From e227b97f8ee7a07061253cc6c58dfd17c7b2d411 Mon Sep 17 00:00:00 2001
From: Zhanna Tsitkov
Date: Fri, 21 Oct 2011 19:31:41 +0000
Subject: [PATCH] Updated "MIT Kerberos defaults" with references to the internet drafts/standards and projects
On the unrelated note, commiting the reference to the new API krb5_pac_sign in krb_appldev/refs/api/index.rst
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25404 dc483132-0cff-0310-8789-dd5450dbe970
---
doc/rst_source/index.rst | 1 +
doc/rst_source/krb_appldev/refs/api/index.rst | 1 +
doc/rst_source/mitK5defaults.rst | 98 +++++++++
doc/rst_source/mitK5features.rst | 197 +++++++-----------
doc/rst_source/mitK5license.rst | 2 +
5 files changed, 181 insertions(+), 118 deletions(-)
create mode 100644 doc/rst_source/mitK5defaults.rst
diff --git a/doc/rst_source/index.rst b/doc/rst_source/index.rst
index f983c8fe3..53712a47f 100644
--- a/doc/rst_source/index.rst
+++ b/doc/rst_source/index.rst
@@ -11,6 +11,7 @@ Contents krb_appldev/index.rst krb_admins/index.rst krb_users/index.rst + krb_build/index.rst .. toctree:: :maxdepth: 1
diff --git a/doc/rst_source/krb_appldev/refs/api/index.rst b/doc/rst_source/krb_appldev/refs/api/index.rst
index 9e172afc2..2d493f061 100644
--- a/doc/rst_source/krb_appldev/refs/api/index.rst
+++ b/doc/rst_source/krb_appldev/refs/api/index.rst
@@ -234,6 +234,7 @@ Rarely used public interfaces krb5_pac_get_types.rst krb5_pac_init.rst krb5_pac_parse.rst + krb5_pac_sign.rst krb5_pac_verify.rst krb5_principal2salt.rst krb5_rd_cred.rst
diff --git a/doc/rst_source/mitK5defaults.rst b/doc/rst_source/mitK5defaults.rst
new file mode 100644
index 000000000..995590eee
--- /dev/null
+++ b/doc/rst_source/mitK5defaults.rst
@@ -0,0 +1,98 @@ +.. _mitK5defaults: + +MIT Kerberos defaults +============================ + + +The list of the site- and OS- dependent configuration +------------------------------------------------------- + + + ================================================== ================================ + Keytab file FILE\:/etc/krb5.keytab + Path to Kerberos configuration file /etc/krb5.conf:SYSCONFDIR/krb5.conf + KDC configuration file LOCALSTATEDIR/krb5kdc/kdc.conf + The location of the default database LOCALSTATEDIR/krb5kdc/principal + Master key stash file location and prefix LOCALSTATEDIR/krb5kdc/.k5. (for example, /usr/local/var/krb5kdc/.k5.YOURREALM) + Admin Access Control List (ACL) file LOCALSTATEDIR/krb5kdc/krb5_adm.acl + Admin ACL file used by old admin server LOCALSTATEDIR/krb5kdc/kadm_old.acl + Kerberos database library path MODULEDIR/kdb + Base directory where plugins are located LIBDIR/krb5/plugins + Master key default enctype ENCTYPE_AES256_CTS_HMAC_SHA1_96 + The name of the rcache used by KDC dfl:krb5kdc_rcache + KDC portname used for /etc/services or equiv. 
"kerberos" + KDC secondary portname for backward compatibility "kerberos-sec" + KDC default port 88 + KDC default port for authentication 750 + Admin change password port 464 + KDC UDP default portlist "88,750" + ================================================== ================================ + + +MAC OS specific +----------------- + + ============================================================ ================================ + Path to Kerberos config file ~/Library/Preferences/edu.mit.Kerberos:/etc/krb5.conf:SYSCONFDIR/krb5.conf + Base directory where krb5 plugins are located /System/Library/KerberosPlugins/KerberosFrameworkPlugins + Base directory where Kerberos databadse plugins are located /System/Library/KerberosPlugins/KerberosDatabasePlugins + Base directory where authorization data plugins are located /System/Library/KerberosPlugins/KerberosAuthDataPlugins + ============================================================ ================================ + + +Windows specific +---------------------- + + ======================================= ==================================================== + Kerberos config file name krb5.ini + Keytab file name FILE\:%s\\krb5kt (for example, C:\\WINDOWS\\krb5kt) + ======================================= ==================================================== + + +Defaults for the KADM5 admin system +--------------------------------------- + + ====================================================================== ================================ + Admin keytab file LOCALSTATEDIR/krb5kdc/kadm5.keytab + Admin ACL file that defines access rights to the Kerberos database LOCALSTATEDIR/krb5kdc/kadm5.acl + Admin server default port 749 + Default supported enctype/salttype matrix aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal + Max datagram size 4096 + Directory to store replay caches KRB5RCTMPDIR + Kerberized login program SBINDIR/login.krb5 + Kerberized remote login 
program BINDIR/rlogin + ====================================================================== ================================ + + +krb5 *slave* support +----------------------------- + + ============================================================ ================================ + kprop database dump file LOCALSTATEDIR/krb5kdc/slave_datatrans + kpropd temporary database file LOCALSTATEDIR/krb5kdc/from_master + Location of the utility used to load the principal database SBINDIR/kdb5_util + kpropd default kprop SBINDIR/kprop + kpropd principal database location LOCALSTATEDIR/krb5kdc/principal + kpropd ACL file LOCALSTATEDIR/krb5kdc/kpropd.acl + ============================================================ ================================ + + +Site- and system-wide initialization for the code compiled on Linux or Solaris +----------------------------------------------------------------------------------- + + ===================== ============================== ================= + BINDIR /usr/local/bin/ + KRB5RCTMPDIR /var/tmp + LIBDIR /usr/local/lib/ krb5 library directory + LOCALSTATEDIR /usr/local/var/ + MODULEDIR /usr/local/lib/krb5/plugins/ krb5 static plugins directory + SBINDIR /usr/local/sbin/ + SYSCONFDIR /usr/local/etc/ + ===================== ============================== ================= + +Report the problem +------------------ + + +Please, provide your feedback on this document at krb5-bugsmit.edu?subject=Documentation___krb5_implementation_features +
diff --git a/doc/rst_source/mitK5features.rst b/doc/rst_source/mitK5features.rst
index 71b83c629..319e00732 100644
--- a/doc/rst_source/mitK5features.rst
+++ b/doc/rst_source/mitK5features.rst
@@ -10,45 +10,39 @@ http://web.mit.edu/kerberos Quick facts ----------------------- - +---------------------------------+------------------------+ - | | MIT | - +=================================+========================+ - | Latest stable version | 1.9.1 | - +---------------------------------+------------------------+ - | Supported versions | 1.7.2, 1.8.4, 1.9.1 | - +---------------------------------+------------------------+ - | Release cycle | 9 - 12 months | - +---------------------------------+------------------------+ - | Supported platforms/ | - Solaris | - | OS distributions | - SPARC | - | | - x86_64/x86 | - | | - GNU/Linux | - | | - Debian x86_64/x86 | - | | - Ubuntu x86_64/x86 | - | | - RedHat x86_64/x86 | - | | - BSD | - | | - NetBSD x86_64/x86 | - +---------------------------------+------------------------+ - | Crypto backends | - OSSL 1.0+ | - | | - builtin | - | | - NSS 3.12.9+ | - +---------------------------------+------------------------+ - | Database backends | - LDAP | - | | - DB2 | - +---------------------------------+------------------------+ - | krb4 support | < 1.8 | - +---------------------------------+------------------------+ - | DES support | configurable | - +---------------------------------+------------------------+ - | Extensions (1.8+) | - S4U2Self | - | | - S4U2Proxy | - | | - GSS naming exts | - | | - GSS to store creds | - +---------------------------------+------------------------+ - | License | .. 
toctree:: | - | | | - | | mitK5license.rst | - +---------------------------------+------------------------+ + + ====================================================== ======================================= ============================================================================= + Latest stable version 1.9.1 + Supported versions 1.7.2, 1.8.4, 1.9.1 + Release cycle 9 - 12 months + Supported platforms/OS distributions Solaris + - SPARC + - x86_64/x86 + GNU/Linux + - Debian x86_64/x86 + - Ubuntu x86_64/x86 + - RedHat x86_64/x86 + BSD + - NetBSD x86_64/x86 + Crypto backends - OpenSSL 1.0\+ - http://www.openssl.org + - builtin - MIT Kerberos native crypto library + - NSS 3.12.9\+ - Mozilla's Network Security Services. + http://www.mozilla.org/projects/security/pki/nss + Database backends - LDAP + - DB2 + krb4 support < 1.8 + DES support configurable http://k5wiki.kerberos.org/wiki/Projects/Disable_DES + GSS-API S4U extensions 1.8+ http://msdn.microsoft.com/en-us/library/cc246071 + - S4U2Proxy + - S4U2Proxy + GSS-API naming extensions 1.8+ http://tools.ietf.org/html/draft-ietf-kitten-gssapi-naming-exts-11 + + GSS-API extensions for storing delegated credentials 1.8+ :rfc:`5588` + + License :ref:`mitK5license` + Defaults :ref:`mitK5defaults` + ====================================================== ======================================= ============================================================================= + 
@@ -87,85 +81,52 @@ Heimdal * Support for reading Heimdal database starting from version 1.8 -Feature list --------------------------- - - - +-----------------------------------------------+-----------+-------------------+ - | | Available | Additional | - | | | information | - +===============================================+===========+===================+ - | PKINIT | 1.7 | | - +-----------------------------------------------+-----------+-------------------+ - | Anonymous PKINIT | 1.8 | | - +-----------------------------------------------+-----------+-------------------+ - | IPv6 support in iprop | | | - +-----------------------------------------------+-----------+-------------------+ - | kadmin over IPv6 | 1.9 | | - +-----------------------------------------------+-----------+-------------------+ - | Trace logging | 1.9 | | - +-----------------------------------------------+-----------+-------------------+ - | IAKERB | 1.8 | | - +-----------------------------------------------+-----------+-------------------+ - | GSSAPI/KRB5 multi-realm support | | | - +-----------------------------------------------+-----------+-------------------+ - | Plugins to test password quality | 1.9 | | - +-----------------------------------------------+-----------+-------------------+ - | Plugins to synchronize password changes | 1.9 | | - +-----------------------------------------------+-----------+-------------------+ - | Parallel KDC | | | - +-----------------------------------------------+-----------+-------------------+ - | Credentials delegation | 1.7 | | - +-----------------------------------------------+-----------+-------------------+ - | Constrained delegation | 1.8 | | - +-----------------------------------------------+-----------+-------------------+ - | Cross-realm auth and referrals | 1.7 | | - +-----------------------------------------------+-----------+-------------------+ - | GS2 | 1.9 | | - 
+-----------------------------------------------+-----------+-------------------+ - | Purging old keys | 1.9 | | - +-----------------------------------------------+-----------+-------------------+ - | Naming extensions for delegation chain | 1.9 | | - +-----------------------------------------------+-----------+-------------------+ - | Password expiration API | 1.9 | | - +-----------------------------------------------+-----------+-------------------+ - | Windows client support (build-only) | 1.9 | | - +-----------------------------------------------+-----------+-------------------+ - | pre-auth mechanisms: | | | | | - | | | | | | - | - PW-SALT | | | | :rfc:`4120` | - | - ENC-TIMESTAMP | | | | :rfc:`4120` | - | - SAM-2 | | | | | - | - FAST negotiation framework | | 1.8 | | | - | - PKINIT | | | | | - | - FX-COOKIE | | | | | - | - S4U-X509-USER | | | | | - | | | | - +-----------------------------------------------+-----------+-------------------+ - | KDC support for SecurID preauthentication | 1.9 | SAM-2 protocol | - +-----------------------------------------------+-----------+-------------------+ - | Account lockout on bad login attempts | 1.8 | | - +-----------------------------------------------+-----------+-------------------+ - | Camellia encryption (CTS-MAC mode) | 1.9 | experimental | - | | | | - +-----------------------------------------------+-----------+-------------------+ - | PRNG | | | | - | | | | | - | - modularity: | | 1.9 | | - | - Yarrow PRNG | | < 1.10 | | - | - Fortuna PRNG | | 1.9 | | - | - OS PRNG | | 1.10 | | - +-----------------------------------------------+-----------+-------------------+ - | Advance warning on password expiry | 1.9 | | - +-----------------------------------------------+-----------+-------------------+ - | Heimdal bridge plugin for KDC backend | 1.8 | | - +-----------------------------------------------+-----------+-------------------+ - | Zero configuration | | | - 
+-----------------------------------------------+-----------+-------------------+ - | Master key migration | 1.7 | | - +-----------------------------------------------+-----------+-------------------+ - | | | | - +-----------------------------------------------+-----------+-------------------+ +Feature list +~~~~~~~~~~~~~~~ + + =============================================== =========== ============================================ + \ Available Additional information + =============================================== =========== ============================================ + Credentials delegation 1.7 :rfc:`5896` + Cross-realm authentication and referrals 1.7 http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-referrals-12 + Master key migration 1.7 http://k5wiki.kerberos.org/wiki/Projects/Master_Key_Migration + PKINIT 1.7 :rfc:`4556` + Anonymous PKINIT 1.8 :rfc:`6112` http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit + Constrained delegation 1.8 http://k5wiki.kerberos.org/wiki/Projects/ConstrainedDelegation + IAKERB 1.8 http://tools.ietf.org/html/draft-ietf-krb-wg-iakerb-02 + Heimdal bridge plugin for KDC backend 1.8 + Advance warning on password expiry 1.9 + Camellia encryption (CTS-CMAC mode) 1.9 experimental http://tools.ietf.org/html/draft-ietf-krb-wg-camellia-cts-00 + KDC support for SecurID preauthentication 1.9 http://k5wiki.kerberos.org/wiki/Projects/SecurID_SAM_support + kadmin over IPv6 1.9 + Trace logging 1.9 http://k5wiki.kerberos.org/wiki/Projects/Trace_logging + GSSAPI/KRB5 multi-realm support + Plugins to test password quality 1.9 http://k5wiki.kerberos.org/wiki/Projects/Password_quality_pluggable_interface + Plugins to synchronize password changes 1.9 + Parallel KDC 1.9 + GS2 1.9 :rfc:`5801` :rfc:`5587` http://k5wiki.kerberos.org/wiki/Projects/GS2 + Purging old keys 1.9 + Naming extensions for delegation chain 1.9 + Password expiration API 1.9 + Windows client support (build-only) 1.9 + pre-auth mechanisms: + - PW-SALT 
:rfc:`4120#section-5.2.7.3` + - ENC-TIMESTAMP :rfc:`4120#section-5.2.7.2` + - SAM-2 + - FAST negotiation framework 1.8 :rfc:`6113` + - PKINIT :rfc:`4556` + - FX-COOKIE :rfc:`6113#section-5.2` + - S4U-X509-USER 1.8 http://msdn.microsoft.com/en-us/library/cc246091 + + PRNG + - modularity: 1.9 + - Yarrow PRNG < 1.10 + - Fortuna PRNG 1.9 + - OS PRNG 1.10 + Zero configuration + IPv6 support in iprop + =============================================== =========== ============================================ +
diff --git a/doc/rst_source/mitK5license.rst b/doc/rst_source/mitK5license.rst
index 1d61b8340..d41a3403b 100644
--- a/doc/rst_source/mitK5license.rst
+++ b/doc/rst_source/mitK5license.rst
@@ -1,3 +1,5 @@
+.. _mitK5license: + +MIT Kerberos License information ===================================
-- 
2.26.2