\input texinfo @c -*-texinfo-*-

@setfilename krb5-user.info
@settitle Kerberos V5 UNIX User's Guide
@setchapternewpage odd @c chapter begins on next odd page
@c @setchapternewpage on @c chapter begins on next page
@c @smallbook @c Format for 7" X 9.25" paper

@include definitions.texinfo

@finalout @c don't print black warning boxes

@title @value{PRODUCT} UNIX User's Guide
@subtitle Release: @value{RELEASE}
@subtitle Document Edition: @value{EDITION}
@subtitle Last updated: @value{UPDATED}
@author @value{COMPANY}

@vskip 0pt plus 1filll

@include copyright.texinfo

@comment node-name, next, previous, up
@node Top, Introduction, (dir), (dir)

This file describes how to use the @value{PRODUCT} client programs.

@include copyright.texinfo

@c The master menu is updated using emacs19's M-x texinfo-all-menus-update
@c function. Don't forget to run M-x texinfo-every-node-update after
@c you add a new section or subsection, or after you've rearranged the
@c command before each @section or @subsection! All you need to enter

@c @section New Section Name

@c M-x texinfo-every-node-update will take care of calculating the
@c node's forward and back pointers.

@c ---------------------------------------------------------------------

* Kerberos V5 Tutorial::
* Kerberos V5 Reference::
@node Introduction, Kerberos V5 Tutorial, Top, Top

@value{PRODUCT} is based on the Kerberos V5 authentication system
developed at MIT. Kerberos is named for the three-headed watchdog from
Greek mythology, who guarded the entrance to the underworld.

Under Kerberos, a client (generally either a user or a service) sends a
request for a ticket to the @i{Key Distribution Center} (KDC). The KDC
creates a @dfn{ticket-granting ticket} (TGT) for the client, encrypts it
using the client's password as the key, and sends the encrypted TGT back
to the client. The client then attempts to decrypt the TGT, using its
password. If the client successfully decrypts the TGT (@i{i.e.}, if the
client gave the correct password), it keeps the decrypted TGT, which
indicates proof of the client's identity.

The TGT, which expires at a specified time, permits the client to obtain
additional tickets, which give permission for specific services. The
requesting and granting of these additional tickets is user-transparent.

Since Kerberos negotiates authenticated, and optionally encrypted,
communications between two points anywhere on the internet, it provides
a layer of security that is not dependent on which side of a firewall
either client is on. Since studies have shown that half of the computer
security breaches in industry happen from @i{inside} firewalls,
@value{COMPANY}'s @value{PRODUCT} plays a vital role in maintaining your

The @value{PRODUCT} package is designed to be easy to use. Most of the
commands are nearly identical to UNIX network programs you are already
used to. @value{PRODUCT} is a @dfn{single-sign-on} system, which means
that you have to type your password only once per session, and Kerberos
does the authenticating and encrypting transparently.

* What is a Ticket?::
* What is a Kerberos Principal?::
@node What is a Ticket?, What is a Kerberos Principal?, Introduction, Introduction
@section What is a Ticket?

Your Kerberos @dfn{credentials}, or ``@dfn{tickets}'', are a set of
electronic information that can be used to verify your identity. Your
Kerberos tickets may be stored in a file, or they may exist only in

The first ticket you obtain is a @dfn{ticket-granting ticket}, which
permits you to obtain additional tickets. These additional tickets give
you permission for specific services. The requesting and granting of
these additional tickets happens transparently.

A good analogy for the ticket-granting ticket is a three-day ski pass
that is good at four different resorts. You show the pass at whichever
resort you decide to go to (until it expires), and you receive a lift
ticket for that resort. Once you have the lift ticket, you can ski all
you want at that resort. If you go to another resort the next day, you
once again show your pass, and you get an additional lift ticket for the
new resort. The difference is that the @value{PRODUCT} programs notice
that you have the weekend ski pass, and get the lift ticket for you, so
you don't have to perform the transactions yourself.

@node What is a Kerberos Principal?, , What is a Ticket?, Introduction
@section What is a Kerberos Principal?

A Kerberos @dfn{principal} is a unique identity to which Kerberos can
assign tickets. By convention, a principal is divided into three parts:
the @dfn{primary}, the @dfn{instance}, and the @dfn{realm}. The format
of a typical Kerberos V5 principal is @code{primary/instance@@REALM}.

@item The @dfn{primary} is the first part of the principal. In the case
of a user, it's the same as your username. For a host, the primary is
the word @code{host}.

@item The @dfn{instance} is an optional string that qualifies the
primary. The instance is separated from the primary by a slash
(@code{/}). In the case of a user, the instance is usually null, but a
user might also have an additional principal, with an instance called
@samp{admin}, which he/she uses to administer a database. The
principal @code{@value{RANDOMUSER1}@@@value{PRIMARYREALM}} is completely
separate from the principal
@code{@value{RANDOMUSER1}/admin@@@value{PRIMARYREALM}}, with a separate
password, and separate permissions. In the case of a host, the instance
is the fully qualified hostname, e.g.,
@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}.

@item The @dfn{realm} is your Kerberos realm. In most cases, your
Kerberos realm is your domain name, in upper-case letters. For example,
the machine @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} would be in
the realm @code{@value{PRIMARYREALM}}.
@node Kerberos V5 Tutorial, Kerberos V5 Reference, Introduction, Top
@chapter @value{PRODUCT} Tutorial

This tutorial is intended to familiarize you with the @value{PRODUCT}
client programs. We will represent your prompt as ``@code{shell%}''.
So an instruction to type the ``@kbd{ls}'' command would be represented as

In these examples, we will use sample usernames, such as
@code{@value{RANDOMUSER1}} and @code{@value{RANDOMUSER2}}, sample
hostnames, such as @code{@value{RANDOMHOST1}} and
@code{@value{RANDOMHOST2}}, and sample domain names, such as
@code{@value{PRIMARYDOMAIN}} and @code{@value{SECONDDOMAIN}}. When you
see one of these, substitute your username, hostname, or domain name

* Setting Up to Use Kerberos V5::
* Ticket Management::
* Password Management::
* Kerberos V5 Applications::

@node Setting Up to Use Kerberos V5, Ticket Management, Kerberos V5 Tutorial, Kerberos V5 Tutorial
@section Setting Up to Use @value{PRODUCT}

Your system administrator will have installed the @value{PRODUCT}
programs in whichever directory makes the most sense for your system.
We will use @code{@value{ROOTDIR}} throughout this guide to refer to the
top-level @value{PRODUCT} directory. We will therefore use
@code{@value{BINDIR}} to denote the location of the @value{PRODUCT} user
programs. In your installation, the directory name may be different,
but whatever the directory name is, you should make sure it is included
in your path. You will probably want to put it @i{ahead of} the
directories @code{/bin} and @code{/usr/bin} so you will get the
@value{PRODUCT} network programs, rather than the standard UNIX
versions, when you type their command names.
@node Ticket Management, Password Management, Setting Up to Use Kerberos V5, Kerberos V5 Tutorial
@section Ticket Management

On many systems, Kerberos is built into the login program, and you get
tickets automatically when you log in. Other programs, such as
@code{rsh}, @code{rcp}, @code{telnet}, and @code{rlogin}, can forward
copies of your tickets to the remote host. Most of these programs also
automatically destroy your tickets when they exit. However,
@value{COMPANY} recommends that you explicitly destroy your Kerberos
tickets when you are through with them, just to be sure. One way to
help ensure that this happens is to add the @code{kdestroy} command to
your @code{.logout} file. Additionally, if you are going to be away
from your machine and are concerned about an intruder using your
permissions, it is safest to either destroy all copies of your tickets,
or use a screensaver that locks the screen.

* Obtaining Tickets with kinit::
* Viewing Your Tickets with klist::
* Destroying Your Tickets with kdestroy::

@node Obtaining Tickets with kinit, Viewing Your Tickets with klist, Ticket Management, Ticket Management
@subsection Obtaining Tickets with kinit

If your site is using the @value{PRODUCT} login program, you will get
Kerberos tickets automatically when you log in. If your site uses a
different login program, you may need to explicitly obtain your Kerberos
tickets, using the @code{kinit} program. Similarly, if your Kerberos
tickets expire, use the @code{kinit} program to obtain new ones.

To use the @code{kinit} program, simply type @kbd{kinit} and then type
your password at the prompt. For example, Jennifer (whose username is
@code{@value{RANDOMUSER1}}) works for Bleep, Inc. (a fictitious company
with the domain name @code{@value{PRIMARYDOMAIN}} and the Kerberos realm
@code{@value{PRIMARYREALM}}). She would type:

@b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type @value{RANDOMUSER1}'s password here.]}

If you type your password incorrectly, @code{kinit} will give you the following

@b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type the wrong password here.]}
@b{kinit: Password incorrect}

@noindent and you won't get Kerberos tickets.

@noindent Notice that @code{kinit} assumes you want tickets for your own
username in your default realm.

Suppose Jennifer's friend David is visiting, and he wants to borrow a
window to check his mail. David needs to get tickets for himself in his
own realm, @value{SECONDREALM}.@footnote{Note: the realm
@value{SECONDREALM} must be listed in your computer's Kerberos
configuration file, @code{/etc/krb5.conf}.} He would type:

@b{shell%} kinit @value{RANDOMUSER2}@@@value{SECONDREALM}
@b{Password for @value{RANDOMUSER2}@@@value{SECONDREALM}:} @i{<-- [Type @value{RANDOMUSER2}'s password here.]}

@noindent David would then have tickets which he could use to log onto
his own machine. Note that he typed his password locally on Jennifer's
machine, but it never went over the network. Kerberos on the local host
performed the authentication to the KDC in the other realm.

If you want to be able to forward your tickets to another host, you need
to request @dfn{forwardable} tickets. You do this by specifying the

@b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type your password here.]}

Note that @code{kinit} does not tell you that it obtained forwardable
tickets; you can verify this using the @code{klist} command
(@pxref{Viewing Your Tickets with klist}).

Normally, your tickets are good for your system's default ticket
lifetime, which is ten hours on many systems. You can specify a
different ticket lifetime with the @samp{-l} option. Add the letter
@samp{s} to the value for seconds, @samp{m} for minutes, @samp{h} for
hours, or @samp{d} for days.

For example, to obtain forwardable tickets for
@code{@value{RANDOMUSER2}@@@value{SECONDREALM}} that would be good for
three hours, you would type:

@b{shell%} kinit -f -l 3h @value{RANDOMUSER2}@@@value{SECONDREALM}
@b{Password for @value{RANDOMUSER2}@@@value{SECONDREALM}:} @i{<-- [Type @value{RANDOMUSER2}'s password here.]}

You cannot mix units; specifying a lifetime of @samp{3h30m} would result
in an error. Note also that most systems specify a maximum ticket
lifetime. If you request a longer ticket lifetime, it will be
automatically truncated to the maximum lifetime.
@node Viewing Your Tickets with klist, Destroying Your Tickets with kdestroy, Obtaining Tickets with kinit, Ticket Management
@subsection Viewing Your Tickets with klist

The @code{klist} command shows your tickets. When you first obtain
tickets, you will have only the ticket-granting ticket. (@xref{What is
a Ticket?}.) The listing would look like this:

Ticket cache: /tmp/krb5cc_ttypa
Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}

Valid starting     Expires            Service principal
06/07/96 19:49:21  06/08/96 05:49:19  krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}

The ticket cache is the location of your ticket file. In the above
example, this file is named @code{/tmp/krb5cc_ttypa}. The default
principal is your Kerberos @dfn{principal}. (@pxref{What is a Kerberos

The ``valid starting'' and ``expires'' fields describe the period of
time during which the ticket is valid. The @dfn{service principal}
describes each ticket. The ticket-granting ticket has the primary
@code{krbtgt}, and the instance is the realm name.

Now, if @value{RANDOMUSER1} connected to the machine
@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, and then typed
@kbd{klist} again, she would have gotten the following result:

Ticket cache: /tmp/krb5cc_ttypa
Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}

Valid starting     Expires            Service principal
06/07/96 19:49:21  06/08/96 05:49:19  krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
06/07/96 20:22:30  06/08/96 05:49:19  host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}

Here's what happened: when @value{RANDOMUSER1} used telnet to connect
to the host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, the telnet
program presented her ticket-granting ticket to the KDC and requested a
host ticket for the host
@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}. The KDC sent the host
ticket, which telnet then presented to the host
@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, and she was allowed to
log in without typing her password.

Suppose your Kerberos tickets allow you to log into a host in another
domain, such as @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, which
is also in another Kerberos realm, @code{@value{SECONDREALM}}. If you
telnet to this host, you will receive a ticket-granting ticket for the
realm @code{@value{SECONDREALM}}, plus the new @code{host} ticket for
@code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}. @kbd{klist} will now

Ticket cache: /tmp/krb5cc_ttypa
Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}

Valid starting     Expires            Service principal
06/07/96 19:49:21  06/08/96 05:49:19  krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
06/07/96 20:22:30  06/08/96 05:49:19  host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
06/07/96 20:24:18  06/08/96 05:49:19  krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}
06/07/96 20:24:18  06/08/96 05:49:19  host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{PRIMARYREALM}

You can use the @code{-f} option to view the @dfn{flags} that apply to
your tickets. The flags are:

Here is a sample listing. In this example, the user @value{RANDOMUSER1}
obtained her initial tickets (@samp{I}), which are forwardable
(@samp{F}) and postdated (@samp{d}) but not yet validated (@samp{i}).
(@xref{kinit Reference} for more information about postdated tickets.)

@b{Ticket cache: /tmp/krb5cc_320
Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}

Valid starting      Expires             Service principal
31 Jul 96 19:06:25  31 Jul 96 19:16:25  krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}

In the following example, the user @value{RANDOMUSER2}'s tickets were
forwarded (@samp{f}) to this host from another host. The tickets are
reforwardable (@samp{F}).

@b{Ticket cache: /tmp/krb5cc_p11795
Default principal: @value{RANDOMUSER2}@@@value{SECONDREALM}

Valid starting     Expires            Service principal
07/31/96 11:52:29  07/31/96 21:11:23  krbtgt/@value{SECONDREALM}@@@value{SECONDREALM}
07/31/96 12:03:48  07/31/96 21:11:23  host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{SECONDREALM}
@node Destroying Your Tickets with kdestroy, , Viewing Your Tickets with klist, Ticket Management
@subsection Destroying Your Tickets with kdestroy

Your Kerberos tickets are proof that you are indeed yourself, and
tickets can be stolen. If this happens, the person who has them can
masquerade as you until they expire. For this reason, you should
destroy your Kerberos tickets when you are away from your computer.

Destroying your tickets is easy. Simply type @kbd{kdestroy}.

If @code{kdestroy} fails to destroy your tickets, it will beep and give
an error message. For example, if @code{kdestroy} can't find any
tickets to destroy, it will give the following message:

@b{kdestroy: No credentials cache file found while destroying cache
Ticket cache NOT destroyed!

@node Password Management, Kerberos V5 Applications, Ticket Management, Kerberos V5 Tutorial
@section Password Management

Your password is the only way Kerberos has of verifying your identity.
If someone finds out your password, that person can masquerade as
you---send email that comes from you, read, edit, or delete your files,
or log into other hosts as you---and no one will be able to tell the
difference. For this reason, it is important that you choose a good
password (@pxref{Password Advice}), and keep it secret. If you need to
give access to your account to someone else, you can do so through
Kerberos. (@xref{Granting Access to Your Account}.) You should
@i{never} tell your password to anyone, including your system
administrator, for any reason. You should change your password
frequently, particularly any time you think someone may have found out

* Changing Your Password::

* Granting Access to Your Account::

@node Changing Your Password, Password Advice, Password Management, Password Management
@subsection Changing Your Password

To change your Kerberos password, use the @code{kpasswd} command. It
will ask you for your old password (to prevent someone else from walking
up to your computer when you're not there and changing your password),
and then prompt you for the new one twice. (The reason you have to type
it twice is to make sure you have typed it correctly.) For example,
user @code{@value{RANDOMUSER2}} would do the following:

@b{Old password for @value{RANDOMUSER2}:} @i{<- Type your old password.}
@b{New Password for @value{RANDOMUSER2}:} @i{<- Type your new password.}
@b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type the new password again.}
@b{Password changed.}

If @value{RANDOMUSER2} typed the incorrect old password, he would get
the following message:

@b{Old password for @value{RANDOMUSER2}:} @i{<- Type the incorrect old password.}
@b{Incorrect old password.

If you make a mistake and don't type the new password the same way
twice, @code{kpasswd} will ask you to try again:

@b{Old password for @value{RANDOMUSER2}:} @i{<- Type the old password.}
@b{New Password for @value{RANDOMUSER2}:} @i{<- Type the new password.}
@b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type a different new password.}
@b{Mismatch - try again
New Password for @value{RANDOMUSER2}:} @i{<- Type the new password.}
@b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type the same new password.}

Once you change your password, it takes some time for the change to
propagate through the system. Depending on how your system is set up,
this might be anywhere from a few minutes to an hour or more. If you
need to get new Kerberos tickets shortly after changing your password,
try the new password. If the new password doesn't work, try again using
@node Password Advice, Granting Access to Your Account, Changing Your Password, Password Management
@subsection Password Advice

Your password can include almost any character you can type (except
control keys and the ``enter'' key). A good password is one you can
remember, but that no one else can easily guess. Examples of @i{bad}
passwords are words that can be found in a dictionary, any common or
popular name, especially a famous person (or cartoon character), your
name or username in any form (@i{e.g.}, forward, backward, repeated
twice, @i{etc.}), your spouse's, child's, or pet's name, your birth
date, your social security number, and any sample password that appears
in this (or any other) manual.

@value{COMPANY} recommends that your password be at least 6 characters
long, and contain UPPER- and lower-case letters, numbers, and/or
punctuation marks. Some passwords that would be good if they weren't
listed in this manual include:

@item some initials, like ``GykoR-66.'' for ``Get your kicks on Route

@item an easy-to-pronounce nonsense word, like ``slaRooBey'' or

@item a misspelled phrase, like ``2HotPeetzas!'' or ``ItzAGurl!!!''

@noindent Note: don't actually use any of the above passwords. They're
only meant to show you how to make up a good password. Passwords that
appear in a manual are the first ones intruders will try.

@value{PRODUCT} allows your system administrators to automatically
reject bad passwords, based on whatever criteria they choose. For
example, if the user @code{@value{RANDOMUSER1}} chose a bad password,
Kerberos would give an error message like the following:

@b{Old password for @value{RANDOMUSER1}:} @i{<- Type your old password here.}
@b{New Password for @value{RANDOMUSER1}:} @i{<- Type an insecure new password.}
@b{Verifying, please re-enter New Password for @value{RANDOMUSER1}:} @i{<- Type it again.}

ERROR: Insecure password not accepted. Please choose another.

kpasswd: Insecure password rejected while attempting to change password.
Please choose another password.

@b{New Password for @value{RANDOMUSER1}:} @i{<- Type a good password here.}
@b{Verifying, please re-enter New Password for @value{RANDOMUSER1}:} @i{<- Type it again.}

@noindent Your system administrators can choose the message that is
displayed if you choose a bad password, so the message you see may be
different from the above example.
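
@noindent The following Python code is an added example, not part of the
original guide or of the @value{PRODUCT} distribution. It applies the
advice in this section as an automatic check of the kind an administrator
might configure; the function names, the reason codes, and the reading of
the character-class rule as ``at least two classes'' are assumptions of
this example.

```python
import string

MIN_LENGTH = 6  # minimum length recommended in the text above

# Sample passwords printed in the guide; a published example is never acceptable.
MANUAL_SAMPLES = {"GykoR-66.", "slaRooBey", "2HotPeetzas!", "ItzAGurl!!!"}


def username_forms(username):
    """Forms of the username the guide calls out: forward, backward, repeated."""
    u = username.lower()
    return {u, u[::-1], u * 2, u[::-1] * 2}


def character_classes(password):
    """Count how many of upper, lower, digit and punctuation are present."""
    tests = (str.isupper, str.islower, str.isdigit,
             lambda c: c in string.punctuation)
    return sum(1 for test in tests if any(test(c) for c in password))


def password_problems(password, username, dictionary=(), personal=()):
    """Return a sorted list of reason codes; an empty list means 'accepted'.

    dictionary: words to reject (assumed to be supplied by the site).
    personal:   names, dates or ID numbers tied to the user (also assumed).
    """
    problems = set()
    if any(ord(c) < 32 or ord(c) == 127 for c in password):
        problems.add("control-character")
    if len(password) < MIN_LENGTH:
        problems.add("too-short")
    # Assumption: the guide's "and/or" is read as "at least two classes".
    if character_classes(password) < 2:
        problems.add("one-character-class")
    if password in MANUAL_SAMPLES:
        problems.add("published-sample")

    # Compare on letters only, so "Jennifer1!" is still seen as "jennifer".
    letters = "".join(c for c in password.lower() if c.isalpha())
    if letters and letters in username_forms(username):
        problems.add("username-form")
    if letters and letters in {w.lower() for w in dictionary}:
        problems.add("dictionary-word")
    # Personal items may be numeric (birth date, ID number): keep the digits.
    alnum = "".join(c for c in password.lower() if c.isalnum())
    if alnum and alnum in {p.lower() for p in personal}:
        problems.add("personal-detail")
    return sorted(problems)


if __name__ == "__main__":
    # Constructed candidates for a user whose username is "jennifer".
    for candidate in ("jennifer", "Refinnej!refinnej", "GykoR-66.", "Kerberos1"):
        print(candidate, password_problems(candidate, "jennifer",
                                           dictionary={"kerberos"}))
```
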
@node Granting Access to Your Account, , Password Advice, Password Management
@subsection Granting Access to Your Account

If you need to give someone access to log into your account, you can do
so through Kerberos, without telling the person your password. Simply
create a file called @code{.k5login} in your home directory. This file
should contain the Kerberos principal (@pxref{What is a Kerberos
Principal?}) of each person to whom you wish to give access. Each
principal must be on a separate line. Here is a sample @code{.k5login}

@value{RANDOMUSER1}@@@value{PRIMARYREALM}
@value{RANDOMUSER2}@@@value{SECONDREALM}

@noindent This file would allow the users @code{@value{RANDOMUSER1}} and
@code{@value{RANDOMUSER2}} to use your user ID, provided that they had
Kerberos tickets in their respective realms. If you will be logging
into other hosts across a network, you will want to include your own
Kerberos principal in your @code{.k5login} file on each of these hosts.

Using a @code{.k5login} file is much safer than giving out your

@item You can take access away any time simply by removing the principal
from your @code{.k5login} file.

@item Although the user has full access to your account on one
particular host (or set of hosts if your @code{.k5login} file is shared,
@i{e.g.}, over NFS), that user does not inherit your network privileges.

@item Kerberos keeps a log of who obtains tickets, so a system
administrator could find out, if necessary, who was capable of using
your user ID at a particular time.

One common application is to have a @code{.k5login} file in
@code{root}'s home directory, giving root access to that machine to the
Kerberos principals listed. This lets system administrators allow
users to become root locally, or to log in remotely as @code{root},
without their having to give out the root password, and without anyone
having to type the root password over the network.
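
@noindent The audit below is an added example in Python, not part of the
original guide or of the @value{PRODUCT} distribution. It parses each
@code{.k5login} entry into the primary, instance and realm described in
``What is a Kerberos Principal?'' and lists every principal that has
access to the account; the function names, finding codes, sample
principals and the file-permission check are assumptions of this example.

```python
import os
import stat
from dataclasses import dataclass
from typing import List, NamedTuple, Optional


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: str


class Finding(NamedTuple):
    line: int    # 1-based line number, 0 for whole-file findings
    code: str
    detail: str


def parse_principal(text: str) -> Principal:
    """Split primary[/instance]@REALM. Assumption: an explicit realm is
    required and backslash-escaped separators are not handled."""
    if not text or any(c.isspace() for c in text):
        raise ValueError("empty or contains whitespace")
    name, at, realm = text.rpartition("@")
    if not at or not name or not realm or "@" in name:
        raise ValueError("expected primary[/instance]@REALM")
    primary, slash, instance = name.partition("/")
    if not primary or (slash and not instance):
        raise ValueError("empty primary or instance")
    return Principal(primary, instance if slash else None, realm)


def audit_lines(lines: List[str], owner: str, local_realm: str) -> List[Finding]:
    """Review .k5login entries for the account whose own principal is owner."""
    findings, seen = [], set()
    owner_p = parse_principal(owner)
    for number, raw in enumerate(lines, start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            principal = parse_principal(entry)
        except ValueError as exc:
            findings.append(Finding(number, "invalid", f"{entry!r}: {exc}"))
            continue
        if principal in seen:
            findings.append(Finding(number, "duplicate", entry))
            continue
        seen.add(principal)
        if principal == owner_p:
            continue
        # Every other entry names a principal with full access to the account.
        # user/admin is a separate principal from user, so it is listed too.
        code = "grant" if principal.realm == local_realm else "cross-realm-grant"
        findings.append(Finding(number, code, entry))
    if owner_p not in seen:
        # The guide advises listing your own principal on each host.
        findings.append(Finding(0, "owner-missing", owner))
    return findings


def audit_file(path: str, owner: str, local_realm: str) -> List[Finding]:
    """Audit a file on disk, adding a check that only its owner can modify it."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(Finding(0, "writable-by-others", oct(stat.S_IMODE(mode))))
    with open(path, encoding="utf-8") as handle:
        findings += audit_lines(handle.read().splitlines(), owner, local_realm)
    return findings


# Constructed sample input; the names and realms are made up for this example.
SAMPLE = """\
alice@EXAMPLE.COM
bob@EXAMPLE.COM
carol@PARTNER.EXAMPLE
alice/admin@EXAMPLE.COM
bob@EXAMPLE.COM
dave at EXAMPLE.COM
""".splitlines()

if __name__ == "__main__":
    for finding in audit_lines(SAMPLE, "alice@EXAMPLE.COM", "EXAMPLE.COM"):
        print(finding)
```
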
@node Kerberos V5 Applications, , Password Management, Kerberos V5 Tutorial
@section @value{PRODUCT} Applications

@value{PRODUCT} is a @dfn{single-sign-on} system. This means that you
only have to type your password once, and the @value{PRODUCT} programs
do the authenticating (and optionally encrypting) for you. The way this
works is that Kerberos has been built into each of a suite of network
programs. For example, when you use a @value{PRODUCT} program to
connect to a remote host, the program, the KDC, and the remote host
perform a set of rapid negotiations. When these negotiations are
completed, your program has proven your identity on your behalf to the
remote host, and the remote host has granted you access, all in the
space of a few seconds.

The @value{PRODUCT} applications are versions of existing UNIX network
programs with the Kerberos features added.

* Overview of Additional Features::

@node Overview of Additional Features, telnet, Kerberos V5 Applications, Kerberos V5 Applications
@subsection Overview of Additional Features

The @value{PRODUCT} @dfn{network programs} are those programs that
connect to another host somewhere on the internet. These programs
include @code{rlogin}, @code{telnet}, @code{ftp}, @code{rsh},
@code{rcp}, and @code{ksu}. These programs have all of the original
features of the corresponding non-Kerberos @code{rlogin}, @code{telnet},
@code{ftp}, @code{rsh}, @code{rcp}, and @code{su} programs, plus
additional features that transparently use your Kerberos tickets for
negotiating authentication and optional encryption with the remote host.
In most cases, all you'll notice is that you no longer have to type your
password, because Kerberos has already proven your identity.

The @value{PRODUCT} network programs allow you the options of forwarding
your tickets to the remote host (if you obtained forwardable tickets
with the @code{kinit} program; @pxref{Obtaining Tickets with kinit}), and
encrypting data transmitted between you and the remote host.

This section of the tutorial assumes you are familiar with the
non-Kerberos versions of these programs, and highlights the Kerberos
functions added in the @value{PRODUCT} package.

@node telnet, rlogin, Overview of Additional Features, Kerberos V5 Applications

The @value{PRODUCT} @code{telnet} command works exactly like the
standard UNIX telnet program, with the following Kerberos options added:

forwards a copy of your tickets to the remote host.

turns off forwarding of tickets to the remote host. (This option
overrides any forwarding specified in your machine's configuration

@itemx -F, --forwardable
forwards a copy of your tickets to the remote host, and marks them
re-forwardable from the remote host.

@itemx --noforwardable
makes any forwarded tickets nonforwardable. (This option overrides any
forwardability specified in your machine's configuration files.)

requests tickets for the remote host in the specified realm, instead of
determining the realm itself.

uses your tickets to authenticate to the remote host, but does not log

attempt automatic login using your tickets. @code{telnet} will assume
the same username unless you explicitly specify another.

turns off encryption.

For example, if @code{@value{RANDOMUSER2}} wanted to use the standard
UNIX telnet to connect to the machine
@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, he would type:

@b{shell%} telnet @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}
@b{Trying 128.0.0.5 ...
Connected to @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}.
Escape character is '^]'.

NetBSD/i386 (@value{RANDOMHOST1}) (ttyp3)

login:} @value{RANDOMUSER2}
@b{Password:} @i{<- @value{RANDOMUSER2} types his password here}
@b{Last login: Fri Jun 21 17:13:11 from @value{RANDOMHOST2}.@value{SECONDDOMAIN}
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

NetBSD 1.1: Tue May 21 00:31:42 EDT 1996

@noindent Note that the machine
@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} asked for
@code{@value{RANDOMUSER2}}'s password. When he typed it, his password
was sent over the network unencrypted. If an intruder were watching
network traffic at the time, that intruder would know
@code{@value{RANDOMUSER2}}'s password.

If, on the other hand, @code{@value{RANDOMUSER1}} wanted to use the
@value{PRODUCT} telnet to connect to the machine
@code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, she could forward a
copy of her tickets, request an encrypted session, and log on as herself

@b{shell%} telnet -a -f -x @value{RANDOMHOST2}.@value{SECONDDOMAIN}
@b{Trying 128.0.0.5...
Connected to @value{RANDOMHOST2}.@value{SECONDDOMAIN}.
Escape character is '^]'.
[ Kerberos V5 accepts you as ``@value{RANDOMUSER1}@@@value{SECONDDOMAIN}'' ]
[ Kerberos V5 accepted forwarded credentials ]
NetBSD 1.1: Tue May 21 00:31:42 EDT 1996

@noindent Note that @code{@value{RANDOMUSER1}}'s machine used Kerberos
to authenticate her to @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}},
and logged her in automatically as herself. She had an encrypted
session, a copy of her tickets already waiting for her, and she never

If you forwarded your Kerberos tickets, @code{telnet} automatically
destroys them when it exits. The full set of options to @value{PRODUCT}
@code{telnet} is discussed in the Reference section of this manual
(@pxref{telnet Reference}).
918 @node rlogin, FTP, telnet, Kerberos V5 Applications
922 The @value{PRODUCT} @code{rlogin} command works exactly like the
923 standard UNIX rlogin program, with the following Kerberos options added:
927 forwards a copy of your tickets to the remote host.
930 turns off forwarding of tickets to the remote host. (This option
931 overrides any forwarding specified in your machine's configuration
934 @itemx -F, --forwardable
935 forwards a copy of your tickets to the remote host, and marks them
936 re-forwardable from the remote host.
938 @itemx --noforwardable
939 makes any forwarded tickets nonforwardable. (This option overrides any
940 forwardability specified in your machine's configuration files.)
943 requests tickets for the remote host in the specified realm, instead of
944 determining the realm itself.
950 turns off encryption.
954 For example, if @code{@value{RANDOMUSER2}} wanted to use the standard
955 UNIX rlogin to connect to the machine
956 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, he would type:
960 @b{shell%} rlogin @value{RANDOMHOST1}.@value{PRIMARYDOMAIN} -l @value{RANDOMUSER2}
961 @b{Password:} @i{<- @value{RANDOMUSER2} types his password here}
962 @b{Last login: Fri Jun 21 10:36:32 from :0.0
963 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
964 The Regents of the University of California. All rights reserved.
966 NetBSD 1.1: Tue May 21 00:31:42 EDT 1996
973 @noindent Note that the machine
974 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} asked for
975 @code{@value{RANDOMUSER2}}'s password. When he typed it, his password
976 was sent over the network unencrypted. If an intruder were watching
977 network traffic at the time, that intruder would know
978 @code{@value{RANDOMUSER2}}'s password.
984 If, on the other hand, @code{@value{RANDOMUSER1}} wanted to use
985 @value{PRODUCT} rlogin to connect to the machine
986 @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, she could forward a
987 copy of her tickets, mark them as not forwardable from the remote host,
988 and request an encrypted session as follows:
992 @b{shell%} rlogin @value{RANDOMHOST2}.@value{SECONDDOMAIN} -f -x
993 @b{This rlogin session is using DES encryption for all data transmissions.
994 Last login: Thu Jun 20 16:20:50 from @value{RANDOMHOST1}
995 SunOS Release 4.1.4 (GENERIC) #2: Tue Nov 14 18:09:31 EST 1995
996 Not checking quotas. Try quota.real if you need them.
1001 @noindent Note that @code{@value{RANDOMUSER1}}'s machine used Kerberos
1002 to authenticate her to @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}},
1003 and logged her in automatically as herself. She had an encrypted
1004 session, a copy of her tickets was waiting for her, and she never typed
1007 If you forwarded your Kerberos tickets, @code{rlogin} automatically
1008 destroys them when it exits. The full set of options to @value{PRODUCT}
1009 @code{rlogin} is discussed in the Reference section of this manual.
1010 (@pxref{rlogin Reference})
1016 @node FTP, rsh, rlogin, Kerberos V5 Applications
1020 The @value{PRODUCT} @code{FTP} program works exactly like the standard
1021 UNIX FTP program, with the following Kerberos features added:
1025 requests tickets for the remote host in the specified realm, instead of
1026 determining the realm itself.
1029 requests that your tickets be forwarded to the remote host. The
1030 @kbd{-forward} argument must be the last argument on the command line.
1032 @itemx protect @i{level}
1033 (issued at the @code{ftp>} prompt) sets the protection level. ``Clear''
1034 is no protection; ``safe'' ensures data integrity by verifying the
1035 checksum, and ``private'' encrypts the data. Encryption also ensures
1040 For example, suppose @code{@value{RANDOMUSER1}} wants to get her
1041 @code{RMAIL} file from the directory @code{~@value{RANDOMUSER1}/Mail},
1042 on the host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}. She wants
1043 to encrypt the file transfer. The exchange would look like the
1048 @b{shell%} ftp @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}
1049 Connected to @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}.
1050 220 @value{RANDOMHOST1}.@value{PRIMARYDOMAIN} FTP server (Version 5.60) ready.
1051 334 Using authentication type GSSAPI; ADAT must follow
1052 GSSAPI accepted as authentication type
1053 GSSAPI authentication succeeded
1054 Name (@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}:@value{RANDOMUSER1}):
1055 232 GSSAPI user @value{RANDOMUSER1}@@@value{PRIMARYREALM} is authorized as @value{RANDOMUSER1}
1056 230 User @value{RANDOMUSER1} logged in.
1057 Remote system type is UNIX.
1058 Using binary mode to transfer files.
1059 ftp> protect private
1060 200 Protection level set to Private.
1061 ftp> cd ~@value{RANDOMUSER1}/Mail
1062 250 CWD command successful.
1064 227 Entering Passive Mode (128,0,0,5,16,49)
1065 150 Opening BINARY mode data connection for RMAIL (361662 bytes).
1066 226 Transfer complete.
1067 361662 bytes received in 2.5 seconds (1.4e+02 Kbytes/s)
1073 The full set of options to @value{PRODUCT} @code{FTP} is discussed
1074 in the Reference section of this manual. (@pxref{FTP Reference})
1080 @node rsh, rcp, FTP, Kerberos V5 Applications
1084 The @value{PRODUCT} @code{rsh} program works exactly like the standard
1085 UNIX rsh program, with the following Kerberos features added:
1088 @itemx -f, --forward
1089 forwards a copy of your tickets to the remote host.
1092 turns off forwarding of tickets to the remote host. (This option
1093 overrides any forwarding specified in your machine's configuration
1096 @itemx -F, --forwardable
1097 forwards a copy of your tickets to the remote host, and marks them
1098 re-forwardable from the remote host.
1100 @itemx --noforwardable
1101 makes any forwarded tickets nonforwardable. (This option overrides any
1102 forwardability specified in your machine's configuration files.)
1105 requests tickets for the remote host in the specified realm, instead of
1106 determining the realm itself.
1108 @itemx -x, --encrypt
1109 turns on encryption.
1112 turns off encryption.
1116 For example, if your Kerberos tickets allowed you to run programs on the
1117 host @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}} as root, you could
1118 run the @samp{date} program as follows:
1122 @b{shell%} rsh @value{RANDOMHOST2}.@value{SECONDDOMAIN} -l root -x date
1123 @b{This rsh session is using DES encryption for all data transmissions.
1124 Fri Jun 21 17:06:12 EDT 1996
1129 If you forwarded your Kerberos tickets, @code{rsh} automatically
1130 destroys them when it exits. The full set of options to @value{PRODUCT}
1131 @code{rsh} is discussed in the Reference section of this manual.
1132 (@pxref{rsh Reference})
1138 @node rcp, ksu, rsh, Kerberos V5 Applications
1142 The @value{PRODUCT} @code{rcp} program works exactly like the standard
1143 UNIX rcp program, with the following Kerberos features added:
1147 requests tickets for the remote host in the specified realm, instead of
1148 determining the realm itself.
1150 @itemx -x, --encrypt
1151 turns on encryption.
1156 For example, if you wanted to copy the file @code{/etc/motd} from the
1157 host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} into the current
1158 directory, via an encrypted connection, you would simply type:
1161 @b{shell%} rcp -x @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}:/etc/motd .
1164 The @code{rcp} program negotiates authentication and encryption
1165 transparently. The full set of options to @value{PRODUCT} @code{rcp}
1166 is discussed in the Reference section of this manual. (@pxref{rcp
1173 @node ksu, , rcp, Kerberos V5 Applications
1176 The @value{PRODUCT} @code{ksu} program replaces the standard UNIX su
1177 program. @code{ksu} first authenticates you to Kerberos. Depending on
1178 the configuration of your system, @code{ksu} may ask for your Kerberos
1179 password if authentication fails. @emph{Note that you should never type
1180 your password if you are remotely logged in using an unencrypted
1183 Once @code{ksu} has authenticated you, if your Kerberos principal
1184 appears in the target's @code{.k5login} file (@pxref{Granting Access to
1185 Your Account}) or in the target's @code{.k5users} file (see below), it
1186 switches your user ID to the target user ID.
1189 For example, @code{@value{RANDOMUSER2}} has put
1190 @code{@value{RANDOMUSER1}}'s Kerberos principal in his @code{.k5login}
1191 file. If @code{@value{RANDOMUSER1}} uses @code{ksu} to become
1192 @code{@value{RANDOMUSER2}}, the exchange would look like this. (To
1193 differentiate between the two shells, @code{@value{RANDOMUSER1}}'s
1194 prompt is represented as @code{@value{RANDOMUSER1}%} and
1195 @code{@value{RANDOMUSER2}}'s prompt is represented as
1196 @code{@value{RANDOMUSER2}%}.)
1200 @b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2}
1201 @b{Account @value{RANDOMUSER2}: authorization for @value{RANDOMUSER1}@@@value{PRIMARYREALM} successful
1202 Changing uid to @value{RANDOMUSER2} (3382)
1203 @value{RANDOMUSER2}%}
1208 Note that the new shell has a copy of @code{@value{RANDOMUSER1}}'s
1209 tickets. The ticket filename contains @code{@value{RANDOMUSER2}}'s UID
1210 with @samp{.1} appended to it:
1214 @b{@value{RANDOMUSER2}%} klist
1215 @b{Ticket cache: /tmp/krb5cc_3382.1
1216 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
1218 Valid starting Expires Service principal
1219 31 Jul 96 21:53:01 01 Aug 96 07:52:53 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
1220 31 Jul 96 21:53:39 01 Aug 96 07:52:53 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
1221 @value{RANDOMUSER2}%}
1226 If @code{@value{RANDOMUSER1}} had not appeared in
1227 @code{@value{RANDOMUSER2}}'s @code{.k5login} file (and the system was
1228 configured to ask for a password), the exchange would have looked like
1229 this (assuming @code{@value{RANDOMUSER2}} has taken appropriate
1230 precautions in protecting his password):
1234 @b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2}
1235 @b{WARNING: Your password may be exposed if you enter it here and are logged
1236 in remotely using an unsecure (non-encrypted) channel.
1237 Kerberos password for @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{<- @code{@value{RANDOMUSER1}} types the wrong password here.}
1238 @b{ksu: Password incorrect
1239 Authentication failed.
1240 @value{RANDOMUSER1}%}
1244 Now, suppose @code{@value{RANDOMUSER2}} did not want to give
1245 @code{@value{RANDOMUSER1}} full access to his account, but wanted to
1246 give her permission to list his files and use the @code{more} command to view
1247 them. He could create a @code{.k5users} file giving her permission to
1248 run only those specific commands.
1251 The @code{.k5users} file is like the @code{.k5login} file, except that
1252 each principal is optionally followed by a list of commands. @code{ksu}
1253 will let those principals execute only the commands listed, using the
1254 @kbd{-e} option. @code{@value{RANDOMUSER2}}'s @code{.k5users} file
1255 might look like the following:
1259 @value{RANDOMUSER1}@@@value{PRIMARYREALM} /bin/ls /usr/bin/more
1260 @value{ADMINUSER}@@@value{PRIMARYREALM} /bin/ls
1261 @value{ADMINUSER}/admin@@@value{PRIMARYREALM} *
1262 @value{RANDOMUSER2}@@@value{SECONDREALM}
1266 @noindent The above @code{.k5users} file would let
1267 @code{@value{RANDOMUSER1}} run only the commands @code{/bin/ls} and
1268 @code{/usr/bin/more}. It would let @code{@value{ADMINUSER}} run only
1269 the command @code{/bin/ls} if he had regular tickets, but if he had
1270 tickets for his @code{admin} instance,
1271 @code{@value{ADMINUSER}/admin@@@value{PRIMARYREALM}}, he would be able
1272 to execute any command. The last line gives @code{@value{RANDOMUSER2}}
1273 in the realm @value{SECONDREALM} permission to execute any command.
1274 (@i{I.e.}, having only a Kerberos principal on a line is equivalent to
1275 giving that principal permission to execute @code{*}.) This is so that
1276 @value{RANDOMUSER2} can allow himself to execute commands when he logs
1277 in, using Kerberos, from a machine in the realm @value{SECONDREALM}.
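@noindent The following Python sketch is an added example, not part of @value{PRODUCT} or of @code{ksu} itself: it parses a @code{.k5users} file in the format described above, answers whether a principal may run a given command, and reports entries that grant unrestricted access. The sample principals are constructed, and the rule that a bare name such as @code{ls} matches a listed @code{/bin/ls} is an assumption modeled on this guide's @kbd{-e} example; @code{.k5login} entries are not considered.

```python
"""Audit a ksu .k5users file: which principal may run what as the target.

Added illustration, not ksu's own code. The matching rules are
assumptions drawn from this guide's description of the file format.
"""
import os

ANY = "*"

# Constructed sample with the same four-line layout the guide describes.
SAMPLE_K5USERS = """\
jennifer@EXAMPLE.COM /bin/ls /usr/bin/more
joeadmin@EXAMPLE.COM /bin/ls
joeadmin/admin@EXAMPLE.COM *
david@OTHER.EXAMPLE
"""


def parse_k5users(text):
    """Return {principal: set of commands}; a set holding ANY is unrestricted."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue  # skip blank lines
        principal, commands = fields[0], set(fields[1:])
        # A principal alone on a line is equivalent to listing "*".
        if not commands or ANY in commands:
            commands = {ANY}
        # Assumption: repeated principals accumulate, so the audit
        # reports the widest access the file could grant.
        entries.setdefault(principal, set()).update(commands)
    return entries


def is_authorized(entries, principal, command):
    """Model whether 'ksu target -e command' is allowed for principal."""
    allowed = entries.get(principal)
    if allowed is None:
        return False
    if ANY in allowed:
        return True
    for listed in allowed:
        if command == listed:
            return True
        # Assumption: a bare program name matches a listed absolute
        # path with the same basename ("ls" matches "/bin/ls").
        if "/" not in command and os.path.basename(listed) == command:
            return True
    return False


def audit(entries):
    """Return (principal, note) findings worth a reviewer's attention."""
    findings = []
    for principal, allowed in sorted(entries.items()):
        if ANY in allowed:
            findings.append((principal, "unrestricted: may run any command"))
            continue
        for cmd in sorted(allowed):
            if not cmd.startswith("/"):
                findings.append((principal, "relative command name: " + cmd))
    return findings


if __name__ == "__main__":
    parsed = parse_k5users(SAMPLE_K5USERS)
    for who, note in audit(parsed):
        print(who, "->", note)
    print("jennifer may run ls:",
          is_authorized(parsed, "jennifer@EXAMPLE.COM", "ls"))
```
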
1280 Then, when @code{@value{RANDOMUSER1}} wanted to list @code{@value{RANDOMUSER2}}'s home directory,
1285 @b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2} -e ls ~@value{RANDOMUSER2}
1286 @b{Authenticated @value{RANDOMUSER1}@@@value{PRIMARYREALM}
1287 Account @value{RANDOMUSER2}: authorization for @value{RANDOMUSER1}@@@value{PRIMARYREALM} for execution of
1289 Changing uid to @value{RANDOMUSER2} (3382)
1290 Mail News Personal misc bin
1291 @value{RANDOMUSER1}%}
1295 @noindent If @code{@value{RANDOMUSER1}} had tried to give a different
1296 command to @code{ksu}, it would have prompted for a password as with the
1299 Note that unless the @code{.k5users} file gives the target permission to
1300 run any command, the user must use @code{ksu} with the @kbd{-e}
1304 The @code{ksu} options you are most likely to use are:
1307 @itemx -n @i{principal}
1308 specifies which Kerberos principal you want to use for @code{ksu}.
1309 (@i{e.g.}, the user @code{@value{ADMINUSER}} might want to use his
1310 @code{admin} instance. @xref{What is a Ticket?}.)
1313 specifies the location of your Kerberos credentials cache (ticket file).
1316 specifies the location you want the Kerberos credentials cache (ticket
1317 file) to be for the target user ID.
1320 tells @code{ksu} not to destroy your Kerberos tickets when @code{ksu} is
1324 requests forwardable tickets. (@xref{Obtaining Tickets with kinit}.) This
1325 is only applicable if @code{ksu} needs to obtain tickets.
1327 @itemx -l @i{lifetime}
1328 sets the ticket lifetime. (@xref{Obtaining Tickets with kinit}.) This is
1329 only applicable if @code{ksu} needs to obtain tickets.
1332 tells @code{ksu} to copy your Kerberos tickets only if the UID you are
1333 switching to is the same as the Kerberos primary (either yours or the one
1334 specified by the @kbd{-n} option).
1337 tells @code{ksu} not to copy any Kerberos tickets to the new UID.
1339 @itemx -e @i{command}
1340 tells @code{ksu} to execute @i{command} and then exit. See the
1341 description of the @code{.k5users} file above.
1344 (at the end of the command line) tells @code{ksu} to pass everything
1345 after @samp{-a} to the target shell.
1348 The full set of options to @value{PRODUCT} @code{ksu} is discussed
1349 in the Reference section of this manual. (@pxref{ksu Reference})
1351 @node Kerberos V5 Reference, Kerberos Glossary, Kerberos V5 Tutorial, Top
1352 @chapter @value{PRODUCT} Reference
1354 This section will include copies of the manual pages for the
1355 @value{PRODUCT} client programs. You can read the manual entry for any
1356 command by typing @code{man} @i{command}, where @i{command} is the name
1357 of the command for which you want to read the manual entry. For
1358 example, to read the @code{kinit} manual entry, you would type:
1361 @b{shell%} man kinit
1364 Note: To be able to view the @value{PRODUCT} manual pages on line, you
1365 may need to add the directory @code{@value{ROOTDIR}/man} to your MANPATH
1366 environment variable. (Remember to replace @code{@value{ROOTDIR}} with
1367 the top-level directory in which @value{PRODUCT} is installed.) For
1368 example, if you had the following line in your @code{.login}
1369 file@footnote{The MANPATH variable may be specified in a different
1370 initialization file, depending on your operating system. Some of the
1371 files in which you might specify environment variables include
1372 @code{.login}, @code{.profile}, or @code{.cshrc}.}:
1375 setenv MANPATH /usr/local/man:/usr/man
1379 and the @value{PRODUCT} man pages were in the directory
1380 @code{/usr/@value{LCPRODUCT}/man}, you would change the line to the following:
1383 setenv MANPATH /usr/@value{LCPRODUCT}/man:/usr/local/man:/usr/man
1387 Note to info users: the manual pages are not available within this info
1388 tree. You can read them from emacs with the command:
1391 M-x manual-entry @emph{command}
1400 * kdestroy Reference::
1401 * kpasswd Reference::
1402 * telnet Reference::
1403 * rlogin Reference::
1410 @node kinit Reference, klist Reference, Kerberos V5 Reference, Kerberos V5 Reference
1411 @section kinit Reference
1414 @special{psfile=kinit1.ps voffset=-700 hoffset=-40}
1415 @centerline{Reference Manual for @code{kinit}}
1418 @special{psfile=kinit2.ps voffset=-700 hoffset=-40}
1419 @centerline{Reference Manual for @code{kinit}}
1423 Type @kbd{M-x manual-entry kinit} to read this manual page.
1426 @node klist Reference, kdestroy Reference, kinit Reference, Kerberos V5 Reference
1427 @section klist Reference
1430 @special{psfile=klist1.ps voffset=-700 hoffset=-40}
1431 @centerline{Reference Manual for @code{klist}}
1435 Type @kbd{M-x manual-entry klist} to read this manual page.
1438 @node kdestroy Reference, kpasswd Reference, klist Reference, Kerberos V5 Reference
1439 @section kdestroy Reference
1442 @special{psfile=kdestroy1.ps voffset=-700 hoffset=-60}
1443 @centerline{Reference Manual for @code{kdestroy}}
1447 Type @kbd{M-x manual-entry kdestroy} to read this manual page.
1450 @node kpasswd Reference, telnet Reference, kdestroy Reference, Kerberos V5 Reference
1451 @section kpasswd Reference
1454 @special{psfile=kpasswd1.ps voffset=-700 hoffset=-40}
1455 @centerline{Reference Manual for @code{kpasswd}}
1459 Type @kbd{M-x manual-entry kpasswd} to read this manual page.
1462 @node telnet Reference, rlogin Reference, kpasswd Reference, Kerberos V5 Reference
1463 @section telnet Reference
1466 @special{psfile=telnet1.ps voffset=-700 hoffset=-40}
1467 @centerline{Reference Manual for @code{telnet}}
1470 @special{psfile=telnet2.ps voffset=-700 hoffset=-40}
1471 @centerline{Reference Manual for @code{telnet}}
1474 @special{psfile=telnet3.ps voffset=-700 hoffset=-40}
1475 @centerline{Reference Manual for @code{telnet}}
1478 @special{psfile=telnet4.ps voffset=-700 hoffset=-40}
1479 @centerline{Reference Manual for @code{telnet}}
1482 @special{psfile=telnet5.ps voffset=-700 hoffset=-40}
1483 @centerline{Reference Manual for @code{telnet}}
1486 @special{psfile=telnet6.ps voffset=-700 hoffset=-40}
1487 @centerline{Reference Manual for @code{telnet}}
1490 @special{psfile=telnet7.ps voffset=-700 hoffset=-40}
1491 @centerline{Reference Manual for @code{telnet}}
1494 @special{psfile=telnet8.ps voffset=-700 hoffset=-40}
1495 @centerline{Reference Manual for @code{telnet}}
1498 @special{psfile=telnet9.ps voffset=-700 hoffset=-40}
1499 @centerline{Reference Manual for @code{telnet}}
1502 @special{psfile=telnet10.ps voffset=-700 hoffset=-40}
1503 @centerline{Reference Manual for @code{telnet}}
1507 Type @kbd{M-x manual-entry telnet} to read this manual page.
1510 @node rlogin Reference, FTP Reference, telnet Reference, Kerberos V5 Reference
1511 @section rlogin Reference
1514 @special{psfile=rlogin1.ps voffset=-700 hoffset=-40}
1515 @centerline{Reference Manual for @code{rlogin}}
1518 @special{psfile=rlogin2.ps voffset=-700 hoffset=-40}
1519 @centerline{Reference Manual for @code{rlogin}}
1523 Type @kbd{M-x manual-entry rlogin} to read this manual page.
1526 @node FTP Reference, rsh Reference, rlogin Reference, Kerberos V5 Reference
1527 @section FTP Reference
1530 @special{psfile=ftp1.ps voffset=-700 hoffset=-40}
1531 @centerline{Reference Manual for @code{FTP}}
1534 @special{psfile=ftp2.ps voffset=-700 hoffset=-40}
1535 @centerline{Reference Manual for @code{FTP}}
1538 @special{psfile=ftp3.ps voffset=-700 hoffset=-40}
1539 @centerline{Reference Manual for @code{FTP}}
1542 @special{psfile=ftp4.ps voffset=-700 hoffset=-40}
1543 @centerline{Reference Manual for @code{FTP}}
1546 @special{psfile=ftp5.ps voffset=-700 hoffset=-40}
1547 @centerline{Reference Manual for @code{FTP}}
1550 @special{psfile=ftp6.ps voffset=-700 hoffset=-40}
1551 @centerline{Reference Manual for @code{FTP}}
1554 @special{psfile=ftp7.ps voffset=-700 hoffset=-40}
1555 @centerline{Reference Manual for @code{FTP}}
1558 @special{psfile=ftp8.ps voffset=-700 hoffset=-40}
1559 @centerline{Reference Manual for @code{FTP}}
1563 Type @kbd{M-x manual-entry FTP} to read this manual page.
1566 @node rsh Reference, rcp Reference, FTP Reference, Kerberos V5 Reference
1567 @section rsh Reference
1570 @special{psfile=rsh1.ps voffset=-700 hoffset=-40}
1571 @centerline{Reference Manual for @code{rsh}}
1574 @special{psfile=rsh2.ps voffset=-700 hoffset=-40}
1575 @centerline{Reference Manual for @code{rsh}}
1579 Type @kbd{M-x manual-entry rsh} to read this manual page.
1582 @node rcp Reference, ksu Reference, rsh Reference, Kerberos V5 Reference
1583 @section rcp Reference
1586 @special{psfile=rcp1.ps voffset=-700 hoffset=-40}
1587 @centerline{Reference Manual for @code{rcp}}
1590 @special{psfile=rcp2.ps voffset=-700 hoffset=-40}
1591 @centerline{Reference Manual for @code{rcp}}
1595 Type @kbd{M-x manual-entry rcp} to read this manual page.
1598 @node ksu Reference, , rcp Reference, Kerberos V5 Reference
1599 @section ksu Reference
1602 @special{psfile=ksu1.ps voffset=-700 hoffset=-40}
1603 @centerline{Reference Manual for @code{ksu}}
1606 @special{psfile=ksu2.ps voffset=-700 hoffset=-40}
1607 @centerline{Reference Manual for @code{ksu}}
1610 @special{psfile=ksu3.ps voffset=-700 hoffset=-40}
1611 @centerline{Reference Manual for @code{ksu}}
1614 @special{psfile=ksu4.ps voffset=-700 hoffset=-40}
1615 @centerline{Reference Manual for @code{ksu}}
1618 @special{psfile=ksu5.ps voffset=-700 hoffset=-40}
1619 @centerline{Reference Manual for @code{ksu}}
1623 Type @kbd{M-x manual-entry ksu} to read this manual page.
1626 @node Kerberos Glossary, , Kerberos V5 Reference, Top
1627 @appendix Kerberos Glossary
1629 @include glossary.texinfo