From 7cc1a302b339a42335c9fe97bbcce0eab5040a02 Mon Sep 17 00:00:00 2001
From: Ken Raeburn
Date: Mon, 29 Apr 1996 21:05:29 +0000
Subject: * Makefile.in (install): Install correct set of man pages, and check for failures. * kshd.M, klogind.M: Renamed from kr*.M versions.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7863 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/appl/bsd/ChangeLog | 6 ++
 src/appl/bsd/Makefile.in | 18 +++--
 src/appl/bsd/klogind.M | 160 ++++++++++++++++++++++++++++++++++++++++
 src/appl/bsd/krlogind.M | 160 ----------------------------------------
 src/appl/bsd/krshd.M | 185 -----------------------------------------------
 src/appl/bsd/kshd.M | 185 +++++++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 362 insertions(+), 352 deletions(-)
 create mode 100644 src/appl/bsd/klogind.M
 delete mode 100644 src/appl/bsd/krlogind.M
 delete mode 100644 src/appl/bsd/krshd.M
 create mode 100644 src/appl/bsd/kshd.M
(limited to 'src')
diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog
index e389418a2..fab67cb03 100644
--- a/src/appl/bsd/ChangeLog
+++ b/src/appl/bsd/ChangeLog
@@ -1,3 +1,9 @@
+Mon Apr 29 17:02:44 1996 Ken Raeburn
+
+ * Makefile.in (install): Install correct set of man pages, and
+ check for failures.
+ * kshd.M, klogind.M: Renamed from kr*.M versions.
+
 Sun Apr 21 12:52:35 1996 Richard Basch
 * krshd.c: If checksumming is required & ALWAYS_V5_KUSEROK is
diff --git a/src/appl/bsd/Makefile.in b/src/appl/bsd/Makefile.in
index ffc511081..de249d94e 100644
--- a/src/appl/bsd/Makefile.in
+++ b/src/appl/bsd/Makefile.in
@@ -41,10 +41,11 @@ rlogin: krlogin.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(DEPLIBS)
 install::
 for f in rsh rcp rlogin; do \
- $(INSTALL_PROGRAM) $$f \
- $(DESTDIR)$(CLIENT_BINDIR)/`echo $$f|sed '$(transform)'`; \
+ ($(INSTALL_PROGRAM) $$f \
+ $(DESTDIR)$(CLIENT_BINDIR)/`echo $$f|sed '$(transform)'` && \
 $(INSTALL_DATA) $(srcdir)/$$f.M \
- ${DESTDIR}$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \
+ ${DESTDIR}$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1 \
+ ) || exit 1; \
 done
 kshd: krshd.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(DEPLIBS)
@@ -55,10 +56,11 @@ klogind: krlogind.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(DEPLIBS)
 install::
 for f in kshd klogind; do \
- $(INSTALL_PROGRAM) $$f \
- $(DESTDIR)$(SERVER_BINDIR)/`echo $$f|sed '$(transform)'`; \
- $(INSTALL_DATA) $(srcdir)/krshd.M \
- ${DESTDIR}$(SERVER_MANDIR)/`echo $$f|sed '$(transform)'`.8; \
+ ($(INSTALL_PROGRAM) $$f \
+ $(DESTDIR)$(SERVER_BINDIR)/`echo $$f|sed '$(transform)'` && \
+ $(INSTALL_DATA) $(srcdir)/$$f.M \
+ ${DESTDIR}$(SERVER_MANDIR)/`echo $$f|sed '$(transform)'`.8 \
+ ) || exit 1 ; \
 done
 #
@@ -73,6 +75,8 @@ login.krb5: login.o $(SETENVOBJ) $(LIBOBJS) $(DEPLIBS)
 install::
 $(INSTALL_PROGRAM) login.krb5 $(DESTDIR)$(SERVER_BINDIR)/login.krb5
+ $(INSTALL_DATA) $(srcdir)/login.M \
+ ${DESTDIR}$(SERVER_MANDIR)/login.krb5.8
 getdtablesize.o: $(srcdir)/getdtablesize.c
diff --git a/src/appl/bsd/klogind.M b/src/appl/bsd/klogind.M
new file mode 100644
index 000000000..8322e7be9
--- /dev/null
+++ b/src/appl/bsd/klogind.M
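Review bot: The server loop in the second hunk (`for f in kshd klogind`) now installs `$(srcdir)/$$f.M` as `klogind.8`, but the klogind.M added by this same commit still carries `.TH KRLOGIND 8C` and `krlogind \- remote login server` in its NAME section, so the installed page would likely be indexed under the old name rather than the file name it is installed as; kshd.M likewise keeps `.TH KRSHD 8C`. The `.TH` and `.SH NAME` lines should follow the rename, e.g. `.TH KLOGIND 8C "Kerberos Version 5.0" "MIT Project Athena"` and `klogind \- remote login server`. As a point of style, the two rewritten loops mix `$(DESTDIR)` and `${DESTDIR}` on adjacent lines and differ on `exit 1;` versus `exit 1 ;`; one spelling in both makes the hunks easier to compare. The `login.krb5.8` target in the third hunk skips `$(transform)`, which matches the literal `login.krb5` binary path right above it and so appears intentional.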
@@ -0,0 +1,160 @@ +.\" Copyright (c) 1983 Regents of the University of California. +.\" All rights reserved. The Berkeley software License Agreement +.\" specifies the terms and conditions for redistribution. +.\" +.\" @(#)rlogind.8c 6.3 (Berkeley) 5/24/86 +.\" +.TH KRLOGIND 8C "Kerberos Version 5.0" "MIT Project Athena" +.SH NAME +krlogind \- remote login server +.SH SYNOPSIS +.B /etc/rlogind +[ +.B \-kr54cpPe +] +.SH DESCRIPTION +.I Krlogind +is the server for the +.IR rlogin (1C) +program. The server is +based on rlogind(8C) but uses kerberos authentication. +.PP +The +.I krlogind +server is invoked by \fIinetd(8c)\fP when it receives a +connection on the port indicated in /etc/inetd.conf. A typical +/etc/inetd.conf configuration line for \fIkrlogind\fP might be: + +klogin stream tcp nowait root /krb5/sbin/krlogind krlogind -e5c + +When a service request is received, the following protocol is initiated: + +.IP 1) +Check authentication. +.IP 2) +Check authorization via the access-control files \fI.k5login\fP, \fI.klogin\fP +and \fI.rhosts\fP in the user's home directory. +.IP 3) +Prompt for password if any checks fail and the \fI-p\fP option was supplied. +.PP +If the authentication succeeds, login the user by calling the accompanying +login.krb5 or /bin/login, according to the definition of +DO_NOT_USE_K_LOGIN. +.PP +The configuration of \fIkrlogind\fP is done +by command line arguments passed by inetd. The options are: +.IP \fB\-5\fP 10 +Allow Kerberos5 authentication with the \fI.k5login\fP access control file +to be trusted. If this authentication system is used by the client and the +authorization check is passed, then the user is allowed to log in. + +.IP \fB\-4\fP +Allow Kerberos4 authentication with the \fI.klogin\fP access control file +to be trusted. If this authentication system is used by the client and the +authorization check is passed, then the user is allowed to log in. 
+ +.IP \fB\-k\fP +Allow Kerberos5 and Kerberos4 as acceptable authentication +mechanisms. This is the same as including \fB\-4\fP and \fB\-5\fP. + +.IP \fB\-r\fP +Trust the remote hostname as an authentication system using the + \fI.rhosts\fP authorization list. This option may +be desupported in future version of klogind. + +.IP \fB\-p\fP + If all other authorization checks fail, prompt the user +for a password If this option is not included, access is denied +without successful authentication and authorization using one of the +previous mechanisms. + +.IP \fB\-P\fP +Prompt the user for a password. +If the -P option is passed, then the password is verified in addition +to all other checks. + +.IP \fB\-e\fP +Create an encrypted session. + +.IP \fB\-c\fP +Require Kerberos5 clients to present a cryptographic +checksum of initial connection information like the name of the user +that the client is trying to access in the initial authenticator. +This checksum provides additionl security by preventing an attacker +from changing the initial connection information. To benefit from +this security, only Kerberos5 should be trusted; Kerberos4 and rhosts +authentication do not include this checksum. If this option is +specified, older Kerberos5 clients that do not send a checksum in the +authenticator will not be able to authenticate to this server. This +option is mutually exclusive with the \fB-i\fP option. + + If neither the \fB-c\fP or \fB-i\fP options are specified,then +checksums are validated if presented. Since it is difficult to remove +a checksum from an authenticator without making the authenticator +invalid, this default mode is almost as significant of a security +improvement as \fB-c\fP if new clients are used. It has the additional +advantage of backwards compatability with some clients. +Unfortunately, clients before Kerberos V5, Beta5, generate invalid +checksums; if these clients are used, the \fB-i\fP option must be +used. 
+ +.IP \fB\-i\fP +Ignore authenticator checksums if provided. This option +ignore authenticator checksusm presented by current Kerberos clients +to protect initial connection information; it is the opposite of +\fB-c\fP. This option is provided because some older +clients--particularly clients predating the release of Kerberos V5 +Beta5 (May 1995)--present bogus checksums that prevent Kerberos +authentication from succeeding in the default mode. + + +.PP +If the +~/.rhosts check is to be used, then the program verifies that the +client is connecting from a privileged port, before allowing login. + +.PP The parent of the login process manipulates the master side of the +pseduo terminal, operating as an intermediary between the login +process and the client instance of the .I rlogin(1C) program. In +normal operation, the packet protocol described in .IR pty (4) is +invoked to provide ^S/^Q type facilities and propagate interrupt +signals to the remote programs. The login process propagates the +client terminal's baud rate and terminal type, as found in the +environment variable, ``TERM''; see .IR environ (7). The screen or +window size of the terminal is requested from the client, and window +size changes from the client are propagated to the pseudo terminal. + +.PP .I Krlogind supports three options which are used for testing +purposes: + +.IP \fB\-S\ srvtab\fP 10 +Set the \fIsrvtab\fP file to use. + +.IP \fB\-M\ realm\fP +Set the Kerberos realm to use. + +.IP \fB\-L\ login\fP +Set the login program to use. This option only has an effect if +DO_NOT_USE_K_LOGIN was not defined when +.I krlogind +was compiled. +.SH DIAGNOSTICS +All diagnostic messages are returned on the connection +associated with the +.BR stderr , +after which any network connections are closed. +An error is indicated by a leading byte with a value of 1. +.PP +.B ``Try again.'' +.br +A +.I fork +by the server failed. +.PP +.B ``/bin/sh: ...'' +.br +The user's login shell could not be started. 
+.SH SEE ALSO +rlogind(8C), rlogin(1C) +.SH BUGS +A more extensible protocol should be used. diff --git a/src/appl/bsd/krlogind.M b/src/appl/bsd/krlogind.M deleted file mode 100644 index 8322e7be9..000000000 --- a/src/appl/bsd/krlogind.M +++ /dev/null 
@@ -1,160 +0,0 @@ -.\" Copyright (c) 1983 Regents of the University of California. -.\" All rights reserved. The Berkeley software License Agreement -.\" specifies the terms and conditions for redistribution. -.\" -.\" @(#)rlogind.8c 6.3 (Berkeley) 5/24/86 -.\" -.TH KRLOGIND 8C "Kerberos Version 5.0" "MIT Project Athena" -.SH NAME -krlogind \- remote login server -.SH SYNOPSIS -.B /etc/rlogind -[ -.B \-kr54cpPe -] -.SH DESCRIPTION -.I Krlogind -is the server for the -.IR rlogin (1C) -program. The server is -based on rlogind(8C) but uses kerberos authentication. -.PP -The -.I krlogind -server is invoked by \fIinetd(8c)\fP when it receives a -connection on the port indicated in /etc/inetd.conf. A typical -/etc/inetd.conf configuration line for \fIkrlogind\fP might be: - -klogin stream tcp nowait root /krb5/sbin/krlogind krlogind -e5c - -When a service request is received, the following protocol is initiated: - -.IP 1) -Check authentication. -.IP 2) -Check authorization via the access-control files \fI.k5login\fP, \fI.klogin\fP -and \fI.rhosts\fP in the user's home directory. -.IP 3) -Prompt for password if any checks fail and the \fI-p\fP option was supplied. -.PP -If the authentication succeeds, login the user by calling the accompanying -login.krb5 or /bin/login, according to the definition of -DO_NOT_USE_K_LOGIN. -.PP -The configuration of \fIkrlogind\fP is done -by command line arguments passed by inetd. The options are: -.IP \fB\-5\fP 10 -Allow Kerberos5 authentication with the \fI.k5login\fP access control file -to be trusted. If this authentication system is used by the client and the -authorization check is passed, then the user is allowed to log in. - -.IP \fB\-4\fP -Allow Kerberos4 authentication with the \fI.klogin\fP access control file -to be trusted. If this authentication system is used by the client and the -authorization check is passed, then the user is allowed to log in. 
- -.IP \fB\-k\fP -Allow Kerberos5 and Kerberos4 as acceptable authentication -mechanisms. This is the same as including \fB\-4\fP and \fB\-5\fP. - -.IP \fB\-r\fP -Trust the remote hostname as an authentication system using the - \fI.rhosts\fP authorization list. This option may -be desupported in future version of klogind. - -.IP \fB\-p\fP - If all other authorization checks fail, prompt the user -for a password If this option is not included, access is denied -without successful authentication and authorization using one of the -previous mechanisms. - -.IP \fB\-P\fP -Prompt the user for a password. -If the -P option is passed, then the password is verified in addition -to all other checks. - -.IP \fB\-e\fP -Create an encrypted session. - -.IP \fB\-c\fP -Require Kerberos5 clients to present a cryptographic -checksum of initial connection information like the name of the user -that the client is trying to access in the initial authenticator. -This checksum provides additionl security by preventing an attacker -from changing the initial connection information. To benefit from -this security, only Kerberos5 should be trusted; Kerberos4 and rhosts -authentication do not include this checksum. If this option is -specified, older Kerberos5 clients that do not send a checksum in the -authenticator will not be able to authenticate to this server. This -option is mutually exclusive with the \fB-i\fP option. - - If neither the \fB-c\fP or \fB-i\fP options are specified,then -checksums are validated if presented. Since it is difficult to remove -a checksum from an authenticator without making the authenticator -invalid, this default mode is almost as significant of a security -improvement as \fB-c\fP if new clients are used. It has the additional -advantage of backwards compatability with some clients. -Unfortunately, clients before Kerberos V5, Beta5, generate invalid -checksums; if these clients are used, the \fB-i\fP option must be -used. 
- -.IP \fB\-i\fP -Ignore authenticator checksums if provided. This option -ignore authenticator checksusm presented by current Kerberos clients -to protect initial connection information; it is the opposite of -\fB-c\fP. This option is provided because some older -clients--particularly clients predating the release of Kerberos V5 -Beta5 (May 1995)--present bogus checksums that prevent Kerberos -authentication from succeeding in the default mode. - - -.PP -If the -~/.rhosts check is to be used, then the program verifies that the -client is connecting from a privileged port, before allowing login. - -.PP The parent of the login process manipulates the master side of the -pseduo terminal, operating as an intermediary between the login -process and the client instance of the .I rlogin(1C) program. In -normal operation, the packet protocol described in .IR pty (4) is -invoked to provide ^S/^Q type facilities and propagate interrupt -signals to the remote programs. The login process propagates the -client terminal's baud rate and terminal type, as found in the -environment variable, ``TERM''; see .IR environ (7). The screen or -window size of the terminal is requested from the client, and window -size changes from the client are propagated to the pseudo terminal. - -.PP .I Krlogind supports three options which are used for testing -purposes: - -.IP \fB\-S\ srvtab\fP 10 -Set the \fIsrvtab\fP file to use. - -.IP \fB\-M\ realm\fP -Set the Kerberos realm to use. - -.IP \fB\-L\ login\fP -Set the login program to use. This option only has an effect if -DO_NOT_USE_K_LOGIN was not defined when -.I krlogind -was compiled. -.SH DIAGNOSTICS -All diagnostic messages are returned on the connection -associated with the -.BR stderr , -after which any network connections are closed. -An error is indicated by a leading byte with a value of 1. -.PP -.B ``Try again.'' -.br -A -.I fork -by the server failed. -.PP -.B ``/bin/sh: ...'' -.br -The user's login shell could not be started. 
-.SH SEE ALSO -rlogind(8C), rlogin(1C) -.SH BUGS -A more extensible protocol should be used. diff --git a/src/appl/bsd/krshd.M b/src/appl/bsd/krshd.M deleted file mode 100644 index 9b263ec0d..000000000 --- a/src/appl/bsd/krshd.M +++ /dev/null 
@@ -1,185 +0,0 @@ -.\" Copyright (c) 1983 Regents of the University of California. -.\" All rights reserved. The Berkeley software License Agreement -.\" specifies the terms and conditions for redistribution. -.\" -.\" @(#)rshd.8c 6.3 (Berkeley) 5/24/86 -.\" -.TH KRSHD 8C "Kerberos Version 5.0" "MIT Project Athena" -.SH NAME -kshd \- kerberized remote shell server -.SH SYNOPSIS -.B /usr/local/sbin/kshd -kr45ec -.SH DESCRIPTION -.I Krshd -is the server for the -.IR rcmd (3X) -routine and, consequently, for the -.IR rsh (1C) -program. The server provides remote execution facilities -with authentication based on privileged port numbers from trusted hosts or -the Kerberos authentication system. -.PP -The -.I kshd -server is invoked by \fIinetd(8c)\fP when it receives a connection -on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf -configuration line for \fIkrshd\fP might be: - -kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c - -When a service request is received, the following protocol is initiated: - -.IP 1) -Authentication is checked -.IP 2) -Check authorization via the access-control files \fI.k5login\fP, \fI.klogin\fP -and \fI.rhosts\fP in the user's home directory. -.IP 3) -A null byte is returned on the initial socket -and the command line is passed to the normal login -shell of the user. The -shell inherits the network connections established -by -.IR krshd . - -\fIKrshd\fP can be configured by command-line arguments passed -by \fIinetd(8)\fP. - The options are: - -.IP \fB\-5\fP 10 -Allow Kerberos5 authentication with the \fI.k5login\fP access control file -to be trusted. If this authentication system is used by the client and the -authorization check is passed, then the user is allowed to log in. - -.IP \fB\-4\fP -Allow Kerberos4 authentication with the \fI.klogin\fP access control file -to be trusted. If this authentication system is used by the client and the -authorization check is passed, then the user is allowed to log in. 
- -.IP \fB\-k\fP -Allow Kerberos5 and Kerberos4 as acceptable authentication -mechanisms. This is the same as including \fB\-4\fP and \fB\-5\fP. - -.IP \fB\-r\fP -Trust the remote hostname as an authentication system using the - \fI.rhosts\fP authorization list. This option may be desupported in a future version. - - -.IP \fB\-e\fP -Require the client to encrypt the connection. Only Kerberos5 clients -support encryption. - -.IP \fB\-c\fP -Require Kerberos5 clients to present a cryptographic -checksum of initial connection information like the name of the user -that the client is trying to access in the initial authenticator. -This checksum provides additionl security by preventing an attacker -from changing the initial connection information. To benefit from -this security, only Kerberos5 should be trusted; Kerberos4 and rhosts -authentication do not include this checksum. If this option is -specified, older Kerberos5 clients that do not send a checksum in the -authenticator will not be able to authenticate to this server. This -option is mutually exclusive with the \fB-i\fP option. - - If neither the \fB-c\fP or \fB-i\fP options are specified,then -checksums are validated if presented. Since it is difficult to remove -a checksum from an authenticator without making the authenticator -invalid, this default mode is almost as significant of a security -improvement as \fB-c\fP if new clients are used. It has the additional -advantage of backwards compatability with some clients. -Unfortunately, clients before Kerberos V5, Beta5, generate invalid -checksums; if these clients are used, the \fB-i\fP option must be -used. - -.IP \fB\-i\fP -Ignore authenticator checksums if provided. This option -ignore authenticator checksusm presented by current Kerberos clients -to protect initial connection information; it is the opposite of -\fB-c\fP. 
This option is provided because some older -clients--particularly clients predating the release of Kerberos V5 -Beta5 (May 1995)--present bogus checksums that prevent Kerberos -authentication from succeeding in the default mode. - - -.PP -If the \fB\-r\fP or \fB\-R\fP options are used, the client must -connect from a privileged port. -.PP -\fIKrshd\fP supports four options which may be used for testing: - -.IP \fB\-S\ srvtab\fP 10 -Set the \fIsrvtab\fP file to use. - -.IP \fB\-M\ realm\fP -Set the Kerberos realm to use. - -.IP \fB\-A\fP -Don't allocate a reserved port for the stderr connection. - -.IP \fB\-P\ path\fP -Use the argument to find the Kerberos binaries. Normally a compiled -in argument is used. -.SH DIAGNOSTICS -Except for the last one listed below, -all diagnostic messages -are returned on the initial socket, -after which any network connections are closed. -An error is indicated by a leading byte with a value of -1 (0 is returned in step 3 above upon successful completion -of all the steps prior to the execution of the login shell). -.PP -.B ``locuser too long'' -.br -The name of the user on the client's machine is -longer than 16 characters. -.PP -.B ``remuser too long'' -.br -The name of the user on the remote machine is -longer than 16 characters. -.PP -.B ``command too long '' -.br -The command line passed exceeds the size of the argument -list (as configured into the system). -.PP -.B ``Login incorrect.'' -.br -No password file entry for the user name existed. -.PP -.B ``No remote directory.'' -.br -The -.I chdir -command to the home directory failed. -.PP -.B ``Permission denied.'' -.br -The authentication procedure described above failed. -.PP -.B ``Can't make pipe.'' -.br -The pipe needed for the -.BR stderr , -wasn't created. -.PP -.B ``Try again.'' -.br -A -.I fork -by the server failed. -.PP -.B ``: ...'' -.br -The user's login shell could not be started. 
This message is returned -on the connection associated with the -.BR stderr , -and is not preceded by a flag byte. -.SH SEE ALSO -rshd(8C), rsh(1C), -rcmd(3X) -.SH BUGS -A facility to allow all data exchanges to be encrypted should be -present. -.PP -A more extensible protocol should be used. diff --git a/src/appl/bsd/kshd.M b/src/appl/bsd/kshd.M new file mode 100644 index 000000000..9b263ec0d --- /dev/null +++ b/src/appl/bsd/kshd.M 
@@ -0,0 +1,185 @@ +.\" Copyright (c) 1983 Regents of the University of California. +.\" All rights reserved. The Berkeley software License Agreement +.\" specifies the terms and conditions for redistribution. +.\" +.\" @(#)rshd.8c 6.3 (Berkeley) 5/24/86 +.\" +.TH KRSHD 8C "Kerberos Version 5.0" "MIT Project Athena" +.SH NAME +kshd \- kerberized remote shell server +.SH SYNOPSIS +.B /usr/local/sbin/kshd -kr45ec +.SH DESCRIPTION +.I Krshd +is the server for the +.IR rcmd (3X) +routine and, consequently, for the +.IR rsh (1C) +program. The server provides remote execution facilities +with authentication based on privileged port numbers from trusted hosts or +the Kerberos authentication system. +.PP +The +.I kshd +server is invoked by \fIinetd(8c)\fP when it receives a connection +on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf +configuration line for \fIkrshd\fP might be: + +kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c + +When a service request is received, the following protocol is initiated: + +.IP 1) +Authentication is checked +.IP 2) +Check authorization via the access-control files \fI.k5login\fP, \fI.klogin\fP +and \fI.rhosts\fP in the user's home directory. +.IP 3) +A null byte is returned on the initial socket +and the command line is passed to the normal login +shell of the user. The +shell inherits the network connections established +by +.IR krshd . + +\fIKrshd\fP can be configured by command-line arguments passed +by \fIinetd(8)\fP. + The options are: + +.IP \fB\-5\fP 10 +Allow Kerberos5 authentication with the \fI.k5login\fP access control file +to be trusted. If this authentication system is used by the client and the +authorization check is passed, then the user is allowed to log in. + +.IP \fB\-4\fP +Allow Kerberos4 authentication with the \fI.klogin\fP access control file +to be trusted. If this authentication system is used by the client and the +authorization check is passed, then the user is allowed to log in. 
+ +.IP \fB\-k\fP +Allow Kerberos5 and Kerberos4 as acceptable authentication +mechanisms. This is the same as including \fB\-4\fP and \fB\-5\fP. + +.IP \fB\-r\fP +Trust the remote hostname as an authentication system using the + \fI.rhosts\fP authorization list. This option may be desupported in a future version. + + +.IP \fB\-e\fP +Require the client to encrypt the connection. Only Kerberos5 clients +support encryption. + +.IP \fB\-c\fP +Require Kerberos5 clients to present a cryptographic +checksum of initial connection information like the name of the user +that the client is trying to access in the initial authenticator. +This checksum provides additionl security by preventing an attacker +from changing the initial connection information. To benefit from +this security, only Kerberos5 should be trusted; Kerberos4 and rhosts +authentication do not include this checksum. If this option is +specified, older Kerberos5 clients that do not send a checksum in the +authenticator will not be able to authenticate to this server. This +option is mutually exclusive with the \fB-i\fP option. + + If neither the \fB-c\fP or \fB-i\fP options are specified,then +checksums are validated if presented. Since it is difficult to remove +a checksum from an authenticator without making the authenticator +invalid, this default mode is almost as significant of a security +improvement as \fB-c\fP if new clients are used. It has the additional +advantage of backwards compatability with some clients. +Unfortunately, clients before Kerberos V5, Beta5, generate invalid +checksums; if these clients are used, the \fB-i\fP option must be +used. + +.IP \fB\-i\fP +Ignore authenticator checksums if provided. This option +ignore authenticator checksusm presented by current Kerberos clients +to protect initial connection information; it is the opposite of +\fB-c\fP. 
This option is provided because some older +clients--particularly clients predating the release of Kerberos V5 +Beta5 (May 1995)--present bogus checksums that prevent Kerberos +authentication from succeeding in the default mode. + + +.PP +If the \fB\-r\fP or \fB\-R\fP options are used, the client must +connect from a privileged port. +.PP +\fIKrshd\fP supports four options which may be used for testing: + +.IP \fB\-S\ srvtab\fP 10 +Set the \fIsrvtab\fP file to use. + +.IP \fB\-M\ realm\fP +Set the Kerberos realm to use. + +.IP \fB\-A\fP +Don't allocate a reserved port for the stderr connection. + +.IP \fB\-P\ path\fP +Use the argument to find the Kerberos binaries. Normally a compiled +in argument is used. +.SH DIAGNOSTICS +Except for the last one listed below, +all diagnostic messages +are returned on the initial socket, +after which any network connections are closed. +An error is indicated by a leading byte with a value of +1 (0 is returned in step 3 above upon successful completion +of all the steps prior to the execution of the login shell). +.PP +.B ``locuser too long'' +.br +The name of the user on the client's machine is +longer than 16 characters. +.PP +.B ``remuser too long'' +.br +The name of the user on the remote machine is +longer than 16 characters. +.PP +.B ``command too long '' +.br +The command line passed exceeds the size of the argument +list (as configured into the system). +.PP +.B ``Login incorrect.'' +.br +No password file entry for the user name existed. +.PP +.B ``No remote directory.'' +.br +The +.I chdir +command to the home directory failed. +.PP +.B ``Permission denied.'' +.br +The authentication procedure described above failed. +.PP +.B ``Can't make pipe.'' +.br +The pipe needed for the +.BR stderr , +wasn't created. +.PP +.B ``Try again.'' +.br +A +.I fork +by the server failed. +.PP +.B ``: ...'' +.br +The user's login shell could not be started. 
This message is returned +on the connection associated with the +.BR stderr , +and is not preceded by a flag byte. +.SH SEE ALSO +rshd(8C), rsh(1C), +rcmd(3X) +.SH BUGS +A facility to allow all data exchanges to be encrypted should be +present. +.PP +A more extensible protocol should be used. -- cgit