From eaedc17afd1ecafee7098607ccb8778ffecfed38 Mon Sep 17 00:00:00 2001 
From: Jen Selby Date: Fri, 20 Sep 2002 17:35:28 +0000 Subject: [PATCH] * Makefile: made the list of manpages a variable * admin.texinfo: took out second inclusion of copyright notice, changed some section names, updated initial synopsis of file, added explanation of encryption types and the [login] section of krb5.conf, added documentation on various tags in the configuration files, added some more examples, fixed some typos, updated usage statements for various kadmin and kdb5_util commands, updated the sample output from the commands, updated the infotex for use with makeinfo --html, added a section about getting shared-realm keys, updated the error codes * build.texinfo: added a section describing the structure of the source code tree, updated documentation of options to configure script, added information about defaults for various variable settings, updated information about shared library support, added discussion of valid kerberos principals * definitions.texinfo: added some new default variables, corrected some pathnames of default values * dnssrv.texinfo: made the information about default port numbers reference a variable * glossary.texinfo: updated definition of principal * install.texinfo: fixed typos and formatting errors, removed old sample config files from appendix (samples are in the sections about the config files), added information about supporting RC4 keys * kadm5.acl: new file. describes the kadm5.acl file. included by both admin.texinfo and install.texinfo. text is made up mostly of text that was split between those two documents. 
documentation of backreferences was added * kdcconf.texinfo: made defaults reference variables * krb425.texinfo: deleted second inclusion of copyright info, made defaults reference variable, fixed typos, took out redundant part about editing inetd.conf and replaced it with reference to install guide * krb5conf.texinfo: documented the "final variable" feature, added mention of the [login] section, * send-pr.texinfo: minor change in wording for clarity * user-guide.texinfo: made various minor wording changes, updated some of the sample output, updated documentation of command options git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14891 dc483132-0cff-0310-8789-dd5450dbe970 --- doc/ChangeLog | 41 ++ doc/Makefile | 4 +- doc/admin.texinfo | 984 +++++++++++++++++++++++++++------------- doc/build.texinfo | 275 +++++++++-- doc/definitions.texinfo | 92 +++- doc/dnssrv.texinfo | 22 +- doc/glossary.texinfo | 3 +- doc/install.texinfo | 242 +++++----- doc/kadm5acl.texinfo | 113 +++++ doc/kdcconf.texinfo | 6 +- doc/krb425.texinfo | 83 +--- doc/krb5conf.texinfo | 26 +- doc/send-pr.texinfo | 5 +- doc/user-guide.texinfo | 383 ++++++++-------- 14 files changed, 1473 insertions(+), 806 deletions(-) create mode 100644 doc/kadm5acl.texinfo diff --git a/doc/ChangeLog b/doc/ChangeLog index ef243af13..ce81239fb 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog 
@@ -1,3 +1,44 @@ +2002-09-20 Jen Selby + + * Makefile: made the list of manpages a variable + * admin.texinfo: took out second inclusion of copyright notice, + changed some section names, updated initial synopsis of file, + added explanation of encryption types and the [login] section of + krb5.conf, added documentation on various tags in the configuration + files, added some more examples, fixed some typos, updated usage + statements for various kadmin and kdb5_util commands, updated the + sample output from the commands, updated the infotex for use with + makeinfo --html, added a section about getting shared-realm keys, + updated the error codes + * build.texinfo: added a section describing the structure of the + source code tree, updated documentation of options to configure + script, added information about defaults for various variable + settings, updated information about shared library support, + added discussion of valid kerberos principals + * definitions.texinfo: added some new default variables, + corrected some pathnames of default values + * dnssrv.texinfo: made the information about default port numbers + reference a variable + * glossary.texinfo: updated definition of principal + * install.texinfo: fixed typos and formatting errors, removed old + sample config files from appendix (samples are in the sections about + the config files), added information about supporting RC4 keys + * kadm5.acl: new file. describes the kadm5.acl file. included by + both admin.texinfo and install.texinfo. text is made up mostly of + text that was split between those two documents. 
documentation + of backreferences was added + * kdcconf.texinfo: made defaults reference variables + * krb425.texinfo: deleted second inclusion of copyright info, + made defaults reference variable, fixed typos, took out redundant + part about editing inetd.conf and replaced it with reference to + install guide + * krb5conf.texinfo: documented the "final variable" feature, + added mention of the [login] section, + * send-pr.texinfo: minor change in wording for clarity + * user-guide.texinfo: made various minor wording changes, updated + some of the sample output, updated documention of command options + + 2002-09-13 Ken Raeburn * build.texinfo (Options to Configure): Update for new options diff --git a/doc/Makefile b/doc/Makefile index a5b8d13fe..6e26a5edd 100644 --- a/doc/Makefile +++ b/doc/Makefile @@ -20,6 +20,8 @@ INSTALL_INCLUDES=definitions.texinfo copyright.texinfo document-list.texinfo \ krb5conf.texinfo kdcconf.texinfo send-pr.texinfo INSTALL_DEPS=install.texinfo $(INSTALL_INCLUDES) +MANPAGES=$(SRCDIR)/appl/gssftp/ftp/ftp.M $(SRCDIR)/clients/kdestroy/kdestroy.M $(SRCDIR)/clients/kinit/kinit.M $(SRCDIR)/clients/klist/klist.M $(SRCDIR)/clients/ksu/ksu.M $(SRCDIR)/appl/bsd/rcp.M $(SRCDIR)/appl/bsd/rlogin.M $(SRCDIR)/appl/bsd/rsh.M $(SRCDIR)/appl/telnet/telnet/telnet.1 $(SRCDIR)/kadmin/passwd/kpasswd.M + USER_GUIDE_INCLUDES=definitions.texinfo copyright.texinfo glossary.texinfo USER_GUIDE_DEPS=user-guide.texinfo $(USER_GUIDE_INCLUDES) @@ -81,7 +83,7 @@ user-guide:: user-guide.ps user-guide.ps: $(USER_GUIDE_DEPS) $(DVI) user-guide.texinfo - $(MANPS) $(SRCDIR)/appl/gssftp/ftp/ftp.M $(SRCDIR)/clients/kdestroy/kdestroy.M $(SRCDIR)/clients/kinit/kinit.M $(SRCDIR)/clients/klist/klist.M $(SRCDIR)/clients/ksu/ksu.M $(SRCDIR)/appl/bsd/rcp.M $(SRCDIR)/appl/bsd/rlogin.M $(SRCDIR)/appl/bsd/rsh.M $(SRCDIR)/appl/telnet/telnet/telnet.1 $(SRCDIR)/kadmin/passwd/kpasswd.M + $(MANPS) $(MANPAGES) $(DVIPS) user-guide .PHONY: user-guide-info 
diff --git a/doc/admin.texinfo b/doc/admin.texinfo index d04ba7572..c4d834163 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo @@ -1,4 +1,4 @@ -\input texinfo-suppl.tex % contains @doubleleftarrow{} definition +x\input texinfo-suppl.tex % contains @doubleleftarrow{} definition % this line must come *before* \input texinfo \input texinfo @c -*-texinfo-*- @c %**start of header @@ -30,7 +30,6 @@ @page @vskip 0pt plus 1filll -@include copyright.texinfo @end titlepage @comment node-name, next, previous, up @@ -62,7 +61,7 @@ installation. * How Kerberos Works:: * Configuration Files:: * Using DNS:: -* Administrating Kerberos Database Entries:: +* Administrating the Kerberos Database:: * Application Servers:: * Backups of Secure Hosts:: * Bug Reporting:: @@ -107,17 +106,18 @@ The next chapter describes how Kerberos works. Chapter three describes administration of the principals in the Kerberos database. -Chapter four describes administrative programs for manipulating the +Chapter four describes how you can use DNS in configuring your Kerberos realm. + +Chapter five describes administrative programs for manipulating the Kerberos database as a whole. -Chapter five describes issues to consider when adding an application +Chapter six describes issues to consider when adding an application server to the database. -Chapter six describes our problem reporting system. +Chapter seven describes our problem reporting system. -The appendices include sample configuration files, the list of Kerberos -error messages, and a complete list of the time zones understood by -@code{kadmin}. +The appendices include the list of Kerberos error messages, and a +complete list of the time zones understood by @code{kadmin}. @node How Kerberos Works, Configuration Files, Introduction, Top @chapter How Kerberos Works 
@@ -131,7 +131,7 @@ of details; for more information, see @i{Kerberos: An Authentication Service for Open Network Systems}, a paper presented at Winter USENIX 1988, in Dallas, Texas. This paper can be retreived by FTP from @code{athena-dist.mit.edu}, in the location: -@code{/pub/ATHENA/kerberos/doc/USENIX.ps}. +@code{/pub/ATHENA/kerberos/doc/usenix.PS}. @menu * Network Services and Their Client Programs:: @@ -345,6 +345,9 @@ Following are definitions of some of the Kerberos terminology. @node Supported Encryption Types, Salts, Configuration Files, Configuration Files @section Supported Encryption Types +Any tag in the configuration files which requires a list of encryption +types can be set to some combination of the following strings. + @include support-enc.texinfo @node Salts, krb5.conf, Supported Encryption Types, Configuration Files @@ -365,6 +368,7 @@ salt. The supported values for salts are as follows. @menu * libdefaults:: * appdefaults:: +* login:: * realms (krb5.conf):: * domain_realm:: * logging:: @@ -379,6 +383,11 @@ The @code{libdefaults} section may contain any of the following relations: @table @b +@itemx default_keytab_name +This relation specifies the default keytab name to be used by +application servers such as telnetd and rlogind. The default is +@value{DefaultDefaultKeytabName}. + @itemx default_realm Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this is not specified and the TXT record 
@@ -398,14 +407,28 @@ value is @value{DefaultDefaultTgsEnctypes}. @itemx default_tkt_enctypes Identifies the supported list of session key encryption types that should be requested by the client. The format is the same as for -@emph{default_tkt_enctypes}. The default value for this tag is +@emph{default_tgs_enctypes}. The default value for this tag is @value{DefaultDefaultTktEnctypes}. +@itemx permitted_enctypes +Identifies all encryption types that are permitted for use in session +key encryption. The default value for this tag is +@value{DefaultPermittedEnctypes}. + @itemx clockskew Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is invalid. The default value is @value{DefaultClockskew}. +@itemx kdc_timesync +If this is set to 1 (for true), then client machines will compute the +difference between their time and the time returned by the KDC in the +timestamps in the tickets and use this value to correct for an +inaccurate system clock. This corrective factor is only used by the +Kerberos library. The default is @value{DefaultKDCTimesyncMac} for +Macintosh computers and @value{DefaultKDCTimesync} for all other +platforms. + @itemx kdc_req_checksum_type @itemx ap_req_checksum_type @itemx safe_checksum_type 
@@ -454,11 +477,17 @@ The default lifetime of a ticket. The default is code. @end ignore -@itemx kdc_timesync -If this is set to 1 (for true), then client machines will attempt -to sync their time with the KDC using the timestamps in the tickets. -The default is @value{DefaultKDCTimesyncMac} for Macintosh computers -and @value{DefaultKDCTimesync} for all other platforms. +@itemx krb4_srvtab +Specifies the location of the Kerberos V4 srvtab file. Default is +@value{DefaultKrb4Srvtab}. + +@itemx krb4_config +Specifies the location of hte Kerberos V4 configuration file. Default +is @value{DefaultKrb4Config}. + +@itemx krb4_realms +Specifies the location of the Kerberos V4 domain/realm translation +file. Default is @value{DefaultKrb4Realms}. @itemx dns_lookup_kdc Indicate whether DNS SRV records should be used to locate the KDCs and 
@@ -503,42 +532,102 @@ has no effect. General flag controlling the use of DNS for Kerberos information. If both of the preceding options are specified, this option has no effect. +@itemx extra_addresses +This allows a computer to use multiple local addresses, in order to +allow Kerberos to work in a network that uses NATs. The addresses +should be in a comma-separated list. + +@itemx udp_preference_limit +When sending a message to the KDC, the library will try using TCP before +UDP if the size of the message is above @code{udp_preference_list}. +If the message is smaller than @code{udp_preference_list}, then UDP +will be tried before TCP. Regardless of the size, both protocols will +be tried if the first attempt fails. + @end table -@node appdefaults, realms (krb5.conf), libdefaults, krb5.conf +@node appdefaults, login, libdefaults, krb5.conf @subsection [appdefaults] -Each tag in the [appdefaults] section names a Kerberos V5 application. -The value of the tag is a subsection with relations that define the -default behaviors for that application. +Each tag in the [appdefaults] section names a Kerberos V5 application +or an option that is used by some Kerberos V5 application[s]. The +value of the tag defines the default behaviors for that application. For example: @smallexample @group [appdefaults] - kinit = @{ - forwardable = true - @} - telnet = @{ - forward = true - encrypt = true - autologin = true - @} telnet = @{ @value{PRIMARYREALM} = @{ - forward = false + option1 = false @} @} + telnet = @{ + option1 = true + option2 = true + @} + @value{PRIMARYREALM} = @{ + option2 = false + @} + option2 = true @end group @end smallexample +The above four ways of specifying the value of an option are shown +in order of decreasing precedence. In this example, if telnet is +running in the realm @value{SECONDREALM}, it should, by default, have +option1 and option2 set to true. 
However, a telnet program in the realm +@value{PRIMARYREALM} should have option1 set to false and option2 set +to true. Any other programs in @value{PRIMARYREALM} should have option2 +set to false by default. Any programs running in other realms should +have option2 set to true. + The list of specifiable options for each application may be found in that application's man pages. The application defaults specified here are overridden by those specified in the [realms] section. -@node realms (krb5.conf), domain_realm, appdefaults, krb5.conf +@node login, realms (krb5.conf), appdefaults, krb5.conf +@subsection [login] + +Each tag in the [login] section of the file is an option for +login.krb5. This section may contain any of the following relations: + +@table @b +@itemx krb5_get_tickets +Indicate whether or not to use a user's password to get V5 tickets. +The default value is @value{DefaultKrb5GetTickets}. + +@itemx krb4_get_tickets +Indicate whether or not to user a user's password to get V4 tickets. +The default value is @value{DefaultKrb4GetTickets}. + +@itemx krb4_convert +Indicate whether or not to use the Kerberos conversion daemon to get V4 +tickets. The default value is @value{DefaultKrb4Convert}. If this is +set to false and krb4_get_tickets is true, then login will get the V5 +tickets directly using the Kerberos V4 protocol directly. This does +not currently work with non-MIT-V4 salt types (such as the AFS3 salt +type). Note that if this is set to true and krb524d is not running, +login will hang for approximately a minute under Solaris, due to a +Solaris socket emulation bug. + +@itemx krb_run_aklog +Indicate whether or not to run aklog. The default value is +@value{DefaultKrbRunAklog}. + +@itemx aklog_path +Indicate where to find aklog. The default value is +@value{DefaultAklogPath}. + +@itemx accept_passwd +A true value will cause login not to accept plaintext passwords. The +default value is @value{DefaultAcceptPasswd}. This is not yet +implemented. 
+@end table + +@node realms (krb5.conf), domain_realm, login, krb5.conf @subsection [realms] Each tag in the [realms] section of the file is the name of a Kerberos 
@@ -560,16 +649,98 @@ Identifies the host where the administration server is running. Typically, this is the master Kerberos server. This tag must be given a value in order to communicate with the kadmin server for the realm. +@ignore +this doesn't seem to be used in the code @itemx application defaults Application defaults that are specific to a particular realm may be specified within that realm's tag. Realm-specific application defaults override the global defaults specified in the [appdefaults] section. +@end ignore @itemx default_domain This tag is used for Kerberos 4 compatibility. Kerberos 4 does not require the entire hostname of a server to be in its principal like Kerberos 5 does. This tag provides the domain name needed to produce a -full hostname. +full hostname when translating V4 principal names into V5 principal +names. All servers in this realm are assumed to be in the domain given +as the value of this tag + +@itemx v4_instance_convert +This subsection allows the administrator to configure exceptions to the +default_domain mapping rule. It contains V4 instances (the tag name) +which should be translated to some specific hostname (the tag value) as +the second component in a Kerberos V5 principal name. + +@itemx v4_realm +This relation is used by the krb524 library routines when converting a +V5 principal name to a V4 principal name. It is used when the V4 realm +name and the V5 realm name are not the same, but still share the same +principal names and passwords. The tag value is the Kerberos V4 realm +name. + +@itemx auth_to_local_names +This subsection allows you to set explicit mappings from principal +names to local user names. The tag is the mapping name, and the value +is the corresponding local user name. + +@itemx auth_to_local +This tag allows you to set a general rule for mapping principal names +to local user names. It will be used if there is not an explicit +mapping for the principal name that is being translated. 
The possible +values are: + +@table @b + +@item DB:@i(unknown) +The principal will be looked up in the database @i(unknown). Support +for this is not currently compiled in by default. + +@item RULE:@i{exp} +The local name will be formulated from @i{exp}. + +The format for @i{exp} is +@code{[@i{n}:$@i{d}..@i{string}](@i{regexp})s/@i{pattern}/@i{replacement}/g}. +The integer @i{n} indicates how many components the target principal +should have. If this matches, then a string will be formed by putting +together the components of the principal in the order indicated by each +integer @i{d}, and the arbitrary string @i{string} (i.e. if the +principal was @value{RANDOMUSER}/admin then [2:$2$1foo] would result in +the string "admin@value{RANDOMUSER}foo". If this string matches +@i{regexp}, then the @code{s//[g]} substitution command will be run over the +string. The optional g will cause the substitution to be global over +the string, instead of replacing only the first match in the string. + +@item DEFAULT +The principal name will be used as the local user name. If the +principal has more than one component or is not in the default realm, +this rule is not applicable and the conversion will fail. + +@end table + +For example: + +@smallexample +@group +[realms] + @value{PRIMARYREALM} = @{ + auth_to_local = @{ + RULE:[2:$1](@value{RANDOMUSER})s/^.*$/guest/ + RULE:[2:$1;$2](^.*;admin$)s/;admin$// + RULE:[2:$2](^.*;root)s/^.*$/root/ + DEFAULT + @} + @} +@end group +@end smallexample + +would result in any principal without @code{root} or @code{admin} as +the second component to be translated with the default rule. A +principal with a second component of @code{admin} will become its first +component. @code{root} will be used as the local name for any +principal with a second component of @code{root}. The exception to +these two rules are any principals @value{RANDOMUSER}/*, which will +always get the local name @code{guest}. 
+ @end table @node domain_realm, logging, realms (krb5.conf), krb5.conf @@ -698,7 +869,7 @@ paths between the realms. This section defines that database. A client will use this section to find the authentication path between its realm and the realm of the server. The server will use this section -to verify the authentication path used be the client, by checking the +to verify the authentication path used by the client, by checking the transited field of the received ticket. There is a tag for each participating realm, and each tag has subtags @@ -716,7 +887,7 @@ tag for each realm of the clients it will serve. For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET realm as an intermediate realm. ANL has a sub realm of TEST.ANL.GOV -which will authenticate with NERSC.GOV but not PNL.GOV. The [capath] +which will authenticate with NERSC.GOV but not PNL.GOV. The [capaths] section for ANL.GOV systems would look like this: @smallexample @@ -743,7 +914,7 @@ section for ANL.GOV systems would look like this: @end group @end smallexample -The [capath] section of the configuration file used on NERSC.GOV systems +The [capaths] section of the configuration file used on NERSC.GOV systems would look like this: @smallexample @@ -774,7 +945,7 @@ would look like this: In the above examples, the ordering is not important, except when the same subtag name is used more then once. The client will use this to -determing the path. (It is not important to the server, since the +determine the path. (It is not important to the server, since the transited field is not sorted.) This feature is not currently supported by DCE. DCE security servers 
@@ -816,6 +987,18 @@ Here is an example of a generic @code{krb5.conf} file: @end ifset @value{PRIMARYDOMAIN} = @value{PRIMARYREALM} +[capaths] + @value{PRIMARYREALM} = @{ + @value{SECONDREALM} = . + @} + @value{SECONDREALM} = @{ + @value{PRIMARYREALM} = . + @} + +[logging] + kdc = SYSLOG:INFO + admin_server = FILE=/var/kadm5.log + @end group @end smallexample @@ -846,6 +1029,12 @@ listen by default. This list is a comma separated list of integers. If this relation is not specified, the compiled-in default is @value{DefaultKdcPorts}, the first being the assigned Kerberos port and the second which was used by Kerberos V4. + +@itemx v4_mode +This string specifies how the KDC should respond to Kerberos 4 +packets. The possible values are none, disable, full, and nopreauth. +The default value is @value{DefaultV4Mode}. +@comment these values found in krb5/src/kdc/kerberos_v4.c in v4mode_table @end table @node realms (kdc.conf), Sample kdc.conf File, kdcdefaults, kdc.conf 
@@ -878,21 +1067,84 @@ default is @* @code{@value{DefaultDatabaseName}}. principals created in this realm. The default value for this tag is @value{DefaultDefaultPrincipalExpiration}. -@itemx default_principal_flags +@itemx default_principal_flags (Flag string.) Specifies the default attributes of principals created -in this realm. The default value for this tag is +in this realm. The format for this string is a comma-separated list of +flags, with '+' before each flag that should be enabled and '-' before +each flag that should be disabled. The default is @value{DefaultDefaultPrincipalFlags}. +There are a number of possible flags: + +@table @b +@itemx postdateable +Enabling this flag allows the principal to obtain postdateable tickets. + +@itemx forwardable +Enabling this flag allows the principal to obtain forwardable tickets. + +@itemx tgt-based +Enabling this flag allows a principal to obtain tickets based on a +ticket-granting-ticket, rather than repeating the authentication +process that was used to obtain the TGT. + +@itemx renewable +Enabling this flag allows the principal to obtain renewable tickets. + +@itemx proxiable +Enabling this flag allows the principal to obtain proxy tickets. + +@itemx dup-skey +Enabling this flag allows the principal to obtain a session key for +another user, permitting user-to-user authentication for this principal. + +@itemx allow-tickets +Enabling this flag means that the KDC will issue tickets for this +principal. Disabling this flag essentially deactivates the principal +within this realm. + +@itemx preauth +If this flag is enabled on a client principal, then that principal is +required to preauthenticate to the KDC before receiving any tickets. +On a service principal, enabling this flag means that service tickets +for this principal will only be issued to clients with a TGT that has +the preauthenticated ticket set. 
+ +@itemx hwauth +If this flag is enabled, then the principal is required to +preauthenticate using a hardware device before receiving any tickets. + +@itemx pwchange +Enabling this flag forces a password change for this principal. + +@itemx service +Enabling this flag allows the the KDC to issue service tickets for this +principal. + +@itemx pwservice +If this flag is enabled, it marks this principal as a password change +service. This should only be used in special cases, for example, if a +user's password has expired, then the user has to get tickets for that +principal without going through the normal password authentication in +order to be able to change the password. + +@end table + @itemx dict_file (String.) Location of the dictionary file containing strings that are -not allowed as passwords. If none is specified, no dictionary checks -of passwords will be performed. +not allowed as passwords. If none is specified or if there is no +policy assigned to the principal, no dictionary checks of passwords +will be performed. @itemx kadmind_port -(Port number.) Specifies the port that the kadmind daemon is to listen -for this realm. The assigned port for kadmind is +(Port number.) Specifies the port on which the kadmind daemon is to +listen for this realm. The assigned port for kadmind is @value{DefaultKadmindPort}. +@itemx kpasswd_port +(Port number.) Specifies the port on which the kpasswd daemon is to +listen for this realm. The default is @value{DefaultKpasswdPort}. + @itemx key_stash_file (String.) Specifies the location where the master key has been stored (via @code{kdb5_util stash}). The default is 
@@ -905,8 +1157,8 @@ this realm. By default, the value of kdc_ports as specified in the [kdcdefaults] section is used. @itemx master_key_name -(String.) Specifies the name of the master key. The default is -@value{DefaultMasterKeyName}. +(String.) Specifies the name of the principal associated with the +master key. The default is @value{DefaultMasterKeyName}. @itemx master_key_type (Key type string.) Specifies the master key's key type. The default @@ -924,14 +1176,15 @@ valid ticket may be renewed in this realm. The default value is @value{DefaultMaxRenewableLife}. @itemx supported_enctypes -List of key:salt strings. Specifies the default key/salt combinations -of principals for this realm. Any principals created through -@code{kadmin} will have keys of these types. For lists of possible -values, see @ref{Supported Encryption Types} and @ref{Salts}. +List of key:salt strings. Specifies the default key/salt combinations of +principals for this realm. Any principals created through @code{kadmin} +will have keys of these types. The default value for this tag is +@value{DefaultSupportedEnctypes}. For lists of possible values, see +@ref{Supported Encryption Types} and @ref{Salts}. @itemx kdc_supported_enctypes Specifies the permitted key/salt combinations of principals for this -realm. The format is the same as @code{supported_enctypes} +realm. The format is the same as @code{supported_enctypes}. @itemx reject_bad_transit A boolean value (@code{true}, @code{false}). If set to @code{true}, the @@ -980,7 +1233,7 @@ Here's an example of a @code{kdc.conf} file: [realms] @value{PRIMARYREALM} = @{ kadmind_port = 749 - max_life = 10h 0m 0s + max_life = 12h 0m 0s max_renewable_life = 7d 0h 0m 0s master_key_type = des3-hmac-sha1 supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 
@@ -994,7 +1247,7 @@ Here's an example of a @code{kdc.conf} file: @end group @end smallexample -@node Using DNS, Administrating Kerberos Database Entries, Configuration Files, Top +@node Using DNS, Administrating the Kerberos Database, Configuration Files, Top @chapter Using DNS @menu @@ -1012,7 +1265,7 @@ Here's an example of a @code{kdc.conf} file: @include dnssrv.texinfo -@node Administrating Kerberos Database Entries, Application Servers, Using DNS, Top +@node Administrating the Kerberos Database, Application Servers, Using DNS, Top @chapter Administrating the Kerberos Database Your Kerberos database contains all of your realm's Kerberos principals, @@ -1057,16 +1310,15 @@ authenticate to KADM5. * Date Format:: * Principals:: * Policies:: -* Dumping a Kerberos Database to a File:: -* Restoring a Kerberos Database from a Dump File:: -* Creating a Stash File:: -* Creating and Destroying a Kerberos Database:: +* Global Operations on the Kerberos Database:: +* Cross-realm Authentication:: @end menu -@node Kadmin Options, Date Format, Administrating Kerberos Database Entries, Administrating Kerberos Database Entries +@node Kadmin Options, Date Format, Administrating the Kerberos Database, Administrating the Kerberos Database @section Kadmin Options -You can invoke @code{kadmin} with any of the following options: +You can invoke @code{kadmin} or @code{kadmin.local} with any of the +following options: @table @b @item @b{-r} @i{REALM} 
@@ -1078,10 +1330,18 @@ If this option is not given, @code{kadmin} will append @code{admin} to either the primary principal name, the environment variable USER, or to the username obtained from @code{getpwuid}, in order of preference. -@item @b{-k} @i{keytab} +@item @b{-q} @i{query} +Pass @i{query} directly to @code{kadmin}. This is useful for writing +scripts that pass specific queries to @code{kadmin}. + +@noindent +You can invoke @code{kadmin} with any of the following options: + +@item @b{-k} [@b{-t} @i{keytab}] Use the keytab @i{keytab} to decrypt the KDC response instead of prompting for a password on the TTY. In this case, the principal will -be @samp{host/@i{hostname}}. +be @samp{host/@i{hostname}}. If @b{-t} is not used to specify a keytab, +then the default keytab will be used. @item @b{-c} @i{credentials cache} Use @i{credentials_cache} as the credentials cache. The credentials 
@@ -1096,18 +1356,27 @@ TTY. Note: placing the password for a Kerberos principal with administration access into a shell script can be dangerous if unauthorized users gain read access to the script. -@item @b{-q} @i{query} -Pass @i{query} directly to @code{kadmin}. This is useful for writing -scripts that pass specific queries to @code{kadmin}. +@item @b{-s} @i{admin_server[:port]} +Specifies the admin server that kadmin should contact. + +@noindent +You can invoke @code{kadmin.local} with an of the follwing options: + +@item @b{-d_ @i{dbname}} +Specifies the name of the Kerberos database. @item @b{-e} @i{"enctypes ..."} -@b{(For @code{kadmin.local} only.)} Sets the list of cryptosystem and -salt types to be used for any new keys created. See @ref{Supported -Encryption Types} and @ref{Salts} for available types. +Sets the list of cryptosystem and salt types to be used for any new +keys created. See @ref{Supported Encryption Types} and @ref{Salts} for +available types. + +@item @b{-m} +Do not authenticate using a keytab. This option will cause kadmin to +prompt for the master database password. @end table -@node Date Format, Principals, Kadmin Options, Administrating Kerberos Database Entries +@node Date Format, Principals, Kadmin Options, Administrating the Kerberos Database @section Date Format Many of the @code{kadmin} commands take a duration or time as an @@ -1134,9 +1403,6 @@ fortnight @end group @end smallexample -Two-digit years are allowed in places, but the use of this form is not -recommended. - Note that if the date specification contains spaces, you must enclose it in double quotes. Note also that you cannot use a number without a unit. (I.e., ``"60 seconds"'' is correct, but ``60'' is incorrect.) 
@@ -1146,7 +1412,7 @@ the allowable keywords. @table @b @item Months january, jan, february, feb, march, mar, april, apr, may, june, jun, -july, jul, august, aug, september, sept, sep, october, oct, november, +july, jul, august, aug, september, sep, sept, october, oct, november, nov, december, dec @item Days @@ -1156,9 +1422,10 @@ thursday, thurs, thur, thu, friday, fri, saturday, sat @item Units year, month, fortnight, week, day, hour, minute, min, second, sec -@item Relative -tomorrow, yesterday, today, now, last, this, next, first, third, fourth, -fifth, sixth, seventh, eighth, ninth, tenth, eleventh, twelfth, ago +@item Relative +tomorrow, yesterday, today, now, last, this, next, first, second, +third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh, +twelfth, ago @item Time Zones @code{kadmin} recognizes abbreviations for most of the world's time @@ -1168,7 +1435,7 @@ zones. A complete listing appears in @ref{kadmin Time Zones}. am, pm @end table -@node Principals, Policies, Date Format, Administrating Kerberos Database Entries +@node Principals, Policies, Date Format, Administrating the Kerberos Database @section Principals Each entry in the Kerberos database contains a Kerberos principal @@ -1181,7 +1448,6 @@ that principal. * Adding or Modifying Principals:: * Deleting Principals:: * Changing Passwords:: -* Renaming Principals:: @end menu @node Retrieving Information About a Principal, Privileges, Principals, Principals 
@@ -1203,29 +1469,32 @@ requires the ``inquire'' administrative privilege. The syntax is: @b{get_principal} @i{principal} @end smallexample -@noindent The @code{get_principal} command has the alias @code{getprinc}. +@noindent +The @code{get_principal} command has the alias @code{getprinc}. -For example, suppose you wanted to view the attributes of the principals -@* @code{@value{RANDOMUSER1}/root@@@value{PRIMARYREALM}} and -@code{systest@@@value{PRIMARYREALM}}. You would type: +For example, suppose you wanted to view the attributes of the +principal @* @code{@value{RANDOMUSER1}/root@@@value{PRIMARYREALM}}. + You would type: @smallexample @group @b{shell%} kadmin @b{kadmin:} getprinc @value{RANDOMUSER1}/root @b{Principal: @value{RANDOMUSER1}/root@@@value{PRIMARYREALM} -Key version: 3 -Maximum life: 1 day 00:00:00 +Expiration date: [never] +Last password change: Mon Jan 31 02:06:40 EDT 2002 +Password Expiration date: [none] +Maximum ticket life: 0 days 10:00:00 Maximum renewable life: 7 days 00:00:00 -Master key version: 1 -Expires: Mon Jan 18 22:14:07 EDT 2038 -Password expires: Mon Sep 19 14:40:00 EDT 2004 -Password last changed: Mon Jan 31 02:06:40 EDT 2004 -Last modified: by @value{ADMINUSER}/admin@@@value{PRIMARYREALM} - on Wed Jul 13 18:27:08 EDT 2004 -Attributes: DISALLOW_FORWARDABLE, DISALLOW_PROXIABLE, - REQUIRES_HW_AUTH -Salt type: DEFAULT +Last modified: Wed Jul 24 14:46:25 EDT 2002 (@value{ADMINUSER}/admin@@@value{PRIMARYREALM}) +Last successful authentication: Mon Jul 29 18:20:17 EDT 2002 +Last failed authentication: Mon Jul 29 18:18:54 EDT 2002 +Failed password attempts: 3 +Number of keys: 2 +Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt +Key: vno 2, DES cbc mode with CRC-32, no salt +Attributes: DISALLOW_FORWARDABLE, DISALLOW_PROXIABLE +Policy: [none] kadmin:} @end group @end smallexample 
@@ -1235,11 +1504,12 @@ the fields as a quoted, tab-separated string. For example: @smallexample @group -@b{kadmin:} getprinc -terse systest -@b{systest@@@value{PRIMARYREALM} 3 86400 604800 1 -785926535 753241234 785900000 -@value{ADMINUSER}/admin@@@value{PRIMARYREALM} 786100034 0 -0 +@b{kadmin:} getprinc -terse @value{RANDOMUSER1}/root +@b{@value{RANDOMUSER1}/root@@@value{PRIMARYREALM} 0 1027458564 +0 36000 (@value{ADMINUSER}/admin@@@value{PRIMARYREALM} +1027536385 18 2 0 [none] 604800 1027980137 +1027980054 3 2 1 2 16 0 1 +2 1 0 kadmin:} @end group @end smallexample 
@@ -1255,103 +1525,42 @@ The syntax is: @b{list_principals} [@i{expression}] @end smallexample -@noindent where @i{expression} is a shell-style glob expression that can -contain the characters @samp{*}, @samp{?}, @samp{[}, and @samp{]}. All -policy names matching the expression are displayed. The -@code{list_principals} command has the alias @code{listprincs}. For -example: +@noindent where @i{expression} is a shell-style glob expression that +can contain the characters @samp{*}, @samp{?}, @samp{[}, and @samp{]}. +All policy names matching the expression are displayed. The +@code{list_principals} command has the aliases @code{listprincs}, +@code{get_principals}, and @code{getprincs}. For example: @smallexample @group @b{kadmin:} listprincs test* -@b{test3@@@value{PRIMARYDOMAIN} -test2@@@value{PRIMARYDOMAIN} -test1@@@value{PRIMARYDOMAIN} -testuser@@@value{PRIMARYDOMAIN} +@b{test3@@@value{PRIMARYREALM} +test2@@@value{PRIMARYREALM} +test1@@@value{PRIMARYREALM} +testuser@@@value{PRIMARYREALM} kadmin:} @end group @end smallexample -@noindent If no expression is provided, all principals are printed. +@noindent +If no expression is provided, all principals are printed. @node Privileges, Adding or Modifying Principals, Retrieving Information About a Principal, Principals @subsection Privileges Administrative privileges for the Kerberos database are stored in the -file @code{kadm5.acl}. Each line of the file contains a principal, the -privileges that principal has, and optionally the target to which those -permissions apply. The privileges are represented by single letters; -UPPER-CASE letters represent negative permissions. The permissions are: - -@table @b -@itemx a -allows the addition of principals or policies in the database. -@itemx A -disallows the addition of principals or policies in the database. -@itemx d -allows the deletion of principals or policies in the database. -@itemx D -disallows the deletion of principals or policies in the database. 
-@itemx m -allows the modification of principals or policies in the database. -@itemx M -disallows the modification of principals or policies in the database. -@itemx c -allows the changing of passwords for principals in the database. -@itemx C -disallows the changing of passwords for principals in the database. -@itemx i -allows inquiries to the database. -@itemx I -disallows inquiries to the database. -@itemx l -allows the listing of principals or policies in the database. -@itemx L -disallows the listing of principals or policies in the database. -@itemx * -All privileges (admcil). -@itemx x -All privileges (admcil); identical to ``*''. -@end table - -Principals in this file can include the @b{*} wildcard. Here is an -example of a @code{kadm5.acl} file. Note that order is important; -permissions are determined by the first matching entry. - -@smallexample -@group -*/admin@@@value{PRIMARYREALM} * -@value{ADMINUSER}@@@value{PRIMARYREALM} ADMCIL -@value{ADMINUSER}/*@@@value{PRIMARYREALM} il -@value{RANDOMUSER1}/root@@@value{PRIMARYREALM} cil */root@@@value{PRIMARYREALM} -*/*@@@value{PRIMARYREALM} i -@end group -@end smallexample +file @code{kadm5.acl}. -@noindent In the above file, any principal with an @code{admin} instance -has all administrative privileges. The user @code{@value{ADMINUSER}} -has all permissions with his @code{admin} instance, -@code{@value{ADMINUSER}/admin@@@value{PRIMARYREALM}} (matches the first -line). He has no permissions at all with his @code{null} instance, -@code{@value{ADMINUSER}@@@value{PRIMARYREALM}} (matches the second -line). He has @i{inquire} and @i{list} permissions with any other -instance (matches the third line). When @code{@value{RANDOMUSER1}} is -using her @code{root} -instance, @code{@value{RANDOMUSER1}/root@@@value{PRIMARYREALM}}, she has -@i{change password}, @i{inquire}, and @i{list} privileges for any other -principal that has the instance @code{root}. 
Finally, any principal in -the realm @code{@value{PRIMARYREALM}} (except for -@code{@value{ADMINUSER}@@@value{PRIMARYREALM}}, as mentioned above) -has @i{inquire} privileges. +@include kadm5acl.texinfo @node Adding or Modifying Principals, Deleting Principals, Privileges, Principals @subsection Adding or Modifying Principals To add a principal to the database, use the kadmin @code{add_principal} command, which requires the ``add'' administrative privilege. This -function creates the new principal and, if neither the -policy nor --clearpolicy options are specified and the policy ``default'' exists, -assigns it that policy. The syntax is: +function creates the new principal, prompting twice for a password, and, +if neither the -policy nor -clearpolicy options are specified and the +policy ``default'' exists, assigns it that policy. The syntax is: @smallexample @b{kadmin:} add_principal [@i{options}] @i{principal} @@ -1368,22 +1577,13 @@ administrative privilege. The syntax is: @noindent @code{add_principal} has the aliases @code{addprinc} and @code{ank}@footnote{@code{ank} was the short form of the equivalent -command using the deprecated @code{kadmin5} database administrative -tool. It has been kept}. @code{modify_principal} has the alias @code{modprinc}. +command using the deprecated @code{kadmin5} database administrative tool. +It has been kept}. @code{modify_principal} has the alias @code{modprinc}. The @code{add_principal} and @code{modify_principal} commands take the following switches: @table @b -@item -salt @i{salttype} -Uses the specified salt for generating the key. For valid salt types, -see @ref{Salts}. - -@item -clearpolicy -For @code{modify_principal}, removes the current policy from a -principal. For @code{add_principal}, suppresses the automatic -assignment of the policy ``default''. - @item -expire @i{date} Sets the expiration date of the principal to @i{date}. 
@@ -1393,6 +1593,10 @@ Sets the expiration date of the password to @i{date}. @item -maxlife @i{maxlife} Sets the maximum ticket life of the principal to @i{maxlife}. +@item -maxrenewlife @i{maxrenewlife} +Sets the maximum renewable life of tickets for the principal to +@i{maxrenewlife}. + @item -kvno @i{number} Explicity sets the key version number to @i{number}. @value{COMPANY} does not recommend doing this unless there is a specific reason. @@ -1405,6 +1609,11 @@ supplied, the -clearpolicy is not specified, and the policy ``default'' exists, that policy is assigned. If a principal is created with no policy, @code{kadmin} will print a warning message. +@item -clearpolicy +For @code{modify_principal}, removes the current policy from a +principal. For @code{add_principal}, suppresses the automatic +assignment of the policy ``default''. + @item @{-|+@}allow_postdated The ``-allow_postdated'' option prohibits this principal from obtaining postdated tickets. ``+allow_postdated'' clears this flag. In effect, @@ -1484,10 +1693,6 @@ will probably never need to use this option.) ``+password_changing_service'' option sets the KRB5_KDB_PWCHANGE_SERVICE flag on the principal in the database. -@item -clearpolicy @i{policyname} -Removes the policy @i{policyname} from the principal -(@code{modify_principal} only). - @item -randkey Sets the key for the principal to a random value (@code{add_principal} only). @value{COMPANY} recommends using this option for host keys. 
@@ -1520,6 +1725,10 @@ defaulting to no policy.} @b{Enter password for principal @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<= Type the password.} @b{Re-enter password for principal @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<=Type it again.} @end ifinfo +@ifhtml +@b{Enter password for principal @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<= Type the password.} +@b{Re-enter password for principal @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<=Type it again.} +@end ifhtml @b{Principal "@value{RANDOMUSER1}@@@value{PRIMARYREALM}" created. kadmin:} @end group @@ -1546,6 +1755,11 @@ continuation of the previous line.) @b{Re-enter password for principal @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{<= Type it again.} @end ifinfo +@ifhtml +@b{Enter password for principal @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{<= Type the password.} +@b{Re-enter password for principal +@value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{<= Type it again.} +@end ifhtml @b{Principal "@value{RANDOMUSER2}@@@value{PRIMARYREALM}" created. kadmin:} 
@@ -1553,14 +1767,15 @@ kadmin:} @end smallexample If you will need cross-realm authentication, you need to add principals -for the other realm's TGT to each realm. For example, if you need to do -cross-realm authentication between the realms @value{PRIMARYREALM} and -@value{SECONDREALM}, you would need to add the principals @* +for the other realm's TGT to each realm. For example, if you need to +do cross-realm authentication between the realms @value{PRIMARYREALM} +and @value{SECONDREALM}, you would need to add the principals @* @samp{krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}} and @samp{krbtgt/@value{PRIMARYREALM}@@@value{SECONDREALM}} to both databases. You need to be sure the passwords and the key version numbers (kvno) are the same in both databases. This may require -explicitly setting the kvno with the @samp{-kvno} option. +explicitly setting the kvno with the @samp{-kvno} option. See +@ref{Cross-realm Authentication} for more details. @node Deleting Principals, Changing Passwords, Adding or Modifying Principals, Principals @subsection Deleting Principals @@ -1588,7 +1803,7 @@ kadmin:} @end group @end smallexample -@node Changing Passwords, Renaming Principals, Deleting Principals, Principals +@node Changing Passwords, , Deleting Principals, Principals @subsection Changing Passwords To change a principal's password use the kadmin @code{change_password} @@ -1603,11 +1818,6 @@ the principal is changing his/her own password). The syntax is: @code{change_password} takes the following options: @table @b -@item @b{-salt} @i{salttype} -Uses the specified salt for generating the key. Salt types are the same -as for the @code{add_principal} command (@pxref{Adding or Modifying -Principals}). - @item -randkey Sets the key of the principal to a random value. 
@@ -1621,6 +1831,12 @@ of the principal. The quotes are necessary if there are multiple enctype-salttype pairs. This will not function against kadmin daemons earlier than krb5-1.2. See @ref{Supported Encryption Types} and @ref{Salts} for possible values. + +@item @b{-keepold} +Keeps the previous kvno's keys around. There is no easy way to delete +the old keys, and this flag is usually not necessary except perhaps for +TGS keys. Don't use this flag unless you know what you're doing. + @end table For example: @@ -1636,6 +1852,10 @@ For example: @b{Enter password for principal @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{<= Type the new password.} @b{Re-enter password for principal @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{<= Type it again.} @end ifinfo +@ifhtml +@b{Enter password for principal @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{<= Type the new password.} +@b{Re-enter password for principal @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{<= Type it again.} +@end ifhtml @b{Password for @value{RANDOMUSER2}@@@value{PRIMARYREALM} changed. kadmin:} @end group 
@@ -1644,36 +1864,7 @@ kadmin:} Note that @code{change_password} will not let you change the password to one that is in the principal's password history. -@node Renaming Principals, , Changing Passwords, Principals -@subsection Renaming Principals - -To rename a principal, use the kadmin @code{rename_principal} command, -which requires both the ``add'' and ``delete'' administrative -privileges. The syntax is: - -@smallexample -@b{rename_principal} [@b{-force}] @i{old_principal} @i{new_principal} -@end smallexample - -@noindent The @code{rename_principal} command has the alias @code{renprinc}. - -For example: - -@smallexample -@group -@b{kadmin:} renprinc test test0 -@b{Are you sure you want to rename the principal -"test@@@value{PRIMARYREALM}" to -"test0@@@value{PRIMARYREALM}"? (yes/no):} yes -@b{Principal "test@@@value{PRIMARYREALM}" renamed to -"test0@@@value{PRIMARYREALM}". -Make sure that you have removed "test@@@value{PRIMARYREALM}" from -all ACLs before reusing. -kadmin:} -@end group -@end smallexample - -@node Policies, Dumping a Kerberos Database to a File, Principals, Administrating Kerberos Database Entries +@node Policies, Global Operations on the Kerberos Database, Principals, Administrating the Kerberos Database @section Policies A policy is a set of rules governing passwords. Policies can dictate @@ -1741,8 +1932,8 @@ syntax is: @noindent where @i{expression} is a shell-style glob expression that can contain the characters *, ?, and []. All policy names matching the -expression are displayed. The @code{list_policies} command has the alias -@code{listpols}. For example: +expression are displayed. The @code{list_policies} command has the aliases +@code{listpols}, @code{get_policies}, and @code{getpols}. For example: @smallexample @group 
@@ -1809,7 +2000,7 @@ To delete a policy, use the @code{kadmin} @code{delete_policy} command, which requires the ``delete'' administrative privilege. The syntax is: @smallexample -@b{delete_policy} @i{policy_name} +@b{delete_policy [-force]} @i{policy_name} @end smallexample @noindent The @code{delete_policy} command has the alias @code{delpol}. @@ -1821,8 +2012,7 @@ For example: @b{kadmin:} delete_policy guests @b{Are you sure you want to delete the policy "guests"? (yes/no):} yes -@b{Policy "guests" deleted. -kadmin:} +@b{kadmin:} @end group @end smallexample 
@@ -1830,14 +2020,61 @@ Note that you must cancel the policy from all principals before deleting it. The @code{delete_policy} command will fail if it is in use by any principals. -@node Dumping a Kerberos Database to a File, Restoring a Kerberos Database from a Dump File, Policies, Administrating Kerberos Database Entries -@section Dumping a Kerberos Database to a File +@node Global Operations on the Kerberos Database, Cross-realm Authentication, Policies, Administrating the Kerberos Database +@section Global Operations on the Kerberos Database + +@menu +* Dumping a Kerberos Database to a File:: +* Restoring a Kerberos Database from a Dump File:: +* Creating a Stash File:: +* Creating and Destroying a Kerberos Database:: +@end menu + +The @code{kdb5_util} command is the primary tool for administrating the +Kerberos database. The syntax is: + +@smallexample +@b{kdb5_util} @i{command} [@i{kdb5_util_options}] [@i{command_options}] +@end smallexample + +The @code{kdb5_util} command takes the following options, which override +the defaults specified in the configuration files: + +@table @b +@itemx -r @i{realm} +specifies the the Kerberos realm of the database. + +@itemx -d @i{database_name} +specifies the name under which the principal database is stored. + +@itemx -k @i{master_key_type} +specifies the key type of the master key in the database. + +@itemx -M @i{master_key_name} +specifies the principal name of the master key in the database. + +@itemx -m +indicates that the master database password should be read from the TTY +rather than fetched from a file on disk. + +@itemx -sf @i{stash_file} +specifies the stash file of the master database password + +@itemx -P @i{password} +specifies the master database password. @value{COMPANY} does not +recommend using this option. 
+ +@end table + +@node Dumping a Kerberos Database to a File, Restoring a Kerberos Database from a Dump File, Global Operations on the Kerberos Database, Global Operations on the Kerberos Database +@subsection Dumping a Kerberos Database to a File To dump a Kerberos database into a file, use the @code{kdb5_util} @code{dump} command on one of the KDCs. The syntax is: @smallexample -@b{kdb5_util dump} [@b{-old}] [@b{-b6}] [@b{-ov}] [@b{-verbose}] [@i(unknown) +@b{kdb5_util dump} [@b{-old}] [@b{-b6}] [@b{-b7}] [@b{-ov}] +[@b{-verbose}] [-mkey_convert] [-new_mkey_file] [@i(unknown) [@i{principals...}]] @end smallexample @@ -1850,6 +2087,9 @@ causes the dump to be in the Kerberos 5 Beta 5 and earlier dump format @itemx -b6 causes the dump to be in the Kerberos 5 Beta 6 format (``kdb5_edit load_dump version 3.0''). +@itemx -b7 +causes the dump to be in the Kerberos 5 Beta 7 format (``kdbt_edit +load_dump version 4''). @itemx -ov causes the dump to be in ovsec_adm_export format. Currently, the only way to preserve per-principal policy information is to use this in @@ -1857,6 +2097,12 @@ conjunction with a normal dump. @itemx -verbose causes the name of each principal and policy to be printed as it is dumped. +@itemx -mkey_convert +prompts for a new master password, and then dumps the database with +all keys reencrypted in this new master key +@itemx -new_mkey_file +reads a new key from the default keytab and then dumps the database +with all keys reencrypted in this new master key @end table For example: 
@@ -1916,16 +2162,16 @@ contained in the Kerberos database, you must perform a normal dump (with no option flags) and an additional dump using the ``-ov'' flag to a different file. -@node Restoring a Kerberos Database from a Dump File, Creating a Stash File, Dumping a Kerberos Database to a File, Administrating Kerberos Database Entries -@section Restoring a Kerberos Database from a Dump File +@node Restoring a Kerberos Database from a Dump File, Creating a Stash File, Dumping a Kerberos Database to a File, Global Operations on the Kerberos Database +@subsection Restoring a Kerberos Database from a Dump File To restore a Kerberos database dump from a file, use the @code{kdb5_util} @code{load} command on one of the KDCs. The syntax is: @smallexample -@b{kdb5_util load} [@b{-old}] [@b{-b6}] [@b{-ov}] [@b{-verbose}] [@b{-update}] -@i{dumpfilename} @i{dbname} [@i{admin_dbname}] +@b{kdb5_util load} [@b{-old}] [@b{-b6}] [@b{-b7}] [@b{-ov}] [@b{-verbose}] +[@b{-update}] [@b{-hash}] @i{dumpfilename} @i{dbname} [@i{admin_dbname}] @end smallexample The @code{kdb5_util load} command takes the following options: @@ -1937,6 +2183,9 @@ requires the dump to be in the Kerberos 5 Beta 5 and earlier dump format @itemx -b6 requires the dump to be in the Kerberos 5 Beta 6 format (``kdb5_edit load_dump version 3.0''). +@itemx -b7 +requires the dump to be in the Kerberos 5 Beta 7 format (``kdb5_edit +load_dump version 4''). @itemx -ov requires the dump to be in ovsec_adm_export format. @itemx -verbose @@ -1948,6 +2197,8 @@ existing database. This is useful in conjunction with an ovsec_adm_export format dump if you want to preserve per-principal policy information, since the current default format does not contain this data. +@itemx -hash +causes the database to be stored as a hash rather than a binary tree. @end table For example: 
@@ -1970,8 +2221,8 @@ For example: If the database file exists, and the @b{-update} flag was not given, @code{kdb5_util} will overwrite the existing database. -@node Creating a Stash File, Creating and Destroying a Kerberos Database, Restoring a Kerberos Database from a Dump File, Administrating Kerberos Database Entries -@section Creating a Stash File +@node Creating a Stash File, Creating and Destroying a Kerberos Database, Restoring a Kerberos Database from a Dump File, Global Operations on the Kerberos Database +@subsection Creating a Stash File A stash file allows a KDC to authenticate itself to the database utilities, such as @code{kadmin}, @code{kadmind}, @code{krb5kdc}, and @@ -1997,6 +2248,9 @@ kdb5_util: Warning: proceeding without master key} @ifinfo @b{Enter KDC database master key:} @i{<= Type the KDC database master password.} @end ifinfo +@ifhtml +@b{Enter KDC database master key:} @i{<= Type the KDC database master password.} +@end ifhtml @b{shell%} @end group @end smallexample @@ -2005,8 +2259,8 @@ kdb5_util: Warning: proceeding without master key} If you do not specify a stash file, @code{kdb5_util} will stash the key in the file specified in your @code{kdc.conf} file. -@node Creating and Destroying a Kerberos Database, , Creating a Stash File, Administrating Kerberos Database Entries -@section Creating and Destroying a Kerberos Database +@node Creating and Destroying a Kerberos Database, , Creating a Stash File, Global Operations on the Kerberos Database +@subsection Creating and Destroying a Kerberos Database If you need to create a new Kerberos database, use the @code{kdb5_util} @code{create} command. The syntax is: 
@@ -2037,6 +2291,10 @@ It is important that you NOT FORGET this password.} @b{Enter KDC database master key:} @i{<= Type the master password.} @b{Re-enter KDC database master key to verify:} @i{<= Type it again.} @end ifinfo +@ifhtml +@b{Enter KDC database master key:} @i{<= Type the master password.} +@b{Re-enter KDC database master key to verify:} @i{<= Type it again.} +@end ifhtml @b{shell%} @end group @end smallexample @@ -2064,6 +2322,10 @@ confirmation before destroying the database. @b{kdb5_util: Deleting KDC database stored in @value{DefaultDatabaseName}, are you sure (type yes to confirm)?} @i{<== yes} @end ifinfo +@ifhtml +@b{kdb5_util: Deleting KDC database stored in @value{DefaultDatabaseName}, are you sure +(type yes to confirm)?} @i{<== yes} +@end ifhtml @b{OK, deleting database '@value{DefaultDatabaseName}'...} @b{shell%} 
@@ -2071,13 +2333,48 @@ confirmation before destroying the database. @end smallexample @ignore -@c @node The KDC Logs, , Creating and Destroying a Kerberos Database, Administrating Kerberos Database Entries +@c @node The KDC Logs, , Creating and Destroying a Kerberos Database, Administrating the Kerberos Database @c @section The KDC Logs This will have to wait until the next release. *sigh* @end ignore -@node Application Servers, Backups of Secure Hosts, Administrating Kerberos Database Entries, Top +@node Cross-realm Authentication, , Global Operations on the Kerberos Database, Administrating the Kerberos Database +@section Cross-realm Authentication + +In order for a KDC in one realm to authenticate Kerberos users in a +different realm, it must share a key with the KDC in the other realm. +In both databases, there must be krbtgt service principals for realms. +These principals should all have the same passwords, key version +numbers, and encryption types. For example, if the administrators of +@value{PRIMARYREALM} and @value{SECONDREALM} wanted to authenticate +across the realms, they would run the following commands on the KDCs in +@i{both} realms: + +@smallexample +@group +@b{shell%:} kadmin.local -e "des3-hmac-sha1:normal des-cbc-crc:v4" +@b{kadmin:} add_princ -requires_preauth krbtgt/@value{PRIMARYREALM}@@@value{SECONDREALM} +@b{Enter password for principal krbtgt/@value{PRIMARYREALM}@@@value{SECONDREALM}:} +@b{Re-enter password for principal krbtgt/@value{PRIMARYREALM}@@@value{SECONDREALM}:} +@b{kadmin:} add_princ -requires_preauth krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM} +@b{Enter password for principal krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}:} +@b{Enter password for principal krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALML}:} +@b{kadmin:} +@end group +@end smallexample + +Even if most principals in a realm are generally created with the +requires_preauth flag enabled, this flag is not desirable on +cross-realm authentication keys because 
doing so makes it impossible to +disable preauthentication on a service-by-service basis. Disabling it +as in the example above is recommended. + +It is also very important that these principals have good passwords. +@value{COMPANY} recommends that TGT principal passwords be at least 26 +characters of random ASCII text. + +@node Application Servers, Backups of Secure Hosts, Administrating the Kerberos Database, Top @chapter Application Servers If you need to install the @value{PRODUCT} programs on an application @@ -2123,15 +2420,17 @@ the @code{ktadd} command from @code{kadmin}, which requires the privilege.) The syntax is: @smallexample -@b{ktadd} [@b{-k} @i{keytab}] [@b{-q}] [@i{principal} | @b{-glob} @i{princ_exp}] [@i{@dots{}}] +@b{ktadd} [@b{-k[eytab]} @i{keytab}] [@b{-q}] [@b{-e} +@i{key:salt_list}] [@i{principal} | @b{-glob} @i{princ_exp}] +[@i{@dots{}}] @end smallexample The @code{ktadd} command takes the following switches: @table @b -@item -k @i{keytab} +@item -k[eytab] @i{keytab} use @i{keytab} as the keytab file. Otherwise, @code{ktadd} will use the -default keytab file (@code{/etc/krb5.keytab}). +default keytab file (@code{@value{DefaultDefaultKeytabName}}). @item @b{-e} @i{"enc:salt..."} Uses the specified list of enctype-salttype pairs for setting the key @@ -2183,13 +2482,13 @@ To remove a principal from an existing keytab, use the kadmin @code{ktremove} command. The syntax is: @smallexample -@b{ktremove} [@b{-k} @i{keytab}] [@b{-q}] @i{principal} [@i{kvno} | @b{all} | @b{old}] +@b{ktremove} [@b{-k[eytab]} @i{keytab}] [@b{-q}] @i{principal} [@i{kvno} | @b{all} | @b{old}] @end smallexample The @code{ktremove} command takes the following switches: @table @b -@item -k @i{keytab} +@item -k[eytab] @i{keytab} use @i{keytab} as the keytab file. Otherwise, @code{ktremove} will use the default keytab file (@code{/etc/krb5.keytab}). 
@@ -2233,7 +2532,7 @@ specified maximum clock skew of the KDC (as specified in the @code{kdc.conf} file). Similarly, hosts are configured to reject responses from any KDC whose clock is not within the specified maximum clock skew of the host (as specified in the @code{krb5.conf} file). The -default value for maximum clock skew is 300 seconds (five minutes). +default value for maximum clock skew is @value{DefaultClockskew}. @value{COMPANY} suggests that you add a line to client machines' @code{/etc/rc} files to synchronize the machine's clock to your KDC at 
@@ -2306,23 +2605,26 @@ If you need off-site users to be able to get Kerberos tickets in your realm, they must be able to get to your KDC. This requires either that you have a slave KDC outside your firewall, or you configure your firewall to allow UDP requests into at least one of your KDCs, on -whichever port the KDC is running. (The default is port 88; other ports -may be specified in the KDC's kdc.conf file.) Similarly, if you need -off-site users to be able to change their passwords in your realm, they -must be able to get to your Kerberos admin server. The default port for -the admin server is 749. +whichever port the KDC is running. (The default is port +@value{DefaultPort}; other ports may be specified in the KDC's kdc.conf +file.) Similarly, if you need off-site users to be able to change +their passwords in your realm, they must be able to get to your +Kerberos admin server. The default port for the admin server is +@value{DefaultKadmindPort}. If your on-site users inside your firewall will need to get to KDCs in other realms, you will also need to configure your firewall to allow -outgoing TCP and UDP requests to port 88. Additionally, if they will -need to get to any Kerberos V4 KDCs, you may also need to allow TCP and -UDP requests to port 750. If your on-site users inside your firewall +outgoing TCP and UDP requests to port @value{DefaultPort}. +Additionally, if they will need to get to any Kerberos V4 KDCs, you may +also need to allow TCP and UDP requests to port +@value{DefaultSecondPort}. If your on-site users inside your firewall will need to get to Kerberos admin servers in other realms, you will -also need to allow outgoing TCP and UDP requests to port 749. +also need to allow outgoing TCP and UDP requests to port +@value{DefaultKadmindPort}. If any of your KDCs are outside your firewall, you will need to allow @code{kprop} requests to get through to the remote KDC. @code{Kprop} -uses the krb5_prop service on port 754 (tcp). 
+uses the krb5_prop service on port @value{DefaultKrbPropPort} (tcp). If you need your off-site users to have access to machines inside your firewall, you need to allow TCP connections from their off-site hosts on @@ -2332,18 +2634,18 @@ for the @value{PRODUCT} programs: @smallexample @group -ftp 21/tcp # Kerberos ftp and telnet use the -telnet 23/tcp # default ports -kerberos 88/udp kdc # Kerberos V5 KDC -kerberos 88/tcp kdc # Kerberos V5 KDC -klogin 543/tcp # Kerberos authenticated rlogin -kshell 544/tcp cmd # and remote shell -kerberos-adm 749/tcp # Kerberos 5 admin/changepw -kerberos-adm 749/udp # Kerberos 5 admin/changepw -krb5_prop 754/tcp # Kerberos slave propagation +ftp @value{DefaultFTPPort}/tcp # Kerberos ftp and telnet use the +telnet @value{DefaultTelnetPort}/tcp # default ports +kerberos @value{DefaultPort}/udp kdc # Kerberos V5 KDC +kerberos @value{DefaultPort}/tcp kdc # Kerberos V5 KDC +klogin @value{DefaultKloginPort}/tcp # Kerberos authenticated rlogin +kshell @value{DefaultKshellPort}/tcp cmd # and remote shell +kerberos-adm @value{DefaultKadmindPort}/tcp # Kerberos 5 admin/changepw +kerberos-adm @value{DefaultKadmindPort}/udp # Kerberos 5 admin/changepw +krb5_prop @value{DefaultKrbPropPort}/tcp # Kerberos slave propagation @c kpop 1109/tcp # Pop with Kerberos -eklogin 2105/tcp # Kerberos auth. & encrypted rlogin -krb524 4444/tcp # Kerberos 5 to 4 ticket translator +eklogin @value{DefaultEkloginPort}/tcp # Kerberos auth. & encrypted rlogin +krb524 @value{DefaultKrb524Port}/tcp # Kerberos 5 to 4 ticket translator @end group @end smallexample 
@@ -2358,28 +2660,28 @@ these programs to non-default port numbers and allow ftp and telnet connections on those ports to get through. @value{PRODUCT} @code{rlogin} uses the @code{klogin} service, which by -default uses port 543. Encrypted @value{PRODUCT} rlogin uses the -@code{eklogin} service, which by default uses port 2105. +default uses port @value{DefaultKloginPort}. Encrypted @value{PRODUCT} +rlogin uses the @code{eklogin} service, which by default uses port +@value{DefaultEkloginPort}. @value{PRODUCT} @code{rsh} uses the @code{kshell} service, which by -default uses port 544. However, the server must be able to make a TCP -connection from the kshell port to an arbitrary port on the client, so -if your users are to be able to use @code{rsh} from outside your -firewall, the server they connect to must be able to send outgoing -packets to arbitrary port numbers. Similarly, if your users need to run -@code{rsh} from inside your firewall to hosts outside your firewall, the -outside server needs to be able to connect to an arbitrary port on the -machine inside your firewall. Because @value{PRODUCT} @code{rcp} uses -@code{rsh}, the same issues apply. If you need to use @code{rsh} (or -@code{rcp}) through your firewall and are concerned with the security -implications of allowing connections to arbitrary ports, @value{COMPANY} -suggests that you have rules that specifically name these applications -and, if possible, list the allowed hosts. - -A reasonably good cookbook for configuring firewalls is available by FTP -from @* @code{ftp.livingston.com}, in the location: -@code{/pub/firewall/firewall-1.1.ps.Z}. The book @cite{UNIX System -Security}, by David Curry, is also a good starting point. +default uses port @value{DefaultKshellPort}. 
However, the server must +be able to make a TCP connection from the kshell port to an arbitrary +port on the client, so if your users are to be able to use @code{rsh} +from outside your firewall, the server they connect to must be able to +send outgoing packets to arbitrary port numbers. Similarly, if your +users need to run @code{rsh} from inside your firewall to hosts outside +your firewall, the outside server needs to be able to connect to an +arbitrary port on the machine inside your firewall. Because +@value{PRODUCT} @code{rcp} uses @code{rsh}, the same issues apply. If +you need to use @code{rsh} (or @code{rcp}) through your firewall and +are concerned with the security implications of allowing connections to +arbitrary ports, @value{COMPANY} suggests that you have rules that +specifically name these applications and, if possible, list the allowed +hosts. + +The book @cite{UNIX System Security}, by David Curry, is a good +starting point for learning to configure firewalls. @ignore @c @node Enabling Users to Connect from Off-Site, , Configuring Your Firewall to Work With @value{PRODUCT}, Application Servers @@ -2512,12 +2814,7 @@ KRB5KDC_ERR_KEY_EXP: Password has expired @item KRB5KDC_ERR_PREAUTH_FAILED: Preauthentication failed @item -@iftex KRB5KDC_ERR_PREAUTH_REQUIRED: Additional pre-auth@-en@-ti@-ca@-tion required -@end iftex -@ifinfo -KRB5KDC_ERR_PREAUTH_REQUIRED: Additional preauthentication required -@end ifinfo @item KRB5KDC_ERR_SERVER_NOMATCH: Requested server and ticket don't match @item @@ -2569,9 +2866,9 @@ KRB5KRB_AP_ERR_BADSEQ: Incorrect sequence number in message @item KRB5KRB_AP_ERR_INAPP_CKSUM: Inappropriate type of checksum in message @item -KRB5PLACEHOLD_51: KRB5 error code 51 +KRB5KRB_AP_PATH_NOT_ACCEPTED: Policy rejects transited path @item -KRB5PLACEHOLD_52: KRB5 error code 52 +KRB5KRB_ERR_RESPONSE_TOO_BIG: Response too big for UDP, retry with TCP @item KRB5PLACEHOLD_53: KRB5 error code 53 @item 
@@ -2737,9 +3034,9 @@ KRB5_PARSE_ILLCHAR: Illegal character in component name @item KRB5_PARSE_MALFORMED: Malformed representation of principal @item -KRB5_CONFIG_CANTOPEN: Can't open/find configuration file +KRB5_CONFIG_CANTOPEN: Can't open/find Kerberos configuration file @item -KRB5_CONFIG_BADFORMAT: Improper format of configuration file +KRB5_CONFIG_BADFORMAT: Improper format of Kerberos configuration file @item KRB5_CONFIG_NOTENUFSPACE: Insufficient space to return complete information @@ -2860,11 +3157,11 @@ KRB5_CC_IO: Credentials cache I/O operation failed XXX @item KRB5_FCC_PERM: Credentials cache file permissions incorrect @item -KRB5_FCC_NOFILE: No credentials cache file found +KRB5_FCC_NOFILE: No credentials cache found @item -KRB5_FCC_INTERNAL: Internal file credentials cache error +KRB5_FCC_INTERNAL: Internal credentials cache error @item -KRB5_CC_WRITE: Error writing to credentials cache file +KRB5_CC_WRITE: Error writing to credentials cache @item KRB5_CC_NOMEM: No more memory to allocate (in credentials cache code) @item 
@@ -2924,10 +3221,39 @@ credentials @item KRB5_GET_IN_TKT_LOOP: Looping detected inside krb5_get_in_tkt @item -KRB5_CONFIG_NODEFREALM: Configuration file does not specify default -realm +KRB5_CONFIG_NODEFREALM: Configuration file does not specify default realm @item KRB5_SAM_UNSUPPORTED: Bad SAM flags in obtain_sam_padata +@item +KRB5_KT_NAME_TOOLONG: Keytab name too long +@item +KRB5_KT_KVNONOTFOUND: Key version number for principal in key table is incorrect +@item +KRB5_APPL_EXPIRED: This application has expired +@item +KRB5_LIB_EXPIRED: This Krb5 library has expired +@item +KRB5_CHPW_PWDNULL: New password cannot be zero length +@item +KRB5_CHPW_FAIL: Password change failed +@item +KRB5_KT_FORMAT: Bad format in keytab +@item +KRB5_NOPERM_ETYPE: Encryption type not permitted +@item +KRB5_CONFIG_ETYPE_NOSUPP: No supported encryption types (config file error?) +@item +KRB5_OBSOLETE_FN: Program called an obsolete, deleted function +@item +KRB5_EAI_FAIL: unknown getaddrinfo failure +@item +KRB5_EAI_NODATA: no data available for host/domain name +@item +KRB5_EAI_NONAME: host/domain name not found +@item +KRB5_EAI_SERVICE: service name unknown +@item +KRB5_ERR_NUMERIC_REALM: Cannot determine realm for numeric host address @end enumerate @node Kerberos V5 Database Library Error Codes, Kerberos V5 Magic Numbers Error Codes, Kerberos V5 Library Error Codes, Errors @@ -2989,6 +3315,12 @@ KRB5_KDB_BAD_VERSION: Unsupported version in database entry KRB5_KDB_BAD_SALTTYPE: Unsupported salt type @item KRB5_KDB_BAD_ENCTYPE: Unsupported encryption type +@item +KRB5_KDB_BAD_CREATEFLAGS: Bad database creation flags +@item +KRB5_KDB_NO_PERMITTED_KEY: No matching key in entry having a permitted enc type +@item +KRB5_KDB_NO_MATCHING_KEY: No matching key in entry @end enumerate @node Kerberos V5 Magic Numbers Error Codes, ASN.1 Error Codes, Kerberos V5 Database Library Error Codes, Errors 
@@ -3013,23 +3345,12 @@ KV5M_ENCRYPT_BLOCK: Bad magic number for krb5_encrypt_block structure @item KV5M_ENC_DATA: Bad magic number for krb5_enc_data structure @item -@iftex KV5M_CRYPTOSYSTEM_ENTRY: Bad magic number for krb5_cryp@-to@-sys@-tem_entry structure -@end iftex -@ifinfo -KV5M_CRYPTOSYSTEM_ENTRY: Bad magic number for krb5_cryptosystem_entry -structure -@end ifinfo @item KV5M_CS_TABLE_ENTRY: Bad magic number for krb5_cs_table_entry structure @item -@iftex KV5M_CHECKSUM_ENTRY: Bad magic number for krb5_check@-sum_en@-try structure -@end iftex -@ifinfo -KV5M_CHECKSUM_ENTRY: Bad magic number for krb5_checksum_entry structure -@end ifinfo @item KV5M_AUTHDATA: Bad magic number for krb5_authdata structure @item @@ -3119,6 +3440,10 @@ KV5M_PREDICTED_SAM_RESPONSE: Bad magic number for krb5_predicted_sam_response @item KV5M_PASSWD_PHRASE_ELEMENT: Bad magic number for passwd_phrase_element +@item +KV5M_GSS_OID: Bad magic number for GSSAPI OID +@item +KV5M_GSS_QUEUE: Bad magic number for GSSAPI QUEUE @end enumerate @node ASN.1 Error Codes, GSSAPI Error Codes, Kerberos V5 Magic Numbers Error Codes, Errors @@ -3146,6 +3471,12 @@ ASN1_BAD_LENGTH: ASN.1 length doesn't match expected value ASN1_BAD_FORMAT: ASN.1 badly-formatted encoding @item ASN1_PARSE_ERROR: ASN.1 parse error +@item +ASN1_BAD_GMTIME: ASN.1 bad return from gmtime +@item +ASN1_MISMATCH_INDEF: ASN.1 non-constructed indefinite encoding +@item +ASN1_MISSING_EOC: ASN.1 missing expected EOC @end enumerate @node GSSAPI Error Codes, , ASN.1 Error Codes, Errors 
@@ -3176,6 +3507,18 @@ G_UNKNOWN_QOP: Unknown quality of protection specified @item G_BAD_HOSTNAME: Hostname in SERVICE-NAME string could not be canonicalized +@item +G_WRONG_MECH: Mechanism is incorrect +@item +G_BAD_TOK_HEADER: Token header is malformed or corrupt +@item +G_BAD_DIRECTION: Packet was replayed in wrong direction +@item +G_TOK_TRUNC: Token is missing data +@item +G_REFLECT: Token was reflected +@item +G_WRONG_TOKID: Received token ID does not match expected token ID @end enumerate Kerberos 5 GSSAPI Errors: @@ -3205,6 +3548,12 @@ KG_CONTEXT: Bad magic number for krb5_gss_ctx_id_t KG_CRED: Bad magic number for krb5_gss_cred_id_t @item KG_ENC_DESC: Bad magic number for krb5_gss_enc_desc +@item +KG_BAD_SEQ: Sequence number in token is corrupt +@item +KG_EMPTY_CCACHE: Credential cache is empty +@item +KG_NO_CTYPES: Acceptor and Initiator share no checksum types @end enumerate @node kadmin Time Zones, , Errors, Appendix @@ -3346,3 +3695,4 @@ International Date Line East. (12 hours ahead of GMT.) @contents @bye + diff --git a/doc/build.texinfo b/doc/build.texinfo index ebcad2f2d..1f0ef9687 100644 --- a/doc/build.texinfo +++ b/doc/build.texinfo @@ -1,10 +1,10 @@ -Starting with the Beta 4 distribution, we are using a new configuration -system, which was built using the Free Software Foundation's -@samp{autoconf} program. This system will hopefully make Kerberos V5 -much simpler to build and reduce the amount of effort required in -porting Kerberos V5 to a new platform. +@value{PRODUCT} uses a configuration system built using the Free +Software Foundation's @samp{autoconf} program. This system makes +Kerberos V5 much simpler to build and reduces the amount of effort +required in porting Kerberos V5 to a new platform. @menu +* Organization of the Source Directory:: Description of the source tree. * Build Requirements:: How much disk space, etc. you need to build Kerberos. * Unpacking the Sources:: Preparing the source tree. 
@@ -18,9 +18,204 @@ porting Kerberos V5 to a new platform. configuration scripts. @end menu -@node Build Requirements, Unpacking the Sources, Building Kerberos V5, Building Kerberos V5 +@node Organization of the Source Directory, Build Requirements, Building Kerberos V5, Building Kerberos V5 @section Build Requirements +Below is a brief overview of the organization of the complete source +directory. More detailed descriptions follow. + +@table @b +@itemx appl +applications with @value{PRODUCT} extensions +@itemx clients +@value{PRODUCT} user programs +@itemx gen-manpages +manpages for @value{PRODUCT} and the @value{PRODUCT} login program +@itemx include +include files +@itemx kadmin +administrative interface to the Kerberos master database +@itemx kdc +the @value{PRODUCT} Authentication Service and Key Distribution Center +@itemx krb524 +utilities for converting between Kerberos 4 and Kerberos 5 +@itemx lib +libraries for use with/by @value{PRODUCT} +@itemx mac +source code for building @value{PRODUCT} on MacOS +@itemx prototype +templates for source code files +@itemx slave +utilities for propagating the database to slave KDCs +@itemx tests +test suite +@itemx util +various utilities for building/configuring the code, sending bug reports, etc. +@itemx windows +source code for building @value{PRODUCT} on Windows (see windows/README) +@end table + +@menu +* The appl Directory:: +* The clients Directory:: +* The gen-manpages Directory:: +* The include Directory:: +* The kadmin Directory:: +* The kdc Directory:: +* The krb524 Directory:: +* The lib Directory:: +* The prototype Directory:: +* The slave Directory:: +* The util Directory:: +@end menu + +@node The appl Directory, The clients Directory, Organization of the Source Directory, Organization of the Source Directory +@subsection The appl Directory + +The Kerberos release provides certain UNIX utilities, modified to use +Kerberos authentication. 
In the @i{appl/bsd} directory are the +Berkeley utilities @i{login}, @i{rlogin}, @i{rsh}, and @i{rcp}, as well as +the associated daemons @i{kshd} and @i{klogind}. The @i{login} program +obtains ticket-granting tickets for users upon login; the other utilities +provide authenticated Unix network services. + +The @i{appl} directory also contains Kerberized telnet and ftp programs, +as well as sample Kerberos application client and server programs. + +@node The clients Directory, The gen-manpages Directory, The appl Directory, Organization of the Source Directory +@subsection The clients Directory + +This directory contains the code for several user-oriented programs. + +@table @b +@itemx kdestroy +This program destroys the user's active Kerberos authorization tickets. +@value{COMPANY} recommends that users @code{kdestroy} before logging out. + +@itemx kinit +This program prompts users for their Kerberos principal name and password, +and attempts to get an initial ticket-granting-ticket for that principal. + +@itemx klist +This program lists the Kerberos principal and Kerberos tickets held in +a credentials cache, or the keys held in a keytab file. + +@itemx kpasswd +This program changes a user's Kerberos password. + +@itemx ksu +This program is a Kerberized verions of the @code{su} program that is +meant to securely change the real and effective user ID to that of the +target user and to create a new security context. + +@itemx kvno +This program acquires a service ticket for the specified Kerberos +principals and prints out the key version numbers of each. +@end table + +@node The gen-manpages Directory, The include Directory, The clients Directory, Organization of the Source Directory +@subsection The gen-manpages Directory + +There are two manual pages in this directory. One is an introduction +to the Kerberos system. 
The other describes the @code{.k5login} file +which allows users to give access with their UID to other users +authenticated by the Kerberos system. + +@node The include Directory, The kadmin Directory, The gen-manpages Directory, Organization of the Source Directory +@subsection The include Directory + +This directory contains the @i{include} files needed to build the +Kerberos system. + +@node The kadmin Directory, The kdc Directory, The include Directory, Organization of the Source Directory +@subsection The kadmin Directory + +In this directory is the code for the utilities @code{kadmin}, +@code{kadmin.local}, @code{kdb5_util}, and @code{ktutil}. +@code{ktutil} is the Kerberos keytab file maintenance utility from +which a Kerberos administrator can read, write, or edit entries in a +Kerberos V5 keytab or Kerberos V4 srvtab. @code{kadmin} and +@code{kadmin.local} are command-line interfaces to the Kerberos V5 KADM5 +administration system. @code{kadmin.local} runs on the master KDC and +does not use Kerberos to authenticate to the database, while +@code{kadmin} uses Kerberos authentication and an encrypted RPC. The +two provide identical functionalities, which allow administrators to +modify the database of Kerberos principals. @code{kdb5_util} allows +administrators to perform low-level maintenance procedures on Kerberos +and the KADM5 database. With this utility, databases can be created, +destroyed, or dumped to and loaded from ASCII files. It can also be +used to create master key stash files. + +@node The kdc Directory, The krb524 Directory, The kadmin Directory, Organization of the Source Directory +@subsection The kdc Directory + +This directory contains the code for the @code{krb5kdc} daemon, the +Kerberos Authentication Service and Key Distribution Center. 
+ +@node The krb524 Directory, The lib Directory, The kdc Directory, Organization of the Source Directory +@subsection The krb524 Directory + +This directory contains the code for @code{krb524}, a service that +converts Kerberos V5 credentials into Kerberos V4 credentials suitable +for use with applications that for whatever reason do not use V5 +directly. + +@node The lib Directory, The prototype Directory, The krb524 Directory, Organization of the Source Directory +@subsection The lib Directory + +The @i{lib} directory contain 10 subdirectories as well as some +definition and glue files. The @i{crypto} subdirectory contains the +Kerberos V5 encryption library. The @i{des425} subdirectory exports +the Kerberos V4 encryption API, and translates these functions into +calls to the Kerberos V5 encryption API. The @i{gssapi} library +contains the Generic Security Services API, which is a library of +commands to be used in secure client-server communication. The +@i{kadm5} directory contains the libraries for the KADM5 administration +utilities. The Kerberos 5 database libraries are contained in +@i{kdb}. The directories @i{krb4} and @i{krb5} contain the Kerberos 4 +and Kerberos 5 APIs, respectively. The @i{rpc} directory contains the +API for the Kerberos Remote Procedure Call protocol. + +@node The prototype Directory, The slave Directory, The lib Directory, Organization of the Source Directory +@subsection The prototype Directory + +This directory contains several template files. The @code{prototype.h} +and @code{prototype.c} files contain the MIT copyright message and a +placeholder for the title and description of the file. +@code{prototype.h} also has a short template for writing @code{ifdef} +and @code{ifndef} preprocessor statements. The @code{getopt.c} file +provides a template for writing code that will parse the options with +which a program was called. 
+ +@node The slave Directory, The util Directory, The prototype Directory, Organization of the Source Directory +@subsection The slave Directory + +This directory contains code which allows for the propagation of the +Kerberos principal database from the master KDC to slave KDCs over an +encrypted, secure channel. @code{kprop} is the program which actually +propagates the database dump file. @code{kpropd} is the Kerberos V5 +slave KDC update server which accepts connections from the @code{kprop} +program. @code{kslave_update} is a script that takes the name of a +slave server, and propagates the database to that server if the +database has been modified since the last dump or if the database has +been dumped since the last propagation. + +@node The util Directory, , The slave Directory, Organization of the Source Directory +@subsection The util Directory + +This directory contains several utility programs and libraries. The +programs used to configure and build the code, such as @code{autoconf}, +@code{lndir}, @code{kbuild}, @code{reconf}, and @code{makedepend}, +are in this directory. The @i{profile} directory contains most of the +functions which parse the Kerberos configuration files (@code{krb5.conf} +and @code{kdc.conf}). Also in this directory are the Kerberos error table +library and utilities (@i{et}), the Sub-system library and utilities +(@i{ss}), database utilities (@i{db2}), pseudo-terminal utilities +(@i{pty}), and bug-reporting program @code{send-pr}. + +@node Build Requirements, Unpacking the Sources, Organization of the Source Directory, Building Kerberos V5 +@section Organization of the Source Directory + In order to build Kerberos V5, you will need approximately 60-70 megabytes of disk space. The exact amount will vary depending on the platform and whether the distribution is compiled with debugging symbol 
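Review bot: the section titles in the @@ -18,9 +18,204 hunk are swapped relative to their @node lines. "+@node Organization of the Source Directory, Build Requirements, Building Kerberos V5, Building Kerberos V5" is followed by " @section Build Requirements", and near the end "+@node Build Requirements, Unpacking the Sources, Organization of the Source Directory, Building Kerberos V5" is followed by "+@section Organization of the Source Directory"; each @section should carry the same title as its @node. Two smaller points in the same hunk: every entry in the @table @b blocks (appl, clients, kdestroy, ...) starts with @itemx, which makeinfo only accepts after a preceding @item, so the first entry of each table (or all of them) should be @item; and "Kerberized verions of the @code{su} program" should read "version", while "The @i{lib} directory contain 10 subdirectories" should be "contains" and the paragraph only names seven of them.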
@@ -154,10 +349,10 @@ building Kerberos; see @ref{Doing the Build}.): @menu * The DejaGnu Tests:: -* The KADM5 Tests:: +* The KADM5 Tests:: @end menu -@node The DejaGnu Tests, The KADM5 Tests, Testing the Build, Testing the Build +@node The DejaGnu Tests, The KADM5 Tests, Testing the Build, Testing the Build @subsection The DejaGnu Tests Some of the built-in regression tests are setup to use the DejaGnu @@ -303,21 +498,6 @@ default, Kerberos V5 configuration will look for @code{-lnsl} and (see @ref{Solaris versions 2.0 through 2.3}) or fails to pass the tests in @file{src/tests/resolv} you will need to use this option. -@item --with-vague-errors - -If enabled, gives vague and unhelpful error messages to the client... er, -attacker. (Needed to meet silly government regulations; most other -sites will want to keep this undefined.) - -@item --with-kdc-kdb-update - -Set this option if you want to allow the KDC to modify the Kerberos -database; this allows the last request information to be updated, as -well as the failure count information. Note that this doesn't work if -you're using slave servers!!! It also causes the database to be -modified (and thus needing to be locked) frequently. Please note that -the implementors do not regularly test this feature. - @item --with-tcl=TCLPATH Some of the unit-tests in the build tree rely upon using a program in 
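Review bot: the @@ -303,21 +498,6 hunk deletes the documentation for --with-vague-errors and --with-kdc-kdb-update without saying why. If those options have been removed from configure this is fine, but the commit message only mentions "updated documentation of options to configure script"; please confirm configure no longer accepts them, otherwise they become undocumented rather than gone, and a one-line ChangeLog entry noting the removal would help the next reader.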
@@ -336,10 +516,11 @@ platforms. @item --enable-dns-for-realm Enable the use of DNS to look up a host's Kerberos realm, or a realm's -KDCs, if the information is not provided in krb5.conf. See -@xref{Hostnames for the Master and Slave KDCs}, and @xref{Mapping -Hostnames onto Kerberos Realms}. By default, DNS lookups are enabled -for the latter but not for the former. +KDCs, if the information is not provided in krb5.conf. See @ref{Hostnames +for the Master and Slave KDCs} for information about using DNS to +locate the KDCs, and @ref{Mapping Hostnames onto Kerberos Realms} for +information about using DNS to determine the default realm. By default, +DNS lookups are enabled for the former but not for the latter. @item --enable-kdc-replay-cache 
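Review bot: the reversed "former/latter" sentence in the @@ -336 hunk now agrees with the defaults this patch records in definitions.texinfo (DefaultDNSLookupKDC true, DefaultDNSLookupRealm false), which is good. One wording nit: @ref{Mapping Hostnames onto Kerberos Realms} is about mapping a host name to its realm, so "using DNS to determine the default realm" should be "using DNS to determine a host's realm".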
@@ -450,32 +631,37 @@ process. @xref{Options to Configure}. @item DEFAULT_PROFILE_PATH -The pathname to the file which contains the profiles for the known -realms, their KDCs, etc. +The pathname to the file which contains the profiles for the known realms, +their KDCs, etc. The default value is @value{DefaultDefaultProfilePath}. The profile file format is no longer the same format as Kerberos V4's @file{krb.conf} file. @item DEFAULT_KEYTAB_NAME -The type and pathname to the default server keytab file (the equivalent -of Kerberos V4's @file{/etc/srvtab}). +The type and pathname to the default server keytab file (the +equivalent of Kerberos V4's @file{/etc/srvtab}). The default is +@value{DefaultDefaultKeytabName}. @item DEFAULT_KDC_ENCTYPE -The default encryption type for the KDC. +The default encryption type for the KDC. The default value is +@value{DefaultMasterKeyType}. @item KDCRCACHE -The name of the replay cache used by the KDC. +The name of the replay cache used by the KDC. The default value is +@value{DefaultKDCRCache}. @item RCTMPDIR -The directory which stores replay caches. +The directory which stores replay caches. The default is to try +@value{DefaultRCTmpDirs}. @item DEFAULT_KDB_FILE -The location of the default database +The location of the default database. The default value is +@value{DefaultDatabaseName}. @end table 
@@ -491,15 +677,18 @@ variables when using the programs. Except where noted, multiple versions of the libraries may be installed on the same system and continue to work. -Currently the supported platforms are Solaris 2.6 (aka SunOS 5.6) and Irix 6.5. +Currently the supported platforms are Solaris 2.6-2.9 (aka SunOS +5.6-5.9), Irix 6.5, Redhat Linux, MacOS 8-10, and Microsoft Windows +(using DLLs). Shared library support has been tested on the following platforms but not exhaustively (they have been built but not necessarily tested in an -installed state): Tru64 (aka Alpha OSF/1 or Digital Unix) 4.0, NetBSD -1.4.x (i386), and HP/UX 10.20. +installed state): Tru64 (aka Alpha OSF/1 or Digital Unix) 4.0, and +HP/UX 10.20. Platforms for which there is shared library support but not significant -testing include FreeBSD, OpenBSD, MacOS 10, AIX, Linux, and SunOS 4.x. +testing include FreeBSD, OpenBSD, AIX (4.3.3), Linux, NetBSD 1.4.x +(i386), and SunOS 4.x. To enable shared libraries on the above platforms, run the configure script with the option @samp{--enable-shared}. @@ -685,10 +874,10 @@ or without optimization. In most of the Kerberos V5 source directories, there is a @file{configure} script which automatically determines the compilation -environment and creates the proper Makefiles for a particular platform. -These @file{configure} files are generated using @samp{autoconf} version -2.4, which can be found in the @file{src/util/autoconf} directory in the -distribution. +environment and creates the proper Makefiles for a particular +platform. These @file{configure} files are generated using +@samp{autoconf}, which can be found in the @file{src/util/autoconf} +directory in the distribution. Normal users will not need to worry about running @samp{autoconf}; the distribution comes with the @file{configure} files already prebuilt. diff --git a/doc/definitions.texinfo b/doc/definitions.texinfo index 91058b8cf..870983c5d 100644 --- a/doc/definitions.texinfo 
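Review bot: the @@ -491 hunk lists Linux twice with contradictory status. The first paragraph now says shared libraries are supported on "Redhat Linux", while the third paragraph still lists "Linux" among the platforms "for which there is shared library support but not significant testing". Either drop Linux from the untested list or qualify which distributions were actually tested. The same hunk moves MacOS from that untested list into the supported one as "MacOS 8-10"; if only MacOS 10 was exercised, keep the original scope.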
+++ b/doc/definitions.texinfo @@ -25,6 +25,7 @@ @set PREVINSTALLDIR @value{INSTALLDIR} @set ROOTDIR /usr/local @set BINDIR /usr/local/bin +@set LOCALSTATEDIR @value{ROOTDIR}/var @set SECONDDOMAIN fubar.org @set SECONDREALM FUBAR.ORG @set UPDATED @today @@ -46,6 +47,7 @@ krb5/src/lib/krb5/krb/init_ctx.c @comment DEFAULT_ETYPE_LIST @set DefaultDefaultTgsEnctypes @value{DefaultETypeList} @set DefaultDefaultTktEnctypes @value{DefaultETypeList} +@set DefaultPermittedEnctypes @value{DefaultETypeList} @set DefaultClockskew 300 seconds, or five minutes @comment libdefaults, clockskew @set DefaultChecksumType RSA MD5 @@ -59,6 +61,8 @@ krb5/src/lib/krb5/krb/init_ctx.c @set DefaultKDCTimesyncMac 1 @set DefaultKDCTimesync 0 @comment DEFAULT_KDC_TIMESYNC +@set DefaultKDCDefaultOptions KDC_OPT_RENEWABLE_OK +@comment line 194 @ignore the following defaults should be consistent with default variables set 
@@ -68,22 +72,31 @@ in krb5/src/include/krb5/stock/osconf.h @comment DEFAULT_KDC_ENCTYPE @set DefaultKadmindPort 749 @comment DEFAULT_KADM5_PORT -@set DefaultAclFile @value{ROOTDIR}/krb5kdc/kadm5.acl +@set DefaultAclFile @value{LOCALSTATEDIR}/krb5kdc/kadm5.acl @comment DEFAULT_KADM5_ACL_FILE -@set DefaultAdminKeytab @value{ROOTDIR}/krb5kdc/kadm5.keytab +@set DefaultAdminKeytab @value{LOCALSTATEDIR}/krb5kdc/kadm5.keytab @comment DEFAULT_KADM5_KEYTAB -@set DefaultDatabaseName /usr/local/var/krb5kdc/principal -@comment DEFAULT_KDB_FILE (@LOCALSTATEDIR is /usr/local/var) +@set DefaultDatabaseName @value{LOCALSTATEDIR}/krb5kdc/principal +@comment DEFAULT_KDB_FILE @set DefaultKdcPorts 88,750 @comment DEFAULT_KDC_PORTLIST @set DefaultKpasswdPort 464 @comment DEFAULT_KPASSWD_PORT -@set DefaultSecPort 750 +@set DefaultSecondPort 750 @comment KRB5_DEFAULT_SEC_PORT @set DefaultPort 88 @comment KRB5_DEFAULT_PORT -@set DefaultKeyStashFileStub /usr/local/var/krb5kdc/.k5. +@set DefaultKeyStashFileStub @value{LOCALSTATEDIR}/krb5kdc/.k5. @comment DEFAULT_KEYFILE_STUB +@set DefaultDefaultKeytabName /etc/krb5.keytab +@comment DEFAULT_KEYTAB_NAME +@set DefaultKpasswdPort 464 +@comment DEFAULT_KPASSWD_PORT +@set DefaultDefaultProfilePath /etc/krb5.conf +@comment DEFAULT_PROFILE_PATH +@set DefaultKDCRCache krb5kdc_rcache +@comment KDCRCACHE +@set DefaultRCTmpDirs /var/tmp, /usr/tmp, /var/usr/tmp, and /tmp @ignore the following defaults should be consistent with the numbers set in 
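Review bot: the @@ -68,22 +72,31 hunk defines "+@set DefaultKpasswdPort 464" a second time; the existing " @set DefaultKpasswdPort 464 / @comment DEFAULT_KPASSWD_PORT" pair is already in the context a few lines above, so the new copy should be dropped. Also, build.texinfo in this patch describes DEFAULT_KEYTAB_NAME as "the type and pathname to the default server keytab file" but the value added here, "+@set DefaultDefaultKeytabName /etc/krb5.keytab", has no type prefix; please check osconf.h and either include the FILE: prefix in the value or change the description to say pathname only. Finally, since DefaultSecPort is renamed to DefaultSecondPort here, grep the other texinfo files for the old name so no @value{DefaultSecPort} is left to expand to nothing.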
@@ -95,19 +108,15 @@ krb5/src/lib/kadm5/alt_prof.c @comment line 622 @set DefaultDefaultPrincipalExpiration 0 @comment line 639 +@set DefaultSupportedEnctypes des3-hmac-sha1:normal des-cbc-crc:normal +@comment line 705 @ignore the following defaults should be consistent with the values set in krb5/src/include/krb5/kdb.h @end ignore -@set DefaultDefaultPrincipalFlags no flags set -@comment KRB5_KDB_DEF_FLAGS set to 0 - -@ignore -in krb5/src/include/k5-int.h, the values KRB5_KDB_MAX_LIFE, -KRB5_KDB_MAX_RLIFE, and KRB5_KDB_EXPIRATION are set to one day, one week, -and Thursday Jan 1 2038, respectively -@end ignore +@set DefaultDefaultPrincipalFlags postdateable, forwardable, tgt-based, renewable, proxiable, dup-skey, allow-tickets, and service enabled. +@comment KRB_KDC_DEFAULT_FLAGS set to 0 @ignore the following defaults should be consistent with the values set in 
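Review bot: the new value and its comment in the @@ -95 hunk contradict each other. "+@set DefaultDefaultPrincipalFlags postdateable, forwardable, tgt-based, renewable, proxiable, dup-skey, allow-tickets, and service enabled." is followed by "+@comment KRB_KDC_DEFAULT_FLAGS set to 0"; a flags word of 0 means none of the DISALLOW_* bits are set, which is why those capabilities are enabled, but a reader of the comment will take "set to 0" to mean no flags. Reword the comment to say that 0 clears all DISALLOW_* bits, and check the macro name: the removed line referred to KRB5_KDB_DEF_FLAGS, the new one to KRB_KDC_DEFAULT_FLAGS.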
@@ -117,10 +126,59 @@ include/krb5/kdb.h @comment KRB5_KDB_M_NAME @ignore -krb5/src/lib/krb5/krb/init_ctx.c, line 195 has libdefault -kdc_default_options (KDC_OPT_RENEWABLE_OKAY) +the following defaults should be consistent with the values set in +krb5/src/appl/bsd/login.c +@end ignore +@set DefaultKrb5GetTickets true +@comment login_krb5_get_tickets +@set DefaultKrb4GetTickets false +@comment login_krb4_get_tickets +@set DefaultKrb4Convert false +@comment login_krb4_convert +@set DefaultKrbRunAklog false +@comment login_krb_run_aklog +@set DefaultAklogPath $(prefix)/bin/aklog +@comment lines 955-956 +@set DefaultAcceptPasswd false +@comment login_accept_password + +@ignore +the following defaults should be consistent with the values set in +krb5/src/kdc/kerberos_v4 @end ignore +@set DefaultV4Mode nopreauth +@comment KDC_V4_DEFAULT_MODE -@comment this should be verified in the code +@ignore +these defaults are based on code in krb5/src/aclocal.m4 +@end ignore @set DefaultDNSLookupKDC true @set DefaultDNSLookupRealm false +@comment lines 1259-1300 + +@ignore +the following are based on variables in krb5/src/include/kerberosIV/krbports.h +@end ignore +@set DefaultKrbPropPort 754 +@comment KRB_PROP_PORT +@set DefaultKloginPort 543 +@comment KLOGIN_PORT +@set DefaultEkloginPort 2105 +@comment EKLOGIN_PORT +@set DefaultKshellPort 544 +@comment KRB_SHELL_PORT + +@ignore +/etc/services +@end ignore +@set DefaultTelnetPort 23 +@set DefaultFTPPort 21 +@set DefaultKrb524Port 4444 + +@comment src/include/kerberosIV/krb.h +@set DefaultKrb4Srvtab /etc/srvtab +@comment line 131 +@set DefaultKrb4Config /etc/krb.conf +@comment KRB_CONF +@set DefaultKrb4Realms /etc/krb.realms +@comment KRB_RLM_TRANS diff --git a/doc/dnssrv.texinfo b/doc/dnssrv.texinfo index 6d157afb3..1f306d0f4 100644 --- a/doc/dnssrv.texinfo +++ b/doc/dnssrv.texinfo 
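Review bot: several provenance comments in the @@ -117 hunk (and "+@comment line 194" in the preceding hunk) cite source positions such as "+@comment lines 955-956" and "+@comment lines 1259-1300" rather than symbol names; these go stale on the next edit to login.c or aclocal.m4. Prefer the identifier, as the other entries do ("+@comment KRB_PROP_PORT"). Also "+@set DefaultAklogPath $(prefix)/bin/aklog" will render the literal make variable in the manual; consider @value{ROOTDIR}/bin/aklog or a note that prefix is the configured install prefix.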
@@ -19,10 +19,11 @@ possible to have Kerberos realm names that are not DNS-style names, but we don't recommend it for Internet use, and our code does not support it well.) Several different Kerberos-related service names are used: -@table @code -@item _kerberos._udp -This is for contacting any KDC. This entry will be used the most often. -Normally you should list ports 88 and 750 on each of your KDCs. +@table @code +@item _kerberos._udp +This is for contacting any KDC. This entry will be used the most +often. Normally you should list ports @value{DefaultKdcPorts} on each +of your KDCs. @item _kerberos-master._udp This entry should refer to those KDCs, if any, that will immediately see @@ -38,14 +39,15 @@ KDC that would get database changes faster than the others, you do not need to define this entry. @item _kerberos-adm._tcp -This should list port 749 on your master KDC. Support for it is not -complete at this time, but it will eventually be used by the -@code{kadmin} program and related utilities. For now, you will also -need the @code{admin_server} entry in @code{krb5.conf}. +This should list port @value{DefaultKadmindPort} on your master KDC. +Support for it is not complete at this time, but it will eventually be +used by the @code{kadmin} program and related utilities. For now, you +will also need the @code{admin_server} entry in @code{krb5.conf}. +(@xref{krb5.conf}.) @item _kpasswd._udp -This should list port 464 on your master KDC. It is used when a user -changes her password. +This should list port @value{DefaultKpasswdPort} on your master KDC. +It is used when a user changes her password. @end table diff --git a/doc/glossary.texinfo b/doc/glossary.texinfo index 5fbaa634a..d49a56a7f 100644 --- a/doc/glossary.texinfo +++ b/doc/glossary.texinfo 
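Review bot: in the @@ -38,14 +39,15 hunk the added cross reference "+(@xref{krb5.conf}.)" sits inside parentheses; Texinfo's @xref expands to a capitalised "See ..." intended for the start of a sentence, and the form meant for parentheses is @pxref, so this should be "(@pxref{krb5.conf})".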
@@ -21,7 +21,8 @@ password. @item principal a string that names a specific entity to which a set of credentials may -be assigned. It generally has three parts: +be assigned. It can have an arbitrary number of components, but +generally has three: @table @b @item primary diff --git a/doc/install.texinfo b/doc/install.texinfo index 9aa6654bc..b105435e2 100644 --- a/doc/install.texinfo +++ b/doc/install.texinfo @@ -30,9 +30,6 @@ @page @vskip 0pt plus 1filll -@iftex -@include copyright.texinfo -@end iftex @end titlepage @node Top, Copyright, (dir), (dir) @@ -112,8 +109,6 @@ security breaches in industry happen from @i{inside} firewalls, @value{PRODUCT} from @value{COMPANY} will play a vital role in the security of your network. -@include document-list.texinfo - @node Please Read the Documentation, Overview of This Guide, Why Should I use Kerberos?, Introduction @section Please Read the Documentation @@ -134,12 +129,19 @@ believes that it is important. Please read and follow these instructions carefully. @end ifset +@include document-list.texinfo + @node Overview of This Guide, , Please Read the Documentation, Introduction @section Overview of This Guide +@noindent The next chapter describes the decisions you need to make before installing @value{PRODUCT}. +@noindent +Chapter three provided instructions for building the Kerberos sources. + +@noindent Chapter four describes installation procedures for each class of Kerberos machines: @@ -166,13 +168,13 @@ UNIX application server machines Note that a machine can be both a client machine and an application server. +@noindent Chapter five describes procedure for updating previous installations of @value{PRODUCT}. +@noindent Chapter six describes our problem reporting system. -The appendices give sample configuration files. - @node Realm Configuration Decisions, Building Kerberos V5, Introduction, Top @chapter Realm Configuration Decisions 
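Review bot: two grammar slips in the @@ -134,12 +129,19 hunk of install.texinfo: "+Chapter three provided instructions for building the Kerberos sources." should use the present tense ("provides"), matching the surrounding "describes" sentences, and the context line "Chapter five describes procedure for updating" is missing an article ("the procedure"). The hunk also moves @include document-list.texinfo below the "Please Read the Documentation" heading; that is fine, but the ChangeLog entry does not mention it.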
@@ -233,15 +235,16 @@ BOSTON.@value{SECONDREALM} and HOUSTON.@value{SECONDREALM}. @node Ports for the KDC and Admin Services, Slave KDCs, Mapping Hostnames onto Kerberos Realms, Realm Configuration Decisions @section Ports for the KDC and Admin Services -The default ports used by Kerberos are port 88 for the -KDC@footnote{Kerberos V4 used port 750. If necessary, you can run on -both ports for backward compatibility.} and port 749 for the admin -server. You can, however, choose to run on other ports, as long as they -are specified in each host's @code{/etc/services} and @code{krb5.conf} -files, and the @code{kdc.conf} file on each KDC. For a more thorough -treatment of port numbers used by the @value{PRODUCT} programs, refer to -the ``Configuring Your Firewall to Work With @value{PRODUCT}'' section -of the @cite{@value{PRODUCT} System Administrator's Guide}. +The default ports used by Kerberos are port @value{DefaultPort} for the +KDC@footnote{Kerberos V4 used port @value{DefaultSecondPort}. If +necessary, you can run on both ports for backward compatibility.} and +port @value{DefaultKadmindPort} for the admin server. You can, however, +choose to run on other ports, as long as they are specified in each +host's @code{/etc/services} and @code{krb5.conf} files, and the +@code{kdc.conf} file on each KDC. For a more thorough treatment of +port numbers used by the @value{PRODUCT} programs, refer to the +``Configuring Your Firewall to Work With @value{PRODUCT}'' section of +the @cite{@value{PRODUCT} System Administrator's Guide}. @node Slave KDCs, Hostnames for the Master and Slave KDCs, Ports for the KDC and Admin Services, Realm Configuration Decisions @section Slave KDCs 
@@ -415,10 +418,12 @@ An example @code{krb5.conf} file: default_realm = @value{PRIMARYREALM} [realms] - kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN} - kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN} - kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN} - admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN} + @value{PRIMARYREALM} = @{ + kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN} + kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN} + kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN} + admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN} + @{ [logging] kdc = FILE:/var/log/krb5kdc.log @@ -484,6 +489,10 @@ It is important that you NOT FORGET this password.} @b{Enter KDC database master key:} @i{<= Type the master password.} @b{Re-enter KDC database master key to verify:} @i{<= Type it again.} @end ifinfo +@ifhtml +@b{Enter KDC database master key:} @i{<= Type the master password.} +@b{Re-enter KDC database master key to verify:} @i{<= Type it again.} +@end ifhtml @b{shell%} @end group @end smallexample 
@@ -502,79 +511,10 @@ want a stash file, run the above command without the @code{-s} option. Next, you need create an Access Control List (acl) file, and put the Kerberos principal of at least one of the administrators into it. The filename should match the value you have set for ``acl_file'' in your -@code{kdc.conf} file. The default file name is @samp{kadm5.acl}. The -format of the file is: - -@smallexample -Kerberos principal permissions optional target principal -@end smallexample - -The Kerberos principal (and optional target principal) can include the -``@b{*}'' wildcard, so if you want any principal with the instance -``admin'' to have full permissions on the database, you could use the -principal ``@code{*/admin@@REALM}'' where ``REALM'' is your Kerberos -realm. - -Note: a common use of an @i{admin} instance is so you can grant -separate permissions (such as administrator access to the Kerberos -database) to a separate Kerberos principal. For example, the user -@code{@value{ADMINUSER}} might have a principal for his administrative -use, called @code{@value{ADMINUSER}/admin}. This way, -@code{@value{ADMINUSER}} would obtain @code{@value{ADMINUSER}/admin} -tickets only when he actually needs to use those permissions. Refer to -the @value{PRODUCT} Administrator's Guide or the @value{PRODUCT} User's -Guide for more detailed explanations of @dfn{principals} and -@dfn{instances}. - -The permissions (acls) recognized in the acl file -are the following: - -@table @b -@itemx a -allows the addition of principals or policies in the database. -@itemx A -prohibits the addition of principals or policies in the database. -@itemx d -allows the deletion of principals or policies in the database. -@itemx D -prohibits the deletion of principals or policies in the database. -@itemx m -allows the modification of principals or policies in the database. -@itemx M -prohibits the modification of principals or policies in the database. 
-@itemx c -allows the changing of passwords for principals in the database. -@itemx C -prohibits the changing of passwords for principals in the database. -@itemx i -allows inquiries to the database. -@itemx I -prohibits inquiries to the database. -@itemx l -allows the listing of principals or policies in the database. -@itemx L -prohibits the listing of principals or policies in the database. -@itemx * -Short for all privileges (admcil). -@itemx x -Short for all privileges (admcil); identical to ``*''. -@end table - -To give the principal @code{*/admin@@@value{PRIMARYREALM}} permission to -change all of the database permissions on any principal permissions, you -would place the following line in the file: - -@smallexample -*/admin@@@value{PRIMARYREALM} * -@end smallexample +@code{kdc.conf} file. The default file name is +@samp{@value{DefaultAclFile}}. -To give the principal @code{@value{ADMINUSER}@@@value{PRIMARYREALM}} -permission to add, list, and inquire about any principal that has the -instance ``root'', you would add the following line to the acl file: - -@smallexample -@value{ADMINUSER}@@@value{PRIMARYREALM} ali */root@@@value{PRIMARYREALM} -@end smallexample +@include kadm5acl.texinfo @node Add Administrators to the Kerberos Database, Create a kadmind Keytab, Add Administrators to the Acl File, Install the Master KDC @subsubsection Add Administrators to the Kerberos Database 
@@ -590,8 +530,8 @@ administration principal @code{admin/admin} is created: @group @b{shell%} @value{ROOTDIR}/sbin/kadmin.local @b{kadmin.local:} addprinc admin/admin@@@value{PRIMARYREALM} -@b{WARNING: no policy specified for "admin/admin@@@value{PRIMARYREALM}"; -defaulting to no policy.} +@b{NOTICE: no policy specified for "admin/admin@@@value{PRIMARYREALM}"; +assigning "default".} @iftex @b{Enter password for principal admin/admin@@@value{PRIMARYREALM}:} @i{@doubleleftarrow{} Enter a password.} Re-enter password for principal admin/admin@@@value{PRIMARYREALM}: @i{@doubleleftarrow{} Type it again.} @@ -600,6 +540,10 @@ Re-enter password for principal admin/admin@@@value{PRIMARYREALM}: @i{@doublele @b{Enter password for principal admin/admin@@@value{PRIMARYREALM}:} @i{<= Enter a password.} Re-enter password for principal admin/admin@@@value{PRIMARYREALM}: @i{<= Type it again.} @end ifinfo +@ifhtml +@b{Enter password for principal admin/admin@@@value{PRIMARYREALM}:} @i{<= Enter a password.} +Re-enter password for principal admin/admin@@@value{PRIMARYREALM}: @i{<= Type it again.} +@end ifhtml @b{Principal "admin/admin@@@value{PRIMARYREALM}" created. kadmin.local:} @end group 
@@ -625,12 +569,18 @@ continuation of the previous line.): @b{shell%} @value{ROOTDIR}/sbin/kadmin.local @b{kadmin.local:} ktadd -k @value{ROOTDIR}/var/krb5kdc/kadm5.keytab @result{} kadmin/admin kadmin/changepw -@b{Entry for principal kadmin/admin@@@value{PRIMARYREALM} with - kvno 3, encryption type DES-CBC-CRC added to keytab - WRFILE:@value{ROOTDIR}/var/krb5kdc/kadm5.keytab. -Entry for principal kadmin/changepw@@@value{PRIMARYREALM} with - kvno 3, encryption type DES-CBC-CRC added to keytab - WRFILE:@value{ROOTDIR}/var/krb5kdc/kadm5.keytab. +@b{ Entry for principal kadmin/admin with kvno 5, encryption + type Triple DES cbc mode with HMAC/sha1 added to keytab + WRFILE:/usr/local/var/krb5kdc/kadm5.keytab. +Entry for principal kadmin/admin with kvno 5, encryption type DES cbc mode + with CRC-32 added to keytab + WRFILE:/usr/local/var/krb5kdc/kadm5.keytab. +Entry for principal kadmin/changepw with kvno 5, encryption + type Triple DES cbc mode with HMAC/sha1 added to keytab + WRFILE:/usr/local/var/krb5kdc/kadm5.keytab. +Entry for principal kadmin/changepw with kvno 5, + encryption type DES cbc mode with CRC-32 added to keytab + WRFILE:/usr/local/var/krb5kdc/kadm5.keytab. kadmin.local:} quit @b{shell%} @end group 
@@ -705,16 +655,16 @@ named @value{KDCSLAVE1}.@value{PRIMARYDOMAIN} and @group @b{shell%} @value{ROOTDIR}/sbin/kadmin @b{kadmin:} addprinc -randkey host/@value{KDCSERVER}.@value{PRIMARYDOMAIN} -@b{WARNING: no policy specified for "host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}"; -defaulting to no policy. +@b{NOTICE: no policy specified for "host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}"; +assigning "default" Principal "host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}" created. kadmin:} addprinc -randkey host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN} -@b{WARNING: no policy specified for "host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}"; -defaulting to no policy. +@b{NOTICE: no policy specified for "host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}"; +assigning "default" Principal "host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}" created.} @b{kadmin:} addprinc -randkey host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN} -@b{WARNING: no policy specified for "host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}"; -defaulting to no policy. +@b{NOTICE: no policy specified for "host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}"; +assigning "default" Principal "host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}" created. kadmin:} @end group @@ -899,6 +849,9 @@ kdb5_util: Warning: proceeding without master key} @ifinfo @b{Enter KDC database master key:} @i{<= Enter the database master key.} @end ifinfo +@ifhtml +@b{Enter KDC database master key:} @i{<= Enter the database master key.} +@end ifhtml @b{shell%} @end group @end smallexample 
@@ -1102,16 +1055,16 @@ to just insert the following code: # you will need to switch the "kerberos" service to port 750 and create a # "kerberos-sec" service on port 88. # -kerberos 88/udp kdc # Kerberos V5 KDC -kerberos 88/tcp kdc # Kerberos V5 KDC -klogin 543/tcp # Kerberos authenticated rlogin -kshell 544/tcp cmd # and remote shell -kerberos-adm 749/tcp # Kerberos 5 admin/changepw -kerberos-adm 749/udp # Kerberos 5 admin/changepw -krb5_prop 754/tcp # Kerberos slave propagation +kerberos @value{DefaultPort}/udp kdc # Kerberos V5 KDC +kerberos @value{DefaultPort}/tcp kdc # Kerberos V5 KDC +klogin @value{DefaultKloginPort}/tcp # Kerberos authenticated rlogin +kshell @value{DefaultKshellPort}/tcp cmd # and remote shell +kerberos-adm @value{DefaultKamdindPort}/tcp # Kerberos 5 admin/changepw +kerberos-adm @value{DefaultKamdindPort}/udp # Kerberos 5 admin/changepw +krb5_prop @value{DefaultKrbPropPort}/tcp # Kerberos slave propagation @c kpop 1109/tcp # Pop with Kerberos -eklogin 2105/tcp # Kerberos auth. & encrypted rlogin -krb524 4444/tcp # Kerberos 5 to 4 ticket translator +eklogin @value{DefaultEkloginPort}/tcp # Kerberos auth. & encrypted rlogin +krb524 @value{DefaultKrb524Port}/tcp # Kerberos 5 to 4 ticket translator @end group @end smallexample @@ -1224,7 +1177,7 @@ If you have @value{PRODUCT} installed on all of your client machines, advantage of the security that Kerberos authentication affords. However, if you have some clients that do not have @value{PRODUCT} installed, you can run an insecure server, and still take advantage of -@value{PRODUCT}'s single sign-on on capability. +@value{PRODUCT}'s single sign-on capability. @menu * Server Programs:: 
@@ -1384,10 +1337,12 @@ should be readable only by root. If you already have an existing Kerberos database that you created with a prior release of Kerberos 5, you can upgrade it to work with the -current release with the @code{kdb5_util} command. It is only necessary -to perform this dump/undump procedure if you were running a krb5-1.0.x -KDC and are migrating to a krb5-1.1.x or newer KDC. The process for -upgrading a Master KDC involves the following steps: +current release with the @code{kdb5_util} command. It is only +necessary to perform this dump/undump procedure if you were running a +krb5-1.0.x KDC and are migrating to a krb5-1.1.x or newer KDC or if you +were running a krb5-1.1.x KDC and are migrating to a krb5-1.2.x or newer +KDC. The process for upgrading a Master KDC involves the following +steps: @enumerate 
@@ -1437,18 +1392,18 @@ Slave KDC, install the new server binaries, reload the most recent slave dump file, and re-start the server processes. @menu -* Upgrading to Triple-DES Encryption Keys:: +* Upgrading to Triple-DES and RC4 Encryption Keys:: @end menu -@node Upgrading to Triple-DES Encryption Keys, , Upgrading Existing Kerberos V5 Installations, Upgrading Existing Kerberos V5 Installations +@node Upgrading to Triple-DES and RC4 Encryption Keys, , Upgrading Existing Kerberos V5 Installations, Upgrading Existing Kerberos V5 Installations @section Upgrading to Triple-DES Encryption Keys -Beginning with the 1.2 release from MIT, Kerberos includes a stronger -encryption algorithm called ``triple DES'' -- essentially, three -applications of the basic DES encryption algorithm, greatly increasing -the resistance to a brute-force search for the key by an attacker. This -algorithm is more secure, but encryption is much slower. We expect to -add other, faster encryption algorithms at some point in the future. +Beginning with the 1.2 release from @value{COMPANY}, Kerberos includes +a stronger encryption algorithm called ``triple DES'' -- essentially, +three applications of the basic DES encryption algorithm, greatly +increasing the resistance to a brute-force search for the key by an +attacker. This algorithm is more secure, but encryption is much +slower. Release 1.1 had some support for triple-DES service keys, but with release 1.2 we have added support for user keys and session keys as 
@@ -1456,24 +1411,29 @@ well. Release 1.0 had very little support for multiple cryptosystems, and some of that software may not function properly in an environment using triple-DES as well as plain DES. -Because of the way the MIT Kerberos database is structured, the KDC will -assume that a service supports only those encryption types for which -keys are found in the database. Thus, if a service has only a +In the 1.3 release from @value{COMPANY}, Kerberos also includes the RC4 +encryption alogorithm, a stream cipher symmetric key algorithm +developed in 1987 by Ronald Rivest at RSA Data Security. Please note +that RC4 is not part of the IETF standard. + +Because of the way the MIT Kerberos database is structured, the KDC +will assume that a service supports only those encryption types for +which keys are found in the database. Thus, if a service has only a single-DES key in the database, the KDC will not issue tickets for that -service that use triple-DES session keys; it will instead issue only -single-DES session keys, even if other services are already capable of -using triple-DES. So if you make sure your application server software -is updated before adding a triple-DES key for the service, clients -should be able to talk to services at all times during the updating -process. +service that use triple-DES or RC4 session keys; it will instead issue +only single-DES session keys, even if other services are already +capable of using triple-DES or RC4. So if you make sure your +application server software is updated before adding a triple-DES or +RC4 key for the service, clients should be able to talk to services at +all times during the updating process. Normally, the listed @code{supported_enctypes} in @code{kdc.conf} are all used when a new key is generated. You can control this with command-line flags to @code{kadmin} and @code{kadmin.local}. 
You may -want to exclude triple-DES by default until you have updated a lot of -your application servers, and then change the default to include -triple-DES. We recommend that you always include @code{des-cbc-crc} in -the default list. +want to exclude triple-DES and RC4 by default until you have updated a +lot of your application servers, and then change the default to include +triple-DES and RC4. We recommend that you always include +@code{des-cbc-crc} in the default list. @node Bug Reports for Kerberos V5, , Upgrading Existing Kerberos V5 Installations, Top @chapter Bug Reports for @value{PRODUCT} diff --git a/doc/kadm5acl.texinfo b/doc/kadm5acl.texinfo new file mode 100644 index 000000000..468a9b93a --- /dev/null +++ b/doc/kadm5acl.texinfo 
@@ -0,0 +1,113 @@ +The format of the file is: + +@smallexample +Kerberos_principal permissions [target_principal] [restrictions] +@end smallexample + +The Kerberos principal (and optional target principal) can include the +``@b{*}'' wildcard, so if you want any principal with the instance +``admin'' to have full permissions on the database, you could use the +principal ``@code{*/admin@@REALM}'' where ``REALM'' is your Kerberos +realm. @code{target_principal} can also include backreferences to +@code{Kerberos_principal}, in which "@b{*@i{number}}" matches the +component @i{number} in the @code{Kerberos_principal}. + +Note: a common use of an @i{admin} instance is so you can grant +separate permissions (such as administrator access to the Kerberos +database) to a separate Kerberos principal. For example, the user +@code{@value{ADMINUSER}} might have a principal for his administrative +use, called @code{@value{ADMINUSER}/admin}. This way, +@code{@value{ADMINUSER}} would obtain @code{@value{ADMINUSER}/admin} +tickets only when he actually needs to use those permissions. + +The permissions are represented by single letters; UPPER-CASE letters +represent negative permissions. The permissions are: + +@table @b +@itemx a +allows the addition of principals or policies in the database. +@itemx A +disallows the addition of principals or policies in the database. +@itemx d +allows the deletion of principals or policies in the database. +@itemx D +disallows the deletion of principals or policies in the database. +@itemx m +allows the modification of principals or policies in the database. +@itemx M +disallows the modification of principals or policies in the database. +@itemx c +allows the changing of passwords for principals in the database. +@itemx C +disallows the changing of passwords for principals in the database. +@itemx i +allows inquiries to the database. +@itemx I +disallows inquiries to the database. 
+@itemx l +allows the listing of principals or policies in the database. +@itemx L +disallows the listing of principals or policies in the database. +@itemx s +allows the explicit setting of the key for a principal +@itemx S +disallows the explicit setting of the key for a principal +@itemx * +All privileges (admcil). +@itemx x +All privileges (admcil); identical to ``*''. +@end table + +The restrictions are a string of flags. Allowed restrictions are: + +@table @b +@itemx [+ -]@i{flagname} +flag is forced to indicated value. The permissible flags are the same +as the @code{+} and @code{-} flags for the @code{kadmin addprinc} and +@code{modprinc} commands. +@itemx -clearpolicy +policy is forced to clear +@itemx -policy @i{pol} +policy is forced to be @i{pol} +@itemx expire @i{time} +@itemx pwexpire @i{time} +@itemx maxlife @i{time} +@itemx maxrenewlife @i{time} +associated value will be forced to MIN(@i{time}, requested value) +@end table + +The above flags act as restrictions on any add or modify operation +which is allowed due to that ACL line. + +Here is an example of a @code{kadm5.acl} file. Note that order is +important; permissions are determined by the first matching entry. + +@smallexample +@group +*/admin@@@value{PRIMARYREALM} * +@value{ADMINUSER}@@@value{PRIMARYREALM} ADMCIL +@value{ADMINUSER}/*@@@value{PRIMARYREALM} il */root@@@value{PRIMARYREALM} +*@@@value{PRIMARYREALM} cil *1/admin@@@value{PRIMARYREALM} +*/*@@@value{PRIMARYREALM} i +*/admin@@@value{SECONDREALM} * -maxlife 9h -postdateable +@end group +@end smallexample + +@noindent In the above file, any principal in the +@value{PRIMARYREALM} realm with an @code{admin} instance has all +administrative privileges. The user @code{@value{ADMINUSER}} +has all permissions with his @code{admin} instance, +@code{@value{ADMINUSER}/admin@@@value{PRIMARYREALM}} (matches the first +line). 
He has no permissions at all with his @code{null} instance, +@code{@value{ADMINUSER}@@@value{PRIMARYREALM}} (matches the second line). +His root instance has @i{inquire} and @i{list} permissions with any +other principal that has the instance @code{root}. Any principal +in @value{PRIMARYREALM} can inquire, list, or change the password of +their @code{admin} instance, but not any other @code{admin} instance. +Any principal in the realm @code{@value{PRIMARYREALM}} (except for +@code{@value{ADMINUSER}@@@value{PRIMARYREALM}}, as mentioned above) has +@i{inquire} privileges. Finally, any principal with an admin instance +in @value{SECONDREALM} has all permissions, but any principal that they +create or modify will not be able to get postdateable tickets or tickets +with a life of longer than 9 hours. + diff --git a/doc/kdcconf.texinfo b/doc/kdcconf.texinfo index 8ff1f3570..51583714e 100644 --- a/doc/kdcconf.texinfo +++ b/doc/kdcconf.texinfo @@ -9,15 +9,15 @@ The @code{kdc.conf} file is set up in the same format as the may contain any or all of the following three sections: @table @b -@itemx kdcdefaults +@item kdcdefaults Contains default values for overall behavior of the KDC. -@itemx realms +@item realms Contains subsections keyed by Kerberos realm names. Each subsection describes realm-specific information, including where to find the Kerberos servers for that realm. -@itemx logging +@item logging Contains relations which determine how Kerberos programs are to perform logging. @end table diff --git a/doc/krb425.texinfo b/doc/krb425.texinfo index 447383514..8f97c60d6 100644 --- a/doc/krb425.texinfo +++ b/doc/krb425.texinfo @@ -5,7 +5,7 @@ @c guide @setfilename krb425.info @settitle Upgrading to Kerberos V5 from Kerberos V4 -@setchapternewpage odd @c chapter begins on next odd page +@c @setchapternewpage odd @c chapter begins on next odd page @c @setchapternewpage on @c chapter begins on next page @c @smallbook @c Format for 7" X 9.25" paper @c %**end of header 
@@ -31,7 +31,6 @@ @page @vskip 0pt plus 1filll -@include copyright.texinfo @end titlepage @node Top, Copyright, (dir), (dir) @@ -65,7 +64,7 @@ suggests the following strategy for performing the upgrade: @enumerate @item -@strong{Upgrade your KDCs.} This is must be done first, so that +@strong{Upgrade your KDCs.} This must be done first, so that interactions with the Kerberos database, whether by Kerberos V5 clients or by Kerberos V4 clients, will succeed. @@ -112,15 +111,15 @@ In the [libdefaults] section, the following additional tags may be used: @table @b @item krb4_srvtab Specifies the location of the Kerberos V4 srvtab file. Default is -@code{/etc/srvtab}. +@value{DefaultKrb4Srvtab}. @item krb4_config Specifies the location of the Kerberos V4 configuration file. Default -is @code{/etc/krb.conf}. +is @value{DefaultKrb4Config}. @item krb4_realms Specifies the location of the Kerberos V4 domain/realm translation -file. Default is @code{/etc/krb.realms}. +file. Default is @value{DefaultKrb4Realms}. @end table @node realms (krb5.conf), , libdefaults, krb5.conf @@ -235,8 +234,8 @@ in place of: @smallexample @group -kerberos 88/udp kdc # Kerberos V5 KDC -kerberos 88/tcp kdc # Kerberos V5 KDC +kerberos @value{DefaultPort}/udp kdc # Kerberos V5 KDC +kerberos @value{DefaultPort}/tcp kdc # Kerberos V5 KDC @end group @end smallexample 
@@ -245,62 +244,11 @@ add instead: @smallexample @group -kerberos-sec 88/udp kdc # Kerberos V5 KDC -kerberos-sec 88/tcp kdc # Kerberos V5 KDC +kerberos-sec @value{DefaultPort}/udp kdc # Kerberos V5 KDC +kerberos-sec @value{DefaultPort}/tcp kdc # Kerberos V5 KDC @end group @end smallexample -@item -In the file @code{/etc/inetd.conf}, for a @emph{secure} server, instead -of making the changes described in the @value{PRODUCT} Installation -Guide, do the following: - -Find and comment out any lines for the services @code{ftp}, -@code{telnet}, @code{shell}, @code{login}, and @code{exec}. - -@need 1800 -Add the following lines. (Note: each line beginning with @result{} is -a continuation of the previous line.) - -@smallexample -@group -klogin stream tcp nowait root -@result{} @value{ROOTDIR}/sbin/klogind klogind -k -c -eklogin stream tcp nowait root -n@result{} @value{ROOTDIR}/sbin/klogind klogind -k -c -e -kshell stream tcp nowait root -@result{} @value{ROOTDIR}/sbin/kshd kshd -k -c -A -ftp stream tcp nowait root -@result{} @value{ROOTDIR}/sbin/ftpd ftpd -a -telnet stream tcp nowait root -@result{} @value{ROOTDIR}/sbin/telnetd telnetd -a valid -@end group -@end smallexample - -@ifset CYGNUS -@strong{N.B.}: As noted in the @value{PRODUCT} Installation Guide, if -you have some clients running older versions of Kerberos V5 (beta -6@footnote{@value{PRODUCT} is based on the MIT beta 7 release.} or -earlier), checksums were done differently in those versions, which will -cause authentication to fail. To get around this problem, have the -@code{klogind} and @code{kshd} daemons ignore checksums, by replacing -each @code{-c} flag above with @code{-i}. -@end ifset -@ifclear CYGNUS -@strong{N.B.}: As noted in the @value{PRODUCT} Installation Guide, if -you have some clients running older versions of Kerberos V5 (beta 6 or -earlier), checksums were done differently in those versions, which will -cause authentication to fail. 
To get around this problem, have the -@code{klogind} and @code{kshd} daemons ignore checksums, by replacing -each @code{-c} flag above with @code{-i}. -@end ifclear - -For an @emph{insecure} server, make the changes described in the -@value{PRODUCT} Installation Guide. - -When you make changes to @code{inetd.conf}, remember to @code{kill -HUP} -the @code{inetd} process to cause the changes to take effect. - @item Convert your Kerberos V4 srvtab file to Kerberos V5 keytab file as follows: @@ -336,12 +284,13 @@ V5 application servers.) Users can use either the Kerberos V4 or @node Firewall Considerations, , Upgrading Client machines, Top @chapter Firewall Considerations -@value{PRODUCT} uses port 88, which is the port assigned by the IETF, -for KDC requests. Kerberos V4 used port 750. If your users will need -to get to any KDCs outside your firewall, you will need to allow TCP and -UDP requests on port 88 for your users to get to off-site Kerberos V5 -KDCs, and on port 750 for your users to get to off-site Kerberos V4 -KDCs. +@value{PRODUCT} uses port @value{DefaultPort}, which is the port +assigned by the IETF, for KDC requests. Kerberos V4 used port +@value{DefaultSecondPort}. If your users will need to get to any KDCs +outside your firewall, you will need to allow TCP and UDP requests on +port @value{DefaultPort} for your users to get to off-site Kerberos V5 +KDCs, and on port @value{DefaultSecondPort} for your users to get to +off-site Kerberos V4 KDCs. @contents @c second page break makes sure right-left page alignment works right diff --git a/doc/krb5conf.texinfo b/doc/krb5conf.texinfo index a712ee583..09825524f 100644 --- a/doc/krb5conf.texinfo +++ b/doc/krb5conf.texinfo 
@@ -26,15 +26,32 @@ fubar = @{ @end group @end smallexample -The @code{krb5.conf} file may contain any or all of the following seven +Placing a `*' at the end of a line indicates that this is the +@dfn{final} value for the tag. This means that neither the remainder +of this configuration file nor any other configuration file will be +checked for any other values for this tag. + +For example, if you have the following lines: + +@smallexample +foo = bar* +foo = baz +@end smallexample + +then the second value of foo (baz) would never be read. + +The @code{krb5.conf} file may contain any or all of the following sections: @table @b @itemx libdefaults Contains default values used by the Kerberos V5 library. +@itemx login +Contains default values used by the Kerberos V5 login program. + @itemx appdefaults -Contains default values used by Kerberos V5 applications. +Contains default values that can be used by Kerberos V5 applications. @itemx realms Contains subsections keyed by Kerberos realm names. Each subsection @@ -57,7 +74,10 @@ client to determine the intermediate realms which may be used in cross-realm authentication. It is also used by the end-service when checking the transited field for trusted intermediate realms. +@ignore +this doesn't seem to be used @itemx kdc For a KDC, may contain the location of the kdc.conf file. -@end table +@end ignore +@end table diff --git a/doc/send-pr.texinfo b/doc/send-pr.texinfo index b646a1d47..e34ca935e 100644 --- a/doc/send-pr.texinfo +++ b/doc/send-pr.texinfo 
@@ -1,6 +1,7 @@ In any complex software, there will be bugs. If you have successfully -built and installed @value{PRODUCT}, please use the -@code{krb5-send-pr} program to fill out a Problem Report. +built and installed @value{PRODUCT}, please use the @code{krb5-send-pr} +program to fill out a Problem Report should you encounter any errors in +our software. Bug reports that include proposed fixes are especially welcome. If you do include fixes, please send them using either context diffs or unified diff --git a/doc/user-guide.texinfo b/doc/user-guide.texinfo index e761ef45e..c1fe46235 100644 --- a/doc/user-guide.texinfo +++ b/doc/user-guide.texinfo @@ -28,7 +28,6 @@ @page @vskip 0pt plus 1filll -@include copyright.texinfo @end titlepage @comment node-name, next, previous, up @@ -136,9 +135,17 @@ you don't have to perform the transactions yourself. @section What is a Kerberos Principal? A Kerberos @dfn{principal} is a unique identity to which Kerberos can -assign tickets. By convention, a principal is divided into three parts: -the @dfn{primary}, the @dfn{instance}, and the @dfn{realm}. The format -of a typical Kerberos V5 principal is @code{primary/instance@@REALM}. +assign tickets. Principals can have an arbitrary number of +components. Each component is separated by a component separator, +generally `/'. The last component is the realm, separated from the +rest of the principal by the realm separator, generally `@@'. If there +is no realm component in the principal, then it will be assumed that +the principal is in the default realm for the context in which it is +being used. + +Traditionally, a principal is divided into three parts: the +@dfn{primary}, the @dfn{instance}, and the @dfn{realm}. The format of +a typical Kerberos V5 principal is @code{primary/instance@@REALM}. @itemize @bullet @item The @dfn{primary} is the first part of the principal. In the case 
@@ -159,8 +166,8 @@ is the fully qualified hostname, e.g., @item The @dfn{realm} is your Kerberos realm. In most cases, your Kerberos realm is your domain name, in upper-case letters. For example, -the machine @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} would be in -the realm @code{@value{PRIMARYREALM}}. +the machine @code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}} would be in +the realm @code{@value{SECONDREALM}}. @end itemize @node Kerberos V5 Tutorial, Kerberos V5 Reference, Introduction, Top @@ -235,6 +242,7 @@ or use a screensaver that locks the screen. @node Kerberos Ticket Properties, Obtaining Tickets with kinit, Ticket Management, Ticket Management @subsection Kerberos Ticket Properties +@noindent There are various properties that Kerberos tickets can have: If a ticket is @dfn{forwardable}, then the KDC can issue a new ticket with 
@@ -258,19 +266,18 @@ issued based on a ticket that is proxiable but not forwardable. A @dfn{proxy} ticket is one that was issued based on a proxiable ticket. -If a tickets is @dfn{postdated}, this means that it will become valid at a -specific time in the future. Postdated tickets can be issued for the -time at which a job is going to start so that the time that valid -tickets exist unused on a machine is minimized. +A @dfn{postdated} ticket is issued with the @i{invalid} flag set. +After the starting time listed on the ticket, it can be presented to +the KDC to obtain valid tickets. Tickets with the @dfn{postdateable} flag set can be used to issue postdated tickets. -@dfn{Renewable} tickets can be used to obtain new session keys without the -user entering a new password. A renewable ticket has two expiration -times. The first is the time at which this particular ticket expires. -The second is the latest possible expiration time for any ticket issued -based on this renewable ticket. +@dfn{Renewable} tickets can be used to obtain new session keys without +the user entering their password again. A renewable ticket has two +expiration times. The first is the time at which this particular +ticket expires. The second is the latest possible expiration time for +any ticket issued based on this renewable ticket. A ticket with the @dfn{initial} flag set was issued based on the authentication protocol, and not on a ticket-granting ticket. Clients 
@@ -278,18 +285,19 @@ that wish to ensure that the user's key has been recently presented for verification could specify that this flag must be set to accept the ticket. -An @dfn{initial} ticket must be rejected by application servers. Postdated +An @dfn{invalid} ticket must be rejected by application servers. Postdated tickets are usually issued with this flag set, and must be validated by the KDC before they can be used. A @dfn{preauthenticated} ticket is one that was only issued after the client requesting the ticket had authenticated itself to the KDC. -The @dfn{hardware authentication} flag is set on a ticket which required -the use of hardware expected to be possessed soley by the requesting -client for authentication. +The @dfn{hardware authentication} flag is set on a ticket which +required the use of hardware for authentication. The hardware is +expected to be possessed only by the client which requested the +tickets. -If a ticket has the @dfn{transit policy checked} flag set, the the KDC that +If a ticket has the @dfn{transit policy checked} flag set, then the KDC that issued this ticket implements the transited-realm check policy and checked the transited-realms list on the ticket. The transited-realms list contains a list of all intermediate realms between the realm of the 
@@ -297,13 +305,11 @@ KDC that issued the first ticket and that of the one that issued the current ticket. If this flag is not set, then the application server must check the transited realms itself or else reject the ticket. -The @dfn{okay as delegate} flag indicates that the server specified in the -ticket is suitable as a delegate as determined by the policy of that -realm. A server that is acting as a delegate has been granted a proxy -or a forwarded TGT. The client can use this flag in its decision of -whether or not to use this server as a delgate. This flag is a new -addition to the @value{PRODUCT} protocol and is not yet implemented on MIT -servers. +The @dfn{okay as delegate} flag indicates that the server specified in +the ticket is suitable as a delegate as determined by the policy of +that realm. A server that is acting as a delegate has been granted a +proxy or a forwarded TGT. This flag is a new addition to the +@value{PRODUCT} protocol and is not yet implemented on MIT servers. An @dfn{anonymous} ticket is one in which the named principal is a generic principal for that realm; it does not actually specify the individual @@ -428,7 +434,7 @@ Ticket cache: /tmp/krb5cc_ttypa Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM} Valid starting Expires Service principal -06/07/96 19:49:21 06/08/96 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM} +06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM} @b{shell%} @end group @end smallexample 
@@ -456,8 +462,8 @@ Ticket cache: /tmp/krb5cc_ttypa Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM} Valid starting Expires Service principal -06/07/96 19:49:21 06/08/96 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM} -06/07/96 20:22:30 06/08/96 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} +06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM} +06/07/04 20:22:30 06/08/04 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} @b{shell%} @end group @end smallexample @@ -488,10 +494,10 @@ Ticket cache: /tmp/krb5cc_ttypa Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM} Valid starting Expires Service principal -06/07/96 19:49:21 06/08/96 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM} -06/07/96 20:22:30 06/08/96 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} -06/07/96 20:24:18 06/08/96 05:49:19 krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM} -06/07/96 20:24:18 06/08/96 05:49:19 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{PRIMARYREALM} +06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM} +06/07/04 20:22:30 06/08/04 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} +06/07/04 20:24:18 06/08/04 05:49:19 krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM} +06/07/04 20:24:18 06/08/04 05:49:19 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{PRIMARYREALM} @b{shell%} @end group @end smallexample @@ -519,7 +525,7 @@ post@b{d}ated @itemx i @b{i}nvalid @itemx H -@b{H}ardeware authenticated +@b{H}ardware authenticated @itemx A pre@b{A}uthenticated @itemx T 
@@ -543,7 +549,7 @@ obtained her initial tickets (@samp{I}), which are forwardable Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM} Valid starting Expires Service principal -31 Jul 96 19:06:25 31 Jul 96 19:16:25 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM} +31/07/05 19:06:25 31/07/05 19:16:25 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM} Flags: FdiI shell%} @end group @@ -561,9 +567,9 @@ reforwardable (@samp{F}). Default principal: @value{RANDOMUSER2}@@@value{SECONDREALM} Valid starting Expires Service principal -07/31/96 11:52:29 07/31/96 21:11:23 krbtgt/@value{SECONDREALM}@@@value{SECONDREALM} +07/31/05 11:52:29 07/31/05 21:11:23 krbtgt/@value{SECONDREALM}@@@value{SECONDREALM} Flags: Ff -07/31/96 12:03:48 07/31/96 21:11:23 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{SECONDREALM} +07/31/05 12:03:48 07/31/05 21:11:23 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{SECONDREALM} Flags: Ff shell%} @end group @@ -596,7 +602,6 @@ tickets to destroy, it will give the following message: @group @b{shell%} kdestroy @b{kdestroy: No credentials cache file found while destroying cache -Ticket cache NOT destroyed! shell%} @end group @end smallexample @@ -637,9 +642,9 @@ user @code{@value{RANDOMUSER2}} would do the following: @smallexample @group @b{shell%} kpasswd -@b{Old password for @value{RANDOMUSER2}:} @i{<- Type your old password.} -@b{New Password for @value{RANDOMUSER2}:} @i{<- Type your new password.} -@b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type the new password again.} +@b{Password for @value{RANDOMUSER2}:} @i{<- Type your old password.} +@b{Enter new password:} @i{<- Type your new password.} +@b{Enter it again:} @i{<- Type the new password again.} @b{Password changed.} @b{shell%} @end group 
@@ -652,8 +657,8 @@ the following message: @smallexample @group @b{shell%} kpasswd -@b{Old password for @value{RANDOMUSER2}:} @i{<- Type the incorrect old password.} -@b{Incorrect old password. +@b{Password for @value{RANDOMUSER2}:} @i{<- Type the incorrect old password.} +@b{kpasswd: Password incorrect while getting initial ticket shell%} @end group @end smallexample @@ -665,13 +670,10 @@ twice, @code{kpasswd} will ask you to try again: @smallexample @group @b{shell%} kpasswd -@b{Old password for @value{RANDOMUSER2}:} @i{<- Type the old password.} -@b{New Password for @value{RANDOMUSER2}:} @i{<- Type the new password.} -@b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type a different new password.} -@b{Mismatch - try again -New Password for @value{RANDOMUSER2}:} @i{<- Type the new password.} -@b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type the same new password.} -@b{Password changed. +@b{Password for @value{RANDOMUSER2}:} @i{<- Type the old password.} +@b{Enter new password:} @i{<- Type the new password.} +@b{Enter it again:} @i{<- Type a different new password.} +@b{kpasswd: Password mismatch while reading password shell%} @end group @end smallexample 
@@ -716,26 +718,31 @@ listed in this manual include: only meant to show you how to make up a good password. Passwords that appear in a manual are the first ones intruders will try. -@need 3800 +@need 3800 @value{PRODUCT} allows your system administrators to automatically -reject bad passwords, based on whatever criteria they choose. For -example, if the user @code{@value{RANDOMUSER1}} chose a bad password, -Kerberos would give an error message like the following: +reject bad passwords, based on certain criteria, such as a password +dictionary or a minimum length. For example, if the user +@code{@value{RANDOMUSER1}}, who had a policy "strict" that required a +minimum of 8 characaters, chose a password that was less than 8 +characters, Kerberos would give an error message like the following: @smallexample @group @b{shell%} kpasswd -@b{Old password for @value{RANDOMUSER1}:} @i{<- Type your old password here.} -@b{New Password for @value{RANDOMUSER1}:} @i{<- Type an insecure new password.} -@b{Verifying, please re-enter New Password for @value{RANDOMUSER1}:} @i{<- Type it again.} +@b{Password for @value{RANDOMUSER1}:} @i{<- Type your old password here.} + +@value{RANDOMUSER1}'s password is controlled by the policy strict, which +requires a minimum of 8 characters from at least 3 classes (the five classes +are lowercase, uppercase, numbers, punctuation, and all other characters). -ERROR: Insecure password not accepted. Please choose another. +@b{Enter new password:} @i{<- Type an insecure new password.} +@b{Enter it again:} @i{<- Type it again.} -kpasswd: Insecure password rejected while attempting to change password. +kpasswd: Password is too short while attempting to change password. Please choose another password. 
-@b{New Password for @value{RANDOMUSER1}:} @i{<- Type a good password here.} -@b{Verifying, please re-enter New Password for @value{RANDOMUSER2}:} @i{<- Type it again.} +@b{Enter new password:} @i{<- Type a good password here.} +@b{Enter it again:} @i{<- Type it again.} @b{Password changed. shell%} @end group @@ -851,22 +858,13 @@ The @value{PRODUCT} @code{telnet} command works exactly like the standard UNIX telnet program, with the following Kerberos options added: @table @kbd -@itemx -f, --forward +@itemx -f forwards a copy of your tickets to the remote host. -@itemx --noforward -turns off forwarding of tickets to the remote host. (This option -overrides any forwarding specified in your machine's configuration -files.) - -@itemx -F, --forwardable +@itemx -F forwards a copy of your tickets to the remote host, and marks them re-forwardable from the remote host. -@itemx --noforwardable -makes any forwarded tickets nonforwardable. (This option overrides any -forwardability specified in your machine's configuration files.) - @itemx -k @i{realm} requests tickets for the remote host in the specified realm, instead of determining the realm itself. @@ -879,11 +877,9 @@ you in. attempt automatic login using your tickets. @code{telnet} will assume the same username unless you explicitly specify another. -@itemx -x, --encrypt +@itemx -x turns on encryption. -@itemx --noencrypt -turns off encryption. @end table @need 4000 
@@ -893,16 +889,16 @@ UNIX telnet to connect to the machine @smallexample @group -@b{shell%} telnet @value{RANDOMHOST1}.@value{PRIMARYDOMAIN} +@b{shell%} telnet @value{RANDOMHOST1}.@value{SECONDDOMAIN} @b{Trying 128.0.0.5 ... -Connected to @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}. +Connected to @value{RANDOMHOST1}.@value{SECONDDOMAIN}. Escape character is '^]'. -NetBSD/i386 (@value{RANDOMHOST1}) (ttyp3) +NetBSD/i386 (daffodil) (ttyp3) login:} @value{RANDOMUSER2} @b{Password:} @i{<- @value{RANDOMUSER2} types his password here} -@b{Last login: Fri Jun 21 17:13:11 from @value{RANDOMHOST2}.@value{SECONDDOMAIN} +@b{Last login: Fri Jun 21 17:13:11 from @value{RANDOMHOST2}.@value{PRIMARYDOMAIN} Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 The Regents of the University of California. All rights reserved. @@ -914,7 +910,7 @@ shell%} @end smallexample @noindent Note that the machine -@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} asked for +@code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}} asked for @code{@value{RANDOMUSER2}}'s password. When he typed it, his password was sent over the network unencrypted. If an intruder were watching network traffic at the time, that intruder would know 
@@ -923,27 +919,28 @@ network traffic at the time, that intruder would know @need 4000 If, on the other hand, @code{@value{RANDOMUSER1}} wanted to use the @value{PRODUCT} telnet to connect to the machine -@code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, she could forward a +@code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}}, she could forward a copy of her tickets, request an encrypted session, and log on as herself as follows: @smallexample @group -@b{shell%} telnet -a -f -x @value{RANDOMHOST2}.@value{SECONDDOMAIN} +@b{shell%} telnet -a -f -x @value{RANDOMHOST2}.@value{PRIMARYDOMAIN} @b{Trying 128.0.0.5... -Connected to @value{RANDOMHOST2}.@value{SECONDDOMAIN}. +Connected to @value{RANDOMHOST2}.@value{PRIMARYDOMAIN}. Escape character is '^]'. -[ Kerberos V5 accepts you as ``@value{RANDOMUSER1}@@@value{SECONDDOMAIN}'' ] +[ Kerberos V5 accepts you as ``@value{RANDOMUSER1}@@@value{PRIMARYDOMAIN}'' ] [ Kerberos V5 accepted forwarded credentials ] -NetBSD 1.1: Tue May 21 00:31:42 EDT 1996 +What you type is protected by encryption. +Last login: Tue Jul 30 18:47:44 from @value{RANDOMHOST}.@value{SECONDDOMAIN} +Athena Server (sun4) Version 9.1.11 Tue Jul 30 14:40:08 EDT 2002 -Welcome to NetBSD! shell%} @end group @end smallexample @noindent Note that @code{@value{RANDOMUSER1}}'s machine used Kerberos -to authenticate her to @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, +to authenticate her to @code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}}, and logged her in automatically as herself. She had an encrypted session, a copy of her tickets already waiting for her, and she never typed her password. 
@@ -962,41 +959,30 @@ The @value{PRODUCT} @code{rlogin} command works exactly like the standard UNIX rlogin program, with the following Kerberos options added: @table @kbd -@itemx -f, --forward +@itemx -f forwards a copy of your tickets to the remote host. -@itemx --noforward -turns off forwarding of tickets to the remote host. (This option -overrides any forwarding specified in your machine's configuration -files.) - -@itemx -F, --forwardable +@itemx -F forwards a copy of your tickets to the remote host, and marks them re-forwardable from the remote host. -@itemx --noforwardable -makes any forwarded tickets nonforwardable. (This option overrides any -forwardability specified in your machine's configuration files.) - @itemx -k @i{realm} requests tickets for the remote host in the specified realm, instead of determining the realm itself. -@itemx -x, --encrypt -encrypts the input and output data streams (the command line is not encrypted) +@itemx -x +encrypts the input and output data streams (the username is sent unencrypted) -@itemx --noencrypt -turns off encryption. @end table @need 3000 For example, if @code{@value{RANDOMUSER2}} wanted to use the standard UNIX rlogin to connect to the machine -@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, he would type: +@code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}}, he would type: @smallexample @group -@b{shell%} rlogin @value{RANDOMHOST1}.@value{PRIMARYDOMAIN} -l @value{RANDOMUSER2} +@b{shell%} rlogin @value{RANDOMHOST1}.@value{SECONDDOMAIN} -l @value{RANDOMUSER2} @b{Password:} @i{<- @value{RANDOMUSER2} types his password here} @b{Last login: Fri Jun 21 10:36:32 from :0.0 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 
@@ -1010,7 +996,7 @@ shell%} @end smallexample @noindent Note that the machine -@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} asked for +@code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}} asked for @code{@value{RANDOMUSER2}}'s password. When he typed it, his password was sent over the network unencrypted. If an intruder were watching network traffic at the time, that intruder would know @@ -1019,23 +1005,22 @@ network traffic at the time, that intruder would know @need 4000 If, on the other hand, @code{@value{RANDOMUSER1}} wanted to use @value{PRODUCT} rlogin to connect to the machine -@code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, she could forward a +@code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}}, she could forward a copy of her tickets, mark them as not forwardable from the remote host, and request an encrypted session as follows: @smallexample @group -@b{shell%} rlogin @value{RANDOMHOST2}.@value{SECONDDOMAIN} -f -x -@b{This rlogin session is encrypting all data transmissions. +@b{shell%} rlogin @value{RANDOMHOST2}.@value{PRIMARYDOMAIN} -f -x +@b{This rlogin session is using DES encryption for all data transmissions. Last login: Thu Jun 20 16:20:50 from @value{RANDOMHOST1} -SunOS Release 4.1.4 (GENERIC) #2: Tue Nov 14 18:09:31 EST 1995 -Not checking quotas. Try quota.real if you need them. +Athena Server (sun4) Version 9.1.11 Tue Jul 30 14:40:08 EDT 2002 shell%} @end group @end smallexample @noindent Note that @code{@value{RANDOMUSER1}}'s machine used Kerberos -to authenticate her to @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, +to authenticate her to @code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}}, and logged her in automatically as herself. She had an encrypted session, a copy of her tickets were waiting for her, and she never typed her password. 
@@ -1057,9 +1042,9 @@ UNIX FTP program, with the following Kerberos features added: requests tickets for the remote host in the specified realm, instead of determining the realm itself. -@itemx -forward +@itemx -f requests that your tickets be forwarded to the remote host. The -@kbd{-forward} argument must be the last argument on the command line. +@kbd{-f} argument must be the last argument on the command line. @itemx protect @i{level} (issued at the @code{ftp>} prompt) sets the protection level. ``Clear'' @@ -1083,6 +1068,7 @@ Connected to @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}. 334 Using authentication type GSSAPI; ADAT must follow GSSAPI accepted as authentication type GSSAPI authentication succeeded +200 Data channel protection level set to private. Name (@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}:@value{RANDOMUSER1}): 232 GSSAPI user @value{RANDOMUSER1}@@@value{PRIMARYREALM} is authorized as @value{RANDOMUSER1} 230 User @value{RANDOMUSER1} logged in. @@ -1112,31 +1098,20 @@ The @value{PRODUCT} @code{rsh} program works exactly like the standard UNIX rlogin program, with the following Kerberos features added: @table @kbd -@itemx -f, --forward +@itemx -f forwards a copy of your tickets to the remote host. -@itemx --noforward -turns off forwarding of tickets to the remote host. (This option -overrides any forwarding specified in your machine's configuration -files.) - -@itemx -F, --forwardable +@itemx -F forwards a copy of your tickets to the remote host, and marks them re-forwardable from the remote host. -@itemx --noforwardable -makes any forwarded tickets nonforwardable. (This option overrides any -forwardability specified in your machine's configuration files.) - @itemx -k @i{realm} requests tickets for the remote host in the specified realm, instead of determining the realm itself. -@itemx -x, --encrypt +@itemx -x encrypts the input and output data streams (the command line is not encrypted) -@itemx --noencrypt -turns off encryption. @end table @need 1800 
@@ -1147,8 +1122,8 @@ run the @samp{date} program as follows: @smallexample @group @b{shell%} rsh @value{RANDOMHOST2}.@value{SECONDDOMAIN} -l root -x date -@b{This rsh session is encrypting input/output data transmissions. -Fri Jun 21 17:06:12 EDT 1996 +@b{This rsh session is using DES encryption for all data transmissions. +Tue Jul 30 19:34:21 EDT 2002 shell%} @end group @end smallexample @@ -1170,7 +1145,7 @@ UNIX rcp program, with the following Kerberos features added: requests tickets for the remote host in the specified realm, instead of determining the realm itself. -@itemx -x, --encrypt +@itemx -x turns on encryption. @end table @@ -1235,8 +1210,8 @@ with @samp{.1} appended to it: Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM} Valid starting Expires Service principal -31 Jul 96 21:53:01 01 Aug 96 07:52:53 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM} -31 Jul 96 21:53:39 01 Aug 96 07:52:53 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} +07/31/04 21:53:01 08/01/04 07:52:53 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM} +07/31/04 21:53:39 08/01/04 07:52:53 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} @value{RANDOMUSER2}%} @end group @end smallexample @@ -1331,10 +1306,6 @@ specifies which Kerberos principal you want to use for @code{ksu}. @itemx -c specifies the location of your Kerberos credentials cache (ticket file). -@itemx -C -specifies the location you want the Kerberos credentials cache (ticket -file) to be for the target user ID. - @itemx -k tells @code{ksu} not to destroy your Kerberos tickets when @code{ksu} is finished. 
@@ -1416,14 +1387,14 @@ M-x manual-entry @emph{command} @menu * kinit Reference:: * klist Reference:: +* ksu Reference:: * kdestroy Reference:: * kpasswd Reference:: * telnet Reference:: -* rlogin Reference:: * FTP Reference:: +* rlogin Reference:: * rsh Reference:: * rcp Reference:: -* ksu Reference:: @end menu @node kinit Reference, klist Reference, Kerberos V5 Reference, Kerberos V5 Reference @@ -1438,6 +1409,7 @@ M-x manual-entry @emph{command} @centerline{Reference Manual for @code{kinit}} @page @end iftex + @ifinfo Type @kbd{M-x manual-entry kinit} to read this manual page. @end ifinfo @@ -1448,7 +1420,7 @@ Type @kbd{M-x manual-entry kinit} to read this manual page. @end html @end ifhtml -@node klist Reference, kdestroy Reference, kinit Reference, Kerberos V5 Reference +@node klist Reference, ksu Reference, kinit Reference, Kerberos V5 Reference @section klist Reference @iftex @@ -1462,6 +1434,7 @@ Type @kbd{M-x manual-entry kinit} to read this manual page. @centerline{Reference Manual for @code{klist}} @page @end iftex + @ifinfo Type @kbd{M-x manual-entry klist} to read this manual page. @end ifinfo 
@@ -1472,7 +1445,42 @@ Type @kbd{M-x manual-entry klist} to read this manual page. @end html @end ifhtml -@node kdestroy Reference, kpasswd Reference, klist Reference, Kerberos V5 Reference +@node ksu Reference, kdestroy Reference, klist Reference, Kerberos V5 Reference +@section ksu Reference + +@iftex +@special{psfile=ksu1.ps voffset=-700 hoffset=-40} +@centerline{Reference Manual for @code{ksu}} +@page + +@special{psfile=ksu2.ps voffset=-700 hoffset=-40} +@centerline{Reference Manual for @code{ksu}} +@page + +@special{psfile=ksu3.ps voffset=-700 hoffset=-40} +@centerline{Reference Manual for @code{ksu}} +@page + +@special{psfile=ksu4.ps voffset=-700 hoffset=-40} +@centerline{Reference Manual for @code{ksu}} +@page + +@special{psfile=ksu5.ps voffset=-700 hoffset=-40} +@centerline{Reference Manual for @code{ksu}} +@page +@end iftex + +@ifinfo +Type @kbd{M-x manual-entry ksu} to read this manual page. +@end ifinfo + +@ifhtml +@html + ksu manpage +@end html +@end ifhtml + +@node kdestroy Reference, kpasswd Reference, ksu Reference, Kerberos V5 Reference @section kdestroy Reference @iftex @@ -1480,6 +1488,7 @@ Type @kbd{M-x manual-entry klist} to read this manual page. @centerline{Reference Manual for @code{kdestroy}} @page @end iftex + @ifinfo Type @kbd{M-x manual-entry kdestroy} to read this manual page. @end ifinfo @@ -1498,6 +1507,7 @@ Type @kbd{M-x manual-entry kdestroy} to read this manual page. @centerline{Reference Manual for @code{kpasswd}} @page @end iftex + @ifinfo Type @kbd{M-x manual-entry kpasswd} to read this manual page. @end ifinfo @@ -1508,7 +1518,7 @@ Type @kbd{M-x manual-entry kpasswd} to read this manual page. @end html @end ifhtml -@node telnet Reference, rlogin Reference, kpasswd Reference, Kerberos V5 Reference +@node telnet Reference, FTP Reference, kpasswd Reference, Kerberos V5 Reference @section telnet Reference @iftex 
@@ -1548,6 +1558,7 @@ Type @kbd{M-x manual-entry kpasswd} to read this manual page. @centerline{Reference Manual for @code{telnet}} @page @end iftex + @ifinfo Type @kbd{M-x manual-entry telnet} to read this manual page. @end ifinfo @@ -1558,29 +1569,7 @@ Type @kbd{M-x manual-entry telnet} to read this manual page. @end html @end ifhtml -@node rlogin Reference, FTP Reference, telnet Reference, Kerberos V5 Reference -@section rlogin Reference - -@iftex -@special{psfile=rlogin1.ps voffset=-700 hoffset=-40} -@centerline{Reference Manual for @code{rlogin}} -@page - -@special{psfile=rlogin2.ps voffset=-700 hoffset=-40} -@centerline{Reference Manual for @code{rlogin}} -@page -@end iftex -@ifinfo -Type @kbd{M-x manual-entry rlogin} to read this manual page. -@end ifinfo - -@ifhtml -@html - rlogin manpage -@end html -@end ifhtml - -@node FTP Reference, rsh Reference, rlogin Reference, Kerberos V5 Reference +@node FTP Reference, rlogin Reference, telnet Reference, Kerberos V5 Reference @section FTP Reference @iftex @@ -1620,6 +1609,7 @@ Type @kbd{M-x manual-entry rlogin} to read this manual page. @centerline{Reference Manual for @code{FTP}} @page @end iftex + @ifinfo Type @kbd{M-x manual-entry FTP} to read this manual page. @end ifinfo 
@@ -1630,7 +1620,30 @@ Type @kbd{M-x manual-entry FTP} to read this manual page. @end html @end ifhtml -@node rsh Reference, rcp Reference, FTP Reference, Kerberos V5 Reference +@node rlogin Reference, rsh Reference, FTP Reference, Kerberos V5 Reference +@section rlogin Reference + +@iftex +@special{psfile=rlogin1.ps voffset=-700 hoffset=-40} +@centerline{Reference Manual for @code{rlogin}} +@page + +@special{psfile=rlogin2.ps voffset=-700 hoffset=-40} +@centerline{Reference Manual for @code{rlogin}} +@page +@end iftex + +@ifinfo +Type @kbd{M-x manual-entry rlogin} to read this manual page. +@end ifinfo + +@ifhtml +@html + rlogin manpage +@end html +@end ifhtml + +@node rsh Reference, rcp Reference, rlogin Reference, Kerberos V5 Reference @section rsh Reference @iftex @@ -1642,6 +1655,7 @@ Type @kbd{M-x manual-entry FTP} to read this manual page. @centerline{Reference Manual for @code{rsh}} @page @end iftex + @ifinfo Type @kbd{M-x manual-entry rsh} to read this manual page. @end ifinfo @@ -1652,7 +1666,7 @@ Type @kbd{M-x manual-entry rsh} to read this manual page. @end html @end ifhtml -@node rcp Reference, ksu Reference, rsh Reference, Kerberos V5 Reference +@node rcp Reference, , rsh Reference, Kerberos V5 Reference @section rcp Reference @iftex @@ -1666,6 +1680,7 @@ Type @kbd{M-x manual-entry rsh} to read this manual page. @centerline{Reference Manual for @code{rcp}} @page @end iftex + @ifinfo Type @kbd{M-x manual-entry rcp} to read this manual page. @end ifinfo 
@@ -1676,40 +1691,6 @@ Type @kbd{M-x manual-entry rcp} to read this manual page. @end html @end ifhtml -@node ksu Reference, , rcp Reference, Kerberos V5 Reference -@section ksu Reference - -@iftex -@special{psfile=ksu1.ps voffset=-700 hoffset=-40} -@centerline{Reference Manual for @code{ksu}} -@page - -@special{psfile=ksu2.ps voffset=-700 hoffset=-40} -@centerline{Reference Manual for @code{ksu}} -@page - -@special{psfile=ksu3.ps voffset=-700 hoffset=-40} -@centerline{Reference Manual for @code{ksu}} -@page - -@special{psfile=ksu4.ps voffset=-700 hoffset=-40} -@centerline{Reference Manual for @code{ksu}} -@page - -@special{psfile=ksu5.ps voffset=-700 hoffset=-40} -@centerline{Reference Manual for @code{ksu}} -@page -@end iftex -@ifinfo -Type @kbd{M-x manual-entry ksu} to read this manual page. -@end ifinfo - -@ifhtml -@html - ksu manpage -@end html -@end ifhtml - @node Kerberos Glossary, , Kerberos V5 Reference, Top @appendix Kerberos Glossary -- 2.26.2
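Review bot: In the @@ -159,8 +166,8 @@ hunk, moving @value{RANDOMHOST1} into @value{SECONDDOMAIN} (and, in the telnet and rlogin hunks, @value{RANDOMHOST2} into @value{PRIMARYDOMAIN}) leaves the rest of the file inconsistent: the klist output in the @@ -456 and @@ -488 hunks, the ticket cache example in the @@ -1235 hunk and the FTP context line `Connected to @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}.` still place RANDOMHOST1 in PRIMARYDOMAIN. Pick one host-to-domain assignment and apply it to every example, since a reader following the tutorial will notice the same host appearing in two domains.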
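Review bot: In the @@ -258,19 +266,18 @@ hunk, the rewritten postdated-ticket paragraph is more accurate about the @i{invalid} flag but drops the only sentence explaining why postdated tickets exist (issuing them for the time a job will start so that valid tickets are not left unused on a machine). That rationale is the security point of the feature; suggest keeping one sentence of it after "After the starting time listed on the ticket, it can be presented to the KDC to obtain valid tickets."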
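Review bot: In the @@ -278,18 +285,19 @@ hunk, "the client which requested the tickets" should be singular ("the ticket"), since the sentence is about a single ticket carrying the hardware authentication flag. The change from @dfn{initial} to @dfn{invalid} in the rejection sentence is the right fix for the old copy-paste error.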
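Review bot: In the @@ -297,13 +305,11 @@ hunk, deleting "The client can use this flag in its decision of whether or not to use this server as a delegate" removes the only statement of who consumes the okay-as-delegate flag, so the remaining text says what the flag means but not what a client should do with it. Keep that sentence (with "delgate" corrected to "delegate") between the proxy/forwarded-TGT sentence and the "not yet implemented on MIT servers" sentence.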
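Review bot: In the @@ -488,10 +494,10 @@ hunk, the last service principal is shown as `host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{PRIMARYREALM}`, but the line just above it shows the cross-realm TGT `krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}` being obtained, and a service ticket for a host in the second realm would carry that host's realm, i.e. `@@@value{SECONDREALM}`. Since these lines are being rewritten anyway for the dates, please check the realm on the host principal; as written the example does not illustrate cross-realm authentication.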
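Review bot: In the @@ -543,7 +549,7 @@ hunk, the new dates use day/month/year (`31/07/05`), whereas every other klist sample in this patch uses month/day/year (`06/07/04`, `07/31/05`, `07/31/04`). klist prints one format, so the samples should agree; use `07/31/05` here. While at it, consider using the same sample year throughout the file instead of a mix of 04 and 05.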
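Review bot: In the @@ -665,13 +670,10 @@ hunk, the new sample output ends with `kpasswd: Password mismatch while reading password` followed by the shell prompt, i.e. kpasswd exits, but the unchanged lead-in visible in the hunk header still says "twice, @code{kpasswd} will ask you to try again:". Either the prose above this example needs to say that kpasswd reports the mismatch and exits (and that the user must rerun it), or the sample should show the retry; as it stands the text and the output contradict each other.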
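Review bot: In the @@ -716,26 +718,31 @@ hunk, "characaters" in the added prose is a typo for "characters", and the policy name is quoted with ASCII double quotes (`a policy "strict"`) where the rest of this file uses Texinfo quoting, so write it as @samp{strict} or ``strict''. Also, the prose describes the policy as requiring only a minimum of 8 characters, while the sample output says it also requires at least 3 character classes; mention both so the error message does not surprise the reader.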
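Review bot: In the @@ -851,22 +858,13 @@ hunk (and likewise the rlogin table in the @@ -962 hunk and the rsh table in the @@ -1112 hunk), removing the `--noforward`, `--noforwardable` and `--noencrypt` entries also removes the only documentation of how a user overrides forwarding or encryption defaults set in the machine's configuration files. If the clients genuinely no longer accept those options this is the right cleanup, but then please state in the surrounding text which configuration setting governs the default for ticket forwarding, since the ability to turn forwarding off is the security-relevant control here; if the clients still accept any such switch, keep its entry.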
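Review bot: In the @@ -893,16 +889,16 @@ hunk, the login banner now reads `NetBSD/i386 (daffodil) (ttyp3)`, hard-coding a hostname where every other line of the sample uses @value{RANDOMHOST1}. Unless "daffodil" is what RANDOMHOST1 expands to in definitions.texinfo, restore `@value{RANDOMHOST1}` so the banner matches the host the user just connected to.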
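Review bot: In the @@ -923,27 +919,28 @@ hunk, the line `[ Kerberos V5 accepts you as ``@value{RANDOMUSER1}@@@value{PRIMARYDOMAIN}'' ]` gives the principal a domain name after the @@ rather than a realm; the principal should read `@value{RANDOMUSER1}@@@value{PRIMARYREALM}`, consistent with the klist samples earlier in the file. In the same hunk the new `Last login` line references `@value{RANDOMHOST}` with no digit; the rest of the file only uses RANDOMHOST1 and RANDOMHOST2, so check that this variable exists in definitions.texinfo or it will be an undefined @value at build time.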
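Review bot: In the @@ -1112,31 +1098,20 @@ hunk, the context line in the header reads "The @value{PRODUCT} @code{rsh} program works exactly like the standard UNIX rlogin program"; this is the rsh section, so it should say "rsh program". It is an existing typo rather than one introduced here, but the table directly under it is being rewritten, so this is the natural place to fix it.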
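Review bot: In the @@ -1416,14 +1387,14 @@ hunk and the node moves that follow it, the node pointers and the menu are consistent with each other (kinit, klist, ksu, kdestroy, kpasswd, telnet, FTP, rlogin, rsh, rcp), so the Info structure builds correctly. The new order, however, no longer matches the order in which the tutorial introduces these commands earlier in this same patch (telnet, rlogin, FTP, rsh, rcp, ksu). If the reordering is deliberate, a one-line note in the commit message would help; otherwise consider keeping the reference sections in tutorial order so readers can move between the two parts without hunting.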