From 50fb035164ccf309453bfcd1ebdb88e99d4a3906 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Wed, 24 Jan 1996 19:57:24 +0000 Subject: [PATCH] Update man pages with new options git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7375 dc483132-0cff-0310-8789-dd5450dbe970 --- src/appl/bsd/ChangeLog | 2 + src/appl/bsd/krlogind.M | 110 ++++++++++++++++++++++------------------ src/appl/bsd/krshd.M | 53 +++++++++++++------ 3 files changed, 101 insertions(+), 64 deletions(-) diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog index 2ed5556de..ee6df50b7 100644 --- a/src/appl/bsd/ChangeLog +++ b/src/appl/bsd/ChangeLog @@ -1,5 +1,7 @@ Wed Jan 24 00:34:42 1996 Sam Hartman + * krlogind.M krshd.M: Update to document new options. + * Makefile.in (install): Install as kshd and klogind not krshd and krlogind. diff --git a/src/appl/bsd/krlogind.M b/src/appl/bsd/krlogind.M index 6052ea79c..c76b99cab 100644 --- a/src/appl/bsd/krlogind.M +++ b/src/appl/bsd/krlogind.M @@ -10,7 +10,7 @@ krlogind \- remote login server .SH SYNOPSIS .B /etc/rlogind [ -.B \-kKrRpPex +.B \-kr54cpPe ] .SH DESCRIPTION .I Krlogind @@ -25,17 +25,17 @@ server is invoked by \fIinetd(8c)\fP when it receives a connection on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf configuration line for \fIkrlogind\fP might be: -klogin stream tcp nowait root /krb5/sbin/krlogind krlogind -K +klogin stream tcp nowait root /krb5/sbin/krlogind krlogind -e5c -When a service request is received, the follow protocol is initiated: +When a service request is received, the following protocol is initiated: .IP 1) Check authentication. .IP 2) -Check authorization via the access-control files \fI.k5login\fP +Check authorization via the access-control files \fI.k5login\fP, \fI.klogin\fP and \fI.rhosts\fP in the user's home directory. .IP 3) -Prompt for password if any checks fail. +Prompt for password if any checks fail and the \fI-p\fP option was supplied. .PP If the authentication succeeds, login the user by calling the accompanying login.krb5 or /bin/login, according to the definition of @@ -45,58 +45,72 @@ The configuration of \fIkrlogind\fP is done either by command-line arguments passed by inetd, or by the name of the daemon. If command-line arguments are present, they take priority. The options are: -.IP \fB\-k\fP 10 -Check authorization in ~/.k5login. +.IP \fB\-5\fP 10 +Allow Kerberos5 authentication with the \fI.k5login\fP access control file +to be trusted. If this authentication system is used by the client and the +authorization check is passed, then the user is allowed to log in. -.IP \fB\-K\fP -Similar to \fb\-k\fP except that the authorization check must succeed -inorder for the login to succeed. +.IP \fB\-4\fP +Allow Kerberos4 authentication with the \fI.klogin\fP access control file +to be trusted. If this authentication system is used by the client and the +authorization check is passed, then the user is allowed to log in. -.IP \fB\-r\fP -Check authorization in ~/.rhosts. +.IP \fB\-k\fP +Allow Kerberos5 and Kerberos4 as acceptable authentication +mechanisms. This is the same as including \fB\-4\fP and \fB\-5\fP. -.IP \fB\-K\fP -Similar to \fb\-r\fP except that the authorization check must succeed -inorder for the login to succeed. +.IP \fB\-r\fP +Trust the remote hostname as an authentication system using the + \fI.rhosts\fP authorization list. -.IP \fB\-p\fP -Prompt the user for a password. If \fB-r\fP or \fB-k\fP -is passed \fB-p\fP is necessary to allow password authentication. -Otherwise, if all previous checks fail, login permission is denied +.IP \fB\-p\fP + If all other authorization checks fail, prompt the user +for a password If this option is not included, access is denied +without successful authentication and authorization using one of the +previous mechanisms. .IP \fB\-P\fP -Prompt the user for a password. If the -P option is passed, then the -password is verified in addition to all other checks. +Prompt the user for a password. +If the -P option is passed, then the password is verified in addition +to all other checks. + .IP \fB\-e\fP -Create an encrypted session. -.IP \fB\-x\fP -Create an encrypted session. -.PP -If no command-line arguments are present, then the presence of the -letters kKrRpPex in the program-name before "logind" determine the -behaviour of the program exactly as with the command-line arguments. -.PP -If the ~/.rhosts check is to be used, then the program verifies that -the client is connecting -from a privileged port, before allowing login. +Create an encrypted session. + +.IP \fB\-c\fP +Require Kerberos5 clients to present a cryptographic checksum of +initial connection information like the name of the user that the +client is trying to access in the initial authenticator. This +checksum provides additionl security by preventing an attacker from +changing the initial connection information. To benefit from this +security, only Kerberos5 should be trusted; Kerberos4 and rhosts +authentication do not include this checksum. If thi options is +specified, older Kerberos5 clients that do not send a checksum in the +authenticator will not be able to authenticate to this server. .PP -The parent of the login process manipulates the master side of -the pseduo terminal, operating as an intermediary -between the login process and the client instance of the -.I rlogin(1C) -program. In normal operation, the packet protocol described -in -.IR pty (4) -is invoked to provide ^S/^Q type facilities and propagate -interrupt signals to the remote programs. The login process -propagates the client terminal's baud rate and terminal type, -as found in the environment variable, ``TERM''; see -.IR environ (7). -The screen or window size of the terminal is requested from the client, -and window size changes from the client are propagated to the pseudo terminal. +If no command-line +arguments are present, then the presence of the letters kr54cpPe in +the program-name before "logind" determine the behaviour of the +program exactly as with the command-line arguments. + .PP -.I Krlogind -supports three options which are used for testing purposes: +If the +~/.rhosts check is to be used, then the program verifies that the +client is connecting from a privileged port, before allowing login. + +.PP The parent of the login process manipulates the master side of the +pseduo terminal, operating as an intermediary between the login +process and the client instance of the .I rlogin(1C) program. In +normal operation, the packet protocol described in .IR pty (4) is +invoked to provide ^S/^Q type facilities and propagate interrupt +signals to the remote programs. The login process propagates the +client terminal's baud rate and terminal type, as found in the +environment variable, ``TERM''; see .IR environ (7). The screen or +window size of the terminal is requested from the client, and window +size changes from the client are propagated to the pseudo terminal. + +.PP .I Krlogind supports three options which are used for testing +purposes: .IP \fB\-S\ srvtab\fP 10 Set the \fIsrvtab\fP file to use. diff --git a/src/appl/bsd/krshd.M b/src/appl/bsd/krshd.M index 20a0d2b83..8c2bb2fba 100644 --- a/src/appl/bsd/krshd.M +++ b/src/appl/bsd/krshd.M @@ -6,9 +6,9 @@ .\" .TH KRSHD 8C "Kerberos Version 5.0" "MIT Project Athena" .SH NAME -krshd \- kerberized remote shell server +kshd \- kerberized remote shell server .SH SYNOPSIS -.B /usr/etc/krshd -kKrR +.B /usr/local/sbin/kshd -kr45ec .SH DESCRIPTION .I Krshd is the server for the @@ -16,22 +16,23 @@ is the server for the routine and, consequently, for the .IR rsh (1C) program. The server provides remote execution facilities -with authentication based on privileged port numbers from trusted hosts. +with authentication based on privileged port numbers from trusted hosts or +the Kerberos authentication system. .PP The -.I krshd +.I kshd server is invoked by \fIinetd(8c)\fP when it receives a connection on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf configuration line for \fIkrshd\fP might be: -kshell stream tcp nowait root /krb5/sbin/krshd krshd -K +kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c -When a service request is received, the follow protocol is initiated: +When a service request is received, the following protocol is initiated: .IP 1) Authentication is checked .IP 2) -Authorization is checked via the access-control files \fI.k5login\fP +Check authorization via the access-control files \fI.k5login\fP, \fI.klogin\fP and \fI.rhosts\fP in the user's home directory. .IP 3) A null byte is returned on the initial socket @@ -46,19 +47,39 @@ by \fIinetd(8)\fP, or by the name of the daemon. If command-line arguments are present, they take priority. The options are: -.IP \fB\-k\fP 10 -Check authorization in ~/.k5login. +.IP \fB\-5\fP 10 +Allow Kerberos5 authentication with the \fI.k5login\fP access control file +to be trusted. If this authentication system is used by the client and the +authorization check is passed, then the user is allowed to log in. -.IP \fB\-K\fP -Similar to \fb\-k\fP except that the authorization check must succeed -inorder for the login to succeed. +.IP \fB\-4\fP +Allow Kerberos4 authentication with the \fI.klogin\fP access control file +to be trusted. If this authentication system is used by the client and the +authorization check is passed, then the user is allowed to log in. + +.IP \fB\-k\fP +Allow Kerberos5 and Kerberos4 as acceptable authentication +mechanisms. This is the same as including \fB\-4\fP and \fB\-5\fP. .IP \fB\-r\fP -Check authorization in ~/.rhosts. +Trust the remote hostname as an authentication system using the + \fI.rhosts\fP authorization list. + + +.IP \fB\-e\fP +Require the client to encrypt the connection. Only Kerberos5 clients +support encryption. -.IP \fB\-K\fP -Similar to \fb\-r\fP except that the authorization check must succeed -inorder for the login to succeed. +.IP \fB\-c\fP +Require Kerberos5 clients to present a cryptographic checksum of +initial connection information like the name of the user that the +client is trying to access in the initial authenticator. This +checksum provides additionl security by preventing an attacker from +changing the initial connection information. To benefit from this +security, only Kerberos5 should be trusted; Kerberos4 and rhosts +authentication do not include this checksum. If this option is +specified, older Kerberos5 clients that do not send a checksum in the +authenticator will not be able to authenticate to this server. .PP If no command-line arguments are present, then the presence of the -- 2.26.2