@setchapternewpage odd @c chapter begins on next odd page
@c @setchapternewpage on @c chapter begins on next page
@c @smallbook @c Format for 7" X 9.25" paper
+@documentencoding UTF-8
@c %**end of header
+@copying
+Copyright @copyright{} 1985-2010 by the Massachusetts Institute of Technology.
+@end copying
@paragraphindent 0
@iftex
@parskip 6pt plus 6pt
@end iftex
+@dircategory Kerberos
+@direntry
+* krb5-user: (krb5-user). Kerberos V5 UNIX User's Guide
+@end direntry
+
@include definitions.texinfo
-@set EDITION b7-1
+@set EDITION 1.0
@finalout @c don't print black warning boxes
@page
@vskip 0pt plus 1filll
-
-@include copyright.texinfo
+@insertcopying
@end titlepage
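Review bot: Replacing @include copyright.texinfo with the new @copying block drops whatever copyright.texinfo contained beyond the single copyright line; if that file carried the full permission or license notice, it has to move into the @copying block, because @insertcopying (used on the title page here and again inside @ifinfo) emits only what @copying defines.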
@comment node-name, next, previous, up
@ifinfo
This file describes how to use the @value{PRODUCT} client programs.
-@include copyright.texinfo
+@insertcopying
@end ifinfo
@c The master menu is updated using emacs19's M-x texinfo-all-menus-update
* Kerberos V5 Tutorial::
* Kerberos V5 Reference::
* Kerberos Glossary::
+* Copyright::
@end menu
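Review bot: The new "* Copyright::" menu entry needs a matching @node Copyright, and none of the visible hunks adds one; makeinfo rejects a menu entry whose node does not exist, so either add the node (an @unnumbered or @appendix section containing @insertcopying) or drop the entry.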
@node Introduction, Kerberos V5 Tutorial, Top, Top
@chapter Introduction
+@ifset CYGNUS
@value{PRODUCT} is based on the Kerberos V5 authentication system
-developed at MIT. Kerberos is named for the three-headed watchdog from
-Greek mythology, who guarded the entrance to the underworld.
+developed at MIT.
+@end ifset
+@ifset MIT
+Kerberos V5 is an authentication system developed at MIT.
+@end ifset
+Kerberos is named for the three-headed watchdog from Greek mythology,
+who guarded the entrance to the underworld.
Under Kerberos, a client (generally either a user or a service) sends a
request for a ticket to the @i{Key Distribution Center} (KDC). The KDC
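Review bot: The @ifset CYGNUS / @ifset MIT pair in the Introduction is not exhaustive: if definitions.texinfo sets neither flag, the chapter opens with "Kerberos is named for the three-headed watchdog..." and never states what @value{PRODUCT} is. Consider making the MIT text the default with @ifclear CYGNUS in place of @ifset MIT.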
either client is on. Since studies have shown that half of the computer
security breaches in industry happen from @i{inside} firewalls,
@value{COMPANY}'s @value{PRODUCT} plays a vital role in maintaining your
-nework security.
+network security.
The @value{PRODUCT} package is designed to be easy to use. Most of the
-commands are nearly identical to UNIX network programs you are already
-used to. @value{PRODUCT} is a @dfn{single-sign-on} system, which means
+commands are nearly identical to UNIX network programs you already
+use. @value{PRODUCT} is a @dfn{single-sign-on} system, which means
that you have to type your password only once per session, and Kerberos
does the authenticating and encrypting transparently.
-@iftex
-@vfil
-@end iftex
-@need 2000
@menu
* What is a Ticket?::
* What is a Kerberos Principal?::
that you have the weekend ski pass, and get the lift ticket for you, so
you don't have to perform the transactions yourself.
-@iftex
-@vfil
-@end iftex
-@need 2000
@node What is a Kerberos Principal?, , What is a Ticket?, Introduction
@section What is a Kerberos Principal?
A Kerberos @dfn{principal} is a unique identity to which Kerberos can
-assign tickets. By convention, a principal is divided into three parts:
-the @dfn{primary}, the @dfn{instance}, and the @dfn{realm}. The format
-of a typical Kerberos V5 principal is @code{primary/instance@@REALM}.
+assign tickets. Principals can have an arbitrary number of
+components. Each component is separated by a component separator,
+generally `/'. The last component is the realm, separated from the
+rest of the principal by the realm separator, generally `@@'. If there
+is no realm component in the principal, then it will be assumed that
+the principal is in the default realm for the context in which it is
+being used.
+
+Traditionally, a principal is divided into three parts: the
+@dfn{primary}, the @dfn{instance}, and the @dfn{realm}. The format of
+a typical Kerberos V5 principal is @code{primary/instance@@REALM}.
@itemize @bullet
@item The @dfn{primary} is the first part of the principal. In the case
@item The @dfn{realm} is your Kerberos realm. In most cases, your
Kerberos realm is your domain name, in upper-case letters. For example,
-the machine @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} would be in
-the realm @code{@value{PRIMARYREALM}}.
+the machine @code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}} would be in
+the realm @code{@value{SECONDREALM}}.
@end itemize
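Review bot: The new paragraph states "The last component is the realm", yet the retained bullets keep the model in which the components are the primary and instance and the realm is a separate part after the `@@' separator; rewording to "the realm follows the components" avoids the contradiction. Separately, this hunk now places @value{RANDOMHOST1} in @value{SECONDDOMAIN}/@value{SECONDREALM}, while the klist, FTP and ksu listings later in this patch still show host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}; settle on one host-to-domain mapping across the manual.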
@node Kerberos V5 Tutorial, Kerberos V5 Reference, Introduction, Top
-@chapter @value{PRODUCT} Tutorial
+@chapter Kerberos V5 Tutorial
This tutorial is intended to familiarize you with the @value{PRODUCT}
client programs. We will represent your prompt as ``@code{shell%}''.
On many systems, Kerberos is built into the login program, and you get
tickets automatically when you log in. Other programs, such as
-/@code{rsh}, @code{rcp}, @code{telnet}, and @code{rlogin}, can forward
+@code{rsh}, @code{rcp}, @code{telnet}, and @code{rlogin}, can forward
copies of your tickets to the remote host. Most of these programs also
automatically destroy your tickets when they exit. However,
@value{COMPANY} recommends that you explicitly destroy your Kerberos
@need 2000
@menu
+* Kerberos Ticket Properties::
* Obtaining Tickets with kinit::
* Viewing Your Tickets with klist::
* Destroying Your Tickets with kdestroy::
@end menu
-@node Obtaining Tickets with kinit, Viewing Your Tickets with klist, Ticket Management, Ticket Management
+@node Kerberos Ticket Properties, Obtaining Tickets with kinit, Ticket Management, Ticket Management
+@subsection Kerberos Ticket Properties
+
+@noindent
+There are various properties that Kerberos tickets can have:
+
+If a ticket is @dfn{forwardable}, then the KDC can issue a new ticket with
+a different network address based on the forwardable ticket. This
+allows for authentication forwarding without requiring a password to be
+typed in again. For example, if a user with a forwardable TGT logs
+into a remote system, the KDC could issue a new TGT for that user with
+the network address of the remote system, allowing authentication on
+that host to work as though the user were logged in locally.
+
+When the KDC creates a new ticket based on a forwardable ticket, it
+sets the @dfn{forwarded} flag on that new ticket. Any tickets that are
+created based on a ticket with the forwarded flag set will also have
+their forwarded flags set.
+
+A @dfn{proxiable} ticket is similar to a forwardable ticket in that it
+allows a service to take on the identity of the client. Unlike a
+forwardable ticket, however, a proxiable ticket is only issued for
+specific services. In other words, a ticket-granting ticket cannot be
+issued based on a ticket that is proxiable but not forwardable.
+
+A @dfn{proxy} ticket is one that was issued based on a proxiable ticket.
+
+A @dfn{postdated} ticket is issued with the @i{invalid} flag set.
+After the starting time listed on the ticket, it can be presented to
+the KDC to obtain valid tickets.
+
+Tickets with the @dfn{postdateable} flag set can be used to issue postdated
+tickets.
+
+@dfn{Renewable} tickets can be used to obtain new session keys without
+the user entering their password again. A renewable ticket has two
+expiration times. The first is the time at which this particular
+ticket expires. The second is the latest possible expiration time for
+any ticket issued based on this renewable ticket.
+
+A ticket with the @dfn{initial} flag set was issued based on the
+authentication protocol, and not on a ticket-granting ticket. Clients
+that wish to ensure that the user's key has been recently presented for
+verification could specify that this flag must be set to accept the
+ticket.
+
+An @dfn{invalid} ticket must be rejected by application servers. Postdated
+tickets are usually issued with this flag set, and must be validated by
+the KDC before they can be used.
+
+A @dfn{preauthenticated} ticket is one that was only issued after the
+client requesting the ticket had authenticated itself to the KDC.
+
+The @dfn{hardware authentication} flag is set on a ticket which
+required the use of hardware for authentication. The hardware is
+expected to be possessed only by the client which requested the
+tickets.
+
+If a ticket has the @dfn{transit policy checked} flag set, then the KDC that
+issued this ticket implements the transited-realm check policy and
+checked the transited-realms list on the ticket. The transited-realms
+list contains a list of all intermediate realms between the realm of the
+KDC that issued the first ticket and that of the one that issued the
+current ticket. If this flag is not set, then the application server
+must check the transited realms itself or else reject the ticket.
+
+The @dfn{okay as delegate} flag indicates that the server specified in
+the ticket is suitable as a delegate as determined by the policy of
+that realm. A server that is acting as a delegate has been granted a
+proxy or a forwarded TGT. This flag is a new addition to the
+@value{PRODUCT} protocol and is not yet implemented on MIT servers.
+
+An @dfn{anonymous} ticket is one in which the named principal is a generic
+principal for that realm; it does not actually specify the individual
+that will be using the ticket. This ticket is meant only to securely
+distribute a session key. This is a new addition to the @value{PRODUCT}
+protocol and is not yet implemented on MIT servers.
+
+@node Obtaining Tickets with kinit, Viewing Your Tickets with klist, Kerberos Ticket Properties, Ticket Management
@subsection Obtaining Tickets with kinit
If your site is using the @value{PRODUCT} login program, you will get
lifetime. If you request a longer ticket lifetime, it will be
automatically truncated to the maximum lifetime.
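Review bot: In the new Kerberos Ticket Properties subsection, "a new addition to the @value{PRODUCT} protocol" (in the okay-as-delegate and anonymous paragraphs) should read "the Kerberos V5 protocol": @value{PRODUCT} is a product name, and this same patch replaces it with the literal "Kerberos V5" in the chapter titles. The properties are also presented as a run of loose paragraphs; a @table @dfn keyed on the flag name would match the flag-letter @table that the klist section uses further down and make the two lists easier to cross-reference.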
-@iftex
-@vfil
-@end iftex
-@need 3000
@node Viewing Your Tickets with klist, Destroying Your Tickets with kdestroy, Obtaining Tickets with kinit, Ticket Management
@subsection Viewing Your Tickets with klist
Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
Valid starting Expires Service principal
-06/07/96 19:49:21 06/08/96 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
+06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
@b{shell%}
@end group
@end smallexample
Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
Valid starting Expires Service principal
-06/07/96 19:49:21 06/08/96 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
-06/07/96 20:22:30 06/08/96 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
+06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
+06/07/04 20:22:30 06/08/04 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
@b{shell%}
@end group
@end smallexample
ticket, which telnet then presented to the host
@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, and she was allowed to
log in without typing her password.
-@iftex
-@vfil
-@end iftex
@need 3000
Suppose your Kerberos tickets allow you to log into a host in another
Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
Valid starting Expires Service principal
-06/07/96 19:49:21 06/08/96 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
-06/07/96 20:22:30 06/08/96 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
-06/07/96 20:24:18 06/08/96 05:49:19 krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}
-06/07/96 20:24:18 06/08/96 05:49:19 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{PRIMARYREALM}
+06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
+06/07/04 20:22:30 06/08/04 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
+06/07/04 20:24:18 06/08/04 05:49:19 krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}
+06/07/04 20:24:18 06/08/04 05:49:19 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{SECONDREALM}
@b{shell%}
@end group
@end smallexample
@b{I}nitial
@itemx i
@b{i}nvalid
+@itemx H
+@b{H}ardware authenticated
+@itemx A
+pre@b{A}uthenticated
+@itemx T
+@b{T}ransit policy checked
+@itemx O
+@b{O}kay as delegate
+@itemx a
+@b{a}nonymous
@end table
@need 1500
Here is a sample listing. In this example, the user @value{RANDOMUSER1}
obtained her initial tickets (@samp{I}), which are forwardable
(@samp{F}) and postdated (@samp{d}) but not yet validated (@samp{i}).
-(@xref{kinit Reference} for more information about postdated tickets.)
+(@xref{kinit Reference}, for more information about postdated tickets.)
@smallexample
@group
Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
Valid starting Expires Service principal
-31 Jul 96 19:06:25 31 Jul 96 19:16:25 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
+31/07/05 19:06:25 31/07/05 19:16:25 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
Flags: FdiI
shell%}
@end group
Default principal: @value{RANDOMUSER2}@@@value{SECONDREALM}
Valid starting Expires Service principal
-07/31/96 11:52:29 07/31/96 21:11:23 krbtgt/@value{SECONDREALM}@@@value{SECONDREALM}
+07/31/05 11:52:29 07/31/05 21:11:23 krbtgt/@value{SECONDREALM}@@@value{SECONDREALM}
Flags: Ff
-07/31/96 12:03:48 07/31/96 21:11:23 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{SECONDREALM}
+07/31/05 12:03:48 07/31/05 21:11:23 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{SECONDREALM}
Flags: Ff
shell%}
@end group
@end smallexample
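Review bot: The date format in the postdated-ticket listing is now DD/MM/YY ("31/07/05 19:06:25") while the listing directly below it and every other klist output in this patch use MM/DD/YY ("07/31/05", "06/07/04"); klist prints one format, so change the first listing to 07/31/05. The comma added in "@xref{kinit Reference}, for more information" is the right fix, since Texinfo requires punctuation after the closing brace of @xref.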
-@iftex
-@vfil
-@end iftex
-@need 2000
@node Destroying Your Tickets with kdestroy, , Viewing Your Tickets with klist, Ticket Management
@subsection Destroying Your Tickets with kdestroy
@group
@b{shell%} kdestroy
@b{kdestroy: No credentials cache file found while destroying cache
-Ticket cache NOT destroyed!
shell%}
@end group
@end smallexample
-@iftex
-@vfil
-@end iftex
-@need 2000
@node Password Management, Kerberos V5 Applications, Ticket Management, Kerberos V5 Tutorial
@section Password Management
frequently, particularly any time you think someone may have found out
what it is.
-@iftex
-@vfil
-@end iftex
-@need 2000
@menu
* Changing Your Password::
* Password Advice::
@smallexample
@group
@b{shell%} kpasswd
-@b{Old password for @value{RANDOMUSER2}:} @i{<- Type your old password.}
-@b{New Password for @value{RANDOMUSER2}:} @i{<- Type your new password.}
-@b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type the new password again.}
+@b{Password for @value{RANDOMUSER2}:} @i{<- Type your old password.}
+@b{Enter new password:} @i{<- Type your new password.}
+@b{Enter it again:} @i{<- Type the new password again.}
@b{Password changed.}
@b{shell%}
@end group
@smallexample
@group
@b{shell%} kpasswd
-@b{Old password for @value{RANDOMUSER2}:} @i{<- Type the incorrect old password.}
-@b{Incorrect old password.
+@b{Password for @value{RANDOMUSER2}:} @i{<- Type the incorrect old password.}
+@b{kpasswd: Password incorrect while getting initial ticket
shell%}
@end group
@end smallexample
@smallexample
@group
@b{shell%} kpasswd
-@b{Old password for @value{RANDOMUSER2}:} @i{<- Type the old password.}
-@b{New Password for @value{RANDOMUSER2}:} @i{<- Type the new password.}
-@b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type a different new password.}
-@b{Mismatch - try again
-New Password for @value{RANDOMUSER2}:} @i{<- Type the new password.}
-@b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type the same new password.}
-@b{Password changed.
+@b{Password for @value{RANDOMUSER2}:} @i{<- Type the old password.}
+@b{Enter new password:} @i{<- Type the new password.}
+@b{Enter it again:} @i{<- Type a different new password.}
+@b{kpasswd: Password mismatch while reading password
shell%}
@end group
@end smallexample
need to get new Kerberos tickets shortly after changing your password,
try the new password. If the new password doesn't work, try again using
the old one.
-@iftex
-@vfil
-@end iftex
-@need 2000
@node Password Advice, Granting Access to Your Account, Changing Your Password, Password Management
@subsection Password Advice
@noindent Note: don't actually use any of the above passwords. They're
only meant to show you how to make up a good password. Passwords that
appear in a manual are the first ones intruders will try.
-@iftex
-@vfil
-@end iftex
-@need 3800
+@need 3800
@value{PRODUCT} allows your system administrators to automatically
-reject bad passwords, based on whatever criteria they choose. For
-example, if the user @code{@value{RANDOMUSER1}} chose a bad password,
-Kerberos would give an error message like the following:
+reject bad passwords, based on certain criteria, such as a password
+dictionary or a minimum length. For example, if the user
+@code{@value{RANDOMUSER1}}, who had a policy "strict" that required a
+minimum of 8 characaters, chose a password that was less than 8
+characters, Kerberos would give an error message like the following:
@smallexample
@group
@b{shell%} kpasswd
-@b{Old password for @value{RANDOMUSER1}:} @i{<- Type your old password here.}
-@b{New Password for @value{RANDOMUSER1}:} @i{<- Type an insecure new password.}
-@b{Verifying, please re-enter New Password for @value{RANDOMUSER1}:} @i{<- Type it again.}
+@b{Password for @value{RANDOMUSER1}:} @i{<- Type your old password here.}
+
+@value{RANDOMUSER1}'s password is controlled by the policy strict, which
+requires a minimum of 8 characters from at least 3 classes (the five classes
+are lowercase, uppercase, numbers, punctuation, and all other characters).
-ERROR: Insecure password not accepted. Please choose another.
+@b{Enter new password:} @i{<- Type an insecure new password.}
+@b{Enter it again:} @i{<- Type it again.}
-kpasswd: Insecure password rejected while attempting to change password.
+kpasswd: Password is too short while attempting to change password.
Please choose another password.
-@b{New Password for @value{RANDOMUSER1}:} @i{<- Type a good password here.}
-@b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type it again.}
+@b{Enter new password:} @i{<- Type a good password here.}
+@b{Enter it again:} @i{<- Type it again.}
@b{Password changed.
shell%}
@end group
displayed if you choose a bad password, so the message you see may be
different from the above example.
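Review bot: Typo in the added prose: "minimum of 8 characaters" should be "characters". Also, "strict" uses straight double quotes where the manual otherwise uses Texinfo ``...'' quoting, and the policy message lines ("@value{RANDOMUSER1}'s password is controlled by the policy strict, ...") are program output but are not wrapped in @b{} like the rest of the kpasswd output in this example. The -@need 3800 / +@need 3800 pair is a no-op; since the other hunks drop the @iftex @vfil and @need lines entirely, either drop this one too or leave the line untouched to keep the diff minimal.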
-@iftex
-@vfil
-@end iftex
-@need 2000
@node Granting Access to Your Account, , Password Advice, Password Management
@subsection Granting Access to Your Account
so through Kerberos, without telling the person your password. Simply
create a file called @code{.k5login} in your home directory. This file
should contain the Kerberos principal (@xref{What is a Kerberos
-Principal?}) of each person to whom you wish to give access. Each
+Principal?}.) of each person to whom you wish to give access. Each
principal must be on a separate line. Here is a sample @code{.k5login}
file:
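Review bot: "(@xref{What is a Kerberos Principal?}.)" inside parentheses should use @pxref{What is a Kerberos Principal?}: @xref expands to a sentence-initial "See"/"*Note", which reads wrongly mid-sentence, and with @pxref the period inside the parentheses is not needed.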
without their having to give out the root password, and without anyone
having to type the root password over the network.
-@iftex
-@vfil
-@end iftex
-@need 2000
-
@node Kerberos V5 Applications, , Password Management, Kerberos V5 Tutorial
-@section @value{PRODUCT} Applications
+@section Kerberos V5 Applications
@value{PRODUCT} is a @dfn{single-sign-on} system. This means that you
only have to type your password once, and the @value{PRODUCT} programs
The @value{PRODUCT} applications are versions of existing UNIX network
programs with the Kerberos features added.
-@iftex
-@vfil
-@end iftex
-@need 2000
@menu
* Overview of Additional Features::
* telnet::
non-Kerberos versions of these programs, and highlights the Kerberos
functions added in the @value{PRODUCT} package.
-@iftex
-@vfil
-@end iftex
-@need 2000
@node telnet, rlogin, Overview of Additional Features, Kerberos V5 Applications
@subsection telnet
standard UNIX telnet program, with the following Kerberos options added:
@table @kbd
-@itemx -f, --forward
+@itemx -f
forwards a copy of your tickets to the remote host.
-@itemx --noforward
-turns off forwarding of tickets to the remote host. (This option
-overrides any forwarding specified in your machine's configuration
-files.)
-
-@itemx -F, --forwardable
+@itemx -F
forwards a copy of your tickets to the remote host, and marks them
re-forwardable from the remote host.
-@itemx --noforwardable
-makes any forwarded tickets nonforwardable. (This option overrides any
-forwardability specified in your machine's configuration files.)
-
@itemx -k @i{realm}
requests tickets for the remote host in the specified realm, instead of
determining the realm itself.
attempt automatic login using your tickets. @code{telnet} will assume
the same username unless you explicitly specify another.
-@itemx -x, --encrypt
+@itemx -x
turns on encryption.
-@itemx --noencrypt
-turns off encryption.
@end table
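Review bot: Dropping --noforward, --noforwardable and --noencrypt removes the only documented way to override forwarding or encryption defaults set in the machine's configuration files; if the telnet client still accepts those options, keep their entries even if the long-form aliases of -f, -F and -x are removed. The same deletion is repeated in the rlogin and rsh tables below, so whatever is decided should be applied to all three.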
-@iftex
-@vfil
-@end iftex
-
@need 4000
For example, if @code{@value{RANDOMUSER2}} wanted to use the standard
UNIX telnet to connect to the machine
@smallexample
@group
-@b{shell%} telnet @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}
+@b{shell%} telnet @value{RANDOMHOST1}.@value{SECONDDOMAIN}
@b{Trying 128.0.0.5 ...
-Connected to @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}.
+Connected to @value{RANDOMHOST1}.@value{SECONDDOMAIN}.
Escape character is '^]'.
-NetBSD/i386 (@value{RANDOMHOST1}) (ttyp3)
+NetBSD/i386 (daffodil) (ttyp3)
login:} @value{RANDOMUSER2}
@b{Password:} @i{<- @value{RANDOMUSER2} types his password here}
-@b{Last login: Fri Jun 21 17:13:11 from @value{RANDOMHOST2}.@value{SECONDDOMAIN}
+@b{Last login: Fri Jun 21 17:13:11 from @value{RANDOMHOST2}.@value{PRIMARYDOMAIN}
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
@end smallexample
@noindent Note that the machine
-@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} asked for
+@code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}} asked for
@code{@value{RANDOMUSER2}}'s password. When he typed it, his password
was sent over the network unencrypted. If an intruder were watching
network traffic at the time, that intruder would know
@code{@value{RANDOMUSER2}}'s password.
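Review bot: The login banner now hardcodes "NetBSD/i386 (daffodil) (ttyp3)" where the old line used @value{RANDOMHOST1}; the banner should name the host the user connected to, so keep @value{RANDOMHOST1} unless definitions.texinfo defines it as daffodil, in which case the literal is redundant. Both telnet examples also connect to different hosts yet print the same "Trying 128.0.0.5"; a second placeholder address would make the contrast between the two sessions clearer.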
-@iftex
-@vfil
-@end iftex
@need 4000
If, on the other hand, @code{@value{RANDOMUSER1}} wanted to use the
@value{PRODUCT} telnet to connect to the machine
-@code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, she could forward a
+@code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}}, she could forward a
copy of her tickets, request an encrypted session, and log on as herself
as follows:
@smallexample
@group
-@b{shell%} telnet -a -f -x @value{RANDOMHOST2}.@value{SECONDDOMAIN}
+@b{shell%} telnet -a -f -x @value{RANDOMHOST2}.@value{PRIMARYDOMAIN}
@b{Trying 128.0.0.5...
-Connected to @value{RANDOMHOST2}.@value{SECONDDOMAIN}.
+Connected to @value{RANDOMHOST2}.@value{PRIMARYDOMAIN}.
Escape character is '^]'.
-[ Kerberos V5 accepts you as ``@value{RANDOMUSER1}@@@value{SECONDDOMAIN}'' ]
+[ Kerberos V5 accepts you as ``@value{RANDOMUSER1}@@@value{PRIMARYDOMAIN}'' ]
[ Kerberos V5 accepted forwarded credentials ]
-NetBSD 1.1: Tue May 21 00:31:42 EDT 1996
+What you type is protected by encryption.
+Last login: Tue Jul 30 18:47:44 from @value{RANDOMHOST1}.@value{SECONDDOMAIN}
+Athena Server (sun4) Version 9.1.11 Tue Jul 30 14:40:08 EDT 2002
-Welcome to NetBSD!
shell%}
@end group
@end smallexample
@noindent Note that @code{@value{RANDOMUSER1}}'s machine used Kerberos
-to authenticate her to @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}},
+to authenticate her to @code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}},
and logged her in automatically as herself. She had an encrypted
session, a copy of her tickets already waiting for her, and she never
typed her password.
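Review bot: "[ Kerberos V5 accepts you as ``@value{RANDOMUSER1}@@@value{PRIMARYDOMAIN}'' ]" names a principal, so the part after @@ should be the realm, @value{PRIMARYREALM}, not the DNS domain; the old line had the same mistake with SECONDDOMAIN and this hunk only swapped the domain.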
@code{telnet} are discussed in the Reference section of this manual.
(@pxref{telnet Reference})
-@iftex
-@vfil
-@end iftex
@need 2000
@node rlogin, FTP, telnet, Kerberos V5 Applications
@subsection rlogin
standard UNIX rlogin program, with the following Kerberos options added:
@table @kbd
-@itemx -f, --forward
+@itemx -f
forwards a copy of your tickets to the remote host.
-@itemx --noforward
-turns off forwarding of tickets to the remote host. (This option
-overrides any forwarding specified in your machine's configuration
-files.)
-
-@itemx -F, --forwardable
+@itemx -F
forwards a copy of your tickets to the remote host, and marks them
re-forwardable from the remote host.
-@itemx --noforwardable
-makes any forwarded tickets nonforwardable. (This option overrides any
-forwardability specified in your machine's configuration files.)
-
@itemx -k @i{realm}
requests tickets for the remote host in the specified realm, instead of
determining the realm itself.
-@itemx -x, --encrypt
-turns on encryption.
+@itemx -x
+encrypts the input and output data streams (the username is sent unencrypted)
-@itemx --noencrypt
-turns off encryption.
@end table
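Review bot: The new -x description, "encrypts the input and output data streams (the username is sent unencrypted)", lacks a terminating period, unlike the other entries in this @table. The caveat itself is worth keeping; it tells the reader exactly what -x does not protect.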
@need 3000
For example, if @code{@value{RANDOMUSER2}} wanted to use the standard
UNIX rlogin to connect to the machine
-@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, he would type:
+@code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}}, he would type:
@smallexample
@group
-@b{shell%} rlogin @value{RANDOMHOST1}.@value{PRIMARYDOMAIN} -l @value{RANDOMUSER2}
+@b{shell%} rlogin @value{RANDOMHOST1}.@value{SECONDDOMAIN} -l @value{RANDOMUSER2}
@b{Password:} @i{<- @value{RANDOMUSER2} types his password here}
@b{Last login: Fri Jun 21 10:36:32 from :0.0
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
@end smallexample
@noindent Note that the machine
-@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} asked for
+@code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}} asked for
@code{@value{RANDOMUSER2}}'s password. When he typed it, his password
was sent over the network unencrypted. If an intruder were watching
network traffic at the time, that intruder would know
@code{@value{RANDOMUSER2}}'s password.
-@iftex
-@vfil
-@end iftex
@need 4000
If, on the other hand, @code{@value{RANDOMUSER1}} wanted to use
@value{PRODUCT} rlogin to connect to the machine
-@code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, she could forward a
+@code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}}, she could forward a
copy of her tickets, mark them as not forwardable from the remote host,
and request an encrypted session as follows:
@smallexample
@group
-@b{shell%} rlogin @value{RANDOMHOST2}.@value{SECONDDOMAIN} -f -x
+@b{shell%} rlogin @value{RANDOMHOST2}.@value{PRIMARYDOMAIN} -f -x
@b{This rlogin session is using DES encryption for all data transmissions.
Last login: Thu Jun 20 16:20:50 from @value{RANDOMHOST1}
-SunOS Release 4.1.4 (GENERIC) #2: Tue Nov 14 18:09:31 EST 1995
-Not checking quotas. Try quota.real if you need them.
+Athena Server (sun4) Version 9.1.11 Tue Jul 30 14:40:08 EDT 2002
shell%}
@end group
@end smallexample
@noindent Note that @code{@value{RANDOMUSER1}}'s machine used Kerberos
-to authenticate her to @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}},
+to authenticate her to @code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}},
and logged her in automatically as herself. She had an encrypted
session, a copy of her tickets were waiting for her, and she never typed
her password.
@code{rlogin} are discussed in the Reference section of this manual.
(@pxref{rlogin Reference})
-@iftex
-@vfil
-@end iftex
-@need 2000
@node FTP, rsh, rlogin, Kerberos V5 Applications
@subsection FTP
requests tickets for the remote host in the specified realm, instead of
determining the realm itself.
-@itemx -forward
+@itemx -f
requests that your tickets be forwarded to the remote host. The
-@kbd{-forward} argument must be the last argument on the command line.
+@kbd{-f} argument must be the last argument on the command line.
@itemx protect @i{level}
(issued at the @code{ftp>} prompt) sets the protection level. ``Clear''
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
+200 Data channel protection level set to private.
Name (@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}:@value{RANDOMUSER1}):
232 GSSAPI user @value{RANDOMUSER1}@@@value{PRIMARYREALM} is authorized as @value{RANDOMUSER1}
230 User @value{RANDOMUSER1} logged in.
The full set of options to @value{PRODUCT} @code{FTP} are discussed
in the Reference section of this manual. (@pxref{FTP Reference})
-@iftex
-@vfil
-@end iftex
-@need 2000
@node rsh, rcp, FTP, Kerberos V5 Applications
@subsection rsh
-@need 1000
The @value{PRODUCT} @code{rsh} program works exactly like the standard
UNIX rlogin program, with the following Kerberos features added:
@table @kbd
-@itemx -f, --forward
+@itemx -f
forwards a copy of your tickets to the remote host.
-@itemx --noforward
-turns off forwarding of tickets to the remote host. (This option
-overrides any forwarding specified in your machine's configuration
-files.)
-
-@itemx -F, --forwardable
+@itemx -F
forwards a copy of your tickets to the remote host, and marks them
re-forwardable from the remote host.
-@itemx --noforwardable
-makes any forwarded tickets nonforwardable. (This option overrides any
-forwardability specified in your machine's configuration files.)
-
@itemx -k @i{realm}
requests tickets for the remote host in the specified realm, instead of
determining the realm itself.
-@itemx -x, --encrypt
-turns on encryption.
+@itemx -x
+encrypts the input and output data streams (the command line is not encrypted)
-@itemx --noencrypt
-turns off encryption.
@end table
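Review bot: Same missing period as in the rlogin table: "(the command line is not encrypted)" should end with a full stop. While this hunk is open, the retained sentence above the table says the rsh program "works exactly like the standard UNIX rlogin program"; that should read "rsh program".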
@need 1800
For example, if your Kerberos tickets allowed you to run programs on the
-host @code{@value{RANDOMHOST2}@@@value{SECONDDOMAIN}} as root, you could
+host @* @code{@value{RANDOMHOST2}@@@value{SECONDDOMAIN}} as root, you could
run the @samp{date} program as follows:
@smallexample
@group
@b{shell%} rsh @value{RANDOMHOST2}.@value{SECONDDOMAIN} -l root -x date
@b{This rsh session is using DES encryption for all data transmissions.
-Fri Jun 21 17:06:12 EDT 1996
+Tue Jul 30 19:34:21 EDT 2002
shell%}
@end group
@end smallexample
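Review bot: The line rewritten to insert @* still reads @code{@value{RANDOMHOST2}@@@value{SECONDDOMAIN}}, i.e. host@domain, while the command in the example uses @value{RANDOMHOST2}.@value{SECONDDOMAIN}; replace the @@ with a dot so the prose names the same host as the example.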
@code{rsh} are discussed in the Reference section of this manual.
(@pxref{rsh Reference})
-@iftex
-@vfil
-@end iftex
-@need 2000
@node rcp, ksu, rsh, Kerberos V5 Applications
@subsection rcp
requests tickets for the remote host in the specified realm, instead of
determining the realm itself.
-@itemx -x, --encrypt
+@itemx -x
turns on encryption.
@end table
are discussed in the Reference section of this manual. (@pxref{rcp
Reference})
-@iftex
-@vfil
-@end iftex
-@need 2000
@node ksu, , rcp, Kerberos V5 Applications
@subsection ksu
Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
Valid starting Expires Service principal
-31 Jul 96 21:53:01 01 Aug 96 07:52:53 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
-31 Jul 96 21:53:39 01 Aug 96 07:52:53 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
+07/31/04 21:53:01 08/01/04 07:52:53 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
+07/31/04 21:53:39 08/01/04 07:52:53 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
@value{RANDOMUSER2}%}
@end group
@end smallexample
@itemx -c
specifies the location of your Kerberos credentials cache (ticket file).
-@itemx -C
-specifies the location you want the Kerberos credentials cache (ticket
-file) to be for the target user ID.
-
@itemx -k
tells @code{ksu} not to destroy your Kerberos tickets when @code{ksu} is
finished.
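Review bot: Removing the -C entry leaves the option undocumented if ksu still accepts it; the remaining -c entry covers only the caller's own cache, so a reader has no way to learn how the target user's cache location is chosen. Confirm against the current ksu man page before dropping it, or replace the entry with a pointer to @ref{ksu Reference}.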
in the Reference section of this manual. (@pxref{ksu Reference})
@node Kerberos V5 Reference, Kerberos Glossary, Kerberos V5 Tutorial, Top
-@chapter @value{PRODUCT} Reference
+@chapter Kerberos V5 Reference
This section will include copies of the manual pages for the
@value{PRODUCT} client programs. You can read the manual entry for any
@menu
* kinit Reference::
* klist Reference::
+* ksu Reference::
* kdestroy Reference::
* kpasswd Reference::
* telnet Reference::
-* rlogin Reference::
* FTP Reference::
+* rlogin Reference::
* rsh Reference::
* rcp Reference::
-* ksu Reference::
@end menu
@node kinit Reference, klist Reference, Kerberos V5 Reference, Kerberos V5 Reference
@centerline{Reference Manual for @code{kinit}}
@page
@end iftex
+
@ifinfo
Type @kbd{M-x manual-entry kinit} to read this manual page.
@end ifinfo
-@node klist Reference, kdestroy Reference, kinit Reference, Kerberos V5 Reference
+@ifhtml
+@html
+<a href="kinit.html"> kinit manpage</a>
+@end html
+@end ifhtml
+
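Review bot: the new `@ifhtml`/`@html` block hardcodes a relative link to `kinit.html`, as do the matching blocks added for every other section below; the HTML build has to generate those files alongside the manual or every one of these is a dead link, and nothing in the patch shows where they come from. Minor: the anchor text `<a href="kinit.html"> kinit manpage</a>` has a leading space inside the tag that renders as a stray space; drop it here and in the copies below.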
+@node klist Reference, ksu Reference, kinit Reference, Kerberos V5 Reference
@section klist Reference
@iftex
@centerline{Reference Manual for @code{klist}}
@page
@end iftex
+
+@iftex
+@special{psfile=klist2.ps voffset=-700 hoffset=-40}
+@centerline{Reference Manual for @code{klist}}
+@page
+@end iftex
+
@ifinfo
Type @kbd{M-x manual-entry klist} to read this manual page.
@end ifinfo
-@node kdestroy Reference, kpasswd Reference, klist Reference, Kerberos V5 Reference
+@ifhtml
+@html
+<a href="klist.html"> klist manpage</a>
+@end html
+@end ifhtml
+
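Review bot: the klist section ends up with two separate `@iftex` blocks, the existing one and a new one for `klist2.ps`, each repeating `@centerline` and `@page`; elsewhere in this patch (ksu, rlogin, FTP) multi-page man pages are kept in a single `@iftex` block with one `@special`/`@centerline`/`@page` group per page, so fold the `klist2.ps` group into the existing block for consistency.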
+@node ksu Reference, kdestroy Reference, klist Reference, Kerberos V5 Reference
+@section ksu Reference
+
+@iftex
+@special{psfile=ksu1.ps voffset=-700 hoffset=-40}
+@centerline{Reference Manual for @code{ksu}}
+@page
+
+@special{psfile=ksu2.ps voffset=-700 hoffset=-40}
+@centerline{Reference Manual for @code{ksu}}
+@page
+
+@special{psfile=ksu3.ps voffset=-700 hoffset=-40}
+@centerline{Reference Manual for @code{ksu}}
+@page
+
+@special{psfile=ksu4.ps voffset=-700 hoffset=-40}
+@centerline{Reference Manual for @code{ksu}}
+@page
+
+@special{psfile=ksu5.ps voffset=-700 hoffset=-40}
+@centerline{Reference Manual for @code{ksu}}
+@page
+@end iftex
+
+@ifinfo
+Type @kbd{M-x manual-entry ksu} to read this manual page.
+@end ifinfo
+
+@ifhtml
+@html
+<a href="ksu.html"> ksu manpage</a>
+@end html
+@end ifhtml
+
+@node kdestroy Reference, kpasswd Reference, ksu Reference, Kerberos V5 Reference
@section kdestroy Reference
@iftex
@centerline{Reference Manual for @code{kdestroy}}
@page
@end iftex
+
@ifinfo
Type @kbd{M-x manual-entry kdestroy} to read this manual page.
@end ifinfo
+@ifhtml
+@html
+<a href="kdestroy.html"> kdestroy manpage</a>
+@end html
+@end ifhtml
+
@node kpasswd Reference, telnet Reference, kdestroy Reference, Kerberos V5 Reference
@section kpasswd Reference
@centerline{Reference Manual for @code{kpasswd}}
@page
@end iftex
+
@ifinfo
Type @kbd{M-x manual-entry kpasswd} to read this manual page.
@end ifinfo
-@node telnet Reference, rlogin Reference, kpasswd Reference, Kerberos V5 Reference
+@ifhtml
+@html
+<a href="kpasswd.html"> kpasswd manpage</a>
+@end html
+@end ifhtml
+
+@node telnet Reference, FTP Reference, kpasswd Reference, Kerberos V5 Reference
@section telnet Reference
@iftex
@special{psfile=telnet9.ps voffset=-700 hoffset=-40}
@centerline{Reference Manual for @code{telnet}}
@page
-
-@special{psfile=telnet10.ps voffset=-700 hoffset=-40}
-@centerline{Reference Manual for @code{telnet}}
-@page
@end iftex
+
@ifinfo
Type @kbd{M-x manual-entry telnet} to read this manual page.
@end ifinfo
-@node rlogin Reference, FTP Reference, telnet Reference, Kerberos V5 Reference
-@section rlogin Reference
+@ifhtml
+@html
+<a href="telnet.html"> telnet manpage</a>
+@end html
+@end ifhtml
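Review bot: the second telnet page (`telnet10.ps` with its `@centerline` and `@page`) is removed, leaving only `telnet9.ps` in the `@iftex` block; confirm the regenerated telnet man page really fits on one page, otherwise the printed manual silently loses its tail. The FTP section below goes the other way and adds `ftp9.ps`, so both changes presumably come from regenerating the `.ps` files, which is worth stating in the commit message.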
-@iftex
-@special{psfile=rlogin1.ps voffset=-700 hoffset=-40}
-@centerline{Reference Manual for @code{rlogin}}
-@page
-
-@special{psfile=rlogin2.ps voffset=-700 hoffset=-40}
-@centerline{Reference Manual for @code{rlogin}}
-@page
-@end iftex
-@ifinfo
-Type @kbd{M-x manual-entry rlogin} to read this manual page.
-@end ifinfo
-
-@node FTP Reference, rsh Reference, rlogin Reference, Kerberos V5 Reference
+@node FTP Reference, rlogin Reference, telnet Reference, Kerberos V5 Reference
@section FTP Reference
@iftex
@special{psfile=ftp8.ps voffset=-700 hoffset=-40}
@centerline{Reference Manual for @code{FTP}}
@page
+
+@special{psfile=ftp9.ps voffset=-700 hoffset=-40}
+@centerline{Reference Manual for @code{FTP}}
+@page
@end iftex
+
@ifinfo
Type @kbd{M-x manual-entry FTP} to read this manual page.
@end ifinfo
-@node rsh Reference, rcp Reference, FTP Reference, Kerberos V5 Reference
+@ifhtml
+@html
+<a href="ftp.html"> ftp manpage</a>
+@end html
+@end ifhtml
+
+@node rlogin Reference, rsh Reference, FTP Reference, Kerberos V5 Reference
+@section rlogin Reference
+
+@iftex
+@special{psfile=rlogin1.ps voffset=-700 hoffset=-40}
+@centerline{Reference Manual for @code{rlogin}}
+@page
+
+@special{psfile=rlogin2.ps voffset=-700 hoffset=-40}
+@centerline{Reference Manual for @code{rlogin}}
+@page
+@end iftex
+
+@ifinfo
+Type @kbd{M-x manual-entry rlogin} to read this manual page.
+@end ifinfo
+
+@ifhtml
+@html
+<a href="rlogin.html"> rlogin manpage</a>
+@end html
+@end ifhtml
+
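Review bot: the rlogin Reference block removed after telnet and the one re-added here are the same apart from blank lines and the new `@ifhtml` link, so this is a pure move; the `@node` pointers (FTP next = rlogin, rlogin next = rsh, and rsh previous = rlogin in the line that follows) are consistent with the menu, so nothing to change.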
+@node rsh Reference, rcp Reference, rlogin Reference, Kerberos V5 Reference
@section rsh Reference
@iftex
@centerline{Reference Manual for @code{rsh}}
@page
@end iftex
+
@ifinfo
Type @kbd{M-x manual-entry rsh} to read this manual page.
@end ifinfo
-@node rcp Reference, ksu Reference, rsh Reference, Kerberos V5 Reference
+@ifhtml
+@html
+<a href="rsh.html"> rsh manpage</a>
+@end html
+@end ifhtml
+
+@node rcp Reference, , rsh Reference, Kerberos V5 Reference
@section rcp Reference
@iftex
@special{psfile=rcp1.ps voffset=-700 hoffset=-40}
@centerline{Reference Manual for @code{rcp}}
@page
+@end iftex
+@iftex
@special{psfile=rcp2.ps voffset=-700 hoffset=-40}
@centerline{Reference Manual for @code{rcp}}
@page
@end iftex
+
@ifinfo
Type @kbd{M-x manual-entry rcp} to read this manual page.
@end ifinfo
-@node ksu Reference, , rcp Reference, Kerberos V5 Reference
-@section ksu Reference
+@ifhtml
+@html
+<a href="rcp.html"> rcp manpage</a>
+@end html
+@end ifhtml
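Review bot: the rcp section's single `@iftex` block is split by inserting `@end iftex` / `@iftex` between the `rcp1.ps` and `rcp2.ps` groups; that is harmless to the output but inconsistent with the ksu, rlogin and FTP sections, which keep all pages in one block, and it looks unintended. Drop the two inserted lines.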
-@iftex
-@special{psfile=ksu1.ps voffset=-700 hoffset=-40}
-@centerline{Reference Manual for @code{ksu}}
-@page
-
-@special{psfile=ksu2.ps voffset=-700 hoffset=-40}
-@centerline{Reference Manual for @code{ksu}}
-@page
-
-@special{psfile=ksu3.ps voffset=-700 hoffset=-40}
-@centerline{Reference Manual for @code{ksu}}
-@page
-
-@special{psfile=ksu4.ps voffset=-700 hoffset=-40}
-@centerline{Reference Manual for @code{ksu}}
-@page
-
-@special{psfile=ksu5.ps voffset=-700 hoffset=-40}
-@centerline{Reference Manual for @code{ksu}}
-@page
-@end iftex
-@ifinfo
-Type @kbd{M-x manual-entry ksu} to read this manual page.
-@end ifinfo
-
-@node Kerberos Glossary, , Kerberos V5 Reference, Top
+@node Kerberos Glossary, Copyright, Kerberos V5 Reference, Top
@appendix Kerberos Glossary
@include glossary.texinfo
+@node Copyright, , Kerberos Glossary, Top
+@appendix Copyright
+
+@include copyright.texinfo
+
@contents
@bye
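Review bot: the ksu Reference block deleted here is the one re-added after klist, so that part is a pure move. For the new Copyright appendix, the Glossary's next pointer and the Copyright node's previous pointer are consistent with each other; but the appendix pulls its text in with `@include copyright.texinfo`, so if the rest of the manual now sources its copyright notice from somewhere else (for example a `@copying` block), the two notices can drift apart; keep both pointing at one source.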