1 \input texinfo @c -*-texinfo-*-
4 @setfilename krb5-user.info
5 @settitle Kerberos V5 UNIX User's Guide
6 @setchapternewpage odd @c chapter begins on next odd page
7 @c @setchapternewpage on @c chapter begins on next page
8 @c @smallbook @c Format for 7" X 9.25" paper
9 @documentencoding UTF-8
12 Copyright @copyright{} 1985-2010 by the Massachusetts Institute of Technology.
22 * krb5-user: (krb5-user). Kerberos V5 UNIX User's Guide
25 @include definitions.texinfo
28 @finalout @c don't print black warning boxes
31 @title @value{PRODUCT} UNIX User's Guide
32 @subtitle Release: @value{RELEASE}
33 @subtitle Document Edition: @value{EDITION}
34 @subtitle Last updated: @value{UPDATED}
35 @author @value{COMPANY}
38 @vskip 0pt plus 1filll
42 @comment node-name, next, previous, up
43 @node Top, Introduction, (dir), (dir)
46 This file describes how to use the @value{PRODUCT} client programs.
51 @c The master menu is updated using emacs19's M-x texinfo-all-menus-update
52 @c function. Don't forget to run M-x texinfo-every-node-update after
53 @c you add a new section or subsection, or after you've rearranged the
54 @c comand before each @section or @subsection! All you need to enter
57 @c @section New Section Name
59 @c M-x texinfo-every-node-update will take care of calculating the
60 @c node's forward and back pointers.
62 @c ---------------------------------------------------------------------
66 * Kerberos V5 Tutorial::
67 * Kerberos V5 Reference::
72 @node Introduction, Kerberos V5 Tutorial, Top, Top
76 @value{PRODUCT} is based on the Kerberos V5 authentication system
80 Kerberos V5 is an authentication system developed at MIT.
82 Kerberos is named for the three-headed watchdog from Greek mythology,
83 who guarded the entrance to the underworld.
85 Under Kerberos, a client (generally either a user or a service) sends a
86 request for a ticket to the @i{Key Distribution Center} (KDC). The KDC
87 creates a @dfn{ticket-granting ticket} (TGT) for the client, encrypts it
88 using the client's password as the key, and sends the encrypted TGT back
89 to the client. The client then attempts to decrypt the TGT, using its
90 password. If the client successfully decrypts the TGT (@i{i.e.}, if the
91 client gave the correct password), it keeps the decrypted TGT, which
92 indicates proof of the client's identity.
94 The TGT, which expires at a specified time, permits the client to obtain
95 additional tickets, which give permission for specific services. The
96 requesting and granting of these additional tickets is user-transparent.
98 Since Kerberos negotiates authenticated, and optionally encrypted,
99 communications between two points anywhere on the internet, it provides
100 a layer of security that is not dependent on which side of a firewall
101 either client is on. Since studies have shown that half of the computer
102 security breaches in industry happen from @i{inside} firewalls,
103 @value{COMPANY}'s @value{PRODUCT} plays a vital role in maintaining your
106 The @value{PRODUCT} package is designed to be easy to use. Most of the
107 commands are nearly identical to UNIX network programs you already
108 use. @value{PRODUCT} is a @dfn{single-sign-on} system, which means
109 that you have to type your password only once per session, and Kerberos
110 does the authenticating and encrypting transparently.
113 * What is a Ticket?::
114 * What is a Kerberos Principal?::
117 @node What is a Ticket?, What is a Kerberos Principal?, Introduction, Introduction
118 @section What is a Ticket?
120 Your Kerberos @dfn{credentials}, or ``@dfn{tickets}'', are a set of
121 electronic information that can be used to verify your identity. Your
122 Kerberos tickets may be stored in a file, or they may exist only in
125 The first ticket you obtain is a @dfn{ticket-granting ticket}, which
126 permits you to obtain additional tickets. These additional tickets give
127 you permission for specific services. The requesting and granting of
128 these additional tickets happens transparently.
130 A good analogy for the ticket-granting ticket is a three-day ski pass
131 that is good at four different resorts. You show the pass at whichever
132 resort you decide to go to (until it expires), and you receive a lift
133 ticket for that resort. Once you have the lift ticket, you can ski all
134 you want at that resort. If you go to another resort the next day, you
135 once again show your pass, and you get an additional lift ticket for the
136 new resort. The difference is that the @value{PRODUCT} programs notice
137 that you have the weekend ski pass, and get the lift ticket for you, so
138 you don't have to perform the transactions yourself.
140 @node What is a Kerberos Principal?, , What is a Ticket?, Introduction
141 @section What is a Kerberos Principal?
143 A Kerberos @dfn{principal} is a unique identity to which Kerberos can
144 assign tickets. Principals can have an arbitrary number of
145 components. Each component is separated by a component separator,
146 generally `/'. The last component is the realm, separated from the
147 rest of the principal by the realm separator, generally `@@'. If there
148 is no realm component in the principal, then it will be assumed that
149 the principal is in the default realm for the context in which it is
152 Traditionally, a principal is divided into three parts: the
153 @dfn{primary}, the @dfn{instance}, and the @dfn{realm}. The format of
154 a typical Kerberos V5 principal is @code{primary/instance@@REALM}.
157 @item The @dfn{primary} is the first part of the principal. In the case
158 of a user, it's the same as your username. For a host, the primary is
159 the word @code{host}.
161 @item The @dfn{instance} is an optional string that qualifies the
162 primary. The instance is separated from the primary by a slash
163 (@code{/}). In the case of a user, the instance is usually null, but a
164 user might also have an additional principal, with an instance called
165 @samp{admin}, which he/she uses to administrate a database. The
166 principal @code{@value{RANDOMUSER1}@@@value{PRIMARYREALM}} is completely
167 separate from the principal
168 @code{@value{RANDOMUSER1}/admin@@@value{PRIMARYREALM}}, with a separate
169 password, and separate permissions. In the case of a host, the instance
170 is the fully qualified hostname, e.g.,
171 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}.
173 @item The @dfn{realm} is your Kerberos realm. In most cases, your
174 Kerberos realm is your domain name, in upper-case letters. For example,
175 the machine @code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}} would be in
176 the realm @code{@value{SECONDREALM}}.
179 @node Kerberos V5 Tutorial, Kerberos V5 Reference, Introduction, Top
180 @chapter Kerberos V5 Tutorial
182 This tutorial is intended to familiarize you with the @value{PRODUCT}
183 client programs. We will represent your prompt as ``@code{shell%}''.
184 So an instruction to type the ``@kbd{ls}'' command would be represented as
194 In these examples, we will use sample usernames, such as
195 @code{@value{RANDOMUSER1}} and @code{@value{RANDOMUSER2}}, sample
196 hostnames, such as @code{@value{RANDOMHOST1}} and
197 @code{@value{RANDOMHOST2}}, and sample domain names, such as
198 @code{@value{PRIMARYDOMAIN}} and @code{@value{SECONDDOMAIN}}. When you
199 see one of these, substitute your username, hostname, or domain name
203 * Setting Up to Use Kerberos V5::
204 * Ticket Management::
205 * Password Management::
206 * Kerberos V5 Applications::
209 @node Setting Up to Use Kerberos V5, Ticket Management, Kerberos V5 Tutorial, Kerberos V5 Tutorial
210 @section Setting Up to Use @value{PRODUCT}
212 Your system administrator will have installed the @value{PRODUCT}
213 programs in whichever directory makes the most sense for your system.
214 We will use @code{@value{ROOTDIR}} throughout this guide to refer to the
215 top-level directory @value{PRODUCT} directory. We will therefor use
216 @code{@value{BINDIR}} to denote the location of the @value{PRODUCT} user
217 programs. In your installation, the directory name may be different,
218 but whatever the directory name is, you should make sure it is included
219 in your path. You will probably want to put it @i{ahead of} the
220 directories @code{/bin} and @code{/usr/bin} so you will get the
221 @value{PRODUCT} network programs, rather than the standard UNIX
222 versions, when you type their command names.
224 @node Ticket Management, Password Management, Setting Up to Use Kerberos V5, Kerberos V5 Tutorial
225 @section Ticket Management
227 On many systems, Kerberos is built into the login program, and you get
228 tickets automatically when you log in. Other programs, such as
229 @code{rsh}, @code{rcp}, @code{telnet}, and @code{rlogin}, can forward
230 copies of your tickets to the remote host. Most of these programs also
231 automatically destroy your tickets when they exit. However,
232 @value{COMPANY} recommends that you explicitly destroy your Kerberos
233 tickets when you are through with them, just to be sure. One way to
234 help ensure that this happens is to add the @code{kdestroy} command to
235 your @code{.logout} file. Additionally, if you are going to be away
236 from your machine and are concerned about an intruder using your
237 permissions, it is safest to either destroy all copies of your tickets,
238 or use a screensaver that locks the screen.
242 * Kerberos Ticket Properties::
243 * Obtaining Tickets with kinit::
244 * Viewing Your Tickets with klist::
245 * Destroying Your Tickets with kdestroy::
248 @node Kerberos Ticket Properties, Obtaining Tickets with kinit, Ticket Management, Ticket Management
249 @subsection Kerberos Ticket Properties
252 There are various properties that Kerberos tickets can have:
254 If a ticket is @dfn{forwardable}, then the KDC can issue a new ticket with
255 a different network address based on the forwardable ticket. This
256 allows for authentication forwarding without requiring a password to be
257 typed in again. For example, if a user with a forwardable TGT logs
258 into a remote system, the KDC could issue a new TGT for that user with
259 the network address of the remote system, allowing authentication on
260 that host to work as though the user were logged in locally.
262 When the KDC creates a new ticket based on a forwardable ticket, it
263 sets the @dfn{forwarded} flag on that new ticket. Any tickets that are
264 created based on a ticket with the forwarded flag set will also have
265 their forwarded flags set.
267 A @dfn{proxiable} ticket is similar to a forwardable ticket in that it
268 allows a service to take on the identity of the client. Unlike a
269 forwardable ticket, however, a proxiable ticket is only issued for
270 specific services. In other words, a ticket-granting ticket cannot be
271 issued based on a ticket that is proxiable but not forwardable.
273 A @dfn{proxy} ticket is one that was issued based on a proxiable ticket.
275 A @dfn{postdated} ticket is issued with the @i{invalid} flag set.
276 After the starting time listed on the ticket, it can be presented to
277 the KDC to obtain valid tickets.
279 Tickets with the @dfn{postdateable} flag set can be used to issue postdated
282 @dfn{Renewable} tickets can be used to obtain new session keys without
283 the user entering their password again. A renewable ticket has two
284 expiration times. The first is the time at which this particular
285 ticket expires. The second is the latest possible expiration time for
286 any ticket issued based on this renewable ticket.
288 A ticket with the @dfn{initial} flag set was issued based on the
289 authentication protocol, and not on a ticket-granting ticket. Clients
290 that wish to ensure that the user's key has been recently presented for
291 verification could specify that this flag must be set to accept the
294 An @dfn{invalid} ticket must be rejected by application servers. Postdated
295 tickets are usually issued with this flag set, and must be validated by
296 the KDC before they can be used.
298 A @dfn{preauthenticated} ticket is one that was only issued after the
299 client requesting the ticket had authenticated itself to the KDC.
301 The @dfn{hardware authentication} flag is set on a ticket which
302 required the use of hardware for authentication. The hardware is
303 expected to be possessed only by the client which requested the
306 If a ticket has the @dfn{transit policy checked} flag set, then the KDC that
307 issued this ticket implements the transited-realm check policy and
308 checked the transited-realms list on the ticket. The transited-realms
309 list contains a list of all intermediate realms between the realm of the
310 KDC that issued the first ticket and that of the one that issued the
311 current ticket. If this flag is not set, then the application server
312 must check the transited realms itself or else reject the ticket.
314 The @dfn{okay as delegate} flag indicates that the server specified in
315 the ticket is suitable as a delegate as determined by the policy of
316 that realm. A server that is acting as a delegate has been granted a
317 proxy or a forwarded TGT. This flag is a new addition to the
318 @value{PRODUCT} protocol and is not yet implemented on MIT servers.
320 An @dfn{anonymous} ticket is one in which the named principal is a generic
321 principal for that realm; it does not actually specify the individual
322 that will be using the ticket. This ticket is meant only to securely
323 distribute a session key. This is a new addition to the @value{PRODUCT}
324 protocol and is not yet implemented on MIT servers.
326 @node Obtaining Tickets with kinit, Viewing Your Tickets with klist, Kerberos Ticket Properties, Ticket Management
327 @subsection Obtaining Tickets with kinit
329 If your site is using the @value{PRODUCT} login program, you will get
330 Kerberos tickets automatically when you log in. If your site uses a
331 different login program, you may need to explicitly obtain your Kerberos
332 tickets, using the @code{kinit} program. Similarly, if your Kerberos
333 tickets expire, use the @code{kinit} program to obtain new ones.
336 To use the @code{kinit} program, simply type @kbd{kinit} and then type
337 your password at the prompt. For example, Jennifer (whose username is
338 @code{@value{RANDOMUSER1}}) works for Bleep, Inc. (a fictitious company
339 with the domain name @code{@value{PRIMARYDOMAIN}} and the Kerberos realm
340 @code{@value{PRIMARYREALM}}). She would type:
345 @b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type @value{RANDOMUSER1}'s password here.]}
351 If you type your password incorrectly, kinit will give you the following
357 @b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type the wrong password here.]}
358 @b{kinit: Password incorrect}
363 @noindent and you won't get Kerberos tickets.
365 @noindent Notice that @code{kinit} assumes you want tickets for your own
366 username in your default realm.
368 Suppose Jennifer's friend David is visiting, and he wants to borrow a
369 window to check his mail. David needs to get tickets for himself in his
370 own realm, @value{SECONDREALM}.@footnote{Note: the realm
371 @value{SECONDREALM} must be listed in your computer's Kerberos
372 configuration file, @code{/etc/krb5.conf}.} He would type:
376 @b{shell%} kinit @value{RANDOMUSER2}@@@value{SECONDREALM}
377 @b{Password for @value{RANDOMUSER2}@@@value{SECONDREALM}:} @i{<-- [Type @value{RANDOMUSER2}'s password here.]}
382 @noindent David would then have tickets which he could use to log onto
383 his own machine. Note that he typed his password locally on Jennifer's
384 machine, but it never went over the network. Kerberos on the local host
385 performed the authentication to the KDC in the other realm.
388 If you want to be able to forward your tickets to another host, you need
389 to request @dfn{forwardable} tickets. You do this by specifying the
395 @b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type your password here.]}
401 Note that @code{kinit} does not tell you that it obtained forwardable
402 tickets; you can verify this using the @code{klist} command
403 (@pxref{Viewing Your Tickets with klist}).
405 Normally, your tickets are good for your system's default ticket
406 lifetime, which is ten hours on many systems. You can specify a
407 different ticket lifetime with the @samp{-l} option. Add the letter
408 @samp{s} to the value for seconds, @samp{m} for minutes, @samp{h} for
409 hours, or @samp{d} for days.
411 For example, to obtain forwardable tickets for
412 @code{@value{RANDOMUSER2}@@@value{SECONDREALM}} that would be good for
413 three hours, you would type:
417 @b{shell%} kinit -f -l 3h @value{RANDOMUSER2}@@@value{SECONDREALM}
418 @b{Password for @value{RANDOMUSER2}@@@value{SECONDREALM}:} @i{<-- [Type @value{RANDOMUSER2}'s password here.]}
424 You cannot mix units; specifying a lifetime of @samp{3h30m} would result
425 in an error. Note also that most systems specify a maximum ticket
426 lifetime. If you request a longer ticket lifetime, it will be
427 automatically truncated to the maximum lifetime.
429 @node Viewing Your Tickets with klist, Destroying Your Tickets with kdestroy, Obtaining Tickets with kinit, Ticket Management
430 @subsection Viewing Your Tickets with klist
432 The @code{klist} command shows your tickets. When you first obtain
433 tickets, you will have only the ticket-granting ticket. (@xref{What is
434 a Ticket?}.) The listing would look like this:
439 Ticket cache: /tmp/krb5cc_ttypa
440 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
442 Valid starting Expires Service principal
443 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
449 The ticket cache is the location of your ticket file. In the above
450 example, this file is named @code{/tmp/krb5cc_ttypa}. The default
451 principal is your kerberos @dfn{principal}. (@pxref{What is a Kerberos
454 The ``valid starting'' and ``expires'' fields describe the period of
455 time during which the ticket is valid. The @dfn{service principal}
456 describes each ticket. The ticket-granting ticket has the primary
457 @code{krbtgt}, and the instance is the realm name.
460 Now, if @value{RANDOMUSER1} connected to the machine
461 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, and then typed
462 @kbd{klist} again, she would have gotten the following result:
467 Ticket cache: /tmp/krb5cc_ttypa
468 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
470 Valid starting Expires Service principal
471 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
472 06/07/04 20:22:30 06/08/04 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
478 Here's what happened: when @value{RANDOMUSER1} used telnet to connect
479 to the host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, the telnet
480 program presented her ticket-granting ticket to the KDC and requested a
481 host ticket for the host
482 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}. The KDC sent the host
483 ticket, which telnet then presented to the host
484 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, and she was allowed to
485 log in without typing her password.
488 Suppose your Kerberos tickets allow you to log into a host in another
489 domain, such as @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, which
490 is also in another Kerberos realm, @code{@value{SECONDREALM}}. If you
491 telnet to this host, you will receive a ticket-granting ticket for the
492 realm @code{@value{SECONDREALM}}, plus the new @code{host} ticket for
493 @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}. @kbd{klist} will now
499 Ticket cache: /tmp/krb5cc_ttypa
500 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
502 Valid starting Expires Service principal
503 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
504 06/07/04 20:22:30 06/08/04 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
505 06/07/04 20:24:18 06/08/04 05:49:19 krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}
506 06/07/04 20:24:18 06/08/04 05:49:19 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{SECONDREALM}
511 You can use the @code{-f} option to view the @dfn{flags} that apply to
512 your tickets. The flags are:
534 @b{H}ardware authenticated
538 @b{T}ransit policy checked
546 Here is a sample listing. In this example, the user @value{RANDOMUSER1}
547 obtained her initial tickets (@samp{I}), which are forwardable
548 (@samp{F}) and postdated (@samp{d}) but not yet validated (@samp{i}).
549 (@xref{kinit Reference}, for more information about postdated tickets.)
554 @b{Ticket cache: /tmp/krb5cc_320
555 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
557 Valid starting Expires Service principal
558 31/07/05 19:06:25 31/07/05 19:16:25 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
565 In the following example, the user @value{RANDOMUSER2}'s tickets were
566 forwarded (@samp{f}) to this host from another host. The tickets are
567 reforwardable (@samp{F}).
572 @b{Ticket cache: /tmp/krb5cc_p11795
573 Default principal: @value{RANDOMUSER2}@@@value{SECONDREALM}
575 Valid starting Expires Service principal
576 07/31/05 11:52:29 07/31/05 21:11:23 krbtgt/@value{SECONDREALM}@@@value{SECONDREALM}
578 07/31/05 12:03:48 07/31/05 21:11:23 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{SECONDREALM}
584 @node Destroying Your Tickets with kdestroy, , Viewing Your Tickets with klist, Ticket Management
585 @subsection Destroying Your Tickets with kdestroy
587 Your Kerberos tickets are proof that you are indeed yourself, and
588 tickets can be stolen. If this happens, the person who has them can
589 masquerade as you until they expire. For this reason, you should
590 destroy your Kerberos tickets when you are away from your computer.
593 Destroying your tickets is easy. Simply type @kbd{kdestroy}.
603 If @code{kdestroy} fails to destroy your tickets, it will beep and give
604 an error message. For example, if @code{kdestroy} can't find any
605 tickets to destroy, it will give the following message:
610 @b{kdestroy: No credentials cache file found while destroying cache
615 @node Password Management, Kerberos V5 Applications, Ticket Management, Kerberos V5 Tutorial
616 @section Password Management
618 Your password is the only way Kerberos has of verifying your identity.
619 If someone finds out your password, that person can masquerade as
620 you---send email that comes from you, read, edit, or delete your files,
621 or log into other hosts as you---and no one will be able to tell the
622 difference. For this reason, it is important that you choose a good
623 password (@pxref{Password Advice}), and keep it secret. If you need to
624 give access to your account to someone else, you can do so through
625 Kerberos. (@xref{Granting Access to Your Account}.) You should
626 @i{never} tell your password to anyone, including your system
627 administrator, for any reason. You should change your password
628 frequently, particularly any time you think someone may have found out
632 * Changing Your Password::
634 * Granting Access to Your Account::
637 @node Changing Your Password, Password Advice, Password Management, Password Management
638 @subsection Changing Your Password
641 To change your Kerberos password, use the @code{kpasswd} command. It
642 will ask you for your old password (to prevent someone else from walking
643 up to your computer when you're not there and changing your password),
644 and then prompt you for the new one twice. (The reason you have to type
645 it twice is to make sure you have typed it correctly.) For example,
646 user @code{@value{RANDOMUSER2}} would do the following:
651 @b{Password for @value{RANDOMUSER2}:} @i{<- Type your old password.}
652 @b{Enter new password:} @i{<- Type your new password.}
653 @b{Enter it again:} @i{<- Type the new password again.}
654 @b{Password changed.}
660 If @value{RANDOMUSER2} typed the incorrect old password, he would get
661 the following message:
666 @b{Password for @value{RANDOMUSER2}:} @i{<- Type the incorrect old password.}
667 @b{kpasswd: Password incorrect while getting initial ticket
673 If you make a mistake and don't type the new password the same way
674 twice, @code{kpasswd} will ask you to try again:
679 @b{Password for @value{RANDOMUSER2}:} @i{<- Type the old password.}
680 @b{Enter new password:} @i{<- Type the new password.}
681 @b{Enter it again:} @i{<- Type a different new password.}
682 @b{kpasswd: Password mismatch while reading password
687 Once you change your password, it takes some time for the change to
688 propagate through the system. Depending on how your system is set up,
689 this might be anywhere from a few minutes to an hour or more. If you
690 need to get new Kerberos tickets shortly after changing your password,
691 try the new password. If the new password doesn't work, try again using
694 @node Password Advice, Granting Access to Your Account, Changing Your Password, Password Management
695 @subsection Password Advice
697 Your password can include almost any character you can type (except
698 control keys and the ``enter'' key). A good password is one you can
699 remember, but that no one else can easily guess. Examples of @i{bad}
700 passwords are words that can be found in a dictionary, any common or
701 popular name, especially a famous person (or cartoon character), your
702 name or username in any form (@i{e.g.}, forward, backward, repeated
703 twice, @i{etc.}), your spouse's, child's, or pet's name, your birth
704 date, your social security number, and any sample password that appears
705 in this (or any other) manual.
708 @value{COMPANY} recommends that your password be at least 6 characters
709 long, and contain UPPER- and lower-case letters, numbers, and/or
710 punctuation marks. Some passwords that would be good if they weren't
711 listed in this manual include:
714 @item some initials, like ``GykoR-66.'' for ``Get your kicks on Route
717 @item an easy-to-pronounce nonsense word, like ``slaRooBey'' or
720 @item a misspelled phrase, like ``2HotPeetzas!'' or ``ItzAGurl!!!''
723 @noindent Note: don't actually use any of the above passwords. They're
724 only meant to show you how to make up a good password. Passwords that
725 appear in a manual are the first ones intruders will try.
728 @value{PRODUCT} allows your system administrators to automatically
729 reject bad passwords, based on certain criteria, such as a password
730 dictionary or a minimum length. For example, if the user
731 @code{@value{RANDOMUSER1}}, who had a policy "strict" that required a
732 minimum of 8 characaters, chose a password that was less than 8
733 characters, Kerberos would give an error message like the following:
738 @b{Password for @value{RANDOMUSER1}:} @i{<- Type your old password here.}
740 @value{RANDOMUSER1}'s password is controlled by the policy strict, which
741 requires a minimum of 8 characters from at least 3 classes (the five classes
742 are lowercase, uppercase, numbers, punctuation, and all other characters).
744 @b{Enter new password:} @i{<- Type an insecure new password.}
745 @b{Enter it again:} @i{<- Type it again.}
747 kpasswd: Password is too short while attempting to change password.
748 Please choose another password.
750 @b{Enter new password:} @i{<- Type a good password here.}
751 @b{Enter it again:} @i{<- Type it again.}
757 @noindent Your system administrators can choose the message that is
758 displayed if you choose a bad password, so the message you see may be
759 different from the above example.
761 @node Granting Access to Your Account, , Password Advice, Password Management
762 @subsection Granting Access to Your Account
765 If you need to give someone access to log into your account, you can do
766 so through Kerberos, without telling the person your password. Simply
767 create a file called @code{.k5login} in your home directory. This file
768 should contain the Kerberos principal (@xref{What is a Kerberos
769 Principal?}.) of each person to whom you wish to give access. Each
770 principal must be on a separate line. Here is a sample @code{.k5login}
775 @value{RANDOMUSER1}@@@value{PRIMARYREALM}
776 @value{RANDOMUSER2}@@@value{SECONDREALM}
780 @noindent This file would allow the users @code{@value{RANDOMUSER1}} and
781 @code{@value{RANDOMUSER2}} to use your user ID, provided that they had
782 Kerberos tickets in their respective realms. If you will be logging
783 into other hosts across a network, you will want to include your own
784 Kerberos principal in your @code{.k5login} file on each of these hosts.
787 Using a @code{.k5login} file is much safer than giving out your
791 @item You can take access away any time simply by removing the principal
792 from your @code{.k5login} file.
794 @item Although the user has full access to your account on one
795 particular host (or set of hosts if your @code{.k5login} file is shared,
796 @i{e.g.}, over NFS), that user does not inherit your network privileges.
798 @item Kerberos keeps a log of who obtains tickets, so a system
799 administrator could find out, if necessary, who was capable of using
800 your user ID at a particular time.
803 One common application is to have a @code{.k5login} file in
804 @code{root}'s home directory, giving root access to that machine to the
805 Kerberos principals listed. This allows system administrators to allow
806 users to become root locally, or to log in remotely as @code{root},
807 without their having to give out the root password, and without anyone
808 having to type the root password over the network.
810 @node Kerberos V5 Applications, , Password Management, Kerberos V5 Tutorial
811 @section Kerberos V5 Applications
813 @value{PRODUCT} is a @dfn{single-sign-on} system. This means that you
814 only have to type your password once, and the @value{PRODUCT} programs
815 do the authenticating (and optionally encrypting) for you. The way this
816 works is that Kerberos has been built into each of a suite of network
817 programs. For example, when you use a @value{PRODUCT} program to
818 connect to a remote host, the program, the KDC, and the remote host
819 perform a set of rapid negotiations. When these negotiations are
820 completed, your program has proven your identity on your behalf to the
821 remote host, and the remote host has granted you access, all in the
822 space of a few seconds.
824 The @value{PRODUCT} applications are versions of existing UNIX network
825 programs with the Kerberos features added.
828 * Overview of Additional Features::
837 @node Overview of Additional Features, telnet, Kerberos V5 Applications, Kerberos V5 Applications
838 @subsection Overview of Additional Features
840 The @value{PRODUCT} @dfn{network programs} are those programs that
841 connect to another host somewhere on the internet. These programs
842 include @code{rlogin}, @code{telnet}, @code{ftp}, @code{rsh},
843 @code{rcp}, and @code{ksu}. These programs have all of the original
844 features of the corresponding non-Kerberos @code{rlogin}, @code{telnet},
845 @code{ftp}, @code{rsh}, @code{rcp}, and @code{su} programs, plus
846 additional features that transparently use your Kerberos tickets for
847 negotiating authentication and optional encryption with the remote host.
848 In most cases, all you'll notice is that you no longer have to type your
849 password, because Kerberos has already proven your identity.
851 The @value{PRODUCT} network programs allow you the options of forwarding
852 your tickets to the remote host (if you obtained forwardable tickets
853 with the @code{kinit} program; @pxref{Obtaining Tickets with kinit}), and
854 encrypting data transmitted between you and the remote host.
856 This section of the tutorial assumes you are familiar with the
857 non-Kerberos versions of these programs, and highlights the Kerberos
858 functions added in the @value{PRODUCT} package.
860 @node telnet, rlogin, Overview of Additional Features, Kerberos V5 Applications
863 The @value{PRODUCT} @code{telnet} command works exactly like the
864 standard UNIX telnet program, with the following Kerberos options added:
868 forwards a copy of your tickets to the remote host.
871 forwards a copy of your tickets to the remote host, and marks them
872 re-forwardable from the remote host.
875 requests tickets for the remote host in the specified realm, instead of
876 determining the realm itself.
879 uses your tickets to authenticate to the remote host, but does not log
883 attempt automatic login using your tickets. @code{telnet} will assume
884 the same username unless you explicitly specify another.
892 For example, if @code{@value{RANDOMUSER2}} wanted to use the standard
893 UNIX telnet to connect to the machine
894 @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, he would type:
898 @b{shell%} telnet @value{RANDOMHOST1}.@value{SECONDDOMAIN}
899 @b{Trying 128.0.0.5 ...
900 Connected to @value{RANDOMHOST1}.@value{SECONDDOMAIN}.
901 Escape character is '^]'.
903 NetBSD/i386 (daffodil) (ttyp3)
905 login:} @value{RANDOMUSER2}
906 @b{Password:} @i{<- @value{RANDOMUSER2} types his password here}
907 @b{Last login: Fri Jun 21 17:13:11 from @value{RANDOMHOST2}.@value{PRIMARYDOMAIN}
908 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
909 The Regents of the University of California. All rights reserved.
911 NetBSD 1.1: Tue May 21 00:31:42 EDT 1996
918 @noindent Note that the machine
919 @code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}} asked for
920 @code{@value{RANDOMUSER2}}'s password. When he typed it, his password
921 was sent over the network unencrypted. If an intruder were watching
922 network traffic at the time, that intruder would know
923 @code{@value{RANDOMUSER2}}'s password.
926 If, on the other hand, @code{@value{RANDOMUSER1}} wanted to use the
927 @value{PRODUCT} telnet to connect to the machine
928 @code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}}, she could forward a
929 copy of her tickets, request an encrypted session, and log on as herself
934 @b{shell%} telnet -a -f -x @value{RANDOMHOST2}.@value{PRIMARYDOMAIN}
935 @b{Trying 128.0.0.5...
936 Connected to @value{RANDOMHOST2}.@value{PRIMARYDOMAIN}.
937 Escape character is '^]'.
938 [ Kerberos V5 accepts you as ``@value{RANDOMUSER1}@@@value{PRIMARYDOMAIN}'' ]
939 [ Kerberos V5 accepted forwarded credentials ]
940 What you type is protected by encryption.
941 Last login: Tue Jul 30 18:47:44 from @value{RANDOMHOST1}.@value{SECONDDOMAIN}
942 Athena Server (sun4) Version 9.1.11 Tue Jul 30 14:40:08 EDT 2002
948 @noindent Note that @code{@value{RANDOMUSER1}}'s machine used Kerberos
949 to authenticate her to @code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}},
950 and logged her in automatically as herself. She had an encrypted
951 session, a copy of her tickets already waiting for her, and she never
954 If you forwarded your Kerberos tickets, @code{telnet} automatically
955 destroys them when it exits. The full set of options to @value{PRODUCT}
956 @code{telnet} are discussed in the Reference section of this manual.
957 (@pxref{telnet Reference})
960 @node rlogin, FTP, telnet, Kerberos V5 Applications
964 The @value{PRODUCT} @code{rlogin} command works exactly like the
965 standard UNIX rlogin program, with the following Kerberos options added:
969 forwards a copy of your tickets to the remote host.
972 forwards a copy of your tickets to the remote host, and marks them
973 re-forwardable from the remote host.
976 requests tickets for the remote host in the specified realm, instead of
977 determining the realm itself.
980 encrypts the input and output data streams (the username is sent unencrypted)
985 For example, if @code{@value{RANDOMUSER2}} wanted to use the standard
986 UNIX rlogin to connect to the machine
987 @code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}}, he would type:
991 @b{shell%} rlogin @value{RANDOMHOST1}.@value{SECONDDOMAIN} -l @value{RANDOMUSER2}
992 @b{Password:} @i{<- @value{RANDOMUSER2} types his password here}
993 @b{Last login: Fri Jun 21 10:36:32 from :0.0
994 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
995 The Regents of the University of California. All rights reserved.
997 NetBSD 1.1: Tue May 21 00:31:42 EDT 1996
1004 @noindent Note that the machine
1005 @code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}} asked for
1006 @code{@value{RANDOMUSER2}}'s password. When he typed it, his password
1007 was sent over the network unencrypted. If an intruder were watching
1008 network traffic at the time, that intruder would know
1009 @code{@value{RANDOMUSER2}}'s password.
1012 If, on the other hand, @code{@value{RANDOMUSER1}} wanted to use
1013 @value{PRODUCT} rlogin to connect to the machine
1014 @code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}}, she could forward a
1015 copy of her tickets, mark them as not forwardable from the remote host,
1016 and request an encrypted session as follows:
1020 @b{shell%} rlogin @value{RANDOMHOST2}.@value{PRIMARYDOMAIN} -f -x
1021 @b{This rlogin session is using DES encryption for all data transmissions.
1022 Last login: Thu Jun 20 16:20:50 from @value{RANDOMHOST1}
1023 Athena Server (sun4) Version 9.1.11 Tue Jul 30 14:40:08 EDT 2002
1028 @noindent Note that @code{@value{RANDOMUSER1}}'s machine used Kerberos
1029 to authenticate her to @code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}},
1030 and logged her in automatically as herself. She had an encrypted
1031 session, a copy of her tickets were waiting for her, and she never typed
1034 If you forwarded your Kerberos tickets, @code{rlogin} automatically
1035 destroys them when it exits. The full set of options to @value{PRODUCT}
1036 @code{rlogin} are discussed in the Reference section of this manual.
1037 (@pxref{rlogin Reference})
1039 @node FTP, rsh, rlogin, Kerberos V5 Applications
1043 The @value{PRODUCT} @code{FTP} program works exactly like the standard
1044 UNIX FTP program, with the following Kerberos features added:
1048 requests tickets for the remote host in the specified realm, instead of
1049 determining the realm itself.
1052 requests that your tickets be forwarded to the remote host. The
1053 @kbd{-f} argument must be the last argument on the command line.
1055 @itemx protect @i{level}
1056 (issued at the @code{ftp>} prompt) sets the protection level. ``Clear''
1057 is no protection; ``safe'' ensures data integrity by verifying the
1058 checksum, and ``private'' encrypts the data. Encryption also ensures
1063 For example, suppose @code{@value{RANDOMUSER1}} wants to get her
1064 @code{RMAIL} file from the directory @code{~@value{RANDOMUSER1}/Mail},
1065 on the host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}. She wants
1066 to encrypt the file transfer. The exchange would look like the
1071 @b{shell%} ftp @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}
1072 Connected to @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}.
1073 220 @value{RANDOMHOST1}.@value{PRIMARYDOMAIN} FTP server (Version 5.60) ready.
1074 334 Using authentication type GSSAPI; ADAT must follow
1075 GSSAPI accepted as authentication type
1076 GSSAPI authentication succeeded
1077 200 Data channel protection level set to private.
1078 Name (@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}:@value{RANDOMUSER1}):
1079 232 GSSAPI user @value{RANDOMUSER1}@@@value{PRIMARYREALM} is authorized as @value{RANDOMUSER1}
1080 230 User @value{RANDOMUSER1} logged in.
1081 Remote system type is UNIX.
1082 Using binary mode to transfer files.
1083 ftp> protect private
1084 200 Protection level set to Private.
1085 ftp> cd ~@value{RANDOMUSER1}/MAIL
1086 250 CWD command successful.
1088 227 Entering Passive Mode (128,0,0,5,16,49)
1089 150 Opening BINARY mode data connection for RMAIL (361662 bytes).
1090 226 Transfer complete.
1091 361662 bytes received in 2.5 seconds (1.4e+02 Kbytes/s)
1097 The full set of options to @value{PRODUCT} @code{FTP} are discussed
1098 in the Reference section of this manual. (@pxref{FTP Reference})
1100 @node rsh, rcp, FTP, Kerberos V5 Applications
1103 The @value{PRODUCT} @code{rsh} program works exactly like the standard
1104 UNIX rlogin program, with the following Kerberos features added:
1108 forwards a copy of your tickets to the remote host.
1111 forwards a copy of your tickets to the remote host, and marks them
1112 re-forwardable from the remote host.
1115 requests tickets for the remote host in the specified realm, instead of
1116 determining the realm itself.
1119 encrypts the input and output data streams (the command line is not encrypted)
1124 For example, if your Kerberos tickets allowed you to run programs on the
1125 host @* @code{@value{RANDOMHOST2}@@@value{SECONDDOMAIN}} as root, you could
1126 run the @samp{date} program as follows:
1130 @b{shell%} rsh @value{RANDOMHOST2}.@value{SECONDDOMAIN} -l root -x date
1131 @b{This rsh session is using DES encryption for all data transmissions.
1132 Tue Jul 30 19:34:21 EDT 2002
1137 If you forwarded your Kerberos tickets, @code{rsh} automatically
1138 destroys them when it exits. The full set of options to @value{PRODUCT}
1139 @code{rsh} are discussed in the Reference section of this manual.
1140 (@pxref{rsh Reference})
1142 @node rcp, ksu, rsh, Kerberos V5 Applications
1146 The @value{PRODUCT} @code{rcp} program works exactly like the standard
1147 UNIX rcp program, with the following Kerberos features added:
1151 requests tickets for the remote host in the specified realm, instead of
1152 determining the realm itself.
1155 turns on encryption.
1160 For example, if you wanted to copy the file @code{/etc/motd} from the
1161 host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} into the current
1162 directory, via an encrypted connection, you would simply type:
1165 @b{shell%} rcp -x @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}:/etc/motd .
1168 The @kbd{rcp} program negotiates authentication and encryption
1169 transparently. The full set of options to @value{PRODUCT} @code{rcp}
1170 are discussed in the Reference section of this manual. (@pxref{rcp
1173 @node ksu, , rcp, Kerberos V5 Applications
1176 The @value{PRODUCT} @code{ksu} program replaces the standard UNIX su
1177 program. @code{ksu} first authenticates you to Kerberos. Depending on
1178 the configuration of your system, @code{ksu} may ask for your Kerberos
1179 password if authentication fails. @emph{Note that you should never type
1180 your password if you are remotely logged in using an unencrypted
1183 Once @code{ksu} has authenticated you, if your Kerberos principal
1184 appears in the target's @code{.k5login} file (@pxref{Granting Access to
1185 Your Account}) or in the target's @code{.k5users} file (see below), it
1186 switches your user ID to the target user ID.
1189 For example, @code{@value{RANDOMUSER2}} has put
1190 @code{@value{RANDOMUSER1}}'s Kerberos principal in his @code{.k5login}
1191 file. If @code{@value{RANDOMUSER1}} uses @code{ksu} to become
1192 @code{@value{RANDOMUSER2}}, the exchange would look like this. (To
1193 differentiate between the two shells, @code{@value{RANDOMUSER1}}'s
1194 prompt is represented as @code{@value{RANDOMUSER1}%} and
1195 @code{@value{RANDOMUSER2}}'s prompt is represented as
1196 @code{@value{RANDOMUSER2}%}.)
1200 @b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2}
1201 @b{Account @value{RANDOMUSER2}: authorization for @value{RANDOMUSER1}@@@value{PRIMARYREALM} successful
1202 Changing uid to @value{RANDOMUSER2} (3382)
1203 @value{RANDOMUSER2}%}
1208 Note that the new shell has a copy of @code{@value{RANDOMUSER1}}'s
1209 tickets. The ticket filename contains @code{@value{RANDOMUSER2}}'s UID
1210 with @samp{.1} appended to it:
1214 @b{@value{RANDOMUSER2}%} klist
1215 @b{Ticket cache: /tmp/krb5cc_3382.1
1216 Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
1218 Valid starting Expires Service principal
1219 07/31/04 21:53:01 08/01/04 07:52:53 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
1220 07/31/04 21:53:39 08/01/04 07:52:53 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
1221 @value{RANDOMUSER2}%}
1226 If @code{@value{RANDOMUSER1}} had not appeared in
1227 @code{@value{RANDOMUSER2}}'s @code{.k5login} file (and the system was
1228 configured to ask for a password), the exchange would have looked like
1229 this (assuming @code{@value{RANDOMUSER2}} has taken appropriate
1230 precautions in protecting his password):
1234 @b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2}
1235 @b{WARNING: Your password may be exposed if you enter it here and are logged
1236 in remotely using an unsecure (non-encrypted) channel.
1237 Kerberos password for @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{<- @code{@value{RANDOMUSER1}} types the wrong password here.}
1238 @b{ksu: Password incorrect
1239 Authentication failed.
1240 @value{RANDOMUSER1}%}
1244 Now, suppose @code{@value{RANDOMUSER2}} did not want to give
1245 @code{@value{RANDOMUSER1}} full access to his account, but wanted to
1246 give her permission to list his files and use the "more" command to view
1247 them. He could create a @code{.k5users} file giving her permission to
1248 run only those specific commands.
1251 The @code{.k5users} file is like the @code{.k5login} file, except that
1252 each principal is optionally followed by a list of commands. @code{ksu}
1253 will let those principals execute only the commands listed, using the
1254 @kbd{-e} option. @code{@value{RANDOMUSER2}}'s @code{.k5users} file
1255 might look like the following:
1259 @value{RANDOMUSER1}@@@value{PRIMARYREALM} /bin/ls /usr/bin/more
1260 @value{ADMINUSER}@@@value{PRIMARYREALM} /bin/ls
1261 @value{ADMINUSER}/admin@@@value{PRIMARYREALM} *
1262 @value{RANDOMUSER2}@@@value{SECONDREALM}
1266 @noindent The above @code{.k5users} file would let
1267 @code{@value{RANDOMUSER1}} run only the commands @code{/bin/ls} and
1268 @code{/usr/bin/more}. It would let @code{@value{ADMINUSER}} run only
1269 the command @code{/bin/ls} if he had regular tickets, but if he had
1270 tickets for his @code{admin} instance,
1271 @code{@value{ADMINUSER}/admin@@@value{PRIMARYREALM}}, he would be able
1272 to execute any command. The last line gives @code{@value{RANDOMUSER2}}
1273 in the realm @value{SECONDREALM} permission to execute any command.
1274 (@i{I.e.}, having only a Kerberos principal on a line is equivalent to
1275 giving that principal permission to execute @code{*}.) This is so that
1276 @value{RANDOMUSER2} can allow himself to execute commands when he logs
1277 in, using Kerberos, from a machine in the realm @value{SECONDREALM}.
1280 Then, when @code{@value{RANDOMUSER1}} wanted to list his home directory,
1285 @b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2} -e ls ~@value{RANDOMUSER2}
1286 @b{Authenticated @value{RANDOMUSER1}@@@value{PRIMARYREALM}
1287 Account @value{RANDOMUSER2}: authorization for @value{RANDOMUSER1}@@@value{PRIMARYREALM} for execution of
1289 Changing uid to @value{RANDOMUSER2} (3382)
1290 Mail News Personal misc bin
1291 @value{RANDOMUSER1}%}
1295 @noindent If @code{@value{RANDOMUSER1}} had tried to give a different
1296 command to @code{ksu}, it would have prompted for a password as with the
1299 Note that unless the @code{.k5users} file gives the target permission to
1300 run any command, the user must use @code{ksu} with the @kbd{-e}
1304 The @code{ksu} options you are most likely to use are:
1307 @itemx -n @i{principal}
1308 specifies which Kerberos principal you want to use for @code{ksu}.
1309 (@i{e.g.}, the user @code{@value{ADMINUSER}} might want to use his
1310 @code{admin} instance. @xref{What is a Ticket?}.)
1313 specifies the location of your Kerberos credentials cache (ticket file).
1316 tells @code{ksu} not to destroy your Kerberos tickets when @code{ksu} is
1320 requests forwardable tickets. (@xref{Obtaining Tickets with kinit}.) This
1321 is only applicable if @code{ksu} needs to obtain tickets.
1323 @itemx -l @i{lifetime}
1324 sets the ticket lifetime. (@xref{Obtaining Tickets with kinit}.) This is
1325 only applicable if @code{ksu} needs to obtain tickets.
1328 tells @code{ksu} to copy your Kerberos tickets only if the UID you are
1329 switching is the same as the Kerberos primary (either yours or the one
1330 specified by the @kbd{-n} option).
1333 tells @code{ksu} not to copy any Kerberos tickets to the new UID.
1335 @itemx -e @i{command}
1336 tells @code{ksu} to execute @i{command} and then exit. See the
1337 description of the @code{.k5users} file above.
1340 (at the end of the command line) tells @code{ksu} to pass everything
1341 after @samp{-a} to the target shell.
1344 The full set of options to @value{PRODUCT} @code{ksu} are discussed
1345 in the Reference section of this manual. (@pxref{ksu Reference})
1347 @node Kerberos V5 Reference, Kerberos Glossary, Kerberos V5 Tutorial, Top
1348 @chapter Kerberos V5 Reference
1350 This section will include copies of the manual pages for the
1351 @value{PRODUCT} client programs. You can read the manual entry for any
1352 command by typing @code{man} @i{command}, where @i{command} is the name
1353 of the command for which you want to read the manual entry. For
1354 example, to read the @code{kinit} manual entry, you would type:
1357 @b{shell%} man kinit
1360 Note: To be able to view the @value{PRODUCT} manual pages on line, you
1361 may need to add the directory @code{@value{ROOTDIR}/man} to your MANPATH
1362 environment variable. (Remember to replace @code{@value{ROOTDIR}} with
1363 the top-level directory in which @value{PRODUCT} is installed.) For
1364 example, if you had the the following line in your @code{.login}
1365 file@footnote{The MANPATH variable may be specified in a different
1366 initialization file, depending on your operating system. Some of the
1367 files in which you might specify environment variables include
1368 @code{.login}, @code{.profile}, or @code{.cshrc}.}:
1371 setenv MANPATH /usr/local/man:/usr/man
1375 and the @value{PRODUCT} man pages were in the directory
1376 @code{/usr/@value{LCPRODUCT}/man}, you would change the line to the following:
1379 setenv MANPATH /usr/@value{LCPRODUCT}/man:/usr/local/man:/usr/man
1383 Note to info users: the manual pages are not available within this info
1384 tree. You can read them from emacs with the command:
1387 M-x manual-entry @emph{command}
1397 * kdestroy Reference::
1398 * kpasswd Reference::
1399 * telnet Reference::
1401 * rlogin Reference::
1406 @node kinit Reference, klist Reference, Kerberos V5 Reference, Kerberos V5 Reference
1407 @section kinit Reference
1410 @special{psfile=kinit1.ps voffset=-700 hoffset=-40}
1411 @centerline{Reference Manual for @code{kinit}}
1414 @special{psfile=kinit2.ps voffset=-700 hoffset=-40}
1415 @centerline{Reference Manual for @code{kinit}}
1420 Type @kbd{M-x manual-entry kinit} to read this manual page.
1425 <a href="kinit.html"> kinit manpage</a>
1429 @node klist Reference, ksu Reference, kinit Reference, Kerberos V5 Reference
1430 @section klist Reference
1433 @special{psfile=klist1.ps voffset=-700 hoffset=-40}
1434 @centerline{Reference Manual for @code{klist}}
1439 @special{psfile=klist2.ps voffset=-700 hoffset=-40}
1440 @centerline{Reference Manual for @code{klist}}
1445 Type @kbd{M-x manual-entry klist} to read this manual page.
1450 <a href="klist.html"> klist manpage</a>
1454 @node ksu Reference, kdestroy Reference, klist Reference, Kerberos V5 Reference
1455 @section ksu Reference
1458 @special{psfile=ksu1.ps voffset=-700 hoffset=-40}
1459 @centerline{Reference Manual for @code{ksu}}
1462 @special{psfile=ksu2.ps voffset=-700 hoffset=-40}
1463 @centerline{Reference Manual for @code{ksu}}
1466 @special{psfile=ksu3.ps voffset=-700 hoffset=-40}
1467 @centerline{Reference Manual for @code{ksu}}
1470 @special{psfile=ksu4.ps voffset=-700 hoffset=-40}
1471 @centerline{Reference Manual for @code{ksu}}
1474 @special{psfile=ksu5.ps voffset=-700 hoffset=-40}
1475 @centerline{Reference Manual for @code{ksu}}
1480 Type @kbd{M-x manual-entry ksu} to read this manual page.
1485 <a href="ksu.html"> ksu manpage</a>
1489 @node kdestroy Reference, kpasswd Reference, ksu Reference, Kerberos V5 Reference
1490 @section kdestroy Reference
1493 @special{psfile=kdestroy1.ps voffset=-700 hoffset=-60}
1494 @centerline{Reference Manual for @code{kdestroy}}
1499 Type @kbd{M-x manual-entry kdestroy} to read this manual page.
1504 <a href="kdestroy.html"> kdestroy manpage</a>
1508 @node kpasswd Reference, telnet Reference, kdestroy Reference, Kerberos V5 Reference
1509 @section kpasswd Reference
1512 @special{psfile=kpasswd1.ps voffset=-700 hoffset=-40}
1513 @centerline{Reference Manual for @code{kpasswd}}
1518 Type @kbd{M-x manual-entry kpasswd} to read this manual page.
1523 <a href="kpasswd.html"> kpasswd manpage</a>
1527 @node telnet Reference, FTP Reference, kpasswd Reference, Kerberos V5 Reference
1528 @section telnet Reference
1531 @special{psfile=telnet1.ps voffset=-700 hoffset=-40}
1532 @centerline{Reference Manual for @code{telnet}}
1535 @special{psfile=telnet2.ps voffset=-700 hoffset=-40}
1536 @centerline{Reference Manual for @code{telnet}}
1539 @special{psfile=telnet3.ps voffset=-700 hoffset=-40}
1540 @centerline{Reference Manual for @code{telnet}}
1543 @special{psfile=telnet4.ps voffset=-700 hoffset=-40}
1544 @centerline{Reference Manual for @code{telnet}}
1547 @special{psfile=telnet5.ps voffset=-700 hoffset=-40}
1548 @centerline{Reference Manual for @code{telnet}}
1551 @special{psfile=telnet6.ps voffset=-700 hoffset=-40}
1552 @centerline{Reference Manual for @code{telnet}}
1555 @special{psfile=telnet7.ps voffset=-700 hoffset=-40}
1556 @centerline{Reference Manual for @code{telnet}}
1559 @special{psfile=telnet8.ps voffset=-700 hoffset=-40}
1560 @centerline{Reference Manual for @code{telnet}}
1563 @special{psfile=telnet9.ps voffset=-700 hoffset=-40}
1564 @centerline{Reference Manual for @code{telnet}}
1569 Type @kbd{M-x manual-entry telnet} to read this manual page.
1574 <a href="telnet.html"> telnet manpage</a>
1578 @node FTP Reference, rlogin Reference, telnet Reference, Kerberos V5 Reference
1579 @section FTP Reference
1582 @special{psfile=ftp1.ps voffset=-700 hoffset=-40}
1583 @centerline{Reference Manual for @code{FTP}}
1586 @special{psfile=ftp2.ps voffset=-700 hoffset=-40}
1587 @centerline{Reference Manual for @code{FTP}}
1590 @special{psfile=ftp3.ps voffset=-700 hoffset=-40}
1591 @centerline{Reference Manual for @code{FTP}}
1594 @special{psfile=ftp4.ps voffset=-700 hoffset=-40}
1595 @centerline{Reference Manual for @code{FTP}}
1598 @special{psfile=ftp5.ps voffset=-700 hoffset=-40}
1599 @centerline{Reference Manual for @code{FTP}}
1602 @special{psfile=ftp6.ps voffset=-700 hoffset=-40}
1603 @centerline{Reference Manual for @code{FTP}}
1606 @special{psfile=ftp7.ps voffset=-700 hoffset=-40}
1607 @centerline{Reference Manual for @code{FTP}}
1610 @special{psfile=ftp8.ps voffset=-700 hoffset=-40}
1611 @centerline{Reference Manual for @code{FTP}}
1614 @special{psfile=ftp9.ps voffset=-700 hoffset=-40}
1615 @centerline{Reference Manual for @code{FTP}}
1620 Type @kbd{M-x manual-entry FTP} to read this manual page.
1625 <a href="ftp.html"> ftp manpage</a>
1629 @node rlogin Reference, rsh Reference, FTP Reference, Kerberos V5 Reference
1630 @section rlogin Reference
1633 @special{psfile=rlogin1.ps voffset=-700 hoffset=-40}
1634 @centerline{Reference Manual for @code{rlogin}}
1637 @special{psfile=rlogin2.ps voffset=-700 hoffset=-40}
1638 @centerline{Reference Manual for @code{rlogin}}
1643 Type @kbd{M-x manual-entry rlogin} to read this manual page.
1648 <a href="rlogin.html"> rlogin manpage</a>
1652 @node rsh Reference, rcp Reference, rlogin Reference, Kerberos V5 Reference
1653 @section rsh Reference
1656 @special{psfile=rsh1.ps voffset=-700 hoffset=-40}
1657 @centerline{Reference Manual for @code{rsh}}
1660 @special{psfile=rsh2.ps voffset=-700 hoffset=-40}
1661 @centerline{Reference Manual for @code{rsh}}
1666 Type @kbd{M-x manual-entry rsh} to read this manual page.
1671 <a href="rsh.html"> rsh manpage</a>
1675 @node rcp Reference, , rsh Reference, Kerberos V5 Reference
1676 @section rcp Reference
1679 @special{psfile=rcp1.ps voffset=-700 hoffset=-40}
1680 @centerline{Reference Manual for @code{rcp}}
1685 @special{psfile=rcp2.ps voffset=-700 hoffset=-40}
1686 @centerline{Reference Manual for @code{rcp}}
1691 Type @kbd{M-x manual-entry rcp} to read this manual page.
1696 <a href="rcp.html"> rcp manpage</a>
1700 @node Kerberos Glossary, Copyright, Kerberos V5 Reference, Top
1701 @appendix Kerberos Glossary
1703 @include glossary.texinfo
1705 @node Copyright, , Kerberos Glossary, Top
1708 @include copyright.texinfo