From: Greg Hudson
Date: Thu, 18 Dec 2008 19:28:23 +0000 (+0000)
Subject: Remove documentation references to krb4 functionality we no longer
X-Git-Tag: krb5-1.7-alpha1~143
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=fa74009956316521d45ae4745fa8916dc9626e54;p=krb5.git

Remove documentation references to krb4 functionality we no longer
have. Remove the krb425 transition guide since we no longer have
compatibility code to assist with a transition.

ticket: 6303

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21545 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/doc/Makefile b/doc/Makefile index 1bfaaa59c..d9b315e30 100644 --- a/doc/Makefile +++ b/doc/Makefile @@ -26,11 +26,8 @@ MANPAGES=$(SRCDIR)/appl/gssftp/ftp/ftp.M $(SRCDIR)/clients/kdestroy/kdestroy.M $ USER_GUIDE_INCLUDES=definitions.texinfo copyright.texinfo glossary.texinfo USER_GUIDE_DEPS=user-guide.texinfo $(USER_GUIDE_INCLUDES) -KRB425_INCLUDES=definitions.texinfo copyright.texinfo -KRB425_DEPS=krb425.texinfo $(KRB425_INCLUDES) - .PHONY: all -all:: admin-guide-full install-guide-full user-guide-full krb425-guide-full clean-temp-ps clean-tex +all:: admin-guide-full install-guide-full user-guide-full clean-temp-ps clean-tex .PHONY: admin-guide-full admin-guide-full:: admin-guide admin-guide-info admin-guide-html
@@ -118,28 +115,6 @@ user-guide.html: $(USER_GUIDE_DEPS) $(MANTXT) $(SRCDIR)/kadmin/passwd/kpasswd.M | $(MANHTML) > kpasswd.html $(HTML) user-guide.texinfo -.PHONY: krb425-guide-full -krb425-guide-full:: krb425-guide krb425-guide-info krb425-guide-html - -.PHONY: krb425-guide -krb425-guide:: krb425-guide.ps - -krb425-guide.ps: $(KRB425_DEPS) - $(DVI) krb425.texinfo - $(DVIPS) krb425 - -.PHONY: krb425-guide-html -krb425-guide-html:: krb425.html - -krb425.html:: $(KRB425_DEPS) - $(HTML) krb425.texinfo - -.PHONY: krb425-guide-info -krb425-guide-info:: krb425.info - -krb425.info: $(KRB425_DEPS) - $(INFO) krb425.texinfo - .PHONY: implementor.ps implementor.pdf implementor.info implementor.pdf: implementor.ps $(PSPDF) implementor.ps diff --git a/doc/admin.texinfo b/doc/admin.texinfo index 79608f372..d067b7803 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo @@ -502,18 +502,6 @@ The default lifetime of a ticket. The default is code. @end ignore -@itemx krb4_srvtab -Specifies the location of the Kerberos V4 srvtab file. Default is -@value{DefaultKrb4Srvtab}. - -@itemx krb4_config -Specifies the location of hte Kerberos V4 configuration file. Default -is @value{DefaultKrb4Config}. - -@itemx krb4_realms -Specifies the location of the Kerberos V4 domain/realm translation -file. Default is @value{DefaultKrb4Realms}. - @itemx dns_lookup_kdc Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the information for 
@@ -637,32 +625,6 @@ The list of specifiable options for each application may be found in that application's man pages. The application defaults specified here are overridden by those specified in the [realms] section. -A special application name (afs_krb5) is used by the krb524 service to -know whether new format AFS tokens based on Kerberos 5 can be used -rather than the older format which used a converted Kerberos 4 ticket. -The new format allows for cross-realm authentication without -introducing a security hole. It is used by default. Older AFS -servers (before OpenAFS 1.2.8) will not support the new format. If -servers in your cell do not support the new format, you will need to -add an @code{afs_krb5} relation to the @code{appdefaults} section. -The following config file shows how to disable new format AFS tickets -for the @code{afs.example.com} cell in the @code{EXAMPLE.COM} realm. - -@smallexample -@group -[appdefaults] - afs_krb5 = @{ - EXAMPLE.COM = @{ - afs/afs.example.com = false - @} - @} - -@end group -@end smallexample - - - - @node login, realms (krb5.conf), appdefaults, krb5.conf @subsection [login] 
@@ -675,20 +637,6 @@ login.krb5. This section may contain any of the following relations: Indicate whether or not to use a user's password to get V5 tickets. The default value is @value{DefaultKrb5GetTickets}. -@itemx krb4_get_tickets -Indicate whether or not to user a user's password to get V4 tickets. -The default value is @value{DefaultKrb4GetTickets}. - -@itemx krb4_convert -Indicate whether or not to use the Kerberos conversion daemon to get V4 -tickets. The default value is @value{DefaultKrb4Convert}. If this is -set to false and krb4_get_tickets is true, then login will get the V5 -tickets directly using the Kerberos V4 protocol directly. This does -not currently work with non-MIT-V4 salt types (such as the AFS3 salt -type). Note that if this is set to true and krb524d is not running, -login will hang for approximately a minute under Solaris, due to a -Solaris socket emulation bug. - @itemx krb_run_aklog Indicate whether or not to run aklog. The default value is @value{DefaultKrbRunAklog}. @@ -1493,13 +1441,7 @@ If you wish to change this (which we do not recommend, because the current implementation has little protection against denial-of-service attacks), the standard port number assigned for Kerberos TCP traffic is port 88. - -@itemx v4_mode -This string specifies how the KDC should respond to Kerberos 4 -packets. The possible values are none, disable, full, and nopreauth. -The default value is @value{DefaultV4Mode}. -@comment these values found in krb5/src/kdc/kerberos_v4.c in v4mode_table -@end table +-@end table @node realms (kdc.conf), pkinit kdc options, kdcdefaults, kdc.conf @subsection [realms] 
@@ -4353,7 +4295,6 @@ kerberos-adm @value{DefaultKadmindPort}/udp # Kerberos 5 admin/changep krb5_prop @value{DefaultKrbPropPort}/tcp # Kerberos slave propagation @c kpop 1109/tcp # Pop with Kerberos eklogin @value{DefaultEkloginPort}/tcp # Kerberos auth. & encrypted rlogin -krb524 @value{DefaultKrb524Port}/tcp # Kerberos 5 to 4 ticket translator @end group @end smallexample diff --git a/doc/definitions.texinfo b/doc/definitions.texinfo index 529445f48..cce3905b4 100644 --- a/doc/definitions.texinfo +++ b/doc/definitions.texinfo @@ -131,10 +131,6 @@ krb5/src/appl/bsd/login.c @end ignore @set DefaultKrb5GetTickets true @comment login_krb5_get_tickets -@set DefaultKrb4GetTickets false -@comment login_krb4_get_tickets -@set DefaultKrb4Convert false -@comment login_krb4_convert @set DefaultKrbRunAklog false @comment login_krb_run_aklog @set DefaultAklogPath $(prefix)/bin/aklog @@ -142,13 +138,6 @@ krb5/src/appl/bsd/login.c @set DefaultAcceptPasswd false @comment login_accept_password -@ignore -the following defaults should be consistent with the values set in -krb5/src/kdc/kerberos_v4 -@end ignore -@set DefaultV4Mode none -@comment KDC_V4_DEFAULT_MODE - @ignore these defaults are based on code in krb5/src/aclocal.m4 @end ignore @@ -175,14 +164,6 @@ the following are based on variables in krb5/src/include/kerberosIV/krbports.h @set DefaultFTPPort 21 @set DefaultKrb524Port 4444 -@comment src/include/kerberosIV/krb.h -@set DefaultKrb4Srvtab /etc/srvtab -@comment line 131 -@set DefaultKrb4Config /etc/krb.conf -@comment KRB_CONF -@set DefaultKrb4Realms /etc/krb.realms -@comment KRB_RLM_TRANS - @comment krb5/src/lib/krb5/krb/get_in_tkt.c @set DefaultRenewLifetime 0 @set DefaultNoaddresses set diff --git a/doc/dnssrv.texinfo b/doc/dnssrv.texinfo index c969fb269..1a401ac14 100644 --- a/doc/dnssrv.texinfo +++ b/doc/dnssrv.texinfo 
@@ -59,10 +59,6 @@ will also need the @code{admin_server} entry in @code{krb5.conf}. This should list port @value{DefaultKpasswdPort} on your master KDC. It is used when a user changes her password. -@item _kerberos-iv._udp -This should refer to your KDCs that serve Kerberos version 4 requests, -if you have Kerberos v4 enabled. - @end table Be aware, however, that the DNS SRV specification requires that the diff --git a/doc/install.texinfo b/doc/install.texinfo index 4ed345840..f9c682f5f 100644 --- a/doc/install.texinfo +++ b/doc/install.texinfo @@ -206,9 +206,6 @@ The hostnames of your master and slave KDCs. @item How frequently you will propagate the database from the master KDC to the slave KDCs. - -@item -Whether you need backward compatibility with Kerberos V4. @end itemize @menu @@ -1184,17 +1181,6 @@ to just insert the following code: @smallexample @group -# -# Note --- if you are using Kerberos V4 and you either: -# -# (a) haven't converted all your master or slave KDCs to V5, or -# -# (b) are worried about inter-realm interoperability with other KDC's -# that are still using V4 -# -# you will need to switch the "kerberos" service to port 750 and create a -# "kerberos-sec" service on port 88. -# kerberos @value{DefaultPort}/udp kdc # Kerberos V5 KDC kerberos @value{DefaultPort}/tcp kdc # Kerberos V5 KDC klogin @value{DefaultKloginPort}/tcp # Kerberos authenticated rlogin @@ -1208,13 +1194,6 @@ krb524 @value{DefaultKrb524Port}/tcp # Kerberos 5 to 4 ticket tra @end group @end smallexample -@noindent As described in the comments in the above code, if your master -KDC or any of your slave KDCs is running Kerberos V4, (or if you will be -authenticating to any Kerberos V4 KDCs in another realm) you will need -to switch the port number for @code{kerberos} to 750 and create a -@code{kerberos-sec} service (tcp and udp) on port 88, so the Kerberos -V4 KDC(s) will continue to work properly. - @menu * Mac OS X Configuration:: @end menu 
diff --git a/doc/krb4-xrealm.txt b/doc/krb4-xrealm.txt deleted file mode 100644 index f8c4566e5..000000000 --- a/doc/krb4-xrealm.txt +++ /dev/null 
@@ -1,143 +0,0 @@ -The following text was taken from the patchkit disabling cross-realm -authentication and triple-DES in krb4. - -PATCH KIT DESCRIPTION -===================== - -** FLAG DAY REQUIRED ** - -One of the things we decided to do (and must do for security reasons) -was drop support for the 3DES krb4 TGTs. Unfortunately the current -code will only accept 3DES TGTs if it issues 3DES TGTs. Since the new -code issues only DES TGTs, the old code will not understand its v4 -TGTs if the site has a 3DES key available for the krbtgt principal. -The new code will understand and accept both DES and 3DES v4 TGTs. - -So, the easiest upgrade option is to deploy the code on all KDCs at -once, being sure to deploy it on the master KDC last. Under this -scenario, a brief window exists where slaves may be able to issue -tickets that the master will not understand. However, the slaves will -understand tickets issued by the master throughout the upgrade. - -An alternate and more annoying upgrade strategy exists. At least one -max TGT life time before the upgrade, the TGT key can be changed to be -a single-des key. Since we support adding a new TGT key while -preserving the old one, this does not create an interruption in -service. Since no 3DES key is available then both the old and new -code will issue and accept DES v4 TGTs. After the upgrade, the TGT -key can again be rekeyed to add 3DES keys. This does require two TGT -key changes and creates a window where DES is used for the v5 TGT, but -creates no window in which slaves will issue TGTs the master cannot -accept. - -* What the patch does -===================== - -1) Kerberos 4 cross-realm authentication is disabled by default. A - "-X" switch is added to both krb524d and krb5kdc to enable v4 - cross-realm. This switch logs a note that a security hole has been - opened in the KDC log. 
We said while designing the patch, that we - were going to try to allow per-realm configuration; because of a - design problem in the kadm5 library, we could not do this without - bumping the ABI version of that library. We are unwilling to bump - an ABI version in a security patch release to get that feature, so - the configuration of v4 cross-realm is a global switch. - -2) Code responsible for v5 TGTs has been changed to require that the - enctype of the ticket service key be the same as the enctype that - would currently be issued for that kvno. This means that even if a - service has multiple keys, you cannot use a weak key to fake the - KDC into accepting tickets for that service. If you have a non-DES - TGT key, this separates keys used for v4 and v5. We actually relax - this requirement for cross-realm TGT keys (which in the new code - are only used for v5) because we cannot guarantee other Kerberos - implementations will choose keys the same way. - -3) We no longer issue 3DES v4 tickets either in the KDC or krb524d. - We add code to accept either DES or 3DES tickets for v4. None of - the attacks discovered so far can be implemented given a KDC that - accepts but does not issue 3DES tickets, so we believe that leaving - this functionality in as compatibility for a version or two is - reasonable. Note however that the attacks described do allow - successful attackers to print future tickets, so sites probably - want to rekey important keys after installing this update. Note - also that even if issuance of 3DES v4 tickets has been disabled, - outstanding tickets may be used to perform the 3DES cut-and-paste - attack. - -* Test Cases -============ - -This code is difficult to test for two reasons. First, you need a -cross-realm relationship between two KDCs. Secondly, you need a KDC -that will issue 3DES v4 tickets even though the code with the patch -applied can no longer do this. 
- -I propose to meet these requirements by setting up a cross-realm 3DES -key between a realm I control and the test environment. In order to -provide concrete examples of what I plan to test with the automated -tests, I assume a shared key between a realm PREPATCH.KRBTEST.COM and the -test realm PATCH. - -In all of the following tests I assume the following configuration. -A principal v4test@PREPATCH.KRBTEST.COM exists with known password and -without requiring preauthentication. The PREPATCH.KRBTEST.COM KDC will -issue v4 tickets for this principal. A principal test@PATCH exists -with known password and without requiring preauthentication. A -principal service@PATCH exists. The TGT for the PATCH realm has a -3des and des key. The shared TGT keys between PATCH and -PREPATCH.KRBTEST.COM are identical in both directions (required for v4) and -support both 3DES and DES keys. - -1) Run krb524d and krb5kdc for PATCH with no special options using a - krb5.conf without permitted_enctypes (fully permissive). - - -A) Get v4 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that kvno -4 -service@PATCH fails with an unknown principal error and logs an error -about cross-realm being denied to the PATCH KDC log. This confirms -that v4 cross-realm is not accepted. - -B) Get v5 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that krb524init --p service@PATCH fails with a prohibited by policy error, but that -klist -5 includes a ticket for service@PATCH. This confirms that v5 -cross-realm works but the krb524d denies converting such a ticket into -a cross-realm ticket. Note that the krb524init currently in the -mainline source tree will not be useful for this test because the -client denies cross-realm for the simple reason that the v4 ticket -file format is not flexible enough to support it. The krb524init in -the 1.2.x release is useful for this test. - - -2) Restart the krb5kdc and krb524d for PATCH with the -X option - enabling v4 cross-realm. 
- -A) Confirm that the security warning is written to kdc.log. - -B) Get v4 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that kvno -4 -service@PATCH works and leaves a service@PATCH ticket in the cache. -This confirms that v4 cross-realm works in the KDC. It also confirms -that the KDC can accept 3DES v4 TGTs. The code path for decrypting a -TGT is the same for the local realm and for foreign realms, so I don't -see a need to test local 3DES TGTs in an automated manner although I -did test it manually. - -C) Get v5 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that krb524init --p service@PATCH works. This confirms that krb524d will issue -cross-realm tickets. They're completely useless because the v4 ticket -file can't represent them, but that's not our problem today. - -3) Start the kdc and krb524d with a krb5.conf that includes - permitted_enctypes only listing des-cbc-crc. Get tickets as - test@PATCH. Restart the KDC and confirm that kvno service fails - logging an error about permitted enctypes. This confirms that if - you manage to obtain a ticket of the wrong enctype it will not be - accepted later. - -These tests do not check to make sure that 3DES tickets are not -issued by the v4 code. I'm fairly certain that is true as I've -physically remove the calls to the routine that generates 3DES tickets -from the code in both the KDC and krb524d. These tests also do not -check to make sure that cross-realm TGTs are not required to follow -the strict enctype policy. I've tested that manually but don't know -how to test that without significantly complicating the test setup. diff --git a/doc/krb425.texinfo b/doc/krb425.texinfo deleted file mode 100644 index fdeb033c1..000000000 --- a/doc/krb425.texinfo +++ /dev/null 
@@ -1,322 +0,0 @@ -\input texinfo @c -*-texinfo-*- -@c Note: the above texinfo file must include the "doubleleftarrow" -@c definitions added by jcb. -@c %**start of header -@c guide -@setfilename krb425.info -@settitle Upgrading to Kerberos V5 from Kerberos V4 -@c @setchapternewpage odd @c chapter begins on next odd page -@c @setchapternewpage on @c chapter begins on next page -@c @smallbook @c Format for 7" X 9.25" paper -@c %**end of header - -@paragraphindent 0 -@iftex -@parskip 6pt plus 6pt -@end iftex - -@dircategory Kerberos -@direntry -* krb425: (krb425). Upgrading to Kerberos V5 from V4 -@end direntry - -@include definitions.texinfo -@set EDITION 1.0 -@set UPDATED May 22, 2003 - -@finalout @c don't print black warning boxes - -@titlepage -@title Upgrading to @value{PRODUCT} from Kerberos V4 -@subtitle Release: @value{RELEASE} -@subtitle Document Edition: @value{EDITION} -@subtitle Last updated: @value{UPDATED} -@author @value{COMPANY} - -@page -@vskip 0pt plus 1filll - -@end titlepage - -@node Top, Copyright, (dir), (dir) - -@ifinfo -This document describes how to convert to @value{PRODUCT} from Kerberos V4. -@end ifinfo - -@menu -* Copyright:: -* Introduction:: -* Configuration Files:: -* Upgrading KDCs:: -* Upgrading Application Servers:: -* Upgrading Client machines:: -* Firewall Considerations:: -@end menu - -@node Copyright, Introduction, Top, Top -@unnumbered Copyright -@include copyright.texinfo - -@node Introduction, Configuration Files, Copyright, Top -@chapter Introduction - -As with most software upgrades, @value{PRODUCT} is generally backward -compatible but not necessarily forward compatible. The @value{PRODUCT} -daemons can interoperate with Kerberos V4 clients, but most of the -Kerberos V4 daemons can not interoperate with Kerberos V5 clients. 
This -suggests the following strategy for performing the upgrade: - -@enumerate -@item -@strong{Upgrade your KDCs.} This must be done first, so that -interactions with the Kerberos database, whether by Kerberos V5 clients -or by Kerberos V4 clients, will succeed. - -@item -@strong{Upgrade your servers.} This must be done before upgrading -client machines, so that the servers are able to respond to both -Kerberos V5 and Kerberos V4 queries. - -@item -@strong{Upgrade your client machines.} Do this only after your KDCs and -application servers are upgraded, so that all of your Kerberos V5 -clients will be talking to Kerberos V5 daemons. -@end enumerate - -@node Configuration Files, Upgrading KDCs, Introduction, Top -@chapter Configuration Files - -The Kerberos @code{krb5.conf} and KDC @code{kdc.conf} configuration -files allow additional tags for Kerberos V4 compatibility. - -@menu -* krb5.conf:: -* kdc.conf:: -@end menu - -@node krb5.conf, kdc.conf, Configuration Files, Configuration Files -@section krb5.conf - -If you used the defaults, both when you installed Kerberos V4 and when -you installed @value{PRODUCT}, you should not need to include any of -these tags. However, some or all of them may be necessary for -nonstandard installations. - -@menu -* libdefaults:: -* realms (krb5.conf):: -* AFS and the Appdefaults Section:: -@end menu - -@node libdefaults, realms (krb5.conf), krb5.conf, krb5.conf -@subsection [libdefaults] - -In the [libdefaults] section, the following additional tags may be used: - -@table @b -@item krb4_srvtab -Specifies the location of the Kerberos V4 srvtab file. Default is -@value{DefaultKrb4Srvtab}. - -@item krb4_config -Specifies the location of the Kerberos V4 configuration file. Default -is @value{DefaultKrb4Config}. - -@item krb4_realms -Specifies the location of the Kerberos V4 domain/realm translation -file. Default is @value{DefaultKrb4Realms}. 
-@end table - -@node realms (krb5.conf), AFS and the Appdefaults Section, libdefaults, krb5.conf -@subsection [realms] - -In the [realms] section, the following Kerberos V4 tags may be used: -@table @b -@itemx default_domain -Identifies the default domain for hosts in this realm. This is needed -for translating V4 principal names (which do not contain a domain name) -to V5 principal names. The default is your Kerberos realm name, -converted to lower case. - -@itemx v4_instance_convert -This subsection allows the administrator to configure exceptions to the -default_domain mapping rule. It contains V4 instances (tag name) which -should be translated to some specific hostname (tag value) as the second -component in a Kerberos V5 principal name. - -@itemx v4_realm -This relation allows the administrator to configure a different -realm name to be used when converting V5 principals to V4 -ones. This should only be used when running separate V4 and V5 -realms, with some external means of password sychronization -between the realms. - -@end table - -@node AFS and the Appdefaults Section, , realms (krb5.conf), krb5.conf -@subsection AFS and the Appdefaults Section - -Many Kerberos 4 sites also run the Andrew File System (AFS). - -Modern AFS servers (OpenAFS > 1.2.8) support the AFS 2b token format. -This allows AFS to use Kerberos 5 tickets rather than version 4 -tickets, enabling cross-realm authentication. By default, the -@file{krb524d} service will issue the new AFS 2b tokens. If you are -using old AFS servers, you will need to disable these new tokens. -Please see the documentation of the @code{appdefaults} section of -@file{krb5.conf} in the Kerberos Administration guide. 
- - - -@node kdc.conf, , krb5.conf, Configuration Files -@section kdc.conf - -Because Kerberos V4 requires a different type of salt for the encryption -type, you will need to change the @code{supported_enctypes} line in the -[realms] section to: - -@smallexample -supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 -@end smallexample - -This is the only change needed to the @code{kdc.conf} file. - -@node Upgrading KDCs, Upgrading Application Servers, Configuration Files, Top -@chapter Upgrading KDCs - -To convert your KDCs from Kerberos V4 to @value{PRODUCT}, do the -following: - -@enumerate -@item -Install @value{PRODUCT} on each KDC, according to the instructions in -the @value{PRODUCT} Installation Guide, up to the point where it tells -you to create the database. - -@item -Find the @code{kadmind} (V4) daemon process on the master KDC and kill -it. This will prevent changes to the Kerberos database while you -convert the database to the new Kerberos V5 format. - -@item -Create a dump of the V4 database in the directory where your V5 database -will reside by issuing the command: - -@smallexample -% kdb_util dump @value{ROOTDIR}/var/krb5kdc/v4-dump -@end smallexample - -@item -Load the V4 dump into a Kerberos V5 database, by issuing the command: - -@smallexample -% kdb5_util load_v4 v4-dump -@end smallexample - -@item -Create a Kerberos V5 stash file, if desired, by issuing the command: - -@smallexample -% kdb5_util stash -@end smallexample - -@item -Proceed with the rest of the @value{PRODUCT} installation as described -in the @value{PRODUCT} Installation Guide. When you get to the section -that tells you to start the @code{krb5kdc} and @code{kadmind} daemons, -first find and kill the Kerberos V4 @code{kerberos} daemon on each of -the KDCs. Then start the @code{krb5kdc} and @code{kadmind} daemons as -You will need to specify an argument to the @code{-4} command line option to enable Kerberos 4 compatibility. -See the @code{krb5kdc} man page for details. 
-directed. Finally, start the Kerberos V5 to V4 ticket translator -daemon, @code{krb524d}, by issuing the command: - -@smallexample -% @value{ROOTDIR}/sbin/krb524d -m > /dev/null & -@end smallexample - -If you have a stash file and you start the @code{krb5kdc} and -@code{kadmind} daemons at boot time, you should add the above line to -your @code{/etc/rc} (or @code{/etc/rc.local}) file on each KDC. -@end enumerate - -@node Upgrading Application Servers, Upgrading Client machines, Upgrading KDCs, Top -@chapter Upgrading Application Servers - -Install @value{PRODUCT} on each application server, according to the -instructions in the @value{PRODUCT} Installation Guide, with the -following exceptions: - -@itemize @bullet -@item -In the file @code{/etc/services}, add or edit the lines described in the -@value{PRODUCT} Installation Guide, with the following exception: - -in place of: - -@smallexample -@group -kerberos @value{DefaultPort}/udp kdc # Kerberos V5 KDC -kerberos @value{DefaultPort}/tcp kdc # Kerberos V5 KDC -@end group -@end smallexample - -@noindent -add instead: - -@smallexample -@group -kerberos-sec @value{DefaultPort}/udp kdc # Kerberos V5 KDC -kerberos-sec @value{DefaultPort}/tcp kdc # Kerberos V5 KDC -@end group -@end smallexample - -@item -Convert your Kerberos V4 srvtab file to Kerberos V5 keytab file as -follows: - -@smallexample -@group -@b{#} @value{ROOTDIR}/sbin/ktutil -@b{ktutil:} rst /etc/krb-srvtab -@b{ktutil:} wkt /etc/krb5.keytab -@b{ktutil:} q -@b{#} -@end group -@end smallexample -@end itemize - -@node Upgrading Client machines, Firewall Considerations, Upgrading Application Servers, Top -@chapter Upgrading Client machines - -Install @value{PRODUCT} on each client machine, according to the -instructions in the @value{PRODUCT} Installation Guide. - -Tell your users to add the appropriate directory to their paths. On -UNIX machines, this will probably be @code{@value{BINDIR}}. 
- -Note that if you upgrade your client machines before all of your -application servers are upgraded, your users will need to use the -Kerberos V4 programs to connect to application servers that are still -running Kerberos V4. (The one exception is the UNIX version of -@value{PRODUCT} telnet, which can connect to a Kerberos V4 and Kerberos -V5 application servers.) Users can use either the Kerberos V4 or -@value{PRODUCT} programs to connect to Kerberos V5 servers. - -@node Firewall Considerations, , Upgrading Client machines, Top -@chapter Firewall Considerations - -@value{PRODUCT} uses port @value{DefaultPort}, which is the port -assigned by the IETF, for KDC requests. Kerberos V4 used port -@value{DefaultSecondPort}. If your users will need to get to any KDCs -outside your firewall, you will need to allow TCP and UDP requests on -port @value{DefaultPort} for your users to get to off-site Kerberos V5 -KDCs, and on port @value{DefaultSecondPort} for your users to get to -off-site Kerberos V4 KDCs. - -@contents -@c second page break makes sure right-left page alignment works right -@c with a one-page toc, even though we don't have setchapternewpage odd. -@c end of texinfo file -@bye diff --git a/doc/old-V4-docs/README b/doc/old-V4-docs/README deleted file mode 100644 index 8858655cb..000000000 --- a/doc/old-V4-docs/README +++ /dev/null @@ -1,4 +0,0 @@ -These documentation files are old --- and refer to the Kerberos V4 -implementation. They are included because the equivalent V5 documentation -set have not been written yet, and the concepts contained in these documents -may be helpful. diff --git a/doc/old-V4-docs/installation.PS b/doc/old-V4-docs/installation.PS deleted file mode 100644 index 7609d4e64..000000000 --- a/doc/old-V4-docs/installation.PS +++ /dev/null 
@@ -1,2338 +0,0 @@ -%!PS-Adobe-2.0 -%%Title: installation.mss -%%DocumentFonts: (atend) -%%Creator: John T Kohl,,E40-351M,31510,6176432831 and Scribe 7(1700) -%%CreationDate: 4 January 1990 11:56 -%%Pages: (atend) -%%EndComments -% PostScript Prelude for Scribe. -/BS {/SV save def 0.0 792.0 translate .01 -.01 scale} bind def -/ES {showpage SV restore} bind def -/SC {setrgbcolor} bind def -/FMTX matrix def -/RDF {WFT SLT 0.0 eq - {SSZ 0.0 0.0 SSZ neg 0.0 0.0 FMTX astore} - {SSZ 0.0 SLT neg sin SLT cos div SSZ mul SSZ neg 0.0 0.0 FMTX astore} - ifelse makefont setfont} bind def -/SLT 0.0 def -/SI { /SLT exch cvr def RDF} bind def -/WFT /Courier findfont def -/SF { /WFT exch findfont def RDF} bind def -/SSZ 1000.0 def -/SS { /SSZ exch 100.0 mul def RDF} bind def -/AF { /WFT exch findfont def /SSZ exch 100.0 mul def RDF} bind def -/MT /moveto load def -/XM {currentpoint exch pop moveto} bind def -/UL {gsave newpath moveto dup 2.0 div 0.0 exch rmoveto - setlinewidth 0.0 rlineto stroke grestore} bind def -/LH {gsave newpath moveto setlinewidth - 0.0 rlineto - gsave stroke grestore} bind def -/LV {gsave newpath moveto setlinewidth - 0.0 exch rlineto - gsave stroke grestore} bind def -/BX {gsave newpath moveto setlinewidth - exch - dup 0.0 rlineto - exch 0.0 exch neg rlineto - neg 0.0 rlineto - closepath - gsave stroke grestore} bind def -/BX1 {grestore} bind def -/BX2 {setlinewidth 1 setgray stroke grestore} bind def -/PB {/PV save def newpath translate - 100.0 -100.0 scale pop /showpage {} def} bind def -/PE {PV restore} bind def -/GB {/PV save def newpath translate rotate - div dup scale 100.0 -100.0 scale /showpage {} def} bind def -/GE {PV restore} bind def -/FB {dict dup /FontMapDict exch def begin} bind def -/FM {cvn exch cvn exch def} bind def -/FE {end /original-findfont /findfont load def /findfont - {dup FontMapDict exch known{FontMapDict exch get} if - original-findfont} def} bind def -/BC {gsave moveto dup 0 exch rlineto exch 0 rlineto neg 0 exch rlineto 
closepath clip} bind def -/EC /grestore load def -/SH /show load def -/MX {exch show 0.0 rmoveto} bind def -/W {0 32 4 -1 roll widthshow} bind def -/WX {0 32 5 -1 roll widthshow 0.0 rmoveto} bind def -/RC {100.0 -100.0 scale -612.0 0.0 translate --90.0 rotate -.01 -.01 scale} bind def -/URC {100.0 -100.0 scale -90.0 rotate --612.0 0.0 translate -.01 -.01 scale} bind def -/RCC {100.0 -100.0 scale -0.0 -792.0 translate 90.0 rotate -.01 -.01 scale} bind def -/URCC {100.0 -100.0 scale --90.0 rotate 0.0 792.0 translate -.01 -.01 scale} bind def -%%EndProlog -%%Page: 0 1 -BS -0 SI -20 /Times-Bold AF -18823 13788 MT -(Kerberos Installation Notes)SH -27156 15798 MT -(DRAFT)SH -16 /Times-Roman AF -27021 23502 MT -(Bill Bryant)SH -25557 25150 MT -(Jennifer Steiner)SH -27289 26798 MT -(John Kohl)SH -23957 30444 MT -(Project Athena, MIT)SH -/Times-Bold SF -19489 36042 MT -(Initial Release, January 24, 1989)SH -/Times-Italic SF -17558 37690 MT -(\050plus later patches through patchlevel 7\051)SH -11 /Times-Roman AF -7200 45644 MT -(The release consists of three parts.)SH -7200 47942 MT -(The first part consists of the core Kerberos system, which was developed at MIT and does not require)SH -7200 49138 MT -(additional licenses for us to distribute. Included in this part are the Kerberos authentication server, the)SH -7200 50334 MT -(Kerberos library, the)SH -/Times-Italic SF -16606 XM -(ndbm)SH -/Times-Roman SF -19325 XM -(database interface library, user programs, administration programs, manual)SH -7200 51530 MT -(pages, some applications which use Kerberos for authentication, and some utilities.)SH -7200 53828 MT -(The second part is the Data Encryption Standard \050DES\051 library, which we are distributing only within the)SH -7200 55024 MT -(United States.)SH -7200 57322 MT -(The third part contains Kerberos modifications to Sun's NFS, which we distribute as ``context diffs'' to)SH -7200 58518 MT -(the Sun NFS source code. 
Its distribution is controlled to provide an accounting of who has retrieved the)SH -7200 59714 MT -(patches, so that Project Athena can comply with its agreements with Sun regarding distribution of these)SH -7200 60910 MT -(changes.)SH -ES -%%Page: 1 2 -BS -0 SI -16 /Times-Bold AF -7200 8272 MT -(1. Organization) -400 W( of the Source Directory)SH -11 /Times-Roman AF -7200 10467 MT -(The Kerberos building and installation process, as described in this document, builds the binaries and)SH -7200 11663 MT -(executables from the files contained in the Kerberos source tree, and deposits them in a separate object)SH -7200 12859 MT -(tree. This) -275 W( is intended to easily support several different build trees from a single source tree \050this is useful)SH -7200 14055 MT -(if you support several machine architectures\051. We suggest that you copy the Kerberos sources into a)SH -/Times-Italic SF -7200 15251 MT -(/mit/kerberos/src)SH -/Times-Roman SF -14991 XM -(directory, and create as well a)SH -/Times-Italic SF -28396 XM -(/mit/kerberos/obj)SH -/Times-Roman SF -36249 XM -(directory in which to hold the)SH -7200 16447 MT -(executables. In) -275 W( the rest of this document, we'll refer to the Kerberos source and object directories as)SH -7200 17643 MT -([SOURCE_DIR] and [OBJ_DIR], respectively.)SH -7200 19941 MT -(Below is a brief overview of the organization of the complete source directory. 
More detailed)SH -7200 21137 MT -(descriptions follow.)SH -/Times-Bold SF -7200 23088 MT -(admin)SH -/Times-Roman SF -18200 XM -(utilities for the Kerberos administrator)SH -/Times-Bold SF -7200 24783 MT -(appl)SH -/Times-Roman SF -18200 XM -(applications that use Kerberos)SH -/Times-Bold SF -7200 26478 MT -(appl/bsd)SH -/Times-Roman SF -18200 XM -(Berkeley's rsh/rlogin suite, using Kerberos)SH -/Times-Bold SF -7200 28173 MT -(appl/knetd)SH -/Times-Roman SF -18200 XM -(\050old\051 software for inetd-like multiplexing of a single TCP listening port)SH -/Times-Bold SF -7200 29868 MT -(appl/sample)SH -/Times-Roman SF -18200 XM -(sample application servers and clients)SH -/Times-Bold SF -7200 31563 MT -(appl/tftp)SH -/Times-Roman SF -18200 XM -(Trivial File Transfer Protocol, using Kerberos)SH -/Times-Bold SF -7200 33258 MT -(include)SH -/Times-Roman SF -18200 XM -(include files)SH -/Times-Bold SF -7200 34953 MT -(kadmin)SH -/Times-Roman SF -18200 XM -(remote administrative interface to the Kerberos master database)SH -/Times-Bold SF -7200 36648 MT -(kuser)SH -/Times-Roman SF -18200 XM -(assorted user programs)SH -/Times-Bold SF -7200 38343 MT -(lib)SH -/Times-Roman SF -18200 XM -(libraries for use with/by Kerberos)SH -/Times-Bold SF -7200 40038 MT -(lib/acl)SH -/Times-Roman SF -18200 XM -(Access Control List library)SH -/Times-Bold SF -7200 41733 MT -(lib/des)SH -/Times-Roman SF -18200 XM -(Data Encryption Standard library \050US only\051)SH -/Times-Bold SF -7200 43428 MT -(lib/kadm)SH -/Times-Roman SF -18200 XM -(administrative interface library)SH -/Times-Bold SF -7200 45123 MT -(lib/kdb)SH -/Times-Roman SF -18200 XM -(Kerberos server library interface to)SH -/Times-Italic SF -33925 XM -(ndbm)SH -/Times-Bold SF -7200 46818 MT -(lib/knet)SH -/Times-Roman SF -18200 XM -(\050old\051 library for use with)SH -/Times-Bold SF -29349 XM -(knetd)SH -7200 48513 MT -(lib/krb)SH -/Times-Roman SF -18200 XM -(Kerberos library)SH -/Times-Bold SF -7200 50208 MT -(man)SH 
-/Times-Roman SF -18200 XM -(manual pages)SH -/Times-Bold SF -7200 51903 MT -(prototypes)SH -/Times-Roman SF -18200 XM -(sample configuration files)SH -/Times-Bold SF -7200 53598 MT -(server)SH -/Times-Roman SF -18200 XM -(the authentication server)SH -/Times-Bold SF -7200 55293 MT -(slave)SH -/Times-Roman SF -18200 XM -(Kerberos slave database propagation software)SH -/Times-Bold SF -7200 56988 MT -(tools)SH -/Times-Roman SF -18200 XM -(shell scripts for maintaining the source tree)SH -/Times-Bold SF -7200 58683 MT -(util)SH -/Times-Roman SF -18200 XM -(utilities)SH -/Times-Bold SF -7200 60378 MT -(util/imake)SH -/Times-Roman SF -18200 XM -(Imakefile-to-Makefile ``compilation'' tool)SH -/Times-Bold SF -7200 62073 MT -(util/ss)SH -/Times-Roman SF -18200 XM -(Sub-system library \050for command line subsystems\051)SH -/Times-Bold SF -7200 63768 MT -(util/et)SH -/Times-Roman SF -18200 XM -(Error-table library \050for independent, unique error codes\051)SH -/Times-Bold SF -7200 65463 MT -(util/makedepend)SH -/Times-Roman SF -18200 XM -(Makefile dependency generator tool)SH -10 SS -7200 75600 MT -(MIT Project Athena)SH -30350 XM -(1)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 2 3 -BS -0 SI -14 /Times-Bold AF -7200 8167 MT -(1.1 The)350 W -/Times-BoldItalic SF -12334 XM -(admin)SH -/Times-Bold SF -16340 XM -(Directory)SH -11 /Times-Roman AF -7200 10362 MT -(This directory contains source for the Kerberos master database administration tools.)SH -/Times-Bold SF -7200 12313 MT -(kdb_init)SH -/Times-Roman SF -18200 XM -(This program creates and initializes the Kerberos master database. 
It prompts)SH -18200 13509 MT -(for a Kerberos realmname, and the Kerberos master password.)SH -/Times-Bold SF -7200 15204 MT -(kstash)SH -/Times-Roman SF -18200 XM -(This program ``stashes'' the master password in the file)SH -/Times-Italic SF -43033 XM -(/.k)SH -/Times-Roman SF -44377 XM -(so that the master)SH -18200 16400 MT -(server machine can restart the Kerberos server automatically after an unattended)SH -18200 17596 MT -(reboot. The) -275 W( hidden password is also available to administrative programs that)SH -18200 18792 MT -(have been set to run automatically.)SH -/Times-Bold SF -7200 20487 MT -(kdb_edit)SH -/Times-Roman SF -18200 XM -(This program is a low-level tool for editing the master database.)SH -/Times-Bold SF -7200 22182 MT -(kdb_destroy)SH -/Times-Roman SF -18200 XM -(This program deletes the master database.)SH -/Times-Bold SF -7200 23877 MT -(kdb_util)SH -/Times-Roman SF -18200 XM -(This program can be used to dump the master database into an ascii file, and can)SH -18200 25073 MT -(also be used to load the ascii file into the master database.)SH -/Times-Bold SF -7200 26768 MT -(ext_srvtab)SH -/Times-Roman SF -18200 XM -(This program extracts information from the master database and creates a host-)SH -18200 27964 MT -(dependent)SH -/Times-Italic SF -22995 XM -(srvtab)SH -/Times-Roman SF -26020 XM -(file. This) -275 W( file contains the Kerberos keys for the host's)SH -18200 29160 MT -(``Kerberized'' services. 
These services look up their keys in the)SH -/Times-Italic SF -46846 XM -(srvtab)SH -/Times-Roman SF -49871 XM -(file for)SH -18200 30356 MT -(use in the authentication process.)SH -14 /Times-Bold AF -7200 34203 MT -(1.2 The)350 W -/Times-BoldItalic SF -12334 XM -(kuser)SH -/Times-Bold SF -15874 XM -(Directory)SH -11 /Times-Roman AF -7200 36398 MT -(This directory contains the source code for several user-oriented programs.)SH -/Times-Bold SF -7200 38349 MT -(kinit)SH -/Times-Roman SF -18200 XM -(This program prompts users for their usernames and Kerberos passwords, then)SH -18200 39545 MT -(furnishes them with Kerberos ticket-granting tickets.)SH -/Times-Bold SF -7200 41240 MT -(kdestroy)SH -/Times-Roman SF -18200 XM -(This program destroys any active tickets. Users should use)SH -/Times-Italic SF -44563 XM -(kdestroy)SH -/Times-Roman SF -48564 XM -(before they)SH -18200 42436 MT -(log off their workstations.)SH -/Times-Bold SF -7200 44131 MT -(klist)SH -/Times-Roman SF -18200 XM -(This program lists a user's active tickets.)SH -/Times-Bold SF -7200 45826 MT -(ksrvtgt)SH -/Times-Roman SF -18200 XM -(This retrieves a ticket-granting ticket with a life time of five minutes, using a)SH -18200 47022 MT -(server's secret key in lieu of a password. It is primarily for use in shell scripts)SH -18200 48218 MT -(and other batch facilities.)SH -/Times-Bold SF -7200 49913 MT -(ksu)SH -/Times-Roman SF -18200 XM -(Substitute user id, using Kerberos to mediate attempts to change to ``root''.)SH -14 /Times-Bold AF -7200 53760 MT -(1.3 The)350 W -/Times-BoldItalic SF -12334 XM -(appl)SH -/Times-Bold SF -15173 XM -(Directory)SH -11 /Times-Roman AF -7200 55955 MT -(If your site has the appropriate BSD license, your Kerberos release provides certain Unix utilities The)SH -7200 57151 MT -(Berkeley programs that have been modified to use Kerberos authentication are found in the)SH -/Times-Italic SF -47640 XM -(appl/bsd)SH -/Times-Roman SF -7200 58347 MT -(directory. 
They) -275 W( include)SH -/Times-Italic SF -18043 XM -(login)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -20855 XM -(rlogin)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -24095 XM -(rsh)SH -/Times-Roman SF -(, and)SH -/Times-Italic SF -27914 XM -(rcp)SH -/Times-Roman SF -(, as well as the associated daemon programs)SH -/Times-Italic SF -49081 XM -(kshd)SH -/Times-Roman SF -51372 XM -(and)SH -/Times-Italic SF -7200 59543 MT -(klogind)SH -/Times-Roman SF -(. The)275 W -/Times-Italic SF -13310 XM -(login)SH -/Times-Roman SF -15847 XM -(program obtains ticket-granting tickets for users upon login; the other utilities provide)SH -7200 60739 MT -(authenticated Unix network services.)SH -7200 63037 MT -(The)SH -/Times-Italic SF -9185 XM -(appl)SH -/Times-Roman SF -11416 XM -(directory also contains samples Kerberos application client and server programs, an)SH -7200 64233 MT -(authenticated)SH -/Times-Italic SF -13339 XM -(tftp)SH -/Times-Roman SF -15082 XM -(program,)SH -/Times-Italic SF -19358 XM -(knetd)SH -/Times-Roman SF -(, an authenticated inet daemon.)SH -10 SS -7200 75600 MT -(MIT Project Athena)SH -30350 XM -(2)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 3 4 -BS -0 SI -14 /Times-Bold AF -7200 8167 MT -(1.4 The)350 W -/Times-BoldItalic SF -12334 XM -(server)SH -/Times-Bold SF -16185 XM -(Directory)SH -11 /Times-Roman AF -7200 10362 MT -(The)SH -/Times-Italic SF -9185 XM -(server)SH -/Times-Roman SF -12208 XM -(directory contains the Kerberos KDC server, called)SH -/Times-Italic SF -35052 XM -(kerberos)SH -/Times-Roman SF -(. 
This) -275 W( program manages read-)SH -7200 11558 MT -(only requests made to the master database, distributing tickets and encryption keys to clients requesting)SH -7200 12754 MT -(authentication service.)SH -14 /Times-Bold AF -7200 16601 MT -(1.5 The)350 W -/Times-BoldItalic SF -12334 XM -(kadmin)SH -/Times-Bold SF -17040 XM -(Directory)SH -11 /Times-Roman AF -7200 18796 MT -(The)SH -/Times-Italic SF -9185 XM -(kadmin)SH -/Times-Roman SF -12698 XM -(directory contains the Kerberos administration server and associated client programs. The)SH -7200 19992 MT -(server accepts network requests from the user program)SH -/Times-Italic SF -31570 XM -(kpasswd)SH -/Times-Roman SF -35573 XM -(\050used to change a user's password\051, the)SH -7200 21188 MT -(Kerberos administration program)SH -/Times-Italic SF -22137 XM -(kadmin)SH -/Times-Roman SF -(, and the srvtab utility program)SH -/Times-Italic SF -39276 XM -(ksrvutil)SH -/Times-Roman SF -(. The) -275 W( administration)SH -7200 22384 MT -(server can make modifications to the master database.)SH -14 /Times-Bold AF -7200 26231 MT -(1.6 The)350 W -/Times-BoldItalic SF -12334 XM -(include)SH -/Times-Bold SF -16962 XM -(Directory)SH -11 /Times-Roman AF -7200 28426 MT -(This directory contains the)SH -/Times-Italic SF -19236 XM -(include)SH -/Times-Roman SF -22749 XM -(files needed to build the Kerberos system.)SH -14 /Times-Bold AF -7200 32273 MT -(1.7 The)350 W -/Times-BoldItalic SF -12334 XM -(lib)SH -/Times-Bold SF -14162 XM -(Directory)SH -11 /Times-Roman AF -7200 34468 MT -(The)SH -/Times-Italic SF -9185 XM -(lib)SH -/Times-Roman SF -10622 XM -(directory has six subdirectories:)SH -/Times-Italic SF -25193 XM -(acl)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -27087 XM -(des)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -29103 XM -(kadm)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -32035 XM -(kdb)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -34173 XM -(knet)SH -/Times-Roman SF -(, and)SH -/Times-Italic SF -38418 XM 
-(krb)SH -/Times-Roman SF -(. The)275 W -/Times-Italic SF -42694 XM -(des)SH -/Times-Roman SF -44435 XM -(directory contains)SH -7200 35664 MT -(source for the DES encryption library. The)SH -/Times-Italic SF -26595 XM -(kadm)SH -/Times-Roman SF -29252 XM -(directory contains source for the Kerberos)SH -7200 36860 MT -(administration server utility library. The)SH -/Times-Italic SF -25439 XM -(kdb)SH -/Times-Roman SF -27302 XM -(directory contains source for the Kerberos database routine)SH -7200 38056 MT -(library. The)275 W -/Times-Italic SF -12942 XM -(knet)SH -/Times-Roman SF -15049 XM -(directory contains source for a library used by clients of the)SH -/Times-Italic SF -41530 XM -(knetd)SH -/Times-Roman SF -44187 XM -(server. The)275 W -/Times-Italic SF -49683 XM -(krb)SH -/Times-Roman SF -7200 39252 MT -(directory contains source for the)SH -/Times-Italic SF -21707 XM -(libkrb.a)SH -/Times-Roman SF -25435 XM -(library. This) -275 W( library contains routines that are used by the)SH -7200 40448 MT -(Kerberos server program, and by applications programs that require authentication service.)SH -14 /Times-Bold AF -7200 44295 MT -(1.8 The)350 W -/Times-BoldItalic SF -12334 XM -(man)SH -/Times-Bold SF -15251 XM -(Directory)SH -11 /Times-Roman AF -7200 46490 MT -(This directory contains manual pages for Kerberos programs and library routines.)SH -14 /Times-Bold AF -7200 50337 MT -(1.9 The)350 W -/Times-BoldItalic SF -12334 XM -(prototypes)SH -/Times-Bold SF -18596 XM -(Directory)SH -11 /Times-Roman AF -7200 52532 MT -(This directory contains prototype)SH -/Times-Italic SF -22108 XM -(/etc/services)SH -/Times-Roman SF -27819 XM -(and)SH -/Times-Italic SF -29682 XM -(/etc/krb.conf)SH -/Times-Roman SF -35486 XM -(files. 
New) -275 W( entries must be added to the)SH -/Times-Italic SF -7200 53728 MT -(/etc/services)SH -/Times-Roman SF -12911 XM -(file for the Kerberos server, and possibly for Kerberized applications \050)SH -/Times-Italic SF -(services.append)SH -/Times-Roman SF -7200 54924 MT -(contains the entries used by the Athena-provided servers & applications, and is suitable for appending to)SH -7200 56120 MT -(your existing)SH -/Times-Italic SF -13250 XM -(/etc/services)SH -/Times-Roman SF -18961 XM -(file.\051. The)275 W -/Times-Italic SF -23878 XM -(/etc/krb.conf)SH -/Times-Roman SF -29682 XM -(file defines the local Kerberos realm for its host and)SH -7200 57316 MT -(lists Kerberos servers for given realms. The)SH -/Times-Italic SF -26961 XM -(/etc/krb.realms)SH -/Times-Roman SF -33865 XM -(file defines exceptions for mapping machine)SH -7200 58512 MT -(names to Kerberos realms.)SH -14 /Times-Bold AF -7200 62359 MT -(1.10 The)350 W -/Times-BoldItalic SF -13034 XM -(tools)SH -/Times-Bold SF -16107 XM -(Directory)SH -11 /Times-Roman AF -7200 64554 MT -(This directory contains a makefile to set up a directory tree for building the software in, and a shell script)SH -7200 65750 MT -(to format code in the style we use.)SH -10 SS -7200 75600 MT -(MIT Project Athena)SH -30350 XM -(3)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 4 5 -BS -0 SI -14 /Times-Bold AF -7200 8167 MT -(1.11 The)350 W -/Times-BoldItalic SF -13034 XM -(util)SH -/Times-Bold SF -15329 XM -(Directory)SH -11 /Times-Roman AF -7200 10362 MT -(This directory contains several utility programs and libraries. 
Included are Larry Wall's)SH -/Times-Italic SF -46296 XM -(patch)SH -/Times-Roman SF -49015 XM -(program, a)SH -/Times-Italic SF -7200 11558 MT -(make)SH -/Times-Roman SF -9795 XM -(pre-processor program called)SH -/Times-Italic SF -22956 XM -(imake)SH -/Times-Roman SF -(, and a program for generating Makefile dependencies,)SH -/Times-Italic SF -7200 12754 MT -(makedepend)SH -/Times-Roman SF -(, as well as the Sub-system library and utilities \050)SH -/Times-Italic SF -(ss)SH -/Times-Roman SF -(\051, and the Error table library and utilities)SH -7200 13950 MT -(\050)SH -/Times-Italic SF -(et)SH -/Times-Roman SF -(\051.)SH -16 /Times-Bold AF -7200 18622 MT -(2. Preparing) -400 W( for Installation)SH -11 /Times-Roman AF -7200 20817 MT -(This document assumes that you will build the system on the machine on which you plan to install the)SH -7200 22013 MT -(Kerberos master server and its database. You'll need about 10 megabytes for source and executables.)SH -7200 24311 MT -(By default, there must be a)SH -/Times-Italic SF -19327 XM -(/kerberos)SH -/Times-Roman SF -23756 XM -(directory on the master server machine in which to store the)SH -7200 25507 MT -(Kerberos database files. If the master server machine does not have room on its root partition for these)SH -7200 26703 MT -(files, create a)SH -/Times-Italic SF -13306 XM -(/kerberos)SH -/Times-Roman SF -17735 XM -(symbolic link to another file system.)SH -16 /Times-Bold AF -7200 31375 MT -(3. Preparing) -400 W( for the Build)SH -11 /Times-Roman AF -7200 33570 MT -(Before you build the system, you have to choose a)SH -/Times-Bold SF -29653 XM -(realm name)SH -/Times-Roman SF -(, the name that specifies the system's)SH -7200 34766 MT -(administrative domain. Project Athena uses the internet domain name ATHENA.MIT.EDU to specify its)SH -7200 35962 MT -(Kerberos realm name. 
We recommend using a name of this form.)SH -/Times-Bold SF -36857 XM -(NOTE:)SH -/Times-Roman SF -40616 XM -(the realm-name is case)SH -7200 37158 MT -(sensitive; by convention, we suggest that you use your internet domain name, in capital letters.)SH -7200 39456 MT -(Edit the [SOURCE_DIR]/)SH -/Times-Italic SF -(include/krb.h)SH -/Times-Roman SF -24860 XM -(file and look for the following lines of code:)SH -10 SS -7200 75600 MT -(MIT Project Athena)SH -30350 XM -(4)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 5 6 -BS -0 SI -11 /Courier AF -8520 7886 MT -(/*)SH -9180 9000 MT -(* Kerberos specific definitions)SH -9180 10114 MT -(*)SH -9180 11228 MT -(* KRBLOG is the log file for the kerberos master server.)SH -9180 12342 MT -(* KRB_CONF is the configuration file where different host)SH -9180 13456 MT -(* machines running master and slave servers can be found.)SH -9180 14570 MT -(* KRB_MASTER is the name of the machine with the master)SH -9180 15684 MT -(* database. The admin_server runs on this machine, and all)SH -9180 16798 MT -(* changes to the db \050as opposed to read-only requests, which)SH -9180 17912 MT -(* can go to slaves\051 must go to it.)SH -9180 19026 MT -(* KRB_HOST is the default machine when looking for a kerberos)SH -9180 20140 MT -(* slave server. 
Other possibilities are in the KRB_CONF file.)SH -9180 21254 MT -(* KRB_REALM is the name of the realm.)SH -9180 22368 MT -(*/)SH -8520 24596 MT -(#ifdef notdef)SH -8520 25710 MT -(this is server-only, does not belong here;)SH -8520 26824 MT -(#define KRBLOG) -3960 W( "/kerberos/kerberos.log")5940 W -8520 27938 MT -(are these used anyplace '?';)SH -8520 29052 MT -(#define VX_KRB_HSTFILE) -9240 W( "/etc/krbhst")660 W -8520 30166 MT -(#define PC_KRB_HSTFILE) -9240 W( "\134\134kerberos\134\134krbhst")660 W -8520 31280 MT -(#endif)SH -8520 33508 MT -(#define KRB_CONF) -9240 W( "/etc/krb.conf")4620 W -8520 34622 MT -(#define KRB_RLM_TRANS) -9240 W( "/etc/krb.realms")1320 W -8520 35736 MT -(#define KRB_MASTER) -9240 W( "kerberos")3300 W -8520 36850 MT -(#define KRB_HOST) -9240 W( KRB_MASTER)5280 W -8520 37964 MT -(#define KRB_REALM) -9240 W( "ATHENA.MIT.EDU")3960 W -/Times-Roman SF -7200 39559 MT -(Edit the last line as follows:)SH -9400 41510 MT -(1.)SH -10500 XM -(Change the KRB_REALM definition so that it specifies the realm name you have chosen)SH -10500 42706 MT -(for your Kerberos system. 
This is a default which is usually overridden by a configuration)SH -10500 43902 MT -(file on each machine; however, if that config file is absent, many programs will use this)SH -10500 45098 MT -("built-in" realm name.)SH -14 /Times-Bold AF -7200 48945 MT -(3.1 The)350 W -/Times-BoldItalic SF -12334 XM -(/etc/krb.conf)SH -/Times-Bold SF -19956 XM -(File)SH -11 /Times-Roman AF -7200 51140 MT -(Create a)SH -/Times-Italic SF -11108 XM -(/etc/krb.conf)SH -/Times-Roman SF -16912 XM -(file using the following format:)SH -/Times-BoldItalic SF -8520 52740 MT -(realm_name)SH -8520 53854 MT -(realm_name master_server_name)1045 W -/Courier SF -25594 XM -(admin server)SH -/Times-Roman SF -7200 55449 MT -(where)SH -/Times-Italic SF -10161 XM -(realm_name)SH -/Times-Roman SF -15934 XM -(specifies the system's realm name, and)SH -/Times-Italic SF -33375 XM -(master_server_name)SH -/Times-Roman SF -42874 XM -(specifies the machine)SH -7200 56645 MT -(name on which you will run the master server. The words 'admin server' must appear next to the name of)SH -7200 57841 MT -(the server on which you intend to run the administration server \050which must be a machine with access to)SH -7200 59037 MT -(the database\051.)SH -7200 61335 MT -(For example, if your realm name is)SH -/Times-Italic SF -22962 XM -(tim.edu)SH -/Times-Roman SF -26506 XM -(and your master server's name is)SH -/Times-Italic SF -41288 XM -(kerberos.tim.edu)SH -/Times-Roman SF -(, the file)SH -7200 62531 MT -(should have these contents:)SH -/Courier SF -8520 64057 MT -(tim.edu)SH -8520 65171 MT -(tim.edu kerberos.tim.edu) -660 W( admin server)SH -/Times-Roman SF -7200 67469 MT -(See the [SOURCE_DIR]/)SH -/Times-Italic SF -(prototypes/etc.krb.conf)SH -/Times-Roman SF -28921 XM -(file for an example)SH -/Times-Italic SF -37533 XM -(/etc/krb.conf)SH -/Times-Roman SF -43337 XM -(file. 
That) -275 W( file has)SH -10 SS -7200 75600 MT -(MIT Project Athena)SH -30350 XM -(5)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 6 7 -BS -0 SI -11 /Times-Roman AF -7200 7955 MT -(examples of how to provide backup servers for a given realm \050additional lines with the same leading)SH -7200 9151 MT -(realm name\051 and how to designate servers for remote realms.)SH -14 /Times-Bold AF -7200 12998 MT -(3.2 The)350 W -/Times-BoldItalic SF -12334 XM -(/etc/krb.realms)SH -/Times-Bold SF -21280 XM -(File)SH -11 /Times-Roman AF -7200 15193 MT -(In many situations, the default realm in which a host operates will be identical to the domain portion its)SH -7200 16389 MT -(Internet domain name.)SH -7200 18687 MT -(If this is not the case, you will need to establish a translation from host name or domain name to realm)SH -7200 19883 MT -(name. This) -275 W( is accomplished with the)SH -/Times-Italic SF -23820 XM -(/etc/krb.realms)SH -/Times-Roman SF -30724 XM -(file.)SH -7200 22181 MT -(Each line of the translation file specifies either a hostname or domain name, and its associated realm:)SH -/Courier SF -8520 23707 MT -(.domain.name kerberos.realm1)SH -8520 24821 MT -(host.name kerberos.realm2)SH -/Times-Roman SF -7200 26416 MT -(For example, to map all hosts in the domain LSC.TIM.EDU to KRB.REALM1 but the host)SH -7200 27612 MT -(FILMS.LSC.TIM.EDU to KRB.REALM2 your file would read:)SH -/Courier SF -8520 29138 MT -(.LSC.TIM.EDU KRB.REALM1)SH -8520 30252 MT -(FILMS.LSC.TIM.EDU KRB.REALM2)SH -/Times-Roman SF -7200 31847 MT -(If a particular host matches both a domain and a host entry, the host entry takes precedence.)SH -16 /Times-Bold AF -7200 36519 MT -(4. Building) -400 W( the Software)SH -11 /Times-Roman AF -7200 38714 MT -(Before you build the software read the)SH -/Times-Bold SF -24395 XM -(README)SH -/Times-Roman SF -29558 XM -(file in [SOURCE_DIR]. 
What follows is a more)SH -7200 39910 MT -(detailed description of the instructions listed in README.)SH -9400 41861 MT -(1.)SH -10500 XM -(Create an [OBJ_DIR] directory to hold the tree of Kerberos object files you are about to)SH -10500 43057 MT -(build, for example,)SH -/Times-Italic SF -19145 XM -(/mit/kerberos/obj)SH -/Times-Roman SF -(.)SH -9400 44951 MT -(2.)SH -10500 XM -(Change directory to [OBJ_DIR]. The following command creates directories under)SH -10500 46147 MT -([OBJ_DIR] and installs Makefiles for the final build.)SH -/Courier SF -11820 47724 MT -(host%)SH -/Times-Bold SF -15780 XM -(make -f [SOURCE_DIR]/tools/makeconfig SRCDIR=[SOURCE_DIR])275 W -/Times-Roman SF -9400 49618 MT -(3.)SH -10500 XM -(Change directory to util/imake.includes. Read through config.Imakefile, turning on)SH -10500 50814 MT -(appropriate flags for your installation. Change SRCTOP so that it is set to the top level of)SH -10500 52010 MT -(your source directory.)SH -9400 53904 MT -(4.)SH -10500 XM -(Check that your machine type has a definition in include/osconf.h & related files in the)SH -10500 55100 MT -(source tree \050if it doesn't, then you may need to create your own; if you get successful)SH -10500 56296 MT -(results, please post to kerberos@athena.mit.edu\051)SH -9400 58190 MT -(5.)SH -10500 XM -(Change directory to [OBJ_DIR]. 
The next command generates new Makefiles based on the)SH -10500 59386 MT -(configuration you selected in config.Imakefile, then adds dependency information to the)SH -10500 60582 MT -(Makefiles, and finally builds the system:)SH -/Courier SF -11820 62159 MT -(host%)SH -/Times-Bold SF -15780 XM -(make world)275 W -/Times-Roman SF -10500 63754 MT -(This command takes a while to complete; you may wish to redirect the output onto a file)SH -10500 64950 MT -(and put the job in the background:)SH -/Courier SF -11820 66527 MT -(host%)SH -/Times-Bold SF -15780 XM -(make world) -275 W( >&WORLDLOG_891201 &)SH -/Times-Roman SF -10500 68122 MT -(If you need to rebuild the Kerberos programs and libraries after making a change, you can)SH -10 SS -7200 75600 MT -(MIT Project Athena)SH -30350 XM -(6)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 7 8 -BS -0 SI -11 /Times-Roman AF -10500 7955 MT -(usually just type:)SH -/Courier SF -11820 9532 MT -(host%)SH -/Times-Bold SF -15780 XM -(make all)275 W -/Times-Roman SF -10500 11127 MT -(However, if you changed the configuration in config.Imakefile or modified the Imakefiles)SH -10500 12323 MT -(or Makefiles, you should run)SH -/Times-Italic SF -23514 XM -(make world)SH -/Times-Roman SF -28952 XM -(to re-build all the Makefiles and dependency lists.)SH -14 /Times-Bold AF -7200 16141 MT -(4.1 Testing) -350 W( the DES Library)SH -11 /Times-Roman AF -7200 18336 MT -(Use the)SH -/Times-Italic SF -10804 XM -(verify)SH -/Times-Roman SF -13583 XM -(command to test the DES library implementation:)SH -/Courier SF -8520 19913 MT -(host%)SH -/Times-Bold SF -12480 XM -([OBJ_DIR]/lib/des/verify)SH -/Times-Roman SF -7200 21508 MT -(The command should display the following:)SH -10 SS -7200 75600 MT -(MIT Project Athena)SH -30350 XM -(7)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 8 9 -BS -0 SI -11 /Courier AF -8520 7886 MT -(Examples per FIPS publication 81, keys ivs and cipher)SH -8520 9000 MT -(in hex. 
These are the correct answers, see below for)SH -8520 10114 MT -(the actual answers.)SH -8520 12342 MT -(Examples per Davies and Price.)SH -8520 14570 MT -(EXAMPLE ECB) -SH( key) -2640 W( = 08192a3b4c5d6e7f)SH -13800 15684 MT -(clear = 0)SH -13800 16798 MT -(cipher = 25 dd ac 3e 96 17 64 67)SH -8520 17912 MT -(ACTUAL ECB)SH -13800 19026 MT -(clear "")SH -13800 20140 MT -(cipher =) -660 W( \050low to high bytes\051)SH -19080 21254 MT -(25 dd ac 3e 96 17 64 67)SH -8520 23482 MT -(EXAMPLE ECB) -SH( key) -2640 W( = 0123456789abcdef)SH -13800 24596 MT -(clear = "Now is the time for all ")SH -13800 25710 MT -(cipher = 3f a4 0e 8a 98 4d 48 15 ...)SH -8520 26824 MT -(ACTUAL ECB)SH -13800 27938 MT -(clear "Now is the time for all ")SH -13800 29052 MT -(cipher =) -660 W( \050low to high bytes\051)SH -19080 30166 MT -(3f a4 0e 8a 98 4d 48 15)SH -8520 32394 MT -(EXAMPLE CBC) -SH( key) -2640 W( = 0123456789abcdef iv = 1234567890abcdef)SH -13800 33508 MT -(clear = "Now is the time for all ")SH -13800 34622 MT -(cipher =) -SH( e5) -4620 W( c7 cd de 87 2b f2 7c)SH -24360 35736 MT -(43 e9 34 00 8c 38 9c 0f)SH -24360 36850 MT -(68 37 88 49 9a 7c 05 f6)SH -8520 37964 MT -(ACTUAL CBC)SH -13800 39078 MT -(clear "Now is the time for all ")SH -13800 40192 MT -(ciphertext = \050low to high bytes\051)SH -19080 41306 MT -(e5 c7 cd de 87 2b f2 7c)SH -19080 42420 MT -(43 e9 34 00 8c 38 9c 0f)SH -19080 43534 MT -(68 37 88 49 9a 7c 05 f6)SH -19080 44648 MT -(00 00 00 00 00 00 00 00)SH -19080 45762 MT -(00 00 00 00 00 00 00 00)SH -19080 46876 MT -(00 00 00 00 00 00 00 00)SH -19080 47990 MT -(00 00 00 00 00 00 00 00)SH -19080 49104 MT -(00 00 00 00 00 00 00 00)SH -13800 50218 MT -(decrypted clear_text = "Now is the time for all ")SH -8520 51332 MT -(EXAMPLE CBC checksum) -SH( key) -1980 W( = 0123456789abcdef iv = 1234567890abcdef)SH -13800 52446 MT -(clear =) -SH( "7654321) -5280 W( Now is the time for ")SH -13800 53560 MT -(checksum 58) -4620 W( d2 e7 7e 86 06 27 33 or some part thereof)SH -8520 
54674 MT -(ACTUAL CBC checksum)SH -19080 55788 MT -(encrypted cksum = \050low to high bytes\051)SH -19080 56902 MT -(58 d2 e7 7e 86 06 27 33)SH -/Times-Roman SF -7200 59200 MT -(If the)SH -/Times-Italic SF -9826 XM -(verify)SH -/Times-Roman SF -12605 XM -(command fails to display this information as specified above, the implementation of DES for)SH -7200 60396 MT -(your hardware needs to be adjusted. Your Kerberos system cannot work properly if your DES library)SH -7200 61592 MT -(fails this test.)SH -7200 63890 MT -(When you have finished building the software, you will find the executables in the object tree as follows:)SH -/Times-Bold SF -7200 65841 MT -([OBJ_DIR]/admin)SH -/Times-Italic SF -18200 XM -(ext_srvtab)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -23332 XM -(kdb_destroy)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -29258 XM -(kdb_edit)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -33596 XM -(kdb_init)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -37752 XM -(kdb_util)SH -/Times-Roman SF -(, and)SH -/Times-Italic SF -43771 XM -(kstash)SH -/Times-Roman SF -(.)SH -/Times-Bold SF -7200 67536 MT -([OBJ_DIR]/kuser)SH -/Times-Italic SF -18200 XM -(kdestroy)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -22476 XM -(kinit)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -24982 XM -(klist)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -27366 XM -(ksrvtgt)SH -/Times-Roman SF -(, and)SH -/Times-Italic SF -32773 XM -(ksu)SH -/Times-Roman SF -(.)SH -10 SS -7200 75600 MT -(MIT Project Athena)SH -30350 XM -(8)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 9 10 -BS -0 SI -11 /Times-Bold AF -7200 7955 MT -([OBJ_DIR]/server)SH -/Times-Italic SF -18200 XM -(kerberos)SH -/Times-Roman SF -(.)SH -/Times-Bold SF -7200 9650 MT -([OBJ_DIR]/appl/bsd)SH -/Times-Italic SF -18200 XM -(klogind)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -22050 XM -(kshd)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -24616 XM -(login.krb)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -29169 XM -(rcp)SH 
-/Times-Roman SF -(,)SH -/Times-Italic SF -31185 XM -(rlogin)SH -/Times-Roman SF -(, and)SH -/Times-Italic SF -36288 XM -(rsh)SH -/Times-Roman SF -(.)SH -/Times-Bold SF -7200 11345 MT -([OBJ_DIR]/appl/knetd)SH -/Times-Italic SF -18200 XM -(knetd)SH -/Times-Roman SF -(.)SH -/Times-Bold SF -7200 13040 MT -([OBJ_DIR]/appl/sample)SH -/Times-Italic SF -18200 14236 MT -(sample_server)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -25164 XM -(sample_client)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -31824 XM -(simple_server)SH -/Times-Roman SF -(, and)SH -/Times-Italic SF -40407 XM -(simple_client)SH -/Times-Roman SF -(.)SH -/Times-Bold SF -7200 15931 MT -([OBJ_DIR]/appl/tftp)SH -/Times-Italic SF -18200 XM -(tcom)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -20888 XM -(tftpd)SH -/Times-Roman SF -(, and)SH -/Times-Italic SF -25319 XM -(tftp)SH -/Times-Roman SF -(.)SH -/Times-Bold SF -7200 17626 MT -([OBJ_DIR]/slave)SH -/Times-Italic SF -18200 XM -(kprop)SH -/Times-Roman SF -21041 XM -(and)SH -/Times-Italic SF -22904 XM -(kpropd)SH -/Times-Roman SF -(.)SH -16 /Times-Bold AF -7200 22298 MT -(5. Installing) -400 W( the Software)SH -11 /Times-Roman AF -7200 24493 MT -(To install the software, issue the)SH -/Times-Italic SF -21711 XM -(make install)SH -/Times-Roman SF -27333 XM -(command from the [OBJ_DIR] \050you need to be a privileged)SH -7200 25689 MT -(user in order to properly install the programs\051. Programs can either be installed in default directories, or)SH -7200 26885 MT -(under a given root directory, as described below.)SH -14 /Times-Bold AF -7200 30703 MT -(5.1 The) -350 W( ``Standard'' Places)SH -11 /Times-Roman AF -7200 32898 MT -(If you use the)SH -/Times-Italic SF -13492 XM -(make)SH -/Times-Roman SF -16087 XM -(command as follows:)SH -/Courier SF -8520 34475 MT -(host#)SH -/Times-Bold SF -12480 XM -(make install)275 W -/Times-Roman SF -7200 36070 MT -(the installation process will try to install the various parts of the system in ``standard'' directories. 
This)SH -7200 37266 MT -(process creates the ``standard'' directories as needed.)SH -7200 39564 MT -(The standard installation process copies things as follows:)SH -/Symbol SF -9169 41640 MT -(\267)SH -/Times-Roman SF -9950 XM -(The)SH -/Times-Italic SF -11935 XM -(include)SH -/Times-Roman SF -15448 XM -(files)SH -/Times-Italic SF -17617 XM -(krb.h)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -20458 XM -(des.h)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -23299 XM -(mit-copyright.h)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -30662 XM -(kadm.h)SH -/Times-Roman SF -34144 XM -(and)SH -/Times-Italic SF -36007 XM -(kadm_err.h)SH -/Times-Roman SF -41383 XM -(get copied to the)SH -/Times-Italic SF -9950 42836 MT -(/usr/include)SH -/Times-Roman SF -15481 XM -(directory.)SH -/Symbol SF -9169 44730 MT -(\267)SH -/Times-Roman SF -9950 XM -(The Kerberos libraries)SH -/Times-Italic SF -20119 XM -(libdes.a)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -24122 XM -(libkrb.a)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -28125 XM -(libkdb.a)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -32250 XM -(libkadm.a)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -37169 XM -(libknet.a)SH -/Times-Roman SF -(, and)SH -/Times-Italic SF -43401 XM -(libacl.a)SH -/Times-Roman SF -47007 XM -(get)SH -9950 45926 MT -(copied to the)SH -/Times-Italic SF -15907 XM -(/usr/athena/lib)SH -/Times-Roman SF -22662 XM -(\050or wherever you pointed LIBDIR in config.Imakefile\051)SH -9950 47122 MT -(directory.)SH -/Symbol SF -9169 49016 MT -(\267)SH -/Times-Roman SF -9950 XM -(The Kerberos master database utilities)SH -/Times-Italic SF -27085 XM -(kdb_init)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -31241 XM -(kdb_destroy)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -37167 XM -(kdb_edit)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -41505 XM -(kdb_util)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -45661 XM -(kstash)SH -/Times-Roman SF -(, and)SH -/Times-Italic SF -9950 50212 MT -(ext_srvtab)SH -/Times-Roman SF 
-14807 XM -(get copied to the)SH -/Times-Italic SF -22383 XM -(/usr/etc)SH -/Times-Roman SF -25958 XM -(\050DAEMDIR\051 directory.)SH -/Symbol SF -9169 52106 MT -(\267)SH -/Times-Roman SF -9950 XM -(The Kerberos user utilities)SH -/Times-Italic SF -21924 XM -(kinit)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -24430 XM -(kdestroy)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -28706 XM -(klist)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -31090 XM -(ksrvtgt)SH -/Times-Roman SF -34359 XM -(and)SH -/Times-Italic SF -36222 XM -(ksu)SH -/Times-Roman SF -37963 XM -(get copied to the)SH -/Times-Italic SF -45539 XM -(/usr/athena)SH -/Times-Roman SF -9950 53302 MT -(\050PROGDIR\051 directory.)SH -/Symbol SF -9169 55196 MT -(\267)SH -/Times-Roman SF -9950 XM -(The modified Berkeley utilities)SH -/Times-Italic SF -24004 XM -(rsh)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -25960 XM -(rlogin)SH -/Times-Roman SF -28925 XM -(get copied to the)SH -/Times-Italic SF -36501 XM -(/usr/ucb)SH -/Times-Roman SF -40382 XM -(\050UCBDIR\051 directory;)SH -/Times-Italic SF -9950 56392 MT -(rcp)SH -/Times-Roman SF -11691 XM -(gets copied to the)SH -/Times-Italic SF -19695 XM -(/bin)SH -/Times-Roman SF -21682 XM -(\050SLASHBINDIR\051 directory; and)SH -/Times-Italic SF -36375 XM -(rlogind)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -40165 XM -(rshd)SH -/Times-Roman SF -(, and)SH -/Times-Italic SF -44534 XM -(login.krb)SH -/Times-Roman SF -48812 XM -(get)SH -9950 57588 MT -(copied to the)SH -/Times-Italic SF -15907 XM -(/usr/etc)SH -/Times-Roman SF -19482 XM -(\050DAEMDIR\051 directory. The old copies of the user programs are)SH -9950 58784 MT -(renamed)SH -/Times-Italic SF -14011 XM -(rsh.ucb)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -17830 XM -(rlogin.ucb)SH -/Times-Roman SF -22658 XM -(and)SH -/Times-Italic SF -24521 XM -(rcp.ucb)SH -/Times-Roman SF -(, respectively. 
The Kerberos versions of these)SH -9950 59980 MT -(programs are designed to fall back and execute the original versions if something prevents)SH -9950 61176 MT -(the Kerberos versions from succeeding.)SH -/Symbol SF -9169 63070 MT -(\267)SH -/Times-Roman SF -9950 XM -(The Kerberos version of)SH -/Times-Italic SF -20944 XM -(tftp)SH -/Times-Roman SF -22687 XM -(and)SH -/Times-Italic SF -24550 XM -(tcom)SH -/Times-Roman SF -26963 XM -(get copied to the)SH -/Times-Italic SF -34539 XM -(/usr/athena)SH -/Times-Roman SF -39826 XM -(\050PROGDIR\051 directory;)SH -/Times-Italic SF -9950 64266 MT -(tftpd)SH -/Times-Roman SF -12243 XM -(gets copied to the)SH -/Times-Italic SF -20247 XM -(/etc)SH -/Times-Roman SF -22110 XM -(\050ETCDIR\051 directory.)SH -/Times-Italic SF -31884 XM -(tftp)SH -/Times-Roman SF -33627 XM -(and)SH -/Times-Italic SF -35490 XM -(tftpd)SH -/Times-Roman SF -37783 XM -(are installed set-uid to an)SH -9950 65462 MT -(unprivileged user \050user id of DEF_UID\051.)SH -/Symbol SF -9169 67356 MT -(\267)SH -/Times-Roman SF -9950 XM -(The)SH -/Times-Italic SF -11935 XM -(knetd)SH -/Times-Roman SF -14592 XM -(daemon gets copied to the)SH -/Times-Italic SF -26353 XM -(/usr/etc)SH -/Times-Roman SF -29928 XM -(\050DAEMDIR\051 directory.)SH -10 SS -7200 75600 MT -(MIT Project Athena)SH -30350 XM -(9)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 10 11 -BS -0 SI -11 /Symbol AF -9169 8080 MT -(\267)SH -/Times-Roman SF -9950 XM -(The Kerberos server)SH -/Times-Italic SF -19201 XM -(kerberos)SH -/Times-Roman SF -(, the slave propagation software)SH -/Times-Italic SF -37343 XM -(kprop)SH -/Times-Roman SF -40184 XM -(and)SH -/Times-Italic SF -42047 XM -(kpropd)SH -/Times-Roman SF -(, and the)SH -9950 9276 MT -(administration server)SH -/Times-Italic SF -19542 XM -(kadmind)SH -/Times-Roman SF -23605 XM -(get copied to the)SH -/Times-Italic SF -31181 XM -(/usr/etc)SH -/Times-Roman SF -34756 XM -(\050SVRDIR, SVRDIR, and)SH -9950 10472 MT -(DAEMDIR\051 directory.)SH -/Symbol 
SF -9169 12366 MT -(\267)SH -/Times-Roman SF -9950 XM -(The remote administration tools)SH -/Times-Italic SF -24310 XM -(kpasswd)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -28588 XM -(ksrvutil)SH -/Times-Roman SF -32163 XM -(and)SH -/Times-Italic SF -34026 XM -(kadmin)SH -/Times-Roman SF -37539 XM -(get copied to the)SH -/Times-Italic SF -45115 XM -(/usr/athena)SH -/Times-Roman SF -9950 13562 MT -(\050PROGDIR\051 directory.)SH -/Symbol SF -9169 15456 MT -(\267)SH -/Times-Roman SF -9950 XM -(The Kerberos manual pages get installed in the appropriate)SH -/Times-Italic SF -36187 XM -(/usr/man)SH -/Times-Roman SF -40374 XM -(directories. Don't)275 W -9950 16652 MT -(forget to run)SH -/Times-Italic SF -15723 XM -(makewhatis)SH -/Times-Roman SF -21192 XM -(after installing the manual pages.)SH -14 /Times-Bold AF -7200 20470 MT -(5.2 ``Non-Standard'') -350 W( Installation)SH -11 /Times-Roman AF -7200 22665 MT -(If you'd rather install the software in a different location, you can use the)SH -/Times-Italic SF -39667 XM -(make)SH -/Times-Roman SF -42262 XM -(command as follows,)SH -7200 23861 MT -(where [DEST_DIR] specifies an alternate destination directory which will be used as the root for the)SH -7200 25057 MT -(installed programs, i.e. programs that would normally be installed in /usr/athena would be installed in)SH -7200 26253 MT -([DEST_DIR]/usr/athena.)SH -/Courier SF -8520 27830 MT -(host#)SH -/Times-Bold SF -12480 XM -(make install DESTDIR=[DEST_DIR])275 W -16 SS -7200 32502 MT -(6. Conclusion)400 W -11 /Times-Roman AF -7200 34697 MT -(Now that you have built and installed your Kerberos system, use the accompanying Kerberos Operation)SH -4030 50 44224 34897 UL -4398 50 48529 34897 UL -7200 35893 MT -(Notes to create a Kerberos Master database, install authenticated services, and start the Kerberos server.)SH -2566 50 7200 36093 UL -16 /Times-Bold AF -7200 40565 MT -(7. 
Acknowledgements)400 W -11 /Times-Roman AF -7200 42760 MT -(We'd like to thank Henry Mensch and Jon Rochlis for helping us debug this document.)SH -10 SS -7200 75600 MT -(MIT Project Athena)SH -30100 XM -(10)SH -47890 XM -(4 January 1990)SH -ES -%%Page: i 12 -BS -0 SI -14 /Times-Bold AF -25272 8138 MT -(Table of Contents)SH -13 SS -7200 9781 MT -(1. Organization) -325 W( of the Source Directory)SH -53350 XM -(1)SH -12 /Times-Roman AF -9000 11136 MT -(1.1 The)300 W -/Times-BoldItalic SF -13266 XM -(admin)SH -/Times-Roman SF -16701 XM -(Directory)SH -53400 XM -(2)SH -9000 12491 MT -(1.2 The)300 W -/Times-BoldItalic SF -13266 XM -(kuser)SH -/Times-Roman SF -16300 XM -(Directory)SH -53400 XM -(2)SH -9000 13846 MT -(1.3 The)300 W -/Times-BoldItalic SF -13266 XM -(appl)SH -/Times-Roman SF -15700 XM -(Directory)SH -53400 XM -(2)SH -9000 15201 MT -(1.4 The)300 W -/Times-BoldItalic SF -13266 XM -(server)SH -/Times-Roman SF -16566 XM -(Directory)SH -53400 XM -(3)SH -9000 16556 MT -(1.5 The)300 W -/Times-BoldItalic SF -13266 XM -(kadmin)SH -/Times-Roman SF -17301 XM -(Directory)SH -53400 XM -(3)SH -9000 17911 MT -(1.6 The)300 W -/Times-BoldItalic SF -13266 XM -(include)SH -/Times-Roman SF -17234 XM -(Directory)SH -53400 XM -(3)SH -9000 19266 MT -(1.7 The)300 W -/Times-BoldItalic SF -13266 XM -(lib)SH -/Times-Roman SF -14834 XM -(Directory)SH -53400 XM -(3)SH -9000 20621 MT -(1.8 The)300 W -/Times-BoldItalic SF -13266 XM -(man)SH -/Times-Roman SF -15767 XM -(Directory)SH -53400 XM -(3)SH -9000 21976 MT -(1.9 The)300 W -/Times-BoldItalic SF -13266 XM -(prototypes)SH -/Times-Roman SF -18634 XM -(Directory)SH -53400 XM -(3)SH -9000 23331 MT -(1.10 The)300 W -/Times-BoldItalic SF -13866 XM -(tools)SH -/Times-Roman SF -16501 XM -(Directory)SH -53400 XM -(3)SH -9000 24686 MT -(1.11 The)300 W -/Times-BoldItalic SF -13866 XM -(util)SH -/Times-Roman SF -15835 XM -(Directory)SH -53400 XM -(4)SH -13 /Times-Bold AF -7200 26329 MT -(2. 
Preparing) -325 W( for Installation)SH -53350 XM -(4)SH -7200 27972 MT -(3. Preparing) -325 W( for the Build)SH -53350 XM -(4)SH -12 /Times-Roman AF -9000 29327 MT -(3.1 The)300 W -/Times-BoldItalic SF -13266 XM -(/etc/krb.conf)SH -/Times-Roman SF -19801 XM -(File)SH -53400 XM -(5)SH -9000 30682 MT -(3.2 The)300 W -/Times-BoldItalic SF -13266 XM -(/etc/krb.realms)SH -/Times-Roman SF -20936 XM -(File)SH -53400 XM -(6)SH -13 /Times-Bold AF -7200 32325 MT -(4. Building) -325 W( the Software)SH -53350 XM -(6)SH -12 /Times-Roman AF -9000 33674 MT -(4.1 Testing) -300 W( the DES Library)SH -53400 XM -(7)SH -13 /Times-Bold AF -7200 35317 MT -(5. Installing) -325 W( the Software)SH -53350 XM -(9)SH -12 /Times-Roman AF -9000 36666 MT -(5.1 The) -300 W( ``Standard'' Places)SH -53400 XM -(9)SH -9000 38015 MT -(5.2 ``Non-Standard'') -300 W( Installation)SH -52800 XM -(10)SH -13 /Times-Bold AF -7200 39658 MT -(6. Conclusion)325 W -52700 XM -(10)SH -7200 41301 MT -(7. Acknowledgements)325 W -52700 XM -(10)SH -10 /Times-Roman AF -7200 75600 MT -(MIT Project Athena)SH -30461 XM -(i)SH -47890 XM -(4 January 1990)SH -ES -%%Trailer -%%Pages: 12 -%%DocumentFonts: Times-Roman Times-Bold Times-Italic Times-BoldItalic Courier Symbol diff --git a/doc/old-V4-docs/installation.mss b/doc/old-V4-docs/installation.mss deleted file mode 100644 index 0a2ae7595..000000000 --- a/doc/old-V4-docs/installation.mss +++ /dev/null 
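Review bot: no replacement text is needed for this hunk; the removed file is the rendered form of installation.mss, not separately maintained prose (the `%%Trailer` / `%%Pages: 12` / `%%DocumentFonts` block closes a complete generated file, and the page footers carry the same "4 January 1990" date and "MIT Project Athena" banner as the Scribe source). The only thing to confirm is that the source and this rendering are dropped in the same commit so the directory never holds a rendering without its source or vice versa.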
@@ -1,681 +0,0 @@ -@Comment[ $Source$] -@Comment[ $Author$] -@Comment[ $Id$] -@Comment[] -@device[postscript] -@make[report] -@comment[ -@DefineFont(HeadingFont, - P=, - B=, - I=, - R=) -] -@DefineFont(HeadingFont, - P=, - B=, - I=, - R=) -@Counter(MajorPart,TitleEnv HD0,ContentsEnv tc0,Numbered [@I], - IncrementedBy Use,Announced) -@Counter(Chapter,TitleEnv HD1,ContentsEnv tc1,Numbered [@1. ], - IncrementedBy Use,Referenced [@1],Announced) -@Counter(Appendix,TitleEnv HD1,ContentsEnv tc1,Numbered [@A. ], - IncrementedBy,Referenced [@A],Announced,Alias Chapter) -@Counter(UnNumbered,TitleEnv HD1,ContentsEnv tc1,Announced,Alias - Chapter) -@Counter(Section,Within Chapter,TitleEnv HD2,ContentsEnv tc2, - Numbered [@#@:.@1 ],Referenced [@#@:.@1],IncrementedBy - Use,Announced) -@Counter(AppendixSection,Within Appendix,TitleEnv HD2, - ContentsEnv tc2, - Numbered [@#@:.@1 ],Referenced [@#@:.@1],IncrementedBy - Use,Announced) -@Counter(SubSection,Within Section,TitleEnv HD3,ContentsEnv tc3, - Numbered [@#@:.@1 ],IncrementedBy Use, - Referenced [@#@:.@1 ]) -@Counter(AppendixSubSection,Within AppendixSection,TitleEnv HD3, - ContentsEnv tc3, - Numbered [@#@:.@1 ],IncrementedBy Use, - Referenced [@#@:.@1 ]) -@Counter(Paragraph,Within SubSection,TitleEnv HD4,ContentsEnv tc4, - Numbered [@#@:.@1 ],Referenced [@#@:.@1], - IncrementedBy Use) -@modify(CopyrightNotice, Fixed -1 inch, Flushright) -@Modify(Titlebox, Fixed 3.0 inches) -@Modify(hd1, below .2 inch, facecode B, size 16, spaces kept, pagebreak off) -@Modify(hd2, below .2 inch, facecode B, size 14, spaces kept) -@Modify(hd3, below .2 inch, facecode B, size 12, spaces kept) -@Modify(Description, Leftmargin +20, Indent -20,below 1 line, above 1 line) -@Modify(Tc1, Above .5, Facecode B) -@Modify(Tc2, Above .25, Below .25, Facecode R) -@Modify(Tc3,Facecode R) -@Modify(Tc4,Facecode R) -@Modify(Itemize,Above 1line,Below 1line) -@Modify(Insert,LeftMargin +2, RightMargin +2) -@libraryfile[stable] -@comment[@Style(Font 
NewCenturySchoolBook, size 11)] -@Style(Font TimesRoman, size 11) -@Style(Spacing 1.1, indent 0) -@Style(leftmargin 1.0inch) -@Style(justification no) -@Style(BottomMargin 1.5inch) -@Style(ChangeBarLocation Right) -@Style(ChangeBars=off) -@pageheading[immediate] -@pagefooting[immediate, left = "MIT Project Athena", center = "@value(page)", -right = "@value(date)"] -@set[page = 0] -@blankspace[.5 inches] -@begin[group, size 20] -@begin(center) -@b[Kerberos Installation Notes] -@b[DRAFT] -@end[center] -@end(group) -@blankspace[.5 inches] -@begin[group, size 16] -@begin(center) -Bill Bryant -Jennifer Steiner -John Kohl -@blankspace[1 line] -Project Athena, MIT -@blankspace[.5 inches] -@b[Initial Release, January 24, 1989] -@i[(plus later patches through patchlevel 7)] -@end[center] -@end(group) -@begin[group, size 10] -@end[group] -@blankspace[.75 inches] - - -The release consists of three parts. - -The first part consists of the core Kerberos system, which was developed -at MIT and does not require additional licenses for us to distribute. -Included in this part are the Kerberos authentication server, the -Kerberos library, the -@i[ndbm] -database interface library, user programs, administration programs, -manual pages, some applications which use Kerberos for authentication, -and some utilities. - -The second part is the Data Encryption Standard (DES) library, which we -are distributing only within the United States. - -The third part contains Kerberos modifications to Sun's NFS, which we -distribute as ``context diffs'' to the Sun NFS source code. Its -distribution is controlled to provide an accounting of who has retrieved -the patches, so that Project Athena can comply with its agreements with -Sun regarding distribution of these changes. 
- -@newpage() -@chapter[Organization of the Source Directory] - -The Kerberos building and installation process, -as described in this document, -builds the binaries and executables from the files contained in the Kerberos -source tree, and deposits them in a separate object tree. -This is intended to easily support several different build trees from a -single source tree (this is useful if you support several machine -architectures). -We suggest that you copy the Kerberos sources into a -@i[/mit/kerberos/src] directory, -and create as well a @i[/mit/kerberos/obj] directory in which -to hold the executables. -In the rest of this document, we'll refer to the Kerberos -source and object directories as [SOURCE_DIR] -and [OBJ_DIR], respectively. - -Below is a brief overview of the organization of the complete -source directory. -More detailed descriptions follow. - -@begin[description] - -@b[admin]@\utilities for the Kerberos administrator - -@b[appl]@\applications that use Kerberos - -@b[appl/bsd]@\Berkeley's rsh/rlogin suite, using Kerberos - -@b[appl/knetd]@\(old) software for inetd-like multiplexing of a single -TCP listening port - -@b[appl/sample]@\sample application servers and clients - -@b[appl/tftp]@\Trivial File Transfer Protocol, using Kerberos - -@b[include]@\include files - -@b[kadmin]@\remote administrative interface to the Kerberos master database - -@b[kuser]@\assorted user programs - -@b[lib]@\libraries for use with/by Kerberos - -@b[lib/acl]@\Access Control List library - -@b[lib/des]@\Data Encryption Standard library (US only) - -@b[lib/kadm]@\administrative interface library - -@b[lib/kdb]@\Kerberos server library interface to @i[ndbm] - -@b[lib/knet]@\(old) library for use with @b[knetd] - -@b[lib/krb]@\Kerberos library - -@b[man]@\manual pages - -@b[prototypes]@\sample configuration files - -@b[server]@\the authentication server - -@b[slave]@\Kerberos slave database propagation software - -@b[tools]@\shell scripts for maintaining the source tree 
- -@b[util]@\utilities - -@b[util/imake]@\Imakefile-to-Makefile ``compilation'' tool - -@b[util/ss]@\Sub-system library (for command line subsystems) - -@b[util/et]@\Error-table library (for independent, unique error codes) - -@b[util/makedepend]@\Makefile dependency generator tool - -@end[description] - -@section[The @p(admin) Directory] - -This directory contains source for -the Kerberos master database administration tools. -@begin[description] -@b[kdb_init]@\This program creates and initializes the -Kerberos master database. -It prompts for a Kerberos realmname, and the Kerberos master password. - -@b[kstash]@\This program ``stashes'' the master password in the file -@i[/.k] so that the master server machine can restart the Kerberos -server automatically after an unattended reboot. -The hidden password is also available to administrative programs -that have been set to run automatically. - -@b[kdb_edit]@\This program is a low-level tool for editing -the master database. - -@b[kdb_destroy]@\This program deletes the master database. - -@b[kdb_util]@\This program can be used to dump the master database -into an ascii file, and can also be used to load the ascii file -into the master database. - -@b[ext_srvtab]@\This program extracts information from the master -database and creates a host-dependent @i[srvtab] file. -This file contains the Kerberos keys for the host's -``Kerberized'' services. -These services look up their keys in the @i[srvtab] file -for use in the authentication process. -@end[description] - -@section[The @p(kuser) Directory] - -This directory contains the source code for several user-oriented -programs. -@begin[description] -@b[kinit]@\This program prompts users for their usernames and -Kerberos passwords, then furnishes them with Kerberos ticket-granting -tickets. - -@b[kdestroy]@\This program destroys any active tickets. -Users should use @i[kdestroy] before they log off their workstations. 
- -@b[klist]@\This program lists a user's active tickets. - -@b[ksrvtgt]@\This retrieves a ticket-granting ticket with a life time -of five minutes, using a server's secret key in lieu of a password. It -is primarily for use in shell scripts and other batch facilities. - -@b[ksu]@\Substitute user id, using Kerberos to mediate attempts to -change to ``root''. -@end[description] - -@section[The @p(appl) Directory] - -If your site has the appropriate BSD license, -your Kerberos release provides certain Unix utilities -The Berkeley programs that have been modified to use Kerberos -authentication are found in the @i[appl/bsd] directory. -They include @i[login], @i[rlogin], @i[rsh], and @i[rcp], as well as the -associated daemon programs @i[kshd] and @i[klogind]. -The @i[login] program obtains ticket-granting tickets for users -upon login; the other utilities provide authenticated -Unix network services. - -The @i[appl] directory also contains samples Kerberos application -client and server programs, an authenticated @i[tftp] program, -@i[knetd], an authenticated inet daemon. - -@section[The @p(server) Directory] - -The @i[server] directory contains the Kerberos KDC server, called -@i[kerberos]. -This program manages read-only requests made to the -master database, -distributing tickets and encryption keys to clients requesting -authentication service. - -@section[The @p(kadmin) Directory] - -The @i[kadmin] directory contains the Kerberos administration server and -associated client programs. -The server accepts network requests from the -user program @i[kpasswd] (used to change a user's password), the -Kerberos administration program @i(kadmin), and the srvtab utility -program @i[ksrvutil]. -The administration server can make modifications to the master database. - -@section[The @p(include) Directory] - -This directory contains the @i[include] files needed to -build the Kerberos system. 
- -@section[The @p(lib) Directory] - -The @i[lib] directory has six subdirectories: -@i[acl], @i[des], @i[kadm], @i[kdb], @i[knet], and @i[krb]. -The @i[des] directory contains source for the DES encryption library. -The @i[kadm] directory contains source for the Kerberos administration -server utility library. -The @i[kdb] directory contains source for the Kerberos database -routine library. -The @i[knet] directory contains source for a library used by clients of -the @i[knetd] server. -The @i[krb] directory contains source for the @i[libkrb.a] -library. -This library contains routines that are used by the Kerberos server program, -and by applications programs that require authentication service. - -@section[The @p(man) Directory] - -This directory contains manual pages for Kerberos programs and -library routines. - -@section[The @p(prototypes) Directory] - -This directory contains prototype -@i[/etc/services] and @i[/etc/krb.conf] files. -New entries must be added to the @i[/etc/services] file for -the Kerberos server, and possibly for Kerberized applications -(@i[services.append] contains the entries used by the Athena-provided -servers & applications, and is suitable for appending to your existing -@i[/etc/services] file.). -The @i[/etc/krb.conf] file defines the local Kerberos realm -for its host and lists Kerberos servers for given realms. -The @i[/etc/krb.realms] file defines exceptions for mapping machine -names to Kerberos realms. - -@section[The @p(tools) Directory] - -This directory contains -a makefile to set up a directory tree -for building the software in, and -a shell script to format code in the -style we use. - - -@section[The @p(util) Directory] - -This directory contains several utility programs and libraries. 
-Included are Larry Wall's @i[patch] program, a @i[make] pre-processor -program called -@i[imake], and a program for generating Makefile dependencies, -@i[makedepend], as well as the Sub-system library and -utilities (@i[ss]), and the Error table library and utilities (@i[et]). - -@chapter[Preparing for Installation] - -This document assumes that you will build the system -on the machine on which you plan to install -the Kerberos master server and its database. -You'll need about 10 megabytes for source and executables. - -By default, there must be -a @i[/kerberos] directory on the master server machine -in which to store the Kerberos -database files. -If the master server machine does not have room on its root partition -for these files, -create a @i[/kerberos] symbolic link to another file system. - -@chapter[Preparing for the Build] - -Before you build the system, -you have to choose a @b[realm name], -the name that specifies the system's administrative domain. -Project Athena uses the internet domain name ATHENA.MIT.EDU -to specify its Kerberos realm name. -We recommend using a name of this form. -@b[NOTE:] the realm-name is case sensitive; by convention, we suggest -that you use your internet domain name, in capital letters. - -Edit the [SOURCE_DIR]/@i[include/krb.h] file and look for the following -lines of code: -@begin[example] -/* - * Kerberos specific definitions - * - * KRBLOG is the log file for the kerberos master server. - * KRB_CONF is the configuration file where different host - * machines running master and slave servers can be found. - * KRB_MASTER is the name of the machine with the master - * database. The admin_server runs on this machine, and all - * changes to the db (as opposed to read-only requests, which - * can go to slaves) must go to it. - * KRB_HOST is the default machine when looking for a kerberos - * slave server. Other possibilities are in the KRB_CONF file. - * KRB_REALM is the name of the realm. 
- */ - -#ifdef notdef -this is server-only, does not belong here; -#define KRBLOG "/kerberos/kerberos.log" -are these used anyplace '?'; -#define VX_KRB_HSTFILE "/etc/krbhst" -#define PC_KRB_HSTFILE "\\kerberos\\krbhst" -#endif - -#define KRB_CONF "/etc/krb.conf" -#define KRB_RLM_TRANS "/etc/krb.realms" -#define KRB_MASTER "kerberos" -#define KRB_HOST KRB_MASTER -#define KRB_REALM "ATHENA.MIT.EDU" -@end[example] -Edit the last line as follows: -@begin[enumerate] -Change the KRB_REALM definition so that it specifies the realm name -you have chosen for your Kerberos system. This is a default which is -usually overridden by a configuration file on each machine; however, if -that config file is absent, many programs will use this "built-in" realm -name. -@end[enumerate] - -@section[The @p(/etc/krb.conf) File] - -Create a @i[/etc/krb.conf] file using the following format: -@begin[example] -@p[realm_name] -@p[realm_name] @p[master_server_name] admin server -@end[example] -where @i[realm_name] specifies the system's realm name, -and @i[master_server_name] specifies the machine name on -which you will run the master server. The words 'admin server' must -appear next to the name of the server on which you intend to run the -administration server (which must be a machine with access to the database). - -For example, -if your realm name is @i[tim.edu] and your master server's name is -@i[kerberos.tim.edu], the file should have these contents: -@begin[example] -tim.edu -tim.edu kerberos.tim.edu admin server -@end[example] - -See the [SOURCE_DIR]/@i[prototypes/etc.krb.conf] file for an -example @i[/etc/krb.conf] file. That file has examples of how to -provide backup servers for a given realm (additional lines with the same -leading realm name) and how to designate servers for remote realms. - -@section[The @p(/etc/krb.realms) File] - -In many situations, the default realm in which a host operates will be -identical to the domain portion its Internet domain name. 
- -If this is not the case, you will need to establish a translation from -host name or domain name to realm name. This is accomplished with the -@i(/etc/krb.realms) file. - -Each line of the translation file specifies either a hostname or domain -name, and its associated realm: -@begin[example] -.domain.name kerberos.realm1 -host.name kerberos.realm2 -@end[example] -For example, to map all hosts in the domain LSC.TIM.EDU to KRB.REALM1 -but the host FILMS.LSC.TIM.EDU to KRB.REALM2 your file would read: -@begin[example] -.LSC.TIM.EDU KRB.REALM1 -FILMS.LSC.TIM.EDU KRB.REALM2 -@end[example] -If a particular host matches both a domain and a host entry, the host -entry takes precedence. - -@chapter[Building the Software] - -Before you build the software -read the @b[README] file in [SOURCE_DIR]. -What follows is a more detailed description of the instructions -listed in README. -@begin[enumerate] -Create an [OBJ_DIR] directory to hold the tree of Kerberos object files you -are about to build, for example, -@i[/mit/kerberos/obj]. - -Change directory to [OBJ_DIR]. -The following command creates directories under [OBJ_DIR] -and installs Makefiles for the final build. -@begin[example, rightmargin -7] -host% @b(make -f [SOURCE_DIR]/tools/makeconfig SRCDIR=[SOURCE_DIR]) -@end[example] - - - -Change directory to util/imake.includes. Read through config.Imakefile, -turning on appropriate flags for your installation. Change SRCTOP so -that it is set to the top level of your source directory. - -Check that your machine type has a definition in include/osconf.h & -related files in the source tree (if it doesn't, then you may need to -create your own; if you get successful results, please post to -kerberos@@athena.mit.edu) - -Change directory to [OBJ_DIR]. 
The next command generates new Makefiles -based on the configuration you selected in config.Imakefile, then adds -dependency information to the Makefiles, and finally builds the system: -@begin[example, rightmargin -7] -host% @b(make world) -@end[example] -This command takes a while to complete; you may wish to redirect the -output onto a file and put the job in the background: -@begin[example, rightmargin -7] -host% @b(make world >&WORLDLOG_891201 &) -@end[example] -If you need to rebuild the Kerberos programs and libraries after making -a change, you can usually just type: -@begin[example, rightmargin -7] -host% @b(make all) -@end[example] -However, if you changed the configuration in config.Imakefile or modified -the Imakefiles or Makefiles, you should run @i[make world] to re-build -all the Makefiles and dependency lists. -@end(enumerate) - -@section[Testing the DES Library] - -Use the @i[verify] command to test the DES library -implementation: -@begin[example] -host% @b([OBJ_DIR]/lib/des/verify) -@end[example] -The command should display the following: -@begin[example, rightmargin -10] -Examples per FIPS publication 81, keys ivs and cipher -in hex. These are the correct answers, see below for -the actual answers. - -Examples per Davies and Price. - -EXAMPLE ECB key = 08192a3b4c5d6e7f - clear = 0 - cipher = 25 dd ac 3e 96 17 64 67 -ACTUAL ECB - clear "" - cipher = (low to high bytes) - 25 dd ac 3e 96 17 64 67 - -EXAMPLE ECB key = 0123456789abcdef - clear = "Now is the time for all " - cipher = 3f a4 0e 8a 98 4d 48 15 ... 
-ACTUAL ECB - clear "Now is the time for all " - cipher = (low to high bytes) - 3f a4 0e 8a 98 4d 48 15 - -EXAMPLE CBC key = 0123456789abcdef iv = 1234567890abcdef - clear = "Now is the time for all " - cipher = e5 c7 cd de 87 2b f2 7c - 43 e9 34 00 8c 38 9c 0f - 68 37 88 49 9a 7c 05 f6 -ACTUAL CBC - clear "Now is the time for all " - ciphertext = (low to high bytes) - e5 c7 cd de 87 2b f2 7c - 43 e9 34 00 8c 38 9c 0f - 68 37 88 49 9a 7c 05 f6 - 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 - decrypted clear_text = "Now is the time for all " -EXAMPLE CBC checksum key = 0123456789abcdef iv = 1234567890abcdef - clear = "7654321 Now is the time for " - checksum 58 d2 e7 7e 86 06 27 33 or some part thereof -ACTUAL CBC checksum - encrypted cksum = (low to high bytes) - 58 d2 e7 7e 86 06 27 33 -@end[example] - -If the @i[verify] command fails to display this information as specified -above, the implementation of DES for your hardware needs to -be adjusted. -Your Kerberos system cannot work properly if your DES library -fails this test. - -When you have finished building the software, -you will find the executables in the object tree as follows: -@begin[description] -@b([OBJ_DIR]/admin)@\@i[ext_srvtab], @i[kdb_destroy], -@i[kdb_edit], @i[kdb_init], @i[kdb_util], and @i[kstash]. - -@b([OBJ_DIR]/kuser)@\@i[kdestroy], @i[kinit], @i[klist], @i[ksrvtgt], -and @i[ksu]. - -@b([OBJ_DIR]/server)@\@i[kerberos]. - -@b([OBJ_DIR]/appl/bsd)@\@i[klogind], @i[kshd], @i[login.krb], @i[rcp], -@i[rlogin], and @i[rsh]. - -@b([OBJ_DIR]/appl/knetd)@\@i[knetd]. - -@b([OBJ_DIR]/appl/sample)@\@i[sample_server], @i[sample_client], -@i[simple_server], and @i[simple_client]. - -@b([OBJ_DIR]/appl/tftp)@\@i[tcom], @i[tftpd], and @i[tftp]. - -@b([OBJ_DIR]/slave)@\@i[kprop] and @i[kpropd]. 
-@end[description] - -@chapter[Installing the Software] - -To install the software, issue the @i[make install] command from -the [OBJ_DIR] (you need to be a privileged user in order to -properly install the programs). -Programs can either be installed in default directories, or under -a given root directory, as described below. - -@section[The ``Standard'' Places] - -If you use the @i[make] command as follows: -@begin[example] -host# @b(make install) -@end[example] -the installation process will try to install the various parts of the -system in ``standard'' directories. -This process creates the ``standard'' directories as needed. - -The standard installation process copies things as follows: -@begin[itemize] -The @i[include] files @i[krb.h], @i[des.h], @i[mit-copyright.h], -@i[kadm.h] and @i[kadm_err.h] get copied to the -@i[/usr/include] directory. - -The Kerberos libraries @i[libdes.a], @i[libkrb.a], @i[libkdb.a], -@i[libkadm.a], @i[libknet.a], and @i[libacl.a] get copied -to the @i[/usr/athena/lib] (or wherever you pointed LIBDIR in -config.Imakefile) directory. - -The Kerberos master database utilities @i[kdb_init], @i[kdb_destroy], -@i[kdb_edit], @i[kdb_util], @i[kstash], and @i[ext_srvtab] get copied to -the @i[/usr/etc] (DAEMDIR) directory. - -The Kerberos user utilities @i[kinit], @i[kdestroy], @i[klist], -@i[ksrvtgt] and @i[ksu] get copied to the @i[/usr/athena] (PROGDIR) -directory. - -The modified Berkeley utilities @i[rsh], @i[rlogin] get copied to the -@i[/usr/ucb] (UCBDIR) directory; @i[rcp] gets copied to the @i[/bin] -(SLASHBINDIR) directory; and @i[rlogind], @i[rshd], and @i[login.krb] -get copied to the @i[/usr/etc] (DAEMDIR) directory. The old copies of -the user programs are renamed @i(rsh.ucb), @i(rlogin.ucb) and -@i(rcp.ucb), respectively. The Kerberos versions of these programs are -designed to fall back and execute the original versions if something -prevents the Kerberos versions from succeeding. 
- -The Kerberos version of @i[tftp] and @i[tcom] get copied to the -@i[/usr/athena] (PROGDIR) directory; @i[tftpd] gets copied to the -@i[/etc] (ETCDIR) directory. @i[tftp] and @i[tftpd] are installed -set-uid to an unprivileged user (user id of DEF_UID). - -The @i[knetd] daemon gets copied to the @i[/usr/etc] (DAEMDIR) directory. - -The Kerberos server @i[kerberos], the slave propagation software -@i[kprop] and @i[kpropd], and the administration server @i[kadmind] get -copied to the @i[/usr/etc] (SVRDIR, SVRDIR, and DAEMDIR) directory. - -The remote administration tools @i[kpasswd], @i[ksrvutil] and @i[kadmin] -get copied to the @i[/usr/athena] (PROGDIR) directory. - -The Kerberos manual pages get installed in the appropriate -@i[/usr/man] directories. Don't forget to run @i[makewhatis] -after installing the manual pages. - -@end[itemize] - -@section[``Non-Standard'' Installation] - -If you'd rather install the software in a different location, -you can use the @i[make] command as follows, -where [DEST_DIR] specifies an alternate destination directory -which will be used as the root for the installed programs, i.e. programs -that would normally be installed in /usr/athena would be installed in -[DEST_DIR]/usr/athena. -@begin[example] -host# @b(make install DESTDIR=[DEST_DIR]) -@end[example] - -@chapter[Conclusion] - -Now that you have built and installed your Kerberos system, -use the accompanying @u[Kerberos Operation Notes] -to create a Kerberos Master database, install authenticated services, -and start the Kerberos server. - -@chapter [Acknowledgements] - -We'd like to thank Henry Mensch and Jon Rochlis for helping us debug -this document. diff --git a/doc/old-V4-docs/operation.PS b/doc/old-V4-docs/operation.PS deleted file mode 100644 index 3afb8cf06..000000000 --- a/doc/old-V4-docs/operation.PS +++ /dev/null 
@@ -1,2669 +0,0 @@ -%!PS-Adobe-2.0 -%%Title: operation.mss -%%DocumentFonts: (atend) -%%Creator: John T Kohl,,E40-351M,31510,6176432831 and Scribe 7(1700) -%%CreationDate: 4 January 1990 11:55 -%%Pages: (atend) -%%EndComments -% PostScript Prelude for Scribe. -/BS {/SV save def 0.0 792.0 translate .01 -.01 scale} bind def -/ES {showpage SV restore} bind def -/SC {setrgbcolor} bind def -/FMTX matrix def -/RDF {WFT SLT 0.0 eq - {SSZ 0.0 0.0 SSZ neg 0.0 0.0 FMTX astore} - {SSZ 0.0 SLT neg sin SLT cos div SSZ mul SSZ neg 0.0 0.0 FMTX astore} - ifelse makefont setfont} bind def -/SLT 0.0 def -/SI { /SLT exch cvr def RDF} bind def -/WFT /Courier findfont def -/SF { /WFT exch findfont def RDF} bind def -/SSZ 1000.0 def -/SS { /SSZ exch 100.0 mul def RDF} bind def -/AF { /WFT exch findfont def /SSZ exch 100.0 mul def RDF} bind def -/MT /moveto load def -/XM {currentpoint exch pop moveto} bind def -/UL {gsave newpath moveto dup 2.0 div 0.0 exch rmoveto - setlinewidth 0.0 rlineto stroke grestore} bind def -/LH {gsave newpath moveto setlinewidth - 0.0 rlineto - gsave stroke grestore} bind def -/LV {gsave newpath moveto setlinewidth - 0.0 exch rlineto - gsave stroke grestore} bind def -/BX {gsave newpath moveto setlinewidth - exch - dup 0.0 rlineto - exch 0.0 exch neg rlineto - neg 0.0 rlineto - closepath - gsave stroke grestore} bind def -/BX1 {grestore} bind def -/BX2 {setlinewidth 1 setgray stroke grestore} bind def -/PB {/PV save def newpath translate - 100.0 -100.0 scale pop /showpage {} def} bind def -/PE {PV restore} bind def -/GB {/PV save def newpath translate rotate - div dup scale 100.0 -100.0 scale /showpage {} def} bind def -/GE {PV restore} bind def -/FB {dict dup /FontMapDict exch def begin} bind def -/FM {cvn exch cvn exch def} bind def -/FE {end /original-findfont /findfont load def /findfont - {dup FontMapDict exch known{FontMapDict exch get} if - original-findfont} def} bind def -/BC {gsave moveto dup 0 exch rlineto exch 0 rlineto neg 0 exch rlineto 
closepath clip} bind def -/EC /grestore load def -/SH /show load def -/MX {exch show 0.0 rmoveto} bind def -/W {0 32 4 -1 roll widthshow} bind def -/WX {0 32 5 -1 roll widthshow 0.0 rmoveto} bind def -/RC {100.0 -100.0 scale -612.0 0.0 translate --90.0 rotate -.01 -.01 scale} bind def -/URC {100.0 -100.0 scale -90.0 rotate --612.0 0.0 translate -.01 -.01 scale} bind def -/RCC {100.0 -100.0 scale -0.0 -792.0 translate 90.0 rotate -.01 -.01 scale} bind def -/URCC {100.0 -100.0 scale --90.0 rotate 0.0 792.0 translate -.01 -.01 scale} bind def -%%EndProlog -%%Page: 0 1 -BS -0 SI -20 /Times-Bold AF -19324 13788 MT -(Kerberos Operation Notes)SH -27156 15798 MT -(DRAFT)SH -16 /Times-Roman AF -27021 23502 MT -(Bill Bryant)SH -27289 25150 MT -(John Kohl)SH -23957 26798 MT -(Project Athena, MIT)SH -/Times-Bold SF -19489 32396 MT -(Initial Release, January 24, 1989)SH -/Times-Italic SF -17558 34044 MT -(\050plus later patches through patchlevel 7\051)SH -11 /Times-Roman AF -7200 43798 MT -(These notes assume that you have used the)SH -/Times-Italic SF -26322 XM -(Kerberos Installation Notes)SH -/Times-Roman SF -38821 XM -(to build and install your Kerberos)SH -7200 44994 MT -(system. As) -275 W( in that document, we refer to the directory that contains the built Kerberos binaries as)SH -7200 46190 MT -([OBJ_DIR].)SH -7200 48488 MT -(This document assumes that you are a Unix system manager.)SH -ES -%%Page: 1 2 -BS -0 SI -16 /Times-Bold AF -7200 8272 MT -(1. How) -400 W( Kerberos Works: A Schematic Description)SH -11 /Times-Roman AF -7200 10467 MT -(This section provides a simplified description of a general user's interaction with the Kerberos system.)SH -7200 11663 MT -(This interaction happens transparently--users don't need to know and probably don't care about what's)SH -7200 12859 MT -(going on--but Kerberos administrators might find a schematic description of the process useful. 
The)SH -7200 14055 MT -(description glosses over a lot of details; for more information, see)SH -/Times-Italic SF -36404 XM -(Kerberos: An Authentication Service)SH -7200 15251 MT -(for Open Network Systems)SH -/Times-Roman SF -(, a paper presented at Winter USENIX 1988, in Dallas, Texas.)SH -14 /Times-Bold AF -7200 19069 MT -(1.1 Network) -350 W( Services and Their Client Programs)SH -11 /Times-Roman AF -7200 21264 MT -(In an environment that provides network services, you use)SH -/Times-Italic SF -33164 XM -(client)SH -/Times-Roman SF -35883 XM -(programs to request service from)SH -/Times-Italic SF -50696 XM -(server)SH -/Times-Roman SF -7200 22460 MT -(programs that are somewhere on the network. Suppose you have logged in to a workstation and you want)SH -7200 23656 MT -(to)SH -/Times-Italic SF -8331 XM -(rlogin)SH -/Times-Roman SF -11296 XM -(to another machine. You use the local)SH -/Times-Italic SF -28493 XM -(rlogin)SH -/Times-Roman SF -31458 XM -(client program to contact the remote machine's)SH -/Times-Italic SF -7200 24852 MT -(rlogin)SH -/Times-Roman SF -10165 XM -(service daemon.)SH -14 /Times-Bold AF -7200 28670 MT -(1.2 Kerberos) -350 W( Tickets)SH -11 /Times-Roman AF -7200 30865 MT -(Under Kerberos, the)SH -/Times-Italic SF -16422 XM -(rlogin)SH -/Times-Roman SF -19387 XM -(service program allows a client to login to a remote machine if it can provide)SH -7200 32061 MT -(a Kerberos)SH -/Times-Bold SF -12268 XM -(ticket)SH -/Times-Roman SF -15169 XM -(for the request. This ticket proves the identity of the person who has used the client)SH -7200 33257 MT -(program to access the server program.)SH -14 /Times-Bold AF -7200 37075 MT -(1.3 The) -350 W( Kerberos Master Database)SH -11 /Times-Roman AF -7200 39270 MT -(Kerberos will give you tickets only if you have an entry in the Kerberos server's)SH -/Times-Bold SF -42845 XM -(master database)SH -/Times-Roman SF -(. 
Your)275 W -7200 40466 MT -(database entry includes your Kerberos username \050often referred to as your Kerberos)SH -/Times-Bold SF -44394 XM -(principal)SH -/Times-Roman SF -48949 XM -(name\051, and)SH -7200 41662 MT -(your Kerberos password. Every Kerberos user must have an entry in this database.)SH -14 /Times-Bold AF -7200 45480 MT -(1.4 The) -350 W( Ticket-Granting Ticket)SH -11 /Times-Roman AF -7200 47675 MT -(The)SH -/Times-Italic SF -9185 XM -(kinit)SH -/Times-Roman SF -11416 XM -(command prompts for your Kerberos username and password, and if you enter them)SH -7200 48871 MT -(successfully, you will obtain a Kerberos)SH -/Times-Italic SF -25131 XM -(ticket-granting ticket)SH -/Times-Roman SF -(. As) -275 W( illustrated below, client programs use)SH -7200 50067 MT -(this ticket to get other Kerberos tickets as needed.)SH -14 /Times-Bold AF -7200 53885 MT -(1.5 Network) -350 W( Services and the Master Database)SH -11 /Times-Roman AF -7200 56080 MT -(The master database also contains entries for all network services that require Kerberos authentication.)SH -7200 57276 MT -(Suppose for instance that your site has a machine)SH -/Times-Italic SF -29163 XM -(laughter)SH -/Times-Roman SF -33166 XM -(that requires Kerberos authentication from)SH -7200 58472 MT -(anyone who wants to)SH -/Times-Italic SF -16792 XM -(rlogin)SH -/Times-Roman SF -19757 XM -(to it. This service must be registered in the master database. Its entry)SH -7200 59668 MT -(includes the service's principal name, and its)SH -/Times-Bold SF -27238 XM -(instance)SH -/Times-Roman SF -(.)SH -7200 61966 MT -(The)SH -/Times-Italic SF -9185 XM -(instance)SH -/Times-Roman SF -13126 XM -(is the name of the service's machine; in this case, the service's instance is the name)SH -/Times-Italic SF -7200 63162 MT -(laughter)SH -/Times-Roman SF -(. The) -275 W( instance provides a means for Kerberos to distinguish between machines that provide the)SH -7200 64358 MT -(same service. 
Your site is likely to have more than one machine that provides)SH -/Times-Italic SF -41840 XM -(rlogin)SH -/Times-Roman SF -44805 XM -(service.)SH -10 SS -7200 75600 MT -(MIT Project Athena)SH -30350 XM -(1)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 2 3 -BS -0 SI -14 /Times-Bold AF -7200 8138 MT -(1.6 The) -350 W( User-Kerberos Interaction)SH -11 /Times-Roman AF -7200 10333 MT -(Suppose that you \050in the guise of a general user\051 walk up to a workstation intending to login to it, and)SH -7200 11529 MT -(then)SH -/Times-Italic SF -9369 XM -(rlogin)SH -/Times-Roman SF -12334 XM -(to the machine)SH -/Times-Italic SF -19085 XM -(laughter)SH -/Times-Roman SF -(. Here's) -275 W( what happens.)SH -9400 13480 MT -(1.)SH -10500 XM -(You login to the workstation and use the)SH -/Times-Italic SF -28648 XM -(kinit)SH -/Times-Roman SF -30879 XM -(command to to get a ticket-granting ticket.)SH -10500 14676 MT -(This command prompts you for your username \050your Kerberos Principal Name\051, and your)SH -10500 15872 MT -(Kerberos password [on some systems which use the new version of)SH -/Times-Italic SF -40465 XM -(/bin/login)SH -/Times-Roman SF -(, this may be)SH -10500 17068 MT -(done as part of the login process, not requiring the user to run a separate program].)SH -12762 19019 MT -(a.)SH -13800 XM -(The)SH -/Times-Italic SF -15785 XM -(kinit)SH -/Times-Roman SF -18016 XM -(command sends your request to the Kerberos master server machine. The)SH -13800 20215 MT -(server software looks for your principal name's entry in the Kerberos)SH -/Times-Bold SF -44555 XM -(master)SH -13800 21411 MT -(database)SH -/Times-Roman SF -(.)SH -12700 23305 MT -(b.)SH -13800 XM -(If this entry exists, the Kerberos server creates and returns a)SH -/Times-Italic SF -40430 XM -(ticket-granting ticket)SH -/Times-Roman SF -(,)SH -13800 24501 MT -(encrypted in your password. 
If)SH -/Times-Italic SF -27819 XM -(kinit)SH -/Times-Roman SF -30050 XM -(can decrypt the Kerberos reply using the)SH -13800 25697 MT -(password you provide, it stores this ticket in a)SH -/Times-Bold SF -34270 XM -(ticket file)SH -/Times-Roman SF -38912 XM -(on your local machine for)SH -13800 26893 MT -(later use. The ticket file to be used can be specified in the)SH -/Times-Bold SF -39609 XM -(KRBTKFILE)SH -/Times-Roman SF -13800 28089 MT -(environment variable. If this variable is not set, the name of the file will be)SH -/Times-Italic SF -13800 29285 MT -(/tmp/tkt)SH -/Times-BoldItalic SF -(uid)SH -/Times-Roman SF -(, where)SH -/Times-BoldItalic SF -22141 XM -(uid)SH -/Times-Roman SF -23884 XM -(is the UNIX user-id, represented in decimal.)SH -9400 31236 MT -(2.)SH -10500 XM -(Now you use the)SH -/Times-Italic SF -18198 XM -(rlogin)SH -/Times-Roman SF -21163 XM -(client to try to access the machine)SH -/Times-Italic SF -36344 XM -(laughter)SH -/Times-Roman SF -(.)SH -/Courier SF -11820 32813 MT -(host%)SH -/Times-Bold SF -15780 XM -(rlogin laughter)275 W -/Times-Roman SF -12762 34764 MT -(a.)SH -13800 XM -(The)SH -/Times-Italic SF -15785 XM -(rlogin)SH -/Times-Roman SF -18750 XM -(client checks your ticket file to see if you have a ticket for)SH -/Times-Italic SF -44559 XM -(laughter)SH -/Times-Roman SF -('s)SH -/Times-Italic SF -13800 35960 MT -(rcmd)SH -/Times-Roman SF -16335 XM -(service \050the rlogin program uses the)SH -/Times-Italic SF -32401 XM -(rcmd)SH -/Times-Roman SF -34936 XM -(service name, mostly for historical)SH -13800 37156 MT -(reasons\051. 
You) -275 W( don't, so)SH -/Times-Italic SF -24583 XM -(rlogin)SH -/Times-Roman SF -27548 XM -(uses the ticket file's)SH -/Times-Italic SF -36590 XM -(ticket-granting ticket)SH -/Times-Roman SF -46060 XM -(to make a)SH -13800 38352 MT -(request to the master server's ticket-granting service.)SH -12700 40246 MT -(b.)SH -13800 XM -(This ticket-granting service receives the)SH -/Times-Italic SF -31667 XM -(rcmd-laughter)SH -/Times-Roman SF -38296 XM -(request and looks in the)SH -13800 41442 MT -(master database for an)SH -/Times-Italic SF -23938 XM -(rcmd-laughter)SH -/Times-Roman SF -30567 XM -(entry. If) -275 W( that entry exists, the ticket-granting)SH -13800 42638 MT -(service issues you a ticket for that service. That ticket is also cached in your ticket)SH -13800 43834 MT -(file.)SH -12762 45728 MT -(c.)SH -13800 XM -(The)SH -/Times-Italic SF -15785 XM -(rlogin)SH -/Times-Roman SF -18750 XM -(client now uses that ticket to request service from the)SH -/Times-Italic SF -42454 XM -(laughter rlogin)SH -/Times-Roman SF -13800 46924 MT -(service program. The service program lets you)SH -/Times-Italic SF -34843 XM -(rlogin)SH -/Times-Roman SF -37808 XM -(if the ticket is valid.)SH -16 /Times-Bold AF -7200 51596 MT -(2. 
Setting) -400 W( Up and Testing the Kerberos Server)SH -11 /Times-Roman AF -7200 53791 MT -(The procedure for setting up and testing a Kerberos server is as follows:)SH -9400 55742 MT -(1.)SH -10500 XM -(Use the)SH -/Times-Italic SF -14104 XM -(kdb_init)SH -/Times-Roman SF -17985 XM -(command to create and initialize the master database.)SH -9400 57636 MT -(2.)SH -10500 XM -(Use the)SH -/Times-Italic SF -14104 XM -(kdb_edit)SH -/Times-Roman SF -18167 XM -(utility to add your username to the master database.)SH -9400 59530 MT -(3.)SH -10500 XM -(Start the Kerberos server.)SH -9400 61424 MT -(4.)SH -10500 XM -(Use the)SH -/Times-Italic SF -14104 XM -(kinit)SH -/Times-Roman SF -16335 XM -(command to obtain a Kerberos ticket-granting ticket.)SH -9400 63318 MT -(5.)SH -10500 XM -(Use the)SH -/Times-Italic SF -14104 XM -(klist)SH -/Times-Roman SF -16213 XM -(command to verify that the)SH -/Times-Italic SF -28402 XM -(kinit)SH -/Times-Roman SF -30633 XM -(command authenticated you successfully.)SH -10 SS -7200 75600 MT -(MIT Project Athena)SH -30350 XM -(2)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 3 4 -BS -0 SI -14 /Times-Bold AF -7200 8138 MT -(2.1 Creating) -350 W( and Initializing the Master Database)SH -11 /Times-Roman AF -7200 10333 MT -(Login to the Kerberos master server machine, and use the)SH -/Times-Bold SF -32825 XM -(su)SH -/Times-Roman SF -34140 XM -(command to become root. If you installed)SH -7200 11529 MT -(the Kerberos administration tools with the)SH -/Times-Italic SF -26020 XM -(make install)SH -/Times-Roman SF -31642 XM -(command and the default pathnames, they should)SH -7200 12725 MT -(be in the)SH -/Times-Italic SF -11263 XM -(/usr/etc)SH -/Times-Roman SF -14838 XM -(directory. If) -275 W( you installed the tools in a different directory, hopefully you know what it)SH -7200 13921 MT -(is. 
From) -275 W( now on, we will refer to this directory as [ADMIN_DIR].)SH -7200 16219 MT -(The)SH -/Times-Italic SF -9185 XM -(kdb_init)SH -/Times-Roman SF -13066 XM -(command creates and initializes the master database. It asks you to enter the system's realm)SH -7200 17415 MT -(name and the database's master password. Do not forget this password. If you do, the database becomes)SH -7200 18611 MT -(useless. \050Your) -275 W( realm name should be substituted for [REALMNAME] below.\051)SH -7200 20909 MT -(Use)SH -/Times-Italic SF -9185 XM -(kdb_init)SH -/Times-Roman SF -13066 XM -(as follows:)SH -/Courier SF -8520 22486 MT -(host#)SH -/Times-Bold SF -12480 XM -([ADMIN_DIR]/kdb_init)SH -/Courier SF -8520 23600 MT -(Realm name \050default XXX\051:)SH -/Times-Bold SF -25680 XM -([REALMNAME])SH -39600 XM -(<--)SH -/Times-BoldItalic SF -41619 XM -(Enter your system's realm name.)SH -/Courier SF -8520 24714 MT -(You will be prompted for the database Master Password.)SH -8520 25828 MT -(It is important that you NOT FORGET this password.)SH -8520 28056 MT -(Enter Kerberos master key:)SH -/Times-Bold SF -28800 XM -(<--)SH -/Times-BoldItalic SF -30819 XM -(Enter the master password.)SH -14 /Times-Bold AF -7200 32988 MT -(2.2 Storing) -350 W( the Master Password)SH -11 /Times-Roman AF -7200 35183 MT -(The)SH -/Times-Italic SF -9185 XM -(kstash)SH -/Times-Roman SF -12210 XM -(command ``stashes'' the master password in the file)SH -/Times-Italic SF -35424 XM -(/.k)SH -/Times-Roman SF -36768 XM -(so that the Kerberos server can be)SH -7200 36379 MT -(started automatically during an unattended reboot of the master server. Other administrative programs)SH -7200 37575 MT -(use this hidden password so that they can access the master database without someone having to manually)SH -7200 38771 MT -(provide the master password. 
This command is an optional one; if you'd rather enter the master password)SH -7200 39967 MT -(each time you start the Kerberos server, don't use)SH -/Times-Italic SF -29312 XM -(kstash)SH -/Times-Roman SF -(.)SH -7200 42265 MT -(One the one hand, if you use)SH -/Times-Italic SF -20090 XM -(kstash)SH -/Times-Roman SF -(, a copy of the master key will reside on disk which may not be)SH -7200 43461 MT -(acceptable; on the other hand, if you don't use)SH -/Times-Italic SF -27848 XM -(kstash)SH -/Times-Roman SF -(, the server cannot be started unless someone is)SH -7200 44657 MT -(around to type the password in manually.)SH -7200 46955 MT -(The command prompts you twice for the master password:)SH -/Courier SF -8520 48532 MT -(host#)SH -/Times-Bold SF -12480 XM -([ADMIN_DIR]/kstash)SH -/Courier SF -8520 50760 MT -(Enter Kerberos master key:)SH -/Times-Bold SF -28800 XM -(<--)SH -/Times-BoldItalic SF -30819 XM -(Enter the master password.)SH -/Courier SF -8520 51874 MT -(Current Kerberos master key version is 1.)SH -8520 54102 MT -(Master key entered) -SH( BEWARE!)1320 W -/Times-Roman SF -7200 56400 MT -(A note about the Kerberos database master key: if your master key is compromised and the database is)SH -7200 57596 MT -(obtained, the security of your entire authentication system is compromised. The master key must be a)SH -7200 58792 MT -(carefully kept secret. If you keep backups, you must guard all the master keys you use, in case someone)SH -7200 59988 MT -(has stolen an old backup and wants to attack users' whose passwords haven't changed since the backup)SH -7200 61184 MT -(was stolen. 
This is why we provide the option not to store it on disk.)SH -10 SS -7200 75600 MT -(MIT Project Athena)SH -30350 XM -(3)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 4 5 -BS -0 SI -14 /Times-Bold AF -7200 8167 MT -(2.3 Using)350 W -/Times-BoldItalic SF -13423 XM -(kdb_edit)SH -/Times-Bold SF -18673 XM -(to Add Users to the Master Database)SH -11 /Times-Roman AF -7200 10362 MT -(The)SH -/Times-Italic SF -9185 XM -(kdb_edit)SH -/Times-Roman SF -13248 XM -(program is used to add new users and services to the master database, and to modify)SH -7200 11558 MT -(existing database information. The program prompts you to enter a principal's)SH -/Times-Bold SF -42177 XM -(name)SH -/Times-Roman SF -45018 XM -(and)SH -/Times-Bold SF -46881 XM -(instance)SH -/Times-Roman SF -(.)SH -7200 13856 MT -(A principal name is typically a username or a service program's name. An instance further qualifies the)SH -7200 15052 MT -(principal. If) -275 W( the principal is a service, the instance is used to specify the name of the machine on which)SH -7200 16248 MT -(that service runs. If the principal is a username that has general user privileges, the instance is usually set)SH -7200 17444 MT -(to null.)SH -7200 19742 MT -(The following example shows how to use)SH -/Times-Italic SF -25805 XM -(kdb_edit)SH -/Times-Roman SF -29868 XM -(to add the user)SH -/Times-Italic SF -36588 XM -(wave)SH -/Times-Roman SF -39123 XM -(to the Kerberos database.)SH -/Courier SF -8520 21319 MT -(host#)SH -/Times-Bold SF -12480 XM -([ADMIN_DIR]/kdb_edit)SH -/Courier SF -8520 23547 MT -(Opening database...)SH -8520 25775 MT -(Enter Kerberos master key:)SH -8520 26889 MT -(Verifying, please re-enter)SH -8520 28003 MT -(Enter Kerberos master key:)SH -8520 29117 MT -(Current Kerberos master key version is 1)SH -8520 31345 MT -(Master key entered. 
BEWARE!)SH -8520 32459 MT -(Previous or default values are in [brackets] ,)SH -8520 33573 MT -(enter return to leave the same, or new value.)SH -8520 35801 MT -(Principal name:)SH -/Times-Bold SF -19080 XM -(wave)SH -28800 XM -(<--)SH -/Times-BoldItalic SF -30819 XM -(Enter the username.)SH -/Courier SF -8520 36915 MT -(Instance:)SH -/Times-BoldItalic SF -28800 XM -(<-- Enter a null instance.)SH -/Courier SF -8520 39143 MT -(, Create [y] ?)SH -/Times-Bold SF -25680 XM -(y)SH -28800 XM -(<--)SH -/Times-BoldItalic SF -30819 XM -(The user-instance does not exist.)SH -30450 40257 MT -(Enter y to create the user-instance.)SH -/Courier SF -8520 41371 MT -(Principal: wave Instance: m_key_v: 1)SH -8520 42485 MT -(New Password:)SH -/Times-BoldItalic SF -28800 XM -(<-- Enter the user-instance's password.)SH -/Courier SF -8520 43599 MT -(Verifying, please re-enter)SH -8520 44713 MT -(New Password:)SH -8520 45827 MT -(Principal's new key version = 1)SH -8520 46941 MT -(Expiration date \050enter dd-mm-yy\051 [ 12/31/99 ] ?)SH -/Times-Bold SF -39600 XM -(<--)SH -/Times-BoldItalic SF -41619 XM -(Enter newlines)SH -/Courier SF -8520 48055 MT -(Max ticket lifetime \050*5 minutes\051 [ 255 ] ?)SH -/Times-Bold SF -39600 XM -(<--)SH -/Times-BoldItalic SF -41619 XM -(to get the)SH -/Courier SF -8520 49169 MT -(Attributes [ 0 ] ?)SH -/Times-Bold SF -30120 XM -(<--)SH -/Times-BoldItalic SF -32139 XM -(default values.)SH -/Courier SF -8520 50283 MT -(Edit O.K.)SH -8520 52511 MT -(Principal name:)SH -/Times-BoldItalic SF -28800 XM -(<-- Enter a newline to exit the program.)SH -/Times-Roman SF -7200 54809 MT -(Use the)SH -/Times-Italic SF -10804 XM -(kdb_edit)SH -/Times-Roman SF -14867 XM -(utility to add your username to the master database.)SH -14 /Times-Bold AF -7200 58627 MT -(2.4 Starting) -350 W( the Kerberos Server)SH -11 /Times-Roman AF -7200 60822 MT -(Change directories to the directory in which you have installed the server program)SH -/Times-Italic SF -43701 XM -(kerberos)SH 
-/Times-Roman SF -47824 XM -(\050the default)SH -7200 62018 MT -(directory is)SH -/Times-Italic SF -12454 XM -(/usr/etc)SH -/Times-Roman SF -(\051, and start the program as a background process:)SH -/Courier SF -8520 63595 MT -(host#)SH -/Times-Bold SF -12480 XM -(./kerberos &)SH -/Times-Roman SF -7200 65190 MT -(If you have used the)SH -/Times-Italic SF -16393 XM -(kstash)SH -/Times-Roman SF -19418 XM -(command to store the master database password, the server will start)SH -7200 66386 MT -(automatically. If) -275 W( you did not use)SH -/Times-Italic SF -22048 XM -(kstash)SH -/Times-Roman SF -(, use the following command:)SH -/Courier SF -8520 67963 MT -(host#)SH -/Times-Bold SF -12480 XM -(./kerberos -m)SH -10 /Times-Roman AF -7200 75600 MT -(MIT Project Athena)SH -30350 XM -(4)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 5 6 -BS -0 SI -11 /Times-Roman AF -7200 7955 MT -(The server will prompt you to enter the master password before actually starting itself.)SH -14 /Times-Bold AF -7200 11773 MT -(2.5 Testing) -350 W( the Kerberos Server)SH -11 /Times-Roman AF -7200 13968 MT -(Exit the root account and use the)SH -/Times-Italic SF -21893 XM -(kinit)SH -/Times-Roman SF -24124 XM -(command obtain a Kerberos ticket-granting ticket. This command)SH -7200 15164 MT -(creates your ticket file and stores the ticket-granting ticket in it.)SH -7200 17462 MT -(If you used the default)SH -/Times-Italic SF -17371 XM -(make install)SH -/Times-Roman SF -22993 XM -(command and directories to install the Kerberos user utilities,)SH -/Times-Italic SF -50365 XM -(kinit)SH -/Times-Roman SF -7200 18658 MT -(will be in the)SH -/Times-Italic SF -13250 XM -(/usr/athena)SH -/Times-Roman SF -18537 XM -(directory. 
From now on, we'll refer to the Kerberos user commands directory as)SH -7200 19854 MT -([K_USER].)SH -7200 22152 MT -(Use)SH -/Times-Italic SF -9185 XM -(kinit)SH -/Times-Roman SF -11416 XM -(as follows:)SH -/Courier SF -8520 23729 MT -(host%)SH -/Times-Bold SF -12480 XM -([K_USER]/kinit)SH -/Courier SF -8520 24843 MT -(MIT Project Athena, \050ariadne\051)SH -8520 25957 MT -(Kerberos Initialization)SH -8520 27071 MT -(Kerberos name:)SH -/Times-BoldItalic SF -18420 XM -(yourusername)SH -/Times-Bold SF -28800 XM -(<--)SH -/Times-BoldItalic SF -30819 XM -(Enter your Kerberos username.)SH -/Courier SF -8520 28185 MT -(Password:)SH -/Times-Bold SF -28800 XM -(<--)SH -/Times-BoldItalic SF -30819 XM -(Enter your Kerberos password.)SH -/Times-Roman SF -7200 30483 MT -(Use the)SH -/Times-Italic SF -10804 XM -(klist)SH -/Times-Roman SF -12913 XM -(program to list the contents of your ticket file.)SH -/Courier SF -8520 32060 MT -(host%)SH -/Times-Bold SF -12480 XM -([K_USER]/klist)SH -/Times-Roman SF -7200 33655 MT -(The command should display something like the following:)SH -/Courier SF -8520 35181 MT -(Ticket file:) -SH( /tmp/tkt5555)1980 W -8520 36295 MT -(Principal: yourusername@REALMNAME)3300 W -9840 38523 MT -(Issued Expires) -6600 W( Principal)5940 W -8520 39637 MT -(May 6) -660 W( 10:15:23 May 6 18:15:23 krbtgt.REALMNAME@REALMNAME)SH -/Times-Roman SF -7200 41935 MT -(If you have any problems, you can examine the log file)SH -/Times-Italic SF -31758 XM -(/kerberos/kerberos.log)SH -/Times-Roman SF -42022 XM -(on the Kerberos server)SH -7200 43131 MT -(machine to see if there was some sort of error.)SH -16 /Times-Bold AF -7200 47803 MT -(3. 
Setting) -400 W( up and testing the Administration server)SH -11 /Times-Roman AF -7200 49998 MT -(The procedure for setting up and testing the Kerberos administration server is as follows:)SH -9400 51949 MT -(1.)SH -10500 XM -(Use the)SH -/Times-Italic SF -14104 XM -(kdb_edit)SH -/Times-Roman SF -18167 XM -(utility to add your username with an administration instance to the master)SH -10500 53145 MT -(database.)SH -9400 55039 MT -(2.)SH -10500 XM -(Edit the access control lists for the administration server)SH -9400 56933 MT -(3.)SH -10500 XM -(Start the Kerberos administration server.)SH -9400 58827 MT -(4.)SH -10500 XM -(Use the)SH -/Times-Italic SF -14104 XM -(kpasswd)SH -/Times-Roman SF -18107 XM -(command to change your password.)SH -9400 60721 MT -(5.)SH -10500 XM -(Use the)SH -/Times-Italic SF -14104 XM -(kadmin)SH -/Times-Roman SF -17617 XM -(command to add new entries to the database.)SH -9400 62615 MT -(6.)SH -10500 XM -(Use the)SH -/Times-Italic SF -14104 XM -(kinit)SH -/Times-Roman SF -16335 XM -(command to verify that the)SH -/Times-Italic SF -28524 XM -(kadmin)SH -/Times-Roman SF -32037 XM -(command correctly added new entries to)SH -10500 63811 MT -(the database.)SH -10 SS -7200 75600 MT -(MIT Project Athena)SH -30350 XM -(5)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 6 7 -BS -0 SI -14 /Times-Bold AF -7200 8138 MT -(3.1 Adding) -350 W( an administration instance for the administrator)SH -11 /Times-Roman AF -7200 10333 MT -(Login to the Kerberos master server machine, and use the)SH -/Times-Bold SF -32825 XM -(su)SH -/Times-Roman SF -34140 XM -(command to become root. 
Use the)SH -/Times-Italic SF -49780 XM -(kdb_edit)SH -/Times-Roman SF -7200 11529 MT -(program to create an entry for each administrator with the instance ``)SH -/Times-BoldItalic SF -(admin)SH -/Times-Roman SF -(''.)SH -/Courier SF -8520 13106 MT -(host#)SH -/Times-Bold SF -12480 XM -([ADMIN_DIR]/kdb_edit)SH -/Courier SF -8520 15334 MT -(Opening database...)SH -8520 17562 MT -(Enter Kerberos master key:)SH -8520 18676 MT -(Verifying, please re-enter)SH -8520 19790 MT -(Enter Kerberos master key:)SH -8520 20904 MT -(Current Kerberos master key version is 1)SH -8520 23132 MT -(Master key entered. BEWARE!)SH -8520 24246 MT -(Previous or default values are in [brackets] ,)SH -8520 25360 MT -(enter return to leave the same, or new value.)SH -8520 27588 MT -(Principal name:)SH -/Times-Bold SF -19080 XM -(wave)SH -28800 XM -(<--)SH -/Times-BoldItalic SF -30819 XM -(Enter the username.)SH -/Courier SF -8520 28702 MT -(Instance:)SH -/Times-Bold SF -(admin)SH -28800 XM -(<--)SH -/Times-BoldItalic SF -30819 XM -(Enter ``admin''.)SH -/Courier SF -8520 30930 MT -(, Create [y] ?)SH -/Times-Bold SF -25680 XM -(y)SH -28800 XM -(<--)SH -/Times-BoldItalic SF -30819 XM -(The user-instance does not exist.)SH -30450 32044 MT -(Enter y to create the user-instance.)SH -/Courier SF -8520 33158 MT -(Principal: wave Instance: admin m_key_v: 1)SH -8520 34272 MT -(New Password:)SH -/Times-BoldItalic SF -28800 XM -(<-- Enter the user-instance's password.)SH -/Courier SF -8520 35386 MT -(Verifying, please re-enter)SH -8520 36500 MT -(New Password:)SH -8520 37614 MT -(Principal's new key version = 1)SH -8520 38728 MT -(Expiration date \050enter dd-mm-yy\051 [ 12/31/99 ] ?)SH -/Times-Bold SF -39600 XM -(<--)SH -/Times-BoldItalic SF -41619 XM -(Enter newlines)SH -/Courier SF -8520 39842 MT -(Max ticket lifetime \050*5 minutes\051 [ 255 ] ?)SH -/Times-Bold SF -39600 XM -(<--)SH -/Times-BoldItalic SF -41619 XM -(to get the)SH -/Courier SF -8520 40956 MT -(Attributes [ 0 ] ?)SH -/Times-Bold SF 
-30120 XM -(<--)SH -/Times-BoldItalic SF -32139 XM -(default values.)SH -/Courier SF -8520 42070 MT -(Edit O.K.)SH -8520 44298 MT -(Principal name:)SH -/Times-BoldItalic SF -28800 XM -(<-- Enter a newline to exit the program.)SH -14 /Times-Bold AF -7200 48116 MT -(3.2 The) -350 W( Access Control Lists)SH -11 /Times-Roman AF -7200 50311 MT -(The Kerberos administration server uses three access control lists to determine who is authorized to make)SH -7200 51507 MT -(certain requests. The access control lists are stored on the master Kerberos server in the same directory as)SH -7200 52703 MT -(the principal database,)SH -/Times-Italic SF -17340 XM -(/kerberos)SH -/Times-Roman SF -(. The) -275 W( access control lists are simple ASCII text files, with each line)SH -7200 53899 MT -(specifying the name of one principal who is allowed the particular function. To allow several people to)SH -7200 55095 MT -(perform the same function, put their principal names on separate lines in the same file.)SH -7200 57393 MT -(The first list,)SH -/Times-Italic SF -13128 XM -(/kerberos/admin_acl.mod)SH -/Times-Roman SF -(, is a list of principals which are authorized to change entries in the)SH -7200 58589 MT -(database. 
To) -275 W( allow the administrator `)SH -/Times-Bold SF -(wave)SH -/Times-Roman SF -(' to modify entries in the database for the realm `)SH -/Times-Bold SF -(TIM.EDU)SH -/Times-Roman SF -(',)SH -7200 59785 MT -(you would put the following line into the file)SH -/Times-Italic SF -27275 XM -(/kerberos/admin_acl.mod)SH -/Times-Roman SF -(:)SH -/Courier SF -8520 61311 MT -(wave.admin@TIM.EDU)SH -/Times-Roman SF -7200 63609 MT -(The second list,)SH -/Times-Italic SF -14410 XM -(/kerberos/admin_acl.get)SH -/Times-Roman SF -(, is a list of principals which are authorized to retrieve entries)SH -7200 64805 MT -(from the database.)SH -7200 67103 MT -(The third list,)SH -/Times-Italic SF -13434 XM -(/kerberos/admin_acl.add)SH -/Times-Roman SF -(, is a list of principals which are authorized to add new entries to)SH -7200 68299 MT -(the database.)SH -10 SS -7200 75600 MT -(MIT Project Athena)SH -30350 XM -(6)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 7 8 -BS -0 SI -14 /Times-Bold AF -7200 8138 MT -(3.3 Starting) -350 W( the administration server)SH -11 /Times-Roman AF -7200 10333 MT -(Change directories to the directory in which you have installed the administration server program)SH -/Times-Italic SF -7200 11529 MT -(kadmind)SH -/Times-Roman SF -11263 XM -(\050the default directory is)SH -/Times-Italic SF -21831 XM -(/usr/etc)SH -/Times-Roman SF -(\051, and start the program as a background process:)SH -/Courier SF -8520 13106 MT -(host#)SH -/Times-Bold SF -12480 XM -(./kadmind -n&)SH -/Times-Roman SF -7200 14701 MT -(If you have used the)SH -/Times-Italic SF -16393 XM -(kstash)SH -/Times-Roman SF -19418 XM -(command to store the master database password, the server will start)SH -7200 15897 MT -(automatically. 
If) -275 W( you did not use)SH -/Times-Italic SF -22048 XM -(kstash)SH -/Times-Roman SF -(, use the following command:)SH -/Courier SF -8520 17474 MT -(host#)SH -/Times-Bold SF -12480 XM -(./kadmind)SH -/Times-Roman SF -7200 19069 MT -(The server will prompt you to enter the master password before actually starting itself; after it starts, you)SH -7200 20265 MT -(should suspend it and put it in the background \050usually this is done by typing control-Z and then)SH -/Times-Bold SF -49792 XM -(bg)SH -/Times-Roman SF -(\051.)SH -14 /Times-Bold AF -7200 24112 MT -(3.4 Testing)350 W -/Times-BoldItalic SF -14434 XM -(kpasswd)SH -11 /Times-Roman AF -7200 26307 MT -(To test the administration server, you should try changing your password with the)SH -/Times-Italic SF -43494 XM -(kpasswd)SH -/Times-Roman SF -47497 XM -(command, and)SH -7200 27503 MT -(you should try adding new users with the)SH -/Times-Italic SF -25592 XM -(kadmin)SH -/Times-Roman SF -29105 XM -(command \050both commands are installed into)SH -/Times-Italic SF -48963 XM -(/usr/athena)SH -/Times-Roman SF -7200 28699 MT -(by default\051.)SH -7200 30997 MT -(Before testing, you should exit the root account.)SH -7200 33295 MT -(To change your password, run the)SH -/Times-Italic SF -22441 XM -(kpasswd)SH -/Times-Roman SF -26444 XM -(command:)SH -/Courier SF -8520 34872 MT -(host%)SH -/Times-Bold SF -12480 XM -([K_USER]/kpasswd)SH -/Courier SF -8520 35986 MT -(Old password for wave@TIM.EDU:)SH -/Times-Bold SF -28800 XM -(<--)SH -/Times-BoldItalic SF -(Enter your password)SH -/Courier SF -8520 37100 MT -(New Password for wave@TIM.EDU:)SH -/Times-Bold SF -28800 XM -(<--)SH -/Times-BoldItalic SF -(Enter a new password)SH -/Courier SF -8520 38214 MT -(Verifying, please re-enter New Password for wave@TIM.EDU:)SH -/Times-Bold SF -28800 39328 MT -(<--)SH -/Times-BoldItalic SF -(Enter new password again)SH -/Courier SF -8520 40442 MT -(Password changed.)SH -/Times-Roman SF -7200 42037 MT -(Once you have changed your 
password, use the)SH -/Times-Italic SF -28365 XM -(kinit)SH -/Times-Roman SF -30596 XM -(program as shown above to verify that the password)SH -7200 43233 MT -(was properly changed.)SH -14 /Times-Bold AF -7200 47080 MT -(3.5 Testing)350 W -/Times-BoldItalic SF -14434 XM -(kadmin)SH -11 /Times-Roman AF -7200 49275 MT -(You should also test the function of the)SH -/Times-Italic SF -24798 XM -(kadmin)SH -/Times-Roman SF -28311 XM -(program, by adding a new user \050here named)SH -7200 50471 MT -(``)SH -/Courier SF -(username)SH -/Times-Roman SF -(''\051:)SH -/Courier SF -8520 52048 MT -(host%)SH -/Times-Bold SF -12480 XM -([K_USER]/kadmin)SH -/Courier SF -8520 53162 MT -(Welcome to the Kerberos Administration Program, version 2)SH -8520 54276 MT -(Type "help" if you need it.)SH -8520 55390 MT -(admin:)SH -/Times-Bold SF -13800 XM -(ank username)SH -/Times-BoldItalic SF -28800 XM -(`ank' stands for Add New Key)SH -/Courier SF -8520 56504 MT -(Admin password:)SH -/Times-Bold SF -28800 XM -(<--)SH -/Times-BoldItalic SF -(enter the password)SH -28800 57618 MT -(you chose above for wave.admin)SH -/Courier SF -8520 58732 MT -(Password for username:)SH -/Times-Bold SF -28800 XM -(<--)SH -/Times-BoldItalic SF -(Enter the user's initial password)SH -/Courier SF -8520 59846 MT -(Verifying, please re-enter Password for username:)SH -/Times-Bold SF -40920 XM -(<--)SH -/Times-BoldItalic SF -(enter it again)SH -/Courier SF -8520 60960 MT -(username added to database.)SH -8520 63188 MT -(admin: quit)660 W -8520 64302 MT -(Cleaning up and exiting.)SH -10 /Times-Roman AF -7200 75600 MT -(MIT Project Athena)SH -30350 XM -(7)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 8 9 -BS -0 SI -14 /Times-Bold AF -7200 8167 MT -(3.6 Verifying) -350 W( with)SH -/Times-BoldItalic SF -18671 XM -(kinit)SH -11 /Times-Roman AF -7200 10362 MT -(Once you've added a new user, you should test to make sure it was added properly by using)SH -/Times-Italic SF -47917 XM -(kinit)SH -/Times-Roman SF -(, and)SH 
-7200 11558 MT -(trying to get tickets for that user:)SH -/Courier SF -8520 13135 MT -(host%)SH -/Times-Bold SF -12480 XM -([K_USER]/kinit username)SH -/Courier SF -8520 14249 MT -(MIT Project Athena \050ariadne\051)SH -8520 15363 MT -(Kerberos Initialization for "username@TIM.EDU")SH -8520 16477 MT -(Password:)SH -/Times-Bold SF -15120 XM -(<--)SH -/Times-BoldItalic SF -(Enter the user's password you used above)SH -/Courier SF -8520 17591 MT -(host%)SH -/Times-Bold SF -12480 XM -([K_USER]/klist)SH -/Courier SF -8520 18705 MT -(Ticket file:) -SH( /tmp/tkt_5509_spare1)1980 W -8520 19819 MT -(Principal: username@TIM.MIT.EDU)3300 W -9840 22047 MT -(Issued Expires) -6600 W( Principal)5940 W -8520 23161 MT -(Nov 20 15:58:52 Nov 20 23:58:52 krbtgt.TIM.EDU@TIM.EDU)SH -/Times-Roman SF -7200 25459 MT -(If you have any problems, you can examine the log files)SH -/Times-Italic SF -32186 XM -(/kerberos/kerberos.log)SH -/Times-Roman SF -42450 XM -(and)SH -/Times-Italic SF -7200 26655 MT -(/kerberos/admin_server.syslog)SH -/Times-Roman SF -21008 XM -(on the Kerberos server machine to see if there was some sort of error.)SH -16 /Times-Bold AF -7200 31327 MT -(4. Setting) -400 W( up and testing slave server\050s\051)SH -11 /Times-Roman AF -7200 33522 MT -([Unfortunately, this chapter is not yet ready. Sorry. -ed])SH -16 /Times-Bold AF -7200 38194 MT -(5. A) -400 W( Sample Application)SH -11 /Times-Roman AF -7200 40389 MT -(This release of Kerberos comes with a sample application server and a corresponding client program.)SH -7200 41585 MT -(You will find this software in the [OBJ_DIR])SH -/Times-Italic SF -(/appl/sample)SH -/Times-Roman SF -33170 XM -(directory. 
The) -275 W( file)SH -/Times-Italic SF -41691 XM -(sample_client)SH -/Times-Roman SF -48076 XM -(contains the)SH -7200 42781 MT -(client program's executable code, the file)SH -/Times-Italic SF -25677 XM -(sample_server)SH -/Times-Roman SF -32366 XM -(contains the server's executable.)SH -7200 45079 MT -(The programs are rudimentary. When they have been installed \050the installation procedure is described in)SH -7200 46275 MT -(detail later\051, they work as follows:)SH -/Symbol SF -9169 48351 MT -(\267)SH -/Times-Roman SF -9950 XM -(The user starts)SH -/Times-Italic SF -16639 XM -(sample_client)SH -/Times-Roman SF -23024 XM -(and provides as arguments to the command the name of the)SH -9950 49547 MT -(server machine and a checksum. For instance:)SH -/Courier SF -11270 51147 MT -(host%)SH -/Times-Bold SF -15230 XM -(sample_client)SH -/Times-BoldItalic SF -22966 XM -(servername 43)385 W -/Symbol SF -9169 53041 MT -(\267)SH -/Times-Italic SF -9950 XM -(Sample_client)SH -/Times-Roman SF -16457 XM -(contacts the server machine and authenticates the user to)SH -/Times-Italic SF -41654 XM -(sample_server)SH -/Times-Roman SF -(.)SH -/Symbol SF -9169 54935 MT -(\267)SH -/Times-Italic SF -9950 XM -(Sample_server)SH -/Times-Roman SF -16761 XM -(authenticates itself to)SH -/Times-Italic SF -26384 XM -(sample_client)SH -/Times-Roman SF -(, then returns a message to the client)SH -9950 56131 MT -(program. 
This) -275 W( message contains diagnostic information that includes the user's username,)SH -9950 57327 MT -(the Kerberos realm, and the user's workstation address.)SH -/Symbol SF -9169 59221 MT -(\267)SH -/Times-Italic SF -9950 XM -(Sample_client)SH -/Times-Roman SF -16457 XM -(displays the server's message on the user's terminal screen.)SH -14 /Times-Bold AF -7200 63039 MT -(5.1 The) -350 W( Installation Process)SH -11 /Times-Roman AF -7200 65234 MT -(In general, you use the following procedure to install a Kerberos-authenticated server-client system.)SH -9400 67185 MT -(1.)SH -10500 XM -(Add the appropriate entry to the Kerberos database using)SH -/Times-Italic SF -35881 XM -(kdb_edit)SH -/Times-Roman SF -39944 XM -(or)SH -/Times-Italic SF -41135 XM -(kadmin)SH -/Times-Roman SF -44648 XM -(\050described)SH -10500 68381 MT -(below\051.)SH -10 SS -7200 75600 MT -(MIT Project Athena)SH -30350 XM -(8)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 9 10 -BS -0 SI -11 /Times-Roman AF -9400 7955 MT -(2.)SH -10500 XM -(Create a)SH -/Times-Italic SF -14408 XM -(/etc/srvtab)SH -/Times-Roman SF -19327 XM -(file for the server machine.)SH -9400 9849 MT -(3.)SH -10500 XM -(Install the service program and the)SH -/Times-Italic SF -26016 XM -(/etc/srvtab)SH -/Times-Roman SF -30935 XM -(file on the server machine.)SH -9400 11743 MT -(4.)SH -10500 XM -(Install the client program on the client machine.)SH -9400 13637 MT -(5.)SH -10500 XM -(Update the)SH -/Times-Italic SF -15570 XM -(/etc/services)SH -/Times-Roman SF -21281 XM -(file on the client and server machines.)SH -7200 15935 MT -(We will use the sample application as an example, although the procedure used to install)SH -/Times-Italic SF -46484 XM -(sample_server)SH -/Times-Roman SF -7200 17131 MT -(differs slightly from the general case because the)SH -/Times-Italic SF -29006 XM -(sample_server)SH -/Times-Roman SF -35695 XM -(takes requests via the)SH -/Times-Italic SF -45347 XM -(inetd)SH -/Times-Roman SF -47822 XM 
-(program.)SH -/Times-Italic SF -7200 18327 MT -(Inetd)SH -/Times-Roman SF -9735 XM -(starts)SH -/Times-Italic SF -12332 XM -(sample_server)SH -/Times-Roman SF -19021 XM -(each time a client process contacts the server machine.)SH -/Times-Italic SF -43606 XM -(Sample_server)SH -/Times-Roman SF -7200 19523 MT -(processes the request, terminiates, then is restarted when)SH -/Times-Italic SF -32368 XM -(inetd)SH -/Times-Roman SF -34843 XM -(receives another)SH -/Times-Italic SF -42293 XM -(sample_client)SH -/Times-Roman SF -48678 XM -(request.)SH -7200 20719 MT -(When you install the program on the server, you must add a)SH -/Times-Italic SF -33807 XM -(sample)SH -/Times-Roman SF -37198 XM -(entry to the server machine's)SH -/Times-Italic SF -7200 21915 MT -(/etc/inetd.conf)SH -/Times-Roman SF -13738 XM -(file.)SH -7200 24213 MT -(The following description assumes that you are installing)SH -/Times-Italic SF -32680 XM -(sample_server)SH -/Times-Roman SF -39369 XM -(on the machine)SH -/Times-Italic SF -46364 XM -(ariadne.tim.edu)SH -/Times-Roman SF -(.)SH -7200 25409 MT -(Here's the process, step by step:)SH -9400 27360 MT -(1.)SH -10500 XM -(Login as or)SH -/Times-Italic SF -15785 XM -(su)SH -/Times-Roman SF -17038 XM -(to root on the Kerberos server machine. Use the)SH -/Times-Italic SF -38631 XM -(kdb_edit)SH -/Times-Roman SF -42694 XM -(or)SH -/Times-Italic SF -43885 XM -(kadmin)SH -/Times-Roman SF -47398 XM -(program)SH -10500 28556 MT -(to create an entry for)SH -/Times-Italic SF -19935 XM -(sample)SH -/Times-Roman SF -23326 XM -(in the Kerberos database:)SH -/Courier SF -11820 30133 MT -(host#)SH -/Times-Bold SF -15780 XM -([ADMIN_DIR]/kdb_edit)SH -/Courier SF -11820 32361 MT -(Opening database...)SH -11820 34589 MT -(Enter Kerberos master key:)SH -11820 35703 MT -(Verifying, please re-enter)SH -11820 36817 MT -(master key entered. 
BEWARE!)SH -11820 37931 MT -(Previous or default values are in [brackets] ,)SH -11820 39045 MT -(enter return to leave the same, or new value.)SH -11820 41273 MT -(Principal name:)SH -/Times-Bold SF -22380 XM -(sample)SH -26220 XM -(<--)SH -/Times-BoldItalic SF -28239 XM -(Enter the principal name.)SH -/Courier SF -11820 42387 MT -(Instance:)SH -/Times-Bold SF -18420 XM -(ariadne)SH -26220 XM -(<--)SH -/Times-BoldItalic SF -28239 XM -(Instances cannot have periods in them.)SH -/Courier SF -11820 44615 MT -(, Create [y] ?)SH -/Times-Bold SF -28980 XM -(y)SH -/Courier SF -11820 46843 MT -(Principal: sample_server Instance: ariadne m_key_v: 1)SH -11820 47957 MT -(New Password:)SH -/Times-Bold SF -26220 XM -(<--)SH -/Times-BoldItalic SF -28239 XM -(Enter ``RANDOM'' to get random password.)SH -/Courier SF -11820 49071 MT -(Verifying, please re-enter)SH -11820 50185 MT -(New Password:)SH -/Times-Bold SF -26220 XM -(<--)SH -/Times-BoldItalic SF -28239 XM -(Enter ``RANDOM'' again.)SH -/Courier SF -11820 51299 MT -(Random password [y] ?)SH -/Times-Bold SF -26340 XM -(y)SH -/Courier SF -11820 53527 MT -(Principal's new key version = 1)SH -11820 54641 MT -(Expiration date \050enter dd-mm-yy\051 [ 12/31/99 ] ?)SH -11820 55755 MT -(Max ticket lifetime \050*5 minutes\051 [ 255 ] ?)SH -11820 56869 MT -(Attributes [ 0 ] ?)SH -11820 57983 MT -(Edit O.K.)SH -11820 60211 MT -(Principal name:)SH -/Times-Bold SF -26220 XM -(<--)SH -/Times-BoldItalic SF -28239 XM -(Enter newline to exit kdb_edit.)SH -/Times-Roman SF -9400 62105 MT -(2.)SH -10500 XM -(Use the)SH -/Times-Italic SF -14104 XM -(ext_srvtab)SH -/Times-Roman SF -18961 XM -(program to create a)SH -/Times-Italic SF -27755 XM -(srvtab)SH -/Times-Roman SF -30780 XM -(file for)SH -/Times-Italic SF -34078 XM -(sample_server)SH -/Times-Roman SF -('s host machine:)SH -10 SS -7200 75600 MT -(MIT Project Athena)SH -30350 XM -(9)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 10 11 -BS -0 SI -11 /Courier AF -11820 7937 MT -(host#)SH 
-/Times-Bold SF -15780 XM -([ADMIN_DIR]/ext_srvtab ariadne)275 W -/Courier SF -11820 10165 MT -(Enter Kerberos master key:)SH -11820 11279 MT -(Current Kerberos master key version is 1.)SH -11820 13507 MT -(Generating 'ariadne-new-srvtab'....)SH -/Times-Roman SF -10500 15102 MT -(Transfer the)SH -/Times-Italic SF -16118 XM -(ariadne-new-srvtab)SH -/Times-Roman SF -25069 XM -(file to)SH -/Times-Italic SF -27941 XM -(ariadne)SH -/Times-Roman SF -31638 XM -(and install it as)SH -/Times-Italic SF -38544 XM -(/etc/srvtab)SH -/Times-Roman SF -(. Note) -275 W( that this)SH -10500 16298 MT -(file is equivalent to the service's password and should be treated with care. For example, it)SH -10500 17494 MT -(could be transferred by removable media, but should not be sent over an open network in)SH -10500 18690 MT -(the clear. Once installed, this file should be readable only by root.)SH -9400 20584 MT -(3.)SH -10500 XM -(Add the following line to the)SH -/Times-Italic SF -23516 XM -(/etc/services)SH -/Times-Roman SF -29227 XM -(file on)SH -/Times-Italic SF -32343 XM -(ariadne)SH -/Times-Roman SF -(, and on all machines that will run)SH -10500 21780 MT -(the)SH -/Times-Italic SF -12119 XM -(sample_client)SH -/Times-Roman SF -18504 XM -(program:)SH -/Courier SF -11820 23306 MT -(sample 906/tcp) -2640 W( #) -3960 W( Kerberos sample app server)SH -/Times-Roman SF -9400 25200 MT -(4.)SH -10500 XM -(Add a line similar to the following line to the)SH -/Times-Italic SF -30666 XM -(/etc/inetd.conf)SH -/Times-Roman SF -37204 XM -(file on)SH -/Times-Italic SF -40320 XM -(sample_server)SH -/Times-Roman SF -('s)SH -10500 26396 MT -(machine:)SH -/Courier SF -11820 27922 MT -(sample stream tcp nowait switched root)1320 W -14460 29036 MT -([PATH]/sample_server sample_server)SH -/Times-Roman SF -10500 30631 MT -(where [PATH] should be substituted with the path to the)SH -/Times-Italic SF -35674 XM -(sample_server)SH -/Times-Roman SF -42363 XM -(program. 
\050This)275 W -/Times-Italic SF -10500 31827 MT -(inetd.conf)SH -/Times-Roman SF -15144 XM -(information should be placed on one line.\051 You should examine existing lines in)SH -/Times-Italic SF -10500 33023 MT -(/etc/inetd.conf)SH -/Times-Roman SF -17038 XM -(and use the same format used by other entries \050e.g. for telnet\051. Most systems)SH -10500 34219 MT -(do not have a column for the `switched' keyword, and some do not have a column for the)SH -10500 35415 MT -(username \050usually `root', as above\051.)SH -9400 37309 MT -(5.)SH -10500 XM -(Restart)SH -/Times-Italic SF -13891 XM -(inetd)SH -/Times-Roman SF -16366 XM -(by sending the current)SH -/Times-Italic SF -26446 XM -(inetd)SH -/Times-Roman SF -28921 XM -(process a hangup signal:)SH -/Courier SF -11820 38909 MT -(host#)SH -/Times-Bold SF -15780 XM -(kill -HUP)275 W -/Times-BoldItalic SF -21373 XM -(process_id_number)SH -/Times-Roman SF -9400 40803 MT -(6.)SH -10500 XM -(The)SH -/Times-Italic SF -12485 XM -(sample_server)SH -/Times-Roman SF -19174 XM -(is now ready to take)SH -/Times-Italic SF -28307 XM -(sample_client)SH -/Times-Roman SF -34692 XM -(requests.)SH -14 /Times-Bold AF -7200 44621 MT -(5.2 Testing) -350 W( the Sample Server)SH -11 /Times-Roman AF -7200 46816 MT -(Assume that you have installed)SH -/Times-Italic SF -21223 XM -(sample_server)SH -/Times-Roman SF -27912 XM -(on)SH -/Times-Italic SF -29287 XM -(ariadne)SH -/Times-Roman SF -(.)SH -7200 49114 MT -(Login to your workstation and use the)SH -/Times-Italic SF -24217 XM -(kinit)SH -/Times-Roman SF -26448 XM -(command to obtain a Kerberos ticket-granting ticket:)SH -/Courier SF -8520 50691 MT -(host%)SH -/Times-Bold SF -12480 XM -([K_USER]/kinit)SH -/Courier SF -8520 51805 MT -(MIT Project Athena, \050your_workstation\051)SH -8520 52919 MT -(Kerberos Initialization)SH -8520 54033 MT -(Kerberos name:)SH -/Times-BoldItalic SF -18420 XM -(yourusername)SH -/Times-Bold SF -28800 XM -(<--)SH -/Times-BoldItalic SF -30819 XM -(Enter your 
Kerberos username.)SH -/Courier SF -8520 55147 MT -(Password:)SH -/Times-Bold SF -28800 XM -(<--)SH -/Times-BoldItalic SF -30819 XM -(Enter your Kerberos password.)SH -/Times-Roman SF -7200 57445 MT -(Now use the)SH -/Times-Italic SF -12973 XM -(sample_client)SH -/Times-Roman SF -19358 XM -(program as follows:)SH -/Courier SF -8520 59022 MT -(host%)SH -/Times-Bold SF -12480 XM -([PATH]/sample_client ariadne)275 W -/Times-Roman SF -7200 60617 MT -(The command should display something like the following:)SH -/Courier SF -8520 62143 MT -(The server says:)SH -8520 63257 MT -(You are)SH -/Times-BoldItalic SF -13800 XM -(yourusername)SH -/Courier SF -(.@REALMNAME \050local name)SH -/Times-BoldItalic SF -36180 XM -(yourusername)SH -/Courier SF -(\051,)SH -9180 64371 MT -(at address)SH -/Times-BoldItalic SF -16440 XM -(yournetaddress)SH -/Courier SF -(, version VERSION9, cksum 997)SH -10 /Times-Roman AF -7200 75600 MT -(MIT Project Athena)SH -30100 XM -(10)SH -47890 XM -(4 January 1990)SH -ES -%%Page: 11 12 -BS -0 SI -16 /Times-Bold AF -7200 8272 MT -(6. Service) -400 W( names and other services)SH -14 SS -7200 12090 MT -(6.1 rlogin,) -350 W( rsh, rcp, tftp, and others)SH -11 /Times-Roman AF -7200 14285 MT -(Many services use a common principal name for authentication purposes.)SH -/Times-Italic SF -40128 XM -(rlogin)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -43368 XM -(rsh)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -45324 XM -(rcp)SH -/Times-Roman SF -(,)SH -/Times-Italic SF -47340 XM -(tftp)SH -/Times-Roman SF -49083 XM -(and others)SH -7200 15481 MT -(use the principal name ``)SH -/Courier SF -(rcmd)SH -/Times-Roman SF -(''. For) -275 W( example, to set up the machine)SH -/Times-Italic SF -38033 XM -(ariadne)SH -/Times-Roman SF -41730 XM -(to support Kerberos rlogin,)SH -7200 16677 MT -(it needs to have a service key for principal ``)SH -/Courier SF -(rcmd)SH -/Times-Roman SF -('', instance ``)SH -/Courier SF -(ariadne)SH -/Times-Roman SF -(''. 
You) -275 W( create this key in the)SH -7200 17873 MT -(same way as shown above for the sample service.)SH -7200 20171 MT -(After creating this key, you need to run the)SH -/Times-Italic SF -26382 XM -(ext_srvtab)SH -/Times-Roman SF -31239 XM -(program again to generate a new srvtab file for)SH -7200 21367 MT -(ariadne.)SH -14 /Times-Bold AF -7200 25185 MT -(6.2 NFS) -350 W( modifications)SH -11 /Times-Roman AF -7200 27380 MT -(The NFS modifications distributed separately use the service name ``)SH -/Courier SF -(rvdsrv)SH -/Times-Roman SF -('' with the instance set to)SH -7200 28576 MT -(the machine name \050as for the sample server and the rlogin, rsh, rcp and tftp services\051.)SH -14 /Times-Bold AF -7200 32394 MT -(6.3 inetd.conf) -350 W( entries)SH -11 /Times-Roman AF -7200 34589 MT -(The following are the)SH -/Times-Italic SF -16974 XM -(/etc/inetd.conf)SH -/Times-Roman SF -23512 XM -(entries necessary to support rlogin, encrypted rlogin, rsh, and rcp)SH -7200 35785 MT -(services on a server machine. As above, your)SH -/Times-Italic SF -27631 XM -(inetd.conf)SH -/Times-Roman SF -32275 XM -(may not support all the fields shown here.)SH -/Courier SF -8520 37311 MT -(eklogin stream) -660 W( tcp nowait unswitched root)1320 W -11160 38425 MT -([PATH]/klogind eklogind)1320 W -8520 39539 MT -(kshell stream tcp nowait unswitched root)1320 W -11160 40653 MT -([PATH]/kshd kshd)1320 W -8520 41767 MT -(klogin stream tcp nowait unswitched root)1320 W -11160 42881 MT -([PATH]/klogind klogind)1320 W -10 /Times-Roman AF -7200 75600 MT -(MIT Project Athena)SH -30100 XM -(11)SH -47890 XM -(4 January 1990)SH -ES -%%Page: i 13 -BS -0 SI -14 /Times-Bold AF -25272 8138 MT -(Table of Contents)SH -13 SS -7200 9781 MT -(1. 
How) -325 W( Kerberos Works: A Schematic Description)SH -53350 XM -(1)SH -12 /Times-Roman AF -9000 11130 MT -(1.1 Network) -300 W( Services and Their Client Programs)SH -53400 XM -(1)SH -9000 12479 MT -(1.2 Kerberos) -300 W( Tickets)SH -53400 XM -(1)SH -9000 13828 MT -(1.3 The) -300 W( Kerberos Master Database)SH -53400 XM -(1)SH -9000 15177 MT -(1.4 The) -300 W( Ticket-Granting Ticket)SH -53400 XM -(1)SH -9000 16526 MT -(1.5 Network) -300 W( Services and the Master Database)SH -53400 XM -(1)SH -9000 17875 MT -(1.6 The) -300 W( User-Kerberos Interaction)SH -53400 XM -(2)SH -13 /Times-Bold AF -7200 19518 MT -(2. Setting) -325 W( Up and Testing the Kerberos Server)SH -53350 XM -(2)SH -12 /Times-Roman AF -9000 20867 MT -(2.1 Creating) -300 W( and Initializing the Master Database)SH -53400 XM -(3)SH -9000 22216 MT -(2.2 Storing) -300 W( the Master Password)SH -53400 XM -(3)SH -9000 23571 MT -(2.3 Using)300 W -/Times-BoldItalic SF -14267 XM -(kdb_edit)SH -/Times-Roman SF -18768 XM -(to Add Users to the Master Database)SH -53400 XM -(4)SH -9000 24920 MT -(2.4 Starting) -300 W( the Kerberos Server)SH -53400 XM -(4)SH -9000 26269 MT -(2.5 Testing) -300 W( the Kerberos Server)SH -53400 XM -(5)SH -13 /Times-Bold AF -7200 27912 MT -(3. Setting) -325 W( up and testing the Administration server)SH -53350 XM -(5)SH -12 /Times-Roman AF -9000 29261 MT -(3.1 Adding) -300 W( an administration instance for the administrator)SH -53400 XM -(6)SH -9000 30610 MT -(3.2 The) -300 W( Access Control Lists)SH -53400 XM -(6)SH -9000 31959 MT -(3.3 Starting) -300 W( the administration server)SH -53400 XM -(7)SH -9000 33314 MT -(3.4 Testing)300 W -/Times-BoldItalic SF -15001 XM -(kpasswd)SH -/Times-Roman SF -53400 XM -(7)SH -9000 34669 MT -(3.5 Testing)300 W -/Times-BoldItalic SF -15001 XM -(kadmin)SH -/Times-Roman SF -53400 XM -(7)SH -9000 36024 MT -(3.6 Verifying) -300 W( with)SH -/Times-BoldItalic SF -18501 XM -(kinit)SH -/Times-Roman SF -53400 XM -(8)SH -13 /Times-Bold AF -7200 37667 MT -(4. 
Setting) -325 W( up and testing slave server\050s\051)SH -53350 XM -(8)SH -7200 39310 MT -(5. A) -325 W( Sample Application)SH -53350 XM -(8)SH -12 /Times-Roman AF -9000 40659 MT -(5.1 The) -300 W( Installation Process)SH -53400 XM -(8)SH -9000 42008 MT -(5.2 Testing) -300 W( the Sample Server)SH -52800 XM -(10)SH -13 /Times-Bold AF -7200 43651 MT -(6. Service) -325 W( names and other services)SH -52700 XM -(11)SH -12 /Times-Roman AF -9000 45000 MT -(6.1 rlogin,) -300 W( rsh, rcp, tftp, and others)SH -52800 XM -(11)SH -9000 46349 MT -(6.2 NFS) -300 W( modifications)SH -52800 XM -(11)SH -9000 47698 MT -(6.3 inetd.conf) -300 W( entries)SH -52800 XM -(11)SH -10 SS -7200 75600 MT -(MIT Project Athena)SH -30461 XM -(i)SH -47890 XM -(4 January 1990)SH -ES -%%Trailer -%%Pages: 13 -%%DocumentFonts: Times-Roman Times-Bold Times-Italic Times-BoldItalic Courier Symbol diff --git a/doc/old-V4-docs/operation.mss b/doc/old-V4-docs/operation.mss deleted file mode 100644 index a35bb9f95..000000000 --- a/doc/old-V4-docs/operation.mss +++ /dev/null 
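Review bot: confirm that no remaining doc/Makefile rule or distribution file list still names this PostScript file as a target or dependency, since the hunk drops a checked-in generated artifact (it ends with the %%Trailer and %%DocumentFonts comments, i.e. a complete rendered document) whose Scribe source doc/old-V4-docs/operation.mss is deleted in the next hunk; removing the rendering together with its source is the right pairing, but a stale rule or file list would fail on the missing .ps.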
@@ -1,799 +0,0 @@ -@Comment[ $Source$] -@Comment[ $Author$] -@Comment[ $Id$] -@Comment[] -@device[postscript] -@make[report] -@comment[ -@DefineFont(HeadingFont, - P=, - B=, - I=, - R=) -] -@DefineFont(HeadingFont, - P=, - B=, - I=, - R=) -@Counter(MajorPart,TitleEnv HD0,ContentsEnv tc0,Numbered [@I], - IncrementedBy Use,Announced) -@Counter(Chapter,TitleEnv HD1,ContentsEnv tc1,Numbered [@1. ], - IncrementedBy Use,Referenced [@1],Announced) -@Counter(Appendix,TitleEnv HD1,ContentsEnv tc1,Numbered [@A. ], - IncrementedBy,Referenced [@A],Announced,Alias Chapter) -@Counter(UnNumbered,TitleEnv HD1,ContentsEnv tc1,Announced,Alias - Chapter) -@Counter(Section,Within Chapter,TitleEnv HD2,ContentsEnv tc2, - Numbered [@#@:.@1 ],Referenced [@#@:.@1],IncrementedBy - Use,Announced) -@Counter(AppendixSection,Within Appendix,TitleEnv HD2, - ContentsEnv tc2, - Numbered [@#@:.@1 ],Referenced [@#@:.@1],IncrementedBy - Use,Announced) -@Counter(SubSection,Within Section,TitleEnv HD3,ContentsEnv tc3, - Numbered [@#@:.@1 ],IncrementedBy Use, - Referenced [@#@:.@1 ]) -@Counter(AppendixSubSection,Within AppendixSection,TitleEnv HD3, - ContentsEnv tc3, - Numbered [@#@:.@1 ],IncrementedBy Use, - Referenced [@#@:.@1 ]) -@Counter(Paragraph,Within SubSection,TitleEnv HD4,ContentsEnv tc4, - Numbered [@#@:.@1 ],Referenced [@#@:.@1], - IncrementedBy Use) -@modify(CopyrightNotice, Fixed -1 inch, Flushright) -@Modify(Titlebox, Fixed 3.0 inches) -@Modify(hd1, below .2 inch, facecode B, size 16, spaces kept, pagebreak off) -@Modify(hd2, below .2 inch, facecode B, size 14, spaces kept) -@Modify(hd3, below .2 inch, facecode B, size 12, spaces kept) -@Modify(Description, Leftmargin +20, Indent -20,below 1 line, above 1 line) -@Modify(Tc1, Above .5, Facecode B) -@Modify(Tc2, Above .25, Below .25, Facecode R) -@Modify(Tc3,Facecode R) -@Modify(Tc4,Facecode R) -@Modify(Itemize,Above 1line,Below 1line) -@Modify(Insert,LeftMargin +2, RightMargin +2) -@libraryfile[stable] -@comment[@Style(Font 
NewCenturySchoolBook, size 11)] -@Style(Font TimesRoman, size 11) -@Style(Spacing 1.1, indent 0) -@Style(leftmargin 1.0inch) -@Style(justification no) -@Style(BottomMargin 1.5inch) -@Style(ChangeBarLocation Right) -@Style(ChangeBars=off) -@pageheading[immediate] -@pagefooting[immediate, left = "MIT Project Athena", center = "@value(page)", -right = "@value(date)"] -@set[page = 0] -@blankspace[.5 inches] -@begin[group, size 20] -@begin(center) -@b[Kerberos Operation Notes] -@b[DRAFT] -@end[center] -@blankspace[.5 inches] -@end(group) -@begin[group, size 16] -@begin(center) -Bill Bryant -John Kohl -Project Athena, MIT -@blankspace[.5 inches] -@b[Initial Release, January 24, 1989] -@i[(plus later patches through patchlevel 7)] -@end[center] -@end(group) -@begin[group, size 10] -@end[group] -@blankspace[1inches] - -These notes assume that you have used the -@i[Kerberos Installation Notes] to build and install your -Kerberos system. -As in that document, we refer to the directory that contains -the built Kerberos binaries as [OBJ_DIR]. - -This document assumes that you are a Unix system manager. - -@newpage() -@chapter[How Kerberos Works: A Schematic Description] - -This section provides a simplified description of -a general user's interaction with the Kerberos system. -This interaction happens transparently--users don't need to know -and probably don't care about what's going on--but Kerberos administrators -might find a schematic description of the process useful. -The description glosses over a lot of details; -for more information, see @i[Kerberos: An Authentication -Service for Open Network Systems], -a paper presented at Winter USENIX 1988, in Dallas, Texas. - -@section[Network Services and Their Client Programs] - -In an environment that provides network services, -you use @i[client] programs to request service from -@i[server] programs that are somewhere on the network. -Suppose you have logged in to a workstation -and you want to @i[rlogin] to another machine. 
-You use the local @i[rlogin] client program to -contact the remote machine's @i[rlogin] service daemon. - -@section[Kerberos Tickets] - -Under Kerberos, the @i[rlogin] service program -allows a client to login to a remote machine if it -can provide -a Kerberos @b[ticket] for the request. -This ticket proves the identity of the person who has used -the client program to access the server program. - -@section[The Kerberos Master Database] - -Kerberos will give you tickets only if you -have an entry in the Kerberos server's -@b[master database]. -Your database entry includes your Kerberos username (often referred to -as your Kerberos @b[principal] name), and your Kerberos password. -Every Kerberos user must have an entry in this database. - -@section[The Ticket-Granting Ticket] - -The @i[kinit] command prompts for your Kerberos username and password, -and if you enter them successfully, you will obtain a Kerberos -@i[ticket-granting ticket]. -As illustrated below, -client programs use this ticket to get other Kerberos tickets as -needed. - -@section[Network Services and the Master Database] - -The master database also contains entries for all network services that -require Kerberos authentication. -Suppose for instance that your site has a machine @i[laughter] -that requires Kerberos authentication from anyone who wants -to @i[rlogin] to it. -This service must be registered in the master database. -Its entry includes the service's principal name, and its @b[instance]. - -The @i[instance] is the name of the service's machine; -in this case, the service's instance is the name @i[laughter]. -The instance provides a means for Kerberos to distinguish between -machines that provide the same service. -Your site is likely to have more than one machine that -provides @i[rlogin] service. 
- -@section[The User-Kerberos Interaction] - -Suppose that you (in the guise of a general user) walk up to a workstation -intending to login to it, and then @i[rlogin] to the machine @i[laughter]. -Here's what happens. -@begin[enumerate] -You login to the workstation and use the @i[kinit] command -to to get a ticket-granting ticket. -This command prompts you for your username (your Kerberos Principal Name), -and your Kerberos password [on some systems which use the new version of -@i{/bin/login}, this may be done as part of the login process, not -requiring the user to run a separate program]. -@begin[enumerate] -The @i[kinit] command sends your request to the Kerberos master server -machine. -The server software looks for your principal name's entry in the -Kerberos @b[master database]. - -If this entry exists, the -Kerberos server creates and returns a -@i[ticket-granting ticket], encrypted in your password. -If @i[kinit] can decrypt the Kerberos reply using the password you -provide, it stores this ticket in a @b[ticket file] on your -local machine for later use. -The ticket file to be used -can be specified in the @b[KRBTKFILE] environment -variable. If this variable is not set, the name of the file will be -@i[/tmp/tkt@p(uid)], where @p(uid) is the UNIX user-id, represented in decimal. -@end[enumerate] - -Now you use the @i[rlogin] client to try to access the machine @i[laughter]. -@begin[example] -host% @b[rlogin laughter] -@end[example] -@begin[enumerate] -The @i[rlogin] client checks your ticket file to see if you -have a ticket for @i[laughter]'s @i[rcmd] service (the rlogin program -uses the @i[rcmd] service name, mostly for historical reasons). -You don't, so @i[rlogin] uses the ticket file's @i[ticket-granting -ticket] to make a request to the master server's ticket-granting service. - -This ticket-granting service receives the @i[rcmd-laughter] request -and looks in the master database for an @i[rcmd-laughter] entry. 
-If that entry exists, the ticket-granting service issues you a ticket -for that service. -That ticket is also cached in your ticket file. - -The @i[rlogin] client now uses that ticket to request service from -the @i[laughter] @i[rlogin] service program. -The service program -lets you @i[rlogin] if the ticket is valid. -@end[enumerate] -@end[enumerate] - -@chapter[Setting Up and Testing the Kerberos Server] - -The procedure for setting up and testing a Kerberos server -is as follows: -@begin[enumerate] -Use the @i[kdb_init] command to create and initialize the master database. - -Use the @i[kdb_edit] utility to add your username to the -master database. - -Start the Kerberos server. - -Use the @i[kinit] command to obtain a Kerberos ticket-granting ticket. - -Use the @i[klist] command to verify that the @i[kinit] command -authenticated you successfully. -@end[enumerate] - -@section[Creating and Initializing the Master Database] - -Login to the Kerberos master server machine, -and use the @b[su] command to become root. -If you installed the Kerberos administration tools -with the @i[make install] command and the default pathnames, -they should be in the @i[/usr/etc] directory. -If you installed the tools in a different directory, -hopefully you know what it is. -From now on, we will refer to this directory as [ADMIN_DIR]. - -The @i[kdb_init] command creates and initializes the master database. -It asks you to enter the system's -realm name and the database's master password. -Do not forget this password. -If you do, the database becomes useless. -(Your realm name should be substituted for [REALMNAME] below.) - -Use @i[kdb_init] as follows: -@tabset[3inches, +1.5inches] -@begin[example, rightmargin -10] -host# @b([ADMIN_DIR]/kdb_init) -Realm name (default XXX): @b([REALMNAME])@\@b[<--] @p[Enter your system's realm name.] -You will be prompted for the database Master Password. -It is important that you NOT FORGET this password. 
- -Enter Kerberos master key: @\@b[<--] @p[Enter the master password.] -@comment(this needs to be re-fixed...: -Verifying, please re-enter -Enter Kerberos master key: @\@b[<--] @p[Re-enter it.] -) -@end[example] - -@section[Storing the Master Password] - -The @i[kstash] command ``stashes'' the master password in the file @i[/.k] -so that the Kerberos server can -be started automatically during an unattended reboot of the -master server. -Other administrative programs use this hidden password so that they -can access the master database without someone having to manually -provide the master password. -This command is an optional one; -if you'd rather enter the master password each time you -start the Kerberos server, don't use @i[kstash]. - -One the one hand, if you use @i[kstash], a copy of the master -key will reside -on disk which may not be acceptable; on the other hand, if you don't -use @i[kstash], the server cannot be started unless someone is around to -type the password in manually. - -The command prompts you twice for the master password: -@begin[example] -@tabset[3inches] -host# @b([ADMIN_DIR]/kstash) - -Enter Kerberos master key:@\@b[<--] @p[Enter the master password.] -Current Kerberos master key version is 1. - -Master key entered BEWARE! -@end[example] - -A note about the Kerberos database master key: -if your master key is compromised and the database is obtained, -the security of your entire authentication system is compromised. -The master key must be a carefully kept secret. If you keep backups, -you must guard all the master keys you use, in case someone has stolen -an old backup and wants to attack users' whose passwords haven't changed -since the backup was stolen. -This is why we provide the option not to store it on disk. - -@section[Using @p(kdb_edit) to Add Users to the Master Database] - -The @i[kdb_edit] program is used to add new users and services -to the master database, and to modify existing database information. 
-The program prompts you to enter a principal's @b[name] and @b[instance]. - -A principal name is typically a username or a service program's name. -An instance further qualifies the principal. -If the principal is a service, -the instance is used to specify the name of the machine on which that -service runs. -If the principal is a username that has general user privileges, -the instance is usually set to null. - -The following example shows how to use @i[kdb_edit] to -add the user @i[wave] to the Kerberos database. -@begin[example, rightmargin -10] -@tabset[3inches, +1.5inches] -host# @b([ADMIN_DIR]/kdb_edit) - -Opening database... - -Enter Kerberos master key: -Verifying, please re-enter -Enter Kerberos master key: -Current Kerberos master key version is 1 - -Master key entered. BEWARE! -Previous or default values are in [brackets] , -enter return to leave the same, or new value. - -Principal name: @b[wave]@\@b[<--] @p[Enter the username.] -Instance:@\@p[<-- Enter a null instance.] - -, Create [y] ? @b[y]@\@b[<--] @p[The user-instance does not exist.] -@\@p[ Enter y to create the user-instance.] -Principal: wave Instance: m_key_v: 1 -New Password: @\@p[<-- Enter the user-instance's password.] -Verifying, please re-enter -New Password: -Principal's new key version = 1 -Expiration date (enter dd-mm-yy) [ 12/31/99 ] ?@\@b[<--] @p[Enter newlines] -Max ticket lifetime (*5 minutes) [ 255 ] ? @\@b[<--] @p[to get the] -Attributes [ 0 ] ? @\@\@b[<--] @p[default values.] -Edit O.K. - -Principal name:@\@p[<-- Enter a newline to exit the program.] -@end[example] - -Use the @i[kdb_edit] utility to add your username to the master database. 
- -@section[Starting the Kerberos Server] - -Change directories to the directory in which you have installed -the server program @i[kerberos] -(the default directory is @i[/usr/etc]), -and start the program as a background process: -@begin[example] -host# @b[./kerberos &] -@end[example] -If you have used the @i[kstash] command to store the master database password, -the server will start automatically. -If you did not use @i[kstash], -use the following command: -@begin[example] -host# @b[./kerberos -m] -@end[example] -The server will prompt you to enter the master password before actually -starting itself. - -@section[Testing the Kerberos Server] - -Exit the root account and use the @i[kinit] command obtain a Kerberos -ticket-granting ticket. -This command -creates your ticket file -and stores the ticket-granting ticket in it. - -If you used the default @i[make install] command and directories to -install the Kerberos user utilities, @i[kinit] will be in the -@i[/usr/athena] directory. From now on, we'll refer to the Kerberos user -commands directory as [K_USER]. - -Use @i[kinit] as follows: -@begin[example] -@tabset[3 inches] -host% @b([K_USER]/kinit) -MIT Project Athena, (ariadne) -Kerberos Initialization -Kerberos name: @p[yourusername]@\@b[<--] @p[Enter your Kerberos username.] -Password: @\@b[<--] @p[Enter your Kerberos password.] -@end[example] - -Use the @i[klist] program to list the contents of your ticket file. -@begin[example] -host% @b([K_USER]/klist) -@end[example] -The command should display something like the following: -@begin[example] -Ticket file: /tmp/tkt5555 -Principal: yourusername@@REALMNAME - - Issued Expires Principal -May 6 10:15:23 May 6 18:15:23 krbtgt.REALMNAME@@REALMNAME -@end[example] - -If you have any problems, you can examine the log file -@i[/kerberos/kerberos.log] on the Kerberos server machine to see if -there was some sort of error. 
- -@chapter[Setting up and testing the Administration server] - -The procedure for setting up and testing the Kerberos administration server -is as follows: -@begin[enumerate] -Use the @i[kdb_edit] utility to add your username with an administration -instance to the master database. - -Edit the access control lists for the administration server - -Start the Kerberos administration server. - -Use the @i[kpasswd] command to change your password. - -Use the @i[kadmin] command to add new entries to the database. - -Use the @i[kinit] command to verify that the @i[kadmin] command -correctly added new entries to the database. -@end(enumerate) - -@section[Adding an administration instance for the administrator] - -Login to the Kerberos master server machine, -and use the @b[su] command to become root. -Use the @i[kdb_edit] program to create an entry for each administrator -with the instance ``@p(admin)''. -@begin[example] -@tabset[3inches, +1.5inches] -host# @b([ADMIN_DIR]/kdb_edit) - -Opening database... - -Enter Kerberos master key: -Verifying, please re-enter -Enter Kerberos master key: -Current Kerberos master key version is 1 - -Master key entered. BEWARE! -Previous or default values are in [brackets] , -enter return to leave the same, or new value. - -Principal name: @b[wave]@\@b[<--] @p[Enter the username.] -Instance:@b[admin]@\@b[<--] @p[Enter ``admin''.] - -, Create [y] ? @b[y]@\@b[<--] @p[The user-instance does not exist.] -@\@p[ Enter y to create the user-instance.] -Principal: wave Instance: admin m_key_v: 1 -New Password: @\@p[<-- Enter the user-instance's password.] -Verifying, please re-enter -New Password: -Principal's new key version = 1 -Expiration date (enter dd-mm-yy) [ 12/31/99 ] ?@\@b[<--] @p[Enter newlines] -Max ticket lifetime (*5 minutes) [ 255 ] ? @\@b[<--] @p[to get the] -Attributes [ 0 ] ? @\@\@b[<--] @p[default values.] -Edit O.K. - -Principal name:@\@p[<-- Enter a newline to exit the program.] 
-@end[example] - -@section[The Access Control Lists] -The Kerberos administration server uses three access control lists to -determine who is authorized to make certain requests. The access -control lists are stored on the master Kerberos server in the same -directory as the principal database, @i(/kerberos). The access control -lists are simple ASCII text files, with each line specifying the name of -one principal who is allowed the particular function. To allow several -people to perform the same function, put their principal names on -separate lines in the same file. - -The first list, @i(/kerberos/admin_acl.mod), is a list of principals -which are authorized to change entries in the database. To allow the -administrator `@b[wave]' to modify entries in the database for the realm -`@b[TIM.EDU]', you would put the following line into the file -@i(/kerberos/admin_acl.mod): -@begin(example) -wave.admin@@TIM.EDU -@end(example) - -The second list, @i(/kerberos/admin_acl.get), is a list of principals -which are authorized to retrieve entries from the database. - -The third list, @i(/kerberos/admin_acl.add), is a list of principals -which are authorized to add new entries to the database. - -@section(Starting the administration server) -Change directories to the directory in which you have installed -the administration server program @i[kadmind] -(the default directory is @i[/usr/etc]), -and start the program as a background process: -@begin[example] -host# @b[./kadmind -n&] -@end[example] -If you have used the @i[kstash] command to store the master database password, -the server will start automatically. -If you did not use @i[kstash], -use the following command: -@begin[example] -host# @b[./kadmind] -@end[example] -The server will prompt you to enter the master password before actually -starting itself; after it starts, you should suspend it and put it in -the background (usually this is done by typing control-Z and then @b(bg)). 
- -@section(Testing @p[kpasswd]) - -To test the administration server, you should try changing your password -with the @i[kpasswd] command, and you should try adding new users with -the @i[kadmin] command (both commands are installed into @i[/usr/athena] -by default). - -Before testing, you should exit the root account. - -To change your password, run the @i[kpasswd] command: -@begin(example) -@tabset[3inches, +1.5inches] -host% @b([K_USER]/kpasswd) -Old password for wave@@TIM.EDU:@\@b[<--]@p[Enter your password] -New Password for wave@@TIM.EDU:@\@b[<--]@p[Enter a new password] -Verifying, please re-enter New Password for wave@@TIM.EDU: -@\@b[<--]@p[Enter new password again] -Password changed. -@end(example) -Once you have changed your password, use the @i[kinit] program as shown -above to verify that the password was properly changed. - -@section(Testing @p[kadmin]) -You should also test the function of the @i[kadmin] program, by adding a -new user (here named ``@t[username]''): -@begin(example) -@tabset[3inches, +1.5inches] -host% @b([K_USER]/kadmin) -Welcome to the Kerberos Administration Program, version 2 -Type "help" if you need it. -admin: @b(ank username)@\@p[`ank' stands for Add New Key] -Admin password: @\@b[<--]@p[enter the password -@\you chose above for wave.admin] -Password for username:@\@b[<--]@p[Enter the user's initial password] -Verifying, please re-enter Password for username:@\@b[<--]@p[enter it again] -username added to database. - -admin: quit -Cleaning up and exiting. 
-@end[example] - -@section(Verifying with @p[kinit]) -Once you've added a new user, you should test to make sure it was added -properly by using @i[kinit], and trying to get tickets for that user: - -@begin[example] -@tabset[3inches, +1.5inches] -host% @b([K_USER]/kinit username) -MIT Project Athena (ariadne) -Kerberos Initialization for "username@@TIM.EDU" -Password: @b[<--]@p[Enter the user's password you used above] -host% @b([K_USER]/klist) -Ticket file: /tmp/tkt_5509_spare1 -Principal: username@@TIM.MIT.EDU - - Issued Expires Principal -Nov 20 15:58:52 Nov 20 23:58:52 krbtgt.TIM.EDU@@TIM.EDU -@end[example] - -If you have any problems, you can examine the log files -@i[/kerberos/kerberos.log] and @i[/kerberos/admin_server.syslog] on the -Kerberos server machine to see if there was some sort of error. - -@chapter[Setting up and testing slave server(s)] - -[Unfortunately, this chapter is not yet ready. Sorry. -ed] - -@chapter[A Sample Application] - -This release of Kerberos comes with a sample application -server and a corresponding client program. -You will find this software in the [OBJ_DIR]@i[/appl/sample] directory. -The file @i[sample_client] contains the client program's executable -code, the file @i[sample_server] contains the server's executable. - -The programs are rudimentary. -When they have been installed (the installation procedure is described -in detail later), they work as follows: -@begin[itemize] -The user starts @i[sample_client] and provides as arguments -to the command the name of the server machine and a checksum. -For instance: -@begin[example] -host% @b[sample_client] @p[servername] @p[43] -@end[example] - -@i[Sample_client] contacts the server machine and -authenticates the user to @i[sample_server]. - -@i[Sample_server] authenticates itself to @i[sample_client], -then returns a message to the client program. 
-This message contains diagnostic information -that includes the user's username, the Kerberos realm, -and the user's workstation address. - -@i[Sample_client] displays the server's message on the user's -terminal screen. -@end[itemize] - -@section[The Installation Process] - -In general, -you use the following procedure to install a Kerberos-authenticated -server-client system. -@begin[enumerate] -Add the appropriate entry to the Kerberos database using @i[kdb_edit] or -@i[kadmin] (described below). - -Create a @i[/etc/srvtab] file for the server machine. - -Install the service program and the @i[/etc/srvtab] -file on the server machine. - -Install the client program on the client machine. - -Update the @i[/etc/services] file on the client and server machines. -@end[enumerate] - -We will use the sample application as an example, although -the procedure used to install @i[sample_server] differs slightly -from the general case because the @i[sample_server] -takes requests via the -@i[inetd] program. -@i[Inetd] starts @i[sample_server] each time -a client process contacts the server machine. -@i[Sample_server] processes the request, -terminiates, then is restarted when @i[inetd] receives another -@i[sample_client] request. -When you install the program on the server, -you must add a @i[sample] entry to the server machine's -@i[/etc/inetd.conf] file. - -The following description assumes that you are installing -@i[sample_server] on the machine @i[ariadne.tim.edu]. -Here's the process, step by step: -@begin[enumerate] -Login as or @i[su] to root on the Kerberos server machine. -Use the @i[kdb_edit] or @i[kadmin] program to create an entry for -@i[sample] in the Kerberos database: -@begin[example, rightmargin -10] -@tabset[2.0inches, +.5inches] -host# @b([ADMIN_DIR]/kdb_edit) - -Opening database... - -Enter Kerberos master key: -Verifying, please re-enter -master key entered. BEWARE! 
-Previous or default values are in [brackets] , -enter return to leave the same, or new value. - -Principal name: @b[sample]@\@b[<--] @p[Enter the principal name.] -Instance: @b[ariadne]@\@b[<--] @p[Instances cannot have periods in them.] - -, Create [y] ? @b[y] - -Principal: sample_server Instance: ariadne m_key_v: 1 -New Password:@\@b[<--] @p[Enter ``RANDOM'' to get random password.] -Verifying, please re-enter -New Password:@\@b[<--] @p[Enter ``RANDOM'' again.] -Random password [y] ? @b[y] - -Principal's new key version = 1 -Expiration date (enter dd-mm-yy) [ 12/31/99 ] ? -Max ticket lifetime (*5 minutes) [ 255 ] ? -Attributes [ 0 ] ? -Edit O.K. - -Principal name:@\@b[<--] @p[Enter newline to exit kdb_edit.] -@end[example] - -Use the @i[ext_srvtab] program to create a @i[srvtab] file -for @i[sample_server]'s host machine: -@begin[example] -host# @b([ADMIN_DIR]/ext_srvtab ariadne) - -Enter Kerberos master key: -Current Kerberos master key version is 1. - -Generating 'ariadne-new-srvtab'.... -@end[example] -Transfer the @i[ariadne-new-srvtab] file to @i[ariadne] and install it as -@i[/etc/srvtab]. -Note that this file is equivalent to the service's password and should -be treated with care. -For example, it could be transferred by removable media, but should -not be sent over an open network in the clear. -Once installed, this file should be readable only by root. - -Add the following line to the @i[/etc/services] file on -@i[ariadne], and on all machines that -will run the @i[sample_client] program: -@begin[example] -sample 906/tcp # Kerberos sample app server -@end[example] - -Add a line similar to the following line to the @i[/etc/inetd.conf] -file on @i[sample_server]'s machine: -@begin[example] -sample stream tcp nowait switched root - [PATH]/sample_server sample_server -@end[example] -where [PATH] should be substituted with -the path to the @i[sample_server] program. -(This @i[inetd.conf] information should be placed on one line.) 
-You should examine existing lines in @i[/etc/inetd.conf] and use the -same format used by other entries (e.g. for telnet). Most systems do -not have a column for the `switched' keyword, and some do not have a -column for the username (usually `root', as above). - -Restart @i[inetd] by sending the current @i[inetd] process -a hangup signal: -@begin[example] -host# @b[kill -HUP @p(process_id_number)] -@end[example] - -The @i[sample_server] is now ready to take @i[sample_client] requests. -@end[enumerate] - -@section[Testing the Sample Server] - -Assume that you have installed @i[sample_server] on @i[ariadne]. - -Login to your workstation and use the @i[kinit] command to -obtain a Kerberos ticket-granting ticket: -@begin[example] -@tabset[3 inches] -host% @b([K_USER]/kinit) -MIT Project Athena, (your_workstation) -Kerberos Initialization -Kerberos name: @p[yourusername]@\@b[<--] @p[Enter your Kerberos username.] -Password: @\@b[<--] @p[Enter your Kerberos password.] -@end[example] - -Now use the @i[sample_client] program as follows: -@begin[example] -host% @b([PATH]/sample_client ariadne) -@end[example] -The command should display something like the following: -@begin[example] -The server says: -You are @p[yourusername].@@REALMNAME (local name @p[yourusername]), - at address @p[yournetaddress], version VERSION9, cksum 997 -@end[example] - -@chapter[Service names and other services] - -@section(rlogin, rsh, rcp, tftp, and others) - -Many services use a common principal name for authentication purposes. -@i[rlogin], @i[rsh], @i[rcp], @i[tftp] and others use the principal name -``@t[rcmd]''. For example, to set up the machine @i[ariadne] to support -Kerberos rlogin, it needs to have a service key for principal -``@t[rcmd]'', instance ``@t[ariadne]''. You create this key in the same -way as shown above for the sample service. - -After creating this key, you need to run the @i[ext_srvtab] program -again to generate a new srvtab file for ariadne. 
- -@section(NFS modifications) - -The NFS modifications distributed separately use the service name -``@t[rvdsrv]'' with the instance set to the machine name (as for the -sample server and the rlogin, rsh, rcp and tftp services). - -@section(inetd.conf entries) -The following are the @i(/etc/inetd.conf) entries necessary to support -rlogin, encrypted rlogin, rsh, and rcp services on a server machine. As -above, your @i(inetd.conf) may not support all the fields shown here. -@begin[example] -eklogin stream tcp nowait unswitched root - [PATH]/klogind eklogind -kshell stream tcp nowait unswitched root - [PATH]/kshd kshd -klogin stream tcp nowait unswitched root - [PATH]/klogind klogind -@end[example]
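Review bot: this region deletes the entire V4 server-setup and administration walkthrough (kdb_init, kdb_edit, kstash, ext_srvtab, kadmind and the admin_acl.mod/get/add files) with no replacement text, so before it goes please confirm the surviving krb5 administration documentation still carries the two security points buried in the removed prose: the warning that the stashed master key file (here /.k) and every database backup keyed under it are equivalent to the master password and must be guarded, and the note that a host's srvtab "is equivalent to the service's password", should not be sent over an open network in the clear and must be readable only by root once installed. Both apply unchanged to krb5 stash files and keytabs, and a one-line cross-reference from the remaining admin guide would keep readers who relied on this text from losing them. The deletion itself matches the stated intent of the commit: everything in these lines is V4-only (/tmp/tkt<uid> ticket files, rcmd.<host> service names, lifetimes in 5-minute units up to 255, the never-finished slave-server chapter, the "this needs to be re-fixed" comment), so removing rather than porting the Scribe source is the right call.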