1 \input texinfo @c -*-texinfo-*-
4 @setfilename krb5-user.info
5 @settitle Kerberos V5 UNIX User's Guide
6 @setchapternewpage odd @c chapter begins on next odd page
7 @c @setchapternewpage on @c chapter begins on next page
8 @c @smallbook @c Format for 7" X 9.25" paper
18 * krb5-user: (krb5-user). Kerberos V5 UNIX User's Guide
21 @include definitions.texinfo
24 @finalout @c don't print black warning boxes
27 @title @value{PRODUCT} UNIX User's Guide
28 @subtitle Release: @value{RELEASE}
29 @subtitle Document Edition: @value{EDITION}
30 @subtitle Last updated: @value{UPDATED}
31 @author @value{COMPANY}
34 @vskip 0pt plus 1filll
38 @comment node-name, next, previous, up
39 @node Top, Copyright, (dir), (dir)
42 This file describes how to use the @value{PRODUCT} client programs.
45 @c The master menu is updated using emacs19's M-x texinfo-all-menus-update
46 @c function. Don't forget to run M-x texinfo-every-node-update after
47 @c you add a new section or subsection, or after you've rearranged the
48 @c comand before each @section or @subsection! All you need to enter
51 @c @section New Section Name
53 @c M-x texinfo-every-node-update will take care of calculating the
54 @c node's forward and back pointers.
56 @c ---------------------------------------------------------------------
61 * Kerberos V5 Tutorial::
62 * Kerberos V5 Reference::
66 @node Copyright, Introduction, Top, Top
69 @include copyright.texinfo
71 @node Introduction, Kerberos V5 Tutorial, Copyright, Top
75 @value{PRODUCT} is based on the Kerberos V5 authentication system
79 Kerberos V5 is an authentication system developed at MIT.
81 Kerberos is named for the three-headed watchdog from Greek mythology,
82 who guarded the entrance to the underworld.
84 Under Kerberos, a client (generally either a user or a service) sends a
85 request for a ticket to the @i{Key Distribution Center} (KDC). The KDC
86 creates a @dfn{ticket-granting ticket} (TGT) for the client, encrypts it
87 using the client's password as the key, and sends the encrypted TGT back
88 to the client. The client then attempts to decrypt the TGT, using its
89 password. If the client successfully decrypts the TGT (@i{i.e.}, if the
90 client gave the correct password), it keeps the decrypted TGT, which
91 indicates proof of the client's identity.
93 The TGT, which expires at a specified time, permits the client to obtain
94 additional tickets, which give permission for specific services. The
95 requesting and granting of these additional tickets is user-transparent.
97 Since Kerberos negotiates authenticated, and optionally encrypted,
98 communications between two points anywhere on the internet, it provides
99 a layer of security that is not dependent on which side of a firewall
100 either client is on. Since studies have shown that half of the computer
101 security breaches in industry happen from @i{inside} firewalls,
102 @value{COMPANY}'s @value{PRODUCT} plays a vital role in maintaining your
105 The @value{PRODUCT} package is designed to be easy to use. Most of the
106 commands are nearly identical to UNIX network programs you already
107 use. @value{PRODUCT} is a @dfn{single-sign-on} system, which means
108 that you have to type your password only once per session, and Kerberos
109 does the authenticating and encrypting transparently.
112 * What is a Ticket?::
113 * What is a Kerberos Principal?::
116 @node What is a Ticket?, What is a Kerberos Principal?, Introduction, Introduction
117 @section What is a Ticket?
119 Your Kerberos @dfn{credentials}, or ``@dfn{tickets}'', are a set of
120 electronic information that can be used to verify your identity. Your
121 Kerberos tickets may be stored in a file, or they may exist only in
124 The first ticket you obtain is a @dfn{ticket-granting ticket}, which
125 permits you to obtain additional tickets. These additional tickets give
126 you permission for specific services. The requesting and granting of
127 these additional tickets happens transparently.
129 A good analogy for the ticket-granting ticket is a three-day ski pass
130 that is good at four different resorts. You show the pass at whichever
131 resort you decide to go to (until it expires), and you receive a lift
132 ticket for that resort. Once you have the lift ticket, you can ski all
133 you want at that resort. If you go to another resort the next day, you
134 once again show your pass, and you get an additional lift ticket for the
135 new resort. The difference is that the @value{PRODUCT} programs notice
136 that you have the weekend ski pass, and get the lift ticket for you, so
137 you don't have to perform the transactions yourself.
139 @node What is a Kerberos Principal?, , What is a Ticket?, Introduction
140 @section What is a Kerberos Principal?
142 A Kerberos @dfn{principal} is a unique identity to which Kerberos can
143 assign tickets. Principals can have an arbitrary number of
144 components. Each component is separated by a component separator,
145 generally `/'. The last component is the realm, separated from the
146 rest of the principal by the realm separator, generally `@@'. If there
147 is no realm component in the principal, then it will be assumed that
148 the principal is in the default realm for the context in which it is
151 Traditionally, a principal is divided into three parts: the
152 @dfn{primary}, the @dfn{instance}, and the @dfn{realm}. The format of
153 a typical Kerberos V5 principal is @code{primary/instance@@REALM}.
156 @item The @dfn{primary} is the first part of the principal. In the case
157 of a user, it's the same as your username. For a host, the primary is
158 the word @code{host}.
160 @item The @dfn{instance} is an optional string that qualifies the
161 primary. The instance is separated from the primary by a slash
162 (@code{/}). In the case of a user, the instance is usually null, but a
163 user might also have an additional principal, with an instance called
164 @samp{admin}, which he/she uses to administrate a database. The
165 principal @code{@value{RANDOMUSER1}@@@value{PRIMARYREALM}} is completely
166 separate from the principal
167 @code{@value{RANDOMUSER1}/admin@@@value{PRIMARYREALM}}, with a separate
168 password, and separate permissions. In the case of a host, the instance
169 is the fully qualified hostname, e.g.,
170 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}.
172 @item The @dfn{realm} is your Kerberos realm. In most cases, your
173 Kerberos realm is your domain name, in upper-case letters. For example,
174 the machine @code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}} would be in
175 the realm @code{@value{SECONDREALM}}.
178 @node Kerberos V5 Tutorial, Kerberos V5 Reference, Introduction, Top
179 @chapter Kerberos V5 Tutorial
181 This tutorial is intended to familiarize you with the @value{PRODUCT}
182 client programs. We will represent your prompt as ``@code{shell%}''.
183 So an instruction to type the ``@kbd{ls}'' command would be represented as
193 In these examples, we will use sample usernames, such as
194 @code{@value{RANDOMUSER1}} and @code{@value{RANDOMUSER2}}, sample
195 hostnames, such as @code{@value{RANDOMHOST1}} and
196 @code{@value{RANDOMHOST2}}, and sample domain names, such as
197 @code{@value{PRIMARYDOMAIN}} and @code{@value{SECONDDOMAIN}}. When you
198 see one of these, substitute your username, hostname, or domain name
202 * Setting Up to Use Kerberos V5::
203 * Ticket Management::
204 * Password Management::
205 * Kerberos V5 Applications::
208 @node Setting Up to Use Kerberos V5, Ticket Management, Kerberos V5 Tutorial, Kerberos V5 Tutorial
209 @section Setting Up to Use @value{PRODUCT}
211 Your system administrator will have installed the @value{PRODUCT}
212 programs in whichever directory makes the most sense for your system.
213 We will use @code{@value{ROOTDIR}} throughout this guide to refer to the
214 top-level directory @value{PRODUCT} directory. We will therefor use
215 @code{@value{BINDIR}} to denote the location of the @value{PRODUCT} user
216 programs. In your installation, the directory name may be different,
217 but whatever the directory name is, you should make sure it is included
218 in your path. You will probably want to put it @i{ahead of} the
219 directories @code{/bin} and @code{/usr/bin} so you will get the
220 @value{PRODUCT} network programs, rather than the standard UNIX
221 versions, when you type their command names.
223 @node Ticket Management, Password Management, Setting Up to Use Kerberos V5, Kerberos V5 Tutorial
224 @section Ticket Management
226 On many systems, Kerberos is built into the login program, and you get
227 tickets automatically when you log in. Other programs, such as
228 @code{rsh}, @code{rcp}, @code{telnet}, and @code{rlogin}, can forward
229 copies of your tickets to the remote host. Most of these programs also
230 automatically destroy your tickets when they exit. However,
231 @value{COMPANY} recommends that you explicitly destroy your Kerberos
232 tickets when you are through with them, just to be sure. One way to
233 help ensure that this happens is to add the @code{kdestroy} command to
234 your @code{.logout} file. Additionally, if you are going to be away
235 from your machine and are concerned about an intruder using your
236 permissions, it is safest to either destroy all copies of your tickets,
237 or use a screensaver that locks the screen.
241 * Kerberos Ticket Properties::
242 * Obtaining Tickets with kinit::
243 * Viewing Your Tickets with klist::
244 * Destroying Your Tickets with kdestroy::
247 @node Kerberos Ticket Properties, Obtaining Tickets with kinit, Ticket Management, Ticket Management
248 @subsection Kerberos Ticket Properties
251 There are various properties that Kerberos tickets can have:
253 If a ticket is @dfn{forwardable}, then the KDC can issue a new ticket with
254 a different network address based on the forwardable ticket. This
255 allows for authentication forwarding without requiring a password to be
256 typed in again. For example, if a user with a forwardable TGT logs
257 into a remote system, the KDC could issue a new TGT for that user with
258 the netword address of the remote system, allowing authentication on
259 that host to work as though the user were logged in locally.
261 When the KDC creates a new ticket based on a forwardable ticket, it
262 sets the @dfn{forwarded} flag on that new ticket. Any tickets that are
263 created based on a ticket with the forwarded flag set will also have
264 their forwarded flags set.
266 A @dfn{proxiable} ticket is similar to a forwardable ticket in that it
267 allows a service to take on the identity of the client. Unlike a
268 forwardable ticket, however, a proxiable ticket is only issued for
269 specific services. In other words, a ticket-granting ticket cannot be
270 issued based on a ticket that is proxiable but not forwardable.
272 A @dfn{proxy} ticket is one that was issued based on a proxiable ticket.
274 A @dfn{postdated} ticket is issued with the @i{invalid} flag set.
275 After the starting time listed on the ticket, it can be presented to
276 the KDC to obtain valid tickets.
278 Tickets with the @dfn{postdateable} flag set can be used to issue postdated
281 @dfn{Renewable} tickets can be used to obtain new session keys without
282 the user entering their password again. A renewable ticket has two
283 expiration times. The first is the time at which this particular
284 ticket expires. The second is the latest possible expiration time for
285 any ticket issued based on this renewable ticket.
287 A ticket with the @dfn{initial} flag set was issued based on the
288 authentication protocol, and not on a ticket-granting ticket. Clients
289 that wish to ensure that the user's key has been recently presented for
290 verification could specify that this flag must be set to accept the
293 An @dfn{invalid} ticket must be rejected by application servers. Postdated
294 tickets are usually issued with this flag set, and must be validated by
295 the KDC before they can be used.
297 A @dfn{preauthenticated} ticket is one that was only issued after the
298 client requesting the ticket had authenticated itself to the KDC.
300 The @dfn{hardware authentication} flag is set on a ticket which
301 required the use of hardware for authentication. The hardware is
302 expected to be possessed only by the client which requested the
305 If a ticket has the @dfn{transit policy checked} flag set, then the KDC that
306 issued this ticket implements the transited-realm check policy and
307 checked the transited-realms list on the ticket. The transited-realms
308 list contains a list of all intermediate realms between the realm of the
309 KDC that issued the first ticket and that of the one that issued the
310 current ticket. If this flag is not set, then the application server
311 must check the transited realms itself or else reject the ticket.
313 The @dfn{okay as delegate} flag indicates that the server specified in
314 the ticket is suitable as a delegate as determined by the policy of
315 that realm. A server that is acting as a delegate has been granted a
316 proxy or a forwarded TGT. This flag is a new addition to the
317 @value{PRODUCT} protocol and is not yet implemented on MIT servers.
319 An @dfn{anonymous} ticket is one in which the named principal is a generic
320 principal for that realm; it does not actually specify the individual
321 that will be using the ticket. This ticket is meant only to securely
322 distribute a session key. This is a new addition to the @value{PRODUCT}
323 protocol and is not yet implemented on MIT servers.
325 @node Obtaining Tickets with kinit, Viewing Your Tickets with klist, Kerberos Ticket Properties, Ticket Management
326 @subsection Obtaining Tickets with kinit
328 If your site is using the @value{PRODUCT} login program, you will get
329 Kerberos tickets automatically when you log in. If your site uses a
330 different login program, you may need to explicitly obtain your Kerberos
331 tickets, using the @code{kinit} program. Similarly, if your Kerberos
332 tickets expire, use the @code{kinit} program to obtain new ones.
335 To use the @code{kinit} program, simply type @kbd{kinit} and then type
336 your password at the prompt. For example, Jennifer (whose username is
337 @code{@value{RANDOMUSER1}}) works for Bleep, Inc. (a fictitious company
338 with the domain name @code{@value{PRIMARYDOMAIN}} and the Kerberos realm
339 @code{@value{PRIMARYREALM}}). She would type:
344 @b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type @value{RANDOMUSER1}'s password here.]}
350 If you type your password incorrectly, kinit will give you the following
356 @b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type the wrong password here.]}
357 @b{kinit: Password incorrect}
362 @noindent and you won't get Kerberos tickets.
364 @noindent Notice that @code{kinit} assumes you want tickets for your own
365 username in your default realm.
367 Suppose Jennifer's friend David is visiting, and he wants to borrow a
368 window to check his mail. David needs to get tickets for himself in his
369 own realm, @value{SECONDREALM}.@footnote{Note: the realm
370 @value{SECONDREALM} must be listed in your computer's Kerberos
371 configuration file, @code{/etc/krb5.conf}.} He would type:
375 @b{shell%} kinit @value{RANDOMUSER2}@@@value{SECONDREALM}
376 @b{Password for @value{RANDOMUSER2}@@@value{SECONDREALM}:} @i{<-- [Type @value{RANDOMUSER2}'s password here.]}
381 @noindent David would then have tickets which he could use to log onto
382 his own machine. Note that he typed his password locally on Jennifer's
383 machine, but it never went over the network. Kerberos on the local host
384 performed the authentication to the KDC in the other realm.
387 If you want to be able to forward your tickets to another host, you need
388 to request @dfn{forwardable} tickets. You do this by specifying the
394 @b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type your password here.]}
400 Note that @code{kinit} does not tell you that it obtained forwardable
401 tickets; you can verify this using the @code{klist} command
402 (@pxref{Viewing Your Tickets with klist}).
404 Normally, your tickets are good for your system's default ticket
405 lifetime, which is ten hours on many systems. You can specify a
406 different ticket lifetime with the @samp{-l} option. Add the letter
407 @samp{s} to the value for seconds, @samp{m} for minutes, @samp{h} for
408 hours, or @samp{d} for days.
410 For example, to obtain forwardable tickets for
411 @code{@value{RANDOMUSER2}@@@value{SECONDREALM}} that would be good for
412 three hours, you would type:
416 @b{shell%} kinit -f -l 3h @value{RANDOMUSER2}@@@value{SECONDREALM}
417 @b{Password for @value{RANDOMUSER2}@@@value{SECONDREALM}:} @i{<-- [Type @value{RANDOMUSER2}'s password here.]}
423 You cannot mix units; specifying a lifetime of @samp{3h30m} would result
424 in an error. Note also that most systems specify a maximum ticket
425 lifetime. If you request a longer ticket lifetime, it will be
426 automatically truncated to the maximum lifetime.
428 @node Viewing Your Tickets with klist, Destroying Your Tickets with kdestroy, Obtaining Tickets with kinit, Ticket Management
429 @subsection Viewing Your Tickets with klist
431 The @code{klist} command shows your tickets. When you first obtain
432 tickets, you will have only the ticket-granting ticket. (@xref{What is
433 a Ticket?}.) The listing would look like this:
438 Ticket cache: /tmp/krb5cc_ttypa
439 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
441 Valid starting Expires Service principal
442 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
448 The ticket cache is the location of your ticket file. In the above
449 example, this file is named @code{/tmp/krb5cc_ttypa}. The default
450 principal is your kerberos @dfn{principal}. (@pxref{What is a Kerberos
453 The ``valid starting'' and ``expires'' fields describe the period of
454 time during which the ticket is valid. The @dfn{service principal}
455 describes each ticket. The ticket-granting ticket has the primary
456 @code{krbtgt}, and the instance is the realm name.
459 Now, if @value{RANDOMUSER1} connected to the machine
460 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, and then typed
461 @kbd{klist} again, she would have gotten the following result:
466 Ticket cache: /tmp/krb5cc_ttypa
467 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
469 Valid starting Expires Service principal
470 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
471 06/07/04 20:22:30 06/08/04 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
477 Here's what happened: when @value{RANDOMUSER1} used telnet to connect
478 to the host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, the telnet
479 program presented her ticket-granting ticket to the KDC and requested a
480 host ticket for the host
481 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}. The KDC sent the host
482 ticket, which telnet then presented to the host
483 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, and she was allowed to
484 log in without typing her password.
487 Suppose your Kerberos tickets allow you to log into a host in another
488 domain, such as @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, which
489 is also in another Kerberos realm, @code{@value{SECONDREALM}}. If you
490 telnet to this host, you will receive a ticket-granting ticket for the
491 realm @code{@value{SECONDREALM}}, plus the new @code{host} ticket for
492 @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}. @kbd{klist} will now
498 Ticket cache: /tmp/krb5cc_ttypa
499 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
501 Valid starting Expires Service principal
502 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
503 06/07/04 20:22:30 06/08/04 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
504 06/07/04 20:24:18 06/08/04 05:49:19 krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}
505 06/07/04 20:24:18 06/08/04 05:49:19 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{PRIMARYREALM}
510 You can use the @code{-f} option to view the @dfn{flags} that apply to
511 your tickets. The flags are:
533 @b{H}ardware authenticated
537 @b{T}ransit policy checked
545 Here is a sample listing. In this example, the user @value{RANDOMUSER1}
546 obtained her initial tickets (@samp{I}), which are forwardable
547 (@samp{F}) and postdated (@samp{d}) but not yet validated (@samp{i}).
548 (@xref{kinit Reference}, for more information about postdated tickets.)
553 @b{Ticket cache: /tmp/krb5cc_320
554 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
556 Valid starting Expires Service principal
557 31/07/05 19:06:25 31/07/05 19:16:25 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
564 In the following example, the user @value{RANDOMUSER2}'s tickets were
565 forwarded (@samp{f}) to this host from another host. The tickets are
566 reforwardable (@samp{F}).
571 @b{Ticket cache: /tmp/krb5cc_p11795
572 Default principal: @value{RANDOMUSER2}@@@value{SECONDREALM}
574 Valid starting Expires Service principal
575 07/31/05 11:52:29 07/31/05 21:11:23 krbtgt/@value{SECONDREALM}@@@value{SECONDREALM}
577 07/31/05 12:03:48 07/31/05 21:11:23 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{SECONDREALM}
583 @node Destroying Your Tickets with kdestroy, , Viewing Your Tickets with klist, Ticket Management
584 @subsection Destroying Your Tickets with kdestroy
586 Your Kerberos tickets are proof that you are indeed yourself, and
587 tickets can be stolen. If this happens, the person who has them can
588 masquerade as you until they expire. For this reason, you should
589 destroy your Kerberos tickets when you are away from your computer.
592 Destroying your tickets is easy. Simply type @kbd{kdestroy}.
602 If @code{kdestroy} fails to destroy your tickets, it will beep and give
603 an error message. For example, if @code{kdestroy} can't find any
604 tickets to destroy, it will give the following message:
609 @b{kdestroy: No credentials cache file found while destroying cache
614 @node Password Management, Kerberos V5 Applications, Ticket Management, Kerberos V5 Tutorial
615 @section Password Management
617 Your password is the only way Kerberos has of verifying your identity.
618 If someone finds out your password, that person can masquerade as
619 you---send email that comes from you, read, edit, or delete your files,
620 or log into other hosts as you---and no one will be able to tell the
621 difference. For this reason, it is important that you choose a good
622 password (@pxref{Password Advice}), and keep it secret. If you need to
623 give access to your account to someone else, you can do so through
624 Kerberos. (@xref{Granting Access to Your Account}.) You should
625 @i{never} tell your password to anyone, including your system
626 administrator, for any reason. You should change your password
627 frequently, particularly any time you think someone may have found out
631 * Changing Your Password::
633 * Granting Access to Your Account::
636 @node Changing Your Password, Password Advice, Password Management, Password Management
637 @subsection Changing Your Password
640 To change your Kerberos password, use the @code{kpasswd} command. It
641 will ask you for your old password (to prevent someone else from walking
642 up to your computer when you're not there and changing your password),
643 and then prompt you for the new one twice. (The reason you have to type
644 it twice is to make sure you have typed it correctly.) For example,
645 user @code{@value{RANDOMUSER2}} would do the following:
650 @b{Password for @value{RANDOMUSER2}:} @i{<- Type your old password.}
651 @b{Enter new password:} @i{<- Type your new password.}
652 @b{Enter it again:} @i{<- Type the new password again.}
653 @b{Password changed.}
659 If @value{RANDOMUSER2} typed the incorrect old password, he would get
660 the following message:
665 @b{Password for @value{RANDOMUSER2}:} @i{<- Type the incorrect old password.}
666 @b{kpasswd: Password incorrect while getting initial ticket
672 If you make a mistake and don't type the new password the same way
673 twice, @code{kpasswd} will ask you to try again:
678 @b{Password for @value{RANDOMUSER2}:} @i{<- Type the old password.}
679 @b{Enter new password:} @i{<- Type the new password.}
680 @b{Enter it again:} @i{<- Type a different new password.}
681 @b{kpasswd: Password mismatch while reading password
686 Once you change your password, it takes some time for the change to
687 propagate through the system. Depending on how your system is set up,
688 this might be anywhere from a few minutes to an hour or more. If you
689 need to get new Kerberos tickets shortly after changing your password,
690 try the new password. If the new password doesn't work, try again using
693 @node Password Advice, Granting Access to Your Account, Changing Your Password, Password Management
694 @subsection Password Advice
696 Your password can include almost any character you can type (except
697 control keys and the ``enter'' key). A good password is one you can
698 remember, but that no one else can easily guess. Examples of @i{bad}
699 passwords are words that can be found in a dictionary, any common or
700 popular name, especially a famous person (or cartoon character), your
701 name or username in any form (@i{e.g.}, forward, backward, repeated
702 twice, @i{etc.}), your spouse's, child's, or pet's name, your birth
703 date, your social security number, and any sample password that appears
704 in this (or any other) manual.
707 @value{COMPANY} recommends that your password be at least 6 characters
708 long, and contain UPPER- and lower-case letters, numbers, and/or
709 punctuation marks. Some passwords that would be good if they weren't
710 listed in this manual include:
713 @item some initials, like ``GykoR-66.'' for ``Get your kicks on Route
716 @item an easy-to-pronounce nonsense word, like ``slaRooBey'' or
719 @item a misspelled phrase, like ``2HotPeetzas!'' or ``ItzAGurl!!!''
722 @noindent Note: don't actually use any of the above passwords. They're
723 only meant to show you how to make up a good password. Passwords that
724 appear in a manual are the first ones intruders will try.
727 @value{PRODUCT} allows your system administrators to automatically
728 reject bad passwords, based on certain criteria, such as a password
729 dictionary or a minimum length. For example, if the user
730 @code{@value{RANDOMUSER1}}, who had a policy "strict" that required a
731 minimum of 8 characaters, chose a password that was less than 8
732 characters, Kerberos would give an error message like the following:
737 @b{Password for @value{RANDOMUSER1}:} @i{<- Type your old password here.}
739 @value{RANDOMUSER1}'s password is controlled by the policy strict, which
740 requires a minimum of 8 characters from at least 3 classes (the five classes
741 are lowercase, uppercase, numbers, punctuation, and all other characters).
743 @b{Enter new password:} @i{<- Type an insecure new password.}
744 @b{Enter it again:} @i{<- Type it again.}
746 kpasswd: Password is too short while attempting to change password.
747 Please choose another password.
749 @b{Enter new password:} @i{<- Type a good password here.}
750 @b{Enter it again:} @i{<- Type it again.}
756 @noindent Your system administrators can choose the message that is
757 displayed if you choose a bad password, so the message you see may be
758 different from the above example.
760 @node Granting Access to Your Account, , Password Advice, Password Management
761 @subsection Granting Access to Your Account
764 If you need to give someone access to log into your account, you can do
765 so through Kerberos, without telling the person your password. Simply
766 create a file called @code{.k5login} in your home directory. This file
767 should contain the Kerberos principal (@xref{What is a Kerberos
768 Principal?}.) of each person to whom you wish to give access. Each
769 principal must be on a separate line. Here is a sample @code{.k5login}
774 @value{RANDOMUSER1}@@@value{PRIMARYREALM}
775 @value{RANDOMUSER2}@@@value{SECONDREALM}
779 @noindent This file would allow the users @code{@value{RANDOMUSER1}} and
780 @code{@value{RANDOMUSER2}} to use your user ID, provided that they had
781 Kerberos tickets in their respective realms. If you will be logging
782 into other hosts across a network, you will want to include your own
783 Kerberos principal in your @code{.k5login} file on each of these hosts.
786 Using a @code{.k5login} file is much safer than giving out your
790 @item You can take access away any time simply by removing the principal
791 from your @code{.k5login} file.
793 @item Although the user has full access to your account on one
794 particular host (or set of hosts if your @code{.k5login} file is shared,
795 @i{e.g.}, over NFS), that user does not inherit your network privileges.
797 @item Kerberos keeps a log of who obtains tickets, so a system
798 administrator could find out, if necessary, who was capable of using
799 your user ID at a particular time.
802 One common application is to have a @code{.k5login} file in
803 @code{root}'s home directory, giving root access to that machine to the
804 Kerberos principals listed. This allows system administrators to allow
805 users to become root locally, or to log in remotely as @code{root},
806 without their having to give out the root password, and without anyone
807 having to type the root password over the network.
809 @node Kerberos V5 Applications, , Password Management, Kerberos V5 Tutorial
810 @section Kerberos V5 Applications
812 @value{PRODUCT} is a @dfn{single-sign-on} system. This means that you
813 only have to type your password once, and the @value{PRODUCT} programs
814 do the authenticating (and optionally encrypting) for you. The way this
815 works is that Kerberos has been built into each of a suite of network
816 programs. For example, when you use a @value{PRODUCT} program to
817 connect to a remote host, the program, the KDC, and the remote host
818 perform a set of rapid negotiations. When these negotiations are
819 completed, your program has proven your identity on your behalf to the
820 remote host, and the remote host has granted you access, all in the
821 space of a few seconds.
823 The @value{PRODUCT} applications are versions of existing UNIX network
824 programs with the Kerberos features added.
827 * Overview of Additional Features::
836 @node Overview of Additional Features, telnet, Kerberos V5 Applications, Kerberos V5 Applications
837 @subsection Overview of Additional Features
839 The @value{PRODUCT} @dfn{network programs} are those programs that
840 connect to another host somewhere on the internet. These programs
841 include @code{rlogin}, @code{telnet}, @code{ftp}, @code{rsh},
842 @code{rcp}, and @code{ksu}. These programs have all of the original
843 features of the corresponding non-Kerberos @code{rlogin}, @code{telnet},
844 @code{ftp}, @code{rsh}, @code{rcp}, and @code{su} programs, plus
845 additional features that transparently use your Kerberos tickets for
846 negotiating authentication and optional encryption with the remote host.
847 In most cases, all you'll notice is that you no longer have to type your
848 password, because Kerberos has already proven your identity.
850 The @value{PRODUCT} network programs allow you the options of forwarding
851 your tickets to the remote host (if you obtained forwardable tickets
852 with the @code{kinit} program; @pxref{Obtaining Tickets with kinit}), and
853 encrypting data transmitted between you and the remote host.
855 This section of the tutorial assumes you are familiar with the
856 non-Kerberos versions of these programs, and highlights the Kerberos
857 functions added in the @value{PRODUCT} package.
859 @node telnet, rlogin, Overview of Additional Features, Kerberos V5 Applications
862 The @value{PRODUCT} @code{telnet} command works exactly like the
863 standard UNIX telnet program, with the following Kerberos options added:
867 forwards a copy of your tickets to the remote host.
870 forwards a copy of your tickets to the remote host, and marks them
871 re-forwardable from the remote host.
874 requests tickets for the remote host in the specified realm, instead of
875 determining the realm itself.
878 uses your tickets to authenticate to the remote host, but does not log
882 attempt automatic login using your tickets. @code{telnet} will assume
883 the same username unless you explicitly specify another.
891 For example, if @code{@value{RANDOMUSER2}} wanted to use the standard
892 UNIX telnet to connect to the machine
893 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, he would type:
897 @b{shell%} telnet @value{RANDOMHOST1}.@value{SECONDDOMAIN}
898 @b{Trying 128.0.0.5 ...
899 Connected to @value{RANDOMHOST1}.@value{SECONDDOMAIN}.
900 Escape character is '^]'.
902 NetBSD/i386 (daffodil) (ttyp3)
904 login:} @value{RANDOMUSER2}
905 @b{Password:} @i{<- @value{RANDOMUSER2} types his password here}
906 @b{Last login: Fri Jun 21 17:13:11 from @value{RANDOMHOST2}.@value{PRIMARYDOMAIN}
907 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
908 The Regents of the University of California. All rights reserved.
910 NetBSD 1.1: Tue May 21 00:31:42 EDT 1996
917 @noindent Note that the machine
918 @code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}} asked for
919 @code{@value{RANDOMUSER2}}'s password. When he typed it, his password
920 was sent over the network unencrypted. If an intruder were watching
921 network traffic at the time, that intruder would know
922 @code{@value{RANDOMUSER2}}'s password.
925 If, on the other hand, @code{@value{RANDOMUSER1}} wanted to use the
926 @value{PRODUCT} telnet to connect to the machine
927 @code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}}, she could forward a
928 copy of her tickets, request an encrypted session, and log on as herself
933 @b{shell%} telnet -a -f -x @value{RANDOMHOST2}.@value{PRIMARYDOMAIN}
934 @b{Trying 128.0.0.5...
935 Connected to @value{RANDOMHOST2}.@value{PRIMARYDOMAIN}.
936 Escape character is '^]'.
937 [ Kerberos V5 accepts you as ``@value{RANDOMUSER1}@@@value{PRIMARYDOMAIN}'' ]
938 [ Kerberos V5 accepted forwarded credentials ]
939 What you type is protected by encryption.
940 Last login: Tue Jul 30 18:47:44 from @value{RANDOMHOST1}.@value{SECONDDOMAIN}
941 Athena Server (sun4) Version 9.1.11 Tue Jul 30 14:40:08 EDT 2002
947 @noindent Note that @code{@value{RANDOMUSER1}}'s machine used Kerberos
948 to authenticate her to @code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}},
949 and logged her in automatically as herself. She had an encrypted
950 session, a copy of her tickets already waiting for her, and she never
953 If you forwarded your Kerberos tickets, @code{telnet} automatically
954 destroys them when it exits. The full set of options to @value{PRODUCT}
955 @code{telnet} are discussed in the Reference section of this manual.
956 (@pxref{telnet Reference})
959 @node rlogin, FTP, telnet, Kerberos V5 Applications
963 The @value{PRODUCT} @code{rlogin} command works exactly like the
964 standard UNIX rlogin program, with the following Kerberos options added:
968 forwards a copy of your tickets to the remote host.
971 forwards a copy of your tickets to the remote host, and marks them
972 re-forwardable from the remote host.
975 requests tickets for the remote host in the specified realm, instead of
976 determining the realm itself.
979 encrypts the input and output data streams (the username is sent unencrypted)
984 For example, if @code{@value{RANDOMUSER2}} wanted to use the standard
985 UNIX rlogin to connect to the machine
986 @code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}}, he would type:
990 @b{shell%} rlogin @value{RANDOMHOST1}.@value{SECONDDOMAIN} -l @value{RANDOMUSER2}
991 @b{Password:} @i{<- @value{RANDOMUSER2} types his password here}
992 @b{Last login: Fri Jun 21 10:36:32 from :0.0
993 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
994 The Regents of the University of California. All rights reserved.
996 NetBSD 1.1: Tue May 21 00:31:42 EDT 1996
1003 @noindent Note that the machine
1004 @code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}} asked for
1005 @code{@value{RANDOMUSER2}}'s password. When he typed it, his password
1006 was sent over the network unencrypted. If an intruder were watching
1007 network traffic at the time, that intruder would know
1008 @code{@value{RANDOMUSER2}}'s password.
1011 If, on the other hand, @code{@value{RANDOMUSER1}} wanted to use
1012 @value{PRODUCT} rlogin to connect to the machine
1013 @code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}}, she could forward a
1014 copy of her tickets, mark them as not forwardable from the remote host,
1015 and request an encrypted session as follows:
1019 @b{shell%} rlogin @value{RANDOMHOST2}.@value{PRIMARYDOMAIN} -f -x
1020 @b{This rlogin session is using DES encryption for all data transmissions.
1021 Last login: Thu Jun 20 16:20:50 from @value{RANDOMHOST1}
1022 Athena Server (sun4) Version 9.1.11 Tue Jul 30 14:40:08 EDT 2002
1027 @noindent Note that @code{@value{RANDOMUSER1}}'s machine used Kerberos
1028 to authenticate her to @code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}},
1029 and logged her in automatically as herself. She had an encrypted
1030 session, a copy of her tickets were waiting for her, and she never typed
1033 If you forwarded your Kerberos tickets, @code{rlogin} automatically
1034 destroys them when it exits. The full set of options to @value{PRODUCT}
1035 @code{rlogin} are discussed in the Reference section of this manual.
1036 (@pxref{rlogin Reference})
1038 @node FTP, rsh, rlogin, Kerberos V5 Applications
1042 The @value{PRODUCT} @code{FTP} program works exactly like the standard
1043 UNIX FTP program, with the following Kerberos features added:
1047 requests tickets for the remote host in the specified realm, instead of
1048 determining the realm itself.
1051 requests that your tickets be forwarded to the remote host. The
1052 @kbd{-f} argument must be the last argument on the command line.
1054 @itemx protect @i{level}
1055 (issued at the @code{ftp>} prompt) sets the protection level. ``Clear''
1056 is no protection; ``safe'' ensures data integrity by verifying the
1057 checksum, and ``private'' encrypts the data. Encryption also ensures
1062 For example, suppose @code{@value{RANDOMUSER1}} wants to get her
1063 @code{RMAIL} file from the directory @code{~@value{RANDOMUSER1}/Mail},
1064 on the host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}. She wants
1065 to encrypt the file transfer. The exchange would look like the
1070 @b{shell%} ftp @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}
1071 Connected to @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}.
1072 220 @value{RANDOMHOST1}.@value{PRIMARYDOMAIN} FTP server (Version 5.60) ready.
1073 334 Using authentication type GSSAPI; ADAT must follow
1074 GSSAPI accepted as authentication type
1075 GSSAPI authentication succeeded
1076 200 Data channel protection level set to private.
1077 Name (@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}:@value{RANDOMUSER1}):
1078 232 GSSAPI user @value{RANDOMUSER1}@@@value{PRIMARYREALM} is authorized as @value{RANDOMUSER1}
1079 230 User @value{RANDOMUSER1} logged in.
1080 Remote system type is UNIX.
1081 Using binary mode to transfer files.
1082 ftp> protect private
1083 200 Protection level set to Private.
1084 ftp> cd ~@value{RANDOMUSER1}/MAIL
1085 250 CWD command successful.
1087 227 Entering Passive Mode (128,0,0,5,16,49)
1088 150 Opening BINARY mode data connection for RMAIL (361662 bytes).
1089 226 Transfer complete.
1090 361662 bytes received in 2.5 seconds (1.4e+02 Kbytes/s)
1096 The full set of options to @value{PRODUCT} @code{FTP} are discussed
1097 in the Reference section of this manual. (@pxref{FTP Reference})
1099 @node rsh, rcp, FTP, Kerberos V5 Applications
1102 The @value{PRODUCT} @code{rsh} program works exactly like the standard
1103 UNIX rlogin program, with the following Kerberos features added:
1107 forwards a copy of your tickets to the remote host.
1110 forwards a copy of your tickets to the remote host, and marks them
1111 re-forwardable from the remote host.
1114 requests tickets for the remote host in the specified realm, instead of
1115 determining the realm itself.
1118 encrypts the input and output data streams (the command line is not encrypted)
1123 For example, if your Kerberos tickets allowed you to run programs on the
1124 host @* @code{@value{RANDOMHOST2}@@@value{SECONDDOMAIN}} as root, you could
1125 run the @samp{date} program as follows:
1129 @b{shell%} rsh @value{RANDOMHOST2}.@value{SECONDDOMAIN} -l root -x date
1130 @b{This rsh session is using DES encryption for all data transmissions.
1131 Tue Jul 30 19:34:21 EDT 2002
1136 If you forwarded your Kerberos tickets, @code{rsh} automatically
1137 destroys them when it exits. The full set of options to @value{PRODUCT}
1138 @code{rsh} are discussed in the Reference section of this manual.
1139 (@pxref{rsh Reference})
1141 @node rcp, ksu, rsh, Kerberos V5 Applications
1145 The @value{PRODUCT} @code{rcp} program works exactly like the standard
1146 UNIX rcp program, with the following Kerberos features added:
1150 requests tickets for the remote host in the specified realm, instead of
1151 determining the realm itself.
1154 turns on encryption.
1159 For example, if you wanted to copy the file @code{/etc/motd} from the
1160 host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} into the current
1161 directory, via an encrypted connection, you would simply type:
1164 @b{shell%} rcp -x @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}:/etc/motd .
1167 The @kbd{rcp} program negotiates authentication and encryption
1168 transparently. The full set of options to @value{PRODUCT} @code{rcp}
1169 are discussed in the Reference section of this manual. (@pxref{rcp
1172 @node ksu, , rcp, Kerberos V5 Applications
1175 The @value{PRODUCT} @code{ksu} program replaces the standard UNIX su
1176 program. @code{ksu} first authenticates you to Kerberos. Depending on
1177 the configuration of your system, @code{ksu} may ask for your Kerberos
1178 password if authentication fails. @emph{Note that you should never type
1179 your password if you are remotely logged in using an unencrypted
1182 Once @code{ksu} has authenticated you, if your Kerberos principal
1183 appears in the target's @code{.k5login} file (@pxref{Granting Access to
1184 Your Account}) or in the target's @code{.k5users} file (see below), it
1185 switches your user ID to the target user ID.
1188 For example, @code{@value{RANDOMUSER2}} has put
1189 @code{@value{RANDOMUSER1}}'s Kerberos principal in his @code{.k5login}
1190 file. If @code{@value{RANDOMUSER1}} uses @code{ksu} to become
1191 @code{@value{RANDOMUSER2}}, the exchange would look like this. (To
1192 differentiate between the two shells, @code{@value{RANDOMUSER1}}'s
1193 prompt is represented as @code{@value{RANDOMUSER1}%} and
1194 @code{@value{RANDOMUSER2}}'s prompt is represented as
1195 @code{@value{RANDOMUSER2}%}.)
1199 @b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2}
1200 @b{Account @value{RANDOMUSER2}: authorization for @value{RANDOMUSER1}@@@value{PRIMARYREALM} successful
1201 Changing uid to @value{RANDOMUSER2} (3382)
1202 @value{RANDOMUSER2}%}
1207 Note that the new shell has a copy of @code{@value{RANDOMUSER1}}'s
1208 tickets. The ticket filename contains @code{@value{RANDOMUSER2}}'s UID
1209 with @samp{.1} appended to it:
1213 @b{@value{RANDOMUSER2}%} klist
1214 @b{Ticket cache: /tmp/krb5cc_3382.1
1215 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
1217 Valid starting Expires Service principal
1218 07/31/04 21:53:01 08/01/04 07:52:53 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
1219 07/31/04 21:53:39 08/01/04 07:52:53 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
1220 @value{RANDOMUSER2}%}
1225 If @code{@value{RANDOMUSER1}} had not appeared in
1226 @code{@value{RANDOMUSER2}}'s @code{.k5login} file (and the system was
1227 configured to ask for a password), the exchange would have looked like
1228 this (assuming @code{@value{RANDOMUSER2}} has taken appropriate
1229 precautions in protecting his password):
1233 @b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2}
1234 @b{WARNING: Your password may be exposed if you enter it here and are logged
1235 in remotely using an unsecure (non-encrypted) channel.
1236 Kerberos password for @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{<- @code{@value{RANDOMUSER1}} types the wrong password here.}
1237 @b{ksu: Password incorrect
1238 Authentication failed.
1239 @value{RANDOMUSER1}%}
1243 Now, suppose @code{@value{RANDOMUSER2}} did not want to give
1244 @code{@value{RANDOMUSER1}} full access to his account, but wanted to
1245 give her permission to list his files and use the "more" command to view
1246 them. He could create a @code{.k5users} file giving her permission to
1247 run only those specific commands.
1250 The @code{.k5users} file is like the @code{.k5login} file, except that
1251 each principal is optionally followed by a list of commands. @code{ksu}
1252 will let those principals execute only the commands listed, using the
1253 @kbd{-e} option. @code{@value{RANDOMUSER2}}'s @code{.k5users} file
1254 might look like the following:
1258 @value{RANDOMUSER1}@@@value{PRIMARYREALM} /bin/ls /usr/bin/more
1259 @value{ADMINUSER}@@@value{PRIMARYREALM} /bin/ls
1260 @value{ADMINUSER}/admin@@@value{PRIMARYREALM} *
1261 @value{RANDOMUSER2}@@@value{SECONDREALM}
1265 @noindent The above @code{.k5users} file would let
1266 @code{@value{RANDOMUSER1}} run only the commands @code{/bin/ls} and
1267 @code{/usr/bin/more}. It would let @code{@value{ADMINUSER}} run only
1268 the command @code{/bin/ls} if he had regular tickets, but if he had
1269 tickets for his @code{admin} instance,
1270 @code{@value{ADMINUSER}/admin@@@value{PRIMARYREALM}}, he would be able
1271 to execute any command. The last line gives @code{@value{RANDOMUSER2}}
1272 in the realm @value{SECONDREALM} permission to execute any command.
1273 (@i{I.e.}, having only a Kerberos principal on a line is equivalent to
1274 giving that principal permission to execute @code{*}.) This is so that
1275 @value{RANDOMUSER2} can allow himself to execute commands when he logs
1276 in, using Kerberos, from a machine in the realm @value{SECONDREALM}.
1279 Then, when @code{@value{RANDOMUSER1}} wanted to list his home directory,
1284 @b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2} -e ls ~@value{RANDOMUSER2}
1285 @b{Authenticated @value{RANDOMUSER1}@@@value{PRIMARYREALM}
1286 Account @value{RANDOMUSER2}: authorization for @value{RANDOMUSER1}@@@value{PRIMARYREALM} for execution of
1288 Changing uid to @value{RANDOMUSER2} (3382)
1289 Mail News Personal misc bin
1290 @value{RANDOMUSER1}%}
1294 @noindent If @code{@value{RANDOMUSER1}} had tried to give a different
1295 command to @code{ksu}, it would have prompted for a password as with the
1298 Note that unless the @code{.k5users} file gives the target permission to
1299 run any command, the user must use @code{ksu} with the @kbd{-e}
1303 The @code{ksu} options you are most likely to use are:
1306 @itemx -n @i{principal}
1307 specifies which Kerberos principal you want to use for @code{ksu}.
1308 (@i{e.g.}, the user @code{@value{ADMINUSER}} might want to use his
1309 @code{admin} instance. @xref{What is a Ticket?}.)
1312 specifies the location of your Kerberos credentials cache (ticket file).
1315 tells @code{ksu} not to destroy your Kerberos tickets when @code{ksu} is
1319 requests forwardable tickets. (@xref{Obtaining Tickets with kinit}.) This
1320 is only applicable if @code{ksu} needs to obtain tickets.
1322 @itemx -l @i{lifetime}
1323 sets the ticket lifetime. (@xref{Obtaining Tickets with kinit}.) This is
1324 only applicable if @code{ksu} needs to obtain tickets.
1327 tells @code{ksu} to copy your Kerberos tickets only if the UID you are
1328 switching is the same as the Kerberos primary (either yours or the one
1329 specified by the @kbd{-n} option).
1332 tells @code{ksu} not to copy any Kerberos tickets to the new UID.
1334 @itemx -e @i{command}
1335 tells @code{ksu} to execute @i{command} and then exit. See the
1336 description of the @code{.k5users} file above.
1339 (at the end of the command line) tells @code{ksu} to pass everything
1340 after @samp{-a} to the target shell.
1343 The full set of options to @value{PRODUCT} @code{ksu} are discussed
1344 in the Reference section of this manual. (@pxref{ksu Reference})
1346 @node Kerberos V5 Reference, Kerberos Glossary, Kerberos V5 Tutorial, Top
1347 @chapter Kerberos V5 Reference
1349 This section will include copies of the manual pages for the
1350 @value{PRODUCT} client programs. You can read the manual entry for any
1351 command by typing @code{man} @i{command}, where @i{command} is the name
1352 of the command for which you want to read the manual entry. For
1353 example, to read the @code{kinit} manual entry, you would type:
1356 @b{shell%} man kinit
1359 Note: To be able to view the @value{PRODUCT} manual pages on line, you
1360 may need to add the directory @code{@value{ROOTDIR}/man} to your MANPATH
1361 environment variable. (Remember to replace @code{@value{ROOTDIR}} with
1362 the top-level directory in which @value{PRODUCT} is installed.) For
1363 example, if you had the the following line in your @code{.login}
1364 file@footnote{The MANPATH variable may be specified in a different
1365 initialization file, depending on your operating system. Some of the
1366 files in which you might specify environment variables include
1367 @code{.login}, @code{.profile}, or @code{.cshrc}.}:
1370 setenv MANPATH /usr/local/man:/usr/man
1374 and the @value{PRODUCT} man pages were in the directory
1375 @code{/usr/@value{LCPRODUCT}/man}, you would change the line to the following:
1378 setenv MANPATH /usr/@value{LCPRODUCT}/man:/usr/local/man:/usr/man
1382 Note to info users: the manual pages are not available within this info
1383 tree. You can read them from emacs with the command:
1386 M-x manual-entry @emph{command}
1396 * kdestroy Reference::
1397 * kpasswd Reference::
1398 * telnet Reference::
1400 * rlogin Reference::
1405 @node kinit Reference, klist Reference, Kerberos V5 Reference, Kerberos V5 Reference
1406 @section kinit Reference
1409 @special{psfile=kinit1.ps voffset=-700 hoffset=-40}
1410 @centerline{Reference Manual for @code{kinit}}
1413 @special{psfile=kinit2.ps voffset=-700 hoffset=-40}
1414 @centerline{Reference Manual for @code{kinit}}
1419 Type @kbd{M-x manual-entry kinit} to read this manual page.
1424 <a href="kinit.html"> kinit manpage</a>
1428 @node klist Reference, ksu Reference, kinit Reference, Kerberos V5 Reference
1429 @section klist Reference
1432 @special{psfile=klist1.ps voffset=-700 hoffset=-40}
1433 @centerline{Reference Manual for @code{klist}}
1438 @special{psfile=klist2.ps voffset=-700 hoffset=-40}
1439 @centerline{Reference Manual for @code{klist}}
1444 Type @kbd{M-x manual-entry klist} to read this manual page.
1449 <a href="klist.html"> klist manpage</a>
1453 @node ksu Reference, kdestroy Reference, klist Reference, Kerberos V5 Reference
1454 @section ksu Reference
1457 @special{psfile=ksu1.ps voffset=-700 hoffset=-40}
1458 @centerline{Reference Manual for @code{ksu}}
1461 @special{psfile=ksu2.ps voffset=-700 hoffset=-40}
1462 @centerline{Reference Manual for @code{ksu}}
1465 @special{psfile=ksu3.ps voffset=-700 hoffset=-40}
1466 @centerline{Reference Manual for @code{ksu}}
1469 @special{psfile=ksu4.ps voffset=-700 hoffset=-40}
1470 @centerline{Reference Manual for @code{ksu}}
1473 @special{psfile=ksu5.ps voffset=-700 hoffset=-40}
1474 @centerline{Reference Manual for @code{ksu}}
1479 Type @kbd{M-x manual-entry ksu} to read this manual page.
1484 <a href="ksu.html"> ksu manpage</a>
1488 @node kdestroy Reference, kpasswd Reference, ksu Reference, Kerberos V5 Reference
1489 @section kdestroy Reference
1492 @special{psfile=kdestroy1.ps voffset=-700 hoffset=-60}
1493 @centerline{Reference Manual for @code{kdestroy}}
1498 Type @kbd{M-x manual-entry kdestroy} to read this manual page.
1503 <a href="kdestroy.html"> kdestroy manpage</a>
1507 @node kpasswd Reference, telnet Reference, kdestroy Reference, Kerberos V5 Reference
1508 @section kpasswd Reference
1511 @special{psfile=kpasswd1.ps voffset=-700 hoffset=-40}
1512 @centerline{Reference Manual for @code{kpasswd}}
1517 Type @kbd{M-x manual-entry kpasswd} to read this manual page.
1522 <a href="kpasswd.html"> kpasswd manpage</a>
1526 @node telnet Reference, FTP Reference, kpasswd Reference, Kerberos V5 Reference
1527 @section telnet Reference
1530 @special{psfile=telnet1.ps voffset=-700 hoffset=-40}
1531 @centerline{Reference Manual for @code{telnet}}
1534 @special{psfile=telnet2.ps voffset=-700 hoffset=-40}
1535 @centerline{Reference Manual for @code{telnet}}
1538 @special{psfile=telnet3.ps voffset=-700 hoffset=-40}
1539 @centerline{Reference Manual for @code{telnet}}
1542 @special{psfile=telnet4.ps voffset=-700 hoffset=-40}
1543 @centerline{Reference Manual for @code{telnet}}
1546 @special{psfile=telnet5.ps voffset=-700 hoffset=-40}
1547 @centerline{Reference Manual for @code{telnet}}
1550 @special{psfile=telnet6.ps voffset=-700 hoffset=-40}
1551 @centerline{Reference Manual for @code{telnet}}
1554 @special{psfile=telnet7.ps voffset=-700 hoffset=-40}
1555 @centerline{Reference Manual for @code{telnet}}
1558 @special{psfile=telnet8.ps voffset=-700 hoffset=-40}
1559 @centerline{Reference Manual for @code{telnet}}
1562 @special{psfile=telnet9.ps voffset=-700 hoffset=-40}
1563 @centerline{Reference Manual for @code{telnet}}
1568 Type @kbd{M-x manual-entry telnet} to read this manual page.
1573 <a href="telnet.html"> telnet manpage</a>
1577 @node FTP Reference, rlogin Reference, telnet Reference, Kerberos V5 Reference
1578 @section FTP Reference
1581 @special{psfile=ftp1.ps voffset=-700 hoffset=-40}
1582 @centerline{Reference Manual for @code{FTP}}
1585 @special{psfile=ftp2.ps voffset=-700 hoffset=-40}
1586 @centerline{Reference Manual for @code{FTP}}
1589 @special{psfile=ftp3.ps voffset=-700 hoffset=-40}
1590 @centerline{Reference Manual for @code{FTP}}
1593 @special{psfile=ftp4.ps voffset=-700 hoffset=-40}
1594 @centerline{Reference Manual for @code{FTP}}
1597 @special{psfile=ftp5.ps voffset=-700 hoffset=-40}
1598 @centerline{Reference Manual for @code{FTP}}
1601 @special{psfile=ftp6.ps voffset=-700 hoffset=-40}
1602 @centerline{Reference Manual for @code{FTP}}
1605 @special{psfile=ftp7.ps voffset=-700 hoffset=-40}
1606 @centerline{Reference Manual for @code{FTP}}
1609 @special{psfile=ftp8.ps voffset=-700 hoffset=-40}
1610 @centerline{Reference Manual for @code{FTP}}
1613 @special{psfile=ftp9.ps voffset=-700 hoffset=-40}
1614 @centerline{Reference Manual for @code{FTP}}
1619 Type @kbd{M-x manual-entry FTP} to read this manual page.
1624 <a href="ftp.html"> ftp manpage</a>
1628 @node rlogin Reference, rsh Reference, FTP Reference, Kerberos V5 Reference
1629 @section rlogin Reference
1632 @special{psfile=rlogin1.ps voffset=-700 hoffset=-40}
1633 @centerline{Reference Manual for @code{rlogin}}
1636 @special{psfile=rlogin2.ps voffset=-700 hoffset=-40}
1637 @centerline{Reference Manual for @code{rlogin}}
1642 Type @kbd{M-x manual-entry rlogin} to read this manual page.
1647 <a href="rlogin.html"> rlogin manpage</a>
1651 @node rsh Reference, rcp Reference, rlogin Reference, Kerberos V5 Reference
1652 @section rsh Reference
1655 @special{psfile=rsh1.ps voffset=-700 hoffset=-40}
1656 @centerline{Reference Manual for @code{rsh}}
1659 @special{psfile=rsh2.ps voffset=-700 hoffset=-40}
1660 @centerline{Reference Manual for @code{rsh}}
1665 Type @kbd{M-x manual-entry rsh} to read this manual page.
1670 <a href="rsh.html"> rsh manpage</a>
1674 @node rcp Reference, , rsh Reference, Kerberos V5 Reference
1675 @section rcp Reference
1678 @special{psfile=rcp1.ps voffset=-700 hoffset=-40}
1679 @centerline{Reference Manual for @code{rcp}}
1684 @special{psfile=rcp2.ps voffset=-700 hoffset=-40}
1685 @centerline{Reference Manual for @code{rcp}}
1690 Type @kbd{M-x manual-entry rcp} to read this manual page.
1695 <a href="rcp.html"> rcp manpage</a>
1699 @node Kerberos Glossary, , Kerberos V5 Reference, Top
1700 @appendix Kerberos Glossary
1702 @include glossary.texinfo