From 4b57c35980de9b80da0c8d24958791766c1c414c Mon Sep 17 00:00:00 2001
From: Ken Raeburn
Date: Tue, 7 Sep 1999 22:22:57 +0000
Subject: [PATCH] 1.1 updates

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11786 dc483132-0cff-0310-8789-dd5450dbe970
---
 doc/ChangeLog | 16 +++++++
 doc/admin.texinfo | 6 ++-
 doc/build.texinfo | 44 ++++++++++----------
 doc/definitions.texinfo | 4 +-
 doc/install.texinfo | 92 ++++++++++++++++++++++++++++++++++++-----
 5 files changed, 128 insertions(+), 34 deletions(-)

diff --git a/doc/ChangeLog b/doc/ChangeLog
index d351b47e5..6cf413b9d 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,19 @@
+1999-09-07 Ken Raeburn
+
+ * definitions.texinfo: Update for 1.1 release.
+
+ * admin.texinfo (Adding or Modifying Principals): Mention des3
+ enctype for host keys.
+
+ * build.texinfo: Replace "krb5-1.0" with "krb5-@value{RELEASE}"
+ throughout.
+ (Shared Library Support): Cut supported-OS list down to Solaris
+ and Irix for now.
+
+ * install.texinfo: Update EDITION to 1.1.
+ (MacOS X Configuration): New node, with info from Brad Thompson.
+ (Encryption Types and Salt Types): Mention des3.
+
 1999-08-31 Ken Raeburn * admin.texinfo (Kadmin Options): Describe -e option.
diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index 64a580a3e..2ea716b25 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -1408,7 +1408,11 @@ Removes the policy @i{policyname} from the principal
 @item -randkey Sets the key for the principal to a random value (@code{add_principal}
-only). @value{COMPANY} recommends using this option for host keys.
+only). @value{COMPANY} recommends using this option for host keys. You
+may also wish to use the @b{kadmin.local} command-line options @b{-e
+"des3-cbc-sha1:normal des-cbc-crc:normal"}@xref{Kadmin Options} on the
+KDC machine itself for host keys and other service keys that are
+security-critical.
 @item -pw @i{password} Sets the key of the principal to the specified string and does not
diff --git a/doc/build.texinfo b/doc/build.texinfo
index bee77fe88..78aa8b450 100644
--- a/doc/build.texinfo
+++ b/doc/build.texinfo
@@ -38,17 +38,17 @@ link tree for your build tree. The first step in each of these build procedures is to unpack the source distribution. The Kerberos V5 distribution comes in two compressed tar files. The first file, which is generally named
-@file{krb5-1.0.src.tar.gz}, contains the sources for all of Kerberos
+@file{krb5-@value{RELEASE}.src.tar.gz}, contains the sources for all of Kerberos
 except for the crypto library, which is found in the file
-@file{krb5-1.0.crypto.tar.gz}.
+@file{krb5-@value{RELEASE}.crypto.tar.gz}.
 Both files should be unpacked in the same directory, such as
-@file{/u1/krb5-1.0}. (In the rest of this document, we will assume that
+@file{/u1/krb5-@value{RELEASE}}. (In the rest of this document, we will assume that
 you have chosen to unpack the Kerberos V5 source distribution in this directory. Note that the tarfiles will by default all unpack into the
-@file{./krb5-1.0} directory, so that if your current directory is
+@file{./krb5-@value{RELEASE}} directory, so that if your current directory is
 @file{/u1} when you unpack the tarfiles, you will get
-@file{/u1/krb5-1.0/src}, etc.)
+@file{/u1/krb5-@value{RELEASE}/src}, etc.)
 @node Doing the Build, Testing the Build, Unpacking the Sources, Building Kerberos V5
@@ -77,7 +77,7 @@ use the following abbreviated procedure.
 @enumerate
 @item
- @code{cd /u1/krb5-1.0/src}
+ @code{cd /u1/krb5-@value{RELEASE}/src}
 @item @code{./configure}
 @item
@@ -100,9 +100,9 @@ you might use the following procedure:
 @enumerate
 @item
-@code{mkdir /u1/krb5-1.0/pmax}
+@code{mkdir /u1/krb5-@value{RELEASE}/pmax}
 @item
- @code{cd /u1/krb5-1.0/pmax}
+ @code{cd /u1/krb5-@value{RELEASE}/pmax}
 @item @code{../src/configure}
 @item
@@ -122,11 +122,11 @@ you might use the following procedure:
 @enumerate
 @item
- @code{mkdir /u1/krb5-1.0/solaris}
+ @code{mkdir /u1/krb5-@value{RELEASE}/solaris}
 @item
- @code{cd /u1/krb5-1.0/solaris}
+ @code{cd /u1/krb5-@value{RELEASE}/solaris}
 @item
- @code{/u1/krb5-1.0/src/util/lndir `pwd`/../src}
+ @code{/u1/krb5-@value{RELEASE}/src/util/lndir `pwd`/../src}
 @item @code{./configure}
 @item
@@ -397,8 +397,10 @@ variables when using the programs. Except where noted, multiple versions of the libraries may be installed on the same system and continue to work.
-Currently the supported platforms are: NetBSD 1.0A, AIX 3.2.5, AIX 4.1,
-Solaris 2.4 (aka SunOS 5.4), Alpha OSF/1 >= 2.1, HP-UX >= 9.X.
+Currently the supported platforms are
+@comment NetBSD 1.0A, AIX 3.2.5, AIX 4.1,
+Solaris 2.6 (aka SunOS 5.6) and Irix 6.5.
+@comment Alpha OSF/1 >= 2.1, HP-UX >= 9.X.
 To enable shared libraries on the above platforms, run the configure script with the option @samp{--enable-shared}.
@@ -475,11 +477,11 @@ NetBSD and FreeBSD.)
 @node HPUX, Solaris versions 2.0 through 2.3, BSDI, OS Incompatibilities
 @subsection HPUX
-The native compiler for HPUX currently will not work, because it is not
-a full ANSI C compiler. The optional compiler (c89) should work as long
-as you give it the @samp{+Olibcalls -D_HPUX_SOURCE} (this has only been
-tested for HPUX 9.0). At this point, using GCC is probably your best
-bet.
+The native (bundled) compiler for HPUX currently will not work, because
+it is not a full ANSI C compiler. The optional compiler (c89) should
+work as long as you give it the @samp{+Olibcalls -D_HPUX_SOURCE} (this
+has only been tested for HPUX 9.0). At this point, using GCC is
+probably your best bet.
 @node Solaris versions 2.0 through 2.3, Solaris 2.X, HPUX, OS Incompatibilities
 @subsection Solaris versions 2.0 through 2.3
@@ -496,7 +498,7 @@ Workarounds:
 @enumerate
 @item
- Supply your own resolver library. (such as bind-4.9.3pl1 availavle
+ Supply your own resolver library. (such as bind-4.9.3pl1 available
 from ftp.vix.com)
 @item
@@ -605,7 +607,7 @@ that you have made a change that will require that all the @code{--force} option:
 @example
-% cd /u1/krb5-1.0/src
+% cd /u1/krb5-@value{RELEASE}/src
 % ./util/reconf --force
 @end example
@@ -625,7 +627,7 @@ Then follow the instructions for building packaged source trees (above). To install the binaries into a binary tree, do:
 @example
-% cd /u1/krb5-1.0/src
+% cd /u1/krb5-@value{RELEASE}/src
 % make all
 % make install DESTDIR=somewhere-else
 @end example
diff --git a/doc/definitions.texinfo b/doc/definitions.texinfo
index 19b2b0f55..079809d2c 100644
--- a/doc/definitions.texinfo
+++ b/doc/definitions.texinfo
@@ -19,8 +19,8 @@
 @set RANDOMUSER johndoe
 @set RANDOMUSER1 jennifer
 @set RANDOMUSER2 david
-@set RELEASE 1.0
-@set PREVRELEASE beta 7
+@set RELEASE 1.1
+@set PREVRELEASE 1.0
 @set INSTALLDIR /usr/@value{LCPRODUCT}
 @set PREVINSTALLDIR @value{INSTALLDIR}
 @set ROOTDIR /usr/local
diff --git a/doc/install.texinfo b/doc/install.texinfo
index f5c4396a8..c388cd0a8 100644
--- a/doc/install.texinfo
+++ b/doc/install.texinfo
@@ -16,7 +16,7 @@
 @end iftex
 @include definitions.texinfo
-@set EDITION 1.0
+@set EDITION 1.1
 @finalout @c don't print black warning boxes
@@ -1050,17 +1050,17 @@ counterparts @c @code{from} @code{su}, @code{passwd}, and @code{rdist}.
-@node Client Machine Configuration Files, , Client Programs, Installing and Configuring UNIX Client Machines
+@node Client Machine Configuration Files, MacOS X Configuration, Client Programs, Installing and Configuring UNIX Client Machines
 @subsection Client Machine Configuration Files Each machine running Kerberos must have a @code{/etc/krb5.conf} file. (@xref{krb5.conf})
 @need 4000
-Also, you must add the appropriate Kerberos services to each client
-machine's @code{/etc/services} file. If you are using the default
-configuration for @value{PRODUCT}, you should be able to just insert the
-following code:
+Also, for most UNIX systems, you must add the appropriate Kerberos
+services to each client machine's @code{/etc/services} file. If you are
+using the default configuration for @value{PRODUCT}, you should be able
+to just insert the following code:
 @smallexample
 @group
@@ -1095,6 +1095,76 @@ to switch the port number for @code{kerberos} to 750 and create a @code{kerberos-sec} service (tcp and udp) on port 88, so the Kerberos V4 KDC(s) will continue to work properly.
+@menu
+* MacOS X Configuration::
+@end menu
+
+@node MacOS X Configuration, , Client Machine Configuration Files, Client Machine Configuration Files
+@subsubsection MacOS X Configuration
+
+To install Kerberos V on MacOS X, follow the directions for generic
+Unix-based OS's, except for the @code{/etc/services} updates described
+above. Then, you must reconfigure your name resolver to return fully
+qualified domain names (FQDNs). To see if your system is already
+correctly configured, compile the Kerberos code, and run:
+
+@smallexample
+@group
+$ cd .../src/tests/resolve
+$ ./resolve
+@end group
+@end smallexample
+
+This will tell you whether or not your machine returns FQDNs on name
+lookups. If the test fails, run the following commands to fix things:
+
+@smallexample
+@group
+$ niutil -create . /locations/lookupd/hosts
+$ niutil -createprop . /locations/lookupd/hosts LookupOrder CacheAgent DNSAgent
+ NIAgent NILAgent
+@end group
+@end smallexample
+
+Unfortunately, as of release time, the machine must be rebooted for the
+changes to take effect. When the machine comes back up, run the test
+again to make sure things are fixed.
+
+Now, service entries must be created for the Kerberos-based servers.
+@code{/etc/services} is meaningless on MacOS X, so the following
+commands must be run instead:
+
+@smallexample
+@group
+$ niutil -create . /services/kerberos
+$ niutil -createprop . /services/kerberos name kerberos kdc
+$ niutil -createprop . /services/kerberos port 750
+$ niutil -createprop . /services/kerberos protocol tcp udp
+$ niutil -create . /services/krbupdate
+$ niutil -createprop . /services/krbupdate name krbupdate kreg
+$ niutil -createprop . /services/krbupdate port 760
+$ niutil -createprop . /services/krbupdate protocol tcp
+$ niutil -create . /services/kpasswd
+$ niutil -createprop . /services/kpasswd name kpasswd kpwd
+$ niutil -createprop . /services/kpasswd port 761
+$ niutil -createprop . /services/kpasswd protocol tcp
+$ niutil -create . /services/klogin
+$ niutil -createprop . /services/klogin port 543
+$ niutil -createprop . /services/klogin protocol tcp
+$ niutil -create . /services/eklogin
+$ niutil -createprop . /services/eklogin port 2105
+$ niutil -createprop . /services/eklogin protocol tcp
+$ niutil -create . /services/kshell
+$ niutil -createprop . /services/kshell name kshell krcmd
+$ niutil -createprop . /services/kshell port 544
+$ niutil -createprop . /services/kshell protocol tcp
+@end group
+@end smallexample
+
+The remainder of the setup of a MacOS X client machine or application
+server should be the same as for other UNIX-based systems.
+
+
 @node UNIX Application Servers, , Installing and Configuring UNIX Client Machines, Installing Kerberos V5
 @section UNIX Application Servers
@@ -1471,10 +1541,12 @@ To add Kerberos V4 support, change the @code{supported_enctypes} line to:
 @node Encryption Types and Salt Types, , kdc.conf, kdc.conf
 @appendixsubsec Encryption Types and Salt Types
-Currently, @value{PRODUCT} supports only DES encryption. The encoding
-type is @code{des-cbc-crc}. The @dfn{salt} is additional information
-encoded within the key that tells what kind of key it is. The only
-salts that you will be likely to encounter are:
+Currently, @value{PRODUCT} supports only DES and triple-DES encryption;
+however, triple-DES is currently supported only for service keys, not
+for user keys or session keys. The encoding types include
+@code{des-cbc-crc} and @code{des3-cbc-sha1}. The @dfn{salt} is
+additional information encoded within the key that tells what kind of
+key it is. The only salts that you will be likely to encounter are:
 @itemize @bullet
 @item @dfn{normal}, which @value{COMPANY} recommends using for all of
--
2.26.2