossary.texinfo | 63 | ||||
-rw-r--r-- | doc/krb425.texinfo | 479 | ||||
-rw-r--r-- | doc/man2ps | 42 | ||||
-rw-r--r-- | doc/send-pr.texinfo | 200 | ||||
-rw-r--r-- | doc/user-guide.texinfo | 1671 |
11 files changed, 7381 insertions, 0 deletions
diff --git a/doc/admin.texinfo b/doc/admin.texinfo new file mode 100644 index 0000000000..c90a0ef138 --- /dev/null +++ b/doc/admin.texinfo @@ -0,0 +1,2819 @@ +\input texinfo @c -*-texinfo-*- +@c Note: the above texinfo file must include the "doubleleftarrow" +@c definitions added by jcb. +@c %**start of header +@c guide +@setfilename kerbnet-admin.info +@settitle Kerb*Net System Administrator's Guide +@c @setchapternewpage odd @c chapter begins on next odd page +@setchapternewpage on @c chapter begins on next page +@smallbook @c Format for 7" X 9.25" paper +@c %**end of header +@paragraphindent 0 +@iftex +@parskip 6pt plus 6pt +@end iftex + +@include definitions.texinfo +@set EDITION 0.9 beta + +@finalout @c don't print black warning boxes + +@titlepage +@title @value{PRODUCT} System Administrator's Guide +@subtitle Release: @value{RELEASE} +@subtitle Document Edition: @value{EDITION} +@subtitle Last updated: @value{UPDATED} +@author @value{COMPANY} + +@page +@vskip 0pt plus 1filll + +@include copyright.texinfo +@end titlepage + +@comment node-name, next, previous, up +@node Top, Introduction, (dir), (dir) + +@ifinfo +This document describes how to administrate a @value{PRODUCT} +installation. + +@include copyright.texinfo +@end ifinfo + +@c The master menu is updated using emacs19's M-x texinfo-all-menus-update +@c function. Don't forget to run M-x texinfo-every-node-update after +@c you add a new section or subsection, or after you've rearranged the +@c order of sections or subsections. Also, don't forget to add an @node +@c comand before each @section or @subsection! All you need to enter +@c is: +@c +@c @node New Section Name + +@c @section New Section Name +@c +@c M-x texinfo-every-node-update will take care of calculating the +@c node's forward and back pointers. +@c + +@menu +* Introduction:: +* How Kerberos Works:: +* Administrating Kerberos Database Entries:: +* Application Servers:: +* Updates:: +* Backups of Secure Hosts:: +* Support:: +* Appendix:: +@end menu + +@c --------------------------------------------------------------------- + +@node Introduction, How Kerberos Works, Top, Top +@chapter Introduction + +Congratulations on your purchase of @value{PRODUCT}. @value{COMPANY} +believes @value{PRODUCT} provides the best network security available. +Please let us know if we can be of assistance in getting your +installation of @value{PRODUCT} set up and running. + +@menu +* Why Should I use Kerberos?:: +* @value{PRODUCT} Documentation:: +* Overview of This Guide:: +@end menu + +@node Why Should I use Kerberos?, @value{PRODUCT} Documentation, Introduction, Introduction +@section Why Should I use Kerberos? + +Since Kerberos negotiates authenticated, and optionally encrypted, +communications between two points anywhere on the internet, it provides +a layer of security that is not dependent on which side of a firewall +either client is on. Since studies have shown that half of the computer +security breaches in industry happen from @i{inside} firewalls, +@value{PRODUCT} from @value{COMPANY} will play a vital role in the +security of your network. + +@node @value{PRODUCT} Documentation, Overview of This Guide, Why Should I use Kerberos?, Introduction +@section @value{PRODUCT} Documentation + +This document is one piece of the document set for @value{PRODUCT}. The +documents, and their intended audiences, are: + +@include document-list.texinfo + +@node Overview of This Guide, , @value{PRODUCT} Documentation, Introduction +@section Overview of This Guide + +The next chapter describes how Kerberos works. + +Chapter three describes administration of the principals in the Kerberos +database. + +Chapter four describes administrative programs for manipulating the +Kerberos database as a whole. + +Chapter five describes issues to consider when adding an application +server to the database. + +Chapter six describes our problem reporting system. + +The appendices include sample configuration files, the list of Kerberos +error messages, and a complete list of the time zones understood by +@code{kadmin}. + +@node How Kerberos Works, Administrating Kerberos Database Entries, Introduction, Top +@chapter How Kerberos Works + +This section provides a simplified description of a general user's +interaction with the Kerberos system. This interaction happens +transparently---users don't need to know and probably don't care about +what's going on---but Kerberos administrators might find a schematic +description of the process useful. This description glosses over a lot +of details; for more information, see @i{Kerberos: An Authentication +Service for Open Network Systems}, a paper presented at Winter USENIX +1988, in Dallas, Texas. This paper can be retreived by FTP from +@code{athena-dist.mit.edu}, in the location: +@code{/pub/ATHENA/kerberos/doc/USENIX.ps}. + +@menu +* Network Services and Their Client Programs:: +* Kerberos Tickets:: +* The Kerberos Database:: +* Kerberos Realms:: +* The Ticket-Granting Ticket:: +* Network Services and the Master Database:: +* The User--Kerberos Interaction:: +* Definitions:: +@end menu + +@node Network Services and Their Client Programs, Kerberos Tickets, How Kerberos Works, How Kerberos Works +@section Network Services and Their Client Programs + +In an environment that provides network services, you use @dfn{client} +programs to request @dfn{services} from @dfn{server} programs that are +somewhere on the network. Suppose you have logged in to a workstation +and you want to @samp{rlogin} to a typical UNIX host. You use the local +@samp{rlogin} client program to contact the remote machine's +@samp{rlogind} daemon. + +@node Kerberos Tickets, The Kerberos Database, Network Services and Their Client Programs, How Kerberos Works +@section Kerberos Tickets + +Under Kerberos, the @samp{klogind} daemon allows you to login to a +remote machine if you can provide @samp{klogind} a Kerberos ticket +which proves your identity. In addition to the ticket, you must also +have possession of the corresponding ticket session key. The +combination of a ticket and the ticket's session key is known as a credential. + +Typically, a client program automatically obtains credentials +identifying the person using the client program. The credentials are +obtained from a Kerberos server that resides somewhere on the network. +A Kerberos server maintains a database of user, server, and password +information. + +@node The Kerberos Database, Kerberos Realms, Kerberos Tickets, How Kerberos Works +@section The Kerberos Database + +Kerberos will give you credentials only if you have an entry in the +Kerberos server's @dfn{Kerberos database}. Your database entry includes +your Kerberos @dfn{principal} (an identifying string, which is often +just your username), and your Kerberos password. Every Kerberos user +must have an entry in this database. + +@node Kerberos Realms, The Ticket-Granting Ticket, The Kerberos Database, How Kerberos Works +@section Kerberos Realms + +Each administrative domain will have its own Kerberos database, which +contains information about the users and services for that particular +site or administrative domain. This administrative domain is the +@dfn{Kerberos realm}. + +Each Kerberos realm will have at least one Kerberos server, where the +master Kerberos database for that site or administrative domain is +stored. A Kerberos realm may also have one or more @dfn{slave servers}, +which have read-only copies of the Kerberos database that are +periodically propagated from the master server. For more details on how +this is done, see the ``Set Up the Slave KDCs for Database Propagation'' +and ``Propagate the Database to Each Slave KDC'' sections of the +@value{PRODUCT} Installation Guide. + +@node The Ticket-Granting Ticket, Network Services and the Master Database, Kerberos Realms, How Kerberos Works +@section The Ticket-Granting Ticket + +The @samp{kinit} command prompts for your password. If you enter it +successfully, you will obtain a @dfn{ticket-granting ticket} and a +@dfn{ticket session key} which gives you the right to use the ticket. +This combination of the ticket and its associated key is known as your +@dfn{credentials}. As illustrated below, client programs use your +ticket-granting ticket credentials in order to obtain client-specific +credentials as needed. + +Your credentials are stored in a @dfn{credentials cache}, which is often +just a file in @code{/tmp}. The credentials cache is also called the +@dfn{ticket file}, especially in Kerberos V4 documentation. Note, +however, that a credentials cache does not have to be stored in a file. + +@node Network Services and the Master Database, The User--Kerberos Interaction, The Ticket-Granting Ticket, How Kerberos Works +@section Network Services and the Master Database + +The master database also contains entries for all network services that +require Kerberos authentication. Suppose that your site has a machine, +@samp{laughter.@value{PRIMARYDOMAIN}}, that requires Kerberos +authentication from anyone who wants to @samp{rlogin} to it. The host's +Kerberos realm is @samp{@value{PRIMARYREALM}}. + +This service must be registered in the Kerberos database, using the +proper service name, which in this case is the @dfn{principal}: + +@smallexample +host/laughter.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} +@end smallexample + +@noindent +The @samp{/} character separates the Kerberos @dfn{primary} (in this +case, @samp{host}) from the @dfn{instance} (in this case, +@samp{laughter.@value{PRIMARYDOMAIN}}); the @samp{@@} character separates +the realm name (in this case, @samp{@value{PRIMARYREALM}}) from the rest +of the principal. The primary, @samp{host}, denotes the name or type of +the service that is being offered: generic host-level access to the +machine. The instance, @samp{laughter.@value{PRIMARYDOMAIN}}, names the +specific machine that is offering this service. There will generally be +many different machines, each offering one particular type of service, +and the instance serves to give each one of these servers a different +Kerberos principal. + +@menu +* The Keytab File:: +@end menu + +@node The Keytab File, , Network Services and the Master Database, Network Services and the Master Database +@subsection The Keytab File + +For each service, there must also be a @dfn{service key} known only by +Kerberos and the service. On the Kerberos server, the service key is +stored in the Kerberos database. + +On the server host, these service keys are stored in @dfn{key tables}, +which are files known as @dfn{keytabs}.@footnote{Keytabs were called +@dfn{srvtabs} in Kerberos V4.} For example, the service keys used by +services that run as root are usually stored in the keytab file +@code{/etc/v5srvtab}. @b{N.B.:} This service key is the equivalent of +the service's password, and must be kept secure. Data which is meant to +be read only by the service is encrypted using this key. + +@node The User--Kerberos Interaction, Definitions, Network Services and the Master Database, How Kerberos Works +@section The User--Kerberos Interaction + +Suppose that you walk up to a host intending to login to it, and then +@samp{rlogin} to the machine @samp{laughter}. Here's what happens: + +@enumerate +@item +You login to the workstation and use the @samp{kinit} command to get a +ticket-granting ticket. This command prompts you for your Kerberos +password. (On systems running the @value{PRODUCT} @samp{login} program, +this may be done as part of the login process, not requiring the user to +run a separate program.) + +@enumerate A +@item +The @samp{kinit} command sends your request to the Kerberos master +server machine. The server software looks for your principal name's +entry in the Kerberos database. + +@item +If this entry exists, the Kerberos server creates and returns a +ticket-granting ticket and the key which allows you to use it, encrypted +by your password. If @samp{kinit} can decrypt the Kerberos reply using +the password you provide, it stores this ticket in a credentials cache +on your local machine for later use. The name of the credentials cache +can be specified in the @samp{KRB5_CCNAME} environment variable. If +this variable is not set, the name of the file will be +@file{/tmp/krb5cc_<uid>}, where <uid> is your UNIX user-id, represented +in decimal format. +@end enumerate + +@need 1500 +@item +Now you use the @samp{rlogin} client to access the machine +@samp{laughter}. + +@example +host% @b{rlogin laughter} +@end example + +@enumerate A +@item +The @samp{rlogin} client checks your ticket file to see if you have a +ticket for the @samp{host} service for @samp{laughter}. You don't, so +@samp{rlogin} uses the credential cache's ticket-granting ticket to make +a request to the master server's ticket-granting service. + +@item +This ticket-granting service receives the request for a ticket for +@samp{host/laughter.@value{PRIMARYDOMAIN}}, and looks in the master +database for an entry for @samp{host/laughter.@value{PRIMARYDOMAIN}}. +If the entry exists, the ticket-granting service issues you a ticket for +that service. That ticket is also cached in your credentials cache. + +@item +The @samp{rlogin} client now sends that ticket to the @samp{laughter} +@samp{klogind} service program. The service program checks the ticket +by using its own service key. If the ticket is valid, it now knows your +identity. If you are allowed to login to @samp{laughter} (because your +username matches one in /etc/passwd, or your Kerberos principal is in +the appropriate @file{.k5login} file), @code{klogind} will let you +login. +@end enumerate +@end enumerate + +@node Definitions, , The User--Kerberos Interaction, How Kerberos Works +@section Definitions + +Following are definitions of some of the Kerberos terminology. + +@include glossary.texinfo + +@node Administrating Kerberos Database Entries, Application Servers, How Kerberos Works, Top +@chapter Administrating the Kerberos Database + +Your Kerberos database contains all of your realm's Kerberos principals, +their passwords, and other administrative information about each +principal. For the most part, you will use the @code{kdb5_util} program +to manipulate the Kerberos database as a whole, and the @code{kadmin} +program to make changes to the entries in the database. (One notable +exception is that users will use the @code{kpasswd} program to change +their own passwords.) The @code{kadmin} program has its own +command-line interface, to which you type the database administrating +commands. + +@code{Kdb5_util} provides a means to create, delete, load, or dump a +Kerberos database. It also includes a command to stash a copy of the +master database key in a file on a KDC, so that the KDC can authenticate +itself to the @code{kadmind} and @code{krb5kdc} daemons at boot time. + +@code{Kadmin} provides for the maintenance of Kerberos principals, KADM5 +policies, and service key tables (keytabs). It exists as both a +Kerberos client, @code{kadmin}, using Kerberos authentication and an +RPC, to operate securely from anywhere on the network, and as a local +client, @code{kadmin.local}, intended to run directly on the KDC without +Kerberos authentication. Other than the fact that the remote client +uses Kerberos to authenticate the person using it, the functionalities +of the two versions are identical. The local version is necessary to +enable you to set up enough of the database to be able to use the remote +version. It replaces the now obsolete @code{kdb5_edit} (except for +database dump and load, which are provided by @code{kdb5_util}). + +The remote version authenticates to the KADM5 server using the service +principal @code{kadmin/admin}. If the credentials cache contains a +ticket for the @code{kadmin/admin} principal, and the @samp{-c +credentials_cache} option is specified, that ticket is used to +authenticate to KADM5. Otherwise, the @samp{-p} and @samp{-k} options +are used to specify the client Kerberos principal name used to +authenticate. Once kadmin has determined the principal name, it +requests a @code{kadmin/admin} Kerberos service ticket from the KDC, and +uses that service ticket to authenticate to KADM5. + +@menu +* Kadmin Options:: +* Date Format:: +* Principals:: +* Policies:: +* Dumping a Kerberos Database to a File:: +* Restoring a Kerberos Database from a Dump File:: +* Creating a Stash File:: +* Creating and Destroying a Kerberos Database:: +* The KDC Logs:: +@end menu + +@node Kadmin Options, Date Format, Administrating Kerberos Database Entries, Administrating Kerberos Database Entries +@section Kadmin Options + +You can invoke @code{kadmin} with any of the following options: + +@table @b +@item @b{-r} @i{REALM} +Use @i{REALM} as the default Kerberos realm for the database. + +@item @b{-p} @i{principal} +Use the Kerberos principal @i{principal} to authenticate to Kerberos. +If this option is not given, @code{kadmin} will append @code{admin} to +either the primary principal name, the environment variable USER, or to +the username obtained grom @code{getpwuid}, in order of preference. + +@item @b{-k} @i{keytab} +Use the keytab @i{keytab} to decrypt the KDC response instead of +prompting for a password on the TTY. In this case, the principal will +be @samp{host/@i{hostname}}. + +@item @b{-c} @i{credentials cache} +Use @i{credentials_cache} as the credentials cache. The credentials +cache should contain a service ticket for the @code{kadmin/admin} +service, which can be acquired with the @code{kinit} program. If this +option is not specified, @code{kadmin} requests a new service ticket +from the KDC, and stores it in its own temporary ccache. + +@item @b{-w} @i{password} +Use @i{password} as the password instead of prompting for one on the +TTY. Note: placing the password for a Kerberos principal with +administration access into a shell script can be dangerous if +unauthorized users gain read access to the script. + +@item @b{-q} @i{query} +Pass @i{query} directly to @code{kadmin}. This is useful for writing +scripts that pass specific queries to @code{kadmin}. +@end table + +@node Date Format, Principals, Kadmin Options, Administrating Kerberos Database Entries +@section Date Format + +Many of the @code{kadmin} commands take a duration or time as an +argument. The date can appear in a wide variety of formats, such as: + +@smallexample +@group +1 month ago +2 hours ago +400000 seconds ago +last year +this Monday +next Monday +yesterday +tomorrow +now +second Monday +a fortnight ago +3/31/92 10:00:07 PST +January 23, 1987 10:05pm +22:00 GMT +@end group +@end smallexample + +All of these are case-insensitive. The following is a list of all of +the allowable keywords. + +@table @b +@item Months +january, jan, february, feb, march, mar, april, apr, may, june, jun, +july, jul, august, aug, september, sept, sep, october, oct, november, +nov, december, dec + +@item Days +sunday, sun, monday, mon, tuesday, tues, tue, wednesday, wednes, wed, +thursday, thurs, thur, thu, friday, fri, saturday, sat + +@item Units +year, month, fortnight, week, day, hour, minute, min, second, sec + +@item Relative +tomorrow, yesterday, today, now, last, this, next, first, third, fourth, +fifth, sixth, seventh, eighth, ninth, tenth, eleventh, twelfth, ago + +@item Time Zones +@code{kadmin} recognizes abbreviations for most of the world's time +zones. A complete listing appears in @ref{kadmin Time Zones}. + +@item 12-hour Time Delimiters +am, pm +@end table + +@menu +* Principals:: +* Policies:: +* The KDC Logs:: +@end menu + +@node Principals, Policies, Date Format, Administrating Kerberos Database Entries +@section Principals + +Each entry in the Kerberos database contains a Kerberos principal +(@pxref{Definitions}) and the attributes and policies associated with +that principal. + +@menu +* Retrieving Information About a Principal:: +* Privileges:: +* Adding or Modifying Principals:: +* Deleting Principals:: +* Changing Passwords:: +* Renaming Principals:: +@end menu + +@node Retrieving Information About a Principal, Privileges, Principals, Principals +@subsection Retrieving Information About a Principal + +@menu +* Attributes:: +* Retrieving a List of Principals:: +@end menu + +@node Attributes, Retrieving a List of Principals, Retrieving Information About a Principal, Retrieving Information About a Principal +@subsubsection Attributes + +To retrieve a listing of the attributes and/or policies associated with +a principal, use the @code{kadmin} @code{get_principal} command, which +requires the ``inquire'' administrative privilege. The syntax is: + +@smallexample +@b{get_principal} @i{principal} +@end smallexample + +@noindent The @code{get_principal} command has the alias @code{getprinc}. + +For example, suppose you wanted to view the attributes of the principals +@code{@value{RANDOMUSER1}/root@@@value{PRIMARYREALM}} and +@code{systest@@@value{PRIMARYREALM}}. You would type: + +@smallexample +@group +@b{shell%} kadmin +@b{kadmin:} getprinc @value{RANDOMUSER1}/root +@b{Principal: @value{RANDOMUSER1}/admin@@@value{PRIMARYREALM} +Key version: 3 +Maximum life: 1 day 00:00:00 +Maximum renewable life: 7 days 00:00:00 +Master key version: 1 +Expires: Mon Jan 18 22:14:07 EDT 2038 +Password expires: Mon Sep 19 14:40:00 EDT 1996 +Password last changed: Mon Jan 31 02:06:40 EDT 1996 +Last modified: by @value{ADMINUSER}/admin@@@value{PRIMARYREALM} + on Wed Jul 13 18:27:08 EDT 1996 +Attributes: DISALLOW_FORWARDABLE, DISALLOW_PROXIABLE, + REQUIRES_HW_AUTH +Salt type: DEFAULT +kadmin:} +@end group +@end smallexample + +The @code{get_principal} command has a @code{-terse} option, which lists +the fields as a quoted, tab-separated string. For example: + +@smallexample +@group +@b{kadmin:} getprinc -terse systest +@b{systest@@@value{PRIMARYREALM} 3 86400 604800 1 +785926535 753241234 785900000 +@value{RANDOMUSER1}/admin@@@value{PRIMARYREALM} 786100034 0 +0 +kadmin:} +@end group +@end smallexample + +@node Retrieving a List of Principals, , Attributes, Retrieving Information About a Principal +@subsubsection Retrieving a List of Principals + +To generate a listing of principals, use the @code{kadmin} +@code{list_principals} command, which requires the ``list'' privilege. +The syntax is: + +@smallexample +@b{list_principals} [@i{expression}] +@end smallexample + +@noindent where @i{expression} is a shell-style glob expression that can +contain the characters @samp{*}, @samp{?}, @samp{[}, and @samp{]}. All +policy names matching the expression are displayed. The +@code{list_principals} command has the alias @code{listprincs}. For +example: + +@smallexample +@group +@b{kadmin:} listprincs test* +@b{test3@@@value{PRIMARYDOMAIN} +test2@@@value{PRIMARYDOMAIN} +test1@@@value{PRIMARYDOMAIN} +testuser@@@value{PRIMARYDOMAIN} +kadmin:} +@end group +@end smallexample + +@noindent If no expression is provided, all principals are printed. + +@node Privileges, Adding or Modifying Principals, Retrieving Information About a Principal, Principals +@subsection Privileges + +Administrative privileges for the Kerberos database are stored in the +file @code{kadm5.acl}. Each line of the file contains a principal, the +privileges that principal has, and optionally the target to which those +permissions apply. The privileges are represented by single letters; +UPPER-CASE letters represent negative permissions. The permissions are: + +@table @b +@itemx a +allows the addition of principals or policies in the database. +@itemx A +disallows the addition of principals or policies in the database. +@itemx d +allows the deletion of principals or policies in the database. +@itemx D +disallows the deletion of principals or policies in the database. +@itemx m +allows the modification of principals or policies in the database. +@itemx M +disallows the modification of principals or policies in the database. +@itemx c +allows the changing of passwords for principals in the database. +@itemx C +disallows the changing of passwords for principals in the database. +@itemx i +allows inquiries to the database. +@itemx I +disallows inquiries to the database. +@itemx l +allows the listing of principals or policies in the database. +@itemx L +disallows the listing of principals or policies in the database. +@itemx * +All privileges (admcil). +@itemx x +All privileges (admcil); identical to ``*''. +@end table + +Principals in this file can include the @b{*} wildcard. Here is an +example of a @code{kadm5.acl} file. Note that order is important; +permissions are determined by the first matching entry. + +@smallexample +@group +*/admin@@@value{PRIMARYREALM} * +@value{ADMINUSER}/null@@@value{PRIMARYREALM} ADMCIL +@value{ADMINUSER}/*@@@value{PRIMARYREALM} il +@value{RANDOMUSER1}/root@@@value{PRIMARYREALM} cil */root@@@value{PRIMARYREALM} +*/*@@@value{PRIMARYREALM} i +@end group +@end smallexample + +@noindent In the above file, any principal with an @code{admin} instance +has all administrative privileges. The user @code{@value{ADMINUSER}} +has all permissions with his @code{admin} instance, +@code{@value{ADMINUSER}/admin@@@value{PRIMARYREALM}} (matches the first +line). He has no permissions at all with his @code{null} instance, +@code{@value{ADMINUSER}/null@@@value{PRIMARYREALM}} (matches the second +line). He has @i{inquire} and @i{list} permissions with any other +instance (matches the third line). When @code{@value{RANDOMUSER1}} is +using her @code{root} +instance, @code{@value{RANDOMUSER1}/root@@@value{PRIMARYREALM}}, she has +@i{change password}, @i{inquire}, and @i{list} privileges for any other +principal that has the instance @code{root}. Finally, any principal in +the realm @code{@value{PRIMARYREALM}} (except for +@code{@value{ADMINUSER}/null@@@value{PRIMARYREALM}}, as mentioned above) +has @i{inquire} privileges. + +@node Adding or Modifying Principals, Deleting Principals, Privileges, Principals +@subsection Adding or Modifying Principals + +To add a principal to the database, use the kadmin @code{add_principal} +command, which requires the ``add'' administrative privilege. The +syntax is: + +@smallexample +@b{kadmin:} add_principal [@i{options}] @i{principal} +@end smallexample + +To modify attributes of a principal, use the kadmin +@code{modify_principal} command, which requires the ``modify'' +administrative privilege. The syntax is: + +@smallexample +@b{kadmin:} modify_principal [@i{options}] @i{principal} +@end smallexample + +@noindent +@code{add_principal} has the aliases @code{addprinc} and +@code{ank}@footnote{@code{ank} was the short form of the equivalent +command using the deprecated @code{kadmin5} database administrative +tool. It has been kept}. @code{modify_principal} has the alias @code{modprinc}. + +The @code{add_principal} and @code{modify_principal} commands take the +following switches: + +@table @b +@item -salt @i{salttype} +Uses the specified salt for generating the key. The valid salt types +are: + +@itemize @bullet +@item full_name (aliases ``v5_salt'' and ``normal''; this is the default) +@item name_only +@item realm_only +@item no_salt (alias ``v4_salt'') +@end itemize + +@item -clearpolicy +removes the current policy from a principal (@code{modify_principal} +only). + +@item -expire @i{date} +Sets the expiration date of the principal to @i{date}. + +@item -pwexpire @i{date} +Sets the expiration date of the password to @i{date}. + +@item -maxlife @i{maxlife} +Sets the maximum ticket life of the principal to @i{maxlife}. + +@item -kvno @i{number} +Explicity sets the key version number to @i{number}. @value{COMPANY} +does not recommend doing this unless there is a specific reason. + +@item -policy @i{policy} +Sets the policy used by this principal. (@xref{Policies}.) If no +policy is supplied, the principal will have no policy, and @code{kadmin} +will print a warning message. + +@item @{-|+@}allow_postdated +The ``-allow_postdated'' option prohibits this principal from obtaining +postdated tickets. ``+allow_postdated'' clears this flag. In effect, +``-allow_postdated'' sets the KRB5_KDB_DISALLOW_POSTDATED flag on the +principal in the database. + +@item @{-|+@}allow_forwardable +The ``-allow_forwardable'' option prohibits this principal from +obtaining forwardable tickets. ``+allow_forwardable'' clears this flag. +In effect, ``-allow_forwardable'' sets the KRB5_KDB_DISALLOW_FORWARDABLE +flag on the principal in the database. + +@item @{-|+@}allow_renewable +The ``-allow_renewable'' option prohibits this principal from obtaining +renewable tickets. ``+allow_renewable'' clears this flag. In effect, +``-allow_renewable'' sets the KRB5_KDB_DISALLOW_RENEWABLE flag on the +principal in the database. + +@item @{-|+@}allow_proxiable +The ``-allow_proxiable'' option prohibits this principal from obtaining +proxiable tickets. ``+allow_proxiable'' clears this flag. In effect, +``-allow_proxiable'' sets the KRB5_KDB_DISALLOW_PROXIABLE flag. on the +principal in the database. + +@item @{-|+@}allow_dup_skey +The ``-allow_dup_skey'' option disables user-to-user authentication for +this principal by prohibiting this principal from obtaining a session +key for another user. ``+allow_dup_skey'' clears this flag. In effect, +``-allow_dup_skey'' sets the KRB5_KDB_DISALLOW_DUP_SKEY flag on the +principal in the database. + +@item @{-|+@}requires_preauth +The ``+requires_preauth'' option requires this principal to +preauthenticate before being allowed to kinit. -requires_preauth clears +this flag. In effect, +requires_preauth sets the +KRB5_KDB_REQUIRES_PRE_AUTH flag on the principal in the database. + +@item @{-|+@}requires_hwauth +The ``+requires_hwauth'' flag requires the principal to preauthenticate +using a hardware device before being allowed to kinit. +``-requires_hwauth'' clears this flag. In effect, ``+requires_hwauth'' +sets the KRB5_KDB_REQUIRES_HW_AUTH flag on the principal in the +database. + +@item @{-|+@}allow_svr +The ``-allow_svr'' flag prohibits the issuance of service tickets for +this principal. ``+allow_svr'' clears this flag. In effect, +``-allow_svr'' sets the KRB5_KDB_DISALLOW_SVR flag on the principal in +the database. + +@item @{-|+@}allow_tgs_req +The ``-allow_tgs_req'' option specifies that a Ticket-Granting Service +(TGS) request for a service ticket for this principal is not permitted. +You will probably never need to use this option. ``+allow_tgs_req'' +clears this flag. The default is ``+allow_tgs_req''. In effect, +``-allow_tgs_req'' sets the KRB5_KDB_DISALLOW_TGT_BASED flag on the +principal in the database. + +@item @{-|+@}allow_tix +The ``-allow_tix'' option forbids the issuance of any tickets for this +principal. ``+allow_tix'' clears this flag. The default is +``+allow_tix''. In effect, ``-allow_tix'' sets the +KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in the database. + +@item @{-|+@}needchange +The ``+needchange'' option sets a flag in attributes field to force a +password change; ``-needchange'' clears it. The default is +``-needchange''. In effect, ``+needchange'' sets the +KRB5_KDB_REQUIRES_PWCHANGE flag on the principal in the database. + +@item @{-|+@}password_changing_service +The ``+password_changing_service'' option sets a flag in the attributes +field marking this principal as a password change service. (Again, you +will probably never need to use this option.) +``-password_changing_service'' clears the flag. The default is +``-password_changing_service''. In effect, the +``+password_changing_service'' option sets the KRB5_KDB_PWCHANGE_SERVICE +flag on the principal in the database. + +@item -clearpolicy @i{policyname} +Removes the policy @i{policyname} from the principal +(@code{modify_principal} only). + +@item -randkey +Sets the key for the principal to a random value (@code{add_principal} +only). @value{COMPANY} recommends using this option for host keys. + +@item -pw @i{password} +Sets the key of the principal to the specified string and does not +prompt for a password (@code{add_principal} only). @value{COMPANY} does +not recommend using this option. +@end table + +If you want to just use the default values, all you need to do is: + +@smallexample +@group +@b{kadmin:} addprinc @value{RANDOMUSER1} +@b{WARNING: no policy specified for "@value{RANDOMUSER1}@@@value{PRIMARYREALM}"; +defaulting to no policy.} +@iftex +@b{Enter password for principal @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{@doubleleftarrow{} Type the password.} +@b{Re-enter password for principal @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{@doubleleftarrow{} Type it again.} +@end iftex +@ifinfo +@b{Enter password for principal @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<= Type the password.} +@b{Re-enter password for principal @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<=Type it again.} +@end ifinfo +@b{Principal "@value{RANDOMUSER1}@@@value{PRIMARYREALM}" created. +kadmin:} +@end group +@end smallexample + +If, on the other hand, you want to set up an account that expires on +January 1, 2000, that uses a policy called ``stduser'', with a temporary +password (which you want the user to change immediately), you would type +the following. (Note: each line beginning with @result{} is a +continuation of the previous line.) + +@smallexample +@group + +@b{kadmin:} addprinc @value{RANDOMUSER2} -expire "1/1/2000 12:01am EST" -policy stduser +@result{} +needchange +@iftex +@b{Enter password for principal @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{@doubleleftarrow{} Type the password.} +@b{Re-enter password for principal +@value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{@doubleleftarrow{} Type it again.} +@end iftex +@ifinfo +@b{Enter password for principal @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{<= Type the password.} +@b{Re-enter password for principal +@value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{<= Type it again.} +@end ifinfo +@b{Principal "@value{RANDOMUSER2}@@@value{PRIMARYREALM}" created. +kadmin:} + +@end group +@end smallexample + +If you will need cross-realm authentication, you need to add principals +for the other realm's TGT to each realm. For example, if you need to do +cross-realm authentication between the realms @value{PRIMARYREALM} and +@value{SECONDREALM}, you would need to add the principals +@samp{krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}} and +@samp{krbtgt/@value{PRIMARYREALM}@@@value{SECONDREALM}} to both +databases. You need to be sure the passwords and the key version +numbers (kvno) are the same in both databases. This may require +explicitly setting the kvno with the @samp{-kvno} option. + +@node Deleting Principals, Changing Passwords, Adding or Modifying Principals, Principals +@subsection Deleting Principals + +To delete a principal, use the kadmin @code{delete_principal} command, +which requires the ``delete'' administrative privilege. The syntax is: + +@smallexample +@b{delete_principal} [@b{-force}] @i{principal} +@end smallexample + +@noindent @code{delete_principal} has the alias @code{delprinc}. The +@code{-force} option causes @code{delete_principal} not to ask if you're +sure. For example: + +@smallexample +@group +@b{kadmin:} delprinc @value{RANDOMUSER1} +@b{Are you sure you want to delete the principal +"@value{RANDOMUSER1}@@@value{PRIMARYREALM}"? (yes/no):} yes +@b{Principal "@value{RANDOMUSER1}@@@value{PRIMARYREALM}" deleted. +Make sure that you have removed this principal from +all ACLs before reusing. +kadmin:} +@end group +@end smallexample + +@node Changing Passwords, Renaming Principals, Deleting Principals, Principals +@subsection Changing Passwords + +To change a principal's password use the kadmin @code{change_password} +command, which requires the ``modify'' administrative privilege (unless +the principal is changing his/her own password). The syntax is: + +@smallexample +@b{change_password} [@i{options}] @i{principal} +@end smallexample + +@noindent The @code{change_password} option has the alias @code{cpw}. +@code{change_password} takes the following options: + +@table @b +@item @b{-salt} @i{salttype} +Uses the specified salt for generating the key. Salt types are the same +as for the @code{add_principal} command (@pxref{Adding or Modifying +Principals}). + +@item -randkey +Sets the key of the principal to a random value. + +@item @b{-pw} @i{password} +Sets the password to the string @i{password}. @value{COMPANY} does not +recommend using this option. +@end table + +For example: + +@smallexample +@group +@b{kadmin:} cpw @value{RANDOMUSER2} +@iftex +@b{Enter password for principal @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{@doubleleftarrow{} Type the new password.} +@b{Re-enter password for principal @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{@doubleleftarrow{} Type it again.} +@end iftex +@ifinfo +@b{Enter password for principal @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{<= Type the new password.} +@b{Re-enter password for principal @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{<= Type it again.} +@end ifinfo +@b{Password for @value{RANDOMUSER2}@@@value{PRIMARYREALM} changed. +kadmin:} +@end group +@end smallexample + +Note that @code{change_password} will not let you change the password to +one that is in the principal's password history. + +@node Renaming Principals, , Changing Passwords, Principals +@subsection Renaming Principals + +To rename a principal, use the kadmin @code{rename_principal} command, +which requires both the ``add'' and ``delete'' administrative +privileges. The syntax is: + +@smallexample +@b{rename_principal} [@b{-force}] @i{old_principal} @i{new_principal} +@end smallexample + +@noindent The @code{rename_principal} command has the alias @code{renprinc}. + +For example: + +@smallexample +@group +@b{kadmin:} renprinc tlyutest test0 +@b{Are you sure you want to rename the principal +"test@@@value{PRIMARYREALM}" to +"test2@@@value{PRIMARYREALM}"? (yes/no):} yes +@b{Principal "test@@@value{PRIMARYREALM}" renamed to +"test2@@@value{PRIMARYREALM}". +Make sure that you have removed "test@@@value{PRIMARYREALM}" from +all ACLs before reusing. +kadmin:} +@end group +@end smallexample + +@node Policies, Dumping a Kerberos Database to a File, Principals, Administrating Kerberos Database Entries +@section Policies + +A policy is a set of rules governing passwords. Policies can dictate +minimum and maximum password lifetimes, minimum number of characters and +character classes a password must contain, and the number of old +passwords kept in the database. + +@menu +* Retrieving Policies:: +* Retrieving the List of Policies:: +* Adding or Modifying Policies:: +* Deleting Policies:: +@end menu + +@node Retrieving Policies, Retrieving the List of Policies, Policies, Policies +@subsection Retrieving Policies + +To retrieve a policy, use the kadmin @code{get_policy} command, which +requires the ``inquire'' administrative privilege. The syntax is: + +@smallexample +@b{get_policy} [@b{-terse}] @i{policy} +@end smallexample + +The @code{get_policy} command has the alias @code{getpol}. For example: + +@smallexample +@group +@b{kadmin:} get_policy admin +@b{Policy: admin +Maximum password life: 180 days 00:00:00 +Minimum password life: 00:00:00 +Minimum password length: 6 +Minimum number of password character classes: 2 +Number of old keys kept: 5 +Reference count: 17 +kadmin:} +@end group +@end smallexample + +@noindent The @dfn{reference count} is the number of principals using +that policy. + +The @code{get_policy} command has a @code{-terse} option, which lists +each field as a quoted, tab-separated string. For example: + +@smallexample +@group +@b{kadmin:} get_policy -terse admin +@b{admin 15552000 0 6 2 5 17 +kadmin:} +@end group +@end smallexample + +@node Retrieving the List of Policies, Adding or Modifying Policies, Retrieving Policies, Policies +@subsection Retrieving the List of Policies + +You can retrieve the list of policies with the kadmin +@code{list_policies} command, which requires the ``list'' privilege. The +syntax is: + +@smallexample +@b{list_policies} [@i{expression}] +@end smallexample + +@noindent where @i{expression} is a shell-style glob expression that can +contain the characters *, ?, and []. All policy names matching the +expression are displayed. The @code{list_policies} command has the alias +@code{listpols}. For example: + +@smallexample +@group +@b{kadmin:} listpols +@b{test-pol +dict-only +once-a-min +test-pol-nopw} + +@b{kadmin:} listpols t* +@b{test-pol +test-pol-nopw +kadmin:} +@end group +@end smallexample + +@node Adding or Modifying Policies, Deleting Policies, Retrieving the List of Policies, Policies +@subsection Adding or Modifying Policies + +To add a new policy, use the kadmin @code{add_policy} command, which +requires the ``add'' administrative privilege. The syntax is: + +@smallexample +@b{add_policy} [@i{options}] @i{policy_name} +@end smallexample + +To modify attributes of a principal, use the kadmin @code{modify_policy} +command, which requires the ``modify'' administrative privilege. The +syntax is: + +@smallexample +@b{modify_policy} [@i{options}] @i{policy_name} +@end smallexample + +@noindent @code{add_policy} has the alias @code{addpol}. +@code{modify_poilcy} has the alias @code{modpol}. + +The @code{add_policy} and @code{modify_policy} commands take the +following switches: + +@table @b +@item -maxlife @i{time} +Sets the maximum lifetime of a password to @i{time}. + +@item -minlife @i{time} +Sets the minimum lifetime of a password to @i{time}. + +@item -minlength @i{length} +Sets the minimum length of a password to @i{length} characters. + +@item -minclasses @i{number} +Requires at least @i{number} of character classes in a password. + +@item -history @i{number} +Sets the number of past keys kept for a principal to @i{number}. +@end table + +@c **** An example here would be nice. **** + +@node Deleting Policies, , Adding or Modifying Policies, Policies +@subsection Deleting Policies + +To delete a policy, use the @code{kadmin} @code{delete_policy} command, +which requires the ``delete'' administrative privilege. The syntax is: + +@smallexample +@b{delete_policy} @i{policy_name} +@end smallexample + +@noindent The @code{delete_policy} command has the alias @code{delpol}. +It prompts for confirmation before deletion. +For example: + +@smallexample +@group +@b{kadmin:} delete_policy guests +@b{Are you sure you want to delete the policy "guests"? +(yes/no):} yes +@b{Policy "guests" deleted. +kadmin:} +@end group +@end smallexample + +Note that you must cancel the policy from all principals before deleting +it. The @code{delete_policy} command will fail if it is in use by any +principals. + +@node Dumping a Kerberos Database to a File, Restoring a Kerberos Database from a Dump File, Policies, Administrating Kerberos Database Entries +@section Dumping a Kerberos Database to a File + +To dump a Kerberos database into a file, use the @code{kdb5_util} +@code{dump} command on one of the KDCs. The syntax is: + +@smallexample +@b{kdb5_util dump} [@b{-old}] [@b{-b6}] [@b{-ov}] [@b{-verbose}] [@i{filename} +[@i{principals...}]] +@end smallexample + +The @code{kdb5_util dump} command takes the following options: + +@table @b +@itemx -old +causes the dump to be in the Kerberos 5 Beta 5 and earlier dump format +(``kdb5_edit load_dump version 2.0''). +@itemx -b6 +causes the dump to be in the Kerberos 5 Beta 6 format (``kdb5_edit +load_dump version 3.0''). +@itemx -ov +causes the dump to be in ovsec_adm_export format. +@itemx -verbose +causes the name of each principal and policy to be printed as it is +dumped. +@end table + +For example: + +@smallexample +@group +@b{shell%} kdb5_util dump dumpfile +@b{shell%} +@end group +@end smallexample + +@smallexample +@group +@b{shell%} kbd5_util dump -verbose dumpfile +@b{kadmin/admin@@@value{PRIMARYREALM} +krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM} +kadmin/history@@@value{PRIMARYREALM} +K/M@@@value{PRIMARYREALM} +kadmin/changepw@@@value{PRIMARYREALM} +shell%} +@end group +@end smallexample + +@noindent +If you specify which principals to dump, you must use the full +principal, as in the following example. (The line beginning with +@result{} is a continuation of the previous line.): + +@smallexample +@group +@b{shell%} kdb5_util dump -verbose dumpfile K/M@@@value{PRIMARYREALM} +@result{} kadmin/admin@@@value{PRIMARYREALM} +@b{kadmin/admin@@@value{PRIMARYREALM} +K/M@@@value{PRIMARYREALM} +shell%} +@end group +@end smallexample + +@noindent +Otherwise, the principals will not match those in the database and will +not be dumped: + +@smallexample +@group +@b{shell%} kdb5_util dump -verbose dumpfile K/M kadmin/admin +@b{shell%} +@end group +@end smallexample + +@noindent +If you do not specify a dump file, @code{kdb5_util} will dump the +database to the standard output. + +@node Restoring a Kerberos Database from a Dump File, Creating a Stash File, Dumping a Kerberos Database to a File, Administrating Kerberos Database Entries +@section Restoring a Kerberos Database from a Dump File + +To restore a Kerberos database dump from a file, use the +@code{kdb5_util} @code{load} command on one of the KDCs. The syntax +is: + +@smallexample +@b{kdb5_util load} [@b{-old}] [@b{-b6}] [@b{-ov}] [@b{-verbose}] [@b{-update}] +@i{dumpfilename} @i{dbname} [@i{admin_dbname}] +@end smallexample + +The @code{kdb5_util load} command takes the following options: + +@table @b +@itemx -old +requires the dump to be in the Kerberos 5 Beta 5 and earlier dump format +(``kdb5_edit load_dump version 2.0''). +@itemx -b6 +requires the dump to be in the Kerberos 5 Beta 6 format (``kdb5_edit +load_dump version 3.0''). +@itemx -ov +requires the dump to be in ovsec_adm_export format. +@itemx -verbose +causes the name of each principal and policy to be printed as it is +dumped. +@itemx -update +causes records from the dump file to be updated in or added to the +existing database. +@end table + +For example: + +@smallexample +@group +@b{shell%} kdb5_util load dumpfile principal +@b{shell%} +@end group +@end smallexample + +@smallexample +@group +@b{shell%} kdb5_util load -update dumpfile principal +@b{shell%} +@end group +@end smallexample + +@noindent +If the database file exists, and the @b{-update} flag was not given, +@code{kdb5_util} will overwrite the existing database. + +@node Creating a Stash File, Creating and Destroying a Kerberos Database, Restoring a Kerberos Database from a Dump File, Administrating Kerberos Database Entries +@section Creating a Stash File + +A stash file allows a KDC to authenticate itself to the database +utilities, such as @code{kadmin}, @code{kadmind}, @code{krb5kdc}, and +@code{kdb5_util}. + +To create a stash file, use the @code{kdb5_util} @code{stash} command. +The syntax is: + +@smallexample +@b{kdb5_util stash} [@b{-f} @i{keyfile}] +@end smallexample + +For example: + +@smallexample +@group +@b{shell%} kdb5_util stash +@b{kdb5_util: Cannot find/read stored master key while reading master key +kdb5_util: Warning: proceeding without master key} +@iftex +@b{Enter KDC database master key:} @i{@doubleleftarrow{} Type the KDC database master password.} +@end iftex +@ifinfo +@b{Enter KDC database master key:} @i{<= Type the KDC database master password.} +@end ifinfo +@b{shell%} +@end group +@end smallexample + +@noindent +If you do not specify a stash file, @code{kdb5_util} will stash the key +in the file specified in your @code{kdc.conf} file. + +@node Creating and Destroying a Kerberos Database, The KDC Logs, Creating a Stash File, Administrating Kerberos Database Entries +@section Creating and Destroying a Kerberos Database + +If you need to create a new Kerberos database, use the @code{kdb5_util} +@code{create} command. The syntax is: + +@smallexample +@b{kdb5_util create} [@b{-s}] +@end smallexample + +If you specify the @samp{-s} option, @code{kdb5_util} will stash a copy +of the master key in a stash file. (@xref{Creating a Stash File}.) For +example: + +@smallexample +@group +@b{shell%} @value{ROOTDIR}/sbin/kdb5_util -r @value{PRIMARYREALM} create -s +@b{kdb5_util: No such file or directory while setting active database to '/krb5/principal' +Initializing database '@value{ROOTDIR}/lib/krb5kdc/principal' for +@result{} realm '@value{PRIMARYREALM}', +master key name 'K/M@@@value{PRIMARYREALM}' +You will be prompted for the database Master Password. +It is important that you NOT FORGET this password.} +@iftex +@b{Enter KDC database master key:} @i{@doubleleftarrow{} Type the master password.} +@b{Re-enter KDC database master key to verify:} @i{@doubleleftarrow{} Type it again.} +@end iftex +@ifinfo +@b{Enter KDC database master key:} @i{<= Type the master password.} +@b{Re-enter KDC database master key to verify:} @i{<= Type it again.} +@end ifinfo +@b{shell%} +@end group +@end smallexample + +@ignore +@node The KDC Logs, , Creating and Destroying a Kerberos Database, Administrating Kerberos Database Entries +@section The KDC Logs + +This will have to wait until the next release. *sigh* +@end ignore + +@node Application Servers, Updates, Administrating Kerberos Database Entries, Top +@chapter Application Servers + +If you need to install the @value{PRODUCT} programs on an application +server, please refer to the @value{PRODUCT} Installation Guide. Once +you have installed the software, you need to add that host to the +Kerberos database (@pxref{Adding or Modifying Principals}), and generate +a @dfn{keytab} for that host, that contains the host's key. You also +need to make sure the host's clock is within your maximum clock skew of +the KDCs. + +@menu +* Keytabs:: +* Clock Skew:: +* Getting DNS Information Correct:: +* Configuring Your Firewall to Work With @value{PRODUCT}:: +* Enabling Users to Connect from Off-Site:: +@end menu + +@node Keytabs, Clock Skew, Application Servers, Application Servers +@section Keytabs + +A @dfn{keytab} is a host's copy of its own keylist, which is analogous +to a user's password. An application server that needs to authenticate +itself to the KDC has to have a keytab that contains its own principal +and key. Just as it is important for users to protect their passwords, +it is equally important for hosts to protect their keytabs. You should +always store keytab files on local disk, and make them readable only by +root, and you should never send a keytab file over a network in the +clear. Ideally, you should run the @code{kadmin} command to extract a +keytab on the host on which the keytab is to reside. + +@menu +* Adding Principals to Keytabs:: +* Removing Principals from Keytabs:: +@end menu + +@node Adding Principals to Keytabs, Removing Principals from Keytabs, Keytabs, Keytabs +@subsection Adding Principals to Keytabs + +To generate a keytab, or to add a principal to an existing keytab, use +the @code{ktadd} command from @code{kadmin}, which requires the +``inquire'' administrative privilege. (If you use the @b{-glob} +@i{princ_exp} option, it also requires the ``list'' administrative +privilege.) The syntax is: + +@smallexample +@b{ktadd} [@b{-k} @i{keytab}] [@b{-q}] [@i{principal} | @b{-glob} @i{princ_exp}] [@i{@dots{}}] +@end smallexample + +The @code{ktadd} command takes the following switches: + +@table @b +@item -k @i{keytab} +use @i{keytab} as the keytab file. Otherwise, @code{ktadd} will use the +default keytab file (@code{/etc/v5srvtab}). + +@item -q +run in quiet mode. This causes @code{ktadd} to display less verbose +information. + +@item @i{principal} | -glob @i{principal expression} +add @i{principal}, or all principals matching @i{principal expression} +to the keytab. The rules for @i{principal expression} are the same as +for the kadmin @code{list_principals} (@pxref{Retrieving a List of +Principals}) command. +@end table + +For example: + +@smallexample +@group +@b{kadmin:} ktadd host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} +@b{kadmin: Entry for principal host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} with + kvno 2, encryption type DES-CBC-CRC added to keytab + WRFILE:/etc/v5srvtab. +kadmin:} +@end group +@end smallexample + +@smallexample +@group +@b{kadmin:} ktadd -k /krb5/kadmind.keytab kadmin/admin kadmin/changepw +@b{kadmin: Entry for principal kadmin/admin@@@value{PRIMARYREALM} with + kvno 3, encryption type DES-CBC-CRC added to keytab + WRFILE:/krb5/kadmind.keytab. +kadmin:} +@end group +@end smallexample + +@node Removing Principals from Keytabs, , Adding Principals to Keytabs, Keytabs +@subsection Removing Principals from Keytabs + +To remove a principal to an existing keytab, use the kadmin +@code{ktremove} command. The syntax is: + +@smallexample +@b{ktremove} [@b{-k} @i{keytab}] [@b{-q}] @i{principal} [@i{kvno} | @b{all} | @b{old}] +@end smallexample + +The @code{ktremove} command takes the following switches: + +@table @b +@item -k @i{keytab} +use @i{keytab} as the keytab file. Otherwise, @code{ktremove} will use +the default keytab file (@code{/etc/v5srvtab}). + +@item -q +run in quiet mode. This causes @code{ktremove} to display less verbose +information. + +@item @i{principal} +the principal to remove from the keytab. (Required.) + +@item @i{kvno} +remove all entries for the specified principal whose Key Version Numbers +match @i{kvno}. + +@item all +remove all entries for the specified principal + +@item old +remove all entries for the specified principal except those with the +highest kvno. +@end table + +For example: + +@smallexample +@group +@b{kadmin:} ktremove -k /krb5/kadmind.keytab kadmin/admin +@b{kadmin: Entry for principal kadmin/admin with kvno 3 removed + from keytab WRFILE:/krb5/kadmind.keytab. +kadmin:} +@end group +@end smallexample + +@node Clock Skew, Getting DNS Information Correct, Keytabs, Application Servers +@section Clock Skew + +In order to prevent intruders from resetting their system clocks in +order to continue to use expired tickets, @value{PRODUCT} is set up to +reject ticket requests from any host whose clock is not within the +specified maximum clock skew of the KDC (as specified in the +@code{kdc.conf} file). Similarly, hosts are configured to reject +responses from any KDC whose clock is not within the specified maximum +clock skew of the host (as specified in the @code{krb5.conf} file). The +default value for maximum clock skew is 300 seconds (five minutes). + +@value{COMPANY} suggests that you add a line to client machines' +@code{/etc/rc} files to synchronize the machine's clock to your KDC at +boot time. On UNIX hosts, assuming you had a kdc called +@code{@value{KDCSERVER}} in your realm, this would be: + +@smallexample +gettime -s @value{KDCSERVER} +@end smallexample + +If the host is not likely to be rebooted frequently, you may also want +to set up a cron job that adjusts the time on a regular basis. + +@node Getting DNS Information Correct, Configuring Your Firewall to Work With @value{PRODUCT}, Clock Skew, Application Servers +@section Getting DNS Information Correct + +Several aspects of Kerberos rely on name service. In order for Kerberos +to provide its high level of security, it is less forgiving of name +service problems than some other parts of your network. It is important +that your Distributed Name Service (DNS) entries and your hosts have the +correct information. + +Each host's canonical name must be the fully-qualified host name +(including the domain), and each host's IP address must reverse-resolve +to the canonical name. + +Other than the @code{localhost} entry, make all entries in each +machine's @code{/etc/hosts} file in the following form: + +@smallexample +IP address fully-qualified hostname aliases +@end smallexample + +Here is a sample @code{/etc/hosts} file: + +@smallexample +@group +# this is a comment +127.0.0.1 localhost localhost@@@value{PRIMARYDOMAIN} +@value{RANDOMHOST1IP} @value{RANDOMHOST1}.@value{PRIMARYDOMAIN} trillium wake-robin +@end group +@end smallexample + +Additionally, on Solaris machines, you need to be sure the ``hosts'' +entry in the file @code{/etc/nsswitch.conf} includes the source ``dns'' +as well as ``file''. + +Finally, each host's keytab file must include a host/key pair for the +host's canonical name. You can list the keys in a keytab file by +issuing the command @code{klist -k}. For example: + +@smallexample +@group +viola# klist -k +Keytab name: /etc/v5srvtab +KVNO Principal +---- ------------------------------------------------------------ + 1 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} +@end group +@end smallexample + +If you telnet to the host with a fresh credentials cache (ticket file), +and then @code{klist}, the host's service principal should be +@i{host/fully-qualified-hostname@@REALM_NAME}. + +@node Configuring Your Firewall to Work With @value{PRODUCT}, Enabling Users to Connect from Off-Site, Getting DNS Information Correct, Application Servers +@section Configuring Your Firewall to Work With @value{PRODUCT} + +If you need off-site users to be able to get Kerberos tickets in your +realm, they must be able to get to your KDC. This requires either that +you have a slave KDC outside your firewall, or you configure your +firewall to allow UDP requests into to at least one of your KDCs, on +whichever port the KDC is running. (The default is port 88; other ports +may be specified in the KDC's kdc.conf file.) Similarly, if you need +off-site users to be able to change their passwords in your realm, they +must be able to get to your Kerberos admin server. The default port for +the admin server is 749. + +If your on-site users inside your firewall will need to get to KDCs in +other realms, you will also need to configure your firewall to allow +outgoing TCP and UDP requests to port 88. Additionally, if they will +need to get to any Kerberos V4 KDCs, you may also need to allow TCP and +UDP requests to port 750. If your on-site users inside your firewall +will need to get to Kerberos admin servers in other realms, you will +also need to allow outgoing TCP and UDP requests to port 749. + +If any of your KDCs is outside your firewall, you will need to allow +@code{kprop} requests to get through to the remote KDC. @code{Kprop} +uses the krb5_prop service on port 754 (tcp). + +If you need your off-site users to have access to machines inside your +firewall, you need to allow TCP connections from their off-site hosts on +the appropriate ports for the programs they will be using. The +following lines from @code{/etc/services} show the default port numbers +for the @value{PRODUCT} programs: + +@smallexample +@group +ftp 21/tcp # Kerberos ftp and telnet use the +telnet 23/tcp # default ports +kerberos 88/udp kdc # Kerberos V5 KDC +kerberos 88/tcp kdc # Kerberos V5 KDC +klogin 543/tcp # Kerberos authenticated rlogin +kshell 544/tcp cmd # and remote shell +kerberos-adm 749/tcp # Kerberos 5 admin/changepw +kerberos-adm 749/udp # Kerberos 5 admin/changepw +krb5_prop 754/tcp # Kerberos slave propagation +@c kpop 1109/tcp # Pop with Kerberos +eklogin 2105/tcp # Kerberos auth. & encrypted rlogin +krb524 4444/tcp # Kerberos 5 to 4 ticket translator +@end group +@end smallexample + +By default, @value{PRODUCT} @code{telnet} and @code{ftp} use the same +ports as the standard @code{telnet} and @code{ftp} programs, so if you +already allow telnet and ftp connections through your firewall, the +@value{PRODUCT} versions will get through as well. If you do not +already allow telnet and ftp connections through your firewall, but need +your users to be able to use @value{PRODUCT} telnet and ftp, you can +either allow ftp and telnet connections on the standard ports, or switch +these programs to non-default port numbers and allow ftp and telnet +connections on those ports to get through. + +@value{PRODUCT} @code{rlogin} uses the @code{klogin} service, which by +default uses port 543. Encrypted @value{PRODUCT} rlogin uses uses the +@code{eklogin} service, which by default uses port 2105. + +@value{PRODUCT} @code{rsh} uses the @code{kshell} service, which by +default uses port 544. However, the server must be able to make a TCP +connection from the kshell port to an arbitrary port on the client, so +if your users are to be able to use @code{rsh} from outside your +firewall, the server they connect to must be able to send outgoing +packets to arbitrary port numbers. Similarly, if your users need to run +@code{rsh} from inside your firewall to hosts outside your firewall, the +outside server needs to be able to connect to an arbitrary port on the +machine inside your firewall. Because @value{PRODUCT} @code{rcp} and +@code{krdist} use @code{rsh}, the same issues apply to these programs. +If you need to use @code{rsh} (or @code{rcp} or @code{krdist}) through +your firewall and are concerned with the security implications of +allowing connections to arbitrary ports, @value{COMPANY} suggests that +you have rules that specifically name these applications and, if +possible, list the allowed hosts. + +A reasonably good cookbook for configuring firewalls is available by FTP +from @code{ftp.livingston.com}, in the location: +@code{/pub/firewall/firewall-1.1.ps.Z}. The book @cite{UNIX System +Security}, by David Curry, is also a good starting point. + +@ignore +@node Enabling Users to Connect from Off-Site, , Configuring Your Firewall to Work With @value{PRODUCT}, Application Servers +@section Enabling Users to Connect from Off-Site + +This will have to wait until the next release. *sigh* +@end ignore + +@node Updates, Backups of Secure Hosts, Application Servers, Top +@chapter Updates + +Because the directory into which @value{PRODUCT} installs itself +contains the release name, it is easy to install a new release of +@value{PRODUCT}, and to de-install an old one. If you have a problem +with a new release, it is equally easy to revert to the earlier release. +These procedures will also work if you are updating from any other +version of Kerberos V5. + +@menu +* Updating KDCs:: +* Updating Application Servers:: +@end menu + +@node Updating KDCs, Updating Application Servers, Updates, Updates +@section Updating KDCs + +To update a KDC from an earlier version of @value{PRODUCT} or of +Kerberos V5, you need to do the following: + +@enumerate +@item +Install the new software. +@item +Copy your @code{kdc.conf} file and stash file from the old installation +to the new one. For example, if you were upgrading from @value{PRODUCT} +version @value{PREVRELEASE} to version @value{RELEASE}, you would have +to copy these files from the directory @value{PREVINSTALLDIR} to the +directory @value{INSTALLDIR}. Be sure the new copy of the stash file +has the correct name. (The default is @code{.k5stash}, unless you have +specified something different in your @code{kdc.conf} file.) +@item +Create a dump of the old database, using whichever old command you used +with that release (@i{e.g.,} the @code{kdb5_dump} command). +@item +Load the dumpfile into the new database in the new location, using the +@code{kdb5_util} @code{load} command. Be sure to give @code{load} +the argument for the correct dump format. +@item +Change any symbolic links you have (@i{e.g.}, +@code{/usr/@value{LCPRODUCT}}) so that they point to the new +installation. +@end enumerate +@c Reference to upgrading from Kerberos V4 document, once it's written. + +@node Updating Application Servers, , Updating KDCs, Updates +@section Updating Clients and Application Servers + +To update a client or application server, you need only to install the +new release and change any symbolic links to point to the new programs. +Other than any functionality changes in the programs, the upgrade should +be completely user-transparent. +@c Reference to upgrading from Kerberos V4 document, once it's written. + +@node Backups of Secure Hosts, Support, Updates, Top +@chapter Backups of Secure Hosts + +When you back up a secure host, you should exclude the host's keytab +file from the backup. If someone obtained a copy of the keytab from a +backup, that person could make any host masquerade as the host whose +keytab was compromised. This could be particularly dangerous if the +compromised keytab was from one of your KDCs. If the machine has a disk +crash and the keytab file is lost, it is easy to generate another keytab +file. (@xref{Adding Principals to Keytabs}.) If you are unable to +exclude particular files from backups, you should ensure that the +backups are kept as secure as the host's root password. + +@menu +* Backing Up the Kerberos Database:: +@end menu + +@node Backing Up the Kerberos Database, , Backups of Secure Hosts, Backups of Secure Hosts +@section Backing Up the Kerberos Database + +It is possible that the Kerberos database could be corrupted. If this +happens on one of the slave KDCs, you might never notice, since the next +automatic propagation of the database would install a fresh copy. +However, if it happens to the master KDC, the corrupted database would +be propagated to all of the slaves during the next propagation. For +this reason, @value{COMPANY} recommends that you back up your Kerberos +database regularly. Because the master KDC is continuously dumping the +database to a file in order to propagate it to the slave KDCs, it is a +simple matter to have a cron job periodically copy the dump file to a +secure machine elsewhere on your network. (Of course, it is important +to make the host where these backups are stored as secure as your KDCs, +and to encrypt its transmission across your network.) Then if your +database becomes corrupted, you can load the most recent dump onto the +master KDC. (@xref{Restoring a Kerberos Database from a Dump File}.) + +@node Support, Appendix, Backups of Secure Hosts, Top +@chapter Support + +@menu +* Supported Functionalities:: +* Using sendpr:: +@end menu + +@node Supported Functionalities, Using sendpr, Support, Support +@section Supported Functionalities + +@node Using sendpr, , Supported Functionalities, Support +@section Using sendpr + +@include send-pr.texinfo + +@node Appendix, , Support, Top +@appendix Appendix + +@menu +* Files:: +* krb5.conf:: +* kdc.conf:: +* Errors:: +* kadmin Time Zones:: +@end menu + +@node Files, krb5.conf, Appendix, Appendix +@appendixsec Files + +@node krb5.conf, kdc.conf, Files, Appendix +@appendixsec krb5.conf + +Normally, you should install your @code{krb5.conf} file in the directory +@code{/etc}. However, note that you can override this default through +the environment variable @samp{KRB5_CONFIG}. + +Here is an example of a generic @code{krb5.conf} file: + +@smallexample +@group +[libdefaults] + ticket_lifetime = 600 + default_realm = @value{PRIMARYREALM} + default_tkt_enctypes = des-cbc-crc + default_tgs_enctypes = des-cbc-crc + +[realms] + @value{PRIMARYREALM} = @{ + kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:88 + kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}:88 + kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}:88 + admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:749 + default_domain = @value{PRIMARYDOMAIN} + @} + @} + +[domain_realm] + .@value{PRIMARYDOMAIN} = @value{PRIMARYREALM} + @value{PRIMARYDOMAIN} = @value{PRIMARYREALM} + +[logging] + kdc = FILE:/dev/ttyp9 + admin_server = FILE:/dev/ttyp9 + default = FILE:/dev/ttyp9 +@end group +@end smallexample + +@iftex +@vfill +@end iftex +@page + +Here is an example of a more extensive @code{krb5.conf} file, which +includes a second Kerberos realm and authentication to Kerberos V4 as +well as V5 KDCs in the realm @code{@value{PRIMARYREALM}}: + +@smallexample +@group +[libdefaults] + ticket_lifetime = 600 + default_realm = @value{PRIMARYREALM} + default_tkt_enctypes = des-cbc-crc + default_tgs_enctypes = des-cbc-crc + krb4_srvtab = /etc/srvtab + krb4_config = /usr/krb4/lib/krb.conf + krb4_realms = /usr/krb4/lib/krb.realms + +[realms] + @value{PRIMARYREALM} = @{ + kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:88 + kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}:88 + kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}:88 + admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:749 + default_domain = @value{PRIMARYDOMAIN} + v4_instance_convert = @{ + bleep = @value{PRIMARYDOMAIN} + @} + @} + @value{SECONDREALM} = @{ + kdc = @value{KDCSERVER}.@value{SECONDDOMAIN} + kdc = @value{KDCSLAVE1}.@value{SECONDDOMAIN} + admin_server = @value{KDCSERVER}.@value{SECONDDOMAIN} + @} + +[domain_realm] + .@value{PRIMARYDOMAIN} = @value{PRIMARYREALM} + @value{PRIMARYDOMAIN} = @value{PRIMARYREALM} + .@value{SECONDDOMAIN} = @value{SECONDREALM} + @value{SECONDDOMAIN} = @value{SECONDREALM} +@end group +@end smallexample + +For the KDCs, add a section onto the end of the @code{krb5.conf} file +telling where the @code{kdc.conf} file is located, as in the following +example: + +@smallexample +@group +[kdc] + profile = @value{ROOTDIR}/lib/krb5kdc/kdc.conf + +[logging] + admin_server = FILE:@value{ROOTDIR}/lib/krb5kdc/kadmind.log + kdc = FILE:@value{ROOTDIR}/lib/krb5kdc/kdc.log + default = CONSOLE +@end group +@end smallexample + +@iftex +@vfill +@end iftex +@page + +@node kdc.conf, Errors, krb5.conf, Appendix +@appendixsec kdc.conf + +Normally, you should install your @code{kdc.conf} file in the directory +@code{@value{ROOTDIR}/lib/krb5kdc}. However, note that you can override +this default by a pointer in the KDC's @code{krb5.conf} file, or through +the environment variable @samp{KRB5_KDC_PROFILE}. + +Here's an example of a @code{kdc.conf} file: + +@smallexample +@group +[kdcdefaults] + kdc_ports = 88,750 + +[realms] + @value{PRIMARYREALM} = @{ + profile = /etc/krb5.conf + database_name = @value{ROOTDIR}/lib/krb5kdc/principal + admin_database_name = @value{ROOTDIR}/lib/krb5kdc/principal.kadm5 + admin_database_lockfile = @value{ROOTDIR}/lib/krb5kdc/principal.kadm5.lock + admin_keytab = @value{ROOTDIR}/lib/krb5kdc/kadm5.keytab + acl_file = @value{ROOTDIR}/lib/krb5kdc/kadm5.acl + dict_file = @value{ROOTDIR}/lib/krb5kdc/kadm5.dict + key_stash_file = @value{ROOTDIR}/lib/krb5kdc/.k5.@value{PRIMARYREALM} + kadmind_port = 749 + max_life = 10h 0m 0s + max_renewable_life = 7d 0h 0m 0s + master_key_type = des-cbc-crc + supported_enctypes = des-cbc-crc:normal + @} +@end group +@end smallexample + +To add Kerberos V4 support, change the @code{supported_enctypes} line to: + +@smallexample + supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 +@end smallexample + +@node Errors, kadmin Time Zones, kdc.conf, Appendix +@appendixsec Kerberos Error Messages + +@menu +* Kerberos V5 Library Error Codes:: +* Kerberos V5 Database Library Error Codes:: +* Kerberos V5 Magic Numbers Error Codes:: +* ASN.1 Error Codes:: +* GSSAPI Error Codes:: +@end menu + +@node Kerberos V5 Library Error Codes, Kerberos V5 Database Library Error Codes, Errors, Errors +@appendixsubsec Kerberos V5 Library Error Codes + +This is the Kerberos v5 library error code table. Protocol error codes +are ERROR_TABLE_BASE_krb5 + the protocol error code number; other error +codes start at ERROR_TABLE_BASE_krb5 + 128. + +@c error table numbering starts at 0 +@enumerate 0 +@item +KRB5KDC_ERR_NONE: No error +@item +KRB5KDC_ERR_NAME_EXP: Client's entry in database has expired +@item +KRB5KDC_ERR_SERVICE_EXP: Server's entry in database has expired +@item +KRB5KDC_ERR_BAD_PVNO: Requested protocol version not supported +@item +KRB5KDC_ERR_C_OLD_MAST_KVNO: Client's key is encrypted in an old master +key +@item +KRB5KDC_ERR_S_OLD_MAST_KVNO: Server's key is encrypted in an old master +key +@item +KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: Client not found in Kerberos database +@item +KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: Server not found in Kerberos database +@item +KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE: Principal has multiple entries in +Kerberos database +@item +KRB5KDC_ERR_NULL_KEY: Client or server has a null key +@item +KRB5KDC_ERR_CANNOT_POSTDATE: Ticket is ineligible for postdating +@item +KRB5KDC_ERR_NEVER_VALID: Requested effective lifetime is negative or +too short +@item +KRB5KDC_ERR_POLICY: KDC policy rejects request +@item +KRB5KDC_ERR_BADOPTION: KDC can't fulfill requested option +@item +KRB5KDC_ERR_ETYPE_NOSUPP: KDC has no support for encryption type +@item +KRB5KDC_ERR_SUMTYPE_NOSUPP: KDC has no support for checksum type +@item +KRB5KDC_ERR_PADATA_TYPE_NOSUPP: KDC has no support for padata type +@item +KRB5KDC_ERR_TRTYPE_NOSUPP: KDC has no support for transited type +@item +KRB5KDC_ERR_CLIENT_REVOKED: Clients credentials have been revoked +@item +KRB5KDC_ERR_SERVICE_REVOKED: Credentials for server have been revoked +@item +KRB5KDC_ERR_TGT_REVOKED: TGT has been revoked +@item +KRB5KDC_ERR_CLIENT_NOTYET: Client not yet valid - try again later +@item +KRB5KDC_ERR_SERVICE_NOTYET: Server not yet valid - try again later +@item +KRB5KDC_ERR_KEY_EXP: Password has expired +@item +KRB5KDC_ERR_PREAUTH_FAILED: Preauthentication failed +@item +@iftex +KRB5KDC_ERR_PREAUTH_REQUIRED: Additional pre-auth@-en@-ti@-ca@-tion required +@end iftex +@ifinfo +KRB5KDC_ERR_PREAUTH_REQUIRED: Additional preauthentication required +@end ifinfo +@item +KRB5KDC_ERR_SERVER_NOMATCH: Requested server and ticket don't match +@item +KRB5PLACEHOLD_27: KRB5 error code 27 +@item +KRB5PLACEHOLD_28: KRB5 error code 28 +@item +KRB5PLACEHOLD_29: KRB5 error code 29 +@item +KRB5PLACEHOLD_30: KRB5 error code 30 +@item +KRB5KRB_AP_ERR_BAD_INTEGRITY: Decrypt integrity check failed +@item +KRB5KRB_AP_ERR_TKT_EXPIRED: Ticket expired +@item +KRB5KRB_AP_ERR_TKT_NYV: Ticket not yet valid +@item +KRB5KRB_AP_ERR_REPEAT: Request is a replay +@item +KRB5KRB_AP_ERR_NOT_US: The ticket isn't for us +@item +KRB5KRB_AP_ERR_BADMATCH: Ticket/authenticator don't match +@item +KRB5KRB_AP_ERR_SKEW: Clock skew too great +@item +KRB5KRB_AP_ERR_BADADDR: Incorrect net address +@item +KRB5KRB_AP_ERR_BADVERSION: Protocol version mismatch +@item +KRB5KRB_AP_ERR_MSG_TYPE: Invalid message type +@item +KRB5KRB_AP_ERR_MODIFIED: Message stream modified +@item +KRB5KRB_AP_ERR_BADORDER: Message out of order +@item +KRB5KRB_AP_ERR_ILL_CR_TKT: Illegal cross-realm ticket +@item +KRB5KRB_AP_ERR_BADKEYVER: Key version is not available +@item +KRB5KRB_AP_ERR_NOKEY: Service key not available +@item +KRB5KRB_AP_ERR_MUT_FAIL: Mutual authentication failed +@item +KRB5KRB_AP_ERR_BADDIRECTION: Incorrect message direction +@item +KRB5KRB_AP_ERR_METHOD: Alternative authentication method required +@item +KRB5KRB_AP_ERR_BADSEQ: Incorrect sequence number in message +@item +KRB5KRB_AP_ERR_INAPP_CKSUM: Inappropriate type of checksum in message +@item +KRB5PLACEHOLD_51: KRB5 error code 51 +@item +KRB5PLACEHOLD_52: KRB5 error code 52 +@item +KRB5PLACEHOLD_53: KRB5 error code 53 +@item +KRB5PLACEHOLD_54: KRB5 error code 54 +@item +KRB5PLACEHOLD_55: KRB5 error code 55 +@item +KRB5PLACEHOLD_56: KRB5 error code 56 +@item +KRB5PLACEHOLD_57: KRB5 error code 57 +@item +KRB5PLACEHOLD_58: KRB5 error code 58 +@item +KRB5PLACEHOLD_59: KRB5 error code 59 +@item +KRB5KRB_ERR_GENERIC: Generic error (see e-text) +@item +KRB5KRB_ERR_FIELD_TOOLONG: Field is too long for this implementation +@item +KRB5PLACEHOLD_62: KRB5 error code 62 +@item +KRB5PLACEHOLD_63: KRB5 error code 63 +@item +KRB5PLACEHOLD_64: KRB5 error code 64 +@item +KRB5PLACEHOLD_65: KRB5 error code 65 +@item +KRB5PLACEHOLD_66: KRB5 error code 66 +@item +KRB5PLACEHOLD_67: KRB5 error code 67 +@item +KRB5PLACEHOLD_68: KRB5 error code 68 +@item +KRB5PLACEHOLD_69: KRB5 error code 69 +@item +KRB5PLACEHOLD_70: KRB5 error code 70 +@item +KRB5PLACEHOLD_71: KRB5 error code 71 +@item +KRB5PLACEHOLD_72: KRB5 error code 72 +@item +KRB5PLACEHOLD_73: KRB5 error code 73 +@item +KRB5PLACEHOLD_74: KRB5 error code 74 +@item +KRB5PLACEHOLD_75: KRB5 error code 75 +@item +KRB5PLACEHOLD_76: KRB5 error code 76 +@item +KRB5PLACEHOLD_77: KRB5 error code 77 +@item +KRB5PLACEHOLD_78: KRB5 error code 78 +@item +KRB5PLACEHOLD_79: KRB5 error code 79 +@item +KRB5PLACEHOLD_80: KRB5 error code 80 +@item +KRB5PLACEHOLD_81: KRB5 error code 81 +@item +KRB5PLACEHOLD_82: KRB5 error code 82 +@item +KRB5PLACEHOLD_83: KRB5 error code 83 +@item +KRB5PLACEHOLD_84: KRB5 error code 84 +@item +KRB5PLACEHOLD_85: KRB5 error code 85 +@item +KRB5PLACEHOLD_86: KRB5 error code 86 +@item +KRB5PLACEHOLD_87: KRB5 error code 87 +@item +KRB5PLACEHOLD_88: KRB5 error code 88 +@item +KRB5PLACEHOLD_89: KRB5 error code 89 +@item +KRB5PLACEHOLD_90: KRB5 error code 90 +@item +KRB5PLACEHOLD_91: KRB5 error code 91 +@item +KRB5PLACEHOLD_92: KRB5 error code 92 +@item +KRB5PLACEHOLD_93: KRB5 error code 93 +@item +KRB5PLACEHOLD_94: KRB5 error code 94 +@item +KRB5PLACEHOLD_95: KRB5 error code 95 +@item +KRB5PLACEHOLD_96: KRB5 error code 96 +@item +KRB5PLACEHOLD_97: KRB5 error code 97 +@item +KRB5PLACEHOLD_98: KRB5 error code 98 +@item +KRB5PLACEHOLD_99: KRB5 error code 99 +@item +KRB5PLACEHOLD_100: KRB5 error code 100 +@item +KRB5PLACEHOLD_101: KRB5 error code 101 +@item +KRB5PLACEHOLD_102: KRB5 error code 102 +@item +KRB5PLACEHOLD_103: KRB5 error code 103 +@item +KRB5PLACEHOLD_104: KRB5 error code 104 +@item +KRB5PLACEHOLD_105: KRB5 error code 105 +@item +KRB5PLACEHOLD_106: KRB5 error code 106 +@item +KRB5PLACEHOLD_107: KRB5 error code 107 +@item +KRB5PLACEHOLD_108: KRB5 error code 108 +@item +KRB5PLACEHOLD_109: KRB5 error code 109 +@item +KRB5PLACEHOLD_110: KRB5 error code 110 +@item +KRB5PLACEHOLD_111: KRB5 error code 111 +@item ++ +KRB5PLACEHOLD_112: KRB5 error code 112 +@item +KRB5PLACEHOLD_113: KRB5 error code 113 +@item +KRB5PLACEHOLD_114: KRB5 error code 114 +@item +KRB5PLACEHOLD_115: KRB5 error code 115 +@item +KRB5PLACEHOLD_116: KRB5 error code 116 +@item +KRB5PLACEHOLD_117: KRB5 error code 117 +@item +KRB5PLACEHOLD_118: KRB5 error code 118 +@item +KRB5PLACEHOLD_119: KRB5 error code 119 +@item +KRB5PLACEHOLD_120: KRB5 error code 120 +@item +KRB5PLACEHOLD_121: KRB5 error code 121 +@item +KRB5PLACEHOLD_122: KRB5 error code 122 +@item +KRB5PLACEHOLD_123: KRB5 error code 123 +@item +KRB5PLACEHOLD_124: KRB5 error code 124 +@item +KRB5PLACEHOLD_125: KRB5 error code 125 +@item +KRB5PLACEHOLD_126: KRB5 error code 126 +@item +KRB5PLACEHOLD_127: KRB5 error code 127 +@item +KRB5_ERR_RCSID: $Id$ +@item +KRB5_LIBOS_BADLOCKFLAG: Invalid flag for file lock mode +@item +KRB5_LIBOS_CANTREADPWD: Cannot read password +@item +KRB5_LIBOS_BADPWDMATCH: Password mismatch +@item +KRB5_LIBOS_PWDINTR: Password read interrupted +@item +KRB5_PARSE_ILLCHAR: Illegal character in component name +@item +KRB5_PARSE_MALFORMED: Malformed representation of principal +@item +KRB5_CONFIG_CANTOPEN: Can't open/find configuration file +@item +KRB5_CONFIG_BADFORMAT: Improper format of configuration file +@item +KRB5_CONFIG_NOTENUFSPACE: Insufficient space to return complete +information +@item +KRB5_BADMSGTYPE: Invalid message type specified for encoding +@item +KRB5_CC_BADNAME: Credential cache name malformed +@item +KRB5_CC_UNKNOWN_TYPE: Unknown credential cache type +@item +KRB5_CC_NOTFOUND: Matching credential not found +@item +KRB5_CC_END: End of credential cache reached +@item +KRB5_NO_TKT_SUPPLIED: Request did not supply a ticket +@item +KRB5KRB_AP_WRONG_PRINC: Wrong principal in request +@item +KRB5KRB_AP_ERR_TKT_INVALID: Ticket has invalid flag set +@item +KRB5_PRINC_NOMATCH: Requested principal and ticket don't match +@item +KRB5_KDCREP_MODIFIED: KDC reply did not match expectations +@item +KRB5_KDCREP_SKEW: Clock skew too great in KDC reply +@item +KRB5_IN_TKT_REALM_MISMATCH: Client/server realm mismatch in initial +ticket request +@item +KRB5_PROG_ETYPE_NOSUPP: Program lacks support for encryption type +@item +KRB5_PROG_KEYTYPE_NOSUPP: Program lacks support for key type +@item +KRB5_WRONG_ETYPE: Requested encryption type not used in message +@item +KRB5_PROG_SUMTYPE_NOSUPP: Program lacks support for checksum type +@item +KRB5_REALM_UNKNOWN: Cannot find KDC for requested realm +@item +KRB5_SERVICE_UNKNOWN: Kerberos service unknown +@item +KRB5_KDC_UNREACH: Cannot contact any KDC for requested realm +@item +KRB5_NO_LOCALNAME: No local name found for principal name +@item +KRB5_MUTUAL_FAILED: Mutual authentication failed +@item +KRB5_RC_TYPE_EXISTS: Replay cache type is already registered +@item +KRB5_RC_MALLOC: No more memory to allocate (in replay cache code) +@item +KRB5_RC_TYPE_NOTFOUND: Replay cache type is unknown +@item +KRB5_RC_UNKNOWN: Generic unknown RC error +@item +KRB5_RC_REPLAY: Message is a replay +@item +KRB5_RC_IO: Replay I/O operation failed XXX +@item +KRB5_RC_NOIO: Replay cache type does not support non-volatile storage +@item +KRB5_RC_PARSE: Replay cache name parse/format error +@item +KRB5_RC_IO_EOF: End-of-file on replay cache I/O +@item +KRB5_RC_IO_MALLOC: No more memory to allocate (in replay cache I/O +code) +@item +KRB5_RC_IO_PERM: Permission denied in replay cache code +@item +KRB5_RC_IO_IO: I/O error in replay cache i/o code +@item +KRB5_RC_IO_UNKNOWN: Generic unknown RC/IO error +@item +KRB5_RC_IO_SPACE: Insufficient system space to store replay information +@item +KRB5_TRANS_CANTOPEN: Can't open/find realm translation file +@item +KRB5_TRANS_BADFORMAT: Improper format of realm translation file +@item +KRB5_LNAME_CANTOPEN: Can't open/find lname translation database +@item +KRB5_LNAME_NOTRANS: No translation available for requested principal +@item +KRB5_LNAME_BADFORMAT: Improper format of translation database entry +@item +KRB5_CRYPTO_INTERNAL: Cryptosystem internal error +@item +KRB5_KT_BADNAME: Key table name malformed +@item +KRB5_KT_UNKNOWN_TYPE: Unknown Key table type +@item +KRB5_KT_NOTFOUND: Key table entry not found +@item +KRB5_KT_END: End of key table reached +@item +KRB5_KT_NOWRITE: Cannot write to specified key table +@item +KRB5_KT_IOERR: Error writing to key table +@item +KRB5_NO_TKT_IN_RLM: Cannot find ticket for requested realm +@item +KRB5DES_BAD_KEYPAR: DES key has bad parity +@item +KRB5DES_WEAK_KEY: DES key is a weak key +@item +KRB5_BAD_ENCTYPE: Bad encryption type +@item +KRB5_BAD_KEYSIZE: Key size is incompatible with encryption type +@item +KRB5_BAD_MSIZE: Message size is incompatible with encryption type +@item +KRB5_CC_TYPE_EXISTS: Credentials cache type is already registered. +@item +KRB5_KT_TYPE_EXISTS: Key table type is already registered. +@item +KRB5_CC_IO: Credentials cache I/O operation failed XXX +@item +KRB5_FCC_PERM: Credentials cache file permissions incorrect +@item +KRB5_FCC_NOFILE: No credentials cache file found +@item +KRB5_FCC_INTERNAL: Internal file credentials cache error +@item +KRB5_CC_WRITE: Error writing to credentials cache file +@item +KRB5_CC_NOMEM: No more memory to allocate (in credentials cache code) +@item +KRB5_CC_FORMAT: Bad format in credentials cache +@item +KRB5_INVALID_FLAGS: Invalid KDC option combination (library internal +error) [for dual tgt library calls] +@item +KRB5_NO_2ND_TKT: Request missing second ticket [for dual tgt library +calls] +@item +KRB5_NOCREDS_SUPPLIED: No credentials supplied to library routine +@item +KRB5_SENDAUTH_BADAUTHVERS: Bad sendauth version was sent +@item +KRB5_SENDAUTH_BADAPPLVERS: Bad application version was sent (via +sendauth) +@item +KRB5_SENDAUTH_BADRESPONSE: Bad response (during sendauth exchange) +@item +KRB5_SENDAUTH_REJECTED: Server rejected authentication (during sendauth +exchange) +@item +KRB5_PREAUTH_BAD_TYPE: Unsupported preauthentication type +@item +KRB5_PREAUTH_NO_KEY: Required preauthentication key not supplied +@item +KRB5_PREAUTH_FAILED: Generic preauthentication failure +@item +KRB5_RCACHE_BADVNO: Unsupported replay cache format version number +@item +KRB5_CCACHE_BADVNO: Unsupported credentials cache format version number +@item +KRB5_KEYTAB_BADVNO: Unsupported key table format version number +@item +KRB5_PROG_ATYPE_NOSUPP: Program lacks support for address type +@item +KRB5_RC_REQUIRED: Message replay detection requires rcache parameter +@item +KRB5_ERR_BAD_HOSTNAME: Hostname cannot be canonicalized +@item +KRB5_ERR_HOST_REALM_UNKNOWN: Cannot determine realm for host +@item +KRB5_SNAME_UNSUPP_NAMETYPE: Conversion to service principal undefined +for name type +@item +KRB5KRB_AP_ERR_V4_REPLY: Initial Ticket response appears to be Version +4 error +@item +KRB5_REALM_CANT_RESOLVE: Cannot resolve KDC for requested realm +@item +KRB5_TKT_NOT_FORWARDABLE: Requesting ticket can't get forwardable +tickets +@item +KRB5_FWD_BAD_PRINCIPAL: Bad principal name while trying to forward +credentials +@item +KRB5_GET_IN_TKT_LOOP: Looping detected inside krb5_get_in_tkt +@item +KRB5_CONFIG_NODEFREALM: Configuration file does not specify default +realm +@item +KRB5_SAM_UNSUPPORTED: Bad SAM flags in obtain_sam_padata +@end enumerate + +@node Kerberos V5 Database Library Error Codes, Kerberos V5 Magic Numbers Error Codes, Kerberos V5 Library Error Codes, Errors +@appendixsubsec Kerberos V5 Database Library Error Codes + +This is the Kerberos v5 database library error code table. + +@c error table numbering starts at 0 +@enumerate 0 +@item +KRB5_KDB_RCSID: $Id$ +@item +KRB5_KDB_INUSE: Entry already exists in database +@item +KRB5_KDB_UK_SERROR: Database store error +@item +KRB5_KDB_UK_RERROR: Database read error +@item +KRB5_KDB_UNAUTH: Insufficient access to perform requested operation +@item +KRB5_KDB_NOENTRY: No such entry in the database +@item +KRB5_KDB_ILL_WILDCARD: Illegal use of wildcard +@item +KRB5_KDB_DB_INUSE: Database is locked or in use--try again later +@item +KRB5_KDB_DB_CHANGED: Database was modified during read +@item +KRB5_KDB_TRUNCATED_RECORD: Database record is incomplete or corrupted +@item +KRB5_KDB_RECURSIVELOCK: Attempt to lock database twice +@item +KRB5_KDB_NOTLOCKED: Attempt to unlock database when not locked +@item +KRB5_KDB_BADLOCKMODE: Invalid kdb lock mode +@item +KRB5_KDB_DBNOTINITED: Database has not been initialized +@item +KRB5_KDB_DBINITED: Database has already been initialized +@item +KRB5_KDB_ILLDIRECTION: Bad direction for converting keys +@item +KRB5_KDB_NOMASTERKEY: Cannot find master key record in database +@item +KRB5_KDB_BADMASTERKEY: Master key does not match database +@item +KRB5_KDB_INVALIDKEYSIZE: Key size in database is invalid +@item +KRB5_KDB_CANTREAD_STORED: Cannot find/read stored master key +@item +KRB5_KDB_BADSTORED_MKEY: Stored master key is corrupted +@item +KRB5_KDB_CANTLOCK_DB: Insufficient access to lock database +@item +KRB5_KDB_DB_CORRUPT: Database format error +@item +KRB5_KDB_BAD_VERSION: Unsupported version in database entry +@item +KRB5_KDB_BAD_SALTTYPE: Unsupported salt type +@item +KRB5_KDB_BAD_ENCTYPE: Unsupported encryption type +@end enumerate + +@node Kerberos V5 Magic Numbers Error Codes, ASN.1 Error Codes, Kerberos V5 Database Library Error Codes, Errors +@appendixsubsec Kerberos V5 Magic Numbers Error Codes + +This is the Kerberos v5 magic numbers error code table. + +@c error table numbering starts at 0 +@enumerate 0 +@item +KV5M_NONE: Kerberos V5 magic number table +@item +KV5M_PRINCIPAL: Bad magic number for krb5_principal structure +@item +KV5M_DATA: Bad magic number for krb5_data structure +@item +KV5M_KEYBLOCK: Bad magic number for krb5_keyblock structure +@item +KV5M_CHECKSUM: Bad magic number for krb5_checksum structure +@item +KV5M_ENCRYPT_BLOCK: Bad magic number for krb5_encrypt_block structure +@item +KV5M_ENC_DATA: Bad magic number for krb5_enc_data structure +@item +@iftex +KV5M_CRYPTOSYSTEM_ENTRY: Bad magic number for krb5_cryp@-to@-sys@-tem_entry +structure +@end iftex +@ifinfo +KV5M_CRYPTOSYSTEM_ENTRY: Bad magic number for krb5_cryptosystem_entry +structure +@end ifinfo +@item +KV5M_CS_TABLE_ENTRY: Bad magic number for krb5_cs_table_entry structure +@item +@iftex +KV5M_CHECKSUM_ENTRY: Bad magic number for krb5_check@-sum_en@-try structure +@end iftex +@ifinfo +KV5M_CHECKSUM_ENTRY: Bad magic number for krb5_checksum_entry structure +@end ifinfo +@item +KV5M_AUTHDATA: Bad magic number for krb5_authdata structure +@item +KV5M_TRANSITED: Bad magic number for krb5_transited structure +@item +KV5M_ENC_TKT_PART: Bad magic number for krb5_enc_tkt_part structure +@item +KV5M_TICKET: Bad magic number for krb5_ticket structure +@item +KV5M_AUTHENTICATOR: Bad magic number for krb5_authenticator structure +@item +KV5M_TKT_AUTHENT: Bad magic number for krb5_tkt_authent structure +@item +KV5M_CREDS: Bad magic number for krb5_creds structure +@item +KV5M_LAST_REQ_ENTRY: Bad magic number for krb5_last_req_entry structure +@item +KV5M_PA_DATA: Bad magic number for krb5_pa_data structure +@item +KV5M_KDC_REQ: Bad magic number for krb5_kdc_req structure +@item +KV5M_ENC_KDC_REP_PART: Bad magic number for @* +krb5_enc_kdc_rep_part structure +@item +KV5M_KDC_REP: Bad magic number for krb5_kdc_rep structure +@item +KV5M_ERROR: Bad magic number for krb5_error structure +@item +KV5M_AP_REQ: Bad magic number for krb5_ap_req structure +@item +KV5M_AP_REP: Bad magic number for krb5_ap_rep structure +@item +KV5M_AP_REP_ENC_PART: Bad magic number for @* +krb5_ap_rep_enc_part structure +@item +KV5M_RESPONSE: Bad magic number for krb5_response structure +@item +KV5M_SAFE: Bad magic number for krb5_safe structure +@item +KV5M_PRIV: Bad magic number for krb5_priv structure +@item +KV5M_PRIV_ENC_PART: Bad magic number for krb5_priv_enc_part structure +@item +KV5M_CRED: Bad magic number for krb5_cred structure +@item +KV5M_CRED_INFO: Bad magic number for krb5_cred_info structure +@item +KV5M_CRED_ENC_PART: Bad magic number for krb5_cred_enc_part structure +@item +KV5M_PWD_DATA: Bad magic number for krb5_pwd_data structure +@item +KV5M_ADDRESS: Bad magic number for krb5_address structure +@item +KV5M_KEYTAB_ENTRY: Bad magic number for krb5_keytab_entry structure +@item +KV5M_CONTEXT: Bad magic number for krb5_context structure +@item +KV5M_OS_CONTEXT: Bad magic number for krb5_os_context structure +@item +KV5M_ALT_METHOD: Bad magic number for krb5_alt_method structure +@item +KV5M_ETYPE_INFO_ENTRY: Bad magic number for @* +krb5_etype_info_entry structure +@item +KV5M_DB_CONTEXT: Bad magic number for krb5_db_context structure +@item +KV5M_AUTH_CONTEXT: Bad magic number for krb5_auth_context structure +@item +KV5M_KEYTAB: Bad magic number for krb5_keytab structure +@item +KV5M_RCACHE: Bad magic number for krb5_rcache structure +@item +KV5M_CCACHE: Bad magic number for krb5_ccache structure +@item +KV5M_PREAUTH_OPS: Bad magic number for krb5_preauth_ops +@item +KV5M_SAM_CHALLENGE: Bad magic number for krb5_sam_challenge +@item +KV5M_SAM_KEY: Bad magic number for krb5_sam_key +@item +KV5M_ENC_SAM_RESPONSE_ENC: Bad magic number for @* +krb5_enc_sam_response_enc +@item +KV5M_SAM_RESPONSE: Bad magic number for krb5_sam_response +@item +KV5M_PREDICTED_SAM_RESPONSE: Bad magic number for +krb5_predicted_sam_response +@item +KV5M_PASSWD_PHRASE_ELEMENT: Bad magic number for passwd_phrase_element +@end enumerate + +@node ASN.1 Error Codes, GSSAPI Error Codes, Kerberos V5 Magic Numbers Error Codes, Errors +@appendixsubsec ASN.1 Error Codes + +@c error table numbering starts at 0 +@enumerate 0 +@item +ASN1_BAD_TIMEFORMAT: ASN.1 failed call to system time library +@item +ASN1_MISSING_FIELD: ASN.1 structure is missing a required field +@item +ASN1_MISPLACED_FIELD: ASN.1 unexpected field number +@item +ASN1_TYPE_MISMATCH: ASN.1 type numbers are inconsistent +@item +ASN1_OVERFLOW: ASN.1 value too large +@item +ASN1_OVERRUN: ASN.1 encoding ended unexpectedly +@item +ASN1_BAD_ID: ASN.1 identifier doesn't match expected value +@item +ASN1_BAD_LENGTH: ASN.1 length doesn't match expected value +@item +ASN1_BAD_FORMAT: ASN.1 badly-formatted encoding +@item +ASN1_PARSE_ERROR: ASN.1 parse error +@end enumerate + +@node GSSAPI Error Codes, , ASN.1 Error Codes, Errors +@appendixsubsec GSSAPI Error Codes + +Generic GSSAPI Errors: + +@c error table numbering starts at 0 +@enumerate 0 +@item +G_BAD_SERVICE_NAME: No @ in SERVICE-NAME name string +@item +G_BAD_STRING_UID: STRING-UID-NAME contains nondigits +@item +G_NOUSER: UID does not resolve to username +@item +G_VALIDATE_FAILED: Validation error +@item +G_BUFFER_ALLOC: Couldn't allocate gss_buffer_t data +@item +G_BAD_MSG_CTX: Message context invalid +@item +G_WRONG_SIZE: Buffer is the wrong size +@item +G_BAD_USAGE: Credential usage type is unknown +@item +G_UNKNOWN_QOP: Unknown quality of protection specified +@item +G_BAD_HOSTNAME: Hostname in SERVICE-NAME string could not be +canonicalized +@end enumerate + +Kerberos 5 GSSAPI Errors: + +@c error table numbering starts at 0 +@enumerate 0 +@item +KG_CCACHE_NOMATCH: Principal in credential cache does not match desired +name +@item +KG_KEYTAB_NOMATCH: No principal in keytab matches desired name +@item +KG_TGT_MISSING: Credential cache has no TGT +@item +KG_NO_SUBKEY: Authenticator has no subkey +@item +KG_CONTEXT_ESTABLISHED: Context is already fully established +@item +KG_BAD_SIGN_TYPE: Unknown signature type in token +@item +KG_BAD_LENGTH: Invalid field length in token +@item +KG_CTX_INCOMPLETE: Attempt to use incomplete security context +@item +KG_CONTEXT: Bad magic number for krb5_gss_ctx_id_t +@item +KG_CRED: Bad magic number for krb5_gss_cred_id_t +@item +KG_ENC_DESC: Bad magic number for krb5_gss_enc_desc +@end enumerate + +@node kadmin Time Zones, , Errors, Appendix +@appendixsec kadmin Time Zones + +This is a complete listing of the time zones recognized by the +@code{kadmin} command. + +@table @b +@itemx gmt +Greenwich Mean Time +@itemx ut, utc +Universal Time (Coordinated). +@itemx wet +Western European Time. (Same as GMT.) +@itemx bst +British Summer Time. (1 hour ahead of GMT.) +@itemx wat +West Africa Time. (1 hour behind GMT.) +@itemx at +Azores Time. (2 hours behind GMT.) +@itemx bst +Brazil Standard Time. (3 hours behind GMT.) Note that the abbreviation +BST also stands for British Summer Time. +@itemx gst +Greenland Standard Time. (3 hours behind GMT.) Note that the +abbreviation GST also stands for Guam Standard Time. +@itemx nft +Newfoundland Time. (3.5 hours behind GMT.) +@itemx nst +Newfoundland Standard Time. (3.5 hours behind GMT.) +@itemx ndt +Newfoundland Daylight Time. (2.5 hours behind GMT.) +@itemx ast +Atlantic Standard Time. (4 hours behind GMT.) +@itemx adt +Atlantic Daylight Time. (3 hours behind GMT.) +@itemx est +Eastern Standard Time. (5 hours behind GMT.) +@itemx edt +Eastern Daylight Time. (4 hours behind GMT.) +@itemx cst +Central Standard Time. (6 hours behind GMT.) +@itemx cdt +Central Daylight Time. (5 hours behind GMT.) +@itemx mst +Mountain Standard Time. (7 hours behind GMT.) +@itemx mdt +Mountain Daylight Time. (6 hours behind GMT.) +@itemx pst +Pacific Standard Time. (8 hours behind GMT.) +@itemx pdt +Pacific Daylight Time. (7 hours behind GMT.) +@itemx yst +Yukon Standard Time. (9 hours behind GMT.) +@itemx ydt +Yukon Daylight Time. (8 hours behind GMT.) +@itemx hst +Hawaii Standard Time. (10 hours behind GMT.) +@itemx hdt +Hawaii Daylight Time. (9 hours behind GMT.) +@itemx cat +Central Alaska Time. (10 hours behind GMT.) +@itemx ahst +Alaska-Hawaii Standard Time. (10 hours behind GMT.) +@itemx nt +Nome Time. (11 hours behind GMT.) +@itemx idlw +International Date Line West Time. (12 hours behind GMT.) +@itemx cet +Central European Time. (1 hour ahead of GMT.) +@itemx met +Middle European Time. (1 hour ahead of GMT.) +@itemx mewt +Middle European Winter Time. (1 hour ahead of GMT.) +@itemx mest +Middle European Summer Time. (2 hours ahead of GMT.) +@itemx swt +Swedish Winter Time. (1 hour ahead of GMT.) +@itemx sst +Swedish Summer Time. (1 hours ahead of GMT.) +@itemx fwt +French Winter Time. (1 hour ahead of GMT.) +@itemx fst +French Summer Time. (2 hours ahead of GMT.) +@itemx eet +Eastern Europe Time; Russia Zone 1. (2 hours ahead of GMT.) +@itemx bt +Baghdad Time; Russia Zone 2. (3 hours ahead of GMT.) +@itemx it +Iran Time. (3.5 hours ahead of GMT.) +@itemx zp4 +Russia Zone 3. (4 hours ahead of GMT.) +@itemx zp5 +Russia Zone 4. (5 hours ahead of GMT.) +@itemx ist +Indian Standard Time. (5.5 hours ahead of GMT.) +@itemx zp6 +Russia Zone 5. (6 hours ahead of GMT.) +@itemx nst +North Sumatra Time. (6.5 hours ahead of GMT.) Note that the +abbreviation NST is also used for Newfoundland Stanard Time. +@itemx sst +South Sumatra Time; Russia Zone 6. (7 hours ahead of GMT.) Note that +SST is also Swedish Summer Time. +@itemx wast +West Australian Standard Time. (7 hours ahead of GMT.) +@itemx wadt +West Australian Daylight Time. (8 hours ahead of GMT.) +@itemx jt +Java Time. (7.5 hours ahead of GMT.) +@itemx cct +China Coast Time; Russia Zone 7. (8 hours ahead of GMT.) +@itemx jst +Japan Standard time; Russia Zone 8. (9 hours ahead of GMT.) +@itemx kst +Korean Standard Time. (9 hours ahead of GMT.) +@itemx cast +Central Australian Standard Time. (9.5 hours ahead of GMT.) +@itemx cadt +Central Australian Daylight Time. (10.5 hours ahead of GMT.) +@itemx east +Eastern Australian Standard Time. (10 hours ahead of GMT.) +@itemx eadt +Eastern Australian Daylight Time. (11 hours ahead of GMT.) +@itemx gst +Guam Standard Time; Russia Zone 9. (10 hours ahead of GMT.) +@itemx kdt +Korean Daylight Time. (10 hours ahead of GMT.) +@itemx nzt +New Zealand Time. (12 hours ahead of GMT.) +@itemx nzst +New Zealand Standard Time. (12 hours ahead of GMT.) +@itemx nzdt +New Zealand Daylight Time. (13 hours ahead of GMT.) +@itemx idle +International Date Line East. (12 hours ahead of GMT.) +@end table + +@contents +@bye diff --git a/doc/build.texinfo b/doc/build.texinfo new file mode 100644 index 0000000000..f20ee91e55 --- /dev/null +++ b/doc/build.texinfo @@ -0,0 +1,323 @@ +\input texinfo @c -*-texinfo-*- +@c +@c NOTE: add /bin/login and xdm to client machine section +@c +@c Note: the above texinfo file must include the "doubleleftarrow" +@c definitions added by jcb. +@c %**start of header +@c guide +@setfilename Kerberos-Build.info +@settitle Guide to Building Kerberos +@c @setchapternewpage odd @c chapter begins on next odd page +@setchapternewpage on @c chapter begins on next page +@smallbook @c Format for 7" X 9.25" paper +@c %**end of header + +@paragraphindent 0 +@iftex +@parskip 6pt plus 6pt +@end iftex + +@include definitions.texinfo +@set EDITION 0.1 alpha + +@c @finalout @c don't print black warning boxes + +@titlepage +@title Guide to Building @value{PRODUCT} +@subtitle Release: @value{RELEASE} +@subtitle Document Edition: @value{EDITION} +@subtitle Last updated: @value{UPDATED} +@author @value{COMPANY} + +@page +@vskip 0pt plus 1filll + +@include copyright.texinfo +@end titlepage + +@node Top, Top, (dir), (dir) +@comment node-name, next, previous, up + +@ifinfo +This file describes how to build @value{PRODUCT}, and how to build +software using the @value{PRODUCT} libraries. + +@include copyright.texinfo +@end ifinfo + +@menu +* Compiling @value{PRODUCT}:: +@end menu + +@node Top, Compiling @value{PRODUCT}, (dir), (dir) +@top Guide to Building @value{PRODUCT} + +@menu +* Compiling @value{PRODUCT}:: +@end menu +@end ifinfo + +@node Compiling @value{PRODUCT}, , Top, Top +@chapter Compiling @value{PRODUCT} + +@value{PRODUCT} is supplied in source form for a number of reasons: +@itemize @bullet +@item You can examine the source yourself, and verify the behavior of +the system to your satisfaction. This is especially important with +security software. +@item You can make your own changes (of course, we recommend having us +make the changes, so that we can support them in the future.) +@end itemize + +@value{PRODUCT} is a large package. In order to efficiently manage sources across a +large number of platforms, we've used certain tools that you may be +unfamilar with, and we explain them here. + +@menu +* Requirements:: Requirements +* Setup:: Setting Up the files +* Testing:: Testing the release +* Constructing an Install Kit:: Constructing a tar file or package +@end menu + +@node Requirements, Setup, Compiling @value{PRODUCT}, Compiling @value{PRODUCT} +@section Requirements + +At the very minimum, you need a Unix-like operating system with a C +compiler. (The MacOS and Windows ports are not discussed here.) While an +ANSI C compiler is preferred, mostly because it is likely to be a more +recent compiler, the build process checks for particular features and +works around them in most cases. We of course recommend gcc, but we test +the compilation with both gcc and the "native" or OS-vendor supplied +compiler whenever possible. + +You also need a version of @code{make}. We recommend GNU make, but +again, we test with the vendor-supplied one as well. Most native +implementations of make are sufficient to build @value{PRODUCT} directly in the +source tree. Having a seperate build tree is far more convenient, and is +what we recommend; this usually needs GNU make because of the variation +in support of @samp{VPATH}. + +If you're only going to compile the unchanged source, or are only going +to change C files, you should be set. If you're going to change some +part of the build process (any of the @file{Makefile}s -- more specifically, +any of the @file{configure.in} or @file{Makefile.in} files that generate +them) you're +going to need a recent version of GNU m4. + +@node Setup, Testing, Requirements, Compiling @value{PRODUCT} +@section Setup + +We recommend a directory structure as follows: +@table @file +@item krb5 +is the source tree itself. +@item src +is a symlink farm pointing into the source tree. +@item @var{platform} +is a directory for a particular build platform. It may be more +convenient for you to name these by hostname, but if you're keeping the +trees around for any length of time it is better to label them by vendor +and version. +@end table + +Given the above structure, unpack the tar file of sources. + +If you don't have GNU m4, or are not planning to change anything, +simply +@example + mv krb5 src +@end example + +If you are likely to be changing build-related information, then the +procedure +@example + % mkdir src + % cd src + % ../krb5/util/lndir ../krb5 +@end example +@noindent will produce the symlink farm, then +@example + % rm Makefile + % cd util/autoconf + % ./configure + % make + % cd ../.. + % util/reconf + % cd .. +@end example +The reconf step will take a while, as it regenerates the build +scripts. If you change @file{aclocal.m4}, @file{Makefile.in}, or +@file{configure.in}, you can +rerun @file{util/reconf} (causing it to rebuild only those things that +need to.) If you're just making changes to a @file{Makefile.in} or +@file{configure.in} +in one directory, the make rules will take care of rerunning @file{autoconf} to +rebuild them directly. + +In order to build a particular platform, simply +@example + % mkdir platform + % cd platform + % ../src/configure --@var{configure options} + % make all @{@var{MAKE OPTIONS}@} + % make check + % make install +@end example + +If @samp{cc} isn't a working compiler (stock Solaris, for example) you should +also do a +@example + setenv CC gcc +@end example +before running configure. + +@menu +* Make Options:: +* Configure Options:: +@end menu + +@node Make Options, Configure Options, Setup, Setup +@subsection Make Options + +@var{MAKE OPTIONS} include +@itemize @bullet +@item @code{CC=@var{compiler}} +@item @code{CCOPTS=@var{compiler flags}} +@end itemize +which get automatically propagated to all subdirectories. + + +@node Configure Options, , Make Options, Setup +@subsection Configure Options + +@var{configure options} include +@table @code +@item --with-dbm + Use native @code{dbm} for the key database. +@item --without-dbm + Use included version of Berkeley @code{db}. This is the default, but +not yet recommended. In a future release, after @code{db} is more +thoroughly tested, a conversion tool will be supplied. +@item --with-dbm-lname + Use native @code{dbm} for @code{aname} to @code{lname} conversion +database. This optional database is most useful when users have +principals in multiple realms that have common access. +@item --without-dbm-lname + Use included version of Berkeley @code{db}. This is the default, but +not yet recommended. In a future release, after @code{db} is more +thoroughly tested, a conversion tool will be supplied. +@item --enable-athena + If V4 compatibility is also enabled (the default), construct +@code{kadmin.v4}, the @value{PRODUCT} V4 compatible Kerberos +Administration Server, and @code{krb524}, the conversion tools to allow +users to generate V4 tickets from V5 tickets. For further details, see +the @ref{@value{PRODUCT} V4 Compatibility,,@value{PRODUCT} V4 Backward +Compatibility Support,@value{PRODUCT}-inst-man,Cygnus Network Security +-- Version 5}. + +It also causes @code{KRB5_ATHENA_COMPAT} to be defined, which may have affects +in future releases, but is currently unused. + +@item --prefix @var{pathname} + Specify that the installed tree be rooted at @var{pathname}. The MIT +default is to use @file{/krb5} but +@item --without-krb4 + Don't include any Kerberos V4 backwards compatibility support in +applications, and don't build the V4 libraries either. +@item --with-krb4 + @value{PRODUCT} V4 libraries (enhanced for compatibility use) are included as part of +the @value{PRODUCT} V5 source tree. By default, or with this option, these are built +and installed in @file{libkrb4.a} and are used in various utilities. +@item --with-krb4=@var{KRB4DIR} + Enable V4 backwards compatibility support, but use existing Kerberos +libraries as preinstalled in @var{KRB4DIR}. Generally not used now that +the V4 libraries are included. +@item --with-cc=@var{COMPILER} + Select compiler to use, and write it into the constructed +@code{Makefile}s as the default value of @code{CC}. +@item --with-linker=@var{LINKER} + Select linker to use, and write it into the constructed +@code{Makefile}s as the default value of @code{LD}. Useful for building +with Purify. +@item --with-ccopts=@var{CCOPTS} + Select compiler command line options, and write it into the constructed +@code{Makefile}s as the default value of @code{CCOPTS}. Useful for +building with debugging or optimization. +@item --with-cppopts=@var{CPPOPTS} + Select compiler preprocessor command line options, and write it into +the constructed @code{Makefile}s as the default value of +@code{CPPOPTS}. Useful for setting flags. +@item --with-netlib=@var{libs} + Use user defined resolve library. Normally the resolver is part of the +C library, but on SunOS systems using NIS, you may need to specify +@code{-lresolv} in order to get a proper domain name resolver. +@item --enable-shared + Construct @value{PRODUCT} V5 shared libraries. Not supported on all systems. +@item --with-shared + Use constructed shared (default) libraries. +@item --without-shared + Don't use any shared libraries when building @value{PRODUCT}. +@item --without-afs + The default, indicating that you don't have afs libraries to build +with and therefore can't to build @code{asetkey}, @code{aklog}, and +@code{kascvt}. +@item --with-afs=@var{AFSDIR} + Use preinstalled AFS library tree located under @var{AFSDIR} to build +the TransArc AFS support and conversion tools. These require V4 +compatibility to operate, and work in conjunction with @code{krb524d}. +@item --enable-telnet-encryption + Use non-standard encryption in telnet. The telnet implementation +provides for the use of DES in a stream mode to encrypt the connection, +but there are some user interface issues that may make it less +safe. Always verify using @kbd{^[ enc status RET} that it was +successful, rather than trusting the message which may have been +inserted by an attacker. For this and other reasons, the encryption mode +is not an Internet Standard as of October 1995, but work is expected in +the coming year to change that. +@item --disable-telnet-encryption + Don't enable the non-standard telnet encryption mode described above. +@end table + +@node Testing, Constructing an Install Kit, Setup, Compiling @value{PRODUCT} +@section Testing + +After running @code{make all} successfully, you should run the +collection of built in test cases. Running @code{make check} will run a +number of built in tests of +@itemize @bullet +@item +raw database code +@item +raw encryption code +@item +various Kerberos V5 interfaces including @code{kdb5} +@end itemize + +If you have @code{runtest} from the DejaGnu package +@footnote{@code{prep.ai.mit.edu:/pub/gnu/dejagnu-1.2.tar.gz} as of this +writing} installed, this will also run a set of live application tests, +creating a test realm, starting a Kerberos server, @code{kadmind}, and +clients, and testing their features the way a human would use them. The +end summary should list no unexpected failures. + +If you do find problems, you can get more specific detail by changing to +the @file{tests/dejagnu} directory and running @code{runtest} with the +@samp{-d} option, and examining the @file{dbg.log} file produced. (This +will not be necessary with any platform supported by @value{COMPANY}.) + +@node Constructing an Install Kit, , Testing, Compiling @value{PRODUCT} +@section Constructing an Install Kit + +Currently install kits are constructed by creating an install directory +and running @code{make install DESTDIR=@var{install directory}}, then +using @samp{tar cf} to produce a tar file. In the future, there will be +direct make targets to support construction of @code{tar} files and +@sc{svr4} packages. + +@contents +@c second page break makes sure right-left page alignment works right +@c with a one-page toc, even though we don't have setchapternewpage odd. +@c end of texinfo file +@bye diff --git a/doc/copyright.texinfo b/doc/copyright.texinfo new file mode 100644 index 0000000000..83ab0e7982 --- /dev/null +++ b/doc/copyright.texinfo @@ -0,0 +1,91 @@ +Copyright @copyright{} 1993, 1994, 1995, 1996 @value{COMPANY}. +@iftex +@vskip 12pt +@hrule +@vskip 12pt +@end iftex + +@value{PRODUCT} includes documentation and software developed at the +Massachusetts Institute of Technology, which includes this copyright +information: + +Copyright @copyright{} 1995 by the Massachusetts Institute of Technology. + +@quotation +Export of software employing encryption from the United States of +America is assumed to require a specific license from the United States +Government. It is the responsibility of any person or organization +contemplating export to obtain such a license before exporting. +@end quotation + +WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute +this software and its documentation for any purpose and without fee is +hereby granted, provided that the above copyright notice appear in all +copies and that both that copyright notice and this permission notice +appear in supporting documentation, and that the name of M.I.T. not be +used in advertising or publicity pertaining to distribution of the +software without specific, written prior permission. M.I.T. makes no +representations about the suitability of this software for any purpose. +It is provided ``as is'' without express or implied warranty. + +@iftex +@vskip 12pt +@hrule +@vskip 12pt +@end iftex + +@value{PRODUCT} includes documentation and software developed at the +University of California at Berkeley, which includes this copyright +notice: + +Copyright @copyright{} 1983 Regents of the University of California.@* +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: +@enumerate +@item +Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. +@item +Redistributions in binary form must reproduce the above copyright +notice, this list of conditions and the following disclaimer in the +documentation and/or other materials provided with the distribution. +@item +All advertising materials mentioning features or use of this software +must display the following acknowledgement: +@quotation +This product includes software developed by the University of +California, Berkeley and its contributors. +@end quotation +@item +Neither the name of the University nor the names of its contributors +may be used to endorse or promote products derived from this software +without specific prior written permission. +@end enumerate + +@iftex +@vskip 12pt +@hrule +@vskip 12pt +@end iftex + +Permission is granted to make and distribute verbatim copies of this +manual provided the copyright notices and this permission notice are +preserved on all copies. + +@ignore +Permission is granted to process this file through TeX and print the +results, provided the printed document carries a copying permission +notice identical to this one except for the removal of this paragraph +(this paragraph not being relevant to the printed manual). +@end ignore + +Permission is granted to copy and distribute modified versions of this +manual under the conditions for verbatim copying, provided also that the +entire resulting derived work is distributed under the terms of a +permission notice identical to this one. + +Permission is granted to copy and distribute translations of this manual +into another language, under the above conditions for modified versions. diff --git a/doc/cyg-install.texinfo b/doc/cyg-install.texinfo new file mode 100644 index 0000000000..60532eb042 --- /dev/null +++ b/doc/cyg-install.texinfo @@ -0,0 +1,1644 @@ +\input texinfo @c -*-texinfo-*- +@c +@c NOTE: add /bin/login and xdm to client machine section +@c +@c Note: the above texinfo file must include the "doubleleftarrow" +@c definitions added by jcb. +@c %**start of header +@c guide +@setfilename KerbNet-Install.info +@settitle Kerb*Net Installation Guide +@setchapternewpage odd @c chapter begins on next odd page +@c @setchapternewpage on @c chapter begins on next page +@smallbook @c Format for 7" X 9.25" paper +@c %**end of header + +@paragraphindent 0 +@iftex +@parskip 6pt plus 6pt +@end iftex + +@include definitions.texinfo +@set EDITION 0.91 beta + +@finalout @c don't print black warning boxes + +@titlepage +@title @value{PRODUCT} Installation Guide +@subtitle Release: @value{RELEASE} +@subtitle Document Edition: @value{EDITION} +@subtitle Last updated: @value{UPDATED} +@author @value{COMPANY} + +@page +@vskip 0pt plus 1filll + +@include copyright.texinfo +@end titlepage + +@node Top, Introduction, (dir), (dir) +@comment node-name, next, previous, up + +@ifinfo +This file documents how to install the @value{RELEASE} release of +@value{PRODUCT}. + +@include copyright.texinfo +@end ifinfo + +@c The master menu is updated using emacs19's M-x texinfo-all-menus-update +@c function. Don't forget to run M-x texinfo-every-node-update after +@c you add a new section or subsection, or after you've rearranged the +@c order of sections or subsections. Also, don't forget to add an @node +@c comand before each @section or @subsection! All you need to enter +@c is: +@c +@c @node New Section Name + +@c @section New Section Name +@c +@c M-x texinfo-every-node-update will take care of calculating the +@c node's forward and back pointers. +@c +@c --------------------------------------------------------------------- +@menu +* Introduction:: +* Realm Configuration Decisions:: +* Installing @value{PRODUCT}:: +* Support:: +* Files:: +@end menu + +@node Introduction, Realm Configuration Decisions, Top, Top +@chapter Introduction + +Congratulations on your purchase of @value{PRODUCT}. @value{COMPANY} +believes @value{PRODUCT} provides the best network security available. +Please let us know if we can be of assistance in getting your +installation of @value{PRODUCT} set up and running. + +@menu +* What is Kerberos and How Does it Work?:: +* Why Should I use Kerberos?:: +* @value{PRODUCT} Documentation:: +* Please Read the Documentation:: +* Overview of This Guide:: +@end menu + +@node What is Kerberos and How Does it Work?, Why Should I use Kerberos?, Introduction, Introduction +@section What is Kerberos and How Does it Work? + +@value{PRODUCT} is based on the Kerberos authentication system developed +at MIT. Under Kerberos, a client (generally either a user or a service) +sends a request for a ticket to the Key Distribution Center (KDC). The +KDC creates a @dfn{ticket-granting ticket} (TGT) for the client, +encrypts it using the client's password as the key, and sends the +encrypted TGT back to the client. The client then attempts to decrypt +the TGT, using its password. If the client successfully decrypts the +TGT (@i{i.e.}, if the client gave the correct password), it keeps the +decrypted TGT, which indicates proof of the client's identity. + +The TGT, which expires at a specified time, permits the client to obtain +additional tickets, which give permission for specific services. The +requesting and granting of these additional tickets is user-transparent. + +@node Why Should I use Kerberos?, @value{PRODUCT} Documentation, What is Kerberos and How Does it Work?, Introduction +@section Why Should I use Kerberos? + +Since Kerberos negotiates authenticated, and optionally encrypted, +communications between two points anywhere on the internet, it provides +a layer of security that is not dependent on which side of a firewall +either client is on. Since studies have shown that half of the computer +security breaches in industry happen from @i{inside} firewalls, +@value{PRODUCT} from @value{COMPANY} will play a vital role in the +security of your network. + +@node @value{PRODUCT} Documentation, Please Read the Documentation, Why Should I use Kerberos?, Introduction +@section @value{PRODUCT} Documentation + +This document is one piece of the document set for @value{PRODUCT}. The +documents, and their intended audiences, are: + +@include document-list.texinfo + +@node Please Read the Documentation, Overview of This Guide, @value{PRODUCT} Documentation, Introduction +@section Please Read the Documentation + +As with any software package that uses a centrallized database, the +installation procedure is somewhat involved, and requires forethought +and planning. @value{COMPANY} has attempted to make this +@value{PRODUCT} Installation Guide as concise as possible, rather than +making it an exhaustive description of the details of Kerberos. +Consequently, everything in this guide appears because @value{COMPANY} +believes that it is important. Please read and follow these +instructions carefully, and if there is anything you do not understand +or are not sure of, please don't hesitate to call us. + +@node Overview of This Guide, , Please Read the Documentation, Introduction +@section Overview of This Guide + +The next chapter describes the decisions you need to make before +installing @value{PRODUCT}. + +Chapter three describes installation procedures for each class of +Kerberos machines: + +@enumerate +@item +Key Distribution Centers (KDCs). + +@enumerate A +@item +The Master KDC. + +@item +Slave KDCs. +@end enumerate + +@item +Client machines (user machines): + +@enumerate A +@item +UNIX client machines. + +@item +Windows machines. + +@item +Macintoshes. +@end enumerate + +@item +application server machines +@end enumerate + +@noindent +Note that a machine can be both a client machine and an application +server. + +Chapter four describes our problem reporting system. + +The appendices give sample configuration files. + +@node Realm Configuration Decisions, Installing @value{PRODUCT}, Introduction, Top +@chapter Realm Configuration Decisions + +Before installing @value{PRODUCT}, it is necessary to consider the +following issues: + +@itemize @bullet +@item +The name of your Kerberos realm (or the name of each realm, if you need +more than one). + +@item +How you will map your hostnames onto Kerberos realms. + +@item +Which ports your KDC and and kadmin (database access) services will use. + +@item +How many slave KDCs you need and where they should be located. + +@item +The hostnames of your master and slave KDCs. + +@item +How frequently you will propagate the database from the master KDC to +the slave KDCs. + +@item +Whether you need backward compatibility with Kerberos V4. +@end itemize + +@menu +* Kerberos Realms:: +* Mapping Hostnames onto Kerberos Realms:: +* Ports for the KDC and Admin Services:: +* Slave KDCs:: +* Hostnames for the Master and Slave KDCs:: +* Database Propagation:: +@end menu + +@node Kerberos Realms, Mapping Hostnames onto Kerberos Realms, Realm Configuration Decisions, Realm Configuration Decisions +@section Kerberos Realms + +Although your Kerberos realm can be any ASCII string, convention is to +make it the same as your domain name, in upper-case letters. For +example, hosts in the domain @value{PRIMARYDOMAIN} would be in the +Kerberos realm @value{PRIMARYREALM}. + +If you need multiple Kerberos realms, @value{COMPANY} recommends that +you use descriptive names which end with your domain name, such as +BOSTON.@value{PRIMARYREALM} and SAN_FRANCISCO.@value{PRIMARYREALM}. + +@node Mapping Hostnames onto Kerberos Realms, Ports for the KDC and Admin Services, Kerberos Realms, Realm Configuration Decisions +@section Mapping Hostnames onto Kerberos Realms + +Mapping hostnames onto Kerberos realms is done through a set of rules in +the @code{krb5.conf} configuration file. (@xref{krb5.conf}.) You can +specify mappings for an entire domain or subdomain, and/or on a +hostname-by-hostname basis. Since greater specificity takes precedence, +you would do this by specifying the mappings for a given domain or +subdomain and listing the exceptions. + +@node Ports for the KDC and Admin Services, Slave KDCs, Mapping Hostnames onto Kerberos Realms, Realm Configuration Decisions +@section Ports for the KDC and Admin Services + +The default ports used by Kerberos are port 88 for the +KDC@footnote{Kerberos V4 used port 750. If necessary, you can run on +both ports for backward compatibility.} and port 749 for the admin +server. You can, however, choose to run on other ports, as long as they +are specified in each host's @code{/etc/services} and @code{krb5.conf} +files, and the @code{kdc.conf} file on each KDC. Because the kadmin +port was recently assigned, @value{COMPANY} recommands that you specify +it explicitly in your @code{krb5.conf} and @code{kdc.conf} files. For a +more thorough treatment of port numbers used by the @value{PRODUCT} +programs, refer to the ``Configuring Your Firewall to Work With +@value{PRODUCT}'' section of the @cite{@value{PRODUCT} System +Administrator's Guide}. + +@node Slave KDCs, Hostnames for the Master and Slave KDCs, Ports for the KDC and Admin Services, Realm Configuration Decisions +@section Slave KDCs + +Slave KDCs provide an additional source of Kerberos ticket-granting +services in the event of inaccessibility of the master KDC. The number +of slave KDCs you need and the decision of where to place them, both +physically and logically, depend on the specifics of your network. + +All of the Kerberos authentication on your network requires that each +client be able to contact a KDC. Therefore, you need to anticipate any +likely reason a KDC might be unavailable and have a slave KDC to take up +the slack. + +Some considerations include: + +@itemize @bullet +@item +Have at least one slave KDC as a backup, for when the master KDC is +down, is being upgraded, or is otherwise unavailable. + +@item +If your network is split such that a network outage is likely to cause +some segment or segments of the network to become cut off or isolated, +have a slave KDC accessible to each segment. + +@item +If possible, have at least one slave KDC in a different building from +the master, in case of power outages, fires, or other localized +disasters. +@end itemize + +If you have a large and/or complex network, @value{COMPANY} will be +happy to work with you to determine the optimal number and placement of +your slave KDCs. + +@node Hostnames for the Master and Slave KDCs, Database Propagation, Slave KDCs, Realm Configuration Decisions +@section Hostnames for the Master and Slave KDCs + +@value{COMPANY} recommends that your KDCs have a predefined set of +cnames, such as @code{@value{KDCSERVER}} for the master KDC and +@code{@value{KDCSLAVE1}}, @code{@value{KDCSLAVE2}}, @dots{} for the +slave KDCs. This way, if you need to swap a machine, you only need to +change a DNS entry, rather than having to change hostnames. + +@node Database Propagation, , Hostnames for the Master and Slave KDCs, Realm Configuration Decisions +@section Database Propagation + +The Kerberos database resides on the master KDC, and must be propagated +regularly (usually by a cron job) to the slave KDCs. In deciding how +frequently the propagation should happen, you will need to balance the +amount of time the propagation takes against the maximum reasonable +amount of time a user should have to wait for a password change to take +effect. @value{COMPANY} recommends that this be no longer than an hour. + +If the propagation time is longer than this maximum reasonable time +(@i{e.g.,} you have a particularly large database, you have a lot of +slaves, and/or you experience frequent network delays), you may wish to +cut down on your propagation delay by performing the propagation in +parallel. To do this, have the master KDC propagate the database to one +set of slaves, and then have each of these slaves propagate the database +to additional slaves. + +@node Installing @value{PRODUCT}, Support, Realm Configuration Decisions, Top +@chapter Installing @value{PRODUCT} + +The sections of this chapter describe procedures for installing +@value{PRODUCT} on: + +@enumerate +@item +The KDCs + +@item +Client machines + +@enumerate A +@item +UNIX client machines + +@item +Windows machines + +@item +Macintoshes +@end enumerate + +@item +UNIX Application Servers +@end enumerate + +@menu +* Installing KDCs:: +* Installing and Configuring UNIX Client Machines:: +* Installing and Configuring Windows Client Machines:: +* Installing and Configuring Macintosh Client Machines:: +* UNIX Application Servers:: +@end menu + +@node Installing KDCs, Installing and Configuring UNIX Client Machines, Installing @value{PRODUCT}, Installing @value{PRODUCT} +@section Installing KDCs + +The Key Distribution Centers (KDCs) issue Kerberos tickets. Each KDC +contains a copy of the Kerberos database. The master KDC contains the +master copy of the database, which it propagates to the slave KDCs at +regular intervals. All database changes (such as password changes) are +made on the master KDC. + +Slave KDCs provide Kerberos ticket-granting services, but not database +access. This allows clients to continue to obtain tickets when the +master KDC is unavailable. + +@value{COMPANY}'s recommends that you install all of your KDCs to be +able to function as either the master or one of the slaves. This will +enable you to easily switch your master KDC with one of the slaves if +necessary. (@xref{Switching Master and Slave KDCs}.) This installation +procedure is based on that recommendation. + +@menu +* Install the Master KDC:: +* Install the Slave KDCs:: +* Back on the Master KDC:: +* Finish Installing the Slave KDCs:: +* Add Kerberos Principals to the Database:: +* Limit Access to the KDCs:: +* Switching Master and Slave KDCs:: +@end menu + +@node Install the Master KDC, Install the Slave KDCs, Installing KDCs, Installing KDCs +@subsection Install the Master KDC + +This installation procedure will require you to go back and forth a +couple of times between the master KDC and each of the slave KDCs. The +first few steps must be done on the master KDC. + +@menu +* Unpack the tar file:: +* Edit the Configuration Files:: +* Create the Database:: +* Add Administrators to the Acl File:: +* Add Administrators to the Kerberos Database:: +* Create a kadmind Keytab:: +* Start the Kerberos Daemons:: +@end menu + +@node Unpack the tar file, Edit the Configuration Files, Install the Master KDC, Install the Master KDC +@subsubsection Unpack the tar file + +Unpack the tar file on each KDC. Because of some specifications that +are compiled into the software, you must install @value{PRODUCT} in the +directory @code{@value{INSTALLDIR}}. If you extract the tar file from +the top-level directory (@code{/}), the files will end up in this +directory. Installation into other locations is not supported in this +release, but is planned for future releases. + +@value{COMPANY} recommends that you choose a persistent directory name, +and make it a symbolic link to @code{@value{INSTALLDIR}}, so +you can install updates later without requiring users to change their +paths. This document will refer to @code{@value{ROOTDIR}} as the +persistent directory name. + +@node Edit the Configuration Files, Create the Database, Unpack the tar file, Install the Master KDC +@subsubsection Edit the Configuration Files + +Modify the configuration files, @code{/etc/krb5.conf} +(@pxref{krb5.conf}) and @code{@value{ROOTDIR}/lib/krb5kdc/kdc.conf} +(@pxref{kdc.conf}) to reflect the correct information (such as the +hostnames and realm name) for your realm. @value{COMPANY} recommends +that you keep @code{krb5.conf} in @code{/etc}. The @code{krb5.conf} +file may contain a pointer to @code{kdc.conf}, which you need to change +if you want to move @code{kdc.conf} to another location. + +@node Create the Database, Add Administrators to the Acl File, Edit the Configuration Files, Install the Master KDC +@subsubsection Create the Database + +You will use the @code{kdb5_util} command @emph{on the Master KDC} to +create the Kerberos database and the optional stash file. The +@dfn{stash file} is a local copy of the master key that resides in +encrypted form on the KDC's local disk. The stash file is used to +authenticate the KDC to itself automatically before starting the +@code{kadmind} and @code{krb5kdc} daemons (@i{e.g.,} as part of the +machine's boot sequence). The stash file, like the keytab file +(@xref{The Keytab File}) is a potential point-of-entry for a break-in, +and if compromised, would allow unrestricted access to the Kerberos +database. If you choose to install a stash file, it should be readable +only by root, and should exist only on the KDC's local disk. The file +should not be part of any backup of the machine, unless access to the +backup data is secured as tightly as access to the master password +itself. + +Note that @code{kdb5_util} will prompt you for the master key for the +Kerberos database. This key can be any string. A good key is one you +can remember, but that no one else can guess. Examples of bad keys are +words that can be found in a dictionary, any common or popular name, +especially a famous person (or cartoon character), your username in any +form (@i{e.g.}, forward, backward, repeated twice, @i{etc.}), and any of +the sample keys that appear in this manual. One example of a key which +would be good if it did not appear in this manual is ``CSiys4K5!'', +which represents the sentence ``@value{COMPANY} is your source for +Kerberos 5!'' (It's the first letter of each word, substituting the +numeral ``4'' for the word ``for'', and includes the punctuation mark at +the end.) + +The following is an example of how to create a Kerberos database and +stash file on the master KDC, using the @code{kdb5_util} command. (The +line that begins with @result{} is a continuation of the previous line.) +Replace @i{@value{PRIMARYREALM}} with the name of your Kerberos realm. + +@smallexample +@group +@b{shell%} @value{ROOTDIR}/sbin/kdb5_util create -r @value{PRIMARYREALM} -s +@b{kdb5_util: No such file or directory while setting active database to '/krb5/principal' +Initializing database '@value{ROOTDIR}/lib/krb5kdc/principal' for +@result{} realm '@value{PRIMARYREALM}', +master key name 'K/M@@@value{PRIMARYREALM}' +You will be prompted for the database Master Password. +It is important that you NOT FORGET this password.} +@iftex +@b{Enter KDC database master key:} @i{@doubleleftarrow{} Type the master password.} +@b{Re-enter KDC database master key to verify:} @i{@doubleleftarrow{} Type it again.} +@end iftex +@ifinfo +@b{Enter KDC database master key:} @i{<= Type the master password.} +@b{Re-enter KDC database master key to verify:} @i{<= Type it again.} +@end ifinfo +@b{shell%} +@end group +@end smallexample + +This will create five files in the directory specified in your +@code{kdc.conf} file: two Kerberos database files, @code{principal.db}, +and @code{principal.ok}; the Kerberos administrative database file, +@code{principal.kadm5}; the administrative database lock file, +@code{principal.kadm5.lock}; and the stash file, @code{.k5stash}. (The +default directory is @code{@value{ROOTDIR}/lib/krb5kdc}.) If you do not +want a stash file, run the above command without the @code{-s} option. + +@node Add Administrators to the Acl File, Add Administrators to the Kerberos Database, Create the Database, Install the Master KDC +@subsubsection Add Administrators to the Acl File + +Next, you need create an Access Control List (acl) file, and put the +Kerberos principal of at least one of the administrators into it. The +filename should match the value you have set for ``acl_file'' in your +@code{kdc.conf} file. The default file name is @samp{kadm5.acl}. The +format of the file is: + +@smallexample +Kerberos principal permissions optional target principal +@end smallexample + +The Kerberos principal (and optional target principal) can include the +``@b{*}'' wildcard, so if you want any principal with the instance +``admin'' to have full permissions on the database, you could use the +principal ``@code{*/admin@@REALM}'' where ``REALM'' is your Kerberos +realm. + +Note: a common use of an @i{admin} instance is so you can grant +separate permissions (such as administrator access to the Kerberos +database) to a separate Kerberos principal. For example, the user +@code{@value{ADMINUSER}} might have a principal for his administrative +use, called @code{@value{ADMINUSER}/admin}. This way, +@code{@value{ADMINUSER}} would obtain @code{@value{ADMINUSER}/admin} +tickets only when he actually needs to use those permissions. Refer to +the @value{PRODUCT} Administrator's Guide or the @value{PRODUCT} User's +Guide for more detailed explanations of @dfn{principals} and +@dfn{instances}. + +The permissions (acls) recognized in the acl file +are the following: + +@table @b +@itemx a +allows the addition of principals or policies in the database. +@itemx A +prohibits the addition of principals or policies in the database. +@itemx d +allows the deletion of principals or policies in the database. +@itemx D +prohibits the deletion of principals or policies in the database. +@itemx m +allows the modification of principals or policies in the database. +@itemx M +prohibits the modification of principals or policies in the database. +@itemx c +allows the changing of passwords for principals in the database. +@itemx C +prohibits the changing of passwords for principals in the database. +@itemx i +allows inquiries to the database. +@itemx I +prohibits inquiries to the database. +@itemx l +allows the listing of principals or policies in the database. +@itemx L +prohibits the listing of principals or policies in the database. +@itemx * +Short for all privileges (admcil). +@itemx x +Short for all privileges (admcil); identical to ``*''. +@end table + +To give the principal @code{*/admin@@@value{PRIMARYREALM}} permission to +change all of the database permissions on any principal permissions, you +would place the following line in the file: + +@smallexample +*/admin@@@value{PRIMARYREALM} * +@end smallexample + +To give the principal @code{@value{ADMINUSER}@@@value{PRIMARYREALM}} +permission to add, list, and inquire about any principal that has the +instance ``root'', you would add the following line to the acl file: + +@smallexample +@value{ADMINUSER}@@@value{PRIMARYREALM} ali */root@@@value{PRIMARYREALM} +@end smallexample + +@node Add Administrators to the Kerberos Database, Create a kadmind Keytab, Add Administrators to the Acl File, Install the Master KDC +@subsubsection Add Administrators to the Kerberos Database + +Next you need to add administrative principals to the Kerberos database. +(You must add at least one now.) To do this, use @code{kadmin.local} +@emph{on the master KDC}, as in the following example: + +@smallexample +@group +@b{shell%} @value{ROOTDIR}/sbin/kadmin.local +@b{kadmin:} addprinc admin/admin@@@value{PRIMARYREALM} +@b{WARNING: no policy specified for "admin/admin@@@value{PRIMARYREALM}"; +defaulting to no policy.} +@iftex +@b{Enter password for principal admin/admin@@@value{PRIMARYREALM}:} @i{@doubleleftarrow{} Enter a password.} +Re-enter password for principal admin/admin@@@value{PRIMARYREALM}: @i{@doubleleftarrow{} Type it again.} +@end iftex +@ifinfo +@b{Enter password for principal admin/admin@@@value{PRIMARYREALM}:} @i{<= Enter a password.} +Re-enter password for principal admin/admin@@@value{PRIMARYREALM}: @i{<= Type it again.} +@end ifinfo +@b{Principal "admin/admin@@@value{PRIMARYREALM}" created. +kadmin:} +@end group +@end smallexample + +@node Create a kadmind Keytab, Start the Kerberos Daemons, Add Administrators to the Kerberos Database, Install the Master KDC +@subsubsection Create a kadmind Keytab + +The kadmind keytab is the key that kadmind will use to decrypt +administrators' Kerberos tickets to determine whether or not it should +give them access to the database. You need to create the kadmin keytab +with entries for the principals @code{kadmin/admin} and +@code{kadmin/changepw}. (These principals are placed in the Kerberos +database automatically when you create it.) To create the kadmin +keytab, run @code{kadmin} and use the @code{ktadd} command, as in the +following example. (The line beginning with @result{} is a continuation +of the previous line.): + +@smallexample +@group +@b{shell%} @value{ROOTDIR}/sbin/kadmin +@b{kadmin:} ktadd -k @value{ROOTDIR}/lib/krb5kdc/kadm5.keytab +@result{} kadmin/admin kadmin/changepw +@b{kadmin: Entry for principal kadmin/admin@@@value{PRIMARYREALM} with + kvno 3, encryption type DES-CBC-CRC added to keytab + WRFILE:@value{ROOTDIR}/lib/krb5kdc/kadm5.keytab. +kadmin:} quit +@b{shell%} +@end group +@end smallexample + +@noindent +As specified in the @samp{-k} argument, @code{ktadd} will save the +extracted keytab as @code{@value{ROOTDIR}/lib/krb5kdc/kadm5.keytab}. +The filename you use must be the one specified in your @code{kdc.conf} +file. + +@need 2000 +@node Start the Kerberos Daemons, , Create a kadmind Keytab, Install the Master KDC +@subsubsection Start the Kerberos Daemons on the Master KDC + +At this point, you are ready to start the Kerberos daemons on the Master +KDC. To do so, type: + +@smallexample +@b{shell%} @value{ROOTDIR}/sbin/krb5kdc +@b{shell%} @value{ROOTDIR}/sbin/kadmind +@end smallexample + +@noindent +Each daemon will fork and run in the background. Assuming you want +these daemons to start up automatically at boot time, you can add them +to the KDC's @code{/etc/rc} or @code{/etc/inittab} file. You need to +have a stash file in order to do this. + +@node Install the Slave KDCs, Back on the Master KDC, Install the Master KDC, Installing KDCs +@subsection Install the Slave KDCs + +You are now ready to start configuring the slave KDCs. Assuming you are +setting the KDCs up so that you can easily switch the master KDC with +one of the slaves, you should perform each of these steps on the master +KDC as well as the slave KDCs, unless these instructions specify +otherwise. + +@menu +* Copy the Software onto the Slave KDCs:: +* Create Host Keys for the Slave KDCs:: +* Extract Host Keytabs for the KDCs:: +* Set Up the Slave KDCs for Database Propagation:: +@end menu + +@node Copy the Software onto the Slave KDCs, Create Host Keys for the Slave KDCs, Install the Slave KDCs, Install the Slave KDCs +@subsubsection Copy the Software onto the Slave KDCs + +Unpack the tar file on each slave KDC as you did on the master. Once +again, note that you must install @value{PRODUCT} in the directory +@code{@value{INSTALLDIR}}. If you extract the tar file from the +top-level directory (@code{/}), the files will end up in this directory. +As with the master KDC, make the symbolic link to +@code{@value{INSTALLDIR}} with the persistent name you chose earlier. +Once you have unpacked the tar file, replace the configuration files, +@code{krb5.conf} (@pxref{krb5.conf}) and @code{kdc.conf} +(@pxref{kdc.conf}) with those you edited on the master KDC. + +@node Create Host Keys for the Slave KDCs, Extract Host Keytabs for the KDCs, Copy the Software onto the Slave KDCs, Install the Slave KDCs +@subsubsection Create Host Keys for the Slave KDCs + +Each KDC needs a host principal in the Kerberos database. You can enter +these from any host, once the @code{kadmind} daemon is running. For +example, if your master KDC were called +@value{KDCSERVER}.@value{PRIMARYDOMAIN}, and you had two KDC slaves +named @value{KDCSLAVE1}.@value{PRIMARYDOMAIN} and +@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}, you would type the following: + +@smallexample +@group +@b{shell%} @value{ROOTDIR}/sbin/kadmin +@b{kadmin:} addprinc -randpass host/@value{KDCSERVER}.@value{PRIMARYDOMAIN} +@b{WARNING: no policy specified for "host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}"; +defaulting to no policy. +Principal "host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}" created. +kadmin:} addprinc -randpass host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN} +@b{WARNING: no policy specified for "host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}"; +defaulting to no policy. +Principal "host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}" created.} +@b{kadmin:} addprinc -randpass host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN} +@b{WARNING: no policy specified for "host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}"; +defaulting to no policy. +Principal "host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}" created. +kadmin:} +@end group +@end smallexample + +@noindent +It is not actually necessary to have the master KDC server in the +Kerberos database, but it can be handy if: + +@itemize @bullet +@item +anyone will be logging into the machine as something other than root + +@item +you want to be able to swap the master KDC with one of the slaves if +necessary. +@end itemize + +@node Extract Host Keytabs for the KDCs, Set Up the Slave KDCs for Database Propagation, Create Host Keys for the Slave KDCs, Install the Slave KDCs +@subsubsection Extract Host Keytabs for the KDCs + +Each KDC (including the master) needs a keytab to decrypt tickets. +Ideally, you should extract each keytab locally on its own KDC. If this +is not feasible, you should use an encrypted session to send them across +the network. To extract a keytab on a KDC called +@value{KDCSERVER}.@value{PRIMARYDOMAIN}, you would execute the following +command: + +@smallexample +@group +@b{kadmin:} ktadd host/@value{KDCSERVER}.@value{PRIMARYDOMAIN} +@b{kadmin: Entry for principal host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} with + kvno 1, encryption type DES-CBC-CRC added to keytab + WRFILE:/etc/v5srvtab. +kadmin:} +@end group +@end smallexample + +@noindent +Note that the principal must exist in the Kerberos database in order to +extract the keytab. + +@node Set Up the Slave KDCs for Database Propagation, , Extract Host Keytabs for the KDCs, Install the Slave KDCs +@subsubsection Set Up the Slave KDCs for Database Propagation + +The database is propagated from the master KDC to the slave KDCs via the +@code{kpropd} daemon. To set up propagation, create a file on each KDC, +named @code{@value{ROOTDIR}/lib/krb5kdc/kpropd.acl}, containing the +principals for each of the KDCs. +@need 1200 +For example, if the master KDC were +@code{@value{KDCSERVER}.@value{PRIMARYDOMAIN}}, the slave KDCs were +@code{@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}} and +@code{@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}}, and the realm were +@code{@value{PRIMARYREALM}}, then the file's contents would be: + +@smallexample +@group +host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} +host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} +host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} +@end group +@end smallexample + +@need 1000 +Then, add the following lines to @code{/etc/inetd.conf} file on each KDC +(the line beginnng with @result{} is a continuation of the previous +line): + +@smallexample +@group +krb5_prop stream tcp nowait root @value{ROOTDIR}/sbin/kpropd kpropd +eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind +@result{} klogind -k -c -e +@end group +@end smallexample + +@noindent +The first line sets up the @code{kpropd} database propagation daemon. +The second line sets up the @code{eklogin} daemon, allowing +Kerberos-authenticated, encrypted rlogin to the KDC. + +You also need to add the following lines to @code{/etc/services} on each +KDC: + +@smallexample +@group +kerberos 88/udp kdc # Kerberos authentication (udp) +kerberos 88/tcp kdc # Kerberos authentication (tcp) +krb5_prop 754/tcp # Kerberos slave propagation +kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp) +kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp) +eklogin 2105/tcp # Kerberos encrypted rlogin +@end group +@end smallexample + +@node Back on the Master KDC, Finish Installing the Slave KDCs, Install the Slave KDCs, Installing KDCs +@subsection Back on the Master KDC + +Now that the slave KDCs are able to accept database propagation, you'll +need to propagate the database to each of them. + +@menu +* Propagate the Database to Each Slave KDC:: +@end menu + +@node Propagate the Database to Each Slave KDC, , Back on the Master KDC, Back on the Master KDC +@subsubsection Propagate the Database to Each Slave KDC + +First, create a dump of the database on the master KDC, as follows: + +@smallexample +@group +@b{shell%} @value{ROOTDIR}/sbin/kdb5_util dump @value{ROOTDIR}/lib/krb5kdc/slave_datatrans +@b{shell%} +@end group +@end smallexample + +Next, you need to manually propagate the database to each slave KDC, as +in the following example. (The lines beginning with @result{} are +continuations of the previous line.): + +@smallexample +@group +@value{ROOTDIR}/sbin/kprop -f @value{ROOTDIR}/lib/krb5kdc/slave_datatrans +@result{} @value{KDCSLAVE1}.@value{PRIMARYDOMAIN} +@value{ROOTDIR}/sbin/kprop -f @value{ROOTDIR}/lib/krb5kdc/slave_datatrans +@result{} @value{KDCSLAVE2}.@value{PRIMARYDOMAIN} +@end group +@end smallexample + +You will need a script to dump and propagate the database. The +following is an example of a bourne shell script that will do this. +(Note that the line that begins with @result{} is a continuation of the +previous line. Remember that you need to replace @value{ROOTDIR} with +the name of the directory in which you installed @value{PRODUCT}.) + +@smallexample +@group +#!/bin/sh + +kdclist = "@value{KDCSLAVE1}.@value{PRIMARYDOMAIN} @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}" + +@value{ROOTDIR}/sbin/kdb5_util -R "dump +@result{} @value{ROOTDIR}/lib/krb5kdc/slave_datatrans" + +for kdc in $kdclist +do +@value{ROOTDIR}/sbin/kprop -f @value{ROOTDIR}/lib/krb5kdc/slave_datatrans $kdc +done +@end group +@end smallexample + +@noindent +You will need to set up a cron job to run this script at the intervals +you decided on earlier (@xref{Database Propagation}.) + +@node Finish Installing the Slave KDCs, Add Kerberos Principals to the Database, Back on the Master KDC, Installing KDCs +@subsection Finish Installing the Slave KDCs + +Now that the slave KDCs have copies of the Kerberos database, you can +create stash files for them and start the @code{krb5kdc} daemon. + +@menu +* Create Stash Files on the Slave KDCs:: +* Start the krb5kdc Daemon on Each KDC:: +@end menu + +@node Create Stash Files on the Slave KDCs, Start the krb5kdc Daemon on Each KDC, Finish Installing the Slave KDCs, Finish Installing the Slave KDCs +@subsubsection Create Stash Files on the Slave KDCs + +Create stash files, by issuing the following commands on each slave KDC: + +@smallexample +@group +@b{shell%} kdb5_util stash +@b{kdb5_util: Cannot find/read stored master key while reading master key +kdb5_util: Warning: proceeding without master key} +@iftex +@b{Enter KDC database master key:} @i{@doubleleftarrow{} Enter the database master key.} +@end iftex +@ifinfo +@b{Enter KDC database master key:} @i{<= Enter the database master key.} +@end ifinfo +@b{shell%} +@end group +@end smallexample + +As mentioned above, the stash file is necessary for your KDCs to be able +authenticate to themselves, such as when they reboot. You could run +your KDCs without stash files, but you would then need to type in the +Kerberos database master key by hand every time you start a KDC daemon. + +@node Start the krb5kdc Daemon on Each KDC, , Create Stash Files on the Slave KDCs, Finish Installing the Slave KDCs +@subsubsection Start the krb5kdc Daemon on Each KDC + +The final step in configuing your slave KDCs is to run the KDC daemon: + +@smallexample +@group +@b{shell%} @value{ROOTDIR}/sbin/krb5kdc +@end group +@end smallexample + +As with the master KDC, you will probably want to add this command to +the KDCs' @code{/etc/rc} or @code{/etc/inittab} files, so they will +start the krb5kdc daemon automatically at boot time. + +@node Add Kerberos Principals to the Database, Limit Access to the KDCs, Finish Installing the Slave KDCs, Installing KDCs +@subsection Add Kerberos Principals to the Database + +@need 1800 +Once your KDCs are set up and running, you are ready to use +@code{kadmin} to load principals for your users, hosts, and other +services into the Kerberos database. This procedure is described fully in the +``Adding or Modifying Principals'' section of the @value{PRODUCT} System +Administrator's Guide. (@xref{Create Host Keys for the Slave KDCs} for a +brief description.) The keytab is generated by running @code{kadmin} +and issuing the @code{ktadd} command. + +@node Limit Access to the KDCs, Switching Master and Slave KDCs, Add Kerberos Principals to the Database, Installing KDCs +@subsection Limit Access to the KDCs + +To limit the possibility that your Kerberos database could be +compromised, @value{COMPANY} recommends that each KDC be a dedicated +host, with limited access. If your KDC is also a file server, FTP +server, Web server, or even just a client machine, someone who obtained +root access through a security hole in any of those areas could gain +access to the Kerberos database. + +@need 4700 +@value{COMPANY} recommends that your KDCs use the following +@code{/etc/inetd.conf} file. (Note: each line beginning with @result{} +is a continuation of the previous line.): + +@smallexample +@group +# +# Configuration file for inetd(1M). See inetd.conf(4). +# +# To re-configure the running inetd process, edit this file, then +# send the inetd process a SIGHUP. +# +# Syntax for socket-based Internet services: +# <service_name> <socket_type> <proto> <flags> <user> +@result{} <server_pathname> <args> +# +# Syntax for TLI-based Internet services: +# +# <service_name> tli <proto> <flags> <user> <server_pathname> <args> +# +# Ftp and telnet are standard Internet services. +# +# This machine is a secure Kerberos Key Distribution Center (KDC). +# Services are limited. +# +# +# Time service is used for clock synchronization. +# +time stream tcp nowait root internal +time dgram udp wait root internal +# +# Limited Kerberos services +# +krb5_prop stream tcp nowait root @value{ROOTDIR}/sbin/kpropd kpropd +eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind +@result{} klogind -k -c -e +@end group +@end smallexample + +@node Switching Master and Slave KDCs, , Limit Access to the KDCs, Installing KDCs +@subsection Switching Master and Slave KDCs + +You may occasionally want to use one of your slave KDCs as the master. +This might happen if you are upgrading the master KDC, or if your master +KDC has a disk crash. + +Assuming you have configured all of your KDCs to be able to function as +either the master KDC or a slave KDC (as this document recommends), all +you need to do to make the changeover is: + +If the master KDC is still running, do the following on the @emph{old} +master KDC: + +@enumerate +@item +Kill the @code{kadmind} process. + +@item +Disable the cron job that propagates the database. + +@item +Run your database propagation script manually, to ensure that the slaves +all have the latest copy of the database. (@xref{Propagate the Database +to Each Slave KDC}.) +@end enumerate + +On the @emph{new} master KDC: + +@enumerate +@item +Create a database keytab. (@xref{Create a kadmind Keytab}.) + +@item +Start the @code{kadmind} daemon. (@xref{Start the Kerberos Daemons}.) + +@item +Set up the cron job to propagate the database. (@xref{Propagate the +Database to Each Slave KDC}.) + +@item +Switch the cnames of the old and new master KDCs. (If you don't do +this, you'll need to change the @code{krb5.conf} file on every client +machine in your Kerberos realm.) +@end enumerate + +@node Installing and Configuring UNIX Client Machines, Installing and Configuring Windows Client Machines, Installing KDCs, Installing @value{PRODUCT} +@section Installing and Configuring UNIX Client Machines + +Client machine installation is much more straightforward than +installation of the KDCs. + +@menu +* Unpack the tar File:: +* Client Programs:: +* Client Machine Configuration Files:: +@end menu + +@node Unpack the tar File, Client Programs, Installing and Configuring UNIX Client Machines, Installing and Configuring UNIX Client Machines +@subsection Unpack the tar File + +Install @value{PRODUCT} in @code{@value{ROOTDIR}}. If you extract the +tar file from the top level directory (@code{/}), the files will end up +in this directory. + +@node Client Programs, Client Machine Configuration Files, Unpack the tar File, Installing and Configuring UNIX Client Machines +@subsection Client Programs + +The Kerberized client programs are @code{login.krb5}, @code{rlogin}, +@code{telnet}, @code{ftp}, @code{rcp}, @code{rsh}, @code{xdm}, +@code{kinit}, @code{klist}, @code{kdestroy}, @code{kpasswd}, @code{ksu}, +@c @code{krb524init}, +and @code{krdist}. All of these programs are in the directory +@code{@value{ROOTDIR}/bin}, except for @code{login.krb5} and @code{xdm}, +which are in @code{@value{ROOTDIR}/sbin}. + +You will probably want to have your users put @code{@value{ROOTDIR}/bin} +ahead of @code{/bin} and @code{/usr/bin} in their paths, so they will by +default get the @value{PRODUCT} versions of @code{rlogin}, +@code{telnet}, @code{ftp}, @code{rcp}, and @code{rsh}. + +@value{COMPANY} recommends that you use @code{login.krb5}, and +@value{PRODUCT} @code{xdm} in place of @code{/bin/login} and ordinary +@code{xdm}, to give your users a single-sign-on system. You will need +to make sure your users know to use their Kerberos passwords when they +log in. + +You will also need to educate your users to use the ticket management +programs @code{kinit}, +@c @code{krb524init}, +@code{klist}, @code{kdestroy}, and to use the Kerberos programs +@c @code{pfrom}, +@code{ksu}, @code{kpasswd}, and @code{krdist}, in place of their +non-Kerberos counterparts +@c @code{from} +@code{su}, @code{passwd}, and @code{rdist}. + +@menu +* Configuring the X Display Manager (Xdm):: +* Additional Xdm Configuration for AIX Machines:: +@end menu + +@node Configuring the X Display Manager (Xdm), Additional Xdm Configuration for AIX Machines, Client Programs, Client Programs +@subsubsection Configuring the X Display Manager (Xdm) + +You will need to edit the @code{xdm} configuration files slightly, based +on your installation. The files are in the directory +@code{@value{ROOTDIR}/lib/X11/xdm}. You will need to add a line of the +following form to the file @code{Xservers} in that directory: + +@smallexample +:0 local /usr/bin/X11/X :0 +@end smallexample + +@noindent +Replace @code{/usr/bin/X11/X} with the path to your X server, and +@samp{:0} with the actual display name, if different. + +If you will be having @code{xdm} manage multiple displays, you will need +to add lines to the @code{xdm-config} file for those displays. The +following lines are shipped in the file, for display @samp{:0}: + +@smallexample +@group +DisplayManager._0.authorize: true +DisplayManager._0.setup: @value{ROOTDIR}/lib/X11/xdm/Xsetup_0 +DisplayManager._0.startup: @value{ROOTDIR}/lib/X11/xdm/GiveConsole +DisplayManager._0.reset: @value{ROOTDIR}/lib/X11/xdm/TakeConsole +@end group +@end smallexample + +The @samp{_0} in these lines translates to display @samp{:0}. Add +equivalent lines for other displays. Replace the @samp{_0} with the +other display names, substituting underscores (@samp{_}) for the +@samp{:} and @samp{.} characters. + +@node Additional Xdm Configuration for AIX Machines, , Configuring the X Display Manager (Xdm), Client Programs +@subsubsection Additional Xdm Configuration for AIX Machines + +If you have machines running AIX, you will need to do some additional +configuration. Also note that under AIX, multiple non-network logins +(on the console or via a serial port) will all use the same ticket file. + +For AIX, the line in the @code{Xservers} file described above needs the +@code{-force} option, as in the following example: + +@smallexample +:0 local /usr/lpp/X11/bin/X -force :0 +@end smallexample + +@noindent +Again, replace @code{/usr/lpp/X11/bin/X} with the correct path for your +X server, and @samp{:0} with the actual display name, if different. + +Also, you need to make the following changes to files in the directory +@code{/etc/security}. + +In the file @code{login.cfg}, you need to add the following lines under +the ``Authentication methods'' section + +@smallexample +@group +@value{CPRODUCT}: + program = @value{ROOTDIR}/sbin/login-auth +@end group +@end smallexample + +In the file @code{/etc/security/user}, add the following lines, under +the @samp{default:} heading: + +@smallexample +@group +auth1 = @value{CPRODUCT} +auth2 = none +SYSTEM = NONE +@end group +@end smallexample + +@noindent +You can comment out any previous values for @code{auth1}, @code{auth2}, +and @code{SYSTEM} using the @samp{*} character. + +Additionally, assuming you want to allow root to log in to the machine +locally (instead of using Kerberos), you also need to add the following +lines to the @samp{root:} section of @code{/etc/security/user}: + +@smallexample +@group +auth1 = SYSTEM +SYSTEM = "compat" +@end group +@end smallexample + +@noindent +You will also need to do the same for any other user who needs to log in +locally. + +Note that if Kerberos authentication succeeds, but the native login +program is unable to log the user in (@i{e.g.}, if it can't find the +user's shell), the ticket file may not be destroyed. + +You may also want to edit the @code{/etc/environment} and/or +@code{/etc/TIMEZONE} files to get any desired variables into the user's +environment. + +Finally, because the AIX login program does not destroy tickets +automatically upon completion, users need to put the @code{kdestroy} +command in their @code{.logout} files. + +@node Client Machine Configuration Files, , Client Programs, Installing and Configuring UNIX Client Machines +@subsection Client Machine Configuration Files + +Each machine running Kerberos must have a @code{/etc/krb5.conf} file. +(@xref{krb5.conf}) + +@need 4000 +Also, you must add the appropriate Kerberos services to each client +machine's @code{/etc/services} file. If you are using the default +configuration for @value{PRODUCT}, you should be able to just insert the +following code: + +@smallexample +@group +# +# Note --- if you are using Kerberos V4 and you either: +# +# (a) haven't converted all your master or slave KDCs to V5, or +# +# (b) are worried about inter-realm interoperability with other KDC's +# that are still using V4 +# +# you will need to switch the "kerberos" service to port 750 and create a +# "kerberos-sec" service on port 88. +# +kerberos 88/udp kdc # Kerberos V5 KDC +kerberos 88/tcp kdc # Kerberos V5 KDC +klogin 543/tcp # Kerberos authenticated rlogin +kshell 544/tcp cmd # and remote shell +kerberos-adm 749/tcp # Kerberos 5 admin/changepw +kerberos-adm 749/udp # Kerberos 5 admin/changepw +krb5_prop 754/tcp # Kerberos slave propagation +@c kpop 1109/tcp # Pop with Kerberos +eklogin 2105/tcp # Kerberos auth. & encrypted rlogin +krb524 4444/tcp # Kerberos 5 to 4 ticket translator +@end group +@end smallexample + +@noindent As described in the comments in the above code, if your master +KDC or any of your slave KDCs is running Kerberos V4, (or if you will be +authenticating to any Kerberos V4 KDCs in another realm) you will need +to switch the port number for @code{kerberos} to 750 and create a +@code{kerberos-sec} service (tcp and udp) on port 88, so the Kerberos +V4 KDC(s) will continue to work properly. + +@node Installing and Configuring Windows Client Machines, Installing and Configuring Macintosh Client Machines, Installing and Configuring UNIX Client Machines, Installing @value{PRODUCT} +@section Installing and Configuring Windows Client Machines + +@value{PRODUCT} for Windows includes a GUI ticket management program +(called @code{@value{CPRODUCT}}), a GUI telnet program, and a +command-line telnet program that runs from within the @samp{Command +Prompt}. The command-line program is included because encryption and +ticket forwarding are not available for the GUI program in this release. +The GUI programs are available for Windows 3.1, Windows95, and Windows +NT. The command-line program is available only for Windows95 and +Windows NT. + +@menu +* Install the Executables:: +* Install the @code{krb5.conf} file:: +* Install an @code{\etc\passwd} file:: +* Check the Clock and Time Zone:: +* Create the Directory @code{\tmp}:: +* Set the Ticket File Location:: +@end menu + +@node Install the Executables, Install the @code{krb5.conf} file, Installing and Configuring Windows Client Machines, Installing and Configuring Windows Client Machines +@subsection Install the Executables + +To install the ticket management program and the GUI telnet program, +simply run the @code{setup} program and answer the questions. To +install the command-line telnet program, copy the @code{telnet.exe} and +@code{cygwin.dll} programs into the directory of your choice. + +@node Install the @code{krb5.conf} file, Install an @code{\etc\passwd} file, Install the Executables, Installing and Configuring Windows Client Machines +@subsection Install the @code{krb5.conf} file + +Install the same @code{krb5.conf} file (@xref{krb5.conf}) you use on +your UNIX client machines. The GUI programs will accept any path and +filename for the configuration file; however, the command-line telnet +program requires that the file be @code{\etc\krb5.conf}. Once you have +installed the file, run the @code{@value{CPRODUCT}} program and enter +the path and filename into the @samp{Configuration File} box under the +@samp{Options} menu (under @samp{File}). + +@node Install an @code{\etc\passwd} file, Check the Clock and Time Zone, Install the @code{krb5.conf} file, Installing and Configuring Windows Client Machines +@subsection Install an @code{\etc\passwd} file + +@need 1100 +For the command-line telnet program, you need to install an +@code{\etc\passwd} file containing the usernames of the users who will +be running the program. Each username must on its own line, with a +colon at the end, as in the following example: + +@smallexample +@group +@value{RANDOMUSER1}: +@value{RANDOMUSER2}: +cbrown: +@end group +@end smallexample + +@node Check the Clock and Time Zone, Create the Directory @code{\tmp}, Install an @code{\etc\passwd} file, Installing and Configuring Windows Client Machines +@subsection Check the Clock and Time Zone + +Make sure the clock and time zone are set correctly, and that the time +is within the maximum clock skew of the KDC. The default maximum clock +skew is five minutes. + +@node Create the Directory @code{\tmp}, Set the Ticket File Location, Check the Clock and Time Zone, Installing and Configuring Windows Client Machines +@subsection Create the Directory @code{\tmp} + +If you are using the command-line telnet program, make sure the +directory @code{\tmp} exists, since this is where it needs the default +ticket files need to be stored. + +@node Set the Ticket File Location, , Create the Directory @code{\tmp}, Installing and Configuring Windows Client Machines +@subsection Set the Ticket File Location + +From the @code{@value{CPRODUCT}} program, enter the path and filename +for the ticket file location into the @samp{Credentials Cache Location} +box under the @samp{Options} menu. Again, the GUI programs will accept +any path and filename; however, the command-line telnet program requires +that this be @code{\tmp\krb5cc_0}. + +@node Installing and Configuring Macintosh Client Machines, UNIX Application Servers, Installing and Configuring Windows Client Machines, Installing @value{PRODUCT} +@section Installing and Configuring Macintosh Client Machines + +@value{PRODUCT} for the Macintosh includes a GUI ticket management program +(called @code{@value{CPRODUCT} config}) and a GUI telnet program. + +@menu +* Unpack the Executables:: +* Set Up your Configuration:: +* Set the Clock and Time Zone:: +@end menu + +@node Unpack the Executables, Set Up your Configuration, Installing and Configuring Macintosh Client Machines, Installing and Configuring Macintosh Client Machines +@subsection Unpack the Executables + +To install the @code{@value{CPRODUCT} config} program and the +@code{telnet} program, simply unpack the archive and answer the +questions. Then move the programs into the folder of your choice. + +@node Set Up your Configuration, Set the Clock and Time Zone, Unpack the Executables, Installing and Configuring Macintosh Client Machines +@subsection Set Up your Configuration + +To set up your configuration, run the @code{@value{CPRODUCT} config} +program and enter the information from your site's @code{krb5.conf} +file. Enter the hostname or IP address and realm for each KDC under the +Server section. If the KDC is an admin server, check the ``Admin +server'' box. Enter any domain/realm mappings in the Domain/Hostname +section. + +@node Set the Clock and Time Zone, , Set Up your Configuration, Installing and Configuring Macintosh Client Machines +@subsection Set the Clock and Time Zone + +Make sure the clock and time zone are set correctly, and that the time +is within the maximum clock skew of the KDC. The default maximum clock +skew is five minutes. + +@node UNIX Application Servers, , Installing and Configuring Macintosh Client Machines, Installing @value{PRODUCT} +@section UNIX Application Servers + +An application server is a host that provides one or more services over +the network. Application servers can be ``secure'' or ``insecure.'' A +``secure'' host is set up to require authentication from every client +connecting to it. An ``insecure'' host will still provide Kerberos +authentication, but will also allow unauthenticated clients to connect. + +If you have @value{PRODUCT} installed on all of your client machines, +@value{COMPANY} recommends that you make your hosts secure, to take +advantage of the security that Kerberos authentication affords. +However, if you have some clients that do not have @value{PRODUCT} +installed, you can run an insecure server, and still take advantage of +@value{PRODUCT}'s single sign-on on capability. + +@menu +* Server Programs:: +* Server Configuration Files:: +* The Keytab File:: +* Some Advice about Secure Hosts:: +@end menu + +@node Server Programs, Server Configuration Files, UNIX Application Servers, UNIX Application Servers +@subsection Server Programs + +Just as @value{PRODUCT} provided its own Kerberos-enhanced versions of +client UNIX network programs, @value{PRODUCT} also provides +Kerberos-enhanced versions of server UNIX network daemons. These are +@code{ftpd}, @code{klogind}, @code{kshd}, and @code{telnetd}. +@c @code{popper}, +These programs are installed in the directory +@code{@value{ROOTDIR}/sbin}. You may want to add this directory to +root's path. + +@node Server Configuration Files, The Keytab File, Server Programs, UNIX Application Servers +@subsection Server Configuration Files + +For a @emph{secure} server, make the following changes to +@code{/etc/inetd.conf}: + +Find and comment out any lines for the services @code{ftp}, +@code{telnet}, @code{shell}, @code{login}, and @code{exec}. + +@need 1800 +Add the following lines. (Note: each line beginning with @result{} is +a continuation of the previous line.) + +@smallexample +@group +klogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind +@result{} klogind -k -c +eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind +@result{} klogind -k -c -e +kshell stream tcp nowait root @value{ROOTDIR}/sbin/kshd +@result{} kshd -k -c -A +ftp stream tcp nowait root @value{ROOTDIR}/sbin/ftpd +@result{} ftpd -a +telnet stream tcp nowait root @value{ROOTDIR}/sbin/telnetd +@result{} telnetd -a valid +@end group +@end smallexample + +For an @emph{insecure} server, make the following changes instead to +@code{/etc/inetd.conf}: + +@need 1800 +Find and comment out any lines for the services @code{ftp} and +@code{telnet}. + +Add the following lines. (Note: each line beginning with @result{} is +a continuation of the previous line.) +@smallexample +@group +klogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind +@result{} klogind -k -c +eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind +@result{} klogind -k -c -e +kshell stream tcp nowait root @value{ROOTDIR}/sbin/kshd +@result{} kshd -k -c -A +ftp stream tcp nowait root @value{ROOTDIR}/sbin/ftpd +@result{} ftpd +telnet stream tcp nowait root @value{ROOTDIR}/sbin/telnetd +@result{} telnetd -a none +@end group +@end smallexample + +@node The Keytab File, Some Advice about Secure Hosts, Server Configuration Files, UNIX Application Servers +@subsection The Keytab File + +All Kerberos server machines need a @dfn{keytab} file, called +@code{/etc/v5srvtab},@footnote{The keytab was called a @dfn{srvtab} in +Kerberos V4. The @code{v5srvtab} file has not been renamed to reflect +the change in terminology.} to authenticate to the KDC. The keytab file +is an encrypted, local, on-disk copy of the host's key. The keytab +file, like the stash file (@ref{Create the Database}) is a potential +point-of-entry for a break-in, and if compromised, would allow +unrestricted access to its host. The keytab file should be readable +only by root, and should exist only on the machine's local disk. The +file should not be part of any backup of the machine, unless access to +the backup data is secured as tightly as access to the machine's root +password itself. + +In order to generate a keytab for a host, the host must have a principal +in the Kerberos database. The procedure for adding hosts to the +database is described fully in the ``Adding or Modifying Principals'' +section of the @cite{@value{PRODUCT} System Administrator's Guide}. +@xref{Create Host Keys for the Slave KDCs} for a brief description.) +The keytab is generated by running @code{kadmin} and issuing the +@code{ktadd} command. + +@need 1100 +For example, to generate a keytab file to allow the host +trillium.@value{PRIMARYDOMAIN} to authenticate for the services +@code{host}, @code{ftp}, and @code{pop}, the administrator +@code{@value{ADMINUSER}} would issue the command (on +trillium.@value{PRIMARYDOMAIN}): + +@smallexample +@group +@b{trillium%} @value{ROOTDIR}/sbin/kadmin +@b{kadmin5:} ktadd host/trillium.@value{PRIMARYDOMAIN} ftp/trillium.@value{PRIMARYDOMAIN} +@result{} pop/trillium.@value{PRIMARYDOMAIN} +@b{kadmin: Entry for principal host/trillium.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} with +kvno 3, encryption type DES-CBC-CRC added to keytab +WRFILE:/etc/v5srvtab. +kadmin: Entry for principal ftp/trillium.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} with +kvno 3, encryption type DES-CBC-CRC added to keytab +WRFILE:/etc/v5srvtab. +kadmin: Entry for principal pop/trillium.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} with +kvno 3, encryption type DES-CBC-CRC added to keytab +WRFILE:/etc/v5srvtab. +kadmin5:} quit +@b{trillium%} +@end group +@end smallexample + +If you generate the keytab file on another host, you need to get a copy +of the keytab file onto the destination host (@code{trillium}, in the +above example) without sending it unencrypted over the network. If you +have installed the @value{PRODUCT} client programs, you can use +encrypted @code{rcp}. + +@node Some Advice about Secure Hosts, , The Keytab File, UNIX Application Servers +@subsection Some Advice about Secure Hosts + +@value{PRODUCT} can protect your host from certain types of break-ins, +but it is possible to install @value{PRODUCT} and still leave your host +vulnerable to attack. Obviously an installation guide is not the place +to try to include an exhaustive list of countermeasures for every +possible attack, but it is worth noting some of the larger holes and how +to close them. + +As stated earlier in this section, @value{COMPANY} recommends that on a +secure host, you disable the standard @code{ftp}, @code{login}, +@code{telnet}, @code{shell}, and @code{exec} services in +@code{/etc/services}. We also recommend that secure hosts have an empty +@code{/etc/hosts.equiv} file and that there not be a @code{.rhosts} file +in @code{root}'s home directory. You can grant Kerberos-authenticated +root access to specific Kerberos principals by placing those principals +in the file @code{.k5login} in root's home directory. + +We recommend that backups of secure machines exclude the keytab file +(@code{/etc/v5srvtab}). If this is not possible, the backups should at +least be done locally, rather than over a network, and the backup tapes +should be physically secured. + +Finally, the keytab file and any programs run by root, including the +@value{PRODUCT} binaries, should be kept on local disk. The keytab file +should be readable only by root. + +@node Support, Files, Installing @value{PRODUCT}, Top +@chapter Support + +If you have problems installing @value{PRODUCT}, please use the +@code{send-pr} program to fill out a Problem Report. + +@include send-pr.texinfo + +@node Files, , Support, Top +@appendix Files + +@menu +* krb5.conf:: +* kdc.conf:: +@end menu + +@node krb5.conf, kdc.conf, Files, Files +@appendixsec krb5.conf + +Here is an example of a generic @code{krb5.conf} file: + +@smallexample +@group +[libdefaults] + ticket_lifetime = 600 + default_realm = @value{PRIMARYREALM} + default_tkt_enctypes = des-cbc-crc + default_tgs_enctypes = des-cbc-crc + +[realms] + @value{PRIMARYREALM} = @{ + kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:88 + kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}:88 + kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}:88 + admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:749 + default_domain = @value{PRIMARYDOMAIN} + @} + @} + +[domain_realm] + .@value{PRIMARYDOMAIN} = @value{PRIMARYREALM} + @value{PRIMARYDOMAIN} = @value{PRIMARYREALM} +@end group +@end smallexample + +For the KDCs, add a section onto the end of the @code{krb5.conf} file +telling where the @code{kdc.conf} file is located, as in the following +example: + +@smallexample +@group +[kdc] + profile = @value{ROOTDIR}/lib/krb5kdc/kdc.conf + +[logging] + kdc = FILE:/dev/ttyp9 + admin_server = FILE:/dev/ttyp9 + default = FILE:/dev/ttyp9 +@end group +@end smallexample + +@iftex +@vfill +@end iftex +@page + +@node kdc.conf, , krb5.conf, Files +@appendixsec kdc.conf + +Here's an example of a generic kdc.conf file: + +@smallexample +@group +[kdcdefaults] + kdc_ports = 88,750 + +[realms] + @value{PRIMARYREALM} = @{ + profile = /etc/krb5.conf + database_name = @value{ROOTDIR}/lib/krb5kdc/principal + admin_database_name = @value{ROOTDIR}/lib/krb5kdc/principal.kadm5 + admin_database_lockfile = @value{ROOTDIR}/lib/krb5kdc/principal.kadm5.lock + admin_keytab = @value{ROOTDIR}/lib/krb5kdc/kadm5.keytab + acl_file = @value{ROOTDIR}/lib/krb5kdc/kadm5.acl + dict_file = @value{ROOTDIR}/lib/krb5kdc/kadm5.dict + key_stash_file = @value{ROOTDIR}/lib/krb5kdc/.k5.@value{PRIMARYREALM} + kadmind_port = 749 + max_life = 10h 0m 0s + max_renewable_life = 7d 0h 0m 0s + master_key_type = des-cbc-crc + supported_enctypes = des-cbc-crc:normal + @} +@end group +@end smallexample + +To add Kerberos V4 support, change the @code{supported_enctypes} line to: + +@smallexample + supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 +@end smallexample + +@menu +* Encryption Types and Salt Types:: +@end menu + +@node Encryption Types and Salt Types, , kdc.conf, kdc.conf +@appendixsubsec Encryption Types and Salt Types + +Currently, @value{PRODUCT} supports only DES encryption. The encoding +type is @code{des-cbc-crc}. The @dfn{salt} is additional information +encoded within the key that tells what kind of key it is. The only +salts that you will be likely to encounter are: + +@itemize @bullet +@item @dfn{normal}, which @value{COMPANY} recommends using for all of +your @value{PRODUCT} keys + +@item @dfn{v4}, which is necessary only for compatibility with a v4 KDC + +@item @dfn{afs}, which you will never need to generate, and which you will +encounter only if you dump an AFS database into a Kerberos database +@end itemize + +Support for additional encryption types is planned in the future. + +@contents +@bye diff --git a/doc/definitions.texinfo b/doc/definitions.texinfo new file mode 100644 index 0000000000..25e30cb2be --- /dev/null +++ b/doc/definitions.texinfo @@ -0,0 +1,28 @@ +@set ADMINUSER joeadmin +@set COMPANY Cygnus Support +@set KDCSERVER kerberos +@set KDCSLAVE1 @value{KDCSERVER}-1 +@set KDCSLAVE2 @value{KDCSERVER}-2 +@set PRIMARYDOMAIN mit.edu +@set PRIMARYREALM ATHENA.MIT.EDU +@set PRODUCT Kerberos V5 +@set CPRODUCT Kerberos +@set LCPRODUCT krb5 +@set RANDOMHOST1 daffodil +@set RANDOMHOST1IP 18.72.0.44 +@set RANDOMHOST2 trillium +@set RANDOMHOST2IP 253.46.124.7 +@set RANDOMUSER johndoe +@set RANDOMUSER1 jennifer +@set RANDOMUSER2 david +@set RELEASE beta 7 +@set PREVRELEASE beta 6 +@set INSTALLDIR /usr/@value{LCPRODUCT} +@set PREVINSTALLDIR @value{INSTALLDIR} +@set ROOTDIR /usr/@value{LCPRODUCT} +@set BINDIR @value{ROOTDIR}/bin +@set SECONDDOMAIN fubar.org +@set SECONDREALM FUBAR.ORG +@set UPDATED @today + + diff --git a/doc/document-list.texinfo b/doc/document-list.texinfo new file mode 100644 index 0000000000..0c0620dc9d --- /dev/null +++ b/doc/document-list.texinfo @@ -0,0 +1,21 @@ +@itemize @bullet +@item +@b{@value{PRODUCT} Installation Guide}: a concise guide for installing +@value{PRODUCT}. Kerberos administrators (particularly whoever will be +making site-wide decisions about the installation) and the system +administrators who will be installing the software should read this +guide. + +@item +@b{@value{PRODUCT} System Administrator's Guide}: a sysadmin's guide to +administering a Kerberos installation. The System Administrator's Guide +describes the administration software and suggests policies and +procedures for administering a Kerberos installation. Anyone who will +have administrative access to your Kerberos database should read this +guide. + +@item +@b{@value{PRODUCT} UNIX User's Guide}: a guide to using the Kerberos +UNIX client programs. All users on UNIX systems should read this guide, +particularly the ``Tutorial'' section. +@end itemize diff --git a/doc/glossary.texinfo b/doc/glossary.texinfo new file mode 100644 index 0000000000..5fbaa634a1 --- /dev/null +++ b/doc/glossary.texinfo @@ -0,0 +1,63 @@ +@table @b +@item client +an entity that can obtain a ticket. This entity is usually either a +user or a host. + +@item host +a computer that can be accessed over a network. + +@item Kerberos +in Greek mythology, the three-headed dog that guards the entrance to the +underworld. In the computing world, Kerberos is a network security +package that was developed at MIT. + +@item KDC +Key Distribution Center. A machine that issues Kerberos tickets. + +@item keytab +a @b{key tab}le file containing one or more keys. A host or service +uses a @dfn{keytab} file in much the same way as a user uses his/her +password. + +@item principal +a string that names a specific entity to which a set of credentials may +be assigned. It generally has three parts: + +@table @b +@item primary +the first part of a Kerberos @i{principal}. In the case of a user, it +is the username. In the case of a service, it is the name of the +service. + +@item instance +the second part of a Kerberos @i{principal}. It gives information that +qualifies the primary. The instance may be null. In the case of a +user, the instance is often used to describe the intended use of the +corresponding credentials. In the case of a host, the instance is the +fully qualified hostname. + +@item realm +the logical network served by a single Kerberos database and a set of +Key Distribution Centers. By convention, realm names are generally all +uppercase letters, to differentiate the realm from the internet domain. +@end table + +@noindent +The typical format of a typical Kerberos principal is +primary/instance@@REALM. + +@item service +any program or computer you access over a network. Examples of services +include ``host'' (a host, @i{e.g.}, when you use @code{telnet} and +@code{rsh}), ``ftp'' (FTP), ``krbtgt'' (authentication; +cf. @i{ticket-granting ticket}), and ``pop'' (email). + +@item ticket +a temporary set of electronic credentials that verify the identity of a +client for a particular service. + +@item TGT +Ticket-Granting Ticket. A special Kerberos ticket that permits the +client to obtain additional Kerberos tickets within the same Kerberos +realm. +@end table diff --git a/doc/krb425.texinfo b/doc/krb425.texinfo new file mode 100644 index 0000000000..0c34315bd1 --- /dev/null +++ b/doc/krb425.texinfo @@ -0,0 +1,479 @@ +\input texinfo @c -*-texinfo-*- +@c Note: the above texinfo file must include the "doubleleftarrow" +@c definitions added by jcb. +@c %**start of header +@c guide +@setfilename Kerb*Net-Upgrading.info +@settitle Upgrading to Kerb*Net from Kerberos V4 +@c @setchapternewpage odd @c chapter begins on next odd page +@setchapternewpage on @c chapter begins on next page +@smallbook @c Format for 7" X 9.25" paper +@c %**end of header + +@paragraphindent 0 +@iftex +@parskip 6pt plus 6pt +@end iftex + +@include definitions.texinfo +@set EDITION 0.1 alpha + +@c @finalout @c don't print black warning boxes + +@titlepage +@title Upgrading to @value{PRODUCT} from Kerberos V4 +@subtitle Release: @value{RELEASE} +@subtitle Document Edition: @value{EDITION} +@subtitle Last updated: @value{UPDATED} +@author @value{COMPANY} + +@page + +@vskip 0pt plus 1filll + +@include copyright.texinfo +@end titlepage + + +@node Upgrading to @value{PRODUCT} from Kerberos V4, Installing @value{PRODUCT} at Your Site +@top Upgrading to @value{PRODUCT} from Kerberos V4 + +@ifinfo +This document describes how to convert to @value{PRODUCT} from Kerberos V4. + +@include copyright.texinfo +@end ifinfo + +@menu +* Installing CNS:: Installing CNS at Your Site +@end menu + +@node Installing @value{PRODUCT} at Your Site +@chapter Installing @value{PRODUCT} at Your Site + +@value{COMPANY} developed Cygnus Network Security (CNS) to provide strong +system access security, with minimal impact on users' ease of access. +Using Kerberos Version 5 encryption and client-server technology, CNS +assures that user identities can be checked securely without +transmitting passwords in clear over the Net. CNS is useful in closing +up several large security holes: eavesdroppers recording login names and +passwords as your users log in from remote locations; and active attacks +based on providing a fake TCP/IP source address (IP address spoofing). + +Introducing CNS to an existing site involves more planning and execution +than installing the average software package. CNS software is required +on both ends of the remote login connections, and remote users must +change their habits. + +To install CNS and make it useful, you have to: + +@itemize @bullet +@item +Install and configure the CNS software on the machines at your site. +@item +Set up a CNS Key Distribution Center server machine. +@item +[Optional] Set up one or more slave servers for reliability. +@item +Install and configure CNS client software on the machines from which +your remote users log in. +@item +Add users and their passwords to your CNS server. (If you are converting +from a CNS V4 system or a Transarc AFS "KAserver" system, there are +tools to migrate the user entries and passwords directly.) +@item +Inform your users about CNS. +@item +[Optional] Turn off ordinary @code{rlogin}, @code{telnet}, @code{ftp}, and +@code{rsh} services so that users are @emph{required} to use CNS rather +than potentially exposing their passwords. +@end itemize + +This manual covers only basic installation and configuration of the CNS +software. See the @ref{Top,,Administration Tools,kerbman,Cygnus Network +Security User and Administrator Documentation for CNS Version 5}, manual +for more detailed information. + + +@menu +* What:: Contents of the CNS V5 distribution. +* Where:: Where programs should be installed +* Config Files:: Configuration Files affected +* quick start:: Getting Started from an existing Realm +* AFS enhancements:: Using CNS V5 with AFS +* kprop:: Redundant Slave Servers +* interrealm:: Arranging Interrealm Authentication +* CNS V4 Compatibility:: CNS V4 Backward Compatibility Support +@end menu + +@node What, Where, Installing @value{PRODUCT} at Your Site, Installing @value{PRODUCT} at Your Site +@section Contents of the CNS V5 distribution. + +A collection of programs are included in CNS. The categories are +@itemize @bullet +@item user programs +such as @code{kinit}, @code{klist}, @code{kdestroy}, @code{kpasswd}, +@code{krb524init} +@item replacement programs +such as @code{rlogin}, @code{rcp}, @code{rsh}, @code{telnet}, +@code{ftp}, @code{ksu} +@item demos +such as @code{sim_client}, @code{sclient}, @code{uuclient}, @code{gss-client} +@item administration tools +such as @code{kdb5_anadd}, @code{kdb5_convert}, @code{kdb5_create}, +@code{kdb5_destroy}, @code{kdb5_edit}, +@code{kdb5_stash}, and the client program @code{kadmin5} +@item programming support +such as include files and libraries for writing kerberized +@footnote{The verb @dfn{to kerberize} means to modify (usually an +application) to use Kerberos for authentication and possibly encryption.} +applications. +@item documentation +in the form of man pages. +@item kerberized application servers +such as @code{ftpd}, @code{krlogind}, @code{krshd}, @code{popper}, +@code{telnetd}, @code{sim_server}, @code{sserver}, +@code{uuserver} +@item kerberos management servers +such as @code{kadmind5}, @code{kpropd}, @code{krb524d}, @code{krb5kdc}, +@code{v4kadmind} +@end itemize + +@node Where, Config Files, What, Installing @value{PRODUCT} at Your Site +@section Where programs should be installed + +Cygnus releases unpack in directories named +@file{/usr/cygnus/@var{package}-@var{release}}. It is suggested that a +user-convenience +symlink be placed in @file{/usr/cygnus} pointing from @var{package} to +@var{package}-@var{release}, for example from @file{cns5} to +@file{cns5-95q2}, to simplify +upgrades (a new release can be installed in the new directory, tested +there, and then the symlink can be moved to make the code available by +default to the user community.) + +It should be noted that while the programs simply need to be on +reliable storage (possibly read-only, but protected from network +replacement) the @file{lib/krb5kdc} directory should be local to the security +server and not visible to other machines at all. One approach that +permits sharing is to create a symlink from @file{lib/krb5kdc} to a +local directory, perhaps in @file{/var}. +@example +mkdir /var/krb5kdc +chmod 700 /var/krb5kdc +ln -s /var/krb5kdc /usr/cygnus/cns5/lib/krb5kdc +@end example + +Also, @file{/usr/cygnus/cns5/lib/krb5.conf} is a fallback location for a +common config file -- @file{/etc/krb5.conf} is examined instead if present, and +the user can override by setting the environment variable @samp{KRB5_CONFIG}. +Since @file{/etc} is usually local, if you want to avoid maintaining +@file{krb.conf} files on all machines, one approach is to create a +@file{/usr/cygnus/krb.conf} and make a symlink to it from the release +directory. You still need to remember to recreate the symlink when you +install a new release. + +@node Config Files, quick start, Where, Installing @value{PRODUCT} at Your Site +@section Configuration Files affected + +A number of files should be adjusted for kerberos use. +@table @file +@item /etc/services +needs to contain additional entries for kerberos and application servers. +@item /etc/inetd.conf +needs to contain lines for the new kerberized services +@item /etc/rc.local +(or equivalent) needs to contain commands to start up long-running +kerberos servers (@code{kadmind5}, @code{krb5kdc}, and @code{krb524d}) +@end table + +@node quick start, AFS enhancements, Config Files, Installing @value{PRODUCT} at Your Site +@section Getting Started from an existing Realm +If you're converting from a V4 realm, you can do +@example + @dots{}/admin/kdb5_convert +@end example +directly from an existing database, or +@example + /usr/kerberos/bin/kdb_util dump v4db + @dots{}/admin/kdb5_convert -f v4db +@end example +to make a slave dump file and work from that (useful if you've got a +V4 system with slave servers and want to add a V5 slave on a trial +basis.) + +If you're creating a V5 realm from scratch, you need to +@example + .../admin/kdb5_create +@end example +and possibly +@example + .../admin/kdb5_stash +@end example + +The config files for this release are completely different from the V4 +config files; they're much more like windows @code{.ini} files, and are +called @dfn{profiles}. The default location (which can be adjusted via the +@samp{KRB_CONF} environment variable) is @file{/etc/krb5.conf}. An example file +follows. You'll need to change the @code{default_realm} and add a @dfn{stanza} +(like the CYGNUS.COM=@{...@} section) for your realm. + +@example +[libdefaults] + ticket_lifetime = 600 + default_realm = ATHENA.MIT.EDU + +[realms] + ATHENA.MIT.EDU = @{ + kdc = KERBEROS-2.MIT.EDU:750 + kdc = KERBEROS.MIT.EDU + kdc = KERBEROS-1.MIT.EDU + admin_server = KERBEROS.MIT.EDU + default_domain = MIT.EDU + @} + CYGNUS.COM = @{ + kdc = KERBEROS.CYGNUS.COM + kdc = KERBEROS-1.CYGNUS.COM + @} + +[domain_realm] + .mit.edu = ATHENA.MIT.EDU + mit.edu = ATHENA.MIT.EDU + .media.mit.edu = MEDIA-LAB.MIT.EDU + media.mit.edu = MEDIA-LAB.MIT.EDU + .ucsc.edu = CATS.UCSC.EDU +@end example + + +@node AFS enhancements, kprop, quick start, Installing @value{PRODUCT} at Your Site +@section Using CNS V5 with AFS + +It is possible to run a TransArc AFS cell off of CNS5 security servers, +instead of using the "KAserver". There are a few tools that help (note +that because they use TransArc libraries which we are not licensed to +distribute, you'll need to compile these yourself.) + +@menu +* asetkey:: asetkey +@end menu + +@node asetkey, , AFS enhancements, AFS enhancements +@subsection asetkey + +The asetkey program is a replacement for the existing setkey or asetkey +program which informs an AFS file server of the keys it uses. The steps +to get the keys into a V5 database are: + +@example +% kdb5_edit +kdb5_edit: av4k afs/@var{cell.name} +kdb5_edit: xst @var{cell.name} afs +@end example + +which should create a @file{@var{cell.name}-new-srvtab} which should be +securely moved to the afs server and placed in @file{/etc/v5srvtab}. + +To double check, +@example +% klist -k @var{cell.name}-new-srvtab +@end example + +and find out what the key version number is (I use 1 in the example +below, it may be larger if you've changed the key since creating it.) + +Then, running +@example +% asetkey add 1 /etc/v5srvtab afs/@var{cell.name} +@end example + +(where 1 is the key version number, and @samp{afs/@var{cell.name}} is the +principal for the server [which will get converted by @file{krb524d} to +@samp{afs.@var{cell.name}}]) will initialize the afs key list. +@example +% asetkey list +@end example + +should show the current list. + +If you're using @code{cklog} for interrealm AFS, you may need to duplicate +the @samp{afs/@var{cell.name}@@@var{REALM}} key as @samp{afs@@@var{REALM}}. + +@node kprop, interrealm, AFS enhancements, Installing @value{PRODUCT} at Your Site +@section Redundant Slave Servers + +CNS V5 supports redundant @dfn{slave} servers. The @dfn{master} server +has the primary copy of the database; the slaves get periodic updates of +that database, usually every few hours. Clients are normally configured +to talk to the master first, and to timeout and talk to a slave if the +master is unreachable. It is sometimes useful to have geographically +seperated slaves, and to have clients configured (via @file{krb5.conf}) +to talk to the nearest one instead. Note that all password changes and +other administrative operations must go through the master server. + +@enumerate +@item +On both the master and slave, add the following line to @file{/etc/services}: +@example +krb5_prop 754/tcp # Kerberos slave propagation +@end example +@end enumerate + +On the slave, +@enumerate +@item +Add the principal name for the master to the @sc{acl} for @code{kpropd}. +@example + echo host/@var{master.host.name}@@@var{REALM} > /usr/cygnus/cns5/lib/krb5kdc/kpropd.acl +@end example + +@item +Add a line to @file{/etc/inetd.conf} that enables the receiving @code{kpropd}. +@example +krb5_prop stream tcp nowait root /usr/cygnus/cns5/sbin/kpropd kpropd +@end example + +@end enumerate + +@enumerate +On the master: +@item +Be sure that the master has a @file{v5srvtab} (created with +@example + sbin/kdb5_edit + ark host/@var{master.host.name} + xst @var{master.host.name} host + mv @var{master.host.name}-new-srvtab /etc/v5srvtab +@end example +you've probably already done this.) + +@item +Create an initial database dump for transfer to the slave. +@example + echo ddb /usr/cygnus/cns5/lib/krb5kdc/slave_datatrans | admin/kdb5_edit + sbin/kprop slavehost +@end example + +@item +Back on the slave, securely install the stash file, and start the kdc: +@example + rcp -xp root@@@var{master}:/.k5.@var{REALM} /.k5.@var{REALM} + sbin/krb5kdc +@end example + +@item +On any clients, add an addition +@example + kdc = @var{master.host.name} +@end example +line to the @samp{REALM} entry in the @samp{[realms]} section of +@file{krb5.conf}. + +@end enumerate + +For continued operation, +@enumerate +@item +Run @file{sbin/krb5kdc} on the slave (usually from @file{/etc/rc.local}). +@item +On the master, Periodically (using the @code{cron} facility) run +@example + echo ddb /usr/cygnus/cns5/lib/krb5kdc/slave_datatrans | admin/kdb5_edit + sbin/kprop @var{slave.host.name} +@end example +@end enumerate + +Note that the first time through, the master will indicates success, but +the slave server may indicate failure. Once a database has actually +propagated once, it will work correctly. + +@node interrealm, CNS V4 Compatibility, kprop, Installing @value{PRODUCT} at Your Site +@section Arranging Interrealm Authentication + +Kerberos V4 supports simple automatic cross-realm +authentication. Given two realms @var{REALM1} and @var{REALM2}, the +administrators +agree on a common key, and then create +@example + krbtgt.@var{REALM2} (in the @var{REALM1} database) + krbtgt.@var{REALM1} (in the @var{REALM2} database.) +@end example +At this point, a user with tickets @var{user@@REALM1} can get tickets for +servers in @var{REALM2} automatically, and is authenticated as +@var{user@@REALM1}, +not as simply @var{user}. + +Kerberos V5 uses the same mechanism with different names. +@example + krbtgt/@var{REALM2} (in the @var{REALM1} database) + krbtgt/@var{REALM1} (in the @var{REALM2} database.) +@end example + +If you convert a V4 database with interrealm keys, you'll +automatically get working keys for V5 interrealm use as well. If +you're doing a new V5 database, +@example + % kdb5_edit + kdb5_edit: ank krbtgt/@var{REALM2} +@end example +(and the corresponding @samp{krbtgt/@var{REALM1}} on the other server) is +sufficient. If you need to do interrealm using V4 backwards +compatibility, even though this is a new V5 realm, you should create the +keys as V4 keys instead: +@example + % kdb5_edit + kdb5_edit: av4k krbtgt/@var{REALM2} +@end example + +@node CNS V4 Compatibility, , interrealm, Installing @value{PRODUCT} at Your Site +@section CNS V4 Backward Compatibility Support + +CNS V5 has a variety of forms of support for the continued use of CNS V4 +clients and servers. This permits gradually phasing out older software, +and gives time for the user community to adjust to new tools. + + +@menu +* V4 servers:: Servers that support V4 clients +* krb524d:: krb524d +* v4kadmind:: Version 4 Adminstration Server +@end menu + +@node V4 servers, krb524d, CNS V4 Compatibility, CNS V4 Compatibility +@subsection Servers that support V4 clients + +The @code{rlogind} and @code{telnetd} servers can accept authentication +from CNS V4 clients. To enable this, it is sufficient for the servers to +be able to find a CNS V4 srvtab with the correct key. + +Normally the servers will look in @file{/etc/krb-srvtab}, but this can +be changed in the @file{krb5.conf} file by setting the variable +@code{krb5_srvtab} in the @code{[libdefaults]} stanza to a filename. + +@node krb524d, v4kadmind, V4 servers, CNS V4 Compatibility +@subsection krb524d + +If you're using Kerberos V4 backwards compatibility, it may be easier to +have users get V5 tickets and then convert them to V4 tickets when +needed. (For example, only V5 tickets can be forwarded, but the +forwarded ticket could be used to get a local V4 ticket.) + +@node v4kadmind, , krb524d, CNS V4 Compatibility +@subsection Version 4 Adminstration Server + +Many existing clients support password change functions using the old V4 +administrative protocol. @code{v4kadmind} provides this V4 interface to +a V5 database. This also provides an easy path to incrementally update +from V4 to V5. Simply convert the database, move or link the @sc{acl} +files from @file{/usr/kerberos/lib/admin_acl.@var{tag}} to +@file{/usr/cygnus/cns5/lib/krb5kdc/v4acl.@var{tag}}@footnote{@var{tag} +can be one of @code{add}, @code{del}, @code{get}, or @code{mod}.} and +run @code{v4kadmind}. + + + + +@contents +@c second page break makes sure right-left page alignment works right +@c with a one-page toc, even though we don't have setchapternewpage odd. +@c end of texinfo file +@bye diff --git a/doc/man2ps b/doc/man2ps new file mode 100644 index 0000000000..33162d4022 --- /dev/null +++ b/doc/man2ps @@ -0,0 +1,42 @@ +#!/bin/sh + +com=`basename $0` +files=$* +docdir=`pwd` +mandir=$docdir/man + +cd $mandir + +for file in $files +do + troff -C -man -Tps $mandir/man?/$file.? | grops -g > $file.ps + + pages=`grep '%%Pages\:' $file.ps | awk '{print $2}'` + pp=$(($pages - 1)) + + echo $file': '$pages' pages' + + if [ -e csplit ]; then + csplit -k $file.ps /Page:/ \{$pp\} + + counter=0 + + for number in `ls xx*` + do + cat xx00 > $docdir/$file$counter.ps + echo '.7 dup scale' >> $docdir/$file$counter.ps + cat $number >> $docdir/$file$counter.ps + if [ $counter != $pages ]; + then + echo '%%Trailer' >> $docdir/$file$counter.ps + echo 'end' >> $docdir/$file$counter.ps + echo '%%EOF' >> $docdir/$file$counter.ps + fi + counter=$(($counter + 1)) + done + + rm $file.ps $docdir/$file'0.ps' xx* + else + echo "Can't find the csplit command. You'll have to split $file.ps manually." + fi +done diff --git a/doc/send-pr.texinfo b/doc/send-pr.texinfo new file mode 100644 index 0000000000..f83af4f310 --- /dev/null +++ b/doc/send-pr.texinfo @@ -0,0 +1,200 @@ +The @code{send-pr} program is installed in the directory +@code{@value{ROOTDIR}/bin}. + +@need 1100 +Before using @code{send-pr} for the first time, you need to install your +customer support ID into the program, by typing the command: + +@smallexample +@b{shell%} install-sid @i{customerID} +@end smallexample + +@noindent replacing @i{customerID} with your customer ID, which your +sales representative will supply. + +The @code{send-pr} program enters the problem report into our Problem +Report Management System (PRMS), which automatically assigns it to the +engineer best able to help you with problems in the assigned category. +The engineer will work with you via email, telephone, or both, and all +email related to this Problem Report will be tracked by PRMS for future +reference. If the engineer does not reply to you after a certain time, +a reminder is automatically generated. If you need to talk to someone +else in our organization about the problem (@i{e.g.}, if the engineer +gets hit by a truck), we can find out what the current state is through +the PR number. @value{COMPANY} uses PRMS for almost all of the real +problems we handle. + +The @code{send-pr} program will try to intelligently fill in as many +fields as it can. You need to choose the @dfn{category}, @dfn{class}, +@dfn{severity}, and @dfn{priority} of the problem, as well as giving us +as much information as you can about its exact nature. + +@need 1000 +The PR @b{category} will be one of: + +@smallexample +@group +kerberos kerbnet doc help-request +info-request install query-pr id-request +send-pr +@end group +@end smallexample + +In general, if specific knowledge about Kerberos is requried to answer a +PR, use the @i{kerberos} or @i{doc} categories. The @i{install} +category is for problems retrieving the code off the media (@i{e.g.}, +the data on a tape seems to be corrupted.) Questions about the +installation procedures described in this document would fall under the +category @i{kerberos}. The @i{help-request} and @i{info-request} +categories are for general questions about your contract, or other +issues not necessarily related to @value{PRODUCT}. Use @i{query-pr} to +receive a current copy of your Problem Report, @i{id-request} if you +need a customer ID, and @i{send-pr} if you're having trouble using +send-pr. If your question is related to @value{PRODUCT} and you're not +sure what the most appropriate category should be, use @i{kerberos}. +The engineer can change the category if necessary. + +The @b{class} can be @dfn{sw-bug}, @dfn{doc-bug}, @dfn{change-request}, +or @dfn{support}. The first two are exactly as their names imply. The +@i{change-request} class is to inform us of changes, such as new email +addresses or new contact information. The @i{support} class is intended +for general questions about using the @value{PRODUCT} clients or +libraries. + +The @b{severity} of the problem indicates the problem's impact on the +usability of the @value{PRODUCT} software package. If a problem is +@dfn{critical}, that means the product, component or concept is +completely non-operational, or some essential functionality is missing, +and no workaround is known. A @dfn{serious} problem is one in which the +product, component or concept is not working properly or significant +functionality is missing. Problems that would otherwise be considered +@i{critical} are rated @i{serious} when a workaround is known. A +@dfn{non-critical} problem is one that is indeed a problem, but one that +is having a minimal affect on your ability to use @value{PRODUCT}. +@i{E.g.}, The product, component or concept is working in general, but +lacks features, has irritating behavior, does something wrong, or +doesn't match its documentation. The default severity is @i{serious}. + +The @b{priority} indicates how urgent this particular problem is in +relation to your work. Note that low priority does not imply low +importance. @value{COMPANY} considers all problems important, and +encourages its customers to be realistic about priority ratings. A +priority of @dfn{high} means a solution is needed as soon as possible. +A priority of @dfn{medium} means the problem should be solved no later +than the next release. A priority of @dfn{low} means the problem should +be solved in a future release, but it is not important to your work how +soon this happens. The default priority is @i{medium}. + +Note that a given severity does not necessarily imply a given priority. +For example, a non-critical problem might still have a high priority if +you are faced with a hard deadline. Conversely, a serious problem might +have a low priority if the feature it is disabling is one that you do +not need. + +The @b{release} is as labeled on the software that was shipped. +@i{e.g.}, @code{kerbnet-@value{RELEASE}}. It is important that you tell +us which release you are using, and whether or not you have made any +private changes. + +Bug reports that include proposed fixes are especially welcome. If you +include proposed fixes, please send them using either context diffs +(@samp{diff -c}) or unified diffs (@samp{diff -u}). + +@iftex +@vfill +@end iftex + +@page +A sample filled-out form from a company named ``Toasters, Inc.'' might +look like this: + +@smallexample +@group +To: bugs@@cygnus.com +Subject: "KDC reply did not match expectations" error +From: joe.smith@@toasters.com +Reply-To: joe.smith@@toasters.com +X-send-pr-version: 3.97-96q1 + +>Submitter-Id: toastersinc +>Confidential: yes +>Originator: Joe Smith (+1 415 903 1400) +>Organization: +----- +Joe Smith joe.smith@@toasters.com +Toasters, Inc. + ``The best UI in the world'' + +>Synopsis: "KDC reply did not match expectations" error message +>Severity: non-critical +>Priority: low +>Category: kerberos +>Class: sw-bug +>Release: kerbnet-1.0 +>Environment: +NetBSD viola 1.1 NetBSD 1.1 (ATHENAADP) #0: Tue May 21 00:31:42 EDT 1996 +i386 +System: Intel P166 +Architecture: NetBSD + +>Description: + <description of problem goes here> + Getting "KDC reply did not match expectations" message. This + does not seem to be affecting anything else. + +>How-To-Repeat: + <A code sample is worth a thousand words.> + <If the Problem Report is marked ``Confidential: yes'',> + <it will not be available to anyone but our engineers,> + <please contact us if you are concerned about sensitive source> + <code.> + It happens when I type kinit. + +>Fix: + <If you have already found a correct way to stop this problem,> + <please let us know!> + None. Sorry. +@end group +@end smallexample + +@iftex +@vfill +@end iftex + +@page +If the @code{send-pr} program does not work for you, you can use the +following template instead: + +@smallexample +@group +To: bugs@@cygnus.com +Subject: +From: +Reply-To: +X-send-pr-version: none (typed manually) + +>Submitter-Id: +>Originator: +>Organization: + <organization of PR author (multiple lines)> +>Confidential: <[ yes | no ] (one line)> +>Synopsis: <synopsis of the problem (one line)> +>Severity: <[ non-critical | serious | critical ] (one line)> +>Priority: <[ low | medium | high ] (one line)> +>Category: <name of the product (one line)> +>Class: <[ sw-bug | doc-bug | change-request | support ] (one line)> +>Release: cns-9?q? +>Environment: + <machine, os, target, libraries (multiple lines)> +System: +Architecture: + + +>Description: + <precise description of the problem (multiple lines)> +>How-To-Repeat: + <code/input/activities to reproduce the problem (multiple lines)> +>Fix: + <how to correct or work around the problem, if known (multiple lines)> +@end group +@end smallexample diff --git a/doc/user-guide.texinfo b/doc/user-guide.texinfo new file mode 100644 index 0000000000..d62664ccd3 --- /dev/null +++ b/doc/user-guide.texinfo @@ -0,0 +1,1671 @@ +\input texinfo @c -*-texinfo-*- +@c %**start of header +@c guide +@setfilename KerbNet-User.info +@settitle Kerb*Net UNIX User's Guide +@setchapternewpage odd @c chapter begins on next odd page +@c @setchapternewpage on @c chapter begins on next page +@smallbook @c Format for 7" X 9.25" paper +@c %**end of header + +@paragraphindent 0 +@iftex +@parskip 6pt plus 6pt +@end iftex + +@include definitions.texinfo +@set EDITION 0.9 beta + +@finalout @c don't print black warning boxes + +@titlepage +@title @value{PRODUCT} UNIX User's Guide +@subtitle Release: @value{RELEASE} +@subtitle Document Edition: @value{EDITION} +@subtitle Last updated: @value{UPDATED} +@author @value{COMPANY} + +@page +@vskip 0pt plus 1filll + +@include copyright.texinfo +@end titlepage + +@comment node-name, next, previous, up +@node Top, Introduction, (dir), (dir) + +@ifinfo +This file describes how to use the @value{PRODUCT} client programs. + +@include copyright.texinfo +@end ifinfo + +@c The master menu is updated using emacs19's M-x texinfo-all-menus-update +@c function. Don't forget to run M-x texinfo-every-node-update after +@c you add a new section or subsection, or after you've rearranged the +@c comand before each @section or @subsection! All you need to enter +@c is: +@c + +@c @section New Section Name +@c +@c M-x texinfo-every-node-update will take care of calculating the +@c node's forward and back pointers. +@c +@c --------------------------------------------------------------------- + +@menu +* Introduction:: +* @value{PRODUCT} Tutorial:: +* @value{PRODUCT} Reference:: +* Kerberos Glossary:: +@end menu + +@node Introduction, @value{PRODUCT} Tutorial, Top, Top +@chapter Introduction + +@value{PRODUCT} is based on the Kerberos V5 authentication system +developed at MIT. Kerberos is named for the three-headed watchdog from +Greek mythology, who guarded the entrance to the underworld. + +Under Kerberos, a client (generally either a user or a service) sends a +request for a ticket to the @i{Key Distribution Center} (KDC). The KDC +creates a @dfn{ticket-granting ticket} (TGT) for the client, encrypts it +using the client's password as the key, and sends the encrypted TGT back +to the client. The client then attempts to decrypt the TGT, using its +password. If the client successfully decrypts the TGT (@i{i.e.}, if the +client gave the correct password), it keeps the decrypted TGT, which +indicates proof of the client's identity. + +The TGT, which expires at a specified time, permits the client to obtain +additional tickets, which give permission for specific services. The +requesting and granting of these additional tickets is user-transparent. + +Since Kerberos negotiates authenticated, and optionally encrypted, +communications between two points anywhere on the internet, it provides +a layer of security that is not dependent on which side of a firewall +either client is on. Since studies have shown that half of the computer +security breaches in industry happen from @i{inside} firewalls, +@value{COMPANY}'s @value{PRODUCT} plays a vital role in maintaining your +nework security. + +The @value{PRODUCT} package is designed to be easy to use. Most of the +commands are nearly identical to UNIX network programs you are already +used to. @value{PRODUCT} is a @dfn{single-sign-on} system, which means +that you have to type your password only once per session, and Kerberos +does the authenticating and encrypting transparently. + +@iftex +@vfil +@end iftex +@need 2000 +@menu +* What is a Ticket?:: +* What is a Kerberos Principal?:: +@end menu + +@node What is a Ticket?, What is a Kerberos Principal?, Introduction, Introduction +@section What is a Ticket? + +Your Kerberos @dfn{credentials}, or ``@dfn{tickets}'', are a set of +electronic information that can be used to verify your identity. Your +Kerberos tickets may be stored in a file, or they may exist only in +memory. + +The first ticket you obtain is a @dfn{ticket-granting ticket}, which +permits you to obtain additional tickets. These additional tickets give +you permission for specific services. The requesting and granting of +these additional tickets happens transparently. + +A good analogy for the ticket-granting ticket is a three-day ski pass +that is good at four different resorts. You show the pass at whichever +resort you decide to go to (until it expires), and you receive a lift +ticket for that resort. Once you have the lift ticket, you can ski all +you want at that resort. If you go to another resort the next day, you +once again show your pass, and you get an additional lift ticket for the +new resort. The difference is that the @value{PRODUCT} programs notice +that you have the weekend ski pass, and get the lift ticket for you, so +you don't have to perform the transactions yourself. + +@iftex +@vfil +@end iftex +@need 2000 +@node What is a Kerberos Principal?, , What is a Ticket?, Introduction +@section What is a Kerberos Principal? + +A Kerberos @dfn{principal} is a unique identity to which Kerberos can +assign tickets. By convention, a principal is divided into three parts: +the @dfn{primary}, the @dfn{instance}, and the @dfn{realm}. The format +of a typical Kerberos V5 principal is @code{primary/instance@@REALM}. + +@itemize @bullet +@item The @dfn{primary} is the first part of the principal. In the case +of a user, it's the same as your username. For a host, the primary is +the word @code{host}. + +@item The @dfn{instance} is an optional string that qualifies the +primary. The instance is separated from the primary by a slash +(@code{/}). In the case of a user, the instance is usually null, but a +user might also have an additional principal, with an instance called +@samp{admin}, which he/she uses to administrate a database. The +principal @code{@value{RANDOMUSER1}@@@value{PRIMARYREALM}} is completely +separate from the principal +@code{@value{RANDOMUSER1}/admin@@@value{PRIMARYREALM}}, with a separate +password, and separate permissions. In the case of a host, the instance +is the fully qualified hostname, e.g., +@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}. + +@item The @dfn{realm} is your Kerberos realm. In most cases, your +Kerberos realm is your domain name, in upper-case letters. For example, +the machine @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} would be in +the realm @code{@value{PRIMARYREALM}}. +@end itemize + +@node @value{PRODUCT} Tutorial, @value{PRODUCT} Reference, Introduction, Top +@chapter @value{PRODUCT} Tutorial + +This tutorial is intended to familiarize you with the @value{PRODUCT} +client programs. We will represent your prompt as ``@code{shell%}''. +So an instruction to type the ``@kbd{ls}'' command would be represented as +follows: + +@need 600 +@smallexample +@group +@b{shell%} ls +@end group +@end smallexample + +In these examples, we will use sample usernames, such as +@code{@value{RANDOMUSER1}} and @code{@value{RANDOMUSER2}}, sample +hostnames, such as @code{@value{RANDOMHOST1}} and +@code{@value{RANDOMHOST2}}, and sample domain names, such as +@code{@value{PRIMARYDOMAIN}} and @code{@value{SECONDDOMAIN}}. When you +see one of these, substitute your username, hostname, or domain name +accordingly. + +@menu +* Setting Up to Use @value{PRODUCT}:: +* Ticket Management:: +* Password Management:: +* @value{PRODUCT} Applications:: +@end menu + +@node Setting Up to Use @value{PRODUCT}, Ticket Management, @value{PRODUCT} Tutorial, @value{PRODUCT} Tutorial +@section Setting Up to Use @value{PRODUCT} + +Your system administrator will have installed the @value{PRODUCT} +programs in whichever directory makes the most sense for your system. +We will use @code{@value{ROOTDIR}} throughout this guide to refer to the +top-level directory @value{PRODUCT} directory. We will therefor use +@code{@value{BINDIR}} to denote the location of the @value{PRODUCT} user +programs. In your installation, the directory name may be different, +but whatever the directory name is, you should make sure it is included +in your path. You will probably want to put it @i{ahead of} the +directories @code{/bin} and @code{/usr/bin} so you will get the +@value{PRODUCT} network programs, rather than the standard UNIX +versions, when you type their command names. + +@node Ticket Management, Password Management, Setting Up to Use @value{PRODUCT}, @value{PRODUCT} Tutorial +@section Ticket Management + +On many systems, Kerberos is built into the login program, and you get +tickets automatically when you log in. Other programs, such as +@code{rsh}, @code{rcp}, @code{telnet}, and @code{rlogin}, can forward +copies of your tickets to the remote host. Most of these programs also +automatically destroy your tickets when they exit. However, +@value{COMPANY} recommends that you explicitly destroy your Kerberos +tickets when you are through with them, just to be sure. One way to +help ensure that this happens is to add the @code{kdestroy} command to +your @code{.logout} file. Additionally, if you are going to be away +from your machine and are concerned about an intruder using your +permissions, it is safest to either destroy all copies of your tickets, +or use a screensaver that locks the screen. + +@need 2000 +@menu +* Obtaining Tickets with kinit:: +* Viewing Your Tickets with klist:: +* Destroying Your Tickets with kdestroy:: +@end menu + +@node Obtaining Tickets with kinit, Viewing Your Tickets with klist, Ticket Management, Ticket Management +@subsection Obtaining Tickets with kinit + +If your site is using the @value{PRODUCT} login program, you will get +Kerberos tickets automatically when you log in. If your site uses a +different login program, you may need to explicitly obtain your Kerberos +tickets, using the @code{kinit} program. Similarly, if your Kerberos +tickets expire, use the @code{kinit} program to obtain new ones. + +@need 1500 +To use the @code{kinit} program, simply type @kbd{kinit} and then type +your password at the prompt. For example, Jennifer (whose username is +@code{@value{RANDOMUSER1}}) works for Bleep, Inc. (a fictitious company +with the domain name @code{@value{PRIMARYDOMAIN}} and the Kerberos realm +@code{@value{PRIMARYREALM}}). She would type: + +@smallexample +@group +@b{shell%} kinit +@b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type @value{RANDOMUSER1}'s password here.]} +@b{shell%} +@end group +@end smallexample + +@need 1000 +If you type your password incorrectly, kinit will give you the following +error message: + +@smallexample +@group +@b{shell%} kinit +@b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type the wrong password here.]} +@b{kinit: Password incorrect} +@b{shell%} +@end group +@end smallexample + +@noindent and you won't get Kerberos tickets. + +@noindent Notice that @code{kinit} assumes you want tickets for your own +username in your default realm. +@need 1500 +Suppose Jennifer's friend David is visiting, and he wants to borrow a +window to check his mail. David needs to get tickets for himself in his +own realm, @value{SECONDREALM}.@footnote{Note: the realm +@value{SECONDREALM} must be listed in your computer's Kerberos +configuration file, @code{/etc/krb5.conf}.} He would type: + +@smallexample +@group +@b{shell%} kinit @value{RANDOMUSER2}@@@value{SECONDREALM} +@b{Password for @value{RANDOMUSER2}@@@value{SECONDREALM}:} @i{<-- [Type @value{RANDOMUSER2}'s password here.]} +@b{shell%} +@end group +@end smallexample + +@noindent David would then have tickets which he could use to log onto +his own machine. Note that he typed his password locally on Jennifer's +machine, but it never went over the network. Kerberos on the local host +performed the authentication to the KDC in the other realm. + +@need 1000 +If you want to be able to forward your tickets to another host, you need +to request @dfn{forwardable} tickets. You do this by specifying the +@kbd{-f} option: + +@smallexample +@group +@b{shell%} kinit -f +@b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type your password here.]} +@b{shell%} +@end group +@end smallexample + +@noindent +Note that @code{kinit} does not tell you that it obtained forwardable +tickets; you can verify this using the @code{klist} command +(@pxref{Viewing Your Tickets with klist}). + +Normally, your tickets are good for your system's default ticket +lifetime, which is ten hours on many systems. You can specify a +different ticket lifetime with the @samp{-l} option. Add the letter +@samp{s} to the value for seconds, @samp{m} for minutes, @samp{h} for +hours, or @samp{d} for days. +@need 1500 +For example, to obtain forwardable tickets for +@code{@value{RANDOMUSER2}@@@value{SECONDREALM}} that would be good for +three hours, you would type: + +@smallexample +@group +@b{shell%} kinit -f -l 3h @value{RANDOMUSER2}@@@value{SECONDREALM} +@b{Password for @value{RANDOMUSER2}@@@value{SECONDREALM}:} @i{<-- [Type @value{RANDOMUSER2}'s password here.]} +@b{shell%} +@end group +@end smallexample + +@noindent +You cannot mix units; specifying a lifetime of @samp{3h30m} would result +in an error. Note also that most systems specify a maximum ticket +lifetime. If you request a longer ticket lifetime, it will be +automatically truncated to the maximum lifetime. + +@iftex +@vfil +@end iftex +@need 3000 +@node Viewing Your Tickets with klist, Destroying Your Tickets with kdestroy, Obtaining Tickets with kinit, Ticket Management +@subsection Viewing Your Tickets with klist + +The @code{klist} command shows your tickets. When you first obtain +tickets, you will have only the ticket-granting ticket. (@xref{What is +a Ticket?}.) The listing would look like this: + +@smallexample +@group +@b{shell%} klist +Ticket cache: /tmp/krb5cc_ttypa +Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM} + +Valid starting Expires Service principal +06/07/96 19:49:21 06/08/96 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM} +@b{shell%} +@end group +@end smallexample + +@noindent +The ticket cache is the location of your ticket file. In the above +example, this file is named @code{/tmp/krb5cc_ttypa}. The default +principal is your kerberos @dfn{principal}. (@pxref{What is a Kerberos +Principal?}) + +The ``valid starting'' and ``expires'' fields describe the period of +time during which the ticket is valid. The @dfn{service principal} +describes each ticket. The ticket-granting ticket has the primary +@code{krbtgt}, and the instance is the realm name. + +@need 2000 +Now, if @value{RANDOMUSER1} connected to the machine +@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, and then typed +@kbd{klist} again, she would have gotten the following result: + +@smallexample +@group +@b{shell%} klist +Ticket cache: /tmp/krb5cc_ttypa +Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM} + +Valid starting Expires Service principal +06/07/96 19:49:21 06/08/96 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM} +06/07/96 20:22:30 06/08/96 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} +@b{shell%} +@end group +@end smallexample + +@noindent +Here's what happened: when @value{RANDOMUSER1} used telnet to connect +to the host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, the telnet +program presented her ticket-granting ticket to the KDC and requested a +host ticket for the host +@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}. The KDC sent the host +ticket, which telnet then presented to the host +@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, and she was allowed to +log in without typing her password. +@iftex +@vfil +@end iftex + +@need 3000 +Suppose your Kerberos tickets allow you to log into a host in another +domain, such as @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, which +is also in another Kerberos realm, @code{@value{SECONDREALM}}. If you +telnet to this host, you will receive a ticket-granting ticket for the +realm @code{@value{SECONDREALM}}, plus the new @code{host} ticket for +@code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}. @kbd{klist} will now +show: + +@smallexample +@group +@b{shell%} klist +Ticket cache: /tmp/krb5cc_ttypa +Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM} + +Valid starting Expires Service principal +06/07/96 19:49:21 06/08/96 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM} +06/07/96 20:22:30 06/08/96 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} +06/07/96 20:24:18 06/08/96 05:49:19 krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM} +06/07/96 20:24:18 06/08/96 05:49:19 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{PRIMARYREALM} +@b{shell%} +@end group +@end smallexample + +You can use the @code{-f} option to view the @dfn{flags} that apply to +your tickets. The flags are: + +@table @b +@itemx F +@b{F}orwardable +@itemx f +@b{f}orwarded +@itemx P +@b{P}roxiable +@itemx p +@b{p}roxy +@itemx D +post@b{D}ateable +@itemx d +post@b{d}ated +@itemx R +@b{R}enewable +@itemx I +@b{I}nitial +@itemx i +@b{i}nvalid +@end table + +@need 1500 +Here is a sample listing. In this example, the user @value{RANDOMUSER1} +obtained her initial tickets (@samp{I}), which are forwardable +(@samp{F}) and postdated (@samp{d}) but not yet validated (@samp{i}). +(@xref{kinit Reference} for more information about postdated tickets.) + +@smallexample +@group +@b{shell%} klist -f +@b{Ticket cache: /tmp/krb5cc_320 +Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM} + +Valid starting Expires Service principal +31 Jul 96 19:06:25 31 Jul 96 19:16:25 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM} + Flags: FdiI +shell%} +@end group +@end smallexample + +@need 1500 +In the following example, the user @value{RANDOMUSER2}'s tickets were +forwarded (@samp{f}) to this host from another host. The tickets are +reforwardable (@samp{F}). + +@smallexample +@group +@b{shell%} klist -f +@b{Ticket cache: /tmp/krb5cc_p11795 +Default principal: @value{RANDOMUSER2}@@@value{SECONDREALM} + +Valid starting Expires Service principal +07/31/96 11:52:29 07/31/96 21:11:23 krbtgt/@value{SECONDREALM}@@@value{SECONDREALM} + Flags: Ff +07/31/96 12:03:48 07/31/96 21:11:23 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{SECONDREALM} + Flags: Ff +shell%} +@end group +@end smallexample + +@iftex +@vfil +@end iftex +@need 2000 +@node Destroying Your Tickets with kdestroy, , Viewing Your Tickets with klist, Ticket Management +@subsection Destroying Your Tickets with kdestroy + +Your Kerberos tickets are proof that you are indeed yourself, and +tickets can be stolen. If this happens, the person who has them can +masquerade as you until they expire. For this reason, you should +destroy your Kerberos tickets when you are away from your computer. + +@need 1000 +Destroying your tickets is easy. Simply type @kbd{kdestroy}. + +@smallexample +@group +@b{shell%} kdestroy +@b{shell%} +@end group +@end smallexample + +@need 1500 +If @code{kdestroy} fails to destroy your tickets, it will beep and give +an error message. For example, if @code{kdestroy} can't find any +tickets to destroy, it will give the following message: + +@smallexample +@group +@b{shell%} kdestroy +@b{kdestroy: No credentials cache file found while destroying cache +Ticket cache NOT destroyed! +shell%} +@end group +@end smallexample + +@iftex +@vfil +@end iftex +@need 2000 +@node Password Management, @value{PRODUCT} Applications, Ticket Management, @value{PRODUCT} Tutorial +@section Password Management + +Your password is the only way Kerberos has of verifying your identity. +If someone finds out your password, that person can masquerade as +you---send email that comes from you, read, edit, or delete your files, +or log into other hosts as you---and no one will be able to tell the +difference. For this reason, it is important that you choose a good +password (@pxref{Password Advice}), and keep it secret. If you need to +give access to your account to someone else, you can do so through +Kerberos. (@xref{Granting Access to Your Account}.) You should +@i{never} tell your password to anyone, including your system +administrator, for any reason. You should change your password +frequently, particularly any time you think someone may have found out +what it is. + +@iftex +@vfil +@end iftex +@need 2000 +@menu +* Changing Your Password:: +* Password Advice:: +* Granting Access to Your Account:: +@end menu + +@node Changing Your Password, Password Advice, Password Management, Password Management +@subsection Changing Your Password + +@need 2500 +To change your Kerberos password, use the @code{kpasswd} command. It +will ask you for your old password (to prevent someone else from walking +up to your computer when you're not there and changing your password), +and then prompt you for the new one twice. (The reason you have to type +it twice is to make sure you have typed it correctly.) For example, +user @code{@value{RANDOMUSER2}} would do the following: + +@smallexample +@group +@b{shell%} kpasswd +@b{Old password for @value{RANDOMUSER2}:} @i{<- Type your old password.} +@b{New Password for @value{RANDOMUSER2}:} @i{<- Type your new password.} +@b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type the new password again.} +@b{Password changed.} +@b{shell%} +@end group +@end smallexample + +@need 1800 +If @value{RANDOMUSER2} typed the incorrect old password, he would get +the following message: + +@smallexample +@group +@b{shell%} kpasswd +@b{Old password for @value{RANDOMUSER2}:} @i{<- Type the incorrect old password.} +@b{Incorrect old password. +shell%} +@end group +@end smallexample + +@need 2500 +If you make a mistake and don't type the new password the same way +twice, @code{kpasswd} will ask you to try again: + +@smallexample +@group +@b{shell%} kpasswd +@b{Old password for @value{RANDOMUSER2}:} @i{<- Type the old password.} +@b{New Password for @value{RANDOMUSER2}:} @i{<- Type the new password.} +@b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type a different new password.} +@b{Mismatch - try again +New Password for @value{RANDOMUSER2}:} @i{<- Type the new password.} +@b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type the same new password.} +@b{Password changed. +shell%} +@end group +@end smallexample + +Once you change your password, it takes some time for the change to +propagate through the system. Depending on how your system is set up, +this might be anywhere from a few minutes to an hour or more. If you +need to get new Kerberos tickets shortly after changing your password, +try the new password. If the new password doesn't work, try again using +the old one. +@iftex +@vfil +@end iftex + +@need 2000 +@node Password Advice, Granting Access to Your Account, Changing Your Password, Password Management +@subsection Password Advice + +Your password can include almost any character you can type (except +control keys and the ``enter'' key). A good password is one you can +remember, but that no one else can easily guess. Examples of @i{bad} +passwords are words that can be found in a dictionary, any common or +popular name, especially a famous person (or cartoon character), your +name or username in any form (@i{e.g.}, forward, backward, repeated +twice, @i{etc.}), your spouse's, child's, or pet's name, your birth +date, your social security number, and any sample password that appears +in this (or any other) manual. + +@need 2200 +@value{COMPANY} recommends that your password be at least 6 characters +long, and contain UPPER- and lower-case letters, numbers, and/or +punctuation marks. Some passwords that would be good if they weren't +listed in this manual include: + +@itemize @bullet +@item some initials, like ``GykoR-66.'' for ``Get your kicks on Route +66.'' + +@item an easy-to-pronounce nonsense word, like ``slaRooBey'' or +``krang-its'' + +@item a misspelled phrase, like ``2HotPeetzas!'' or ``ItzAGurl!!!'' +@end itemize + +@noindent Note: don't actually use any of the above passwords. They're +only meant to show you how to make up a good password. Passwords that +appear in a manual are the first ones intruders will try. +@iftex +@vfil +@end iftex + +@need 3800 +@value{PRODUCT} allows your system administrators to automatically +reject bad passwords, based on whatever criteria they choose. For +example, if the user @code{@value{RANDOMUSER1}} chose a bad password, +Kerberos would give an error message like the following: + +@smallexample +@group +@b{shell%} kpasswd +@b{Old password for @value{RANDOMUSER1}:} @i{<- Type your old password here.} +@b{New Password for @value{RANDOMUSER1}:} @i{<- Type an insecure new password.} +@b{Verifying, please re-enter New Password for @value{RANDOMUSER1}:} @i{<- Type it again.} + +ERROR: Insecure password not accepted. Please choose another. + +kpasswd: Insecure password rejected while attempting to change password. +Please choose another password. + +@b{New Password for @value{RANDOMUSER1}:} @i{<- Type a good password here.} +@b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type it again.} +@b{Password changed. +shell%} +@end group +@end smallexample + +@noindent Your system administrators can choose the message that is +displayed if you choose a bad password, so the message you see may be +different from the above example. + +@iftex +@vfil +@end iftex +@need 2000 +@node Granting Access to Your Account, , Password Advice, Password Management +@subsection Granting Access to Your Account + +@need 1800 +If you need to give someone access to log into your account, you can do +so through Kerberos, without telling the person your password. Simply +create a file called @code{.k5login} in your home directory. This file +should contain the Kerberos principal (@xref{What is a Kerberos +Principal?}) of each person to whom you wish to give access. Each +principal must be on a separate line. Here is a sample @code{.k5login} +file: + +@smallexample +@group +@value{RANDOMUSER1}@@@value{PRIMARYREALM} +@value{RANDOMUSER2}@@@value{SECONDREALM} +@end group +@end smallexample + +@noindent This file would allow the users @code{@value{RANDOMUSER1}} and +@code{@value{RANDOMUSER2}} to use your user ID, provided that they had +Kerberos tickets in their respective realms. If you will be logging +into other hosts across a network, you will want to include your own +Kerberos principal in your @code{.k5login} file on each of these hosts. + +@need 1000 +Using a @code{.k5login} file is much safer than giving out your +password, because: + +@itemize @bullet +@item You can take access away any time simply by removing the principal +from your @code{.k5login} file. + +@item Although the user has full access to your account on one +particular host (or set of hosts if your @code{.k5login} file is shared, +@i{e.g.}, over NFS), that user does not inherit your network privileges. + +@item Kerberos keeps a log of who obtains tickets, so a system +administrator could find out, if necessary, who was capable of using +your user ID at a particular time. +@end itemize + +One common application is to have a @code{.k5login} file in +@code{root}'s home directory, giving root access to that machine to the +Kerberos principals listed. This allows system administrators to allow +users to become root locally, or to log in remotely as @code{root}, +without their having to give out the root password, and without anyone +having to type the root password over the network. + +@iftex +@vfil +@end iftex +@need 2000 + +@node @value{PRODUCT} Applications, , Password Management, @value{PRODUCT} Tutorial +@section @value{PRODUCT} Applications + +@value{PRODUCT} is a @dfn{single-sign-on} system. This means that you +only have to type your password once, and the @value{PRODUCT} programs +do the authenticating (and optionally encrypting) for you. The way this +works is that Kerberos has been built into each of a suite of network +programs. For example, when you use a @value{PRODUCT} program to +connect to a remote host, the program, the KDC, and the remote host +perform a set of rapid negotiations. When these negotiations are +completed, your program has proven your identity on your behalf to the +remote host, and the remote host has granted you access, all in the +space of a few seconds. + +The @value{PRODUCT} applications are versions of existing UNIX network +programs with the Kerberos features added. + +@iftex +@vfil +@end iftex +@need 2000 +@menu +* Overview of Additional Features:: +* telnet:: +* rlogin:: +* FTP:: +* rsh:: +* rcp:: +* ksu:: +@end menu + +@node Overview of Additional Features, telnet, @value{PRODUCT} Applications, @value{PRODUCT} Applications +@subsection Overview of Additional Features + +The @value{PRODUCT} @dfn{network programs} are those programs that +connect to another host somewhere on the internet. These programs +include @code{rlogin}, @code{telnet}, @code{ftp}, @code{rsh}, +@code{rcp}, @code{krdist}, and @code{ksu}. These programs have all of +the original features of the corresponding non-Kerberos @code{rlogin}, +@code{telnet}, @code{ftp}, @code{rsh}, @code{rcp}, @code{rdist}, and +@code{su} programs, plus additional features that transparently use your +Kerberos tickets for negotiating authentication and optional encryption +with the remote host. In most cases, all you'll notice is that you no +longer have to type your password, because Kerberos has already proven +your identity. + +The @value{PRODUCT} network programs allow you the options of forwarding +your tickets to the remote host (if you obtained forwardable tickets +with the @code{kinit} program; @pxref{Obtaining Tickets with kinit}), and +encrypting data transmitted between you and the remote host. + +This section of the tutorial assumes you are familiar with the +non-Kerberos versions of these programs, and highlights the Kerberos +functions added in the @value{PRODUCT} package. + +@iftex +@vfil +@end iftex +@need 2000 +@node telnet, rlogin, Overview of Additional Features, @value{PRODUCT} Applications +@subsection telnet + +The @value{PRODUCT} @code{telnet} command works exactly like the +standard UNIX telnet program, with the following Kerberos options added: + +@table @kbd +@itemx -f, --forward +forwards a copy of your tickets to the remote host. + +@itemx --noforward +turns off forwarding of tickets to the remote host. (This option +overrides any forwarding specified in your machine's configuration +files.) + +@itemx -F, --forwardable +forwards a copy of your tickets to the remote host, and marks them +re-forwardable from the remote host. + +@itemx --noforwardable +makes any forwarded tickets nonforwardable. (This option overrides any +forwardability specified in your machine's configuration files.) + +@itemx -k @i{realm} +requests tickets for the remote host in the specified realm, instead of +determining the realm itself. + +@itemx -K +uses your tickets to authenticate to the remote host, but does not log +you in. + +@itemx -a +attempt automatic login using your tickets. @code{telnet} will assume +the same username unless you explicitly specify another. + +@itemx -x, --encrypt +turns on encryption. + +@itemx --noencrypt +turns off encryption. +@end table + +@iftex +@vfil +@end iftex + +@need 4000 +For example, if @code{@value{RANDOMUSER2}} wanted to use the standard +UNIX telnet to connect to the machine +@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, he would type: + +@smallexample +@group +@b{shell%} telnet @value{RANDOMHOST1}.@value{PRIMARYDOMAIN} +@b{Trying 128.0.0.5 ... +Connected to @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}. +Escape character is '^]'. + +NetBSD/i386 (@value{RANDOMHOST1}) (ttyp3) + +login:} @value{RANDOMUSER2} +@b{Password:} @i{<- @value{RANDOMUSER2} types his password here} +@b{Last login: Fri Jun 21 17:13:11 from @value{RANDOMHOST2}.@value{SECONDDOMAIN} +Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 + The Regents of the University of California. All rights reserved. + +NetBSD 1.1: Tue May 21 00:31:42 EDT 1996 + +Welcome to NetBSD! +shell%} +@end group +@end smallexample + +@noindent Note that the machine +@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} asked for +@code{@value{RANDOMUSER2}}'s password. When he typed it, his password +was sent over the network unencrypted. If an intruder were watching +network traffic at the time, that intruder would know +@code{@value{RANDOMUSER2}}'s password. + +@iftex +@vfil +@end iftex +@need 4000 +If, on the other hand, @code{@value{RANDOMUSER1}} wanted to use the +@value{PRODUCT} telnet to connect to the machine +@code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, she could forward a +copy of her tickets, request an encrypted session, and log on as herself +as follows: + +@smallexample +@group +@b{shell%} telnet -a -f -x @value{RANDOMHOST2}.@value{SECONDDOMAIN} +@b{Trying 128.0.0.5... +Connected to @value{RANDOMHOST2}.@value{SECONDDOMAIN}. +Escape character is '^]'. +[ Kerberos V5 accepts you as ``@value{RANDOMUSER1}@@@value{SECONDDOMAIN}'' ] +[ Kerberos V5 accepted forwarded credentials ] +NetBSD 1.1: Tue May 21 00:31:42 EDT 1996 + +Welcome to NetBSD! +shell%} +@end group +@end smallexample + +@noindent Note that @code{@value{RANDOMUSER1}}'s machine used Kerberos +to authenticate her to @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, +and logged her in automatically as herself. She had an encrypted +session, a copy of her tickets already waiting for her, and she never +typed her password. + +If you forwarded your Kerberos tickets, @code{telnet} automatically +destroys them when it exits. The full set of options to @value{PRODUCT} +@code{telnet} are discussed in the Reference section of this manual. +(@pxref{telnet Reference}) + +@iftex +@vfil +@end iftex +@need 2000 +@node rlogin, FTP, telnet, @value{PRODUCT} Applications +@subsection rlogin + +@need 1000 +The @value{PRODUCT} @code{rlogin} command works exactly like the +standard UNIX rlogin program, with the following Kerberos options added: + +@table @kbd +@itemx -f, --forward +forwards a copy of your tickets to the remote host. + +@itemx --noforward +turns off forwarding of tickets to the remote host. (This option +overrides any forwarding specified in your machine's configuration +files.) + +@itemx -F, --forwardable +forwards a copy of your tickets to the remote host, and marks them +re-forwardable from the remote host. + +@itemx --noforwardable +makes any forwarded tickets nonforwardable. (This option overrides any +forwardability specified in your machine's configuration files.) + +@itemx -k @i{realm} +requests tickets for the remote host in the specified realm, instead of +determining the realm itself. + +@itemx -x, --encrypt +turns on encryption. + +@itemx --noencrypt +turns off encryption. +@end table + +@need 3000 +For example, if @code{@value{RANDOMUSER2}} wanted to use the standard +UNIX rlogin to connect to the machine +@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, he would type: + +@smallexample +@group +@b{shell%} rlogin @value{RANDOMHOST1}.@value{PRIMARYDOMAIN} -l @value{RANDOMUSER2} +@b{Password:} @i{<- @value{RANDOMUSER2} types his password here} +@b{Last login: Fri Jun 21 10:36:32 from :0.0 +Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 + The Regents of the University of California. All rights reserved. + +NetBSD 1.1: Tue May 21 00:31:42 EDT 1996 + +Welcome to NetBSD! +shell%} +@end group +@end smallexample + +@noindent Note that the machine +@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} asked for +@code{@value{RANDOMUSER2}}'s password. When he typed it, his password +was sent over the network unencrypted. If an intruder were watching +network traffic at the time, that intruder would know +@code{@value{RANDOMUSER2}}'s password. + +@iftex +@vfil +@end iftex +@need 4000 +If, on the other hand, @code{@value{RANDOMUSER1}} wanted to use +@value{PRODUCT} rlogin to connect to the machine +@code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, she could forward a +copy of her tickets, mark them as not forwardable from the remote host, +and request an encrypted session as follows: + +@smallexample +@group +@b{shell%} rlogin @value{RANDOMHOST2}.@value{SECONDDOMAIN} -f -x +@b{This rlogin session is using DES encryption for all data transmissions. +Last login: Thu Jun 20 16:20:50 from @value{RANDOMHOST1} +SunOS Release 4.1.4 (GENERIC) #2: Tue Nov 14 18:09:31 EST 1995 +Not checking quotas. Try quota.real if you need them. +shell%} +@end group +@end smallexample + +@noindent Note that @code{@value{RANDOMUSER1}}'s machine used Kerberos +to authenticate her to @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, +and logged her in automatically as herself. She had an encrypted +session, a copy of her tickets were waiting for her, and she never typed +her password. + +If you forwarded your Kerberos tickets, @code{rlogin} automatically +destroys them when it exits. The full set of options to @value{PRODUCT} +@code{rlogin} are discussed in the Reference section of this manual. +(@pxref{rlogin Reference}) + +@iftex +@vfil +@end iftex +@need 2000 +@node FTP, rsh, rlogin, @value{PRODUCT} Applications +@subsection FTP + +@need 1000 +The @value{PRODUCT} @code{FTP} program works exactly like the standard +UNIX FTP program, with the following Kerberos features added: + +@table @kbd +@itemx -k @i{realm} +requests tickets for the remote host in the specified realm, instead of +determining the realm itself. + +@itemx -forward +requests that your tickets be forwarded to the remote host. The +@kbd{-forward} argument must be the last argument on the command line. + +@itemx protect @i{level} +(issued at the @code{ftp>} prompt) sets the protection level. ``Clear'' +is no protection; ``safe'' ensures data integrity by verifying the +checksum, and ``private'' encrypts the data. Encryption also ensures +data integrity. +@end table + +@need 5000 +For example, suppose @code{@value{RANDOMUSER1}} wants to get her +@code{RMAIL} file from the directory @code{~@value{RANDOMUSER1}/Mail}, +on the host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}. She wants +to encrypt the file transfer. The exchange would look like the +following: + +@smallexample +@group +@b{shell%} ftp @value{RANDOMHOST1}.@value{PRIMARYDOMAIN} +Connected to @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}. +220 @value{RANDOMHOST1}.@value{PRIMARYDOMAIN} FTP server (Version 5.60) ready. +334 Using authentication type GSSAPI; ADAT must follow +GSSAPI accepted as authentication type +GSSAPI authentication succeeded +Name (@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}:@value{RANDOMUSER1}): +232 GSSAPI user @value{RANDOMUSER1}@@@value{PRIMARYREALM} is authorized as @value{RANDOMUSER1} +230 User @value{RANDOMUSER1} logged in. +Remote system type is UNIX. +Using binary mode to transfer files. +ftp> protect private +200 Protection level set to Private. +ftp> cd ~@value{RANDOMUSER1}/MAIL +250 CWD command successful. +ftp> get RMAIL +227 Entering Passive Mode (128,0,0,5,16,49) +150 Opening BINARY mode data connection for RMAIL (361662 bytes). +226 Transfer complete. +361662 bytes received in 2.5 seconds (1.4e+02 Kbytes/s) +ftp> quit +@b{shell%} +@end group +@end smallexample + +The full set of options to @value{PRODUCT} @code{FTP} are discussed +in the Reference section of this manual. (@pxref{FTP Reference}) + +@iftex +@vfil +@end iftex +@need 2000 +@node rsh, rcp, FTP, @value{PRODUCT} Applications +@subsection rsh + +@need 1000 +The @value{PRODUCT} @code{rsh} program works exactly like the standard +UNIX rlogin program, with the following Kerberos features added: + +@table @kbd +@itemx -f, --forward +forwards a copy of your tickets to the remote host. + +@itemx --noforward +turns off forwarding of tickets to the remote host. (This option +overrides any forwarding specified in your machine's configuration +files.) + +@itemx -F, --forwardable +forwards a copy of your tickets to the remote host, and marks them +re-forwardable from the remote host. + +@itemx --noforwardable +makes any forwarded tickets nonforwardable. (This option overrides any +forwardability specified in your machine's configuration files.) + +@itemx -k @i{realm} +requests tickets for the remote host in the specified realm, instead of +determining the realm itself. + +@itemx -x, --encrypt +turns on encryption. + +@itemx --noencrypt +turns off encryption. +@end table + +@need 1800 +For example, if your Kerberos tickets allowed you to run programs on the +host @code{@value{RANDOMHOST2}@@@value{SECONDDOMAIN}} as root, you could +run the @samp{date} program as follows: + +@smallexample +@group +@b{shell%} rsh @value{RANDOMHOST2}.@value{SECONDDOMAIN} -l root -x date +@b{This rsh session is using DES encryption for all data transmissions. +Fri Jun 21 17:06:12 EDT 1996 +shell%} +@end group +@end smallexample + +If you forwarded your Kerberos tickets, @code{rsh} automatically +destroys them when it exits. The full set of options to @value{PRODUCT} +@code{rsh} are discussed in the Reference section of this manual. +(@pxref{rsh Reference}) + +@iftex +@vfil +@end iftex +@need 2000 +@node rcp, ksu, rsh, @value{PRODUCT} Applications +@subsection rcp + +@need 1000 +The @value{PRODUCT} @code{rcp} program works exactly like the standard +UNIX rcp program, with the following Kerberos features added: + +@table @kbd +@itemx -k @i{realm} +requests tickets for the remote host in the specified realm, instead of +determining the realm itself. + +@itemx -x, --encrypt +turns on encryption. +@end table + + +@need 1500 +For example, if you wanted to copy the file @code{/etc/motd} from the +host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} into the current +directory, via an encrypted connection, you would simply type: + +@smallexample +@b{shell%} rcp -x @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}:/etc/motd . +@end smallexample + +The @kbd{rcp} program negotiates authentication and encryption +transparently. The full set of options to @value{PRODUCT} @code{rcp} +are discussed in the Reference section of this manual. (@pxref{rcp +Reference}) + +@iftex +@vfil +@end iftex +@need 2000 +@node ksu, , rcp, @value{PRODUCT} Applications +@subsection ksu + +The @value{PRODUCT} @code{ksu} program replaces the standard UNIX su +program. @code{ksu} first authenticates you to Kerberos. Depending on +the configuration of your system, @code{ksu} may ask for your Kerberos +password if authentication fails. @emph{Note that you should never type +your password if you are remotely logged in using an unencrypted +connection.} + +Once @code{ksu} has authenticated you, if your Kerberos principal +appears in the target's @code{.k5login} file (@pxref{Granting Access to +Your Account}) or in the target's @code{.k5users} file (see below), it +switches your user ID to the target user ID. + +@need 2000 +For example, @code{@value{RANDOMUSER2}} has put +@code{@value{RANDOMUSER1}}'s Kerberos principal in his @code{.k5login} +file. If @code{@value{RANDOMUSER1}} uses @code{ksu} to become +@code{@value{RANDOMUSER2}}, the exchange would look like this. (To +differentiate between the two shells, @code{@value{RANDOMUSER1}}'s +prompt is represented as @code{@value{RANDOMUSER1}%} and +@code{@value{RANDOMUSER2}}'s prompt is represented as +@code{@value{RANDOMUSER2}%}.) + +@smallexample +@group +@b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2} +@b{Account @value{RANDOMUSER2}: authorization for @value{RANDOMUSER1}@@@value{PRIMARYREALM} successful +Changing uid to @value{RANDOMUSER2} (3382) +@value{RANDOMUSER2}%} +@end group +@end smallexample + +@noindent +Note that the new shell has a copy of @code{@value{RANDOMUSER1}}'s +tickets. The ticket filename contains @code{@value{RANDOMUSER2}}'s UID +with @samp{.1} appended to it: + +@smallexample +@group +@b{@value{RANDOMUSER2}%} klist +@b{Ticket cache: /tmp/krb5cc_3382.1 +Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM} + +Valid starting Expires Service principal +31 Jul 96 21:53:01 01 Aug 96 07:52:53 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM} +31 Jul 96 21:53:39 01 Aug 96 07:52:53 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} +@value{RANDOMUSER2}%} +@end group +@end smallexample + +@need 2500 +If @code{@value{RANDOMUSER1}} had not appeared in +@code{@value{RANDOMUSER2}}'s @code{.k5login} file (and the system was +configured to ask for a password), the exchange would have looked like +this (assuming @code{@value{RANDOMUSER2}} has taken appropriate +precautions in protecting his password): + +@smallexample +@group +@b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2} +@b{WARNING: Your password may be exposed if you enter it here and are logged + in remotely using an unsecure (non-encrypted) channel. +Kerberos password for @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{<- @code{@value{RANDOMUSER1}} types the wrong password here.} +@b{ksu: Password incorrect +Authentication failed. +@value{RANDOMUSER1}%} +@end group +@end smallexample + +Now, suppose @code{@value{RANDOMUSER2}} did not want to give +@code{@value{RANDOMUSER1}} full access to his account, but wanted to +give her permission to list his files and use the "more" command to view +them. He could create a @code{.k5users} file giving her permission to +run only those specific commands. + +@need 3500 +The @code{.k5users} file is like the @code{.k5login} file, except that +each principal is optionally followed by a list of commands. @code{ksu} +will let those principals execute only the commands listed, using the +@kbd{-e} option. @code{@value{RANDOMUSER2}}'s @code{.k5users} file +might look like the following: + +@smallexample +@group +@value{RANDOMUSER1}@@@value{PRIMARYREALM} /bin/ls /usr/bin/more +@value{ADMINUSER}@@@value{PRIMARYREALM} /bin/ls +@value{ADMINUSER}/admin@@@value{PRIMARYREALM} * +@value{RANDOMUSER2}@@@value{SECONDREALM} +@end group +@end smallexample + +@noindent The above @code{.k5users} file would let +@code{@value{RANDOMUSER1}} run only the commands @code{/bin/ls} and +@code{/usr/bin/more}. It would let @code{@value{ADMINUSER}} run only +the command @code{/bin/ls} if he had regular tickets, but if he had +tickets for his @code{admin} instance, +@code{@value{ADMINUSER}/admin@@@value{PRIMARYREALM}}, he would be able +to execute any command. The last line gives @code{@value{RANDOMUSER2}} +in the realm @value{SECONDREALM} permission to execute any command. +(@i{I.e.}, having only a Kerberos principal on a line is equivalent to +giving that principal permission to execute @code{*}.) This is so that +@value{RANDOMUSER2} can allow himself to execute commands when he logs +in, using Kerberos, from a machine in the realm @value{SECONDREALM}. + +@need 2500 +Then, when @code{@value{RANDOMUSER1}} wanted to list his home directory, +she would type: + +@smallexample +@group +@b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2} -e ls ~@value{RANDOMUSER2} +@b{Authenticated @value{RANDOMUSER1}@@@value{PRIMARYREALM} +Account @value{RANDOMUSER2}: authorization for @value{RANDOMUSER1}@@@value{PRIMARYREALM} for execution of + /bin/ls successful +Changing uid to @value{RANDOMUSER2} (3382) +Mail News Personal misc bin +@value{RANDOMUSER1}%} +@end group +@end smallexample + +@noindent If @code{@value{RANDOMUSER1}} had tried to give a different +command to @code{ksu}, it would have prompted for a password as with the +previous example. + +Note that unless the @code{.k5users} file gives the target permission to +run any command, the user must use @code{ksu} with the @kbd{-e} +@i{command} option. + +@need 1000 +The @code{ksu} options you are most likely to use are: + +@table @kbd +@itemx -n @i{principal} +specifies which Kerberos principal you want to use for @code{ksu}. +(@i{e.g.}, the user @code{@value{ADMINUSER}} might want to use his +@code{admin} instance. @xref{What is a Ticket?}.) + +@itemx -c +specifies the location of your Kerberos credentials cache (ticket file). + +@itemx -C +specifies the location you want the Kerberos credentials cache (ticket +file) to be for the target user ID. + +@itemx -k +tells @code{ksu} not to destroy your Kerberos tickets when @code{ksu} is +finished. + +@itemx -f +requests forwardable tickets. (@xref{Obtaining Tickets with kinit}.) This +is only applicable if @code{ksu} needs to obtain tickets. + +@itemx -l @i{lifetime} +sets the ticket lifetime. (@xref{Obtaining Tickets with kinit}.) This is +only applicable if @code{ksu} needs to obtain tickets. + +@itemx -z +tells @code{ksu} to copy your Kerberos tickets only if the UID you are +switching is the same as the Kerberos primary (either yours or the one +specified by the @kbd{-n} option). + +@itemx -Z +tells @code{ksu} not to copy any Kerberos tickets to the new UID. + +@itemx -e @i{command} +tells @code{ksu} to execute @i{command} and then exit. See the +description of the @code{.k5users} file above. + +@itemx -a @i{text} +(at the end of the command line) tells @code{ksu} to pass everything +after @samp{-a} to the target shell. +@end table + +The full set of options to @value{PRODUCT} @code{ksu} are discussed +in the Reference section of this manual. (@pxref{ksu Reference}) + +@node @value{PRODUCT} Reference, Kerberos Glossary, @value{PRODUCT} Tutorial, Top +@chapter @value{PRODUCT} Reference + +This section will include copies of the manual pages for the +@value{PRODUCT} client programs. You can read the manual entry for any +command by typing @code{man} @i{command}, where @i{command} is the name +of the command for which you want to read the manual entry. For +example, to read the @code{kinit} manual entry, you would type: + +@smallexample +@b{shell%} man kinit +@end smallexample + +Note: To be able to view the @value{PRODUCT} manual pages on line, you +may need to add the directory @code{@value{ROOTDIR}/man} to your MANPATH +environment variable. (Remember to replace @code{@value{ROOTDIR}} with +the top-level directory in which @value{PRODUCT} is installed.) For +example, if you had the the following line in your @code{.login} +file@footnote{The MANPATH variable may be specified in a different +initialization file, depending on your operating system. Some of the +files in which you might specify environment variables include +@code{.login}, @code{.profile}, or @code{.cshrc}.}: + +@smallexample +setenv MANPATH /usr/local/man:/usr/man +@end smallexample + +@noindent +and the @value{PRODUCT} man pages were in the directory +@code{/usr/@value{LCPRODUCT}/man}, you would change the line to the following: + +@smallexample +setenv MANPATH /usr/@value{LCPRODUCT}/man:/usr/local/man:/usr/man +@end smallexample + +@ifinfo +Note to info users: the manual pages are not available within this info +tree. You can read them from emacs with the command: + +@smallexample +M-x manual-entry @emph{command} +@end smallexample +@end ifinfo + +@page + +@menu +* kinit Reference:: +* klist Reference:: +* kdestroy Reference:: +* kpasswd Reference:: +* telnet Reference:: +* rlogin Reference:: +* FTP Reference:: +* rsh Reference:: +* rcp Reference:: +* ksu Reference:: +* krdist Reference:: +@end menu + +@node kinit Reference, klist Reference, @value{PRODUCT} Reference, @value{PRODUCT} Reference +@section kinit Reference + +@iftex +@special{psfile=kinit1.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{kinit}} +@page + +@special{psfile=kinit2.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{kinit}} +@page +@end iftex +@ifinfo +Type @kbd{M-x manual-entry kinit} to read this manual page. +@end ifinfo + +@node klist Reference, kdestroy Reference, kinit Reference, @value{PRODUCT} Reference +@section klist Reference + +@iftex +@special{psfile=klist1.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{klist}} +@page +@end iftex +@ifinfo +Type @kbd{M-x manual-entry klist} to read this manual page. +@end ifinfo + +@node kdestroy Reference, kpasswd Reference, klist Reference, @value{PRODUCT} Reference +@section kdestroy Reference + +@iftex +@special{psfile=kdestroy1.ps voffset=-1115 hoffset=-60} +@centerline{Reference Manual for @code{kdestroy}} +@page +@end iftex +@ifinfo +Type @kbd{M-x manual-entry kdestroy} to read this manual page. +@end ifinfo + +@node kpasswd Reference, telnet Reference, kdestroy Reference, @value{PRODUCT} Reference +@section kpasswd Reference + +@iftex +@special{psfile=kpasswd1.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{kpasswd}} +@page +@end iftex +@ifinfo +Type @kbd{M-x manual-entry kpasswd} to read this manual page. +@end ifinfo + +@node telnet Reference, rlogin Reference, kpasswd Reference, @value{PRODUCT} Reference +@section telnet Reference + +@iftex +@special{psfile=telnet1.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{telnet}} +@page + +@special{psfile=telnet2.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{telnet}} +@page + +@special{psfile=telnet3.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{telnet}} +@page + +@special{psfile=telnet4.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{telnet}} +@page + +@special{psfile=telnet5.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{telnet}} +@page + +@special{psfile=telnet6.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{telnet}} +@page + +@special{psfile=telnet7.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{telnet}} +@page + +@special{psfile=telnet8.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{telnet}} +@page + +@special{psfile=telnet9.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{telnet}} +@page + +@special{psfile=telnet10.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{telnet}} +@page +@end iftex +@ifinfo +Type @kbd{M-x manual-entry telnet} to read this manual page. +@end ifinfo + +@node rlogin Reference, FTP Reference, telnet Reference, @value{PRODUCT} Reference +@section rlogin Reference + +@iftex +@special{psfile=rlogin1.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{rlogin}} +@page + +@special{psfile=rlogin2.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{rlogin}} +@page +@end iftex +@ifinfo +Type @kbd{M-x manual-entry rlogin} to read this manual page. +@end ifinfo + +@node FTP Reference, rsh Reference, rlogin Reference, @value{PRODUCT} Reference +@section FTP Reference + +@iftex +@special{psfile=ftp1.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{FTP}} +@page + +@special{psfile=ftp2.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{FTP}} +@page + +@special{psfile=ftp3.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{FTP}} +@page + +@special{psfile=ftp4.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{FTP}} +@page + +@special{psfile=ftp5.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{FTP}} +@page + +@special{psfile=ftp6.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{FTP}} +@page + +@special{psfile=ftp7.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{FTP}} +@page + +@special{psfile=ftp8.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{FTP}} +@page +@end iftex +@ifinfo +Type @kbd{M-x manual-entry FTP} to read this manual page. +@end ifinfo + +@node rsh Reference, rcp Reference, FTP Reference, @value{PRODUCT} Reference +@section rsh Reference + +@iftex +@special{psfile=rsh1.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{rsh}} +@page + +@special{psfile=rsh2.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{rsh}} +@page +@end iftex +@ifinfo +Type @kbd{M-x manual-entry rsh} to read this manual page. +@end ifinfo + +@node rcp Reference, ksu Reference, rsh Reference, @value{PRODUCT} Reference +@section rcp Reference + +@iftex +@special{psfile=rcp1.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{rcp}} +@page + +@special{psfile=rcp2.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{rcp}} +@page +@end iftex +@ifinfo +Type @kbd{M-x manual-entry rcp} to read this manual page. +@end ifinfo + +@node ksu Reference, krdist Reference, rcp Reference, @value{PRODUCT} Reference +@section ksu Reference + +@iftex +@special{psfile=ksu1.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{ksu}} +@page + +@special{psfile=ksu2.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{ksu}} +@page + +@special{psfile=ksu3.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{ksu}} +@page + +@special{psfile=ksu4.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{ksu}} +@page + +@special{psfile=ksu5.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{ksu}} +@page +@end iftex +@ifinfo +Type @kbd{M-x manual-entry ksu} to read this manual page. +@end ifinfo + +@node krdist Reference, , ksu Reference, @value{PRODUCT} Reference +@section krdist Reference + +@iftex +@special{psfile=krdist1.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{krdist}} +@page + +@special{psfile=krdist2.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{krdist}} +@page + +@special{psfile=krdist3.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{krdist}} +@page + +@special{psfile=krdist4.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{krdist}} +@page + +@special{psfile=krdist5.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{krdist}} +@page + +@special{psfile=krdist6.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{krdist}} +@page + +@special{psfile=krdist7.ps voffset=-1115 hoffset=-40} +@centerline{Reference Manual for @code{krdist}} +@page +@end iftex +@ifinfo +Type @kbd{M-x manual-entry krdist} to read this manual page. +@end ifinfo + +@node Kerberos Glossary, , @value{PRODUCT} Reference, Top +@appendix Kerberos Glossary + +@include glossary.texinfo + +@contents +@bye |