From 50fb035164ccf309453bfcd1ebdb88e99d4a3906 Mon Sep 17 00:00:00 2001
From: Sam Hartman <hartmans@mit.edu>
Date: Wed, 24 Jan 1996 19:57:24 +0000
Subject: [PATCH] Update man pages with new options

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7375 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/appl/bsd/ChangeLog  |   2 +
 src/appl/bsd/krlogind.M | 110 ++++++++++++++++++++++------------------
 src/appl/bsd/krshd.M    |  53 +++++++++++++------
 3 files changed, 101 insertions(+), 64 deletions(-)

diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog
index 2ed5556de..ee6df50b7 100644
--- a/src/appl/bsd/ChangeLog
+++ b/src/appl/bsd/ChangeLog
@@ -1,5 +1,7 @@
 Wed Jan 24 00:34:42 1996  Sam Hartman  <hartmans@tertius.mit.edu>
 
+	* krlogind.M krshd.M: Update to document new options.
+
 	* Makefile.in (install): Install as kshd and klogind not krshd and
  	krlogind.
 
diff --git a/src/appl/bsd/krlogind.M b/src/appl/bsd/krlogind.M
index 6052ea79c..c76b99cab 100644
--- a/src/appl/bsd/krlogind.M
+++ b/src/appl/bsd/krlogind.M
@@ -10,7 +10,7 @@ krlogind \- remote login server
 .SH SYNOPSIS
 .B /etc/rlogind
 [
-.B \-kKrRpPex
+.B \-kr54cpPe
 ]
 .SH DESCRIPTION
 .I Krlogind
@@ -25,17 +25,17 @@ server is invoked by \fIinetd(8c)\fP when it receives a
 connection on the port indicated in /etc/inetd.conf.  A typical
 /etc/inetd.conf configuration line for \fIkrlogind\fP might be:
 
-klogin	stream	tcp	nowait	root	/krb5/sbin/krlogind krlogind -K
+klogin	stream	tcp	nowait	root	/krb5/sbin/krlogind krlogind -e5c
 
-When a service request is received, the follow protocol is initiated:
+When a service request is received, the following protocol is initiated:
 
 .IP 1)
 Check authentication.
 .IP 2)
-Check authorization via the access-control files \fI.k5login\fP 
+Check authorization via the access-control files \fI.k5login\fP, \fI.klogin\fP 
 and \fI.rhosts\fP in the user's home directory.
 .IP 3)
-Prompt for password if any checks fail.
+Prompt for password if any checks fail and the \fI-p\fP option was supplied.
 .PP
 If the authentication succeeds, login the user by calling the accompanying 
 login.krb5 or /bin/login, according to the definition of 
@@ -45,58 +45,72 @@ The configuration of \fIkrlogind\fP is done
 either by command-line arguments passed by
 inetd, or by the name of the daemon. If command-line arguments are
 present, they  take priority. The options are:
-.IP \fB\-k\fP 10
-Check authorization in ~/.k5login.
+.IP \fB\-5\fP 10
+Allow Kerberos5 authentication with the \fI.k5login\fP access control file
+to be trusted.  If this authentication system is used by the client and the
+authorization check is passed, then the user is allowed to log in.
 
-.IP \fB\-K\fP
-Similar to \fb\-k\fP except that the authorization check must succeed
-inorder for the login to succeed.
+.IP \fB\-4\fP 
+Allow Kerberos4 authentication with the \fI.klogin\fP access control file
+to be trusted.  If this authentication system is used by the client and the
+authorization check is passed, then the user is allowed to log in.
 
-.IP \fB\-r\fP 
-Check authorization in ~/.rhosts.
+.IP \fB\-k\fP 
+Allow Kerberos5 and Kerberos4 as acceptable authentication
+mechanisms.  This is the same as including \fB\-4\fP and \fB\-5\fP.
 
-.IP \fB\-K\fP
-Similar to \fb\-r\fP except that the authorization check must succeed
-inorder for the login to succeed.
+.IP \fB\-r\fP 
+Trust the remote hostname as an authentication system using the 
+ \fI.rhosts\fP authorization list.
 
-.IP \fB\-p\fP 
-Prompt the user for a password.  If \fB-r\fP or \fB-k\fP
-is passed \fB-p\fP is necessary to allow password authentication.
-Otherwise, if all previous checks fail, login permission is denied
+.IP \fB\-p\fP
+ If all other authorization checks fail, prompt the user
+for a password If this option is not included, access is denied
+without successful authentication and authorization using one of the
+previous mechanisms.
 
 .IP \fB\-P\fP
-Prompt the user for a password.  If the -P option is passed, then the
-password is verified in addition to all other checks.
+Prompt the user for a password.
+If the -P option is passed, then the password is verified in addition
+to all other checks.
+
 .IP \fB\-e\fP
-Create an encrypted session.
-.IP \fB\-x\fP
-Create an encrypted session.
-.PP
-If no command-line arguments are present, then the presence of the 
-letters kKrRpPex in the program-name before "logind" determine the 
-behaviour of the program exactly as with the command-line arguments.
-.PP
-If the ~/.rhosts check is to be used, then the program verifies that
-the client is connecting
-from a privileged port, before allowing login.
+Create an encrypted session. 
+
+.IP \fB\-c\fP
+Require Kerberos5 clients to present a cryptographic checksum of
+initial connection information like the name of the user that the
+client is trying to access in the initial authenticator.  This
+checksum provides additionl security by preventing an attacker from
+changing the initial connection information.  To benefit from this
+security, only Kerberos5 should be trusted; Kerberos4 and rhosts
+authentication do not include this checksum.  If thi options is
+specified, older Kerberos5 clients that do not send a checksum in the
+authenticator will not be able to authenticate to this server.
 .PP
-The parent of the login process manipulates the master side of
-the pseduo terminal, operating as an intermediary
-between the login process and the client instance of the
-.I rlogin(1C)
-program.  In normal operation, the packet protocol described
-in
-.IR pty (4)
-is invoked to provide ^S/^Q type facilities and propagate
-interrupt signals to the remote programs.  The login process
-propagates the client terminal's baud rate and terminal type,
-as found in the environment variable, ``TERM''; see
-.IR environ (7).
-The screen or window size of the terminal is requested from the client,
-and window size changes from the client are propagated to the pseudo terminal.
+If no command-line
+arguments are present, then the presence of the letters kr54cpPe in
+the program-name before "logind" determine the behaviour of the
+program exactly as with the command-line arguments.
+
 .PP
-.I Krlogind
-supports three options which are used for testing purposes:
+If the
+~/.rhosts check is to be used, then the program verifies that the
+client is connecting from a privileged port, before allowing login.
+
+.PP The parent of the login process manipulates the master side of the
+pseduo terminal, operating as an intermediary between the login
+process and the client instance of the .I rlogin(1C) program.  In
+normal operation, the packet protocol described in .IR pty (4) is
+invoked to provide ^S/^Q type facilities and propagate interrupt
+signals to the remote programs.  The login process propagates the
+client terminal's baud rate and terminal type, as found in the
+environment variable, ``TERM''; see .IR environ (7).  The screen or
+window size of the terminal is requested from the client, and window
+size changes from the client are propagated to the pseudo terminal.
+
+.PP .I Krlogind supports three options which are used for testing
+purposes:
 
 .IP \fB\-S\ srvtab\fP 10
 Set the \fIsrvtab\fP file to use.
diff --git a/src/appl/bsd/krshd.M b/src/appl/bsd/krshd.M
index 20a0d2b83..8c2bb2fba 100644
--- a/src/appl/bsd/krshd.M
+++ b/src/appl/bsd/krshd.M
@@ -6,9 +6,9 @@
 .\"
 .TH KRSHD 8C "Kerberos Version 5.0" "MIT Project Athena"
 .SH NAME
-krshd \- kerberized remote shell server
+kshd \- kerberized remote shell server
 .SH SYNOPSIS
-.B /usr/etc/krshd -kKrR
+.B /usr/local/sbin/kshd -kr45ec
 .SH DESCRIPTION
 .I Krshd
 is the server for the 
@@ -16,22 +16,23 @@ is the server for the
 routine and, consequently, for the
 .IR rsh (1C)
 program.  The server provides remote execution facilities
-with authentication based on privileged port numbers from trusted hosts.
+with authentication based on privileged port numbers from trusted hosts or 
+the Kerberos authentication system.
 .PP
 The
-.I krshd
+.I kshd
 server is invoked by \fIinetd(8c)\fP when it receives a connection
 on the port indicated in /etc/inetd.conf.  A typical /etc/inetd.conf
 configuration line for \fIkrshd\fP might be:
 
-kshell	stream	tcp	nowait	root	/krb5/sbin/krshd	krshd -K
+kshell	stream	tcp	nowait	root	/usr/local/sbin/kshd	kshd -5c
 
-When a service request is received, the follow protocol is initiated:
+When a service request is received, the following protocol is initiated:
 
 .IP 1) 
 Authentication is checked
 .IP 2)
-Authorization is checked via the access-control files \fI.k5login\fP 
+Check authorization via the access-control files \fI.k5login\fP, \fI.klogin\fP 
 and \fI.rhosts\fP in the user's home directory.
 .IP 3)
 A null byte is returned on the initial socket
@@ -46,19 +47,39 @@ by \fIinetd(8)\fP,
 or by the name of the daemon. If command-line arguments are present, they 
 take priority.  The options are:
 
-.IP \fB\-k\fP 10
-Check authorization in ~/.k5login.
+.IP \fB\-5\fP 10
+Allow Kerberos5 authentication with the \fI.k5login\fP access control file
+to be trusted.  If this authentication system is used by the client and the
+authorization check is passed, then the user is allowed to log in.
 
-.IP \fB\-K\fP
-Similar to \fb\-k\fP except that the authorization check must succeed
-inorder for the login to succeed.
+.IP \fB\-4\fP 
+Allow Kerberos4 authentication with the \fI.klogin\fP access control file
+to be trusted.  If this authentication system is used by the client and the
+authorization check is passed, then the user is allowed to log in.
+
+.IP \fB\-k\fP 
+Allow Kerberos5 and Kerberos4 as acceptable authentication
+mechanisms.  This is the same as including \fB\-4\fP and \fB\-5\fP.
 
 .IP \fB\-r\fP 
-Check authorization in ~/.rhosts.
+Trust the remote hostname as an authentication system using the 
+ \fI.rhosts\fP authorization list.
+
+
+.IP \fB\-e\fP
+Require the client to encrypt the connection.  Only Kerberos5 clients
+support encryption.
 
-.IP \fB\-K\fP
-Similar to \fb\-r\fP except that the authorization check must succeed
-inorder for the login to succeed.
+.IP \fB\-c\fP
+Require Kerberos5 clients to present a cryptographic checksum of
+initial connection information like the name of the user that the
+client is trying to access in the initial authenticator.  This
+checksum provides additionl security by preventing an attacker from
+changing the initial connection information.  To benefit from this
+security, only Kerberos5 should be trusted; Kerberos4 and rhosts
+authentication do not include this checksum.  If this option is
+specified, older Kerberos5 clients that do not send a checksum in the
+authenticator will not be able to authenticate to this server.
 
 .PP
 If no command-line arguments are present, then the presence of the 
-- 
2.26.2