1 \input texinfo @c -*-texinfo-*-
4 @setfilename krb5-user.info
5 @settitle Kerberos V5 UNIX User's Guide
6 @setchapternewpage odd @c chapter begins on next odd page
7 @c @setchapternewpage on @c chapter begins on next page
8 @c @smallbook @c Format for 7" X 9.25" paper
16 @include definitions.texinfo
19 @finalout @c don't print black warning boxes
22 @title @value{PRODUCT} UNIX User's Guide
23 @subtitle Release: @value{RELEASE}
24 @subtitle Document Edition: @value{EDITION}
25 @subtitle Last updated: @value{UPDATED}
26 @author @value{COMPANY}
29 @vskip 0pt plus 1filll
33 @comment node-name, next, previous, up
34 @node Top, Copyright, (dir), (dir)
37 This file describes how to use the @value{PRODUCT} client programs.
40 @c The master menu is updated using emacs19's M-x texinfo-all-menus-update
41 @c function. Don't forget to run M-x texinfo-every-node-update after
42 @c you add a new section or subsection, or after you've rearranged the
43 @c comand before each @section or @subsection! All you need to enter
46 @c @section New Section Name
48 @c M-x texinfo-every-node-update will take care of calculating the
49 @c node's forward and back pointers.
51 @c ---------------------------------------------------------------------
56 * Kerberos V5 Tutorial::
57 * Kerberos V5 Reference::
61 @node Copyright, Introduction, Top, Top
64 @include copyright.texinfo
66 @node Introduction, Kerberos V5 Tutorial, Copyright, Top
70 @value{PRODUCT} is based on the Kerberos V5 authentication system
74 Kerberos V5 is an authentication system developed at MIT.
76 Kerberos is named for the three-headed watchdog from Greek mythology,
77 who guarded the entrance to the underworld.
79 Under Kerberos, a client (generally either a user or a service) sends a
80 request for a ticket to the @i{Key Distribution Center} (KDC). The KDC
81 creates a @dfn{ticket-granting ticket} (TGT) for the client, encrypts it
82 using the client's password as the key, and sends the encrypted TGT back
83 to the client. The client then attempts to decrypt the TGT, using its
84 password. If the client successfully decrypts the TGT (@i{i.e.}, if the
85 client gave the correct password), it keeps the decrypted TGT, which
86 indicates proof of the client's identity.
88 The TGT, which expires at a specified time, permits the client to obtain
89 additional tickets, which give permission for specific services. The
90 requesting and granting of these additional tickets is user-transparent.
92 Since Kerberos negotiates authenticated, and optionally encrypted,
93 communications between two points anywhere on the internet, it provides
94 a layer of security that is not dependent on which side of a firewall
95 either client is on. Since studies have shown that half of the computer
96 security breaches in industry happen from @i{inside} firewalls,
97 @value{COMPANY}'s @value{PRODUCT} plays a vital role in maintaining your
100 The @value{PRODUCT} package is designed to be easy to use. Most of the
101 commands are nearly identical to UNIX network programs you already
102 use. @value{PRODUCT} is a @dfn{single-sign-on} system, which means
103 that you have to type your password only once per session, and Kerberos
104 does the authenticating and encrypting transparently.
107 * What is a Ticket?::
108 * What is a Kerberos Principal?::
111 @node What is a Ticket?, What is a Kerberos Principal?, Introduction, Introduction
112 @section What is a Ticket?
114 Your Kerberos @dfn{credentials}, or ``@dfn{tickets}'', are a set of
115 electronic information that can be used to verify your identity. Your
116 Kerberos tickets may be stored in a file, or they may exist only in
119 The first ticket you obtain is a @dfn{ticket-granting ticket}, which
120 permits you to obtain additional tickets. These additional tickets give
121 you permission for specific services. The requesting and granting of
122 these additional tickets happens transparently.
124 A good analogy for the ticket-granting ticket is a three-day ski pass
125 that is good at four different resorts. You show the pass at whichever
126 resort you decide to go to (until it expires), and you receive a lift
127 ticket for that resort. Once you have the lift ticket, you can ski all
128 you want at that resort. If you go to another resort the next day, you
129 once again show your pass, and you get an additional lift ticket for the
130 new resort. The difference is that the @value{PRODUCT} programs notice
131 that you have the weekend ski pass, and get the lift ticket for you, so
132 you don't have to perform the transactions yourself.
134 @node What is a Kerberos Principal?, , What is a Ticket?, Introduction
135 @section What is a Kerberos Principal?
137 A Kerberos @dfn{principal} is a unique identity to which Kerberos can
138 assign tickets. Principals can have an arbitrary number of
139 components. Each component is separated by a component separator,
140 generally `/'. The last component is the realm, separated from the
141 rest of the principal by the realm separator, generally `@@'. If there
142 is no realm component in the principal, then it will be assumed that
143 the principal is in the default realm for the context in which it is
146 Traditionally, a principal is divided into three parts: the
147 @dfn{primary}, the @dfn{instance}, and the @dfn{realm}. The format of
148 a typical Kerberos V5 principal is @code{primary/instance@@REALM}.
151 @item The @dfn{primary} is the first part of the principal. In the case
152 of a user, it's the same as your username. For a host, the primary is
153 the word @code{host}.
155 @item The @dfn{instance} is an optional string that qualifies the
156 primary. The instance is separated from the primary by a slash
157 (@code{/}). In the case of a user, the instance is usually null, but a
158 user might also have an additional principal, with an instance called
159 @samp{admin}, which he/she uses to administrate a database. The
160 principal @code{@value{RANDOMUSER1}@@@value{PRIMARYREALM}} is completely
161 separate from the principal
162 @code{@value{RANDOMUSER1}/admin@@@value{PRIMARYREALM}}, with a separate
163 password, and separate permissions. In the case of a host, the instance
164 is the fully qualified hostname, e.g.,
165 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}.
167 @item The @dfn{realm} is your Kerberos realm. In most cases, your
168 Kerberos realm is your domain name, in upper-case letters. For example,
169 the machine @code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}} would be in
170 the realm @code{@value{SECONDREALM}}.
173 @node Kerberos V5 Tutorial, Kerberos V5 Reference, Introduction, Top
174 @chapter Kerberos V5 Tutorial
176 This tutorial is intended to familiarize you with the @value{PRODUCT}
177 client programs. We will represent your prompt as ``@code{shell%}''.
178 So an instruction to type the ``@kbd{ls}'' command would be represented as
188 In these examples, we will use sample usernames, such as
189 @code{@value{RANDOMUSER1}} and @code{@value{RANDOMUSER2}}, sample
190 hostnames, such as @code{@value{RANDOMHOST1}} and
191 @code{@value{RANDOMHOST2}}, and sample domain names, such as
192 @code{@value{PRIMARYDOMAIN}} and @code{@value{SECONDDOMAIN}}. When you
193 see one of these, substitute your username, hostname, or domain name
197 * Setting Up to Use Kerberos V5::
198 * Ticket Management::
199 * Password Management::
200 * Kerberos V5 Applications::
203 @node Setting Up to Use Kerberos V5, Ticket Management, Kerberos V5 Tutorial, Kerberos V5 Tutorial
204 @section Setting Up to Use @value{PRODUCT}
206 Your system administrator will have installed the @value{PRODUCT}
207 programs in whichever directory makes the most sense for your system.
208 We will use @code{@value{ROOTDIR}} throughout this guide to refer to the
209 top-level directory @value{PRODUCT} directory. We will therefor use
210 @code{@value{BINDIR}} to denote the location of the @value{PRODUCT} user
211 programs. In your installation, the directory name may be different,
212 but whatever the directory name is, you should make sure it is included
213 in your path. You will probably want to put it @i{ahead of} the
214 directories @code{/bin} and @code{/usr/bin} so you will get the
215 @value{PRODUCT} network programs, rather than the standard UNIX
216 versions, when you type their command names.
218 @node Ticket Management, Password Management, Setting Up to Use Kerberos V5, Kerberos V5 Tutorial
219 @section Ticket Management
221 On many systems, Kerberos is built into the login program, and you get
222 tickets automatically when you log in. Other programs, such as
223 @code{rsh}, @code{rcp}, @code{telnet}, and @code{rlogin}, can forward
224 copies of your tickets to the remote host. Most of these programs also
225 automatically destroy your tickets when they exit. However,
226 @value{COMPANY} recommends that you explicitly destroy your Kerberos
227 tickets when you are through with them, just to be sure. One way to
228 help ensure that this happens is to add the @code{kdestroy} command to
229 your @code{.logout} file. Additionally, if you are going to be away
230 from your machine and are concerned about an intruder using your
231 permissions, it is safest to either destroy all copies of your tickets,
232 or use a screensaver that locks the screen.
236 * Kerberos Ticket Properties::
237 * Obtaining Tickets with kinit::
238 * Viewing Your Tickets with klist::
239 * Destroying Your Tickets with kdestroy::
242 @node Kerberos Ticket Properties, Obtaining Tickets with kinit, Ticket Management, Ticket Management
243 @subsection Kerberos Ticket Properties
246 There are various properties that Kerberos tickets can have:
248 If a ticket is @dfn{forwardable}, then the KDC can issue a new ticket with
249 a different network address based on the forwardable ticket. This
250 allows for authentication forwarding without requiring a password to be
251 typed in again. For example, if a user with a forwardable TGT logs
252 into a remote system, the KDC could issue a new TGT for that user with
253 the netword address of the remote system, allowing authentication on
254 that host to work as though the user were logged in locally.
256 When the KDC creates a new ticket based on a forwardable ticket, it
257 sets the @dfn{forwarded} flag on that new ticket. Any tickets that are
258 created based on a ticket with the forwarded flag set will also have
259 their forwarded flags set.
261 A @dfn{proxiable} ticket is similar to a forwardable ticket in that it
262 allows a service to take on the identity of the client. Unlike a
263 forwardable ticket, however, a proxiable ticket is only issued for
264 specific services. In other words, a ticket-granting ticket cannot be
265 issued based on a ticket that is proxiable but not forwardable.
267 A @dfn{proxy} ticket is one that was issued based on a proxiable ticket.
269 A @dfn{postdated} ticket is issued with the @i{invalid} flag set.
270 After the starting time listed on the ticket, it can be presented to
271 the KDC to obtain valid tickets.
273 Tickets with the @dfn{postdateable} flag set can be used to issue postdated
276 @dfn{Renewable} tickets can be used to obtain new session keys without
277 the user entering their password again. A renewable ticket has two
278 expiration times. The first is the time at which this particular
279 ticket expires. The second is the latest possible expiration time for
280 any ticket issued based on this renewable ticket.
282 A ticket with the @dfn{initial} flag set was issued based on the
283 authentication protocol, and not on a ticket-granting ticket. Clients
284 that wish to ensure that the user's key has been recently presented for
285 verification could specify that this flag must be set to accept the
288 An @dfn{invalid} ticket must be rejected by application servers. Postdated
289 tickets are usually issued with this flag set, and must be validated by
290 the KDC before they can be used.
292 A @dfn{preauthenticated} ticket is one that was only issued after the
293 client requesting the ticket had authenticated itself to the KDC.
295 The @dfn{hardware authentication} flag is set on a ticket which
296 required the use of hardware for authentication. The hardware is
297 expected to be possessed only by the client which requested the
300 If a ticket has the @dfn{transit policy checked} flag set, then the KDC that
301 issued this ticket implements the transited-realm check policy and
302 checked the transited-realms list on the ticket. The transited-realms
303 list contains a list of all intermediate realms between the realm of the
304 KDC that issued the first ticket and that of the one that issued the
305 current ticket. If this flag is not set, then the application server
306 must check the transited realms itself or else reject the ticket.
308 The @dfn{okay as delegate} flag indicates that the server specified in
309 the ticket is suitable as a delegate as determined by the policy of
310 that realm. A server that is acting as a delegate has been granted a
311 proxy or a forwarded TGT. This flag is a new addition to the
312 @value{PRODUCT} protocol and is not yet implemented on MIT servers.
314 An @dfn{anonymous} ticket is one in which the named principal is a generic
315 principal for that realm; it does not actually specify the individual
316 that will be using the ticket. This ticket is meant only to securely
317 distribute a session key. This is a new addition to the @value{PRODUCT}
318 protocol and is not yet implemented on MIT servers.
320 @node Obtaining Tickets with kinit, Viewing Your Tickets with klist, Kerberos Ticket Properties, Ticket Management
321 @subsection Obtaining Tickets with kinit
323 If your site is using the @value{PRODUCT} login program, you will get
324 Kerberos tickets automatically when you log in. If your site uses a
325 different login program, you may need to explicitly obtain your Kerberos
326 tickets, using the @code{kinit} program. Similarly, if your Kerberos
327 tickets expire, use the @code{kinit} program to obtain new ones.
330 To use the @code{kinit} program, simply type @kbd{kinit} and then type
331 your password at the prompt. For example, Jennifer (whose username is
332 @code{@value{RANDOMUSER1}}) works for Bleep, Inc. (a fictitious company
333 with the domain name @code{@value{PRIMARYDOMAIN}} and the Kerberos realm
334 @code{@value{PRIMARYREALM}}). She would type:
339 @b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type @value{RANDOMUSER1}'s password here.]}
345 If you type your password incorrectly, kinit will give you the following
351 @b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type the wrong password here.]}
352 @b{kinit: Password incorrect}
357 @noindent and you won't get Kerberos tickets.
359 @noindent Notice that @code{kinit} assumes you want tickets for your own
360 username in your default realm.
362 Suppose Jennifer's friend David is visiting, and he wants to borrow a
363 window to check his mail. David needs to get tickets for himself in his
364 own realm, @value{SECONDREALM}.@footnote{Note: the realm
365 @value{SECONDREALM} must be listed in your computer's Kerberos
366 configuration file, @code{/etc/krb5.conf}.} He would type:
370 @b{shell%} kinit @value{RANDOMUSER2}@@@value{SECONDREALM}
371 @b{Password for @value{RANDOMUSER2}@@@value{SECONDREALM}:} @i{<-- [Type @value{RANDOMUSER2}'s password here.]}
376 @noindent David would then have tickets which he could use to log onto
377 his own machine. Note that he typed his password locally on Jennifer's
378 machine, but it never went over the network. Kerberos on the local host
379 performed the authentication to the KDC in the other realm.
382 If you want to be able to forward your tickets to another host, you need
383 to request @dfn{forwardable} tickets. You do this by specifying the
389 @b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type your password here.]}
395 Note that @code{kinit} does not tell you that it obtained forwardable
396 tickets; you can verify this using the @code{klist} command
397 (@pxref{Viewing Your Tickets with klist}).
399 Normally, your tickets are good for your system's default ticket
400 lifetime, which is ten hours on many systems. You can specify a
401 different ticket lifetime with the @samp{-l} option. Add the letter
402 @samp{s} to the value for seconds, @samp{m} for minutes, @samp{h} for
403 hours, or @samp{d} for days.
405 For example, to obtain forwardable tickets for
406 @code{@value{RANDOMUSER2}@@@value{SECONDREALM}} that would be good for
407 three hours, you would type:
411 @b{shell%} kinit -f -l 3h @value{RANDOMUSER2}@@@value{SECONDREALM}
412 @b{Password for @value{RANDOMUSER2}@@@value{SECONDREALM}:} @i{<-- [Type @value{RANDOMUSER2}'s password here.]}
418 You cannot mix units; specifying a lifetime of @samp{3h30m} would result
419 in an error. Note also that most systems specify a maximum ticket
420 lifetime. If you request a longer ticket lifetime, it will be
421 automatically truncated to the maximum lifetime.
423 @node Viewing Your Tickets with klist, Destroying Your Tickets with kdestroy, Obtaining Tickets with kinit, Ticket Management
424 @subsection Viewing Your Tickets with klist
426 The @code{klist} command shows your tickets. When you first obtain
427 tickets, you will have only the ticket-granting ticket. (@xref{What is
428 a Ticket?}.) The listing would look like this:
433 Ticket cache: /tmp/krb5cc_ttypa
434 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
436 Valid starting Expires Service principal
437 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
443 The ticket cache is the location of your ticket file. In the above
444 example, this file is named @code{/tmp/krb5cc_ttypa}. The default
445 principal is your kerberos @dfn{principal}. (@pxref{What is a Kerberos
448 The ``valid starting'' and ``expires'' fields describe the period of
449 time during which the ticket is valid. The @dfn{service principal}
450 describes each ticket. The ticket-granting ticket has the primary
451 @code{krbtgt}, and the instance is the realm name.
454 Now, if @value{RANDOMUSER1} connected to the machine
455 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, and then typed
456 @kbd{klist} again, she would have gotten the following result:
461 Ticket cache: /tmp/krb5cc_ttypa
462 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
464 Valid starting Expires Service principal
465 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
466 06/07/04 20:22:30 06/08/04 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
472 Here's what happened: when @value{RANDOMUSER1} used telnet to connect
473 to the host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, the telnet
474 program presented her ticket-granting ticket to the KDC and requested a
475 host ticket for the host
476 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}. The KDC sent the host
477 ticket, which telnet then presented to the host
478 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, and she was allowed to
479 log in without typing her password.
482 Suppose your Kerberos tickets allow you to log into a host in another
483 domain, such as @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, which
484 is also in another Kerberos realm, @code{@value{SECONDREALM}}. If you
485 telnet to this host, you will receive a ticket-granting ticket for the
486 realm @code{@value{SECONDREALM}}, plus the new @code{host} ticket for
487 @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}. @kbd{klist} will now
493 Ticket cache: /tmp/krb5cc_ttypa
494 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
496 Valid starting Expires Service principal
497 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
498 06/07/04 20:22:30 06/08/04 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
499 06/07/04 20:24:18 06/08/04 05:49:19 krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}
500 06/07/04 20:24:18 06/08/04 05:49:19 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{PRIMARYREALM}
505 You can use the @code{-f} option to view the @dfn{flags} that apply to
506 your tickets. The flags are:
528 @b{H}ardware authenticated
532 @b{T}ransit policy checked
540 Here is a sample listing. In this example, the user @value{RANDOMUSER1}
541 obtained her initial tickets (@samp{I}), which are forwardable
542 (@samp{F}) and postdated (@samp{d}) but not yet validated (@samp{i}).
543 (@xref{kinit Reference}, for more information about postdated tickets.)
548 @b{Ticket cache: /tmp/krb5cc_320
549 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
551 Valid starting Expires Service principal
552 31/07/05 19:06:25 31/07/05 19:16:25 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
559 In the following example, the user @value{RANDOMUSER2}'s tickets were
560 forwarded (@samp{f}) to this host from another host. The tickets are
561 reforwardable (@samp{F}).
566 @b{Ticket cache: /tmp/krb5cc_p11795
567 Default principal: @value{RANDOMUSER2}@@@value{SECONDREALM}
569 Valid starting Expires Service principal
570 07/31/05 11:52:29 07/31/05 21:11:23 krbtgt/@value{SECONDREALM}@@@value{SECONDREALM}
572 07/31/05 12:03:48 07/31/05 21:11:23 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{SECONDREALM}
578 @node Destroying Your Tickets with kdestroy, , Viewing Your Tickets with klist, Ticket Management
579 @subsection Destroying Your Tickets with kdestroy
581 Your Kerberos tickets are proof that you are indeed yourself, and
582 tickets can be stolen. If this happens, the person who has them can
583 masquerade as you until they expire. For this reason, you should
584 destroy your Kerberos tickets when you are away from your computer.
587 Destroying your tickets is easy. Simply type @kbd{kdestroy}.
597 If @code{kdestroy} fails to destroy your tickets, it will beep and give
598 an error message. For example, if @code{kdestroy} can't find any
599 tickets to destroy, it will give the following message:
604 @b{kdestroy: No credentials cache file found while destroying cache
609 @node Password Management, Kerberos V5 Applications, Ticket Management, Kerberos V5 Tutorial
610 @section Password Management
612 Your password is the only way Kerberos has of verifying your identity.
613 If someone finds out your password, that person can masquerade as
614 you---send email that comes from you, read, edit, or delete your files,
615 or log into other hosts as you---and no one will be able to tell the
616 difference. For this reason, it is important that you choose a good
617 password (@pxref{Password Advice}), and keep it secret. If you need to
618 give access to your account to someone else, you can do so through
619 Kerberos. (@xref{Granting Access to Your Account}.) You should
620 @i{never} tell your password to anyone, including your system
621 administrator, for any reason. You should change your password
622 frequently, particularly any time you think someone may have found out
626 * Changing Your Password::
628 * Granting Access to Your Account::
631 @node Changing Your Password, Password Advice, Password Management, Password Management
632 @subsection Changing Your Password
635 To change your Kerberos password, use the @code{kpasswd} command. It
636 will ask you for your old password (to prevent someone else from walking
637 up to your computer when you're not there and changing your password),
638 and then prompt you for the new one twice. (The reason you have to type
639 it twice is to make sure you have typed it correctly.) For example,
640 user @code{@value{RANDOMUSER2}} would do the following:
645 @b{Password for @value{RANDOMUSER2}:} @i{<- Type your old password.}
646 @b{Enter new password:} @i{<- Type your new password.}
647 @b{Enter it again:} @i{<- Type the new password again.}
648 @b{Password changed.}
654 If @value{RANDOMUSER2} typed the incorrect old password, he would get
655 the following message:
660 @b{Password for @value{RANDOMUSER2}:} @i{<- Type the incorrect old password.}
661 @b{kpasswd: Password incorrect while getting initial ticket
667 If you make a mistake and don't type the new password the same way
668 twice, @code{kpasswd} will ask you to try again:
673 @b{Password for @value{RANDOMUSER2}:} @i{<- Type the old password.}
674 @b{Enter new password:} @i{<- Type the new password.}
675 @b{Enter it again:} @i{<- Type a different new password.}
676 @b{kpasswd: Password mismatch while reading password
681 Once you change your password, it takes some time for the change to
682 propagate through the system. Depending on how your system is set up,
683 this might be anywhere from a few minutes to an hour or more. If you
684 need to get new Kerberos tickets shortly after changing your password,
685 try the new password. If the new password doesn't work, try again using
688 @node Password Advice, Granting Access to Your Account, Changing Your Password, Password Management
689 @subsection Password Advice
691 Your password can include almost any character you can type (except
692 control keys and the ``enter'' key). A good password is one you can
693 remember, but that no one else can easily guess. Examples of @i{bad}
694 passwords are words that can be found in a dictionary, any common or
695 popular name, especially a famous person (or cartoon character), your
696 name or username in any form (@i{e.g.}, forward, backward, repeated
697 twice, @i{etc.}), your spouse's, child's, or pet's name, your birth
698 date, your social security number, and any sample password that appears
699 in this (or any other) manual.
702 @value{COMPANY} recommends that your password be at least 6 characters
703 long, and contain UPPER- and lower-case letters, numbers, and/or
704 punctuation marks. Some passwords that would be good if they weren't
705 listed in this manual include:
708 @item some initials, like ``GykoR-66.'' for ``Get your kicks on Route
711 @item an easy-to-pronounce nonsense word, like ``slaRooBey'' or
714 @item a misspelled phrase, like ``2HotPeetzas!'' or ``ItzAGurl!!!''
717 @noindent Note: don't actually use any of the above passwords. They're
718 only meant to show you how to make up a good password. Passwords that
719 appear in a manual are the first ones intruders will try.
722 @value{PRODUCT} allows your system administrators to automatically
723 reject bad passwords, based on certain criteria, such as a password
724 dictionary or a minimum length. For example, if the user
725 @code{@value{RANDOMUSER1}}, who had a policy "strict" that required a
726 minimum of 8 characaters, chose a password that was less than 8
727 characters, Kerberos would give an error message like the following:
732 @b{Password for @value{RANDOMUSER1}:} @i{<- Type your old password here.}
734 @value{RANDOMUSER1}'s password is controlled by the policy strict, which
735 requires a minimum of 8 characters from at least 3 classes (the five classes
736 are lowercase, uppercase, numbers, punctuation, and all other characters).
738 @b{Enter new password:} @i{<- Type an insecure new password.}
739 @b{Enter it again:} @i{<- Type it again.}
741 kpasswd: Password is too short while attempting to change password.
742 Please choose another password.
744 @b{Enter new password:} @i{<- Type a good password here.}
745 @b{Enter it again:} @i{<- Type it again.}
751 @noindent Your system administrators can choose the message that is
752 displayed if you choose a bad password, so the message you see may be
753 different from the above example.
755 @node Granting Access to Your Account, , Password Advice, Password Management
756 @subsection Granting Access to Your Account
759 If you need to give someone access to log into your account, you can do
760 so through Kerberos, without telling the person your password. Simply
761 create a file called @code{.k5login} in your home directory. This file
762 should contain the Kerberos principal (@xref{What is a Kerberos
763 Principal?}.) of each person to whom you wish to give access. Each
764 principal must be on a separate line. Here is a sample @code{.k5login}
769 @value{RANDOMUSER1}@@@value{PRIMARYREALM}
770 @value{RANDOMUSER2}@@@value{SECONDREALM}
774 @noindent This file would allow the users @code{@value{RANDOMUSER1}} and
775 @code{@value{RANDOMUSER2}} to use your user ID, provided that they had
776 Kerberos tickets in their respective realms. If you will be logging
777 into other hosts across a network, you will want to include your own
778 Kerberos principal in your @code{.k5login} file on each of these hosts.
781 Using a @code{.k5login} file is much safer than giving out your
785 @item You can take access away any time simply by removing the principal
786 from your @code{.k5login} file.
788 @item Although the user has full access to your account on one
789 particular host (or set of hosts if your @code{.k5login} file is shared,
790 @i{e.g.}, over NFS), that user does not inherit your network privileges.
792 @item Kerberos keeps a log of who obtains tickets, so a system
793 administrator could find out, if necessary, who was capable of using
794 your user ID at a particular time.
797 One common application is to have a @code{.k5login} file in
798 @code{root}'s home directory, giving root access to that machine to the
799 Kerberos principals listed. This allows system administrators to allow
800 users to become root locally, or to log in remotely as @code{root},
801 without their having to give out the root password, and without anyone
802 having to type the root password over the network.
804 @node Kerberos V5 Applications, , Password Management, Kerberos V5 Tutorial
805 @section Kerberos V5 Applications
807 @value{PRODUCT} is a @dfn{single-sign-on} system. This means that you
808 only have to type your password once, and the @value{PRODUCT} programs
809 do the authenticating (and optionally encrypting) for you. The way this
810 works is that Kerberos has been built into each of a suite of network
811 programs. For example, when you use a @value{PRODUCT} program to
812 connect to a remote host, the program, the KDC, and the remote host
813 perform a set of rapid negotiations. When these negotiations are
814 completed, your program has proven your identity on your behalf to the
815 remote host, and the remote host has granted you access, all in the
816 space of a few seconds.
818 The @value{PRODUCT} applications are versions of existing UNIX network
819 programs with the Kerberos features added.
822 * Overview of Additional Features::
831 @node Overview of Additional Features, telnet, Kerberos V5 Applications, Kerberos V5 Applications
832 @subsection Overview of Additional Features
834 The @value{PRODUCT} @dfn{network programs} are those programs that
835 connect to another host somewhere on the internet. These programs
836 include @code{rlogin}, @code{telnet}, @code{ftp}, @code{rsh},
837 @code{rcp}, and @code{ksu}. These programs have all of the original
838 features of the corresponding non-Kerberos @code{rlogin}, @code{telnet},
839 @code{ftp}, @code{rsh}, @code{rcp}, and @code{su} programs, plus
840 additional features that transparently use your Kerberos tickets for
841 negotiating authentication and optional encryption with the remote host.
842 In most cases, all you'll notice is that you no longer have to type your
843 password, because Kerberos has already proven your identity.
845 The @value{PRODUCT} network programs allow you the options of forwarding
846 your tickets to the remote host (if you obtained forwardable tickets
847 with the @code{kinit} program; @pxref{Obtaining Tickets with kinit}), and
848 encrypting data transmitted between you and the remote host.
850 This section of the tutorial assumes you are familiar with the
851 non-Kerberos versions of these programs, and highlights the Kerberos
852 functions added in the @value{PRODUCT} package.
854 @node telnet, rlogin, Overview of Additional Features, Kerberos V5 Applications
857 The @value{PRODUCT} @code{telnet} command works exactly like the
858 standard UNIX telnet program, with the following Kerberos options added:
862 forwards a copy of your tickets to the remote host.
865 forwards a copy of your tickets to the remote host, and marks them
866 re-forwardable from the remote host.
869 requests tickets for the remote host in the specified realm, instead of
870 determining the realm itself.
873 uses your tickets to authenticate to the remote host, but does not log
877 attempt automatic login using your tickets. @code{telnet} will assume
878 the same username unless you explicitly specify another.
886 For example, if @code{@value{RANDOMUSER2}} wanted to use the standard
887 UNIX telnet to connect to the machine
888 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, he would type:
892 @b{shell%} telnet @value{RANDOMHOST1}.@value{SECONDDOMAIN}
893 @b{Trying 128.0.0.5 ...
894 Connected to @value{RANDOMHOST1}.@value{SECONDDOMAIN}.
895 Escape character is '^]'.
897 NetBSD/i386 (daffodil) (ttyp3)
899 login:} @value{RANDOMUSER2}
900 @b{Password:} @i{<- @value{RANDOMUSER2} types his password here}
901 @b{Last login: Fri Jun 21 17:13:11 from @value{RANDOMHOST2}.@value{PRIMARYDOMAIN}
902 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
903 The Regents of the University of California. All rights reserved.
905 NetBSD 1.1: Tue May 21 00:31:42 EDT 1996
912 @noindent Note that the machine
913 @code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}} asked for
914 @code{@value{RANDOMUSER2}}'s password. When he typed it, his password
915 was sent over the network unencrypted. If an intruder were watching
916 network traffic at the time, that intruder would know
917 @code{@value{RANDOMUSER2}}'s password.
920 If, on the other hand, @code{@value{RANDOMUSER1}} wanted to use the
921 @value{PRODUCT} telnet to connect to the machine
922 @code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}}, she could forward a
923 copy of her tickets, request an encrypted session, and log on as herself
928 @b{shell%} telnet -a -f -x @value{RANDOMHOST2}.@value{PRIMARYDOMAIN}
929 @b{Trying 128.0.0.5...
930 Connected to @value{RANDOMHOST2}.@value{PRIMARYDOMAIN}.
931 Escape character is '^]'.
932 [ Kerberos V5 accepts you as ``@value{RANDOMUSER1}@@@value{PRIMARYDOMAIN}'' ]
933 [ Kerberos V5 accepted forwarded credentials ]
934 What you type is protected by encryption.
935 Last login: Tue Jul 30 18:47:44 from @value{RANDOMHOST}.@value{SECONDDOMAIN}
936 Athena Server (sun4) Version 9.1.11 Tue Jul 30 14:40:08 EDT 2002
942 @noindent Note that @code{@value{RANDOMUSER1}}'s machine used Kerberos
943 to authenticate her to @code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}},
944 and logged her in automatically as herself. She had an encrypted
945 session, a copy of her tickets already waiting for her, and she never
948 If you forwarded your Kerberos tickets, @code{telnet} automatically
949 destroys them when it exits. The full set of options to @value{PRODUCT}
950 @code{telnet} are discussed in the Reference section of this manual.
951 (@pxref{telnet Reference})
954 @node rlogin, FTP, telnet, Kerberos V5 Applications
958 The @value{PRODUCT} @code{rlogin} command works exactly like the
959 standard UNIX rlogin program, with the following Kerberos options added:
963 forwards a copy of your tickets to the remote host.
966 forwards a copy of your tickets to the remote host, and marks them
967 re-forwardable from the remote host.
970 requests tickets for the remote host in the specified realm, instead of
971 determining the realm itself.
974 encrypts the input and output data streams (the username is sent unencrypted)
979 For example, if @code{@value{RANDOMUSER2}} wanted to use the standard
980 UNIX rlogin to connect to the machine
981 @code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}}, he would type:
985 @b{shell%} rlogin @value{RANDOMHOST1}.@value{SECONDDOMAIN} -l @value{RANDOMUSER2}
986 @b{Password:} @i{<- @value{RANDOMUSER2} types his password here}
987 @b{Last login: Fri Jun 21 10:36:32 from :0.0
988 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
989 The Regents of the University of California. All rights reserved.
991 NetBSD 1.1: Tue May 21 00:31:42 EDT 1996
998 @noindent Note that the machine
999 @code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}} asked for
1000 @code{@value{RANDOMUSER2}}'s password. When he typed it, his password
1001 was sent over the network unencrypted. If an intruder were watching
1002 network traffic at the time, that intruder would know
1003 @code{@value{RANDOMUSER2}}'s password.
1006 If, on the other hand, @code{@value{RANDOMUSER1}} wanted to use
1007 @value{PRODUCT} rlogin to connect to the machine
1008 @code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}}, she could forward a
1009 copy of her tickets, mark them as not forwardable from the remote host,
1010 and request an encrypted session as follows:
1014 @b{shell%} rlogin @value{RANDOMHOST2}.@value{PRIMARYDOMAIN} -f -x
1015 @b{This rlogin session is using DES encryption for all data transmissions.
1016 Last login: Thu Jun 20 16:20:50 from @value{RANDOMHOST1}
1017 Athena Server (sun4) Version 9.1.11 Tue Jul 30 14:40:08 EDT 2002
1022 @noindent Note that @code{@value{RANDOMUSER1}}'s machine used Kerberos
1023 to authenticate her to @code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}},
1024 and logged her in automatically as herself. She had an encrypted
1025 session, a copy of her tickets were waiting for her, and she never typed
1028 If you forwarded your Kerberos tickets, @code{rlogin} automatically
1029 destroys them when it exits. The full set of options to @value{PRODUCT}
1030 @code{rlogin} are discussed in the Reference section of this manual.
1031 (@pxref{rlogin Reference})
1033 @node FTP, rsh, rlogin, Kerberos V5 Applications
1037 The @value{PRODUCT} @code{FTP} program works exactly like the standard
1038 UNIX FTP program, with the following Kerberos features added:
1042 requests tickets for the remote host in the specified realm, instead of
1043 determining the realm itself.
1046 requests that your tickets be forwarded to the remote host. The
1047 @kbd{-f} argument must be the last argument on the command line.
1049 @itemx protect @i{level}
1050 (issued at the @code{ftp>} prompt) sets the protection level. ``Clear''
1051 is no protection; ``safe'' ensures data integrity by verifying the
1052 checksum, and ``private'' encrypts the data. Encryption also ensures
1057 For example, suppose @code{@value{RANDOMUSER1}} wants to get her
1058 @code{RMAIL} file from the directory @code{~@value{RANDOMUSER1}/Mail},
1059 on the host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}. She wants
1060 to encrypt the file transfer. The exchange would look like the
1065 @b{shell%} ftp @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}
1066 Connected to @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}.
1067 220 @value{RANDOMHOST1}.@value{PRIMARYDOMAIN} FTP server (Version 5.60) ready.
1068 334 Using authentication type GSSAPI; ADAT must follow
1069 GSSAPI accepted as authentication type
1070 GSSAPI authentication succeeded
1071 200 Data channel protection level set to private.
1072 Name (@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}:@value{RANDOMUSER1}):
1073 232 GSSAPI user @value{RANDOMUSER1}@@@value{PRIMARYREALM} is authorized as @value{RANDOMUSER1}
1074 230 User @value{RANDOMUSER1} logged in.
1075 Remote system type is UNIX.
1076 Using binary mode to transfer files.
1077 ftp> protect private
1078 200 Protection level set to Private.
1079 ftp> cd ~@value{RANDOMUSER1}/MAIL
1080 250 CWD command successful.
1082 227 Entering Passive Mode (128,0,0,5,16,49)
1083 150 Opening BINARY mode data connection for RMAIL (361662 bytes).
1084 226 Transfer complete.
1085 361662 bytes received in 2.5 seconds (1.4e+02 Kbytes/s)
1091 The full set of options to @value{PRODUCT} @code{FTP} are discussed
1092 in the Reference section of this manual. (@pxref{FTP Reference})
1094 @node rsh, rcp, FTP, Kerberos V5 Applications
1097 The @value{PRODUCT} @code{rsh} program works exactly like the standard
1098 UNIX rlogin program, with the following Kerberos features added:
1102 forwards a copy of your tickets to the remote host.
1105 forwards a copy of your tickets to the remote host, and marks them
1106 re-forwardable from the remote host.
1109 requests tickets for the remote host in the specified realm, instead of
1110 determining the realm itself.
1113 encrypts the input and output data streams (the command line is not encrypted)
1118 For example, if your Kerberos tickets allowed you to run programs on the
1119 host @* @code{@value{RANDOMHOST2}@@@value{SECONDDOMAIN}} as root, you could
1120 run the @samp{date} program as follows:
1124 @b{shell%} rsh @value{RANDOMHOST2}.@value{SECONDDOMAIN} -l root -x date
1125 @b{This rsh session is using DES encryption for all data transmissions.
1126 Tue Jul 30 19:34:21 EDT 2002
1131 If you forwarded your Kerberos tickets, @code{rsh} automatically
1132 destroys them when it exits. The full set of options to @value{PRODUCT}
1133 @code{rsh} are discussed in the Reference section of this manual.
1134 (@pxref{rsh Reference})
1136 @node rcp, ksu, rsh, Kerberos V5 Applications
1140 The @value{PRODUCT} @code{rcp} program works exactly like the standard
1141 UNIX rcp program, with the following Kerberos features added:
1145 requests tickets for the remote host in the specified realm, instead of
1146 determining the realm itself.
1149 turns on encryption.
1154 For example, if you wanted to copy the file @code{/etc/motd} from the
1155 host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} into the current
1156 directory, via an encrypted connection, you would simply type:
1159 @b{shell%} rcp -x @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}:/etc/motd .
1162 The @kbd{rcp} program negotiates authentication and encryption
1163 transparently. The full set of options to @value{PRODUCT} @code{rcp}
1164 are discussed in the Reference section of this manual. (@pxref{rcp
1167 @node ksu, , rcp, Kerberos V5 Applications
1170 The @value{PRODUCT} @code{ksu} program replaces the standard UNIX su
1171 program. @code{ksu} first authenticates you to Kerberos. Depending on
1172 the configuration of your system, @code{ksu} may ask for your Kerberos
1173 password if authentication fails. @emph{Note that you should never type
1174 your password if you are remotely logged in using an unencrypted
1177 Once @code{ksu} has authenticated you, if your Kerberos principal
1178 appears in the target's @code{.k5login} file (@pxref{Granting Access to
1179 Your Account}) or in the target's @code{.k5users} file (see below), it
1180 switches your user ID to the target user ID.
1183 For example, @code{@value{RANDOMUSER2}} has put
1184 @code{@value{RANDOMUSER1}}'s Kerberos principal in his @code{.k5login}
1185 file. If @code{@value{RANDOMUSER1}} uses @code{ksu} to become
1186 @code{@value{RANDOMUSER2}}, the exchange would look like this. (To
1187 differentiate between the two shells, @code{@value{RANDOMUSER1}}'s
1188 prompt is represented as @code{@value{RANDOMUSER1}%} and
1189 @code{@value{RANDOMUSER2}}'s prompt is represented as
1190 @code{@value{RANDOMUSER2}%}.)
1194 @b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2}
1195 @b{Account @value{RANDOMUSER2}: authorization for @value{RANDOMUSER1}@@@value{PRIMARYREALM} successful
1196 Changing uid to @value{RANDOMUSER2} (3382)
1197 @value{RANDOMUSER2}%}
1202 Note that the new shell has a copy of @code{@value{RANDOMUSER1}}'s
1203 tickets. The ticket filename contains @code{@value{RANDOMUSER2}}'s UID
1204 with @samp{.1} appended to it:
1208 @b{@value{RANDOMUSER2}%} klist
1209 @b{Ticket cache: /tmp/krb5cc_3382.1
1210 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
1212 Valid starting Expires Service principal
1213 07/31/04 21:53:01 08/01/04 07:52:53 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
1214 07/31/04 21:53:39 08/01/04 07:52:53 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
1215 @value{RANDOMUSER2}%}
1220 If @code{@value{RANDOMUSER1}} had not appeared in
1221 @code{@value{RANDOMUSER2}}'s @code{.k5login} file (and the system was
1222 configured to ask for a password), the exchange would have looked like
1223 this (assuming @code{@value{RANDOMUSER2}} has taken appropriate
1224 precautions in protecting his password):
1228 @b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2}
1229 @b{WARNING: Your password may be exposed if you enter it here and are logged
1230 in remotely using an unsecure (non-encrypted) channel.
1231 Kerberos password for @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{<- @code{@value{RANDOMUSER1}} types the wrong password here.}
1232 @b{ksu: Password incorrect
1233 Authentication failed.
1234 @value{RANDOMUSER1}%}
1238 Now, suppose @code{@value{RANDOMUSER2}} did not want to give
1239 @code{@value{RANDOMUSER1}} full access to his account, but wanted to
1240 give her permission to list his files and use the "more" command to view
1241 them. He could create a @code{.k5users} file giving her permission to
1242 run only those specific commands.
1245 The @code{.k5users} file is like the @code{.k5login} file, except that
1246 each principal is optionally followed by a list of commands. @code{ksu}
1247 will let those principals execute only the commands listed, using the
1248 @kbd{-e} option. @code{@value{RANDOMUSER2}}'s @code{.k5users} file
1249 might look like the following:
1253 @value{RANDOMUSER1}@@@value{PRIMARYREALM} /bin/ls /usr/bin/more
1254 @value{ADMINUSER}@@@value{PRIMARYREALM} /bin/ls
1255 @value{ADMINUSER}/admin@@@value{PRIMARYREALM} *
1256 @value{RANDOMUSER2}@@@value{SECONDREALM}
1260 @noindent The above @code{.k5users} file would let
1261 @code{@value{RANDOMUSER1}} run only the commands @code{/bin/ls} and
1262 @code{/usr/bin/more}. It would let @code{@value{ADMINUSER}} run only
1263 the command @code{/bin/ls} if he had regular tickets, but if he had
1264 tickets for his @code{admin} instance,
1265 @code{@value{ADMINUSER}/admin@@@value{PRIMARYREALM}}, he would be able
1266 to execute any command. The last line gives @code{@value{RANDOMUSER2}}
1267 in the realm @value{SECONDREALM} permission to execute any command.
1268 (@i{I.e.}, having only a Kerberos principal on a line is equivalent to
1269 giving that principal permission to execute @code{*}.) This is so that
1270 @value{RANDOMUSER2} can allow himself to execute commands when he logs
1271 in, using Kerberos, from a machine in the realm @value{SECONDREALM}.
1274 Then, when @code{@value{RANDOMUSER1}} wanted to list his home directory,
1279 @b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2} -e ls ~@value{RANDOMUSER2}
1280 @b{Authenticated @value{RANDOMUSER1}@@@value{PRIMARYREALM}
1281 Account @value{RANDOMUSER2}: authorization for @value{RANDOMUSER1}@@@value{PRIMARYREALM} for execution of
1283 Changing uid to @value{RANDOMUSER2} (3382)
1284 Mail News Personal misc bin
1285 @value{RANDOMUSER1}%}
1289 @noindent If @code{@value{RANDOMUSER1}} had tried to give a different
1290 command to @code{ksu}, it would have prompted for a password as with the
1293 Note that unless the @code{.k5users} file gives the target permission to
1294 run any command, the user must use @code{ksu} with the @kbd{-e}
1298 The @code{ksu} options you are most likely to use are:
1301 @itemx -n @i{principal}
1302 specifies which Kerberos principal you want to use for @code{ksu}.
1303 (@i{e.g.}, the user @code{@value{ADMINUSER}} might want to use his
1304 @code{admin} instance. @xref{What is a Ticket?}.)
1307 specifies the location of your Kerberos credentials cache (ticket file).
1310 tells @code{ksu} not to destroy your Kerberos tickets when @code{ksu} is
1314 requests forwardable tickets. (@xref{Obtaining Tickets with kinit}.) This
1315 is only applicable if @code{ksu} needs to obtain tickets.
1317 @itemx -l @i{lifetime}
1318 sets the ticket lifetime. (@xref{Obtaining Tickets with kinit}.) This is
1319 only applicable if @code{ksu} needs to obtain tickets.
1322 tells @code{ksu} to copy your Kerberos tickets only if the UID you are
1323 switching is the same as the Kerberos primary (either yours or the one
1324 specified by the @kbd{-n} option).
1327 tells @code{ksu} not to copy any Kerberos tickets to the new UID.
1329 @itemx -e @i{command}
1330 tells @code{ksu} to execute @i{command} and then exit. See the
1331 description of the @code{.k5users} file above.
1334 (at the end of the command line) tells @code{ksu} to pass everything
1335 after @samp{-a} to the target shell.
1338 The full set of options to @value{PRODUCT} @code{ksu} are discussed
1339 in the Reference section of this manual. (@pxref{ksu Reference})
1341 @node Kerberos V5 Reference, Kerberos Glossary, Kerberos V5 Tutorial, Top
1342 @chapter Kerberos V5 Reference
1344 This section will include copies of the manual pages for the
1345 @value{PRODUCT} client programs. You can read the manual entry for any
1346 command by typing @code{man} @i{command}, where @i{command} is the name
1347 of the command for which you want to read the manual entry. For
1348 example, to read the @code{kinit} manual entry, you would type:
1351 @b{shell%} man kinit
1354 Note: To be able to view the @value{PRODUCT} manual pages on line, you
1355 may need to add the directory @code{@value{ROOTDIR}/man} to your MANPATH
1356 environment variable. (Remember to replace @code{@value{ROOTDIR}} with
1357 the top-level directory in which @value{PRODUCT} is installed.) For
1358 example, if you had the the following line in your @code{.login}
1359 file@footnote{The MANPATH variable may be specified in a different
1360 initialization file, depending on your operating system. Some of the
1361 files in which you might specify environment variables include
1362 @code{.login}, @code{.profile}, or @code{.cshrc}.}:
1365 setenv MANPATH /usr/local/man:/usr/man
1369 and the @value{PRODUCT} man pages were in the directory
1370 @code{/usr/@value{LCPRODUCT}/man}, you would change the line to the following:
1373 setenv MANPATH /usr/@value{LCPRODUCT}/man:/usr/local/man:/usr/man
1377 Note to info users: the manual pages are not available within this info
1378 tree. You can read them from emacs with the command:
1381 M-x manual-entry @emph{command}
1391 * kdestroy Reference::
1392 * kpasswd Reference::
1393 * telnet Reference::
1395 * rlogin Reference::
1400 @node kinit Reference, klist Reference, Kerberos V5 Reference, Kerberos V5 Reference
1401 @section kinit Reference
1404 @special{psfile=kinit1.ps voffset=-700 hoffset=-40}
1405 @centerline{Reference Manual for @code{kinit}}
1408 @special{psfile=kinit2.ps voffset=-700 hoffset=-40}
1409 @centerline{Reference Manual for @code{kinit}}
1414 Type @kbd{M-x manual-entry kinit} to read this manual page.
1419 <a href="kinit.html"> kinit manpage</a>
1423 @node klist Reference, ksu Reference, kinit Reference, Kerberos V5 Reference
1424 @section klist Reference
1427 @special{psfile=klist1.ps voffset=-700 hoffset=-40}
1428 @centerline{Reference Manual for @code{klist}}
1433 @special{psfile=klist2.ps voffset=-700 hoffset=-40}
1434 @centerline{Reference Manual for @code{klist}}
1439 Type @kbd{M-x manual-entry klist} to read this manual page.
1444 <a href="klist.html"> klist manpage</a>
1448 @node ksu Reference, kdestroy Reference, klist Reference, Kerberos V5 Reference
1449 @section ksu Reference
1452 @special{psfile=ksu1.ps voffset=-700 hoffset=-40}
1453 @centerline{Reference Manual for @code{ksu}}
1456 @special{psfile=ksu2.ps voffset=-700 hoffset=-40}
1457 @centerline{Reference Manual for @code{ksu}}
1460 @special{psfile=ksu3.ps voffset=-700 hoffset=-40}
1461 @centerline{Reference Manual for @code{ksu}}
1464 @special{psfile=ksu4.ps voffset=-700 hoffset=-40}
1465 @centerline{Reference Manual for @code{ksu}}
1468 @special{psfile=ksu5.ps voffset=-700 hoffset=-40}
1469 @centerline{Reference Manual for @code{ksu}}
1474 Type @kbd{M-x manual-entry ksu} to read this manual page.
1479 <a href="ksu.html"> ksu manpage</a>
1483 @node kdestroy Reference, kpasswd Reference, ksu Reference, Kerberos V5 Reference
1484 @section kdestroy Reference
1487 @special{psfile=kdestroy1.ps voffset=-700 hoffset=-60}
1488 @centerline{Reference Manual for @code{kdestroy}}
1493 Type @kbd{M-x manual-entry kdestroy} to read this manual page.
1498 <a href="kdestroy.html"> kdestroy manpage</a>
1502 @node kpasswd Reference, telnet Reference, kdestroy Reference, Kerberos V5 Reference
1503 @section kpasswd Reference
1506 @special{psfile=kpasswd1.ps voffset=-700 hoffset=-40}
1507 @centerline{Reference Manual for @code{kpasswd}}
1512 Type @kbd{M-x manual-entry kpasswd} to read this manual page.
1517 <a href="kpasswd.html"> kpasswd manpage</a>
1521 @node telnet Reference, FTP Reference, kpasswd Reference, Kerberos V5 Reference
1522 @section telnet Reference
1525 @special{psfile=telnet1.ps voffset=-700 hoffset=-40}
1526 @centerline{Reference Manual for @code{telnet}}
1529 @special{psfile=telnet2.ps voffset=-700 hoffset=-40}
1530 @centerline{Reference Manual for @code{telnet}}
1533 @special{psfile=telnet3.ps voffset=-700 hoffset=-40}
1534 @centerline{Reference Manual for @code{telnet}}
1537 @special{psfile=telnet4.ps voffset=-700 hoffset=-40}
1538 @centerline{Reference Manual for @code{telnet}}
1541 @special{psfile=telnet5.ps voffset=-700 hoffset=-40}
1542 @centerline{Reference Manual for @code{telnet}}
1545 @special{psfile=telnet6.ps voffset=-700 hoffset=-40}
1546 @centerline{Reference Manual for @code{telnet}}
1549 @special{psfile=telnet7.ps voffset=-700 hoffset=-40}
1550 @centerline{Reference Manual for @code{telnet}}
1553 @special{psfile=telnet8.ps voffset=-700 hoffset=-40}
1554 @centerline{Reference Manual for @code{telnet}}
1557 @special{psfile=telnet9.ps voffset=-700 hoffset=-40}
1558 @centerline{Reference Manual for @code{telnet}}
1563 Type @kbd{M-x manual-entry telnet} to read this manual page.
1568 <a href="telnet.html"> telnet manpage</a>
1572 @node FTP Reference, rlogin Reference, telnet Reference, Kerberos V5 Reference
1573 @section FTP Reference
1576 @special{psfile=ftp1.ps voffset=-700 hoffset=-40}
1577 @centerline{Reference Manual for @code{FTP}}
1580 @special{psfile=ftp2.ps voffset=-700 hoffset=-40}
1581 @centerline{Reference Manual for @code{FTP}}
1584 @special{psfile=ftp3.ps voffset=-700 hoffset=-40}
1585 @centerline{Reference Manual for @code{FTP}}
1588 @special{psfile=ftp4.ps voffset=-700 hoffset=-40}
1589 @centerline{Reference Manual for @code{FTP}}
1592 @special{psfile=ftp5.ps voffset=-700 hoffset=-40}
1593 @centerline{Reference Manual for @code{FTP}}
1596 @special{psfile=ftp6.ps voffset=-700 hoffset=-40}
1597 @centerline{Reference Manual for @code{FTP}}
1600 @special{psfile=ftp7.ps voffset=-700 hoffset=-40}
1601 @centerline{Reference Manual for @code{FTP}}
1604 @special{psfile=ftp8.ps voffset=-700 hoffset=-40}
1605 @centerline{Reference Manual for @code{FTP}}
1608 @special{psfile=ftp9.ps voffset=-700 hoffset=-40}
1609 @centerline{Reference Manual for @code{FTP}}
1614 Type @kbd{M-x manual-entry FTP} to read this manual page.
1619 <a href="ftp.html"> ftp manpage</a>
1623 @node rlogin Reference, rsh Reference, FTP Reference, Kerberos V5 Reference
1624 @section rlogin Reference
1627 @special{psfile=rlogin1.ps voffset=-700 hoffset=-40}
1628 @centerline{Reference Manual for @code{rlogin}}
1631 @special{psfile=rlogin2.ps voffset=-700 hoffset=-40}
1632 @centerline{Reference Manual for @code{rlogin}}
1637 Type @kbd{M-x manual-entry rlogin} to read this manual page.
1642 <a href="rlogin.html"> rlogin manpage</a>
1646 @node rsh Reference, rcp Reference, rlogin Reference, Kerberos V5 Reference
1647 @section rsh Reference
1650 @special{psfile=rsh1.ps voffset=-700 hoffset=-40}
1651 @centerline{Reference Manual for @code{rsh}}
1654 @special{psfile=rsh2.ps voffset=-700 hoffset=-40}
1655 @centerline{Reference Manual for @code{rsh}}
1660 Type @kbd{M-x manual-entry rsh} to read this manual page.
1665 <a href="rsh.html"> rsh manpage</a>
1669 @node rcp Reference, , rsh Reference, Kerberos V5 Reference
1670 @section rcp Reference
1673 @special{psfile=rcp1.ps voffset=-700 hoffset=-40}
1674 @centerline{Reference Manual for @code{rcp}}
1679 @special{psfile=rcp2.ps voffset=-700 hoffset=-40}
1680 @centerline{Reference Manual for @code{rcp}}
1685 Type @kbd{M-x manual-entry rcp} to read this manual page.
1690 <a href="rcp.html"> rcp manpage</a>
1694 @node Kerberos Glossary, , Kerberos V5 Reference, Top
1695 @appendix Kerberos Glossary
1697 @include glossary.texinfo