1 \input texinfo @c -*-texinfo-*-
4 @setfilename KerbNet-User.info
5 @settitle Kerb*Net UNIX User's Guide
6 @setchapternewpage odd @c chapter begins on next odd page
7 @c @setchapternewpage on @c chapter begins on next page
8 @smallbook @c Format for 7" X 9.25" paper
16 @include definitions.texinfo
19 @finalout @c don't print black warning boxes
22 @title @value{PRODUCT} UNIX User's Guide
23 @subtitle Release: @value{RELEASE}
24 @subtitle Document Edition: @value{EDITION}
25 @subtitle Last updated: @value{UPDATED}
26 @author @value{COMPANY}
29 @vskip 0pt plus 1filll
31 @include copyright.texinfo
34 @comment node-name, next, previous, up
35 @node Top, Introduction, (dir), (dir)
38 This file describes how to use the @value{PRODUCT} client programs.
40 @include copyright.texinfo
43 @c The master menu is updated using emacs19's M-x texinfo-all-menus-update
44 @c function. Don't forget to run M-x texinfo-every-node-update after
45 @c you add a new section or subsection, or after you've rearranged the
46 @c comand before each @section or @subsection! All you need to enter
50 @c @section New Section Name
52 @c M-x texinfo-every-node-update will take care of calculating the
53 @c node's forward and back pointers.
55 @c ---------------------------------------------------------------------
59 * @value{PRODUCT} Tutorial::
60 * @value{PRODUCT} Reference::
64 @node Introduction, @value{PRODUCT} Tutorial, Top, Top
67 @value{PRODUCT} is based on the Kerberos V5 authentication system
68 developed at MIT. Kerberos is named for the three-headed watchdog from
69 Greek mythology, who guarded the entrance to the underworld.
71 Under Kerberos, a client (generally either a user or a service) sends a
72 request for a ticket to the @i{Key Distribution Center} (KDC). The KDC
73 creates a @dfn{ticket-granting ticket} (TGT) for the client, encrypts it
74 using the client's password as the key, and sends the encrypted TGT back
75 to the client. The client then attempts to decrypt the TGT, using its
76 password. If the client successfully decrypts the TGT (@i{i.e.}, if the
77 client gave the correct password), it keeps the decrypted TGT, which
78 indicates proof of the client's identity.
80 The TGT, which expires at a specified time, permits the client to obtain
81 additional tickets, which give permission for specific services. The
82 requesting and granting of these additional tickets is user-transparent.
84 Since Kerberos negotiates authenticated, and optionally encrypted,
85 communications between two points anywhere on the internet, it provides
86 a layer of security that is not dependent on which side of a firewall
87 either client is on. Since studies have shown that half of the computer
88 security breaches in industry happen from @i{inside} firewalls,
89 @value{COMPANY}'s @value{PRODUCT} plays a vital role in maintaining your
92 The @value{PRODUCT} package is designed to be easy to use. Most of the
93 commands are nearly identical to UNIX network programs you are already
94 used to. @value{PRODUCT} is a @dfn{single-sign-on} system, which means
95 that you have to type your password only once per session, and Kerberos
96 does the authenticating and encrypting transparently.
103 * What is a Ticket?::
104 * What is a Kerberos Principal?::
107 @node What is a Ticket?, What is a Kerberos Principal?, Introduction, Introduction
108 @section What is a Ticket?
110 Your Kerberos @dfn{credentials}, or ``@dfn{tickets}'', are a set of
111 electronic information that can be used to verify your identity. Your
112 Kerberos tickets may be stored in a file, or they may exist only in
115 The first ticket you obtain is a @dfn{ticket-granting ticket}, which
116 permits you to obtain additional tickets. These additional tickets give
117 you permission for specific services. The requesting and granting of
118 these additional tickets happens transparently.
120 A good analogy for the ticket-granting ticket is a three-day ski pass
121 that is good at four different resorts. You show the pass at whichever
122 resort you decide to go to (until it expires), and you receive a lift
123 ticket for that resort. Once you have the lift ticket, you can ski all
124 you want at that resort. If you go to another resort the next day, you
125 once again show your pass, and you get an additional lift ticket for the
126 new resort. The difference is that the @value{PRODUCT} programs notice
127 that you have the weekend ski pass, and get the lift ticket for you, so
128 you don't have to perform the transactions yourself.
134 @node What is a Kerberos Principal?, , What is a Ticket?, Introduction
135 @section What is a Kerberos Principal?
137 A Kerberos @dfn{principal} is a unique identity to which Kerberos can
138 assign tickets. By convention, a principal is divided into three parts:
139 the @dfn{primary}, the @dfn{instance}, and the @dfn{realm}. The format
140 of a typical Kerberos V5 principal is @code{primary/instance@@REALM}.
143 @item The @dfn{primary} is the first part of the principal. In the case
144 of a user, it's the same as your username. For a host, the primary is
145 the word @code{host}.
147 @item The @dfn{instance} is an optional string that qualifies the
148 primary. The instance is separated from the primary by a slash
149 (@code{/}). In the case of a user, the instance is usually null, but a
150 user might also have an additional principal, with an instance called
151 @samp{admin}, which he/she uses to administrate a database. The
152 principal @code{@value{RANDOMUSER1}@@@value{PRIMARYREALM}} is completely
153 separate from the principal
154 @code{@value{RANDOMUSER1}/admin@@@value{PRIMARYREALM}}, with a separate
155 password, and separate permissions. In the case of a host, the instance
156 is the fully qualified hostname, e.g.,
157 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}.
159 @item The @dfn{realm} is your Kerberos realm. In most cases, your
160 Kerberos realm is your domain name, in upper-case letters. For example,
161 the machine @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} would be in
162 the realm @code{@value{PRIMARYREALM}}.
165 @node @value{PRODUCT} Tutorial, @value{PRODUCT} Reference, Introduction, Top
166 @chapter @value{PRODUCT} Tutorial
168 This tutorial is intended to familiarize you with the @value{PRODUCT}
169 client programs. We will represent your prompt as ``@code{shell%}''.
170 So an instruction to type the ``@kbd{ls}'' command would be represented as
180 In these examples, we will use sample usernames, such as
181 @code{@value{RANDOMUSER1}} and @code{@value{RANDOMUSER2}}, sample
182 hostnames, such as @code{@value{RANDOMHOST1}} and
183 @code{@value{RANDOMHOST2}}, and sample domain names, such as
184 @code{@value{PRIMARYDOMAIN}} and @code{@value{SECONDDOMAIN}}. When you
185 see one of these, substitute your username, hostname, or domain name
189 * Setting Up to Use @value{PRODUCT}::
190 * Ticket Management::
191 * Password Management::
192 * @value{PRODUCT} Applications::
195 @node Setting Up to Use @value{PRODUCT}, Ticket Management, @value{PRODUCT} Tutorial, @value{PRODUCT} Tutorial
196 @section Setting Up to Use @value{PRODUCT}
198 Your system administrator will have installed the @value{PRODUCT}
199 programs in whichever directory makes the most sense for your system.
200 We will use @code{@value{ROOTDIR}} throughout this guide to refer to the
201 top-level directory @value{PRODUCT} directory. We will therefor use
202 @code{@value{BINDIR}} to denote the location of the @value{PRODUCT} user
203 programs. In your installation, the directory name may be different,
204 but whatever the directory name is, you should make sure it is included
205 in your path. You will probably want to put it @i{ahead of} the
206 directories @code{/bin} and @code{/usr/bin} so you will get the
207 @value{PRODUCT} network programs, rather than the standard UNIX
208 versions, when you type their command names.
210 @node Ticket Management, Password Management, Setting Up to Use @value{PRODUCT}, @value{PRODUCT} Tutorial
211 @section Ticket Management
213 On many systems, Kerberos is built into the login program, and you get
214 tickets automatically when you log in. Other programs, such as
215 @code{rsh}, @code{rcp}, @code{telnet}, and @code{rlogin}, can forward
216 copies of your tickets to the remote host. Most of these programs also
217 automatically destroy your tickets when they exit. However,
218 @value{COMPANY} recommends that you explicitly destroy your Kerberos
219 tickets when you are through with them, just to be sure. One way to
220 help ensure that this happens is to add the @code{kdestroy} command to
221 your @code{.logout} file. Additionally, if you are going to be away
222 from your machine and are concerned about an intruder using your
223 permissions, it is safest to either destroy all copies of your tickets,
224 or use a screensaver that locks the screen.
228 * Obtaining Tickets with kinit::
229 * Viewing Your Tickets with klist::
230 * Destroying Your Tickets with kdestroy::
233 @node Obtaining Tickets with kinit, Viewing Your Tickets with klist, Ticket Management, Ticket Management
234 @subsection Obtaining Tickets with kinit
236 If your site is using the @value{PRODUCT} login program, you will get
237 Kerberos tickets automatically when you log in. If your site uses a
238 different login program, you may need to explicitly obtain your Kerberos
239 tickets, using the @code{kinit} program. Similarly, if your Kerberos
240 tickets expire, use the @code{kinit} program to obtain new ones.
243 To use the @code{kinit} program, simply type @kbd{kinit} and then type
244 your password at the prompt. For example, Jennifer (whose username is
245 @code{@value{RANDOMUSER1}}) works for Bleep, Inc. (a fictitious company
246 with the domain name @code{@value{PRIMARYDOMAIN}} and the Kerberos realm
247 @code{@value{PRIMARYREALM}}). She would type:
252 @b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type @value{RANDOMUSER1}'s password here.]}
258 If you type your password incorrectly, kinit will give you the following
264 @b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type the wrong password here.]}
265 @b{kinit: Password incorrect}
270 @noindent and you won't get Kerberos tickets.
272 @noindent Notice that @code{kinit} assumes you want tickets for your own
273 username in your default realm.
275 Suppose Jennifer's friend David is visiting, and he wants to borrow a
276 window to check his mail. David needs to get tickets for himself in his
277 own realm, @value{SECONDREALM}.@footnote{Note: the realm
278 @value{SECONDREALM} must be listed in your computer's Kerberos
279 configuration file, @code{/etc/krb5.conf}.} He would type:
283 @b{shell%} kinit @value{RANDOMUSER2}@@@value{SECONDREALM}
284 @b{Password for @value{RANDOMUSER2}@@@value{SECONDREALM}:} @i{<-- [Type @value{RANDOMUSER2}'s password here.]}
289 @noindent David would then have tickets which he could use to log onto
290 his own machine. Note that he typed his password locally on Jennifer's
291 machine, but it never went over the network. Kerberos on the local host
292 performed the authentication to the KDC in the other realm.
295 If you want to be able to forward your tickets to another host, you need
296 to request @dfn{forwardable} tickets. You do this by specifying the
302 @b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type your password here.]}
308 Note that @code{kinit} does not tell you that it obtained forwardable
309 tickets; you can verify this using the @code{klist} command
310 (@pxref{Viewing Your Tickets with klist}).
312 Normally, your tickets are good for your system's default ticket
313 lifetime, which is ten hours on many systems. You can specify a
314 different ticket lifetime with the @samp{-l} option. Add the letter
315 @samp{s} to the value for seconds, @samp{m} for minutes, @samp{h} for
316 hours, or @samp{d} for days.
318 For example, to obtain forwardable tickets for
319 @code{@value{RANDOMUSER2}@@@value{SECONDREALM}} that would be good for
320 three hours, you would type:
324 @b{shell%} kinit -f -l 3h @value{RANDOMUSER2}@@@value{SECONDREALM}
325 @b{Password for @value{RANDOMUSER2}@@@value{SECONDREALM}:} @i{<-- [Type @value{RANDOMUSER2}'s password here.]}
331 You cannot mix units; specifying a lifetime of @samp{3h30m} would result
332 in an error. Note also that most systems specify a maximum ticket
333 lifetime. If you request a longer ticket lifetime, it will be
334 automatically truncated to the maximum lifetime.
340 @node Viewing Your Tickets with klist, Destroying Your Tickets with kdestroy, Obtaining Tickets with kinit, Ticket Management
341 @subsection Viewing Your Tickets with klist
343 The @code{klist} command shows your tickets. When you first obtain
344 tickets, you will have only the ticket-granting ticket. (@xref{What is
345 a Ticket?}.) The listing would look like this:
350 Ticket cache: /tmp/krb5cc_ttypa
351 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
353 Valid starting Expires Service principal
354 06/07/96 19:49:21 06/08/96 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
360 The ticket cache is the location of your ticket file. In the above
361 example, this file is named @code{/tmp/krb5cc_ttypa}. The default
362 principal is your kerberos @dfn{principal}. (@pxref{What is a Kerberos
365 The ``valid starting'' and ``expires'' fields describe the period of
366 time during which the ticket is valid. The @dfn{service principal}
367 describes each ticket. The ticket-granting ticket has the primary
368 @code{krbtgt}, and the instance is the realm name.
371 Now, if @value{RANDOMUSER1} connected to the machine
372 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, and then typed
373 @kbd{klist} again, she would have gotten the following result:
378 Ticket cache: /tmp/krb5cc_ttypa
379 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
381 Valid starting Expires Service principal
382 06/07/96 19:49:21 06/08/96 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
383 06/07/96 20:22:30 06/08/96 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
389 Here's what happened: when @value{RANDOMUSER1} used telnet to connect
390 to the host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, the telnet
391 program presented her ticket-granting ticket to the KDC and requested a
392 host ticket for the host
393 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}. The KDC sent the host
394 ticket, which telnet then presented to the host
395 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, and she was allowed to
396 log in without typing her password.
402 Suppose your Kerberos tickets allow you to log into a host in another
403 domain, such as @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, which
404 is also in another Kerberos realm, @code{@value{SECONDREALM}}. If you
405 telnet to this host, you will receive a ticket-granting ticket for the
406 realm @code{@value{SECONDREALM}}, plus the new @code{host} ticket for
407 @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}. @kbd{klist} will now
413 Ticket cache: /tmp/krb5cc_ttypa
414 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
416 Valid starting Expires Service principal
417 06/07/96 19:49:21 06/08/96 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
418 06/07/96 20:22:30 06/08/96 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
419 06/07/96 20:24:18 06/08/96 05:49:19 krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}
420 06/07/96 20:24:18 06/08/96 05:49:19 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{PRIMARYREALM}
425 You can use the @code{-f} option to view the @dfn{flags} that apply to
426 your tickets. The flags are:
450 Here is a sample listing. In this example, the user @value{RANDOMUSER1}
451 obtained her initial tickets (@samp{I}), which are forwardable
452 (@samp{F}) and postdated (@samp{d}) but not yet validated (@samp{i}).
453 (@xref{kinit Reference} for more information about postdated tickets.)
458 @b{Ticket cache: /tmp/krb5cc_320
459 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
461 Valid starting Expires Service principal
462 31 Jul 96 19:06:25 31 Jul 96 19:16:25 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
469 In the following example, the user @value{RANDOMUSER2}'s tickets were
470 forwarded (@samp{f}) to this host from another host. The tickets are
471 reforwardable (@samp{F}).
476 @b{Ticket cache: /tmp/krb5cc_p11795
477 Default principal: @value{RANDOMUSER2}@@@value{SECONDREALM}
479 Valid starting Expires Service principal
480 07/31/96 11:52:29 07/31/96 21:11:23 krbtgt/@value{SECONDREALM}@@@value{SECONDREALM}
482 07/31/96 12:03:48 07/31/96 21:11:23 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{SECONDREALM}
492 @node Destroying Your Tickets with kdestroy, , Viewing Your Tickets with klist, Ticket Management
493 @subsection Destroying Your Tickets with kdestroy
495 Your Kerberos tickets are proof that you are indeed yourself, and
496 tickets can be stolen. If this happens, the person who has them can
497 masquerade as you until they expire. For this reason, you should
498 destroy your Kerberos tickets when you are away from your computer.
501 Destroying your tickets is easy. Simply type @kbd{kdestroy}.
511 If @code{kdestroy} fails to destroy your tickets, it will beep and give
512 an error message. For example, if @code{kdestroy} can't find any
513 tickets to destroy, it will give the following message:
518 @b{kdestroy: No credentials cache file found while destroying cache
519 Ticket cache NOT destroyed!
528 @node Password Management, @value{PRODUCT} Applications, Ticket Management, @value{PRODUCT} Tutorial
529 @section Password Management
531 Your password is the only way Kerberos has of verifying your identity.
532 If someone finds out your password, that person can masquerade as
533 you---send email that comes from you, read, edit, or delete your files,
534 or log into other hosts as you---and no one will be able to tell the
535 difference. For this reason, it is important that you choose a good
536 password (@pxref{Password Advice}), and keep it secret. If you need to
537 give access to your account to someone else, you can do so through
538 Kerberos. (@xref{Granting Access to Your Account}.) You should
539 @i{never} tell your password to anyone, including your system
540 administrator, for any reason. You should change your password
541 frequently, particularly any time you think someone may have found out
549 * Changing Your Password::
551 * Granting Access to Your Account::
554 @node Changing Your Password, Password Advice, Password Management, Password Management
555 @subsection Changing Your Password
558 To change your Kerberos password, use the @code{kpasswd} command. It
559 will ask you for your old password (to prevent someone else from walking
560 up to your computer when you're not there and changing your password),
561 and then prompt you for the new one twice. (The reason you have to type
562 it twice is to make sure you have typed it correctly.) For example,
563 user @code{@value{RANDOMUSER2}} would do the following:
568 @b{Old password for @value{RANDOMUSER2}:} @i{<- Type your old password.}
569 @b{New Password for @value{RANDOMUSER2}:} @i{<- Type your new password.}
570 @b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type the new password again.}
571 @b{Password changed.}
577 If @value{RANDOMUSER2} typed the incorrect old password, he would get
578 the following message:
583 @b{Old password for @value{RANDOMUSER2}:} @i{<- Type the incorrect old password.}
584 @b{Incorrect old password.
590 If you make a mistake and don't type the new password the same way
591 twice, @code{kpasswd} will ask you to try again:
596 @b{Old password for @value{RANDOMUSER2}:} @i{<- Type the old password.}
597 @b{New Password for @value{RANDOMUSER2}:} @i{<- Type the new password.}
598 @b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type a different new password.}
599 @b{Mismatch - try again
600 New Password for @value{RANDOMUSER2}:} @i{<- Type the new password.}
601 @b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type the same new password.}
607 Once you change your password, it takes some time for the change to
608 propagate through the system. Depending on how your system is set up,
609 this might be anywhere from a few minutes to an hour or more. If you
610 need to get new Kerberos tickets shortly after changing your password,
611 try the new password. If the new password doesn't work, try again using
618 @node Password Advice, Granting Access to Your Account, Changing Your Password, Password Management
619 @subsection Password Advice
621 Your password can include almost any character you can type (except
622 control keys and the ``enter'' key). A good password is one you can
623 remember, but that no one else can easily guess. Examples of @i{bad}
624 passwords are words that can be found in a dictionary, any common or
625 popular name, especially a famous person (or cartoon character), your
626 name or username in any form (@i{e.g.}, forward, backward, repeated
627 twice, @i{etc.}), your spouse's, child's, or pet's name, your birth
628 date, your social security number, and any sample password that appears
629 in this (or any other) manual.
632 @value{COMPANY} recommends that your password be at least 6 characters
633 long, and contain UPPER- and lower-case letters, numbers, and/or
634 punctuation marks. Some passwords that would be good if they weren't
635 listed in this manual include:
638 @item some initials, like ``GykoR-66.'' for ``Get your kicks on Route
641 @item an easy-to-pronounce nonsense word, like ``slaRooBey'' or
644 @item a misspelled phrase, like ``2HotPeetzas!'' or ``ItzAGurl!!!''
647 @noindent Note: don't actually use any of the above passwords. They're
648 only meant to show you how to make up a good password. Passwords that
649 appear in a manual are the first ones intruders will try.
655 @value{PRODUCT} allows your system administrators to automatically
656 reject bad passwords, based on whatever criteria they choose. For
657 example, if the user @code{@value{RANDOMUSER1}} chose a bad password,
658 Kerberos would give an error message like the following:
663 @b{Old password for @value{RANDOMUSER1}:} @i{<- Type your old password here.}
664 @b{New Password for @value{RANDOMUSER1}:} @i{<- Type an insecure new password.}
665 @b{Verifying, please re-enter New Password for @value{RANDOMUSER1}:} @i{<- Type it again.}
667 ERROR: Insecure password not accepted. Please choose another.
669 kpasswd: Insecure password rejected while attempting to change password.
670 Please choose another password.
672 @b{New Password for @value{RANDOMUSER1}:} @i{<- Type a good password here.}
673 @b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type it again.}
679 @noindent Your system administrators can choose the message that is
680 displayed if you choose a bad password, so the message you see may be
681 different from the above example.
687 @node Granting Access to Your Account, , Password Advice, Password Management
688 @subsection Granting Access to Your Account
691 If you need to give someone access to log into your account, you can do
692 so through Kerberos, without telling the person your password. Simply
693 create a file called @code{.k5login} in your home directory. This file
694 should contain the Kerberos principal (@xref{What is a Kerberos
695 Principal?}) of each person to whom you wish to give access. Each
696 principal must be on a separate line. Here is a sample @code{.k5login}
701 @value{RANDOMUSER1}@@@value{PRIMARYREALM}
702 @value{RANDOMUSER2}@@@value{SECONDREALM}
706 @noindent This file would allow the users @code{@value{RANDOMUSER1}} and
707 @code{@value{RANDOMUSER2}} to use your user ID, provided that they had
708 Kerberos tickets in their respective realms. If you will be logging
709 into other hosts across a network, you will want to include your own
710 Kerberos principal in your @code{.k5login} file on each of these hosts.
713 Using a @code{.k5login} file is much safer than giving out your
717 @item You can take access away any time simply by removing the principal
718 from your @code{.k5login} file.
720 @item Although the user has full access to your account on one
721 particular host (or set of hosts if your @code{.k5login} file is shared,
722 @i{e.g.}, over NFS), that user does not inherit your network privileges.
724 @item Kerberos keeps a log of who obtains tickets, so a system
725 administrator could find out, if necessary, who was capable of using
726 your user ID at a particular time.
729 One common application is to have a @code{.k5login} file in
730 @code{root}'s home directory, giving root access to that machine to the
731 Kerberos principals listed. This allows system administrators to allow
732 users to become root locally, or to log in remotely as @code{root},
733 without their having to give out the root password, and without anyone
734 having to type the root password over the network.
741 @node @value{PRODUCT} Applications, , Password Management, @value{PRODUCT} Tutorial
742 @section @value{PRODUCT} Applications
744 @value{PRODUCT} is a @dfn{single-sign-on} system. This means that you
745 only have to type your password once, and the @value{PRODUCT} programs
746 do the authenticating (and optionally encrypting) for you. The way this
747 works is that Kerberos has been built into each of a suite of network
748 programs. For example, when you use a @value{PRODUCT} program to
749 connect to a remote host, the program, the KDC, and the remote host
750 perform a set of rapid negotiations. When these negotiations are
751 completed, your program has proven your identity on your behalf to the
752 remote host, and the remote host has granted you access, all in the
753 space of a few seconds.
755 The @value{PRODUCT} applications are versions of existing UNIX network
756 programs with the Kerberos features added.
763 * Overview of Additional Features::
772 @node Overview of Additional Features, telnet, @value{PRODUCT} Applications, @value{PRODUCT} Applications
773 @subsection Overview of Additional Features
775 The @value{PRODUCT} @dfn{network programs} are those programs that
776 connect to another host somewhere on the internet. These programs
777 include @code{rlogin}, @code{telnet}, @code{ftp}, @code{rsh},
778 @code{rcp}, @code{krdist}, and @code{ksu}. These programs have all of
779 the original features of the corresponding non-Kerberos @code{rlogin},
780 @code{telnet}, @code{ftp}, @code{rsh}, @code{rcp}, @code{rdist}, and
781 @code{su} programs, plus additional features that transparently use your
782 Kerberos tickets for negotiating authentication and optional encryption
783 with the remote host. In most cases, all you'll notice is that you no
784 longer have to type your password, because Kerberos has already proven
787 The @value{PRODUCT} network programs allow you the options of forwarding
788 your tickets to the remote host (if you obtained forwardable tickets
789 with the @code{kinit} program; @pxref{Obtaining Tickets with kinit}), and
790 encrypting data transmitted between you and the remote host.
792 This section of the tutorial assumes you are familiar with the
793 non-Kerberos versions of these programs, and highlights the Kerberos
794 functions added in the @value{PRODUCT} package.
800 @node telnet, rlogin, Overview of Additional Features, @value{PRODUCT} Applications
803 The @value{PRODUCT} @code{telnet} command works exactly like the
804 standard UNIX telnet program, with the following Kerberos options added:
808 forwards a copy of your tickets to the remote host.
811 turns off forwarding of tickets to the remote host. (This option
812 overrides any forwarding specified in your machine's configuration
815 @itemx -F, --forwardable
816 forwards a copy of your tickets to the remote host, and marks them
817 re-forwardable from the remote host.
819 @itemx --noforwardable
820 makes any forwarded tickets nonforwardable. (This option overrides any
821 forwardability specified in your machine's configuration files.)
824 requests tickets for the remote host in the specified realm, instead of
825 determining the realm itself.
828 uses your tickets to authenticate to the remote host, but does not log
832 attempt automatic login using your tickets. @code{telnet} will assume
833 the same username unless you explicitly specify another.
839 turns off encryption.
847 For example, if @code{@value{RANDOMUSER2}} wanted to use the standard
848 UNIX telnet to connect to the machine
849 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, he would type:
853 @b{shell%} telnet @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}
854 @b{Trying 128.0.0.5 ...
855 Connected to @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}.
856 Escape character is '^]'.
858 NetBSD/i386 (@value{RANDOMHOST1}) (ttyp3)
860 login:} @value{RANDOMUSER2}
861 @b{Password:} @i{<- @value{RANDOMUSER2} types his password here}
862 @b{Last login: Fri Jun 21 17:13:11 from @value{RANDOMHOST2}.@value{SECONDDOMAIN}
863 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
864 The Regents of the University of California. All rights reserved.
866 NetBSD 1.1: Tue May 21 00:31:42 EDT 1996
873 @noindent Note that the machine
874 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} asked for
875 @code{@value{RANDOMUSER2}}'s password. When he typed it, his password
876 was sent over the network unencrypted. If an intruder were watching
877 network traffic at the time, that intruder would know
878 @code{@value{RANDOMUSER2}}'s password.
884 If, on the other hand, @code{@value{RANDOMUSER1}} wanted to use the
885 @value{PRODUCT} telnet to connect to the machine
886 @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, she could forward a
887 copy of her tickets, request an encrypted session, and log on as herself
892 @b{shell%} telnet -a -f -x @value{RANDOMHOST2}.@value{SECONDDOMAIN}
893 @b{Trying 128.0.0.5...
894 Connected to @value{RANDOMHOST2}.@value{SECONDDOMAIN}.
895 Escape character is '^]'.
896 [ Kerberos V5 accepts you as ``@value{RANDOMUSER1}@@@value{SECONDDOMAIN}'' ]
897 [ Kerberos V5 accepted forwarded credentials ]
898 NetBSD 1.1: Tue May 21 00:31:42 EDT 1996
905 @noindent Note that @code{@value{RANDOMUSER1}}'s machine used Kerberos
906 to authenticate her to @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}},
907 and logged her in automatically as herself. She had an encrypted
908 session, a copy of her tickets already waiting for her, and she never
911 If you forwarded your Kerberos tickets, @code{telnet} automatically
912 destroys them when it exits. The full set of options to @value{PRODUCT}
913 @code{telnet} are discussed in the Reference section of this manual.
914 (@pxref{telnet Reference})
920 @node rlogin, FTP, telnet, @value{PRODUCT} Applications
924 The @value{PRODUCT} @code{rlogin} command works exactly like the
925 standard UNIX rlogin program, with the following Kerberos options added:
929 forwards a copy of your tickets to the remote host.
932 turns off forwarding of tickets to the remote host. (This option
933 overrides any forwarding specified in your machine's configuration
936 @itemx -F, --forwardable
937 forwards a copy of your tickets to the remote host, and marks them
938 re-forwardable from the remote host.
940 @itemx --noforwardable
941 makes any forwarded tickets nonforwardable. (This option overrides any
942 forwardability specified in your machine's configuration files.)
945 requests tickets for the remote host in the specified realm, instead of
946 determining the realm itself.
952 turns off encryption.
956 For example, if @code{@value{RANDOMUSER2}} wanted to use the standard
957 UNIX rlogin to connect to the machine
958 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, he would type:
962 @b{shell%} rlogin @value{RANDOMHOST1}.@value{PRIMARYDOMAIN} -l @value{RANDOMUSER2}
963 @b{Password:} @i{<- @value{RANDOMUSER2} types his password here}
964 @b{Last login: Fri Jun 21 10:36:32 from :0.0
965 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
966 The Regents of the University of California. All rights reserved.
968 NetBSD 1.1: Tue May 21 00:31:42 EDT 1996
975 @noindent Note that the machine
976 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} asked for
977 @code{@value{RANDOMUSER2}}'s password. When he typed it, his password
978 was sent over the network unencrypted. If an intruder were watching
979 network traffic at the time, that intruder would know
980 @code{@value{RANDOMUSER2}}'s password.
986 If, on the other hand, @code{@value{RANDOMUSER1}} wanted to use
987 @value{PRODUCT} rlogin to connect to the machine
988 @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, she could forward a
989 copy of her tickets, mark them as not forwardable from the remote host,
990 and request an encrypted session as follows:
994 @b{shell%} rlogin @value{RANDOMHOST2}.@value{SECONDDOMAIN} -f -x
995 @b{This rlogin session is using DES encryption for all data transmissions.
996 Last login: Thu Jun 20 16:20:50 from @value{RANDOMHOST1}
997 SunOS Release 4.1.4 (GENERIC) #2: Tue Nov 14 18:09:31 EST 1995
998 Not checking quotas. Try quota.real if you need them.
1003 @noindent Note that @code{@value{RANDOMUSER1}}'s machine used Kerberos
1004 to authenticate her to @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}},
1005 and logged her in automatically as herself. She had an encrypted
1006 session, a copy of her tickets were waiting for her, and she never typed
1009 If you forwarded your Kerberos tickets, @code{rlogin} automatically
1010 destroys them when it exits. The full set of options to @value{PRODUCT}
1011 @code{rlogin} are discussed in the Reference section of this manual.
1012 (@pxref{rlogin Reference})
1018 @node FTP, rsh, rlogin, @value{PRODUCT} Applications
1022 The @value{PRODUCT} @code{FTP} program works exactly like the standard
1023 UNIX FTP program, with the following Kerberos features added:
1027 requests tickets for the remote host in the specified realm, instead of
1028 determining the realm itself.
1031 requests that your tickets be forwarded to the remote host. The
1032 @kbd{-forward} argument must be the last argument on the command line.
1034 @itemx protect @i{level}
1035 (issued at the @code{ftp>} prompt) sets the protection level. ``Clear''
1036 is no protection; ``safe'' ensures data integrity by verifying the
1037 checksum, and ``private'' encrypts the data. Encryption also ensures
1042 For example, suppose @code{@value{RANDOMUSER1}} wants to get her
1043 @code{RMAIL} file from the directory @code{~@value{RANDOMUSER1}/Mail},
1044 on the host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}. She wants
1045 to encrypt the file transfer. The exchange would look like the
1050 @b{shell%} ftp @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}
1051 Connected to @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}.
1052 220 @value{RANDOMHOST1}.@value{PRIMARYDOMAIN} FTP server (Version 5.60) ready.
1053 334 Using authentication type GSSAPI; ADAT must follow
1054 GSSAPI accepted as authentication type
1055 GSSAPI authentication succeeded
1056 Name (@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}:@value{RANDOMUSER1}):
1057 232 GSSAPI user @value{RANDOMUSER1}@@@value{PRIMARYREALM} is authorized as @value{RANDOMUSER1}
1058 230 User @value{RANDOMUSER1} logged in.
1059 Remote system type is UNIX.
1060 Using binary mode to transfer files.
1061 ftp> protect private
1062 200 Protection level set to Private.
1063 ftp> cd ~@value{RANDOMUSER1}/MAIL
1064 250 CWD command successful.
1066 227 Entering Passive Mode (128,0,0,5,16,49)
1067 150 Opening BINARY mode data connection for RMAIL (361662 bytes).
1068 226 Transfer complete.
1069 361662 bytes received in 2.5 seconds (1.4e+02 Kbytes/s)
1075 The full set of options to @value{PRODUCT} @code{FTP} are discussed
1076 in the Reference section of this manual. (@pxref{FTP Reference})
1082 @node rsh, rcp, FTP, @value{PRODUCT} Applications
1086 The @value{PRODUCT} @code{rsh} program works exactly like the standard
1087 UNIX rlogin program, with the following Kerberos features added:
1090 @itemx -f, --forward
1091 forwards a copy of your tickets to the remote host.
1094 turns off forwarding of tickets to the remote host. (This option
1095 overrides any forwarding specified in your machine's configuration
1098 @itemx -F, --forwardable
1099 forwards a copy of your tickets to the remote host, and marks them
1100 re-forwardable from the remote host.
1102 @itemx --noforwardable
1103 makes any forwarded tickets nonforwardable. (This option overrides any
1104 forwardability specified in your machine's configuration files.)
1107 requests tickets for the remote host in the specified realm, instead of
1108 determining the realm itself.
1110 @itemx -x, --encrypt
1111 turns on encryption.
1114 turns off encryption.
1118 For example, if your Kerberos tickets allowed you to run programs on the
1119 host @code{@value{RANDOMHOST2}@@@value{SECONDDOMAIN}} as root, you could
1120 run the @samp{date} program as follows:
1124 @b{shell%} rsh @value{RANDOMHOST2}.@value{SECONDDOMAIN} -l root -x date
1125 @b{This rsh session is using DES encryption for all data transmissions.
1126 Fri Jun 21 17:06:12 EDT 1996
1131 If you forwarded your Kerberos tickets, @code{rsh} automatically
1132 destroys them when it exits. The full set of options to @value{PRODUCT}
1133 @code{rsh} are discussed in the Reference section of this manual.
1134 (@pxref{rsh Reference})
1140 @node rcp, ksu, rsh, @value{PRODUCT} Applications
1144 The @value{PRODUCT} @code{rcp} program works exactly like the standard
1145 UNIX rcp program, with the following Kerberos features added:
1149 requests tickets for the remote host in the specified realm, instead of
1150 determining the realm itself.
1152 @itemx -x, --encrypt
1153 turns on encryption.
1158 For example, if you wanted to copy the file @code{/etc/motd} from the
1159 host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} into the current
1160 directory, via an encrypted connection, you would simply type:
1163 @b{shell%} rcp -x @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}:/etc/motd .
1166 The @kbd{rcp} program negotiates authentication and encryption
1167 transparently. The full set of options to @value{PRODUCT} @code{rcp}
1168 are discussed in the Reference section of this manual. (@pxref{rcp
1175 @node ksu, , rcp, @value{PRODUCT} Applications
1178 The @value{PRODUCT} @code{ksu} program replaces the standard UNIX su
1179 program. @code{ksu} first authenticates you to Kerberos. Depending on
1180 the configuration of your system, @code{ksu} may ask for your Kerberos
1181 password if authentication fails. @emph{Note that you should never type
1182 your password if you are remotely logged in using an unencrypted
1185 Once @code{ksu} has authenticated you, if your Kerberos principal
1186 appears in the target's @code{.k5login} file (@pxref{Granting Access to
1187 Your Account}) or in the target's @code{.k5users} file (see below), it
1188 switches your user ID to the target user ID.
1191 For example, @code{@value{RANDOMUSER2}} has put
1192 @code{@value{RANDOMUSER1}}'s Kerberos principal in his @code{.k5login}
1193 file. If @code{@value{RANDOMUSER1}} uses @code{ksu} to become
1194 @code{@value{RANDOMUSER2}}, the exchange would look like this. (To
1195 differentiate between the two shells, @code{@value{RANDOMUSER1}}'s
1196 prompt is represented as @code{@value{RANDOMUSER1}%} and
1197 @code{@value{RANDOMUSER2}}'s prompt is represented as
1198 @code{@value{RANDOMUSER2}%}.)
1202 @b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2}
1203 @b{Account @value{RANDOMUSER2}: authorization for @value{RANDOMUSER1}@@@value{PRIMARYREALM} successful
1204 Changing uid to @value{RANDOMUSER2} (3382)
1205 @value{RANDOMUSER2}%}
1210 Note that the new shell has a copy of @code{@value{RANDOMUSER1}}'s
1211 tickets. The ticket filename contains @code{@value{RANDOMUSER2}}'s UID
1212 with @samp{.1} appended to it:
1216 @b{@value{RANDOMUSER2}%} klist
1217 @b{Ticket cache: /tmp/krb5cc_3382.1
1218 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
1220 Valid starting Expires Service principal
1221 31 Jul 96 21:53:01 01 Aug 96 07:52:53 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
1222 31 Jul 96 21:53:39 01 Aug 96 07:52:53 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
1223 @value{RANDOMUSER2}%}
1228 If @code{@value{RANDOMUSER1}} had not appeared in
1229 @code{@value{RANDOMUSER2}}'s @code{.k5login} file (and the system was
1230 configured to ask for a password), the exchange would have looked like
1231 this (assuming @code{@value{RANDOMUSER2}} has taken appropriate
1232 precautions in protecting his password):
1236 @b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2}
1237 @b{WARNING: Your password may be exposed if you enter it here and are logged
1238 in remotely using an unsecure (non-encrypted) channel.
1239 Kerberos password for @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{<- @code{@value{RANDOMUSER1}} types the wrong password here.}
1240 @b{ksu: Password incorrect
1241 Authentication failed.
1242 @value{RANDOMUSER1}%}
1246 Now, suppose @code{@value{RANDOMUSER2}} did not want to give
1247 @code{@value{RANDOMUSER1}} full access to his account, but wanted to
1248 give her permission to list his files and use the "more" command to view
1249 them. He could create a @code{.k5users} file giving her permission to
1250 run only those specific commands.
1253 The @code{.k5users} file is like the @code{.k5login} file, except that
1254 each principal is optionally followed by a list of commands. @code{ksu}
1255 will let those principals execute only the commands listed, using the
1256 @kbd{-e} option. @code{@value{RANDOMUSER2}}'s @code{.k5users} file
1257 might look like the following:
1261 @value{RANDOMUSER1}@@@value{PRIMARYREALM} /bin/ls /usr/bin/more
1262 @value{ADMINUSER}@@@value{PRIMARYREALM} /bin/ls
1263 @value{ADMINUSER}/admin@@@value{PRIMARYREALM} *
1264 @value{RANDOMUSER2}@@@value{SECONDREALM}
1268 @noindent The above @code{.k5users} file would let
1269 @code{@value{RANDOMUSER1}} run only the commands @code{/bin/ls} and
1270 @code{/usr/bin/more}. It would let @code{@value{ADMINUSER}} run only
1271 the command @code{/bin/ls} if he had regular tickets, but if he had
1272 tickets for his @code{admin} instance,
1273 @code{@value{ADMINUSER}/admin@@@value{PRIMARYREALM}}, he would be able
1274 to execute any command. The last line gives @code{@value{RANDOMUSER2}}
1275 in the realm @value{SECONDREALM} permission to execute any command.
1276 (@i{I.e.}, having only a Kerberos principal on a line is equivalent to
1277 giving that principal permission to execute @code{*}.) This is so that
1278 @value{RANDOMUSER2} can allow himself to execute commands when he logs
1279 in, using Kerberos, from a machine in the realm @value{SECONDREALM}.
1282 Then, when @code{@value{RANDOMUSER1}} wanted to list his home directory,
1287 @b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2} -e ls ~@value{RANDOMUSER2}
1288 @b{Authenticated @value{RANDOMUSER1}@@@value{PRIMARYREALM}
1289 Account @value{RANDOMUSER2}: authorization for @value{RANDOMUSER1}@@@value{PRIMARYREALM} for execution of
1291 Changing uid to @value{RANDOMUSER2} (3382)
1292 Mail News Personal misc bin
1293 @value{RANDOMUSER1}%}
1297 @noindent If @code{@value{RANDOMUSER1}} had tried to give a different
1298 command to @code{ksu}, it would have prompted for a password as with the
1301 Note that unless the @code{.k5users} file gives the target permission to
1302 run any command, the user must use @code{ksu} with the @kbd{-e}
1306 The @code{ksu} options you are most likely to use are:
1309 @itemx -n @i{principal}
1310 specifies which Kerberos principal you want to use for @code{ksu}.
1311 (@i{e.g.}, the user @code{@value{ADMINUSER}} might want to use his
1312 @code{admin} instance. @xref{What is a Ticket?}.)
1315 specifies the location of your Kerberos credentials cache (ticket file).
1318 specifies the location you want the Kerberos credentials cache (ticket
1319 file) to be for the target user ID.
1322 tells @code{ksu} not to destroy your Kerberos tickets when @code{ksu} is
1326 requests forwardable tickets. (@xref{Obtaining Tickets with kinit}.) This
1327 is only applicable if @code{ksu} needs to obtain tickets.
1329 @itemx -l @i{lifetime}
1330 sets the ticket lifetime. (@xref{Obtaining Tickets with kinit}.) This is
1331 only applicable if @code{ksu} needs to obtain tickets.
1334 tells @code{ksu} to copy your Kerberos tickets only if the UID you are
1335 switching is the same as the Kerberos primary (either yours or the one
1336 specified by the @kbd{-n} option).
1339 tells @code{ksu} not to copy any Kerberos tickets to the new UID.
1341 @itemx -e @i{command}
1342 tells @code{ksu} to execute @i{command} and then exit. See the
1343 description of the @code{.k5users} file above.
1346 (at the end of the command line) tells @code{ksu} to pass everything
1347 after @samp{-a} to the target shell.
1350 The full set of options to @value{PRODUCT} @code{ksu} are discussed
1351 in the Reference section of this manual. (@pxref{ksu Reference})
1353 @node @value{PRODUCT} Reference, Kerberos Glossary, @value{PRODUCT} Tutorial, Top
1354 @chapter @value{PRODUCT} Reference
1356 This section will include copies of the manual pages for the
1357 @value{PRODUCT} client programs. You can read the manual entry for any
1358 command by typing @code{man} @i{command}, where @i{command} is the name
1359 of the command for which you want to read the manual entry. For
1360 example, to read the @code{kinit} manual entry, you would type:
1363 @b{shell%} man kinit
1366 Note: To be able to view the @value{PRODUCT} manual pages on line, you
1367 may need to add the directory @code{@value{ROOTDIR}/man} to your MANPATH
1368 environment variable. (Remember to replace @code{@value{ROOTDIR}} with
1369 the top-level directory in which @value{PRODUCT} is installed.) For
1370 example, if you had the the following line in your @code{.login}
1371 file@footnote{The MANPATH variable may be specified in a different
1372 initialization file, depending on your operating system. Some of the
1373 files in which you might specify environment variables include
1374 @code{.login}, @code{.profile}, or @code{.cshrc}.}:
1377 setenv MANPATH /usr/local/man:/usr/man
1381 and the @value{PRODUCT} man pages were in the directory
1382 @code{/usr/@value{LCPRODUCT}/man}, you would change the line to the following:
1385 setenv MANPATH /usr/@value{LCPRODUCT}/man:/usr/local/man:/usr/man
1389 Note to info users: the manual pages are not available within this info
1390 tree. You can read them from emacs with the command:
1393 M-x manual-entry @emph{command}
1402 * kdestroy Reference::
1403 * kpasswd Reference::
1404 * telnet Reference::
1405 * rlogin Reference::
1410 * krdist Reference::
1413 @node kinit Reference, klist Reference, @value{PRODUCT} Reference, @value{PRODUCT} Reference
1414 @section kinit Reference
1417 @special{psfile=kinit1.ps voffset=-1115 hoffset=-40}
1418 @centerline{Reference Manual for @code{kinit}}
1421 @special{psfile=kinit2.ps voffset=-1115 hoffset=-40}
1422 @centerline{Reference Manual for @code{kinit}}
1426 Type @kbd{M-x manual-entry kinit} to read this manual page.
1429 @node klist Reference, kdestroy Reference, kinit Reference, @value{PRODUCT} Reference
1430 @section klist Reference
1433 @special{psfile=klist1.ps voffset=-1115 hoffset=-40}
1434 @centerline{Reference Manual for @code{klist}}
1438 Type @kbd{M-x manual-entry klist} to read this manual page.
1441 @node kdestroy Reference, kpasswd Reference, klist Reference, @value{PRODUCT} Reference
1442 @section kdestroy Reference
1445 @special{psfile=kdestroy1.ps voffset=-1115 hoffset=-60}
1446 @centerline{Reference Manual for @code{kdestroy}}
1450 Type @kbd{M-x manual-entry kdestroy} to read this manual page.
1453 @node kpasswd Reference, telnet Reference, kdestroy Reference, @value{PRODUCT} Reference
1454 @section kpasswd Reference
1457 @special{psfile=kpasswd1.ps voffset=-1115 hoffset=-40}
1458 @centerline{Reference Manual for @code{kpasswd}}
1462 Type @kbd{M-x manual-entry kpasswd} to read this manual page.
1465 @node telnet Reference, rlogin Reference, kpasswd Reference, @value{PRODUCT} Reference
1466 @section telnet Reference
1469 @special{psfile=telnet1.ps voffset=-1115 hoffset=-40}
1470 @centerline{Reference Manual for @code{telnet}}
1473 @special{psfile=telnet2.ps voffset=-1115 hoffset=-40}
1474 @centerline{Reference Manual for @code{telnet}}
1477 @special{psfile=telnet3.ps voffset=-1115 hoffset=-40}
1478 @centerline{Reference Manual for @code{telnet}}
1481 @special{psfile=telnet4.ps voffset=-1115 hoffset=-40}
1482 @centerline{Reference Manual for @code{telnet}}
1485 @special{psfile=telnet5.ps voffset=-1115 hoffset=-40}
1486 @centerline{Reference Manual for @code{telnet}}
1489 @special{psfile=telnet6.ps voffset=-1115 hoffset=-40}
1490 @centerline{Reference Manual for @code{telnet}}
1493 @special{psfile=telnet7.ps voffset=-1115 hoffset=-40}
1494 @centerline{Reference Manual for @code{telnet}}
1497 @special{psfile=telnet8.ps voffset=-1115 hoffset=-40}
1498 @centerline{Reference Manual for @code{telnet}}
1501 @special{psfile=telnet9.ps voffset=-1115 hoffset=-40}
1502 @centerline{Reference Manual for @code{telnet}}
1505 @special{psfile=telnet10.ps voffset=-1115 hoffset=-40}
1506 @centerline{Reference Manual for @code{telnet}}
1510 Type @kbd{M-x manual-entry telnet} to read this manual page.
1513 @node rlogin Reference, FTP Reference, telnet Reference, @value{PRODUCT} Reference
1514 @section rlogin Reference
1517 @special{psfile=rlogin1.ps voffset=-1115 hoffset=-40}
1518 @centerline{Reference Manual for @code{rlogin}}
1521 @special{psfile=rlogin2.ps voffset=-1115 hoffset=-40}
1522 @centerline{Reference Manual for @code{rlogin}}
1526 Type @kbd{M-x manual-entry rlogin} to read this manual page.
1529 @node FTP Reference, rsh Reference, rlogin Reference, @value{PRODUCT} Reference
1530 @section FTP Reference
1533 @special{psfile=ftp1.ps voffset=-1115 hoffset=-40}
1534 @centerline{Reference Manual for @code{FTP}}
1537 @special{psfile=ftp2.ps voffset=-1115 hoffset=-40}
1538 @centerline{Reference Manual for @code{FTP}}
1541 @special{psfile=ftp3.ps voffset=-1115 hoffset=-40}
1542 @centerline{Reference Manual for @code{FTP}}
1545 @special{psfile=ftp4.ps voffset=-1115 hoffset=-40}
1546 @centerline{Reference Manual for @code{FTP}}
1549 @special{psfile=ftp5.ps voffset=-1115 hoffset=-40}
1550 @centerline{Reference Manual for @code{FTP}}
1553 @special{psfile=ftp6.ps voffset=-1115 hoffset=-40}
1554 @centerline{Reference Manual for @code{FTP}}
1557 @special{psfile=ftp7.ps voffset=-1115 hoffset=-40}
1558 @centerline{Reference Manual for @code{FTP}}
1561 @special{psfile=ftp8.ps voffset=-1115 hoffset=-40}
1562 @centerline{Reference Manual for @code{FTP}}
1566 Type @kbd{M-x manual-entry FTP} to read this manual page.
1569 @node rsh Reference, rcp Reference, FTP Reference, @value{PRODUCT} Reference
1570 @section rsh Reference
1573 @special{psfile=rsh1.ps voffset=-1115 hoffset=-40}
1574 @centerline{Reference Manual for @code{rsh}}
1577 @special{psfile=rsh2.ps voffset=-1115 hoffset=-40}
1578 @centerline{Reference Manual for @code{rsh}}
1582 Type @kbd{M-x manual-entry rsh} to read this manual page.
1585 @node rcp Reference, ksu Reference, rsh Reference, @value{PRODUCT} Reference
1586 @section rcp Reference
1589 @special{psfile=rcp1.ps voffset=-1115 hoffset=-40}
1590 @centerline{Reference Manual for @code{rcp}}
1593 @special{psfile=rcp2.ps voffset=-1115 hoffset=-40}
1594 @centerline{Reference Manual for @code{rcp}}
1598 Type @kbd{M-x manual-entry rcp} to read this manual page.
1601 @node ksu Reference, krdist Reference, rcp Reference, @value{PRODUCT} Reference
1602 @section ksu Reference
1605 @special{psfile=ksu1.ps voffset=-1115 hoffset=-40}
1606 @centerline{Reference Manual for @code{ksu}}
1609 @special{psfile=ksu2.ps voffset=-1115 hoffset=-40}
1610 @centerline{Reference Manual for @code{ksu}}
1613 @special{psfile=ksu3.ps voffset=-1115 hoffset=-40}
1614 @centerline{Reference Manual for @code{ksu}}
1617 @special{psfile=ksu4.ps voffset=-1115 hoffset=-40}
1618 @centerline{Reference Manual for @code{ksu}}
1621 @special{psfile=ksu5.ps voffset=-1115 hoffset=-40}
1622 @centerline{Reference Manual for @code{ksu}}
1626 Type @kbd{M-x manual-entry ksu} to read this manual page.
1629 @node krdist Reference, , ksu Reference, @value{PRODUCT} Reference
1630 @section krdist Reference
1633 @special{psfile=krdist1.ps voffset=-1115 hoffset=-40}
1634 @centerline{Reference Manual for @code{krdist}}
1637 @special{psfile=krdist2.ps voffset=-1115 hoffset=-40}
1638 @centerline{Reference Manual for @code{krdist}}
1641 @special{psfile=krdist3.ps voffset=-1115 hoffset=-40}
1642 @centerline{Reference Manual for @code{krdist}}
1645 @special{psfile=krdist4.ps voffset=-1115 hoffset=-40}
1646 @centerline{Reference Manual for @code{krdist}}
1649 @special{psfile=krdist5.ps voffset=-1115 hoffset=-40}
1650 @centerline{Reference Manual for @code{krdist}}
1653 @special{psfile=krdist6.ps voffset=-1115 hoffset=-40}
1654 @centerline{Reference Manual for @code{krdist}}
1657 @special{psfile=krdist7.ps voffset=-1115 hoffset=-40}
1658 @centerline{Reference Manual for @code{krdist}}
1662 Type @kbd{M-x manual-entry krdist} to read this manual page.
1665 @node Kerberos Glossary, , @value{PRODUCT} Reference, Top
1666 @appendix Kerberos Glossary
1668 @include glossary.texinfo