windows\cns\Makefile windows\gina\Makefile \
windows\ms2mit\Makefile \
windows\wintel\Makefile windows\kfwlogon\Makefile \
- windows\leashdll\Makefile windows\leash\Makefile
+ windows\leashdll\Makefile windows\leash\Makefile \
+ windows\leash\htmlhelp\Makefile
##DOS##Makefile-windows:: $(MKFDEP) $(WINMAKEFILES)
##DOS## $(WCONFIG) config < $@.in > $@
##DOS##windows\leash\Makefile: windows\leash\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
+##DOS##windows\leash\htmlhelp\Makefile: windows\leash\htmlhelp\Makefile.in $(MKFDEP)
+##DOS## $(WCONFIG) config < $@.in > $@
clean-windows:: Makefile-windows
copy include\gssapi\gssapi_ext.h "$(KRB_INSTALL_DIR)\include\gssapi\."
copy lib\$(OUTPRE)*.lib "$(KRB_INSTALL_DIR)\lib\."
copy lib\$(OUTPRE)*.dll "$(KRB_INSTALL_DIR)\bin\."
+ copy lib\$(OUTPRE)*.pdb "$(KRB_INSTALL_DIR)\bin\."
copy windows\cns\$(OUTPRE)krb5.exe "$(KRB_INSTALL_DIR)\bin\."
+ copy windows\cns\$(OUTPRE)krb5.pdb "$(KRB_INSTALL_DIR)\bin\."
copy appl\gss-sample\$(OUTPRE)gss-server.exe "$(KRB_INSTALL_DIR)\bin\."
+ copy appl\gss-sample\$(OUTPRE)gss-server.pdb "$(KRB_INSTALL_DIR)\bin\."
copy appl\gss-sample\$(OUTPRE)gss-client.exe "$(KRB_INSTALL_DIR)\bin\."
+ copy appl\gss-sample\$(OUTPRE)gss-client.pdb "$(KRB_INSTALL_DIR)\bin\."
copy windows\ms2mit\$(OUTPRE)*.exe "$(KRB_INSTALL_DIR)\bin\."
+ copy windows\ms2mit\$(OUTPRE)*.pdb "$(KRB_INSTALL_DIR)\bin\."
copy windows\leashdll\$(OUTPRE)*.lib "$(KRB_INSTALL_DIR)\lib\."
copy windows\leashdll\$(OUTPRE)*.dll "$(KRB_INSTALL_DIR)\bin\."
+ copy windows\leashdll\$(OUTPRE)*.pdb "$(KRB_INSTALL_DIR)\bin\."
+ copy windows\leash\$(OUTPRE)*.exe "$(KRB_INSTALL_DIR)\bin\."
+ copy windows\leash\$(OUTPRE)*.pdb "$(KRB_INSTALL_DIR)\bin\."
copy windows\kfwlogon\$(OUTPRE)*.lib "$(KRB_INSTALL_DIR)\lib\."
copy windows\kfwlogon\$(OUTPRE)*.exe "$(KRB_INSTALL_DIR)\bin\."
copy windows\kfwlogon\$(OUTPRE)*.dll "$(KRB_INSTALL_DIR)\bin\."
+ copy windows\kfwlogon\$(OUTPRE)*.pdb "$(KRB_INSTALL_DIR)\bin\."
copy util\windows\$(OUTPRE)*.lib $(KRB_INSTALL_DIR)\lib\."
copy util\wshelper\$(OUTPRE)$(DLIB).lib "$(KRB_INSTALL_DIR)\lib\."
copy util\wshelper\$(OUTPRE)$(DLIB).dll "$(KRB_INSTALL_DIR)\bin\."
+ copy util\wshelper\$(OUTPRE)$(DLIB).pdb "$(KRB_INSTALL_DIR)\bin\."
copy ccapi\lib\win\srctmp\$(OUTPRE)$(CCLIB).dll "$(KRB_INSTALL_DIR)\bin\."
+ copy ccapi\lib\win\srctmp\$(OUTPRE)$(CCLIB).pdb "$(KRB_INSTALL_DIR)\bin\."
copy ccapi\lib\win\srctmp\$(CCLIB).lib "$(KRB_INSTALL_DIR)\lib\."
copy ccapi\server\win\srctmp\$(OUTPRE)ccapiserver.exe "$(KRB_INSTALL_DIR)\bin\."
copy clients\kvno\$(OUTPRE)kvno.exe "$(KRB_INSTALL_DIR)\bin\."
copy clients\kdeltkt\$(OUTPRE)kdeltkt.exe "$(KRB_INSTALL_DIR)\bin\."
copy clients\kpasswd\$(OUTPRE)kpasswd.exe "$(KRB_INSTALL_DIR)\bin\."
copy clients\kswitch\$(OUTPRE)kswitch.exe "$(KRB_INSTALL_DIR)\bin\."
+ copy ccapi\server\win\srctmp\$(OUTPRE)ccapiserver.pdb "$(KRB_INSTALL_DIR)\bin\."
+ copy clients\kvno\$(OUTPRE)kvno.pdb "$(KRB_INSTALL_DIR)\bin\."
+ copy clients\klist\$(OUTPRE)klist.pdb "$(KRB_INSTALL_DIR)\bin\."
+ copy clients\kinit\$(OUTPRE)kinit.pdb "$(KRB_INSTALL_DIR)\bin\."
+ copy clients\kdestroy\$(OUTPRE)kdestroy.pdb "$(KRB_INSTALL_DIR)\bin\."
+ copy clients\kcpytkt\$(OUTPRE)kcpytkt.pdb "$(KRB_INSTALL_DIR)\bin\."
+ copy clients\kdeltkt\$(OUTPRE)kdeltkt.pdb "$(KRB_INSTALL_DIR)\bin\."
+ copy clients\kpasswd\$(OUTPRE)kpasswd.pdb "$(KRB_INSTALL_DIR)\bin\."
+ copy clients\kswitch\$(OUTPRE)kswitch.pdb "$(KRB_INSTALL_DIR)\bin\."
+ copy windows\leash\htmlhelp\*.chm "$(KRB_INSTALL_DIR)\bin\."
install-unix::
$(INSTALL_SCRIPT) krb5-config \
~CcOsLock() {DeleteCriticalSection(&cs); valid = false;}
void lock() {if (valid) EnterCriticalSection(&cs);}
void unlock() {if (valid) LeaveCriticalSection(&cs);}
-#if 0
bool trylock() {return valid ? (TryEnterCriticalSection(&cs) ? true : false)
: false; }
-#endif
};
class CcAutoLock {
~CcAutoLock() { m_lock.unlock(); }
};
+class CcAutoTryLock {
+ CcOsLock& m_lock;
+ bool m_locked;
+public:
+ CcAutoTryLock(CcOsLock& lock):m_lock(lock) { m_locked = m_lock.trylock(); }
+ ~CcAutoTryLock() { if (m_locked) m_lock.unlock(); m_locked = false; }
+ bool IsLocked() const { return m_locked; }
+};
+
#endif /* __AUTOLOCK_HXX */
CCMSG_REQUEST_REPLY,
CCMSG_DISCONNECT,
CCMSG_LISTEN,
- CCMSG_PING
+ CCMSG_PING,
+ CCMSG_QUIT
};
char* clientEndpoint(const char* UUID);
#pragma mark -
#endif
-MAKE_INIT_FUNCTION(cci_thread_init);
-MAKE_FINI_FUNCTION(cci_thread_fini);
+MAKE_INIT_FUNCTION(cci_process_init);
+MAKE_FINI_FUNCTION(cci_process_fini);
/* ------------------------------------------------------------------------ */
-static int cci_thread_init (void)
+static int cci_process_init (void)
{
cc_int32 err = ccNoError;
}
if (!err) {
- err = cci_ipc_thread_init ();
+ err = cci_ipc_process_init ();
}
if (!err) {
/* ------------------------------------------------------------------------ */
-static void cci_thread_fini (void)
+static void cci_process_fini (void)
{
- if (!INITIALIZER_RAN (cci_thread_init) || PROGRAM_EXITING ()) {
+ if (!INITIALIZER_RAN (cci_process_init) || PROGRAM_EXITING ()) {
return;
}
if (!out_context) { err = cci_check_error (ccErrBadParam); }
if (!err) {
- err = CALL_INIT_FUNCTION (cci_thread_init);
+ err = CALL_INIT_FUNCTION (cci_process_init);
}
if (!err) {
/* ------------------------------------------------------------------------ */
+cc_int32 cci_ipc_process_init (void)
+{
+ return cci_os_ipc_process_init ();
+}
+
+/* ------------------------------------------------------------------------ */
+
cc_int32 cci_ipc_thread_init (void)
{
return cci_os_ipc_thread_init ();
#include "cci_common.h"
+cc_int32 cci_ipc_process_init (void);
+
cc_int32 cci_ipc_thread_init (void);
cc_int32 cci_ipc_send (enum cci_msg_id_t in_request_name,
#include "cci_common.h"
+cc_int32 cci_os_ipc_process_init (void);
+
cc_int32 cci_os_ipc_thread_init (void);
cc_int32 cci_os_ipc (cc_int32 in_launch_server,
psa, // SA
FALSE,
CREATE_NEW_PROCESS_GROUP |
- CREATE_NEW_CONSOLE |
NORMAL_PRIORITY_CLASS |
- // CREATE_NO_WINDOW |
- // DETACHED_PROCESS | /* KPK TODO: was set - restore */
- 0
- ,
+#ifdef CCAPI_LAUNCH_SERVER_WITH_CONSOLE
+ CREATE_NEW_CONSOLE |
+#else
+ DETACHED_PROCESS |
+#endif
+ 0,
NULL, // environment
szDir, // current dir
&si,
}
+static
+DWORD
+make_random_challenge(DWORD *challenge_out) {
+ HCRYPTPROV provider;
+ DWORD status = 0;
+ *challenge_out = 0;
+ if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
+ CRYPT_VERIFYCONTEXT)) {
+ status = GetLastError();
+ cci_check_error(status);
+ return status;
+ }
+ if (!CryptGenRandom(provider, sizeof(*challenge_out),
+ (BYTE *)challenge_out)) {
+ status = GetLastError();
+ cci_check_error(status);
+ return status;
+ }
+ if (!CryptReleaseContext(provider, 0)) {
+ /*
+ * Note: even though CryptReleaseContext() failed, we don't really
+ * care since a) we've already successfully obtained our challenge
+ * anyway and b) at least one of the potential errors, "ERROR_BUSY"
+ * does not really seem to be an error at all. So GetLastError() is
+ * logged for informational purposes only and should not be returned.
+ */
+ cci_check_error(GetLastError());
+ }
+ return status;
+}
+
static
DWORD
authenticate_server(Init::InitInfo& info) {
- DWORD challenge = 17; // XXX - maybe use random number
- DWORD desired_response= challenge + 1;
+ DWORD challenge, desired_response;
HANDLE hMap = 0;
LPSTR mem_name = 0;
PDWORD pvalue = 0;
status = alloc_name(&mem_name, "auth", isNT());
cci_check_error(status);
+ if (!status) {
+ status = make_random_challenge(&challenge);
+ desired_response = challenge + 1;
+ cci_check_error(status);
+ }
+
if (!status) {
if (isNT()) {
sa.nLength = sizeof(sa);
}
DWORD Client::Initialize(char* ep OPTIONAL) {
- CcAutoLock AL(Client::sLock);
+ CcAutoTryLock AL(Client::sLock);
+ if (!AL.IsLocked() || s_init)
+ return 0;
SecureClient s;
ccs_request_IfHandle = NULL;
- if (s_init) return 0;
DWORD status = Client::Connect(ep);
if (!status) s_init = true;
return status;
*/
cc_int32 ccapi_connect(const struct tspdata* tsp);
-static DWORD handle_exception(DWORD code);
+static DWORD handle_exception(DWORD code, struct tspdata* ptspdata);
extern "C" {
cc_int32 cci_os_ipc_msg( cc_int32 in_launch_server,
/* ------------------------------------------------------------------------ */
+extern "C" cc_int32 cci_os_ipc_process_init (void) {
+ RPC_STATUS status;
+
+ opts.cMinCalls = 1;
+ opts.cMaxCalls = 20;
+ if (!isNT()) {
+ status = RpcServerRegisterIf(ccs_reply_ServerIfHandle, // interface
+ NULL, // MgrTypeUuid
+ NULL); // MgrEpv; null means use default
+ }
+ else {
+ status = RpcServerRegisterIfEx(ccs_reply_ServerIfHandle, // interface
+ NULL, // MgrTypeUuid
+ NULL, // MgrEpv; 0 means default
+ RPC_IF_ALLOW_SECURE_ONLY,
+ opts.cMaxCalls,
+ NULL); // No security callback.
+ }
+ cci_check_error(status);
+
+ if (!status) {
+ status = RpcServerRegisterAuthInfo(0, // server principal
+ RPC_C_AUTHN_WINNT,
+ 0,
+ 0 );
+ cci_check_error(status);
+ }
+
+ return status; // ugh. needs translation
+}
+
+/* ------------------------------------------------------------------------ */
+
extern "C" cc_int32 cci_os_ipc_thread_init (void) {
cc_int32 err = ccNoError;
struct tspdata* ptspdata;
- HANDLE replyEvent;
+ HANDLE replyEvent = NULL;
UUID __RPC_FAR uuid;
- unsigned char __RPC_FAR* uuidString = NULL;
+ RPC_CSTR __RPC_FAR uuidString = NULL;
+ char* endpoint = NULL;
if (!GetTspData(GetTlsIndex(), &ptspdata)) return ccErrNoMem;
err = cci_check_error(UuidCreate(&uuid)); // Get a UUID
if (err == RPC_S_OK) { // Convert to string
err = UuidToString(&uuid, &uuidString);
+ cci_check_error(err);
}
if (!err) { // Save in thread local storage
tspdata_setUUID(ptspdata, uuidString);
+ endpoint = clientEndpoint((const char *)uuidString);
+ err = RpcServerUseProtseqEp((RPC_CSTR)"ncalrpc",
+ opts.cMaxCalls,
+ (RPC_CSTR)endpoint,
+ sa.lpSecurityDescriptor); // SD
+ cci_check_error(err);
}
+
#if 0
cci_debug_printf("%s UUID:<%s>", __FUNCTION__, tspdata_getUUID(ptspdata));
#endif
replyEvent = createThreadEvent((char*)uuidString, REPLY_SUFFIX);
}
+ if (!err) {
+ static bool bListening = false;
+ if (!bListening) {
+ err = RpcServerListen(opts.cMinCalls,
+ opts.cMaxCalls,
+ TRUE);
+ cci_check_error(err);
+ }
+ bListening = err == 0;
+ }
+
if (replyEvent) tspdata_setReplyEvent(ptspdata, replyEvent);
else err = cci_check_error(GetLastError());
sst = tspdata_getSST (ptspdata);
uuid = tspdata_getUUID(ptspdata);
+ // Initialize old CCAPI if necessary:
+ if (!err) if (!Init:: Initialized()) err = cci_check_error(Init:: Initialize( ));
+ if (!err) if (!Client::Initialized()) err = cci_check_error(Client::Initialize(0));
+
// The lazy connection to the server has been put off as long as possible!
// ccapi_connect starts listening for replies as an RPC server and then
// calls ccs_rpc_connect.
CcAutoLock* a = 0;
CcAutoLock::Start(a, Client::sLock);
- // Initialize old CCAPI if necessary:
- if (!err) if (!Init:: Initialized()) err = cci_check_error(Init:: Initialize( ));
- if (!err) if (!Client::Initialized()) err = cci_check_error(Client::Initialize(0));
-
// New code using new RPC procedures for sending the data and receiving a reply:
if (!err) {
RpcTryExcept {
(long*)(&err) ); /* Return code */
}
RpcExcept(1) {
- handle_exception(RpcExceptionCode());
+ err = handle_exception(RpcExceptionCode(), ptspdata);
}
RpcEndExcept;
}
-static DWORD handle_exception(DWORD code) {
+static DWORD handle_exception(DWORD code, struct tspdata* ptspdata) {
cci_debug_printf("%s code %u; ccs_request_IfHandle:0x%X", __FUNCTION__, code, ccs_request_IfHandle);
if ( (code == RPC_S_SERVER_UNAVAILABLE) || (code == RPC_S_INVALID_BINDING) ) {
- Client::Reconnect(0);
+ Client::Cleanup();
+ tspdata_setConnected(ptspdata, FALSE);
}
- return 4;
+ return code;
}
*/
cc_int32 ccapi_connect(const struct tspdata* tsp) {
BOOL bListen = TRUE;
- char* endpoint = NULL;
HANDLE replyEvent = 0;
RPC_STATUS status = FALSE;
char* uuid = NULL;
/* Build complete RPC uuid using previous CCAPI implementation: */
replyEvent = tspdata_getReplyEvent(tsp);
uuid = tspdata_getUUID(tsp);
- endpoint = clientEndpoint(uuid);
- cci_debug_printf("%s Registering endpoint %s", __FUNCTION__, endpoint);
opts.cMinCalls = 1;
opts.cMaxCalls = 20;
opts.fDontWait = TRUE;
- if (!status) {
- status = RpcServerUseProtseqEp((RPC_CSTR)"ncalrpc",
- opts.cMaxCalls,
- (RPC_CSTR)endpoint,
- sa.lpSecurityDescriptor); // SD
- cci_check_error(status);
- }
-
- if (!status) {
- status = RpcServerRegisterAuthInfo(0, // server principal
- RPC_C_AUTHN_WINNT,
- 0,
- 0 );
- cci_check_error(status);
- }
-
cci_debug_printf("%s is listening ...", __FUNCTION__);
- if (!status) {
- if (!isNT()) {
- status = RpcServerRegisterIf(ccs_reply_ServerIfHandle, // interface
- NULL, // MgrTypeUuid
- NULL); // MgrEpv; null means use default
- }
- else {
- status = RpcServerRegisterIfEx(ccs_reply_ServerIfHandle,// interface
- NULL, // MgrTypeUuid
- NULL, // MgrEpv; 0 means default
- RPC_IF_ALLOW_SECURE_ONLY,
- opts.cMaxCalls,
- NULL); // No security callback.
- }
-
- cci_check_error(status);
-
- if (!status) {
- status = RpcServerListen(opts.cMinCalls,
- opts.cMaxCalls,
- TRUE);
- cci_check_error(status);
- }
- }
-
// Clear replyEvent so we can detect when a reply to our connect request has been received:
ResetEvent(replyEvent);
krb5int_ipc_stream_new
ccs_authenticate
+ cci_os_ipc_process_init
#include "tls.h"
#include "cci_debugging.h"
#include "ccapi_context.h"
+#include "ccapi_ipc.h"
#include "client.h"
-void cci_thread_init__auxinit();
+void cci_process_init__auxinit();
}
// Allocate a TLS index:
if ((dwTlsIndex = TlsAlloc()) == TLS_OUT_OF_INDEXES) return FALSE;
-
- // Initialize CCAPI once per DLL load:
- firstThreadID = GetCurrentThreadId();
+ cci_process_init__auxinit();
// Don't break; fallthrough: Initialize the TLS index for first thread.
// The attached process creates a new thread:
memset(ptspdata, 0, sizeof(struct tspdata));
- // Initialize CCAPI once per DLL load:
- if (GetCurrentThreadId() == firstThreadID) cci_thread_init__auxinit();
+ // Initialize CCAPI thread data:
+ cci_ipc_thread_init();
break;
return cci_check_error (err);
}
+
+/* ------------------------------------------------------------------------ */
+
+cc_uint64 ccs_server_client_count ()
+{
+ return ccs_client_array_count (g_client_array);
+}
cc_int32 in_reply_err,
k5_ipc_stream in_reply_data);
+cc_uint64 ccs_server_client_count ();
+
#endif /* CCS_SERVER_H */
return buf;
}
+int WorkList::initialize() {
+ hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
+ return 0;
+ }
+
+int WorkList::cleanup() {
+ CloseHandle(hEvent);
+ hEvent = INVALID_HANDLE_VALUE;
+ return 0;
+ }
+
+void WorkList::wait() {
+ WaitForSingleObject(hEvent, INFINITE);
+ }
+
int WorkList::add(WorkItem* item) {
EnterCriticalSection(&cs);
wl.push_front(item);
LeaveCriticalSection(&cs);
+ SetEvent(hEvent);
return 1;
}
* or implied warranty.
*/
+#include "WorkQueue.h"
extern "C" {
#include "cci_debugging.h"
}
WorkList worklist;
+EXTERN_C int worklist_initialize() {
+ return worklist.initialize();
+ }
+
+EXTERN_C int worklist_cleanup() {
+ return worklist.cleanup();
+ }
+
+EXTERN_C void worklist_wait() {
+ worklist.wait();
+ }
+
/* C interfaces: */
-EXTERN_C bool worklist_isEmpty() {
- return worklist.isEmpty();
+EXTERN_C BOOL worklist_isEmpty() {
+ return worklist.isEmpty() ? TRUE : FALSE;
}
EXTERN_C int worklist_add( const long rpcmsg,
#include "windows.h"
#include "ccs_pipe.h"
+EXTERN_C int worklist_initialize();
+
+EXTERN_C int worklist_cleanup();
+
+/* Wait for work to be added to the list (via worklist_add) from another thread */
+EXTERN_C void worklist_wait();
+
EXTERN_C BOOL worklist_isEmpty();
-EXTERN_C void worklist_add( const long rpcmsg,
+EXTERN_C int worklist_add( const long rpcmsg,
const ccs_pipe_t pipe,
const k5_ipc_stream stream,
const time_t serverStartTime);
// status = startup_server(opts);
// }
+ if (!err) {
+ err = worklist_initialize();
+ }
+
if (err) {
Init::Cleanup();
fprintf( stderr, "An error occured while %s the server (%u)\n",
cci_debug_printf("%s for user <%s> shutting down.", argv[0], argv[1]);
+ worklist_cleanup();
+
return cci_check_error (err);
}
cc_int32 ccs_os_server_listen_loop (int argc, const char *argv[]) {
cc_int32 err = 0;
uintptr_t threadStatus;
- unsigned int loopCounter = 0;
ParseOpts::Opts opts = { 0 };
ParseOpts PO;
+ BOOL bQuitIfNoClients = FALSE;
opts.cMinCalls = 1;
opts.cMaxCalls = 20;
queue. */
rpcargs.sessID = (unsigned char*)sessID;
rpcargs.opts = &opts;
+ /// TODO: check for NULL handle, error, etc. probably move to initialize func...
threadStatus = _beginthread(receiveLoop, 0, (void*)&rpcargs);
/* We handle the queue entries here. Work loop: */
- while (TRUE) {
- loopCounter++;
- if (worklist_isEmpty() & 1) {
- SleepEx(1000, TRUE);
- }
- else if (TRUE) { // Take next WorkItem from the queue:
+ while (ccs_server_client_count() > 0 || !bQuitIfNoClients) {
+ worklist_wait();
+ while (!worklist_isEmpty()) {
k5_ipc_stream buf = NULL;
long rpcmsg = CCMSG_INVALID;
time_t serverStartTime = 0xDEADDEAD;
err = krb5int_ipc_stream_write(stream, "This is a test of the emergency broadcasting system", 52);
err = ccs_os_server_send_reply(pipe, stream);
break;
+ case CCMSG_QUIT:
+ bQuitIfNoClients = TRUE;
+ break;
default:
cci_debug_printf("Huh? Received invalid message type %ld from UUID:<%s>",
rpcmsg, uuid);
else {cci_debug_printf("Huh? Queue not empty but no item to remove.");}
}
}
-
return cci_check_error (err);
}
free_alloc_p(&endpoint);
}
+ // tell main thread to shutdown since it won't receive any more messages
+ worklist_add(CCMSG_QUIT, NULL, NULL, 0);
_endthread();
} // End receiveLoop
private:
std::list <WorkItem*> wl;
CRITICAL_SECTION cs;
+ HANDLE hEvent;
public:
WorkList();
~WorkList();
+ int initialize();
+ int cleanup();
+ void wait();
int add(WorkItem*);
int remove(WorkItem**);
bool isEmpty() {return wl.empty();}
#include "test_ccapi_constants.h"
#include "test_ccapi_context.h"
#include "test_ccapi_ccache.h"
+#include "test_ccapi_iterators.h"
int main (int argc, const char * argv[]) {
PDB_OPTS=-Fd$(OUTPRE)\ -FD
CPPFLAGS=-I$(top_srcdir)\include -I$(top_srcdir)\include\krb5 $(DNSFLAGS) -DWIN32_LEAN_AND_MEAN -DKRB5_DEPRECATED=1 -DKRB5_PRIVATE -D_CRT_SECURE_NO_DEPRECATE $(KFWFLAGS) $(TIME_T_FLAGS)
CCOPTS=-nologo /EHsc /W3 $(PDB_OPTS) $(DLL_FILE_DEF)
-LOPTS=-nologo -incremental:no
+LOPTS=-nologo -incremental:no -manifest
!if ("$(CPU)" == "IA64" ) || ("$(CPU)" == "AMD64" ) || ("$(CPU)" == "ALPHA64" )
ENTRYPOINT=_DllMainCRTStartup
if (!name)
return ENOMEM;
+#ifdef _WIN64
+ if (!GetModuleFileName(GetModuleHandle("krb5_64"), name, size))
+#else
if (!GetModuleFileName(GetModuleHandle("krb5_32"), name, size))
+#endif
goto cleanup;
p = name + strlen(name);
if (!hModWSHelp)
{
// Note: these must match the DEF file entries
-#if defined (_WIN32)
- hModWSHelp = GetModuleHandle("WSHELP32");
+#if defined(_WIN64)
+ hModWSHelp = GetModuleHandle( "WSHELP64" );
#else
- hModWSHelp = GetModuleHandle("WSHELPER");
+ hModWSHelp = GetModuleHandle( "WSHELP32" );
#endif
}
return hModWSHelp;
krb5_prompt prompts[])
);
+TYPEDEF_FUNC(
+ krb5_error_code,
+ KRB5_CALLCONV,
+ krb5_get_init_creds_opt_alloc,
+ (krb5_context ctx,
+ krb5_get_init_creds_opt **opt)
+ );
+
+TYPEDEF_FUNC(
+ void,
+ KRB5_CALLCONV,
+ krb5_get_init_creds_opt_free,
+ (krb5_context ctx,
+ krb5_get_init_creds_opt *opt)
+ );
+
TYPEDEF_FUNC(
void,
KRB5_CALLCONV,
int prompt)
);
+TYPEDEF_FUNC(
+ krb5_error_code,
+ KRB5_CALLCONV,
+ krb5_get_init_creds_opt_set_out_ccache,
+ (krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_ccache ccache)
+ );
+
TYPEDEF_FUNC(
krb5_error_code,
KRB5_CALLCONV,
krb5_clear_error_message,
(krb5_context)
);
+
+TYPEDEF_FUNC(
+ krb5_boolean,
+ KRB5_CALLCONV,
+ krb5_is_config_principal,
+ (krb5_context, krb5_const_principal)
+ );
#endif /* __LOADFUNCS_KRB5_H__ */
features.wxi \
files.wxi \
property.wxi \
+ runtime.wxi \
site-local.wxi \
lang\strings_$(LANG).wxl \
lang\ui_$(LANG).wxi \
<?include site-local.wxi?>
<!-- Sanity checks -->
- <!-- <?ifndef var.CL1200?>
- <?ifndef var.CL1300?>
- <?ifndef var.CL1310?>
- <?ifndef var.CL1400?>
- <?error Must define one of CL1200, CL1300, CL1310 or CL1400?>
- <?endif?>
- <?endif?>
- <?endif?>
- <?endif?> -->
+ <?ifndef var.CL1600?>
+ <?error Must define CL1600 (MSVC10.0)?>
+ <?endif?>
<!-- Build type specifications -->
<?ifndef env.CPU?>
<?endif?>
<?define BinDir="$(env.KRB_INSTALL_DIR)\bin\"?>
<?define LibDir="$(env.KRB_INSTALL_DIR)\lib\"?>
+ <?define InstallerVersion="300"?>
<?if $(env.CPU) = "i386"?>
- <?define InstallerVersion="110"?>
<?define Platform="Intel"?>
<?define Win64="no"?>
<?elseif $(env.CPU) = "AMD64"?>
- <?define InstallerVersion="200"?>
<?define Platform="x64"?>
<?define Win64="yes"?>
<?else?>
// linker stuff
#pragma comment(lib, "msi")
#pragma comment(lib, "advapi32")
-#if defined(_M_IA64) || defined(_M_AMD64)
-#pragma comment(lib, "bufferoverflowu")
-#endif
void ShowMsiError( MSIHANDLE hInstall, DWORD errcode, DWORD param ){
<ComponentRef Id="cmf_ms2mit_exe" />
<ComponentRef Id="cmf_mit2ms_exe" />
<ComponentRef Id="cmf_wshelp32_dll" />
-<!-- <ComponentRef Id="cmf_xpprof32_dll" /> -->
+ <ComponentRef Id="cmf_xpprof32_dll" />
<ComponentRef Id="cmf_leashw32_dll" />
- <?if $(var.Platform) = "Intel" ?>
-<!-- <ComponentRef Id="cmf_leash32_exe" /> -->
+ <ComponentRef Id="cmf_leash_exe" />
<!-- <ComponentRef Id="csc_leash32_exe" /> -->
- <?endif?>
<ComponentRef Id="cmf_kfwlogon_DLL" />
<ComponentRef Id="cmf_kfwcpcc_EXE" />
<ComponentRef Id="rcm_krb5_2" />
<ComponentRef Id="rcm_krb5_3" />
- <?if $(var.Platform) = "Intel" ?>
<!-- Leash config options -->
<ComponentRef Id="rcm_leash_1" />
<ComponentRef Id="rcm_leash_2" />
<ComponentRef Id="rcm_leash_5" />
<ComponentRef Id="rcm_leash_6" />
-<!-- <?ifdef OldHelp?>
- <ComponentRef Id="cmf_leash32_hlp" />
- <?else?>
<ComponentRef Id="cmf_leash32_chm" />
- <?endif?> -->
- <?endif?>
<!-- Leash dll options -->
<ComponentRef Id="rcm_leashdll_1" />
<ComponentRef Id="cmf_psapi_dll" />
<ComponentRef Id="cmf_krb5_ini" />
- <ComponentRef Id="cmf_krb_con" />
- <ComponentRef Id="cmf_krbrealm_con" />
<ComponentRef Id="rcm_common" />
<ComponentRef Id="rcm_client" />
<ComponentRef Id="cmp_dirinc_loadfuncs" />
<ComponentRef Id="cmp_dirinc_wshelper" />
<ComponentRef Id="cmp_dirinc_wshelper_arpa" />
- <ComponentRef Id="cmp_dirinstall_wix" />
- <ComponentRef Id="cmp_dirinstall_wix_lang" />
- <ComponentRef Id="cmp_dirinstall_wix_Binary" />
- <ComponentRef Id="cmp_dirinstall_wix_custom" />
<ComponentRef Id="rcm_common" />
<ComponentRef Id="rcm_sdk" />
</Feature> <!-- /feaKfwSDK -->
-->
<Include xmlns="http://schemas.microsoft.com/wix/2006/wi">
-<Directory Id="TARGETDIR" Name="SourceDir">
+ <Property Id="DISABLEADVTSHORTCUTS" Value="1" />
+ <Property Id="SYSTEMKRB5INI">
+ <DirectorySearch Id="WindowsFolder" Path="[WindowsFolder]">
+ <FileSearch Name="krb5.ini"/>
+ </DirectorySearch>
+ </Property>
+
+ <Directory Id="TARGETDIR" Name="SourceDir">
+ <Directory Id="DesktopFolder" Name="Desktop"/>
<Directory Id="$(var.PISystemFolder)" SourceName="System">
<Component Win64="$(var.Win64)" Id="cmf_kfwlogon_DLL" Guid="$(var.cmf_kfwlogon_DLL_guid)">
<File Id="filekfwlogon_DLL" Name="kfwlogon.dll" KeyPath="yes" DiskId="1" Source="$(var.BinDir)kfwlogon.dll" />
<Registry Id="reg_ts_krbcc32s_0" Root="HKLM" Key="Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\ccapiserver" Action="createKeyAndRemoveKeyOnUninstall" />
<Registry Id="reg_ts_krbcc32s_1" Root="HKLM" Key="Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\ccapiserver" Name="Flags" Type="integer" Value="1032" />
</Component>
- <?if $(var.Platform) = "Intel" ?>
- <!-- <Component Win64="$(var.Win64)" Id="cmf_leash32_exe" Guid="$(var.cmf_leash32_exe_guid)" DiskId="1">
- <File Id="fil_leash32_exe" Name="leash32.exe" KeyPath="yes" />
- <Registry Id="reg_ts_leash32_0" Root="HKLM" Key="Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\leash32" Action="createKeyAndRemoveKeyOnUninstall" KeyPath="yes"/>
+ <Component Win64="$(var.Win64)" Id="cmf_leash_exe" Guid="$(var.cmf_leash_exe_guid)" DiskId="1">
+ <File Id="fil_leash_exe" Name="leash.exe" KeyPath="yes">
+ <Shortcut Id="sc_leash_exe" Advertise="yes" Directory="dirShortcut" Name="Leash Kerberos Ticket Manager.lnk" Arguments="[LEASHAUTOINIT]" />
+ <Shortcut Id="sc_leash_desktop_exe" Advertise="yes" Directory="DesktopFolder" Name="Leash Kerberos Ticket Manager.lnk" Arguments="[LEASHAUTOINIT]" />
+ </File>
+ <Registry Id="reg_ts_leash32_0" Root="HKLM" Key="Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\leash32" Action="createKeyAndRemoveKeyOnUninstall" />
<Registry Id="reg_ts_leash32_1" Root="HKLM" Key="Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\leash32" Name="Flags" Type="integer" Value="1032" />
- </Component> -->
+ </Component>
<!-- <Component Win64="$(var.Win64)" Id="csc_leash32_exe" Guid="$(var.csc_leash32_exe_guid)" DiskId="1">
- <Shortcut Id="sc_leash32_exe" Advertise="no" Directory="dirShortcut" Name="Leash Kerberos Ticket Manager.lnk" Arguments="[LEASHAUTOINIT]" Target="[!fil_leash32_exe]" />
+ <CreateFolder Directory="dirShortcut" />
<Condition>USELEASH</Condition>
</Component> -->
<Condition>USELEASH</Condition>
</Component> -->
-<!-- <?ifdef OldHelp?>
- <Component Win64="$(var.Win64)" Id="cmf_leash32_hlp" Guid="$(var.cmf_leash32_hlp_guid)" DiskId="1">
- <File Id="fil_leash32_hlp" Name="leash32.hlp" KeyPath="yes" />
- </Component>
- <?else?>
<Component Win64="$(var.Win64)" Id="cmf_leash32_chm" Guid="$(var.cmf_leash32_chm_guid)" DiskId="1">
- <File Id="fil_leash32_chm" Name="leash32.chm" KeyPath="yes" />
+ <File Id="fil_leash32_chm" Name="leash.chm" KeyPath="yes" />
</Component>
- <?endif?> -->
- <?endif?>
<Component Win64="$(var.Win64)" Id="cmf_leashw32_dll" Guid="$(var.cmf_leashw32_dll_guid)" DiskId="1">
<File Id="fil_leashw32_dll" Name="$(var.cmf_leashw32_dll_name)" KeyPath="yes" />
<Component Win64="$(var.Win64)" Id="cmf_wshelp32_dll" Guid="$(var.cmf_wshelp32_dll_guid)" DiskId="1">
<File Id="fil_wshelp32_dll" Name="$(var.cmf_wshelp32_dll_name)" KeyPath="yes" />
</Component>
-<!-- <Component Win64="$(var.Win64)" Id="cmf_xpprof32_dll" Guid="$(var.cmf_xpprof32_dll_guid)" DiskId="1">
+ <Component Win64="$(var.Win64)" Id="cmf_xpprof32_dll" Guid="$(var.cmf_xpprof32_dll_guid)" DiskId="1">
<File Id="fil_xpprof32_dll" Name="$(var.cmf_xpprof32_dll_name)" KeyPath="yes" />
- </Component> -->
+ </Component>
<!-- Debug symbols -->
<?ifdef DebugSyms?>
<Component Win64="$(var.Win64)" Id="cmf_bin_debug" Guid="$(var.cmf_bin_debug_guid)" DiskId="1">
<?if $(var.Platform) = "Intel" ?>
- <File Id="fil_leash32_pdb" Name="leash32.pdb" />
-
<File Id="fil_comerr32_pdb" Name="comerr32.pdb" />
<File Id="fil_gssapi32_pdb" Name="gssapi32.pdb" />
<File Id="fil_krb5_32_pdb" Name="krb5_32.pdb" KeyPath="yes" />
<File Id="fil_wshelp64_pdb" Name="wshelp64.pdb" />
<File Id="fil_xpprof64_pdb" Name="xpprof64.pdb" />
<?endif?>
+ <File Id="fil_leash_pdb" Name="leash.pdb" />
<File Id="fil_ccapiserver_pdb" Name="ccapiserver.pdb" />
<File Id="fil_gss_client_pdb" Name="gss-client.pdb" />
<File Id="fil_gss_server_pdb" Name="gss-server.pdb" />
</Component>
<?endif?>
- <!-- Runtime (for compilers previous to VS8) -->
- <?ifndef Debug?>
- <?ifdef CL1200?>
- <Component Win64="$(var.Win64)" Id="cmf_mfc42_dll" Guid="BE2D0D08-E26E-4906-BEEA-1C550BA9B405" DiskId="1">
- <File Id="fil_mfc42_dll" Name="mfc42.dll" src="$(var.SystemDir)mfc42.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_msvcp60_dll" Guid="7DBB5E61-AA59-4FD8-87CA-7F139D355050" DiskId="1">
- <File Id="fil_msvcp60_dll" Name="msvcp60.dll" src="$(var.SystemDir)msvcp60.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_msvcrt_dll" Guid="07B1612B-F52B-4A22-BC20-948BB7D50916" DiskId="1">
- <File Id="fil_msvcrt_dll" Name="msvcrt.dll" src="$(var.SystemDir)msvcrt.dll" KeyPath="yes" />
- </Component>
- <?endif?>
- <?ifdef CL1300?>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70_dll" Guid="E064D66F-45A5-46FA-A0C0-EE68B5DCA248" DiskId="1">
- <File Id="fil_mfc70_dll" Name="mfc70.dll" src="$(var.SystemDir)mfc70.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_msvcr70_dll" Guid="3489059D-B8C5-4F9A-9DF9-CC8F19B97898" DiskId="1">
- <File Id="fil_msvcr70_dll" Name="msvcr70.dll" src="$(var.SystemDir)msvcr70.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Guid="E3E6DC28-A229-45D7-804B-BC5A2CAB86B6" DiskId="1">
- <File Id="fil_msvcp70_dll" Name="msvcp70.dll" src="$(var.SystemDir)msvcp70.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70chs_dll" Guid="CAFD61A5-8A13-4A7C-AA15-6FEED7D43A3A" DiskId="1">
- <File Id="fil_mfc70chs_dll" Name="mfc70chs.dll" src="$(var.SystemDir)mfc70chs.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70cht_dll" Guid="A3F60016-825A-4096-A45F-98B4972FF1CA" DiskId="1">
- <File Id="fil_mfc70cht_dll" Name="mfc70cht.dll" src="$(var.SystemDir)mfc70cht.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70deu_dll" Guid="D146EE00-8880-4E39-A131-784B947883DB" DiskId="1">
- <File Id="fil_mfc70deu_dll" Name="mfc70deu.dll" src="$(var.SystemDir)mfc70deu.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70enu_dll" Guid="11E2059D-62E6-40DF-87C1-B03E425048CE" DiskId="1">
- <File Id="fil_mfc70enu_dll" Name="mfc70enu.dll" src="$(var.SystemDir)mfc70enu.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70esp_dll" Guid="3D1AAC2A-0FB1-4EF7-8406-1BF771CEB4BB" DiskId="1">
- <File Id="fil_mfc70esp_dll" Name="mfc70esp.dll" src="$(var.SystemDir)mfc70esp.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70fra_dll" Guid="36A2B8B3-E6C6-4725-96B8-82905D2ADE4E" DiskId="1">
- <File Id="fil_mfc70fra_dll" Name="mfc70fra.dll" src="$(var.SystemDir)mfc70fra.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70ita_dll" Guid="4EE49FC8-ED41-48F4-90A9-1FC06FE6237D" DiskId="1">
- <File Id="fil_mfc70ita_dll" Name="mfc70ita.dll" src="$(var.SystemDir)mfc70ita.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70jpn_dll" Guid="A6ADFFF1-C48B-446C-9B7D-6137F00EC0E4" DiskId="1">
- <File Id="fil_mfc70jpn_dll" Name="mfc70jpn.dll" src="$(var.SystemDir)mfc70jpn.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70kor_dll" Guid="720F98E2-5525-41CA-8734-98B0A5756708" DiskId="1">
- <File Id="fil_mfc70kor_dll" Name="mfc70kor.dll" src="$(var.SystemDir)mfc70kor.dll" KeyPath="yes" />
- </Component>
- <?endif?>
- <?ifdef CL1310?>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71_dll" Guid="6A4854A8-35AE-42CB-9671-9F6F096BE20C" DiskId="1">
- <File Id="fil_mfc71_dll" Name="mfc71.dll" src="$(var.SystemDir)mfc71.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_msvcr71_dll" Guid="C6952DEE-E62A-4635-9CE8-405F1E459FB2" DiskId="1">
- <File Id="fil_msvcr71_dll" Name="msvcr71.dll" src="$(var.SystemDir)msvcr71.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_msvcp71_dll" Guid="CA7D0EDE-0B81-4709-86E9-31DC8543918F" DiskId="1">
- <File Id="fil_msvcp71_dll" Name="msvcp71.dll" src="$(var.SystemDir)msvcp71.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71chs_dll" Guid="693F64CF-1AE5-4756-94CC-095ED48C217F" DiskId="1">
- <File Id="fil_mfc71chs_dll" Name="mfc71chs.dll" src="$(var.SystemDir)mfc71chs.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71cht_dll" Guid="A5552AAE-048F-41AB-AC2D-6C96411D812D" DiskId="1">
- <File Id="fil_mfc71cht_dll" Name="mfc71cht.dll" src="$(var.SystemDir)mfc71cht.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71deu_dll" Guid="E8AE39B8-1B23-4DC9-944F-CA823F53CFF3" DiskId="1">
- <File Id="fil_mfc71deu_dll" Name="mfc71deu.dll" src="$(var.SystemDir)mfc71deu.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71enu_dll" Guid="1FF5B6B6-4015-40F1-AEFF-004DBCFDB5E7" DiskId="1">
- <File Id="fil_mfc71enu_dll" Name="mfc71enu.dll" src="$(var.SystemDir)mfc71enu.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71esp_dll" Guid="028AC2DA-B4F9-4A9E-A728-1100B3C7E259" DiskId="1">
- <File Id="fil_mfc71esp_dll" Name="mfc71esp.dll" src="$(var.SystemDir)mfc71esp.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71fra_dll" Guid="7D6C3457-F08C-426C-BEE2-8D9F214223C5" DiskId="1">
- <File Id="fil_mfc71fra_dll" Name="mfc71fra.dll" src="$(var.SystemDir)mfc71fra.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71ita_dll" Guid="5CE98F88-CD33-4887-9634-B6263B6DB3CB" DiskId="1">
- <File Id="fil_mfc71ita_dll" Name="mfc71ita.dll" src="$(var.SystemDir)mfc71ita.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71jpn_dll" Guid="6DE66BB3-5DD2-4D87-89E4-D73FF405932C" DiskId="1">
- <File Id="fil_mfc71jpn_dll" Name="mfc71jpn.dll" src="$(var.SystemDir)mfc71jpn.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71kor_dll" Guid="B7290849-638E-4C39-9E56-0D73CF564D69" DiskId="1">
- <File Id="fil_mfc71kor_dll" Name="mfc71kor.dll" src="$(var.SystemDir)mfc71kor.dll" KeyPath="yes" />
- </Component>
- <?endif?>
- <?else?> <!-- Debug -->
- <?ifdef CL1200?>
- <Component Win64="$(var.Win64)" Id="cmf_mfc42d_dll" Guid="B7360C15-61FA-409F-8F0A-87B96FB30BBD" DiskId="1">
- <File Id="fil_mfc42d_dll" Name="mfc42d.dll" src="$(var.SystemDir)mfc42d.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_msvcp60d_dll" Guid="BFF28D63-B60A-48B6-A403-A7DE00BDB37E" DiskId="1">
- <File Id="fil_msvcp60d_dll" Name="msvcp60d.dll" src="$(var.SystemDir)msvcp60d.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_msvcrtd_dll" Guid="69069738-3202-43C3-92A3-4139816B6527" DiskId="1">
- <File Id="fil_msvcrtd_dll" Name="msvcrtd.dll" src="$(var.SystemDir)msvcrtd.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_runtime_debug1200" Guid="3FAD9513-AB33-4eed-9359-E96F8D5ABD2A" DiskId="1">
- <File Id="fil_mfc42d_pdb" Name="mfc42d.pdb" src="$(var.SystemDir)mfc42d.pdb" />
- <File Id="fil_msvcp60d_pdb" Name="msvcp60d.pdb" src="$(var.SystemDir)msvcp60d.pdb" />
- <File Id="fil_msvcrtd_pdb" Name="msvcrtd.pdb" src="$(var.SystemDir)msvcrtd.pdb" KeyPath="yes" />
- </Component>
- <?endif?>
- <?ifdef CL1300?>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70d_dll" Guid="40C7120A-9B28-4DD1-86D0-9F66056A2463" DiskId="1">
- <File Id="fil_mfc70d_dll" Name="mfc70d.dll" src="$(var.SystemDir)mfc70d.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_msvcr70d_dll" Guid="D0A7B06E-6F65-4559-A99A-63C4C837BE0E" DiskId="1">
- <File Id="fil_msvcr70d_dll" Name="msvcr70d.dll" src="$(var.SystemDir)msvcr70d.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_msvcp70d_dll" Guid="DC82F644-8705-4C89-BE63-4CD6680BF580" DiskId="1">
- <File Id="fil_msvcp70d_dll" Name="msvcp70d.dll" src="$(var.SystemDir)msvcp70d.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70chs_dll" Guid="CAFD61A5-8A13-4A7C-AA15-6FEED7D43A3A" DiskId="1">
- <File Id="fil_mfc70chs_dll" Name="mfc70chs.dll" src="$(var.SystemDir)mfc70chs.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70cht_dll" Guid="A3F60016-825A-4096-A45F-98B4972FF1CA" DiskId="1">
- <File Id="fil_mfc70cht_dll" Name="mfc70cht.dll" src="$(var.SystemDir)mfc70cht.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70deu_dll" Guid="D146EE00-8880-4E39-A131-784B947883DB" DiskId="1">
- <File Id="fil_mfc70deu_dll" Name="mfc70deu.dll" src="$(var.SystemDir)mfc70deu.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70enu_dll" Guid="11E2059D-62E6-40DF-87C1-B03E425048CE" DiskId="1">
- <File Id="fil_mfc70enu_dll" Name="mfc70enu.dll" src="$(var.SystemDir)mfc70enu.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70esp_dll" Guid="3D1AAC2A-0FB1-4EF7-8406-1BF771CEB4BB" DiskId="1">
- <File Id="fil_mfc70esp_dll" Name="mfc70esp.dll" src="$(var.SystemDir)mfc70esp.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70fra_dll" Guid="36A2B8B3-E6C6-4725-96B8-82905D2ADE4E" DiskId="1">
- <File Id="fil_mfc70fra_dll" Name="mfc70fra.dll" src="$(var.SystemDir)mfc70fra.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70ita_dll" Guid="4EE49FC8-ED41-48F4-90A9-1FC06FE6237D" DiskId="1">
- <File Id="fil_mfc70ita_dll" Name="mfc70ita.dll" src="$(var.SystemDir)mfc70ita.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70jpn_dll" Guid="A6ADFFF1-C48B-446C-9B7D-6137F00EC0E4" DiskId="1">
- <File Id="fil_mfc70jpn_dll" Name="mfc70jpn.dll" src="$(var.SystemDir)mfc70jpn.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc70kor_dll" Guid="720F98E2-5525-41CA-8734-98B0A5756708" DiskId="1">
- <File Id="fil_mfc70kor_dll" Name="mfc70kor.dll" src="$(var.SystemDir)mfc70kor.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_runtime_debug1300" Guid="157D7DE8-6AFE-44b3-A317-840667C76D0D" DiskId="1">
- <File Id="fil_mfc70d_pdb" Name="mfc70d.pdb" src="$(var.SystemDir)mfc70d.pdb" />
- <File Id="fil_msvcr70d_pdb" Name="msvcr70d.pdb" src="$(var.SystemDir)msvcr70d.pdb" KeyPath="yes" />
- <File Id="fil_msvcp70d_pdb" Name="msvcp70d.pdb" src="$(var.SystemDir)msvcp70d.pdb" />
- </Component>
- <?endif?>
- <?ifdef CL1310?>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71d_dll" Guid="0E0A47A3-892C-4526-8591-C719E1A184F2" DiskId="1">
- <File Id="fil_mfc71d_dll" Name="mfc71d.dll" src="$(var.SystemDir)mfc71d.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_msvcr71d_dll" Guid="CB2A282D-CF73-4DA8-929D-8035776F4FB8" DiskId="1">
- <File Id="fil_msvcr71d_dll" Name="msvcr71d.dll" src="$(var.SystemDir)msvcr71d.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_msvcp71d_dll" Guid="7D6003B6-B3A1-417A-BE16-5DDD52023456" DiskId="1">
- <File Id="fil_msvcp71d_dll" Name="msvcp71d.dll" src="$(var.SystemDir)msvcp71d.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71chs_dll" Guid="693F64CF-1AE5-4756-94CC-095ED48C217F" DiskId="1">
- <File Id="fil_mfc71chs_dll" Name="mfc71chs.dll" src="$(var.SystemDir)mfc71chs.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71cht_dll" Guid="A5552AAE-048F-41AB-AC2D-6C96411D812D" DiskId="1">
- <File Id="fil_mfc71cht_dll" Name="mfc71cht.dll" src="$(var.SystemDir)mfc71cht.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71deu_dll" Guid="E8AE39B8-1B23-4DC9-944F-CA823F53CFF3" DiskId="1">
- <File Id="fil_mfc71deu_dll" Name="mfc71deu.dll" src="$(var.SystemDir)mfc71deu.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71enu_dll" Guid="1FF5B6B6-4015-40F1-AEFF-004DBCFDB5E7" DiskId="1">
- <File Id="fil_mfc71enu_dll" Name="mfc71enu.dll" src="$(var.SystemDir)mfc71enu.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71esp_dll" Guid="028AC2DA-B4F9-4A9E-A728-1100B3C7E259" DiskId="1">
- <File Id="fil_mfc71esp_dll" Name="mfc71esp.dll" src="$(var.SystemDir)mfc71esp.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71fra_dll" Guid="7D6C3457-F08C-426C-BEE2-8D9F214223C5" DiskId="1">
- <File Id="fil_mfc71fra_dll" Name="mfc71fra.dll" src="$(var.SystemDir)mfc71fra.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71ita_dll" Guid="5CE98F88-CD33-4887-9634-B6263B6DB3CB" DiskId="1">
- <File Id="fil_mfc71ita_dll" Name="mfc71ita.dll" src="$(var.SystemDir)mfc71ita.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71jpn_dll" Guid="6DE66BB3-5DD2-4D87-89E4-D73FF405932C" DiskId="1">
- <File Id="fil_mfc71jpn_dll" Name="mfc71jpn.dll" src="$(var.SystemDir)mfc71jpn.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_mfc71kor_dll" Guid="B7290849-638E-4C39-9E56-0D73CF564D69" DiskId="1">
- <File Id="fil_mfc71kor_dll" Name="mfc71kor.dll" src="$(var.SystemDir)mfc71kor.dll" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_runtime_debug1310" Guid="0125814E-9EED-4d57-A4E6-3E685CE5AB5C" DiskId="1">
- <File Id="fil_mfc71d_pdb" Name="mfc71d.pdb" src="$(var.SystemDir)mfc71d.pdb" />
- <File Id="fil_msvcr71d_pdb" Name="msvcr71d.pdb" src="$(var.SystemDir)msvcr71d.pdb" KeyPath="yes" />
- <File Id="fil_msvcp71d_pdb" Name="msvcp71d.pdb" src="$(var.SystemDir)msvcp71d.pdb" />
- </Component>
- <?endif?>
- <?endif?>
-
<Component Win64="$(var.Win64)" Id="cmf_psapi_dll" Guid="877F4DD5-8AE0-451C-8F4D-C27F6F30D221" DiskId="1">
<File Id="fil_psapi_dll" Name="psapi.dll" src="$(var.SystemDir)psapi.dll" KeyPath="yes" />
</Component>
<File Id="fil_krbcc32_lib" Name="krbcc32.lib" />
<File Id="fil_leashw32_lib" Name="leashw32.lib" />
<File Id="fil_wshelp32_lib" Name="wshelp32.lib" />
-<!-- <File Id="fil_xpprof32_lib" Name="xpprof32.lib" /> -->
+ <File Id="fil_xpprof32_lib" Name="xpprof32.lib" />
</Component>
</Directory>
<?endif?>
<File Id="fil_krbcc64_lib" Name="krbcc64.lib" />
<File Id="fil_leashw64_lib" Name="leashw64.lib" />
<File Id="fil_wshelp64_lib" Name="wshelp64.lib" />
-<!-- <File Id="fil_xpprof64_lib" Name="xpprof64.lib" /> -->
+ <File Id="fil_xpprof64_lib" Name="xpprof64.lib" />
</Component>
</Directory>
<?endif?>
</Directory>
- <Directory Id="dirinstall" Name="install" src="$(var.InstallDir)">
- <Directory Id="dirinstall_wix" Name="wix" src="$(var.InstallDir)wix\">
- <Component Win64="$(var.Win64)" Id="cmp_dirinstall_wix" Guid="14DD16AB-6920-4ee1-8B78-623F39DB70BB" DiskId="1">
- <File Id="fil_config_wxi" Name="config.wxi" />
- <File Id="fil_features_wxi" Name="features.wxi" />
- <File Id="fil_files_wxi" Name="files.wxi" />
- <File Id="fil_kfw_wxs" Name="kfw.wxs" KeyPath="yes" />
- <File Id="fil_Makefile_" Name="Makefile" />
- <File Id="fil_property_wxi" Name="property.wxi" />
- <File Id="fil_site_local_wxi" Name="site-local-tagged.wxi" />
- </Component>
- <Directory Id="dirinstall_wix_lang" Name="lang" src="$(var.InstallDir)wix\lang\">
- <Component Win64="$(var.Win64)" Id="cmp_dirinstall_wix_lang" Guid="70741A69-1103-4B54-B146-2E14C271945D" DiskId="1">
- <File Id="fil_config_1033_wxi" Name="config_1033.wxi" KeyPath="yes" />
- <File Id="fil_strings_1033_wxl" Name="strings_1033.wxl" />
- <File Id="fil_ui_1033_wxi" Name="ui_1033.wxi" />
- </Component>
- </Directory>
- <Directory Id="dirinstall_wix_Binary" Name="Binary" src="$(var.InstallDir)wix\Binary\">
- <Component Win64="$(var.Win64)" Id="cmp_dirinstall_wix_Binary" Guid="5F021D71-A398-41FD-8F9C-9C0665C18660" DiskId="1">
- <File Id="fil_bannrbmp_bmp" Name="bannrbmp.bmp" />
- <File Id="fil_completi_ico" Name="completi.ico" />
- <File Id="fil_custicon_ico" Name="custicon.ico" />
- <File Id="fil_dlgbmp_bmp" Name="dlgbmp.bmp" />
- <File Id="fil_exclamic_ico" Name="exclamic.ico" />
- <File Id="fil_info_bmp" Name="info.bmp" />
- <File Id="fil_insticon_ico" Name="insticon.ico" />
- <File Id="fil_new_bmp" Name="new.bmp" />
- <File Id="fil_removico_ico" Name="removico.ico" />
- <File Id="fil_repairic_ico" Name="repairic.ico" />
- <File Id="fil_up_bmp" Name="up.bmp" />
- </Component>
- </Directory>
- <Directory Id="dirinstall_wix_custom" Name="custom" src="$(var.InstallDir)wix\custom\">
- <Component Win64="$(var.Win64)" Id="cmp_dirinstall_wix_custom" Guid="872AA948-39B0-4CDC-B764-7EB69F280E50" DiskId="1">
- <File Id="fil_custom_cpp" Name="custom.cpp" KeyPath="yes" />
- <File Id="fil_custom_h" Name="custom.h" />
- </Component>
- </Directory>
- </Directory>
- </Directory>
-
<!-- <Directory Id="dirdoc" Name="doc" src="$(var.DocDir)">
<?if $(var.Platform) = "Intel" ?>
<Component Win64="$(var.Win64)" Id="efl_leash_userdoc_pdf" Guid="68FB24DD-5EC2-4db1-AD42-5B9DDEC247C5" DiskId="1">
</Directory> <!-- /Kerberos -->
</Directory> <!-- /MIT -->
</Directory> <!-- /Program Files -->
- <Directory Id="WindowsFolder">
- <Component Win64="$(var.Win64)" Id="cmf_krb5_ini" Guid="C1AF0670-BBF1-4AA6-B2A6-6C8B1584A1F4" NeverOverwrite="yes" Permanent="yes" DiskId="1">
- <File Id="fil_krb5_ini" Name="krb5.ini" src="$(var.ConfigDir)krb5.ini" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_krb_con" Guid="5E91A051-CF14-45FF-BF64-CEE78A7A90C2" NeverOverwrite="yes" Permanent="yes" DiskId="1">
- <File Id="fil_krb_con" Name="krb.con" src="$(var.ConfigDir)krb.con" KeyPath="yes" />
- </Component>
- <Component Win64="$(var.Win64)" Id="cmf_krbrealm_con" Guid="D667B54F-1C98-43FB-87C6-0F0517623B90" NeverOverwrite="yes" Permanent="yes" DiskId="1">
- <File Id="fil_krbrealm_con" Name="krbrealm.con" src="$(var.ConfigDir)krbrealm.con" KeyPath="yes" />
- </Component>
+ <Directory Id="CommonAppDataFolder" Name="CommonAppDataFolder">
+ <Directory Id="APPDATAMITDIR" Name="MIT">
+ <Directory Id="APPDATAKERBEROS5DIR" Name="Kerberos5">
+ <Component Win64="$(var.Win64)" Id="cmf_krb5_ini" Guid="C1AF0670-BBF1-4AA6-B2A6-6C8B1584A1F4" NeverOverwrite="yes" Permanent="yes" DiskId="1">
+ <Condition>NOT SYSTEMKRB5INI</Condition>
+ <File Id="fil_krb5_ini" Name="krb5.ini" src="$(var.ConfigDir)krb5.ini" KeyPath="yes" />
+ <CreateFolder/>
+ </Component>
+ </Directory>
+ </Directory>
</Directory>
<Directory Id="ProgramMenuFolder">
<Registry Id="reg_docs20" Root="HKLM" Key="$(var.KfwRegRoot)\Documentation\$(var.VersionString)" Name="PatchLevel" Type="integer" Value="$(var.VersionPatch)" />
</Component>
- <!-- Shared assembly runtime for VS 2005 -->
- <?ifdef CL1400?>
- <?ifdef env.CommonProgramFiles6432?>
- <?define CPF="$(env.CommonProgramFiles(x86)"?>
- <?else?>
- <?define CPF="$(env.CommonProgramFiles)"?>
- <?endif?>
-
- <?if $(var.Platform) = "x64" ?>
- <?ifndef Debug?>
- <Merge Id="MSVCRT8MEM" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC80_CRT_x86_x64.msm"/>
- <Merge Id="MSVCRT8POL" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\policy_8_0_Microsoft_VC80_CRT_x86_x64.msm"/>
- <Merge Id="MSVCRT8MFC" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC80_MFC_x86_x64.msm"/>
- <Merge Id="MSVCRT8PFC" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\policy_8_0_Microsoft_VC80_MFC_x86_x64.msm"/>
- <Merge Id="MSVCRT8MFL" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC80_MFCLOC_x86_x64.msm"/>
- <Merge Id="MSVCRT8PFL" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\policy_8_0_Microsoft_VC80_MFCLOC_x86_x64.msm"/>
- <?else?>
- <Merge Id="MSVCRT8MEM" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC80_DebugCRT_x86_x64.msm"/>
- <Merge Id="MSVCRT8POL" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\policy_8_0_Microsoft_VC80_DebugCRT_x86_x64.msm"/>
- <Merge Id="MSVCRT8MFC" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC80_DebugMFC_x86_x64.msm"/>
- <Merge Id="MSVCRT8PFC" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\policy_8_0_Microsoft_VC80_DebugMFC_x86_x64.msm"/>
- <Merge Id="MSVCRT8MFL" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC80_MFCLOC_x86_x64.msm"/>
- <Merge Id="MSVCRT8PFL" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\policy_8_0_Microsoft_VC80_MFCLOC_x86_x64.msm"/>
- <?endif?>
- <?else?>
- <?ifndef Debug?>
- <Merge Id="MSVCRT8MEM" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC80_CRT_x86.msm"/>
- <Merge Id="MSVCRT8POL" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\policy_8_0_Microsoft_VC80_CRT_x86.msm"/>
- <Merge Id="MSVCRT8MFC" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC80_MFC_x86.msm"/>
- <Merge Id="MSVCRT8PFC" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\policy_8_0_Microsoft_VC80_MFC_x86.msm"/>
- <Merge Id="MSVCRT8MFL" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC80_MFCLOC_x86.msm"/>
- <Merge Id="MSVCRT8PFL" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\policy_8_0_Microsoft_VC80_MFCLOC_x86.msm"/>
- <?else?>
- <Merge Id="MSVCRT8MEM" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC80_DebugCRT_x86.msm"/>
- <Merge Id="MSVCRT8POL" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\policy_8_0_Microsoft_VC80_DebugCRT_x86.msm"/>
- <Merge Id="MSVCRT8MFC" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC80_DebugMFC_x86.msm"/>
- <Merge Id="MSVCRT8PFC" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\policy_8_0_Microsoft_VC80_DebugMFC_x86.msm"/>
- <Merge Id="MSVCRT8MFL" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC80_MFCLOC_x86.msm"/>
- <Merge Id="MSVCRT8PFL" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\policy_8_0_Microsoft_VC80_MFCLOC_x86.msm"/>
- <?endif?>
- <?endif?>
+ <!-- Shared assembly runtime for VS 2010 -->
+ <!-- Note that these cause numerous LGHT1055 and ICE82 warnings. They are unavoidable but innocuous. -->
+ <?ifdef CL1600?>
+ <?ifdef env.CommonProgramFiles6432?>
+ <?define CPF="$(env.CommonProgramFiles(x86)"?>
+ <?else?>
+ <?define CPF="$(env.CommonProgramFiles)"?>
+ <?endif?>
+ <?if $(var.Platform) = "x64" ?>
+ <?ifndef Debug?>
+ <Merge Id="MSVCRT100MEM" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC100_CRT_x64.msm"/>
+ <Merge Id="MSVCRT100MFC" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC100_MFC_x64.msm"/>
+ <Merge Id="MSVCRT100MFL" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC100_MFCLOC_x64.msm"/>
+ <?else?>
+ <Merge Id="MSVCRT100MEM" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC100_DebugCRT_x64.msm"/>
+ <Merge Id="MSVCRT100MFC" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC100_DebugMFC_x64.msm"/>
+ <Merge Id="MSVCRT100MFL" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC100_MFCLOC_x64.msm"/>
+ <?endif?>
+ <?else?>
+ <?ifndef Debug?>
+ <Merge Id="MSVCRT100MEM" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC100_CRT_x86.msm"/>
+ <Merge Id="MSVCRT100MFC" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC100_MFC_x86.msm"/>
+ <Merge Id="MSVCRT100MFL" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC100_MFCLOC_x86.msm"/>
+ <?else?>
+ <Merge Id="MSVCRT100MEM" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC100_DebugCRT_x86.msm"/>
+ <Merge Id="MSVCRT100MFC" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC100_DebugMFC_x86.msm"/>
+ <Merge Id="MSVCRT100MFL" DiskId="1" Language="0" src="$(var.CPF)\Merge Modules\Microsoft_VC100_MFCLOC_x86.msm"/>
+ <?endif?>
+ <?endif?>
<?endif?>
</Directory>
{\*\generator Msftedit 5.41.15.1507;}\viewkind4\uc1\pard\nowidctlpar\tx916\tx1832\tx2748\tx3664\tx4580\tx5496\tx6412\tx7328\tx8244\tx9160\tx10076\tx10992\tx11908\tx12824\tx13740\tx14656\f0\fs20 Copyright Notice and Legal Administrivia\par
----------------------------------------\par
\par
-Copyright (C) 1985-2005 by the Massachusetts Institute of Technology.\par
+Copyright (C) 1985-2011 by the Massachusetts Institute of Technology.\par
\par
All rights reserved.\par
\par
<?define cmf_krb524_dll_name="krb524.dll"?>
<?define cmf_krbcc32_dll_guid="56DAD1B9-4A59-46e6-81CA-54E2B6C9D618"?>
<?define cmf_krbcc32_dll_name="krbcc64.dll"?>
- <?define cmf_ccpaiserver_exe_guid="0192F58B-9129-426d-A271-E18455EDC80E"?>
+ <?define cmf_ccapiserver_exe_guid="0192F58B-9129-426d-A271-E18455EDC80E"?>
<?define cmf_ccapiserver_exe_name="ccapiserver.exe"?>
<?define cmf_krbv4w32_dll_guid="D195FADB-A3B0-4023-A824-8895552CDC56"?>
<?define cmf_krbv4w32_dll_name="krbv4w64.dll"?>
- <?define cmf_leash32_exe_guid="D195FADB-A3B0-4023-A824-8895552CDC56"?>
- <?define csc_leash32_exe_guid="9D43350A-A8AE-4405-AB82-64E90E5A1A70"?>
+ <?define cmf_leash_exe_guid="D195FADB-A3B0-4023-A824-8895552CDC56"?>
+ <?define csc_leash_exe_guid="9D43350A-A8AE-4405-AB82-64E90E5A1A70"?>
<?define rcm_leash_1_guid="7E5517FF-FB76-431f-A92B-2895C9BE7E98"?>
<?define rcm_leash_2_guid="008208AC-46BE-4ca4-BEA7-8FCAAD8BA7C3"?>
<?define rcm_leash_3_guid="66D97178-E735-499b-961F-C7B8B8074E1A"?>
<?define cmf_ccapiserver_exe_name="ccapiserver.exe"?>
<?define cmf_krbv4w32_dll_guid="DFA23F6C-5297-4876-AF52-6F7CF2CB34AC"?>
<?define cmf_krbv4w32_dll_name="krbv4w32.dll"?>
- <?define cmf_leash32_exe_guid="990D5F6B-4CEE-4706-96F4-F7AF12F97DF7"?>
- <?define csc_leash32_exe_guid="8A096700-47B1-4A0B-B7B5-44F75086DEAE"?>
+ <?define cmf_leash_exe_guid="990D5F6B-4CEE-4706-96F4-F7AF12F97DF7"?>
+ <?define csc_leash_exe_guid="8A096700-47B1-4A0B-B7B5-44F75086DEAE"?>
<?define rcm_leash_1_guid="B91648A0-26F7-43BB-A954-202FF3811E3C"?>
<?define rcm_leash_2_guid="0D8DCC52-F855-4C46-86A1-198E6EE0CB8A"?>
<?define rcm_leash_3_guid="9610A7E3-251F-4286-B776-1C3AF5DE7815"?>
<?xml version="1.0"?>
<Include>
- <?ifdef CL1400 ?>
- <MergeRef Id="MSVCRT8MEM"/>
- <MergeRef Id="MSVCRT8POL"/>
- <MergeRef Id="MSVCRT8MFC"/>
- <MergeRef Id="MSVCRT8PFC"/>
- <MergeRef Id="MSVCRT8MFL"/>
- <MergeRef Id="MSVCRT8PFL"/>
+ <?ifdef CL1600 ?>
+ <MergeRef Id="MSVCRT100MEM"/>
+ <MergeRef Id="MSVCRT100MFC"/>
+ <MergeRef Id="MSVCRT100MFL"/>
<?endif?>
-<?ifndef Debug?>
- <?ifdef CL1310 ?>
- <?ifdef comment?>
- <MergeRef Id="mergeVC1310LibMFC" />
- <MergeRef Id="mergeVC1310LibCRT" />
- <?else?>
- <ComponentRef Id="cmf_mfc71_dll" />
- <ComponentRef Id="cmf_msvcr71_dll" />
- <ComponentRef Id="cmf_msvcp71_dll" />
- <ComponentRef Id="cmf_mfc71chs_dll" />
- <ComponentRef Id="cmf_mfc71cht_dll" />
- <ComponentRef Id="cmf_mfc71deu_dll" />
- <ComponentRef Id="cmf_mfc71enu_dll" />
- <ComponentRef Id="cmf_mfc71esp_dll" />
- <ComponentRef Id="cmf_mfc71fra_dll" />
- <ComponentRef Id="cmf_mfc71ita_dll" />
- <ComponentRef Id="cmf_mfc71jpn_dll" />
- <ComponentRef Id="cmf_mfc71kor_dll" />
- <?endif?>
- <?endif?>
- <?ifdef CL1300 ?>
- <?ifdef comment?>
- <MergeRef Id="mergeVC1300LibMFC" />
- <MergeRef Id="mergeVC1300LibCRT" />
- <?else?>
- <ComponentRef Id="cmf_mfc70_dll" />
- <ComponentRef Id="cmf_msvcr70_dll" />
- <ComponentRef Id="cmf_msvcp70_dll" />
- <ComponentRef Id="cmf_mfc70chs_dll" />
- <ComponentRef Id="cmf_mfc70cht_dll" />
- <ComponentRef Id="cmf_mfc70deu_dll" />
- <ComponentRef Id="cmf_mfc70enu_dll" />
- <ComponentRef Id="cmf_mfc70esp_dll" />
- <ComponentRef Id="cmf_mfc70fra_dll" />
- <ComponentRef Id="cmf_mfc70ita_dll" />
- <ComponentRef Id="cmf_mfc70jpn_dll" />
- <ComponentRef Id="cmf_mfc70kor_dll" />
- <?endif?>
- <?endif?>
- <?ifdef CL1200 ?>
- <ComponentRef Id="cmf_mfc42_dll" />
- <ComponentRef Id="cmf_msvcp60_dll" />
- <ComponentRef Id="cmf_msvcrt_dll" />
- <?endif?>
-<?else?>
- <?ifdef CL1310 ?>
- <ComponentRef Id="cmf_mfc71d_dll" />
- <ComponentRef Id="cmf_msvcr71d_dll" />
- <ComponentRef Id="cmf_msvcp71d_dll" />
- <ComponentRef Id="cmf_mfc71chs_dll" />
- <ComponentRef Id="cmf_mfc71cht_dll" />
- <ComponentRef Id="cmf_mfc71deu_dll" />
- <ComponentRef Id="cmf_mfc71enu_dll" />
- <ComponentRef Id="cmf_mfc71esp_dll" />
- <ComponentRef Id="cmf_mfc71fra_dll" />
- <ComponentRef Id="cmf_mfc71ita_dll" />
- <ComponentRef Id="cmf_mfc71jpn_dll" />
- <ComponentRef Id="cmf_mfc71kor_dll" />
- <?endif?>
- <?ifdef CL1300 ?>
- <ComponentRef Id="cmf_mfc70d_dll" />
- <ComponentRef Id="cmf_msvcr70d_dll" />
- <ComponentRef Id="cmf_msvcp70d_dll" />
- <ComponentRef Id="cmf_mfc70chs_dll" />
- <ComponentRef Id="cmf_mfc70cht_dll" />
- <ComponentRef Id="cmf_mfc70deu_dll" />
- <ComponentRef Id="cmf_mfc70enu_dll" />
- <ComponentRef Id="cmf_mfc70esp_dll" />
- <ComponentRef Id="cmf_mfc70fra_dll" />
- <ComponentRef Id="cmf_mfc70ita_dll" />
- <ComponentRef Id="cmf_mfc70jpn_dll" />
- <ComponentRef Id="cmf_mfc70kor_dll" />
- <?endif?>
- <?ifdef CL1200 ?>
- <ComponentRef Id="cmf_mfc42d_dll" />
- <ComponentRef Id="cmf_msvcp60d_dll" />
- <ComponentRef Id="cmf_msvcrtd_dll" />
- <?endif?>
-<?endif?>
</Include>
\ No newline at end of file
--- /dev/null
+<?xml version="1.0" encoding="utf-8"?>
+<Include xmlns="http://schemas.microsoft.com/wix/2003/01/wi">
+
+ <!-- User configurable options -->
+
+ <!-- Items enclosed in double percent marks will be substituted by
+ the build script. -->
+
+ <!-- TargetDir should point to build target directory and must end with
+ a backslash. If not specified, assume we are in TargetDir\install -->
+
+ <!-- <?define TargetDir="%TARGETDIR%\"?> -->
+
+ <!-- ConfigDir should point to directory containing configuration files
+ (krb5.ini, krb.con, krbrealm.con) to be bundled with the installer.
+ The directory name should end with a backslash. -->
+
+ <!-- <?define ConfigDir="%CONFIGDIR-WIX%\"?> -->
+
+ <!-- VersionMajor, VersionMinor and VersionPatch must all be specified, or
+ none should be specified (in which case, the defaults will be
+ selected below. -->
+
+ <!-- version defs go here -->
+ <!-- <?define VersionMajor="%VERSION_MAJOR%"?>
+ <?define VersionMinor="%VERSION_MINOR%"?>
+ <?define VersionPatch="%VERSION_PATCH%"?> -->
+
+ <!-- BuildLang is the language code for the installation. If you are
+ changing this, you should also change the ProductCode below. -->
+ <?ifndef BuildLang?>
+ <?define BuildLang="1033"?>
+ <?endif?>
+
+ <!-- ProductCode is an uppercase GUID. Each release should have its
+ own ProductCode. If one is not defined, we generate a random one. -->
+ <?ifndef ProductCode?>
+ <?define ProductCode="????????-????-????-????-????????????"?>
+ <?endif?>
+
+ <!-- DefaultRealm, is your default realm. Must be uppercase -->
+ <?define DefaultRealm="ATHENA.MIT.EDU"?>
+
+ <!-- One of the following must be defined and must correspond to the
+ version of compiler used for building Kerberos for Windows -->
+
+ <!-- <?define CL1200?> -->
+ <!-- <?define CL1300?> -->
+ <!-- <?define CL1310?> -->
+ <!-- <?define CL1400?> -->
+ <?define CL1600?>
+
+ <!-- At most one of the following could be defined and must correspond
+ to the type of build performed. -->
+ <?define Debug?>
+ <!--<?define Release?>-->
+
+ <!-- We are including debug symbols anyway. Undefine this for a leaner
+ installer without debug syms. -->
+ <?define DebugSyms?>
+
+ <!-- Optional defines -->
+ <!-- <?define Beta="1"?> --> <!-- Numeric Beta identifier -->
+ <!-- <?define OldHelp?> --> <!-- Specifies the use of the old leash32.hlp file
+ instead of the new leash32.chm file -->
+
+
+ <!-- End of user configurable options -->
+
+ <!-- Assert that required options are defined, or select defaults if
+ they weren't -->
+
+ <?ifndef TargetDir?>
+ <?define TargetDir="$(sys.SOURCEFILEDIR)..\..\..\"?>
+ <?endif?>
+
+ <?ifndef ConfigDir?>
+ <?define ConfigDir="$(env.SystemRoot)\"?>
+ <?endif?>
+
+ <?ifndef VersionMajor?>
+ <?define VersionMajor="4"?>
+ <?define VersionMinor="0"?>
+ <?define VersionPatch="0"?>
+ <?else?>
+ <?if Not ($(var.VersionMinor) And $(var.VersionPatch))?>
+ <?error VersionMajor, VersionMinor and VersionPatch should be specified together?>
+ <?endif?>
+ <?endif?>
+
+ <?ifndef ProductCode?>
+ <?error Must define ProductCode?>
+ <?endif?>
+
+ <?ifndef BuildLang?>
+ <?error Must define BuildLang?>
+ <?endif?>
+
+ <!-- DefaultRealm. Must be uppercase. -->
+ <?ifndef DefaultRealm?>
+ <?error Must define DefaultRealm?>
+ <?endif?>
+
+ <!-- The build makefile defines 'Date' and 'Time' which are strings that
+ identify the time at which the build was performed. -->
+</Include>
"Leash", MB_OK);
}
-
+#ifndef NO_KRB4
// Save to Kerberos Four config. file "Krb.con"
CStdioFile krbCon;
if (!krbCon.Open(CKrbProperties::m_krbPath, CFile::modeCreate |
krbCon.WriteString(".KERBEROS.OPTION. dns\n");
krbCon. Close();
+#endif // NO_KRB4
return TRUE;
}
#include "mitwhich.h"
#include <leasherr.h>
#include "lglobals.h"
+#include "out2con.h"
#include <krb5.h>
#include <com_err.h>
}
ReleaseMutex(ticketinfo.lockObj);
- ldi.size = sizeof(ldi);
+ ldi.size = LSH_DLGINFO_EX_V1_SZ;
ldi.dlgtype = DLGTYPE_PASSWD;
ldi.title = "Initialize Ticket";
ldi.username = username;
{
autoInit = TRUE;
}
+ else if (0 == stricmp(optionParam+1, "console") ||
+ 0 == stricmp(optionParam+1, "c"))
+ {
+ CreateConsoleEcho();
+ }
else
{
MessageBox(hMsg,
"'-renew' or '-r' to perform ticket renewal (and exit)\n"
"'-destroy' or '-d' to perform ticket destruction (and exit)\n"
"'-autoinit' or '-a' to perform automatic ticket initialization\n"
+ "'-console' or '-c' to attach a console for debugging\n"
"'-ms2mit' or '-import' or '-m' to perform ticket importation (and exit)",
"Leash Error", MB_OK);
return FALSE;
ReleaseMutex(m_tgsReqMutex);
#endif
LSH_DLGINFO_EX ldi;
- ldi.size = sizeof(ldi);
+ ldi.size = LSH_DLGINFO_EX_V1_SZ;
ldi.dlgtype = DLGTYPE_PASSWD;
ldi.title = "Initialize Ticket";
ldi.username = NULL;
ReleaseMutex(m_tgsReqMutex);
#endif
LSH_DLGINFO_EX ldi;
- ldi.size = sizeof(ldi);
+ ldi.size = LSH_DLGINFO_EX_V1_SZ;
ldi.dlgtype = DLGTYPE_PASSWD;
ldi.title = "Initialize Ticket";
ldi.username = NULL;
ReleaseMutex(m_tgsReqMutex);
#endif
LSH_DLGINFO_EX ldi;
- ldi.size = sizeof(ldi);
+ ldi.size = LSH_DLGINFO_EX_V1_SZ;
ldi.dlgtype = DLGTYPE_PASSWD;
ldi.title = "Initialize Ticket";
ldi.username = NULL;
#endif
if ( ProbeKDC() ) {
LSH_DLGINFO_EX ldi;
- ldi.size = sizeof(ldi);
+ ldi.size = LSH_DLGINFO_EX_V1_SZ;
ldi.dlgtype = DLGTYPE_PASSWD;
ldi.title = "Initialize Ticket";
ldi.username = NULL;
#endif
// Help
-#define HID_GET_TICKETS_COMMAND 98312
+#define HID_GET_TICKETS_COMMAND 98343 // ID_INIT_TICKET + 65536
+#define HID_RENEW_TICKETS_COMMAND 98312 // ID_RENEW_TICKET + 65536
+#define HID_IMPORT_TICKETS_COMMAND 98342 // ID_IMPORT_TICKET + 65536
#define HID_DESTROY_TICKETS_COMMAND 98313
#define HID_SYNCHRONIZE_TIME_OPTION 98314
#define HID_CHANGE_PASSWORD_COMMAND 98315
#define HID_KERBEROS_PROPERTIES_EDITHOST 131271
#define HID_KERBEROS_PROPERTIES_LISTDOM 131279
-////@#+This might be problematic with the latest Platform SDK...
-////#define USE_HTMLHELP
+#define USE_HTMLHELP
#ifdef USE_HTMLHELP
#if _MSC_VER >= 1300
static char THIS_FILE[] = __FILE__;
#endif
-////Some unknown Platform SDK/VC uglines
-#if defined(__HTMLHELP_H__)
-#ifdef HtmlHelp
-#undef HtmlHelp
-#endif
-#endif
-
-
/////////////////////////////////////////////////////////////////////////////
// CLeashProperties dialog
BEGIN_MESSAGE_MAP(CLeashView, CFormView)
//{{AFX_MSG_MAP(CLeashView)
+ ON_MESSAGE(WM_WARNINGPOPUP, OnWarningPopup)
ON_MESSAGE(WM_GOODBYE, OnGoodbye)
ON_MESSAGE(WM_TRAYICON, OnTrayIcon)
ON_NOTIFY(TVN_ITEMEXPANDED, IDC_TREEVIEW, OnItemexpandedTreeview)
m_publicIPAddress = 0;
m_autoRenewTickets = 0;
m_autoRenewalAttempted = 0;
-
+ m_pWarningMessage = NULL;
m_bIconAdded = FALSE;
m_bIconDeleted = FALSE;
#ifndef KRB5_TC_NOTICKET
m_tvinsert.hParent = NULL;
m_tvinsert.hInsertAfter = TVI_LAST;
- m_tvinsert.item.mask = TVIF_IMAGE | TVIF_SELECTEDIMAGE | TVIF_TEXT;
+ m_tvinsert.item.mask = TVIF_IMAGE | TVIF_SELECTEDIMAGE;
m_tvinsert.item.hItem = NULL;
m_tvinsert.item.state = 0;
m_tvinsert.item.stateMask = 0; //TVIS_EXPANDED;
if (CLeashApp::m_hKrb5DLL && m_listKrb5) {
m_tvinsert.item.pszText = ticketinfo.Krb5.principal;
+ m_tvinsert.item.mask |= TVIF_TEXT;
switch ( iconStatusKrb5 ) {
case ACTIVE_TICKET:
m_tvinsert.item.iSelectedImage = ACTIVE_PARENT_NODE;
#ifndef NO_KRB4
} else if (CLeashApp::m_hKrb4DLL && m_listKrb4) {
m_tvinsert.item.pszText = ticketinfo.Krb4.principal;
+ m_tvinsert.item.mask |= TVIF_TEXT;
switch ( iconStatusKrb4 ) {
case ACTIVE_TICKET:
m_tvinsert.item.iSelectedImage = ACTIVE_PARENT_NODE;
#endif
} else {
m_tvinsert.item.iSelectedImage = NONE_PARENT_NODE;
+ m_tvinsert.item.pszText = NULL;
}
m_tvinsert.item.iImage = m_tvinsert.item.iSelectedImage;
m_tvinsert.item.cChildren = 0;
m_bIconDeleted = TRUE;
}
+BOOL CLeashView::PostWarningMessage(const CString& message)
+{
+ if (m_pWarningMessage)
+ {
+ return FALSE; // can't post more than one warning at a time
+ }
+ m_pWarningMessage = new CString(message);
+ PostMessage(WM_WARNINGPOPUP);
+ return TRUE;
+}
+
+LRESULT CLeashView::OnWarningPopup(WPARAM wParam, LPARAM lParam)
+{
+ CLeashMessageBox leashMessageBox(CMainFrame::m_isMinimum ? GetDesktopWindow() : NULL,
+ *m_pWarningMessage, 100000);
+ leashMessageBox.DoModal();
+ delete m_pWarningMessage;
+ m_pWarningMessage = NULL;
+ return 0L;
+}
+
BOOL CLeashView::PreTranslateMessage(MSG* pMsg)
{
if ( pMsg->message == ID_OBTAIN_TGT_WITH_LPARAM )
ReleaseMutex(ticketinfo.lockObj);
AlarmBeep();
- CLeashMessageBox leashMessageBox(!CMainFrame::m_isMinimum ? GetDesktopWindow() : NULL,
- lowTicketWarning, 100000);
- leashMessageBox.DoModal();
+ PostWarningMessage(lowTicketWarning);
if (WaitForSingleObject( ticketinfo.lockObj, 100 ) != WAIT_OBJECT_0)
throw("Unable to lock ticketinfo");
}
#endif
#define WM_TRAYICON (WM_USER+100)
+#define WM_WARNINGPOPUP (WM_USER+101)
enum ticketTimeLeft{NO_TICKETS, ZERO_MINUTES_LEFT, FIVE_MINUTES_LEFT, TEN_MINUTES_LEFT,
FIFTEEN_MINUTES_LEFT, TWENTY_MINUTES_LEFT, PLENTY_OF_TIME,
#endif
INT m_hKerb5State;
INT m_hAFSState;
+ CString* m_pWarningMessage;
BOOL m_bIconAdded;
BOOL m_bIconDeleted;
static UINT InitTicket(void *);
static UINT RenewTicket(void *);
static UINT ImportTicket(void *);
+ // Queue a warning popup message.
+ // This is a workaround to the MFC deficiency that you cannot safely create
+ // a modal dialog while processing messages within AfxPreTranslateMessage()
+ // returns TRUE if message is queued successfully.
+ BOOL PostWarningMessage(const CString& message);
+ afx_msg LRESULT OnWarningPopup(WPARAM wParam, LPARAM lParam);
protected: // create from serialization only
DECLARE_DYNCREATE(CLeashView)
#define OFF 0
#define TRUE_FLAG 1
#define FALSE_FLAG 0
+#ifdef _WIN64
+#define LEASHDLL "leashw64.dll"
+#define KERB5DLL "krb5_64.dll"
+#define KERB5_PPROFILE_DLL "xpprof64.dll"
+#else
#define LEASHDLL "leashw32.dll"
-#define KERB4DLL "krbv4w32.dll"
#define KERB5DLL "krb5_32.dll"
#define KERB5_PPROFILE_DLL "xpprof32.dll"
+#endif
#define SECUR32DLL "secur32.dll"
-
#define KRB_FILE "KRB.CON"
#define KRBREALM_FILE "KRBREALM.CON"
#define TICKET_FILE "TICKET.KRB"
-////Wow. Why?
-#define WIN95_AUTOEXEC "C:\\AUTOEXEC.BAT"
-#define LEASH_HELP_FILE "leash32.chm"
+#define LEASH_HELP_FILE "leash.chm"
extern int config_boolean_to_int(const char *);
extern BOOL SetRegistryVariable(const CString& regVariable,
!endif
MFCLIB=MFC100D.LIB
-EXE_NAME=leash32
+EXE_NAME=leash
WSHELPER=wshelp32
!if ("$(CPU)" == "IA64") || ("$(CPU)" == "AMD64") || ("$(CPU)" == "ALPHA64")
-EXE_NAME=leash64
WSHELPER=wshelp64
!endif
+SUBDIRS= htmlhelp
+
OBJS= \
$(OUTPRE)Krb4EditDomainRealmList.obj \
$(OUTPRE)CLeashDragListBox.obj \
$(OUTPRE)LeashView.obj \
$(OUTPRE)lglobals.obj \
$(OUTPRE)MainFrm.obj \
+ $(OUTPRE)out2con.obj \
$(OUTPRE)StdAfx.obj \
$(OUTPRE)AfsProperties.obj \
$(OUTPRE)VSroutines.obj \
--- /dev/null
+BUILDTOP=..\..\..
+
+TARGETTYPE=NONE
+
+TARGET=leash.chm
+HHK=leash32.hhk
+HHP=leash32.hhp
+ERR=leash.log
+
+all:: $(TARGET) rename
+
+clean::
+ @if exist $(TARGET) del $(TARGET)
+ @if exist $(ERR) del $(ERR)
+
+rename:
+ @if exist $(TARGET) ren $(TARGET) $(TARGET)
+ @if exist $(ERR) ren $(ERR) $(ERR)
+
+# We rename the file to get a lower-case file.
+# It looks like the silly help compiler gives us uppercase.
+$(TARGET): $(HHK) $(HHP)
+ - hhc $(HHP)
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<HTML>
+<HEAD>
+<meta name="GENERATOR" content="Microsoft® HTML Help Workshop 4.1">
+<!-- Sitemap 1.0 -->
+</HEAD><BODY>
+<OBJECT type="text/site properties">
+ <param name="Auto Generated" value="Yes">
+</OBJECT>
+<UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Why Use Leash?">
+ <param name="Local" value="html/leash_topic_why_use.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Leash Help Topics">
+ <param name="Local" value="html/leash_topic_leash_help_topics.htm">
+ </OBJECT>
+ <UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Leash Screen Display (Kerberometer and Dash Notification)">
+ <param name="Local" value="html/leash_topic_leash_window.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Leash System Tray Tool">
+ <param name="Local" value="html/leash_topic_leash_systray.htm">
+ </OBJECT>
+ <UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="System Tray Menu">
+ <param name="Local" value="html/leash_topic_leash_systray.htm">
+ </OBJECT>
+ </UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Leash Commands">
+ <param name="Local" value="html/leash_menu_commands.htm">
+ </OBJECT>
+ <UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Exit Command">
+ <param name="Local" value="html/leash_file_exit.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Get Ticket(s)/Token(s) Command, Ctrl+T">
+ <param name="Local" value="html/leash_command_get_tickets.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Import Ticket(s)/Token(s) Command, Ctrl+I">
+ <param name="Local" value="html/leash_command_import_tickets.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Renew Ticket(s)/Token(s) Command, Ctrl+R">
+ <param name="Local" value="html/leash_command_renew_tickets.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Destroy Ticket(s)/Token(s) Command, Ctrl+D">
+ <param name="Local" value="html/leash_command_destroy_tickets.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Change Password Command">
+ <param name="Local" value="html/leash_command_change_password.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Reset Window Size/Pos Option">
+ <param name="Local" value="html/leash_command_reset_window.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Synchronize Time">
+ <param name="Local" value="html/leash_command_sync_time.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Update Display Command, F5">
+ <param name="Local" value="html/leash_command_update_display.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Large Icons">
+ <param name="Local" value="html/leash_view_large_icons.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Leash Toolbar">
+ <param name="Local" value="html/leash_view_toolbar.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Status Bar">
+ <param name="Local" value="html/leash_view_status_bar.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Debug Window">
+ <param name="Local" value="html/leash_view_debug_window.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Automatic Ticket Renewal Option">
+ <param name="Local" value="html/leash_option_auto_renewal.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Destroy Tickets/Tokens on Exit Option">
+ <param name="Local" value="html/leash_option_destroy_tickets_on_exit.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Expiration Alarm Option">
+ <param name="Local" value="html/leash_option_expiration_alarm.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Upper Case Realm Name Option">
+ <param name="Local" value="html/leash_option_upper_case_realm.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Leash Properties\85 Command, Ctrl+L">
+ <param name="Local" value="html/leash_option_leash_properties.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Kerberos Properties Command, Ctrl+K">
+ <param name="Local" value="html/leash_option_kerberos_properties.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Kerberos v4 Properties\85 Command, Ctrl+4">
+ <param name="Local" value="html/leash_option_krb4_properties.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Kerberos v5 Properties Command, Ctrl+5">
+ <param name="Local" value="html/leash_option_krb5_properties.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="AFS Properties Command, Ctrl+A">
+ <param name="Local" value="html/leash_option_afs_properties.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="About Leash">
+ <param name="Local" value="html/leash_help_about_leash32.htm">
+ </OBJECT>
+ </UL>
+ </UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Kerberos Help Topics">
+ <param name="Local" value="html/leash_topic_kerberos_help_topics.htm">
+ </OBJECT>
+ <UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="About Kerberos">
+ <param name="Local" value="html/leash_topic_about_kerberos.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Kerberos Names">
+ <param name="Local" value="html/leash_topic_kerberos_names.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Kerberos Tickets">
+ <param name="Local" value="html/leash_topic_kerberos_tickets.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Using Kerberos in a Command Prompt Environment">
+ <param name="Local" value="html/leash_topic_kerberos_command_prompt.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Kerberos Timing Issues">
+ <param name="Local" value="html/leash_topic_timing_issues.htm">
+ </OBJECT>
+ </UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Kerberos for Windows Command Line Tools Manpages">
+ <param name="Local" value="html/leash_manpages.htm">
+ </OBJECT>
+ <UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="KINIT Command">
+ <param name="Local" value="html/leash_manpage_kinit.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="KLIST Command">
+ <param name="Local" value="html/leash_manpage_klist.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="KDESTROY Command">
+ <param name="Local" value="html/leash_manpage_kdestroy.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="MS2MIT Command">
+ <param name="Local" value="html/leash_manpage_ms2mit.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="AKLOG Command">
+ <param name="Local" value="html/leash_manpage_aklog.htm">
+ </OBJECT>
+ </UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Common Leash Error Messages">
+ <param name="Local" value="html/leash_errors.htm">
+ </OBJECT>
+ <UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Kerberos Error 8: Unknown username, instance, or realm.">
+ <param name="Local" value="html/leash_topic_error_8.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Kerberos Error 57: Cannot contact the Kerberos server for the selected realm.">
+ <param name="Local" value="html/leash_topic_error_57.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Kerberos Error 62: Password incorrect.">
+ <param name="Local" value="html/leash_topic_error_62.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Invalid principal.">
+ <param name="Local" value="html/leash_topic_error_invalid_principal.htm">
+ </OBJECT>
+ </UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="How To Use Leash Online Help">
+ <param name="Local" value="html/leash_topic_online_help.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Leash Copyright">
+ <param name="Local" value="html/leash_copyright.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Kerberos Copyright">
+ <param name="Local" value="html/leash_kerberos_copyright.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Kerberos Export Restrictions and Source Code Access">
+ <param name="Local" value="html/leash_export.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="Reporting Bugs and Requesting Assistance">
+ <param name="Local" value="html/leash_bug_reports.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Name" value="The MIT Kerberos Team">
+ <param name="Local" value="html/leash_acknowledgements.htm">
+ </OBJECT>
+</UL>
+</BODY></HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>(status bar)</TITLE>
+</HEAD>
+
+<BODY>
+
+
+<OBJECT TYPE="application/x-oleobject" CLASSID="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e">
+ <PARAM NAME="Keyword" VALUE="status bar">
+</OBJECT>
+
+<P><A NAME="afx_hidw_status_bar"></A><B>Status Bar</B></P>
+
+<P>The status bar is displayed at the bottom of the <<YourApp>> window. To display or hide the status bar, use the
+<b> Status Bar</b> command in the <b> View</b> menu.</P>
+
+<P>The left area of the status bar describes actions of menu items as you use the arrow keys to navigate through menus. This area similarly shows messages that describe the actions of toolbar buttons as you
+press them, before releasing them. If after viewing the description of the toolbar button command you wish not to execute the command, then release the mouse button while the pointer is off the toolbar button.</P>
+
+<P>The right areas of the status bar indicate which of the following keys are latched down:</P>
+
+<P><B>Indicator Description</B></P>
+
+<P>CAP The Caps Lock key is latched down.</P>
+
+<P>NUM The Num Lock key is latched down.</P>
+
+<P>SCRL The Scroll Lock key is latched down.</P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>(toolbar)</TITLE>
+</HEAD>
+
+<BODY>
+
+
+<OBJECT TYPE="application/x-oleobject" CLASSID="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e" width="14" height="14">
+ <PARAM NAME="Keyword" VALUE="toolbar">
+</OBJECT>
+
+<P><A NAME="afx_hidw_toolbar"></A><B>Toolbar</B></P>
+
+
+<P>The toolbar is displayed across the top of the application window, below the menu bar. The toolbar provides quick mouse access to many tools used in <<YourApp>>,</P>
+
+<P>To hide or display the toolbar, click <b>Toolbar</b> from the <b> View</b> menu.</P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>(About command (Help menu))</TITLE>
+</HEAD>
+
+<BODY>
+
+
+<P><A NAME="hid_app_about"></A><B>About command (Help menu)</B></P>
+
+<P>Use this command to display the copyright notice and version number of your copy of <<YourApp>>.</P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>(File Exit command)</TITLE>
+</HEAD>
+
+<BODY>
+
+
+<OBJECT TYPE="application/x-oleobject" CLASSID="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e">
+ <PARAM NAME="Keyword" VALUE="exit">
+</OBJECT>
+
+<P><A NAME="hid_app_exit"></A><B>Exit command (File menu)</B></P>
+
+<P>Use this command to end your <<YourApp>> session. You can also use the
+<b> Close</b> command on the application <b> Control</b> menu. <<YourApp>> prompts you to save documents with unsaved changes.</P>
+
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>(Help Using Help Command)</TITLE>
+</HEAD>
+
+<BODY>
+
+
+<P><A NAME="hid_context_help"></A><B>Context Help command </B></P>
+
+
+<P>Use this command to obtain help on some portion of <<YourApp>>. When you choose the
+toolbar's <b> Context Help</b> button, the mouse pointer will change to an arrow and question mark. Then click somewhere in the <<YourApp>> window, such as another
+toolbar button. The help topic will be shown for the item you clicked.</P>
+
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>(Index command (Help menu))</TITLE>
+</HEAD>
+
+<BODY>
+
+
+<P><A NAME="hid_help_index"></A><B>Index command (Help menu)</B></P>
+
+<P>Use this command to display the opening screen of help. From the opening screen, you can jump to step-by-step instructions for using <<YourApp>> and various types of reference information. </P>
+
+<P>Once you open help, you can click the <b> Contents</b> button whenever you want to return to the opening screen.</P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>(Using Help command (Help menu))</TITLE>
+</HEAD>
+
+<BODY>
+
+
+<P><A NAME="hid_help_using"></A><B>Using Help command (Help menu)</B></P>
+
+<P>Use this command for instructions about using help.</P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><HTML><HEAD><META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"><TITLE>(Close command (Control menus))</TITLE></HEAD><BODY><P><A NAME="hid_sc_close"></A><B>Close command (Control menus)</B></P><P>Use this command to close the active window or dialog box.</P><P>Double-clicking a <b>Control</b> menu box is the same as choosing the <b> Close</b> command.</P><P>Note: If you have multiple windows open for a single document, the <b> Close</b> command on the document<b> Control</b> menu closes only one window at a time. You can close all windows at once with the<b> Close</b> command on the <b> File</b> menu.</P></BODY></HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>(Maximize command (System menu))</TITLE>
+</HEAD>
+
+<BODY>
+
+
+<P><A NAME="hid_sc_maximize"></A><B>Maximize command (System menu)</B></P>
+
+<P>Use this command to enlarge the active window to fill the available space.</P>
+
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>(System Minimize Command)</TITLE>
+</HEAD>
+
+<BODY>
+
+
+<P><A NAME="hid_sc_minimize"></A><B>Minimize command (application Control menu)</B></P>
+
+<P>Use this command to reduce the <<YourApp>> window to an icon.</P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>(Move command (Control menu))</TITLE>
+</HEAD>
+
+<BODY>
+
+
+<P><A NAME="hid_sc_move"></A><B>Move command (Control menu)</B></P>
+
+<P>Use this command to display a four-headed arrow so you can move the active window or dialog box with the arrow keys.</P>
+
+<P>Note: This command is unavailable if you maximize the window.</P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>(Restore command (Control menu))</TITLE>
+</HEAD>
+
+<BODY>
+
+
+<P><A NAME="hid_sc_restore"></A><B>Restore command (Control menu)</B></P>
+
+<P>Use this command to return the active window to its size and position before you chose the
+<b> Maximize</b> or <b> Minimize</b> command.</P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>(Size command (System menu))</TITLE>
+</HEAD>
+
+<BODY>
+
+
+<P><A NAME="hid_sc_size"></A><B>Size command (System menu)</B></P>
+
+<P>Use this command to display a four-headed arrow so you can size the active window with the arrow keys.</P>
+
+<P>After the pointer changes to the four-headed arrow:</P>
+
+<P>1.Press one of the direction keys (left, right, up, or down arrow key) to move the pointer to the border you want to move. </P>
+
+<P>2.Press a direction key to move the border.</P>
+
+<P>3.Press ENTER when the window is the size you want.</P>
+
+<P>Note: This command is unavailable if you maximize the window.</P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>(View Status Bar Command)</TITLE>
+</HEAD>
+
+<BODY>
+
+
+<OBJECT TYPE="application/x-oleobject" CLASSID="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e">
+ <PARAM NAME="Keyword" VALUE="status bar">
+</OBJECT>
+
+<P><A NAME="hid_view_status_bar"></A><B>Status Bar command (View menu)</B></P>
+
+<P>Use this command to display and hide the status bar, which describes the action to be executed by the selected menu item or
+pressed toolbar button, and keyboard latch state. A checkmark appears next to the menu item when the
+status bar is displayed.</P>
+
+<P>See <A HREF="afx_hidw_status_bar.htm">Status Bar</A> for help on using the status bar.</P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>(View Toolbar command)</TITLE>
+</HEAD>
+
+<BODY>
+
+
+<OBJECT TYPE="application/x-oleobject" CLASSID="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e">
+ <PARAM NAME="Keyword" VALUE="toolbar">
+</OBJECT>
+
+<P><A NAME="hid_view_toolbar"></A><B>Toolbar command (View menu)</B></P>
+
+<P>Use this command to display and hide the toolbar, which includes buttons for some of the most common commands in <<YourApp>>, such as
+<b> File Open</b>. A checkmark appears next to the menu item when the toolbar is displayed.</P>
+
+<P>See <A HREF="afx_hidw_toolbar.htm">Toolbar</A> for help on using the toolbar.</P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>The MIT Kerberos Team</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="acknowledgements">
+</object>
+<p></p>
+<h1><a name="id_help_people"></a>The MIT Kerberos Team</h1>
+This is by no means a complete list, as we have contributors and
+collaborators from all over the net. <br>
+<big><span style="font-weight: bold; text-decoration: underline;"><br>
+MIT Team Members</span></big>
+<ul>
+ <li>Marshall Vale - Team Leader </li>
+ <li>Jeffrey Altman </li>
+ <li><a href="http://web.mit.edu/lxs/www/">Alexandra Ellwood</a> ('97)
+PGP key: <a
+ href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x22412C62">22412C62</a>
+ </li>
+ <li>Sam Hartman ('97) PGP keys: <a
+ href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x3C86260F">3C86260F</a>
+ <a
+ href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x68DEB5D1">68DEB5D1</a>
+ </li>
+ <li><a href="http://web.mit.edu/pbh/www/home.html">Paul Hill</a> </li>
+ <li>Scott McGuire </li>
+ <li>Ken Raeburn ('88) PGP keys: <a
+ href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xC43E7B98">C43E7B98</a>
+ </li>
+ <li>Jeff Schiller ('79) PGP keys: <a
+ href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xF414952B">F414952B</a>
+ <a
+ href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x0DBF906D">0DBF906D</a>
+ </li>
+ <li><a href="http://www.mit.edu/people/tlyu/home.html">Tom Yu</a>
+('96) PGP keys: <a
+ href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x2E2F668E">2E2F668E</a>
+ <a
+ href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x749D7889">749D7889</a>
+ <a
+ href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xF376813D">F376813D</a>
+ </li>
+</ul>
+The following people are not officially affiliated with MIT, but
+contribute to the MIT Kerberos V5 effort:
+<ul>
+ <li><a href="http://web.mit.edu/probe/www/home.html">Richard Basch</a>
+('90) </li>
+ <li>Danilo Almeida ('98) </li>
+ <li>Marc Horowitz ('92) </li>
+ <li>Barry Jaspan ('92) </li>
+ <li>Miro Jurisic ('01) </li>
+ <li>Ezra Peisach ('89) </li>
+ <li><a href="http://web.mit.edu/tytso/www/home.html">Ted Ts'o</a>
+('90) PGP keys: <a
+ href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x80B07A4F">80B07A4F</a>
+ <a
+ href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xE086CB93">E086CB93</a>
+ <a
+ href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x103D4013">103D4013</a>
+ <a
+ href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x93674C40">93674C40</a>
+ <a
+ href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xF1A37611">F1A37611</a>
+ <a
+ href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x466B4289">466B4289</a></li>
+</ul>
+<br>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Reporting Bugs and Requesting Assistance</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="bugs">
+</object>
+<p></p>
+<h1><a name="id_help_problems"></a>Reporting Bugs and Requesting
+Assistance<br>
+</h1>
+<p></p>
+<p class="MsoNormal" style="">If you find bugs, please mail
+them to kfw-bugs@MIT.EDU.</p>
+<p class="MsoNormal">kerberos@MIT.EDU is a mailing list set up for
+discussing
+Kerberos issues. It is gatewayed to the Usenet newsgroup
+'comp.protocols.kerberos'. If you prefer to read it via mail, send a
+request to
+kerberos-request@MIT.EDU to get added or subscribe via the web page:<o:p> </o:p></p>
+<p class="MsoNormal" style="text-indent: 0.5in;"><a
+ href="http://mailman.mit.edu/mailman/listinfo/kerberos">http://mailman.mit.edu/mailman/listinfo/kerberos</a><o:p></o:p></p>
+<p class="MsoNormal"><o:p> </o:p></p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Change Password Command</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="change">
+</object>
+<h3><a name="hid_change_password_command"></a><a name="id_help_change"></a><b>Change Password Command</b></h3>
+<p>The Change Password command is found on the Action menu; it is also
+the fifth button (from the left) in the toolbar. This command
+changes your Kerberos password.<br>
+</p>
+<p><img style="width: 616px; height: 377px;"
+ alt="Change Password Dialog" title="Change Password Dialog"
+ src="..%5CImages%5CLeash_change_password.jpg"><br>
+</p>
+<p>Note: This command will not change your local machine password
+unless your Windows Logon Session is authenticated using Kerberos.<br>
+</p>
+<p><a href="leash_topic_password_choice.htm#id_help_choose">How To
+Choose a Password</a>.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Destroy Tickets Command</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="destroy"> <param name="Keyword"
+ value="key, Ctrl+D">
+</object>
+<h3><b><a name="id_help_destroy"></a><a
+ name="hid_destroy_tickets_command"></a>Destroy Ticket(s)/Token(s) Command, Ctrl+D</b></h3>
+This command is found on the Action menu; it is also the fourth button
+(from the left) in the toolbar. Use this command to destroy all
+of the Kerberos tickets (and perhaps AFS tokens) on your local
+machine. Leash confirms your intentions before completing the
+request. Tickets for individual services may not be destroyed by
+the Leash Application.<br>
+<br>
+Once tickets are destroyed, you must Get or Import new tickets before
+Kerberized applications can once again access network services.<br>
+<br>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Get Tickets Command</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="renew"> <param name="Keyword"
+ value="key, Ctrl+T">
+</object>
+<h3><b><a name="hid_get_tickets_command"></a><a name="id_help_get"></a>Get Ticket(s)/Token(s) Command, Ctrl+T</b></h3>
+This command is found under the Action menu; it is also the first
+button (from the left) in the toolbar. Use this command to obtain
+new Kerberos tickets (and perhaps AFS tokens.)<br>
+<br>
+<img style="width: 700px; height: 584px;"
+ alt="Advanced Initialize Tickets Dialog"
+ title="Advanced Initialize Tickets Dialog"
+ src="../Images/Leash_init_ticket_advanced.jpg"><br>
+<br>
+<img style="width: 700px; height: 316px;"
+ alt="Basic Initialize Tickets Dialog"
+ title="Basic Initialize Tickets Dialog"
+ src="..%5CImages%5CLeash_init_ticket_basic.jpg"><br>
+<br>
+When you select this commmand, Leash displays a dialog requesting your
+Username, Kerberos Realm, and Password; if these are correct, Leash
+will obtain tickets for you. You may optionally specify a ticket
+lifetime and various Kerberos 5 ticket options: <br>
+<ul>
+ <li>ticket forwarding</li>
+ <li>addressless tickets</li>
+ <li>renewable ticket times<br>
+ </li>
+</ul>
+<p>See Also</p>
+<p><a href="leash_topic_kerberos_tickets.htm">Kerberos tickets</a></p>
+<p>AFS tokens</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Import Tickets Command</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="renew"> <param name="Keyword"
+ value="key, Ctrl+T">
+</object>
+<h3><b><a name="hid_import_tickets_command"></a><a name="id_help_import"></a>Import Ticket(s)/Token(s) Command, Ctrl+I</b></h3>
+This command is found on the Action menu; it is the third button (from
+the left) in the toolbar. Use this command to import Kerberos
+tickets from your Windows Logon Session. Importing tickets will
+result in the destruction of existing tickets. Leash will confirm
+the operation if necessary.<br>
+<br>
+Note: This command is only available if your Windows Logon
+Session is authenticated using Kerberos.<br>
+<p>See Also</p>
+<p><a href="leash_topic_kerberos_tickets.htm">Kerberos tickets</a></p>
+<p>AFS tokens</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Renew Tickets Command</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="renew"> <param name="Keyword"
+ value="key, Ctrl+T">
+</object>
+<h3><b><a name="hid_renew_tickets_command"></a><a name="id_help_renew"></a>Renew Ticket(s)/Token(s) Command, Ctrl+R</b></h3>
+This command is found on the Action menu; it is also the second button
+(from the left) in the toolbar. Use this command to renew the
+Kerberos tickets (and perhaps AFS tokens) on your local machine without
+requiring the use of a password. If your existing tickets cannot
+be renewed the ticket initialization dialog will be displayed allowing
+you to request new tickets.<br>
+<br>
+Note: This command is only available if your existing Kerberos tickets
+are renewable.<br>
+<br>
+<br>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Reset Window Size/Pos Option</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="reset">
+</object>
+<h3><a name="hid_reset_window_option"></a><b>Reset Window Size/Pos
+Option</b></h3>
+<p>When you select this from the Options menu, the Leash window moves
+to its default size and position, near the upper left corner of the
+screen.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Synchronize Time Option</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="synchronize">
+</object>
+<h3><a name="hid_scnchronize_time_option"></a><b>Synchronize Time</b></h3>
+<p>This command is found on the Action menu; it is also the sixth
+button (from the left) in the toolbar. When you select this
+command, Leash synchronizes the local machine time with the time server
+specified in the Leash Properties dialog.<br>
+</p>
+<p>Note: Kerberos authentication protocol requires loosely synchronized
+time between computers. The local machine clock and the Kerberos
+server clock need to be within five minutes of each other for Kerberos
+to function properly. This function can also be performed with
+the clock icon on the toolbar and has no keyboard equivalent.<br>
+<br>
+</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Update Display Command</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="update"> <param name="Keyword" value="Key, F5">
+</object>
+<h3><b><a name="id_help_pdate"></a><a name="hid_update_display_cammand"></a>Update Display Command, F5</b></h3>
+<p>Use this command (in the Actions menu, or the black rectangular
+icon) to update the display of your current Kerberos tickets. You can
+also perform this function by clicking in the main Leash window.</p>
+<p><b>Why Use It...</b></p>
+<p>Although most end users will likely find this Leash feature
+irrelevant, application developers and support staff may occasionally
+find it to be useful. For example, you may want an immediate status
+check of Kerberos tickets if you have just used command-line <a
+ href="leash_external_kinit.htm">kinit</a> or <a
+ href="leash_external_kdestroy.htm">kdestroy</a> and want to check that
+they have functioned successfully.</p>
+<p><b>How It Works...</b></p>
+<p>While Leash automatically checks the status of your Kerberos tickets
+every 30 seconds, the Update Display command forces an immediate status
+check.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Leash Copyright</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="copyright, Leash">
+</object>
+<p></p>
+<h1><a name="id_help_lcopyright"></a>Leash Copyright</h1>
+<p></p>
+<p>This software is being provided to you, the LICENSEE, by the
+Massachusetts Institute of Technology (M.I.T) under the following
+license. By obtaining, using and/or copying this software, you agree
+that you have read, understood, and will comply with these terms and
+conditions: </p>
+<p>Permission to use, copy, modify and distribute this software and its
+documentation for any purpose and without fee or royalty is hereby
+granted, provided that you agree to comply with the following copyright
+notice and statements, including the disclaimer, and that the same
+appear on ALL copies of the software and documentation, including
+modifications that you make for internal use or for distribution:</p>
+<p>Copyright 1992-2004 by the Massachusetts Institute of Technology.
+All rights reserved. </p>
+<p>THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO
+REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. By way of example,
+but not limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
+MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE
+OF THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD
+PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. </p>
+<p>The name of the Massachusetts Institute of Technology or M.I.T. may
+NOT be used in advertising or publicity pertaining to distribution of
+the software. Title to copyright in this software and any associated
+documentation shall at all times remain with M.I.T., and USER agrees to
+preserve same.</p>
+<p>Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos,
+Moira, OLC, X Window System, and Zephyr are trademarks of the
+Massachusetts Institute of Technology (MIT). No commercial use of these
+trademarks may be made without prior written permission of MIT.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Leash Copyright</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="copyright, Leash">
+</object>
+<p></p>
+<h1><a name="id_leash_errors"></a>Common Leash Error Messages</h1>
+<p></p>
+This section describes error messages commonly displayed by Leash.
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Kerberos Export Restrictions and Source Code Access</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="export">
+</object>
+<p></p>
+<h1><a name="id_help_export"></a>Kerberos Export Restrictions and Source Code Access</h1>
+<p></p>
+<p>Copyright (C) 1989-2004 by the Massachusetts Institute of Technology</p>
+<p><b>Export of this software from the United States of America may
+require a specific license from the United States Government. It is the
+responsibility of any person or organization contemplating export to
+obtain such a license before exporting.</b></p>
+<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright notice
+appear in all copies and that both that copyright notice and this
+permission notice appear in supporting documentation, and that the name
+of M.I.T. not be used in advertising or publicity pertaining to
+distribution of the software without specific, written prior
+permission. M.I.T. makes no representations about the suitability of
+this software for any purpose. It is provided "as is" without express
+or implied warranty.</p>
+<p>Export of the documentation is not restricted.</p>
+<br>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>aklog.exe</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="kdestroy, exe">
+</object>
+<p><b>aklog.exe program</b></p>
+<p>aklog is a program which may be used to obtain AFS tokens for a cell
+which may or may not be equivalent to the Kerberos realm whose tickets
+are used to obtain the tokens.<br>
+<br>
+</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>kdestroy.exe</TITLE>
+</HEAD>
+
+<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
+
+<OBJECT TYPE="application/x-oleobject" CLASSID="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e">
+ <PARAM NAME="Keyword" VALUE="kdestroy, exe">
+</OBJECT>
+
+<P><B>kdestroy.exe program</B></P>
+
+<P>This is another way to destroy your tickets. Running this application will immediately destroy all tickets and tokens you might have, no matter how they were obtained.</P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>kinit.exe</TITLE>
+</HEAD>
+
+<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
+
+<OBJECT TYPE="application/x-oleobject" CLASSID="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e">
+ <PARAM NAME="Keyword" VALUE="kinit, exe">
+</OBJECT>
+
+<P><B>kinit.exe program</B></P>
+
+<P>This is a little program which will run a command-prompt, text-based version of the ticket initialization window. (However, unlike in the graphical version, you do not have the option of changing the ticket lifetime.) This can be useful if you have a slow computer, or if you are having difficulty with the graphical version for some reason.</P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>Why Use</TITLE>
+</HEAD>
+
+<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
+
+<OBJECT TYPE="application/x-oleobject" CLASSID="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e">
+ <PARAM NAME="Keyword" VALUE="klist, exe">
+</OBJECT>
+
+<P><B>klist.exe program</B></P>
+
+<P>This application will quickly list all of the tickets you have.</P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>ms2mit.exe</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="kdestroy, exe">
+</object>
+<p><b>ms2mit.exe program</b></p>
+<p>This is another way to import Windows Logon Session Kerberos tickets
+for use by Leash and other Kerberos for Windows applications. The
+functionality is equivalent to the Import Tickets Command.<br>
+<br>
+</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Exit/End Leash Program</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="exit">
+</object>
+<h3><b><a name="id_help_exit"></a><a name="hid_exit_command"></a>Exit Command</b></h3>
+<p>From the File menu, you can use this command to exit the Leash
+program. If any other means is used to close the Leash window,
+the Leash program will continue to execute and remain present in the
+Windows System Tray.<br>
+</p>
+<p><b>Important Note...</b></p>
+<p>Exiting the Leash program will <b>not</b> destroy your current
+Kerberos tickets. Unless you have selected this in the options menu,
+you need to use the destroy tickets command.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>About Leash Command</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="help, About Leash">
+</object>
+<h3><a name="hid_about_leash32_comand"></a><b>About Leash</b></h3>
+<p>When you access this window from the Help menu, you see a Module
+list, three radio buttons, and a Properties button. Modules are
+executables and dll files that Leash may require.<br>
+</p>
+<p><img style="width: 471px; height: 269px;" alt="About Leash dialog"
+ title="About Leash dialog" src="..%5CImages%5CLeash_about_leash.jpg"><br>
+</p>
+<p>The radio buttons let you choose to view a list of:
+</p>
+<ul>
+ <li>Leash Modules - displays the modules that Leash currently has
+loaded for its own use; <br>
+ <br>
+ </li>
+ <li>All Modules - displays Leash modules as well as those loaded by
+the OS;<br>
+ <br>
+ </li>
+ <li>Missing Modules - displays modules that Leash needs for
+complete functionality but that are not found. (Leash can still
+function with some modules missing.). This is useful if part of Leash
+is missing; you can find which files are needed to restore full
+functionality. </li>
+</ul>
+<p>If you select a module and click on the Properties button, Leash
+displays the properties of the selected module - both the general
+properties and those of this particular version.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Kerberos Copyright</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="copyright, kerberos">
+</object>
+<p></p>
+<h1><a name="id_help_kcopyright"></a>Kerberos Copyright</h1>
+<p></p>
+<p>This software is being provided to you, the LICENSEE, by the
+Massachusetts Institute of Technology (M.I.T.) under the following
+license. By obtaining, using and/or copying this software, you agree
+that you have read, understood, and will comply with these terms and
+conditions: </p>
+<p>Permission to use, copy, modify and distribute this software and its
+documentation for any purpose and without fee or royalty is hereby
+granted, provided that you agree to comply with the following copyright
+notice and statements, including the disclaimer, and that the same
+appear on ALL copies of the software and documentation, including
+modifications that you make for internal use or for distribution:</p>
+<p>Copyright 1992-2004 by the Massachusetts Institute of Technology.
+All rights reserved. </p>
+<p>THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO
+REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. By way of example,
+but not limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
+MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE
+OF THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD
+PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. </p>
+<p>The name of the Massachusetts Institute of Technology or M.I.T. may
+NOT be used in advertising or publicity pertaining to distribution of
+the software. Title to copyright in this software and any associated
+documentation shall at all times remain with M.I.T., and USER agrees to
+preserve same.</p>
+<p>Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos,
+Moira, OLC, X Window System, and Zephyr are trademarks of the
+Massachusetts Institute of Technology (MIT). No commercial use of these
+trademarks may be made without prior written permission of MIT.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>AKLOG Command</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="kinit, man">
+</object>
+<p><h2><a name="id_help_kinit"></a>AKLOG Command</h2></p>
+<p>(from UNIX man page)</p>
+<pre><code>User Commands AKLOG(1)<br><br>NAME<br> aklog - Obtain tokens for authentication to AFS<br><br>SYNOPSIS<br> aklog [ -d ] [ -force ] [ -hosts ] [ -zsubs ] [ -noprdb ] [<br> [ -cell | -c ] cell [ -k kerberos-realm ] ] [ [ -path | -p ]<br> pathname ]<br><br>DESCRIPTION<br> The aklog program is used to authenticate to a cell or<br> directory in AFS, the Andrew Filesystem, by obtaining AFS<br> tokens. Ordinarily, aklog is not used directly but called by<br> attach(1).<br><br> If aklog is invoked with no command line arguments, it will<br> obtain tokens for the workstation's local cell. It is pos-<br> sible to invoke aklog with arbitrarily many cells and path-<br> names specified on the command line. aklog knows how to<br> expand cell name abbreviations, so short forms of cell names<br> can be use used. In addition, aklog understands the follow-<br> ing command line options:<br><br> -cell | -c cell<br> This flag is not ordinarily necessary since aklog can<br> usually figure out when an argument is a cell. It can<br> be used to introduce a cell name that would ordinarily<br> be mistaken for a path name if this should be required.<br> If this flag is omitted, an argument will be treated as<br> a cell name if it contains no slashes (/) and is neither<br> "." nor ".." .<br><br> -k kerberos-realm<br> This flag is valid only when immediately following the<br> name of a cell. It is used to tell aklog what kerberos<br> realm should be used while authenticating to the preced-<br> ing cell. This argument is unnecessary except when the<br> workstation is not properly configured. Ordinarily,<br> aklog can determine this information on its own.<br><br> -path | -p pathname<br> Like the -cell flag, this flag is usually unnecessary.<br> When it appears, the next command line argument is<br> always treated as a path name. Ordinarily, an argument<br> is treated as a path name if it is "." or ".." or if it<br> contains a slash (/).<br><br> -hosts<br> Prints all the server addresses which may act as a sin-<br> gle point of failure in accessing the specified direc-<br> tory path. Each element of the path is examined, and as<br> new volumes are traversed, if they are not replicated,<br> the server's IP address containing the volume will be<br> displayed. Attach(1) invokes aklog with this option.<br> The output is of the form<br><br> host: IP address<br><br> -zsubs<br> Causes the printing of the zephyr subscription informa-<br> tion that a person using a given path or cell would<br> want. Attach(1) invokes aklog with this option. The<br> output is of the form<br><br> zsub: instance<br><br> where instance is the instance of a class filsrv zephyr<br> subscription.<br><br> -noprdb<br> Ordinarily, aklog looks up the AFS ID corresponding to<br> the name of the person invoking the command. Specifying<br> this flag turns off this functionality. This may be<br> desirable if the protection database is unavailable for<br> some reason and tokens are desired anyway.<br><br> -d Turns on printing of debugging information. This option<br> is not intended for general users.<br><br> -force<br> Forces aklog to obtain new tokens even if the user<br> already appears to have tokens identical to the new ones<br> they would get. This option is most often required when<br> the user has recently been added to an AFS group.<br><br>EXIT CODES<br> The exit status of aklog will be one of the following:<br><br> 0 Success -- No error occurred.<br><br> 1 Usage -- Bad command syntax; accompanied by a usage<br> message.<br><br> 2 Something failed -- More than one cell or pathname was<br> given on the command line and at least one failure<br> occurred. A more specific error status is returned<br> when only one directive is given.<br><br> 3 AFS -- Unable to get AFS configuration or unable to get<br> information about a specific cell.<br><br> 4 Kerberos -- Unable to get tickets for authentication.<br><br> 5 Token -- Unable to get tokens.<br><br> 6 Bad pathname -- The path given was not a directory or<br> lstat(2) failed on some component of the pathname.<br><br> 7 Miscellaneous -- An internal failure occurred. For<br> example, aklog returns this if it runs out of memory.<br><br>EXAMPLES<br> To get tokens for the local cell:<br> % aklog<br><br> To get tokens for the athena.mit.edu cell:<br> % aklog athena.mit.edu<br> or<br> % aklog athena<br><br> To get tokens adequate to read<br> /afs/athena.mit.edu/user/p/potato:<br> % aklog /afs/athena.mit.edu/user/p/potato<br><br> To get tokens for a test cell that is in a test Kerberos<br> realm:<br> % aklog testcell.mit.edu -k TESTREALM.MIT.EDU<br><br>SEE ALSO<br> attach(1), tokens(1), unlog(1)<br><br><br></code></pre>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>KDESTROY Command</TITLE>
+</HEAD>
+
+<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
+
+<OBJECT TYPE="application/x-oleobject" CLASSID="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e">
+ <PARAM NAME="Keyword" VALUE="kdestroy, man">
+</OBJECT>
+
+<P><h2><A NAME="id_help_kdestroy"></A>KDESTROY Command</h2></P>
+
+<P>(from UNIX man page)</P>
+
+<PRE><CODE>User Commands KDESTROY ( 1 )
+
+NAME
+ kdestroy - destroy Kerberos tickets
+
+SYNOPSIS
+ kdestroy [-5] [-4] [-q] [-c cache_name]
+
+DESCRIPTION
+
+ The kdestroy utility destroys the user's active Kerberos
+ authorization tickets by writing zeros to the specified credentials
+ cache that contains them. If the credentials cache is not specified,
+ the default credentials cache is destroyed. If kdestroy was built with
+ Kerberos 4 support, the default behavior is to destroy both Kerberos 5
+ and Kerberos 4 credentials. Otherwise, kdestroy will default to
+ destroying only Kerberos 5 credentials.
+
+OPTIONS
+
+ -5 destroy Kerberos 5 credentials. This overrides whatever the
+ default built-in behavior may be. This option may be used with -4
+
+ -4 destroy Kerberos 4 credentials. This overrides whatever the
+ default built-in behavior may be. This option is only available
+ if kinit was built with Kerberos 4 compatibility. This option may
+ be used with -5
+
+ -q Run quietly. Normally kdestroy beeps if it fails to destroy the
+ user's tickets. The -q flag suppresses this behavior.
+
+ -c cache_name
+ use cache_name as the credentials (ticket) cache name and
+ location; if this option is not used, the default cache name and
+ location are used.
+
+ The default credentials cache may vary between systems. If the
+ KRB5CCNAME environment variable is set, its value is used to name the
+ default ticket cache.
+
+ Most installations recommend that you place the kdestroy command in
+ your .logout file, so that your tickets are destroyed automatically
+ when you log out.
+
+ENVIRONMENT
+ Kdestroy uses the following environment variables:
+
+ KRB5CCNAME Location of the Kerberos 5 credentials (ticket) cache.
+
+ KRBTKFILE Filename of the Kerberos 4 credentials (ticket) cache.
+
+FILES
+ /tmp/krb5cc_[uid] default location of Kerberos 5 credentials cache
+ ([uid] is the decimal UID of the user).
+
+ /tmp/tkt[uid] default location of Kerberos 4 credentials cache ([uid]
+ is the decimal UID of the user).
+
+SEE ALSO
+ kinit(1), klist(1), krb5(3)
+
+BUGS
+ Only the tickets in the specified credentials cache are
+ destroyed. Separate ticket caches are used to hold root instance and
+ password changing tickets. These should probably be destroyed too,
+ or all of a user's tickets kept in a single credentials cache.</CODE></PRE>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>KINIT Command</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="kinit, man">
+</object>
+<p><h2><a name="id_help_kinit"></a>KINIT Command</h2></p>
+<p>(from UNIX man page)</p>
+<pre><code>User Commands KINIT(1)<br><br>NAME<br> kinit - obtain and cache Kerberos ticket-granting ticket<br><br>SYNOPSIS<br> kinit<br> [-5] [-4] [-V] [-l lifetime] [-s start_time] [-r<br> renewable_life] [-p | -P] [-f | -F] [-A] [-v] [-R] [-k<br> [-t keytab_file]] [-c cache_name] [-S service_name]<br> [principal]<br><br>DESCRIPTION<br> kinit obtains and caches an initial ticket-granting ticket<br> for principal.Thetypicaldefaultbehavior Kerberos 5 tickets.<br> However, if kinit was built with both Kerberos 4 support and<br> with the default behavior of acquiring both types of tick-<br> ets, it will try to acquire both Kerberos 5 and Kerberos 4<br> by default. Any documentation particular to Kerberos 4 does<br> not apply if Kerberos 4 support was not built into kinit.<br><br>OPTIONS<br> -5 get Kerberos 5 tickets. This overrides whatever the<br> default built-in behavior may be. This option may be<br> used with -4<br><br> -4 get Kerberos 4 tickets. This overrides whatever the<br> default built-in behavior may be. This option is only<br> available if kinit was built with Kerberos 4 compati-<br> bility. This option may be used with -5<br><br> -V display verbose output.<br><br> -l lifetime<br> requests a ticket with the lifetime lifetime. The<br> value for lifetime must be followed immediately by one<br> of the following delimiters:<br><br> s seconds<br> m minutes<br> h hours<br> d days<br><br> as in "kinit -l 90m". You cannot mix units; a value of<br> `3h30m' will result in an error.<br><br> If the -l option is not specified, the default ticket<br> lifetime (configured by each site) is used. Specifying<br> a ticket lifetime longer than the maximum ticket life-<br> time (configured by each site) results in a ticket with<br> the maximum lifetime.<br><br> -s start_time<br> requests a postdated ticket, valid starting at<br> start_time. Postdated tickets are issued with the<br> invalid flag set, and need to be fed back to the kdc<br> before use. (Not applicaple to Kerberos 4.)<br><br> -r renewable_life<br> requests renewable tickets, with a total lifetime of<br> renewable_life. The duration is in the same format as<br> the -l option, with the same delimiters. (Not applica-<br> ple to Kerberos 4.)<br><br> -f request forwardable tickets. (Not applicaple to Ker-<br> beros 4.)<br><br> -F do not request forwardable tickets. (Not applicaple to<br> Kerberos 4.)<br><br> -p request proxiable tickets. (Not applicaple to Kerberos<br> 4.)<br><br> -P do not request proxiable tickets. (Not applicaple to<br> Kerberos 4.)<br><br> -A request address-less tickets. (Not applicaple to Ker-<br> beros 4.)<br><br> -v requests that the ticket granting ticket in the cache<br> (with the invalid flag set) be passed to the kdc for<br> validation. If the ticket is within its requested time<br> range, the cache is replaced with the validated ticket.<br> (Not applicaple to Kerberos 4.)<br><br> -R requests renewal of the ticket-granting ticket. Note<br> that an expired ticket cannot be renewed, even if the<br> ticket is still within its renewable life. When using<br> this option with Kerberos 4, the kdc must support Ker-<br> beros 5 to Kerberos 4 ticket conversion.<br><br> -k [-t keytab_file]<br> requests a host ticket, obtained from a key in the<br> local host's keytab file. The name and location of the<br> keytab file may be specified with the -t keytab_file<br> option; otherwise the default name and location will be<br> used. When using this option with Kerberos 4, the kdc<br> must support Kerberos 5 to Kerberos 4 ticket conver-<br> sion.<br><br> -c cache_name<br> use cache_name as the Kerberos 5 credentials (ticket)<br> cache name and location; if this option is not used,<br> the default cache name and location are used.<br><br> The default credentials cache may vary between systems.<br><br> If the KRB5CCNAME environment variable is set, its<br> value is used to name the default ticket cache. Any<br> existing contents of the cache are destroyed by kinit.<br> (Note: The default name for Kerberos 4 comes from the<br> KRBTKFILE environment variable. This option does not<br> apply to Kerberos 4.)<br><br> -S service_name<br> specify an alternate service name to use when getting<br> initial tickets. (Applicable to Kerberos 5 or if using<br> both Kerberos 5 and Kerberos 4 with a kdc that supports<br> Kerberos 5 to Kerberos 4 ticket conversion.)<br><br>ENVIRONMENT<br> Kinit uses the following environment variables:<br><br> KRB5CCNAME Location of the Kerberos 5 credentials<br> (ticket) cache.<br><br> KRBTKFILE Filename of the Kerberos 4 credentials<br> (ticket) cache.<br><br>FILES<br> /tmp/krb5cc_[uid] default location of Kerberos 5 creden-<br> tials cache ([uid] is the decimal UID of<br> the user).<br><br> /tmp/tkt[uid] default location of Kerberos 4 credentials<br> cache ([uid] is the decimal UID of the user).<br><br> /etc/krb5.keytab<br> default location for the local host's keytab<br> file.<br><br>SEE ALSO<br> klist(1), kdestroy(1), krb5(3)<br><br><br></code></pre>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>KLIST Command</TITLE>
+</HEAD>
+
+<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
+
+<OBJECT TYPE="application/x-oleobject" CLASSID="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e">
+ <PARAM NAME="Keyword" VALUE="klist, man">
+</OBJECT>
+
+<P><h2><A NAME="id_help_klist"></A>KLIST Command</h2></P>
+
+<P>(from UNIX man page)</P>
+
+<PRE><CODE>User Commands KLIST ( 1 )
+
+NAME
+ klist - list cached Kerberos tickets
+
+SYNOPSIS
+ klist [-5] [-4] [-e] [[-c] [-f] [-s] [-a [-n]]] [-k [-t] [-K]]
+ [cache_name | keytab_name]
+
+DESCRIPTION
+
+ Klist lists the Kerberos principal and Kerberos tickets held in a
+ credentials cache, or the keys held in a keytab file. If klist was
+ built with Kerberos 4 support, the default behavior is to list both
+ Kerberos 5 and Kerberos 4 credentials. Otherwise, klist will default
+ to listing only Kerberos 5 credentials.
+
+OPTIONS
+ -5 list Kerberos 5 credentials. This overrides whatever the default
+ built-in behavior may be. This option may be used with -4
+
+ -4 list Kerberos 4 credentials. This overrides whatever the default
+ built-in behavior may be. This option is only available if kinit was
+ built with Kerberos 4 compatibility. This option may be used with -5
+
+ -e displays the encryption types of the session key and the ticket
+ for each credential in the credential cache, or each key in the
+ keytab file.
+
+ -c List tickets held in a credentials cache. This is the default if
+ neither -c nor -k is specified.
+
+ -f shows the flags present in the credentials, using the following
+ abbreviations:
+
+ F Forwardable
+ f forwarded
+ P Proxiable
+ p proxy
+ D postDateable
+ d postdated
+ R Renewable
+ I Initial
+ i invalid
+
+ -s causes klist to run silently (produce no output), but to still set
+ the exit status according to whether it finds the credentials cache.
+ The exit status is `0' if klist finds a credentials cache, and `1' if
+ it does not.
+
+ -a display list of addresses in credentials.
+
+ -n show numeric addresses instead of reverse-resolving addresses.
+
+ -k List keys held in a keytab file.
+
+ -t display the time entry timestamps for each keytab entry in the
+ keytab file.
+
+ -K display the value of the encryption key in each keytab entry in
+ the keytab file.
+
+ If cache_name or keytab_name is not specified, klist will display the
+ credentials in the default credentials cache or keytab file as
+ appropriate. If the KRB5CCNAME environment variable is set, its
+ value is used to name the default ticket cache.
+
+ENVIRONMENT
+ Klist uses the following environment variables:
+
+ KRB5CCNAME Location of the Kerberos 5 credentials (ticket) cache.
+
+ KRBTKFILE Filename of the Kerberos 4 credentials (ticket) cache.
+
+FILES
+ /tmp/krb5cc_[uid] default location of Kerberos 5 credentials cache
+ ([uid] is the decimal UID of the user).
+
+ /tmp/tkt[uid] default location of Kerberos 4 credentials cache ([uid]
+ is the decimal UID of the user).
+
+ /etc/krb5.keytab
+ default location for the local host's keytab file.
+
+SEE ALSO
+ kinit(1), kdestroy(1), krb5(3)</CODE></PRE>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>MS2MIT Command</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="kinit, man">
+</object>
+<p><h2><a name="id_help_kinit"></a>MS2MIT Command</h2></p>
+<pre><code>NAME<br> ms2mit - import Kerberos credentials from the current Windows Logon <br> Session and insert them into the Kerberos for Windows <br> default Credentials Cache<br><br>SYNOPSIS<br> ms2mit<br><br>DESCRIPTION<br><br> <br><br>SEE ALSO<br> klist(1), kdestroy(1), krb5(3)</code></pre>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Leash Copyright</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="copyright, Leash">
+</object>
+<p></p>
+<h1><a name="id_kfw_manpages"></a>Kerberos for Windows Command Line Tools Manpages</h1>
+<p></p>
+<p>This section reproduces the manpages for the Kerberos for Windows command line tools.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Leash Commands</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject" classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e">
+<param name="Keyword" value="commands">
+</object>
+<p></p>
+<h2><a name="id_help_commands"></a><a name="hid_leash_commands"></a>Leash Commands</h2>
+<p></p>
+<p>File:<br>
+<img style="width: 232px; height: 52px;" alt="File menu"
+ title="File menu" src="..%5CImages%5CLeash_menu_file.jpg"><br>
+</p>
+<p><a href="leash_file_exit.htm">Exit</a></p>
+<p>Action:<br>
+<img style="width: 288px; height: 223px;" alt="Action Menu"
+ title="Action Menu" src="..%5CImages%5Cleash_menu_action.jpg"><br>
+</p>
+<p><a href="leash_command_get_tickets.htm#id_help_get">Get Ticket(s)/Token(s)</a></p>
+<p><a href="leash_command_renew_tickets.htm#id_help_renew">Renew Ticket(s)/Token(s)</a></p>
+<p><a href="leash_command_import_tickets.htm#id_help_import">Import Ticket(s)/Token(s)</a></p>
+<p><a href="leash_command_destroy_tickets.htm">Destroy Ticket(s)/Token(s)</a></p>
+<p><a href="leash_command_change_password.htm">Change Password </a></p>
+<p><a href="leash_command_reset_window.htm">Reset Window Size/Pos </a></p>
+<p><a href="leash_command_sync_time.htm">Synchronize Time </a></p>
+<p><a href="leash_command_update_display.htm#hid_update_display_command">Update Display </a></p>
+<p>View:<br>
+<img style="width: 232px; height: 116px;" alt="View menu"
+ title="View menu" src="..%5CImages%5CLeash_menu_view.jpg"><br>
+</p>
+<p><a href="leash_view_large_icons.htm">Large Icons </a></p>
+<p><a href="leash_view_toolbar.htm">Toolbar </a></p>
+<p><a href="leash_view_status_bar.htm">Status Bar </a></p>
+<p><a href="leash_view_debug_window.htm">Debug Window </a></p>
+<p>Options:<br>
+<img style="width: 416px; height: 233px;" alt="Options menu"
+ title="Options menu" src="..%5CImages%5CLeash_menu_options.jpg"><br>
+</p>
+<p><a href="leash_option_upper_case_realm.htm">Upper Case Realm Name </a></p>
+<p><a href="leash_option_expiration_alarm.htm">Expiration Alarm </a></p>
+<p><a href="leash_option_destroy_tickets_on_exit.htm">Destroy Tickets/Tokens on Exit </a></p>
+<p><a href="leash_option_leash_properties.htm">Leash Properties\85</a></p>
+<p><a href="leash_option_kerberos_properties.htm">Kerberos Properties </a></p>
+<p><a href="leash_option_krb4_properties.htm">Kerberos v4 Properties\85</a></p>
+<p><a href="leash_option_krb5_properties.htm">Kerberos v5 Properties\85</a></p>
+<p><a href="leash_option_afs_properties.htm">AFS Properties </a></p>
+<p><u>Help:<br>
+<img style="width: 320px; height: 52px;" alt="Help menu"
+ title="Help menu" src="..%5CImages%5CLeash_menu_help.jpg"><br>
+</u></p>
+<p><a href="leash_help_about_leash32.htm">About Leash...</a></p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Why Use</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="help, Why use Leash">
+</object>
+<p><b>Why Use Leash</b></p>
+<p>This command, found under the Help menu, starts Leash help (the
+document you are currently viewing).</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>AFS Properties Command</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="properties, AFS"> <param name="Keyword"
+ value="key, Ctrl+A">
+</object>
+<h3><a name="hid_afs_properties_command"></a><b>AFS Properties Command,
+Ctrl+A</b></h3>
+<p>The AFS Properties dialog can be found on the Options menu when AFS
+is available.</p>
+<p><img style="width: 550px; height: 178px;" alt="AFS Properties Dialog"
+ title="AFS Properties Dialog"
+ src="..%5CImages%5CLeash_properties_afs.jpg"><br>
+</p>
+<p>There is a radio button pair to enable or disable the retrieval and
+display of AFS tokens. There is also an AFS Properties button to bring
+up the AFS Client Configuration program in order to alter settings for
+Client Properties, Cell Hosts, and Submounts.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Automatic Ticket Renewal Option</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="expiration">
+</object>
+<h3><a name="hid_low_ticket_alarm_option"></a><b>Automatic Ticket
+Renewal Option</b></h3>
+When Automatic Ticket Renewal is on, whenever tickets (or tokens) are
+near expiration (within 15 minutes) Leash will attempt to extend the
+ticket lifetime either via ticket renewal or ticket importation.
+If these attempts fail, Leash will display the ticket initialization
+dialog. In this way, Leash ensures that there are always valid
+Kerberos tickets (and AFS tokens).<br>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Destroy Tickets/Tokens on Exit Option</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="destroy">
+</object>
+<h3><a name="hid_destroy_tickets_on_exit"></a><b>Destroy Tickets/Tokens
+on Exit Option</b></h3>
+<p>If this option is selected under the Options menu, Leash destroys
+your tickets and tokens when you Exit Leash; otherwise, the tickets
+remain. This option is turned off by default. </p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Low Ticket/Token Time Alarm Option</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="expiration">
+</object>
+<h3><a name="hid_low_ticket_alarm_option"></a><b>Expiration Alarm Option</b></h3>
+<p>Leash will always pop up windows with warnings that your tickets are
+about to expire, beginning 15 minutes before the time of expiration and
+continuing every 5 minutes. However, when this option is selected under
+the Options menu, a bell will ring as well. </p>
+<p>When you view your tickets and tokens, those shown in yellow are due
+to expire in less than 15 minutes; those in green have 15 minutes or
+greater. (A red ticket is one you have but is expired; gray tickets are
+not available to you at the current time, because Leash or your machine
+is missing a requisite module or piece of functionality.)<br>
+</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Kerberos Properties Command</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="properties, Kerberos"> <param name="Keyword"
+ value="key, Ctrl+K">
+</object>
+<h3><a name="hid_kerberos_properties_command"></a><b>Kerberos Properties Command, Ctrl+K</b></h3>
+<p>When you select this from the Options menu, Leash will display a
+tabbed window. The box within this window has four tabs: <br>
+</p>
+<ul>
+ <li>Default Realm Configuration</li>
+ <li>Ticket Lifetime and Other Initialization Options<br>
+ </li>
+ <li>Realm/Server Mapping<br>
+ </li>
+ <li>DNS/Realm Mapping.</li>
+</ul>
+<p><i>Default Realm Configuration:<br>
+<img style="width: 623px; height: 558px;"
+ alt="Default Realm Configuration" title="Default Realm Configuration"
+ src="..%5CImages%5CLeash_properties_krb_1.jpg"><br>
+</i></p>
+<p>There are two groups, the <span style="font-weight: bold;">Kerberos
+Realm/Host Server</span> and the <span style="font-weight: bold;">Computer
+Host/Domain Name</span>. </p>
+<p>Kerberos Realm/Host Server: In the <span style="font-weight: bold;">Your
+Kerberos Realm</span> field, select a Kerberos realm from the dropdown
+list. The list is editable using the Realm/Server Mapping tab. Leash
+automatically fills in your Kerberos server with the first server in
+the "Servers Hosting a KDC" list on the Realm/Server Mappings tab. </p>
+<p>Computer Host/Domain Name: The field labeled <span
+ style="font-weight: bold;">Your Computer's Host Name</span> displays
+the name of your local machine. The <span
+ style="font-weight: bold;">Your Computer's Domain Name</span> field
+displays the domain to which your local machine currently belongs.<br>
+</p>
+<p><i>Ticket Lifetime and Other Initialization Options:<br>
+<img style="width: 623px; height: 558px;" alt="Ticket Lifetime"
+ title="Ticket Lifetime" src="..%5CImages%5CLeash_properties_krb_2.jpg"><br>
+</i></p>
+<p>
+</p>
+<>There are two expiration times associated with Kerberos
+tickets. The first specifies the length of the time period during
+which the tickets are valid for use. The second specifies the
+length of the renewable lifetime. Valid Kerberos tickets may have
+their valid use lifetime repeatedly extended up until the renewable
+lifetime expires. The settings on this page are used to configure
+default lifetime values for Leash to use when requesting Kerberos
+tickets from the Kerberos server (key distribution center). The
+Kerberos server may issue tickets with shorter lifetimes than were
+requested.<br>
+<br>
+The minimum and maximum values are used by the ticket initialization
+dialog box when constructing the Lifetime and Renewable Lifetime
+sliders. These sliders can be used to modify the requested ticket
+lifetimes when Kerberos tickets are initialized.<br>
+<br>
+When the <b>Request Kerberos 4
+credentials</b> button is checked, Leash will attempt to retrieve
+Kerberos 4
+credentials when ticket initialization, renewal, or importation is
+performed.<span style=""> </span>Leash will attempt a Kerberos
+5 to Kerberos 4 conversion and if that fails an initial Kerberos 4
+ticket
+request will be generated.<span style=""> </span>Kerberos
+realms are increasingly configured to support on Kerberos 5.<span
+ style=""> </span>If the realms you use do not support Kerberos
+4 it is suggested that this button be unchecked.</>
+<><o:p> </o:p><br>
+<br>
+When the <b style="">Preserve Ticket Initialization Options</b> button
+is checked, changes
+to the Lifetime, Renewable Lifetime, and Kerberos 5 ticket properties
+on the
+Ticket Initialization Dialog will be saved as the new default values
+for the
+current user. <o:p></o:p></>
+<p>
+</p>
+<p><i>Realm/Server Mapping</i>:<br>
+<img style="width: 623px; height: 558px;" alt="Realm / Server Mapping"
+ title="Realm / Server Mapping"
+ src="..%5CImages%5CLeash_properties_krb_3.jpg"><br>
+</p>
+The <span style="font-weight: bold;">Kerberos Realms</span> list box
+is used to add, remove or rename realms from the local Kerberos
+configuration files. To add a new realm, click on the Insert button
+beneath the Kerberos Realms list box. In the dialog, type the
+name of the new realm and click OK. However, for the realm to be
+inserted, it needs one or more servers. Immediately after you
+enter the new realm name, you will be prompted for the names of one
+Kerberos server in that realm. If you do not enter a server name,
+Leash will not insert the realm.<br>
+<br>
+To add servers to an existing realm, select the realm from the Kerberos
+Realms list box and click the Insert button under Servers Hosting a KDC
+list box. You will be prompted for the name of the new
+server. You can also remove servers, and designate either one or
+none as the administrative server. (The administrative server is
+the preferred server for performing password changes.) <br>
+<br>
+By clicking and dragging on the server that you want to move, you can
+change their order; this is important because the server listed at the
+top appears in this window under the <span style="font-weight: bold;">Default
+Realm Configuration</span> tab as the value for <span
+ style="font-weight: bold;">Your Kerberos Server</span>.<br>
+<br>
+The <span style="font-weight: bold;">Use DNS KDC Lookup</span>
+checkbox is used to specify whether or not Kerberos should utilize the
+domain name service to attempt to find Kerberos Servers when the
+existing listed servers are not available.<br>
+<br>
+<p><i>DNS/Realm Mapping</i>:<br>
+<img style="width: 623px; height: 558px;" alt="DNS / Realm Mapping"
+ title="DNS / Realm Mapping"
+ src="..%5CImages%5CLeash_properties_krb_4.jpg"><br>
+</p>
+<p>Each entry here consists of two portions: the domain name (such as
+.mit.edu) or hostname (such as dialup.athena.mit.edu) followed by a
+space and the Kerberos realm (such as ATHENA.MIT.EDU) which is used by
+that domain or machine. You can insert new entries, edit existing
+ones, or delete old entries.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Kerberos Four Properties Command</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="properties, Kerberos4"> <param name="Keyword"
+ value="key, Ctrl+4">
+</object>
+<h3><a name="hid_krb4_properties_command"></a><b>Kerberos v4 Properties\85 Command, Ctrl+4</b></h3>
+<p>The Kerberos v4 Properties dialog is accessible from the Options
+menu. <br>
+</p>
+<p><img style="width: 623px; height: 513px;"
+ alt="Kerberos Four Properties" title="Kerberos Four Properties"
+ src="..%5CImages%5CLeash_properties_krb4.jpg"><br>
+</p>
+<p>Here, you can specify the name of the in-memory cache used to store
+the Kerberos 4 tickets. The format of the name is \93API:\94 followed
+by the cache name. Disk caches are not supported by Kerberos for
+Windows.<br>
+<br>
+The paths to the Kerberos 4 configuration files: krb.con and
+krbrealm.con may be changed from this dialog if necessary. The
+default is to store the configuration files in the Windows directory.<br>
+<br>
+</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Kerberos Five Properties Command</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="properties, Kerberos5"> <param name="Keyword"
+ value="key, Ctrl+5">
+</object>
+<h3><a name="hid_krb5_properties_command"></a><b>Kerberos v5 Properties Command, Ctrl+5</b></h3>
+The Kerberos v5 Properties dialog is accessible from the Options menu.
+This dialog has two tabs: <span style="font-weight: bold;">File
+Location</span> and <span style="font-weight: bold;">Configuration
+Options</span>.<br>
+<br>
+<span style="font-style: italic;">File Location:</span><br>
+<br>
+<img style="width: 633px; height: 477px;"
+ alt="Kerberos Five Properties: File Location"
+ title="Kerberos Five Properties: File Location"
+ src="..%5CImages%5CLeash_properties_krb5_1.jpg"><br>
+<br>
+<p class="MsoBodyTextIndent2" style="text-indent: 0in;">The <b>File
+Location</b>
+tab allows you to specify the location of the default Kerberos 5 ticket
+cache and
+configuration file.<span style=""> </span>The <b style="">Ticket
+File </b>field specifies the name of
+the in-memory cache (Ticket File) used to store the Kerberos 5 tickets.<span
+ style=""> </span>The format of the name is \93API:\94 followed by
+the cache name or "MSLSA:".<span style=""> </span>Disk caches
+(type "FILE:") are not
+supported by Kerberos for Windows.<span style=""> </span>The <b
+ style="">Configuration File </b>field specifies the
+path to the Kerberos 5 configuration file, krb5.ini.<span style="">
+</span>If <b style="">Confirm
+that new configuration file exists</b> is checked when the
+configuration file
+location is changed, then Leash will not accept values which are not
+pre-existing Kerberos 5 configuration files.<br>
+</p>
+<p class="MsoBodyTextIndent2" style="text-indent: 0in;"><span
+ style="font-style: italic;"><br>
+Configuration Options:</span><br>
+</p>
+<p class="MsoBodyTextIndent2" style="text-indent: 0in;"><img
+ style="width: 633px; height: 477px;"
+ alt="Kerberos Five Properties: Configuration Options"
+ title="Kerberos Five Properties: Configuration Options"
+ src="..%5CImages%5CLeash_properties_krb5_2.jpg"><br>
+</p>
+<p class="MsoBodyTextIndent2" style="text-indent: 0in;"></p>
+<p class="MsoNormal">On the <b style="">Configuration
+Options</b> page, you provide default attribute values to be used when
+requesting Kerberos 5 tickets from the Kerberos server.<span style="">
+</span></p>
+<p class="MsoNormal">When <b style="">Forwardable </b>tickets
+are received from the Kerberos Server, these tickets can be forwarded
+to a
+remote host when you connect via telnet, ssh, ftp, rlogin, or similar
+applications.<span style=""> </span>When tickets are
+forwarded, there is no need to obtain Kerberos tickets again to access
+Kerberized
+services on the remote host. </p>
+<p class="MsoNormal">When <b style="">Proxiable </b>tickets
+are received from the Kerberos Server, these tickets can be passed onto
+Kerberized services which can in turn act on your behalf.<span style=""> </span><o:p> </o:p></p>
+<p class="MsoNormal">When <b style="">Renewable</b>
+tickets are received from the Kerberos Server, the ticket lifetimes may
+be
+renewed without prompting the user for her password.<span style="">
+</span>This allows Kerberos tickets to be issued
+with short lifetimes allowing compromised accounts to be disabled on
+short
+notice without requiring the user to enter a password every few hours.<span
+ style=""> </span>When combined with <b style="">Automatic
+Ticket Renewal </b>(Option menu), Leash can maintain valid
+tickets for a week, a month, or longer by automatically renewing
+tickets prior
+to their expiration.<span style=""> </span>The ability to
+renew tickets without a password is limited by the ticket\92s renewable
+lifetime as
+issued by the Kerberos Server.<o:p></o:p></p>
+<p class="MsoNormal">Traditionally, Kerberos tickets have included a
+list of
+network addresses within the tickets.<span style="">
+</span>This address list restricts the use of the tickets to the
+computers
+which are assigned those addresses.<span style=""> </span>The
+use of address lists has become a headache for many users of Kerberos
+on
+network connections which use either Network Address Translation
+(Cable/DSL
+routers) or Network Address Hiding (VPN) capabilities.<span style="">
+</span>On these networks the address of the client
+machine appears to be different to the network service than it does to
+the
+client.<span style=""> </span>The result is the Kerberos
+ticket is deemed to be invalid by the service even though it has not been
+stolen.<span style=""> </span>When <b style="">No Addresses </b>is
+checked, Kerberos will not insert an address list
+into the Kerberos tickets.<span style=""> </span>For
+Kerberized services which do not require address lists, this will
+enable
+Kerberos to be used across NAT and VPN based connections.<span style=""> </span><o:p> </o:p></p>
+<p class="MsoNormal">Note 1:<span style=""> </span>As of
+Kerberos 5 release 1.3, the library default is to disable the use of
+address
+lists.<span style=""> </span>Leash will detect the setting
+from the Kerberos 5 configuration and check the <b style="">No
+Addresses</b> box.<span style=""> </span>If you
+attempt to re-enable address lists while the library is configured to
+disable
+them , Leash will warn you that the Kerberos 5 configuration file must
+be
+altered. <span style=""> </span><o:p> </o:p></p>
+<p class="MsoNormal">Note 2: Distributed Computing Environment (DCE)
+servers
+require the use of address lists.</p>
+<br>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Leash Properties Command</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="properties, Leash"> <param name="Keyword"
+ value="key, Ctrl+L">
+</object>
+<h3><a name="hid_leash_properties_command"></a><b>Leash Properties\85 Command, Ctrl+L</b></h3>
+<p>
+</p>
+<p class="MsoNormal">The Leash Properties dialog, located on the
+Options menu,
+allows you to configure operational properties specific to the Leash
+application which are not accessible directly via the Options menu.</p>
+<p><br>
+<img style="width: 578px; height: 377px;" alt="Leash Properties"
+ title="Leash Properties" src="..%5CImages%5CLeash_properties_leash.jpg"></p>
+<p class="MsoNormal">Here you can set a time server from which Leash
+will obtain
+the correct time.<span style=""> </span>Leash needs the
+correct time because of the time dependencies in Kerberos tickets.<span
+ style=""> </span>When you specify a time server, Leash tries
+to get the time from that server when you next run the Synchronize Time
+command.<span style=""> </span>The default value for the time
+server is "time".<span style=""> </span>If access to
+a time server were to fail, Leash would notify you, and revert to the
+server
+"time".<span style=""> </span>Whichever server
+succeeds, Leash would tell you where it found the time.<span style="">
+</span>See the Synchronize Time command for more
+information.</p>
+<p class="MsoNormal">
+</p>
+<p class="MsoNormal">The <b style="">Automatic MSLSA
+Ticket Importation</b> radio buttons allow you to configure how Leash
+interacts
+with the Microsoft Kerberos Authentication Provider.<span style="">
+</span>Leash will automatically import Kerberos
+Tickets from the Microsoft LSA at startup depending upon the selected
+option
+and whether or not the Kerberos Authentication Provider was used for
+Windows
+Logon authorization.<span style=""> </span><b style="">Never</b>
+means do not import tickets from
+the MSLSA; <b style="">Always</b> means do import
+tickets from the MSLSA; and <b style="">When MSLSA
+Principal matches Default Realm</b> means import tickets from the MSLSA
+only if
+the Kerberos principal belongs to the Kerberos Realm specified within
+the <u style="">Kerberos Properties Dialog.</u><o:p></o:p></p>
+<p class="MsoNormal"><o:p></o:p></p>
+<p class="MsoNormal">When <b>Request Kerberos 4 credentials</b> is
+checked, Leash
+will attempt to retrieve Kerberos 4 credentials when ticket
+initialization,
+renewal, or importation is performed.<span style="">
+</span>Leash will attempt a Kerberos 5 to Kerberos 4 conversion and if
+that
+fails an initial Kerberos 4 ticket request will be generated.<span
+ style=""> </span>Kerberos realms are increasingly configured
+to support on Kerberos 5.<span style=""> </span>If the realms
+you use do not support Kerberos 4 it is suggested that this button be
+unchecked.</p>
+<p class="MsoNormal">The <b>Restore Leash Defaults</b> button is used
+to restore
+user configurable Leash settings to the defaults as configured either
+by the
+local machine system administrator or by the Kerberos for Windows
+distribution.<br>
+<br>
+</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Upper Case Realm Name Option</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="uppercase">
+</object>
+<h3><a name="hid_uppercase_realm_option"></a><b>Upper Case Realm Name
+Option</b></h3>
+<p>
+</p>
+<p class="MsoNormal">The default for this (accessible from the Options
+menu) is
+on; when this option is selected, the Kerberos realm name that you type
+(such
+as ATHENA.MIT.EDU) is converted to upper case regardless of how you
+type it.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>KERBEROS</TITLE>
+</HEAD>
+
+<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
+
+<OBJECT TYPE="application/x-oleobject" CLASSID="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e">
+ <PARAM NAME="Keyword" VALUE="about">
+</OBJECT>
+
+<P><H2><A NAME="id_help_kerberos"></A><A NAME="hid_about_kerberos"></A>About Kerberos</H2></P>
+
+<P>In Greek myth, the three-headed dog Kerberos guarded the gates of Hades.
+These days, Kerberos is an <A
+HREF="leas6oyq.htm#id_help_authentic">authentication</A> service developed at
+MIT for open network computing environments such as MITnet. Kerberos verifies
+that you are who you claim to be by matching your username and password,
+called a Kerberos <A HREF="leash_topic_kerberos_principal.htm#id_help_principal">principal</A>, to a
+private key encryption. </P>
+
+<P>When you start an application that relies on Kerberos authentication, you
+must identify yourself by giving your Kerberos principal. The Kerberos service
+checks to make sure that your name and password match the encrypted key before
+it gives you access to the service you have requested. The security of the
+network environment is maintained by never sending your unencrypted Kerberos
+password over the network. </P>
+
+<P>To use the Athena system, you must have a Kerberos username and password.
+Some Macintosh and Windows applications at MIT that use Kerberos to
+authenticate a user's identity are Eudora, Zephyr and AFS.</P>
+
+<P><B>See Also</B></P>
+
+<P><A HREF="leash_topic_kerberos_auth_service.htm">An Authentication Service for Open Network
+Systems</A></P>
+
+<P>(This technical description of Kerberos, by Steiner, Neuman, and Schiller,
+is available via anonymous ftp from athena-dist.mit.edu,
+/pub/kerberos/doc/usenix.txt.)</P>
+
+<P><A HREF="leash_topic_kerberos_principals.htm">Kerberos: How Does the Other Guy Know Who I
+Am?</A>.</P>
+
+<P>(This basic introduction to Kerberos and definitions of Kerberos-related
+terms is available in the SIPB publication <I>An Inessential Guide to
+Athena</I>.)</P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Kerberos Error 57</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="error, 57">
+</object>
+<p><h2><a name="krb_unknown_realm"></a><span style="font-weight: bold;">Kerberos Error 57: Cannot contact the Kerberos server for the selected realm.</span></h2></p>
+<p>This error has three common causes:</p>
+<p>1.The realm is misspelled, e.g. pbh@AHTENA.MIT.EDU instead of
+pbh@ATHENA.MIT.EDU (realms are case sensitive).</p>
+<p>2.Your krb.con file contains an entry for ATHENA.MIT.EDU but not
+athena.mit.edu.</p>
+<p>3.The realm is missing from your KRB.CON file, which should be
+located in your \net\kerb directory. If you suspect the problem is with
+your KRB.CON file, either call the Network Help Desk, 3-4101, or copy
+the /etc/krb.conf file from a nearby UNIX workstation to your
+\net\kerb\krb.con file.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Kerberos Error 62</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="error, 62">
+</object>
+<p><h2><a name="krb_incorr_passwd"></a><span style="font-weight: bold;">Kerberos Error 62: Password incorrect.</span></h2></p>
+<p>This means that either you have misspelled your password or you have
+gotten the case wrong. Check the state of your CAPS Lock key.</p>
+<p>Characters do not echo to the screen or cause a beep when you type
+your password so that nearby users won't be able to tell how many
+letters are in your password.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Kerberos Error 8</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="error, 8">
+</object>
+<p><h2><a name="krb_unknown_user"></a><span style="font-weight: bold;">Kerberos Error 8: Unknown username, instance, or realm.</span></h2></p>
+<p>This error usually occurs when the username is not known for the
+designated realm. For example, at the time of this writing, there is no
+user "zzwn" in the Athena realm, so entering zzwn as a username will
+generate this error. </p>
+<p>Check the entered username or realm name for spelling mistakes or
+the wrong case.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Invalid Principle</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="error, invalid principal">
+</object>
+<p><h2><a name="lsh_invprincipal"></a><span style="font-weight: bold;">Invalid principal.</span></h2></p>
+<p>This usually means that you just clicked on the OK button or pressed
+Enter without typing your username. </p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>An Authentication Service for Open Network Systems</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="Kerberos">
+</object>
+<p><b><a name="id_help_usenix88"></a><i>Kerberos</i>: An Authentication
+Service for Open Network Systems</b></p>
+<p style="text-align: center;"><i>Jennifer G. Steiner</i></p>
+<div style="text-align: center;"></div>
+<div style="text-align: center;">
+<address>Project Athena </address>
+</div>
+<div></div>
+<div style="text-align: center;">
+<address>Massachusetts Institute of Technology</address>
+</div>
+<div style="text-align: center;"></div>
+<div style="text-align: center;">
+<address>Cambridge, MA 02139 </address>
+</div>
+<div style="text-align: center;"></div>
+<div style="text-align: center;">
+<address>steiner@ATHENA.MIT.EDU</address>
+</div>
+<div style="text-align: center;"></div>
+<p style="text-align: center;"><i>Clifford Neuman</i> *</p>
+<div style="text-align: center;"></div>
+<div style="text-align: center;">
+<address>Department of Computer Science, FR-35</address>
+</div>
+<div style="text-align: center;"></div>
+<div style="text-align: center;">
+<address>University of Washington</address>
+</div>
+<div style="text-align: center;"></div>
+<div style="text-align: center;">
+<address>Seattle, WA 98195</address>
+</div>
+<div style="text-align: center;"></div>
+<div style="text-align: center;">
+<address>bcn@CS.WASHINGTON.EDU</address>
+</div>
+<div style="text-align: center;"></div>
+<p style="text-align: center;">Jeffrey I. Schiller</p>
+<div style="text-align: center;"></div>
+<div style="text-align: center;">
+<address>Project Athena</address>
+</div>
+<div style="text-align: center;"></div>
+<div style="text-align: center;">
+<address>Massachusetts Institute of Technology</address>
+</div>
+<div style="text-align: center;"></div>
+<div style="text-align: center;">
+<address>Cambridge, MA 02139</address>
+</div>
+<div style="text-align: center;"></div>
+<div style="text-align: center;">
+<address>jis@ATHENA.MIT.EDU</address>
+</div>
+<p>* Clifford Neuman was a member of the Project Athena staff during
+the design and initial implementation phase of <i>Kerberos.</i></p>
+<p></p>
+<p style="text-align: center;"><i>ABSTRACT</i></p>
+<p style="text-align: center;">In an open network computing
+environment, a workstation cannot be trusted to identify its users
+correctly to network services. <i>Kerberos</i> provides an alternative
+approach whereby a trusted third-party authentication service is used
+to verify users' identities. This paper gives an overview of the <i>Kerberos</i>
+authentication model as implemented for MIT's Project Athena. It
+describes the protocols used by clients, servers, and <i>Kerberos</i>
+to achieve authentication. It also describes the management and
+replication of the database required. The views of <i>Kerberos</i> as
+seen by the user, programmer, and administrator are described. Finally,
+the role of <i>Kerberos</i> in the larger Athena picture is given,
+along with a list of applications that presently use <i>Kerberos</i>
+for user authentication. We describe the addition of <i>Kerberos</i>
+authentication to the Sun Network File System as a case study for
+integrating <i>Kerberos</i> with an existing application.</p>
+<p><b>Introduction</b></p>
+<p>This paper gives an overview of <i>Kerberos,</i> an authentication
+system designed by Miller and Neumanfor open network computing
+environments, and describes our experience using it at MIT's Project
+Athena. In the first section of the paper, we explain why a new
+authentication model is needed for open networks, and what its
+requirements are. The second section lists the components of the <i>Kerberos</i>
+software and describes how they interact in providing the
+authentication service. In Section 3, we describe the <i>Kerberos</i>
+naming scheme.</p>
+<p>Section 4 presents the building blocks of <i>Kerberos</i>
+authentication - the <i>ticket</i> and the <i>authenticator.</i> This
+leads to a discussion of the two authentication protocols: the initial
+authentication of a user to <i>Kerberos</i> (analogous to logging in),
+and the protocol for mutual authentication of a potential consumer and
+a potential producer of a network service.</p>
+<p><i>Kerberos</i> requires a database of information about its
+clients; Section 5 describes the database, its management, and the
+protocol for its modification. Section 6 describes the <i>Kerberos</i>
+interface to its users, applications programmers, and administrators.
+In Section 7, we describe how the Project Athena <i>Kerberos</i> fits
+into the rest of the Athena environment. We also describe the
+interaction of different <i>Kerberos</i> authentication domains, or <i>realms
+;</i> in our case, the relation between the Project Athena <i>Kerberos</i>
+and the <i>Kerberos</i> running at MIT's Laboratory for Computer
+Science.</p>
+<p>In Section 8, we mention open issues and problems as yet unsolved.
+The last section gives the current status of <i>Kerberos</i> at
+Project Athena. In the appendix, we describe in detail how <i>Kerberos</i>
+is applied to a network file service to authenticate users who wish to
+gain access to remote file systems. </p>
+<p><b>Conventions.</b> Throughout this paper we use terms that may be
+ambiguous, new to the reader, or used differently elsewhere. Below we
+state our use of those terms. </p>
+<p><i>User, Client, Server.</i> By <i>user,</i> we mean a human being
+who uses a program or service. A <i>client</i> also uses something,
+but is not necessarily a person; it can be a program. Often network
+applications consist of two parts; one program which runs on one
+machine and requests a remote service, and another program which runs
+on the remote machine and performs that service. We call those the <i>client</i>
+side and <i>server</i> side of the application, respectively. Often, a
+<i>client</i> will contact a <i>server</i> on behalf of a <i>user.</i></p>
+<p>Each entity that uses the <i>Kerberos</i> system, be it a user or a
+network server, is in one sense a client, since it uses the <i>Kerberos</i>
+service. So to distinguish <i>Kerberos</i> clients from clients of
+other services, we use the term <i>principal</i> to indicate such an
+entity. Note that a <i>Kerberos</i> principal can be either a user or
+a server. (We describe the naming of <i>Kerberos</i> principals in a
+later section.) </p>
+<p><i>Service vs. Server.</i> We use <i>service</i> as an abstract
+specification of some actions to be performed. A process which performs
+those actions is called a <i>server.</i> At a given time, there may be
+several <i>servers</i> (usually running on different machines)
+performing a given <i>service.</i> For example, at Athena there is one
+BSD UNIX <i>rlog-in</i> server running on each of our timesharing
+machines. </p>
+<p><i>Key, Private Key, Password. Kerberos</i> uses private key
+encryption. Each <i>Kerberos</i> principal is assigned a large number,
+its private key, known only to that principal and <i>Kerberos.</i> In
+the case of a user, the private key is the result of a one-way function
+applied to the user's <i>password.</i> We use <i>key</i> as shorthand
+for <i>private key.</i> </p>
+<p><i>Credentials.</i> Unfortunately, this word has a special meaning
+for both the Sun Network File System and the <i>Kerberos</i> system.
+We explicitly state whether we mean NFS credentials or <i>Kerberos</i>
+credentials, otherwise the term is used in the normal English language
+sense. </p>
+<p><i>Master and Slave.</i> It is possible to run <i>Kerberos</i>
+authentication software on more than one machine. However, there is
+always only one definitive copy of the <i>Kerberos</i> database. The
+machine which houses this database is called the <i>master</i>
+machine, or just the <i>master.</i> Other machines may possess
+read-only copies of the <i>Kerberos</i> database, and these are called
+<i>slaves.</i></p>
+<p><b>1. Motivation</b></p>
+<p>In a non-networked personal computing environment, resources and
+information can be protected by physically securing the personal
+computer. In a timesharing computing environment, the operating system
+protects users from one another and controls resources. In order to
+determine what each user is able to read or modify, it is necessary for
+the timesharing system to identify each user. This is accomplished when
+the user logs in.</p>
+<p>In a network of users requiring services from many separate
+computers, there are three approaches one can take to access control:
+One can do nothing, relying on the machine to which the user is logged
+in to prevent unauthorized access; one can require the host to prove
+its identity, but trust the host's word as to who the user is; or one
+can require the user to prove her/his identity for each required
+service.</p>
+<p>In a closed environment where all the machines are under strict
+control, one can use the first approach. When the organization controls
+all the hosts communicating over the network, this is a reasonable
+approach.</p>
+<p>In a more open environment, one might selectively trust only those
+hosts under organizational control. In this case, each host must be
+required to prove its identity. The rlog-in and rsh programs use this
+approach. In those protocols, authentication is done by checking the
+Internet address from which a connection has been established.</p>
+<p>In the Athena environment, we must be able to honor requests from
+hosts that are not under organizational control. Users have complete
+control of their workstations: they can reboot them, bring them up
+standalone, or even boot off their own tapes. As such, the third
+approach must be taken; the user must prove her/his identity for each
+desired service. The server must also prove its identity. It is not
+sufficient to physically secure the host running a network server;
+someone elsewhere on the network may be masquerading as the given
+server.</p>
+<p>Our environment places several requirements on an identification
+mechanism. First, it must be secure. Circumventing it must be difficult
+enough that a potential attacker does not find the authentication
+mechanism to be the weak link. Someone watching the network should not
+be able to obtain the information necessary to impersonate another
+user. Second, it must be reliable. Access to many services will depend
+on the authentication service. If it is not reliable, the system of
+services as a whole will not be. Third, it should be transparent.
+Ideally, the user should not be aware of authentication taking place.
+Finally, it should be scalable. Many systems can communicate with
+Athena hosts. Not all of these will support our mechanism, but software
+should not break if they did.</p>
+<p>Kerberos is the result of our work to satisfy the above
+requirements. When a user walks up to a workstation s/he "logs in". As
+far as the user can tell, this initial identification is sufficient to
+prove her/his identity to all the required network servers for the
+duration of the log-in session. The security of Kerberos relies on the
+security of several authentication servers, but not on the system from
+which users log in, nor on the security of the end servers that will be
+used. The authentication server provides a properly authenticated user
+with a way to prove her/his identity to servers scattered across the
+network.</p>
+<p>Authentication is a fundamental building block for a secure
+networked environment. If, for example, a server knows for certain the
+identity of a client, it can decide whether to provide the service,
+whether the user should be given special privileges, who should receive
+the bill for the service, and so forth. In other words, authorization
+and accounting schemes can be built on top of the authentication that
+Kerberos provides, resulting in equivalent security to the lone
+personal computer or the timesharing system.</p>
+<p><b>2. What is <i>Kerberos</i> ?</b></p>
+<p><i>Kerberos</i> is a trusted third-party authentication service
+based on the model presented by Needham and Schroeder.It is trusted in
+the sense that each of its clients believes <i>Kerberos'</i> judgement
+as to the identity of each of its other clients to be accurate. Time
+stamps (large numbers representing the current date and time) have been
+added to the original model to aid in the detection of <i>replay.</i>
+Replay occurs when a message is stolen off the network and resent
+later. For a more complete description of replay, and other issues of
+authentication, see Voydock and Kent.</p>
+<p><b>2.1. What Does It Do?</b></p>
+<p><i>Kerberos</i> keeps a database of its clients and their <i>private
+keys. </i>The private key is a large number known only to <i>Kerberos</i>
+and the client it belongs to. In the case that the client is a user, it
+is an encrypted password. Network services requiring authentication
+register with <i>Kerberos,</i> as do clients wishing to use those
+services. The private keys are negotiated at registration.</p>
+<p>Because <i>Kerberos</i> knows these private keys, it can create
+messages which convince one client that another is really who it claims
+to be. <i>Kerberos</i> also generates temporary private keys, called <i>session
+keys,</i> which are given to two clients and no one else. A session key
+can be used to encrypt messages between two parties.</p>
+<p><i>Kerberos</i> provides three distinct levels of protection. The
+application programmer determines which is appropriate, according to
+the requirements of the application. For example, some applications
+require only that authenticity be established at the initiation of a
+network connection, and can assume that further messages from a given
+network address originate from the authenticated party. Our
+authenticated network file system uses this level of security.</p>
+<p>Other applications require authentication of each message, but do
+not care whether the content of the message is disclosed or not. For
+these, <i>Kerberos</i> provides <i>safe messages.</i> Yet a higher
+level of security is provided by <i>private messages,</i> where each
+message is not only authenticated, but also encrypted. Private messages
+are used, for example, by the <i>Kerberos</i> server itself for
+sending passwords over the network</p>
+<p><b>2.2. Software Components</b></p>
+<p>The Athena implementation comprises several modules (see Figure 1).
+The <i>Kerberos</i> applications library provides an interface for
+application clients and application servers. It contains, among others,
+routines for creating or reading authentication requests, and the
+routines for creating safe or private messages.<br>
+</p>
+<ul style="margin-left: 40px;">
+ <li><span style="font-style: italic;">Kerberos</span> applications
+library</li>
+ <li>encryption library</li>
+ <li>database library</li>
+ <li>database administration programs</li>
+ <li>administration server</li>
+ <li>authentication server</li>
+ <li>propogation software</li>
+ <li>user programs</li>
+ <li>applications</li>
+</ul>
+<p style="text-align: left; margin-left: 40px;"><b>Figure 1. </b>Kerberos
+Software Components</p>
+<p>Encryption in <i>Kerberos</i> is based on DES, the Data Encryption
+Standard.The encryption library implements those routines. Several
+methods of encryption are provided, with tradeoffs between speed and
+security. An extension to the DES Cypher Block Chaining (CBC) mode,
+called the Propagating CBC mode, is also provided. In CBC, an error is
+propagated only through the current block of the cipher, whereas in
+PCBC, the error is propagated throughout the message. This renders the
+entire message useless if an error occurs, rather than just a portion
+of it. The encryption library is an independent module, and may be
+replaced with other DES implementations or a different encryption
+library.</p>
+<p>Another replaceable module is the database management system. The
+current Athena implementation of the database library uses <i>ndbm,</i>
+although INGRES was originally used. Other database management
+libraries could be used as well.</p>
+<p>The <i>Kerberos</i> database needs are straightforward; a record is
+held for each principal, containing the name, private key, and
+expiration date of the principal, along with some administrative
+information. (The expiration date is the date after which an entry is
+no longer valid. It is usually set to a few years into the future at
+registration.)</p>
+<p>Other user information, such as real name, phone number, and so
+forth, is kept by another server, the <i>Hesiod</i> nameserver. This
+way, sensitive information, namely passwords, can be handled by <i>Kerberos,</i>
+using fairly high security measures; while the non-sensitive
+information kept by <i>Hesiod</i> is dealt with differently; it can,
+for example, be sent unencrypted over the network.</p>
+<p>The <i>Kerberos</i> servers use the database library, as do the
+tools for administering the database.</p>
+<p>The <i>administration server</i> (or KDBM server) provides a
+read-write network interface to the database. The client side of the
+program may be run on any machine on the network. The server side,
+however, must run on the machine housing the <i>Kerberos</i> database
+in order to make changes to the database.</p>
+<p>The <i>authentication server </i>(or <i>Kerberos</i> server), on
+the other hand, performs read-only operations on the <i>Kerberos</i>
+database, namely, the authentication of principals, and generation of
+session keys. Since this server does not modify the <i>Kerberos</i>
+database, it may run on a machine housing a read-only copy of the
+master <i>Kerberos</i> database.</p>
+<p>Database propagation software manages replication of the <i>Kerberos</i>
+database. It is possible to have copies of the database on several
+different machines, with a copy of the authentication server running on
+each machine. Each of these <i>slave</i> machines receives an update
+of the <i>Kerberos</i> database from the <i>master</i> machine at
+given intervals.</p>
+<p>Finally, there are end-user programs for logging in to <i>Kerberos,</i>
+changing a <i>Kerberos</i> password, and displaying or destroying <i>Kerberos</i>
+<i>tickets</i> (tickets are explained later on).</p>
+<p><b>3. <i>Kerberos</i> Names</b></p>
+<p>Part of authenticating an entity is naming it. The process of
+authentication is the verification that the client is the one named in
+a request. What does a name consist of? In <i>Kerberos,</i> both users
+and servers are named. As far as the authentication server is
+concerned, they are equivalent. A name consists of a primary name, an
+instance, and a realm, expressed as <i>name.instance@realm</i> (see
+Figure 2).</p>
+<p style="margin-left: 80px;">bcn</p>
+<p style="margin-left: 80px;">treese.root</p>
+<p style="margin-left: 80px;">jis@LCS.MIT.EDU</p>
+<p style="margin-left: 80px;">rlog-in.priam@ATHENA.MIT.EDU</p>
+<p style="margin-left: 40px;"><b>Figure 2.</b> <i>Kerberos</i> Names</p>
+<p>The <i>primary name</i> is the name of the user or the service. The
+<i>instance</i> is used to distinguish among variations on the primary
+name. For users, an instance may entail special privileges, such as the
+"root" or "admin" instances. For services in the Athena environment,
+the instance is usually the name of the machine on which the server
+runs. For example, the <i>rlog-in</i> service has different instances
+on different hosts: <i>rlog-in.priam</i> is the <i>rlog-in</i> server
+on the host named priam. A <i>Kerberos</i> ticket is only good for a
+single named server. As such, a separate ticket is required to gain
+access to different instances of the same service. The <i>realm</i> is
+the name of an administrative entity that maintains authentication
+data. For example, different institutions may each have their own <i>Kerberos</i>
+machine, housing a different database. They have different <i>Kerberos</i>
+realms. (Realms are discussed further in section 8.2.).</p>
+<p><b>4. How It Works</b></p>
+<p>This section describes the <i>Kerberos</i> authentication
+protocols. The following abbreviations are used in the figures.<br>
+</p>
+<div style="margin-left: 40px;">
+<pre>c -> client<br>s -> server<br>addr -> client's network address<br>life -> lifetime of ticket<br>tgs, TGS -> ticket-granting ticket<br>Kerberos -> authentication server<br>KDBM -> administration server<br>K<sub>x</sub> -> x's private key<br>K<sub>x,y</sub> -> session key for x and y<br>{abc}K<sub>x</sub> -> abc encrypted in x's key<br>T<sub>x,y</sub> -> x's ticket to use y<br>A<sub>x</sub> -> authenticator for x<br>WS -> workstation<br></pre>
+<span style="font-weight: bold;"></span></div>
+<p>As mentioned above, the <i>Kerberos</i> authentication model is
+based on the Needham and Schroeder key distribution protocol. When a
+user requests a service, her/his identity must be established. To do
+this, a ticket is presented to the server, along with proof that the
+ticket was originally issued to the user, not stolen. There are three
+phases to authentication through <i>Kerberos.</i> In the first phase,
+the user obtains credentials to be used to request access to other
+services. In the second phase, the user requests authentication for a
+specific service. In the final phase, the user presents those
+credentials to the end server.</p>
+<p><b>4.1 Credentials</b></p>
+<p>There are two types of credentials used in the <i>Kerberos</i>
+authentication model: <i>tickets</i> and <i>authenticators.</i> Both
+are based on private key encryption, but they are encrypted using
+different keys. A ticket is used to securely pass the identity of the
+person to whom the ticket was issued between the authentication server
+and the end server. A ticket also passes information that can be used
+to make sure that the person using the ticket is the same person to
+which it was issued. The authenticator contains the additional
+information which, when compared against that in the ticket proves that
+the client presenting the ticket is the same one to which the ticket
+was issued.</p>
+<p>A ticket is good for a single server and a single client. It
+contains the name of the server, the name of the client, the Internet
+address of the client, a time stamp, a lifetime, and a random session
+key. This information is encrypted using the key of the server for
+which the ticket will be used. Once the ticket has been issued, it may
+be used multiple times by the named client to gain access to the named
+server, until the ticket expires. Note that because the ticket is
+encrypted in the key of the server, it is safe to allow the user to
+pass the ticket on to the server without having to worry about the user
+modifying the ticket (see Figure 3).<br>
+</p>
+<p style="margin-left: 40px;">{s, c, addr, timestamp, life, K<sub>s,c</sub>}
+K<sub>s</sub><br>
+</p>
+<p style="margin-left: 40px;"><b>Figure 3.</b> Kerberos Ticket.</p>
+<p>Unlike the ticket, the authenticator can only be used once. A new
+one must be generated each time a client wants to use a service. This
+does not present a problem because the client is able to build the
+authenticator itself. An authenticator contains the name of the client,
+the workstation's IP address, and the current workstation time. The
+authenticator is encrypted in the session key that is part of the
+ticket (see Figure 4).</p>
+<div style="margin-left: 40px;">{ c, addr, timestamp } K<sub>s,c</sub><br>
+</div>
+<p style="margin-left: 40px;"><b>Figure 4.</b> A <i>Kerberos</i>
+Authenticator</p>
+<p><b>4.2. Getting the Initial Ticket</b></p>
+<p>When the user walks up to a workstation, only one piece of
+information can prove her/his identity: the user's password. The
+initial exchange with the authentication server is designed to minimize
+the chance that the password will be compromised, while at the same
+time not allowing a user to properly authenticate her/himself without
+knowledge of that password. The process of logging in appears to the
+user to be the same as logging in to a timesharing system. Behind the
+scenes, though, it is quite different (see Figure 5).</p>
+<p style="margin-left: 40px;"><b><img
+ style="width: 447px; height: 170px;" alt=""
+ src="../Images/Kerberos_auth_serv_fig_5.jpg"><br>
+Figure 5.</b> Getting the Initial Ticket.</p>
+<p>The user is prompted for her/his username. Once it has been entered,
+a request is sent to the authentication server containing the user's
+name and the name of a special service known as the <i>ticket-granting
+service.</i></p>
+<p>The authentication server checks that it knows about the client. If
+so, it generates a random session key which will later be used between
+the client and the ticket-granting server. It then creates a ticket for
+the ticket-granting server which contains the client's name, the name
+of the ticket-granting server, the current time, a lifetime for the
+ticket, the client's IP address, and the random session key just
+created. This is all encrypted in a key known only to the
+ticket-granting server and the authentication server.</p>
+<p>The authentication server then sends the ticket, along with a copy
+of the random session key and some additional information, back to the
+client. This response is encrypted in the client's private key, known
+only to <i>Kerberos</i> and the client, which is derived from the
+user's password.</p>
+<p>Once the response has been received by the client, the user is asked
+for her/his password. The password is converted to a DES key and used
+to decrypt the response from the authentication server. The ticket and
+the session key, along with some of the other information, are stored
+for future use, and the user's password and DES key are erased from
+memory.</p>
+<p>Once the exchange has been completed, the workstation possesses
+information that it can use to prove the identity of its user for the
+lifetime of the ticket-granting ticket. As long as the software on the
+workstation had not been previously tampered with, no information
+exists that will allow someone else to impersonate the user beyond the
+life of the ticket.</p>
+<p><b>4.3. Requesting a Service</b></p>
+<p>For the moment, let us pretend that the user already has a ticket
+for the desired server. In order to gain access to the server, the
+application builds an authenticator containing the client's name and IP
+address, and the current time. The authenticator is then encrypted in
+the session key that was received with the ticket for the server. The
+client then sends the authenticator along with the ticket to the server
+in a manner defined by the individual application.</p>
+<p>Once the authenticator and ticket have been received by the server,
+the server decrypts the ticket, uses the session key included in the
+ticket to decrypt the authenticator, compares the information in the
+ticket with that in the authenticator, the IP address from which the
+request was received, and the present time. If everything matches, it
+allows the request to proceed (see Figure 6).</p>
+<p style="margin-left: 40px;"><b><img
+ style="width: 434px; height: 101px;" alt=""
+ src="..%5CImages%5CKerberos_auth_serv_fig_6.jpg"><br>
+Figure 6.</b> Requesting a Service</p>
+<p>It is assumed that clocks are synchronized to within several
+minutes. If the time in the request is too far in the future or the
+past, the server treats the request as an attempt to replay a previous
+request. The server is also allowed to keep track of all past requests
+with time stamps that are still valid. In order to further foil replay
+attacks, a request received with the same ticket and time stamp as one
+already received can be discarded.</p>
+<p>Finally, if the client specifies that it wants the server to prove
+its identity too, the server adds one to the time stamp the client sent
+in the authenticator, encrypts the result in the session key, and sends
+the result back to the client (see Figure 7).</p>
+<p style="margin-left: 40px;"><b><img
+ style="width: 421px; height: 108px;" alt=""
+ src="..%5CImages%5CKerberos_auth_serv_fig_7.jpg"><br>
+Figure 7.</b> Mutual Authentication</p>
+<p>At the end of this exchange, the server is certain that, according
+to <i>Kerberos,</i> the client is who it says it is. If mutual
+authentication occurs, the client is also convinced that the server is
+authentic. Moreover, the client and server share a key which no one
+else knows, and can safely assume that a reasonably recent message
+encrypted in that key originated with the other party.</p>
+<p><b>4.4 Getting Server Tickets</b></p>
+<p>Recall that a ticket is only good for a single server. As such, it
+is necessary to obtain a separate ticket for each service the client
+wants to use. Tickets for individual servers can be obtained from the
+ticket-granting service. Since the ticket-granting service is itself a
+service, it makes use of the service access protocol described in the
+previous section.</p>
+<p>When a program requires a ticket that has not already been
+requested, it sends a request to the ticket-granting server (see Figure
+8). The request contains the name of the server for which a ticket is
+requested, along with the ticket-granting ticket and an authenticator
+built as described in the previous section.</p>
+<p style="margin-left: 40px;"><b><img
+ style="width: 482px; height: 183px;" alt=""
+ src="..%5CImages%5CKerberos_auth_serv_fig_8.jpg"><br>
+Figure 8.</b> Getting a Server Ticket</p>
+<p>The ticket-granting server then checks the authenticator and
+ticket-granting ticket as described above. If valid, the
+ticket-granting server generates a new random session key to be used
+between the client and the new server. It then builds a ticket for the
+new server containing the client's name, the server name, the current
+time, the client's IP address and the new session key it just
+generated. The lifetime of the new ticket is the minimum of the
+remaining life for the ticket-granting ticket and the default for the
+service.</p>
+<p>The ticket-granting server then sends the ticket, along with the
+session key and other information, back to the client. This time,
+however, the reply is encrypted in the session key that was part of the
+ticket-granting ticket. This way, there is no need for the user to
+enter her/his password again. Figure 9 summarizes the authentication
+protocols.</p>
+<p></p>
+<p style="margin-left: 40px;"><b><img
+ style="width: 702px; height: 334px;" alt=""
+ src="..%5CImages%5CKerberos_auth_serv_fig_9.jpg"><br>
+Figure 9. </b><i>Kerberos</i> Authentication Protocols.</p>
+<p><b>5. <i>Kerberos</i> Database</b></p>
+<p>Up to this point, we have discussed operations requiring read-only
+access to the <i>Kerberos</i> database. These operations are performed
+by the authentication service, which can run on both master and slave
+machines (see Figure 10).</p>
+<p style="margin-left: 40px;"><b><img
+ style="width: 416px; height: 271px;" alt=""
+ src="..%5CImages%5CKerberos_auth_serv_fig_10.jpg"><br>
+Figure 10.</b> Authentication Requests.</p>
+<p>In this section, we discuss operations that require write access to
+the database. These operations are performed by the administration
+service, called the <i>Kerberos</i> Database Management Service <i>(KDBM).</i>
+The current implementation stipulates that changes may only be made to
+the master <i>Kerberos</i> database; slave copies are read-only.
+Therefore, the KDBM server may only run on the master <i>Kerberos</i>
+machine (see Figure 11).</p>
+<p style="margin-left: 40px;"><b><img
+ style="width: 401px; height: 273px;" alt=""
+ src="..%5CImages%5CKerberos_auth_serv_fig_11.jpg"><br>
+Figure 11.</b> Administration Requests</p>
+<p>Note that, while authentication can still occur (on slaves),
+administration requests cannot be serviced if the master machine is
+down. In our experience, this has not presented a problem, as
+administration requests are infrequent.</p>
+<p>The KDBM handles requests from users to change their passwords. The
+client side of this program, which sends requests to the KDBM over the
+network, is the <i>kpasswd</i> program. The KDBM also accepts requests
+from <i>Kerberos</i> administrators, who may add principals to the
+database, as well as change passwords for existing principals. The
+client side of the administration program, which also sends requests to
+the KDBM over the network, is the <i>kadmin</i> program.</p>
+<p><b>5.1. The KDBM Server</b></p>
+<p>The KDBM server accepts requests to add principals to the database
+or change the passwords for existing principals. This service is unique
+in that the ticket-granting service will not issue tickets for it.
+Instead, the authentication service itself must be used (the same
+service that is used to get a ticket-granting ticket). The purpose of
+this is to require the user to enter a password. If this were not so,
+then if a user left her/his workstation unattended, a passerby could
+walk up and change her/his password for them, something which should be
+prevented. Likewise, if an administrator left her/his workstation
+unguarded, a passerby could change any password in the system.</p>
+<p>When the KDBM server receives a request, it authorizes it by
+comparing the authenticated principal name of the requester of the
+change to the principal name of the target of the request. If they are
+the same, the request is permitted. If they are not the same, the KDBM
+server consults an access control list (stored in a file on the master <i>Kerberos</i>
+system). If the requester's principal name is found in this file, the
+request is permitted, otherwise it is denied.</p>
+<p>By convention, names with a. <b>NULL</b> instance (the default
+instance) do not appear in the access control list file; instead, an <b>admin</b>
+instance is used. Therefore, for a user to become an administrator of <i>Kerberos</i>
+an <b>admin</b> instance for that username must be created, and added
+to the access control list. This convention allows an administrator to
+use a different password for <i>Kerberos</i> administration then s/he
+would use for normal log-in.</p>
+<p>All requests to the KDBM program, whether permitted or denied, are
+logged.</p>
+<p><b>5.2. The <i>kadmin</i> and <i>kpasswd</i> Programs</b></p>
+<p>Administrators of <i>Kerberos</i> use the <i>kadmin</i> program to
+add principals to the database, or change the passwords of existing
+principals. An administrator is required to enter the password for
+their <i>admin</i> instance name when they invoke the <i>kadmin</i>
+program. This password is used to fetch a ticket for the KDBM server
+(see Figure 12).</p>
+<p></p>
+<p style="margin-left: 40px;"><b><img
+ style="width: 642px; height: 304px;" alt=""
+ src="..%5CImages%5CKerberos_auth_serv_fig_12.jpg"><br>
+Figure 12.</b> Kerberos Administration Protocol.</p>
+<p>Users may change their <i>Kerberos</i> passwords using the <i>kpasswd</i>
+program. They are required to enter their old password when they invoke
+the program. This password is used to fetch a ticket for the KDBM
+server.</p>
+<p><b>5.3. Database Replication</b></p>
+<p>Each <i>Kerberos</i> realm has a <i>master</i> <i>Kerberos</i>
+machine, which houses the master copy of the authentication database.
+It is possible (although not necessary) to have additional, read-only
+copies of the database on <i>slave</i> machines elsewhere in the
+system. The advantages of having multiple copies of the database are
+those usually cited for replication: higher availability and better
+performance. If the master machine is down, authentication can still be
+achieved on one of the slave machines. The ability to perform
+authentication on any one of several machines reduces the probability
+of a bottleneck at the master machine.</p>
+<p>Keeping multiple copies of the database introduces the problem of
+data consistency. We have found that very simple methods suffice for
+dealing with inconsistency. The master database is dumped every hour.
+The database is sent, in its entirety, to the slave machines, which
+then update their own databases. A program on the master host, called <i>kprop,</i>
+sends the update to a peer program, called <i>kpropd,</i> running on
+each of the slave machines (see Figure 13). First <i>kprop</i> sends a
+checksum of the new database it is about to send. The checksum is
+encrypted in the <i>Kerberos</i> master database key, which both the
+master and slave <i>Kerberos</i> machines possess. The data is then
+transferred over the network to the <i>kpropd</i> on the slave
+machine. The slave propagation server calculates a checksum of the data
+it has received, and if it matches the checksum sent by the master, the
+new information is used to update the slave's database.</p>
+<p style="margin-left: 40px;"><b><img
+ style="width: 387px; height: 247px;" alt=""
+ src="..%5CImages%5CKerberos_auth_serv_fig_13.jpg"><br>
+Figure 13. </b>Database Propagation</p>
+<p>All passwords in the <i>Kerberos</i> database are encrypted in the
+master database key Therefore, the information passed from master to
+slave over the network is not useful to an eavesdropper. However, it is
+essential that only information from the master host be accepted by the
+slaves, and that tampering of data be detected, thus the checksum.</p>
+<p><b>6. <i>Kerberos</i> From the Outside Looking In</b></p>
+<p>The section will describe <i>Kerberos</i> from the practical point
+of view, first as seen by the user, then from the application
+programmer's viewpoint, and finally, through the tasks of the <i>Kerberos</i>
+administrator.</p>
+<p><b>6.1. User's Eye View</b></p>
+<p>If all goes well, the user will hardly notice that <i>Kerberos</i>
+is present. In our UNIX implementation, the ticket-granting ticket is
+obtained from <i>Kerberos</i> as part of the <i>log-in</i> process.
+The changing of a user's <i>Kerberos</i> password is part of the <i>passwd</i>
+program. And <i>Kerberos</i> tickets are automatically destroyed when
+a user logs out.</p>
+<p>If the user's log-in session lasts longer than the lifetime of the
+ticket-granting ticket (currently 8 hours), the user will notice <i>Kerberos'</i>
+presence because the next time a <i>Kerberos -authenticated</i>
+application is executed, it will fail. The <i>Kerberos</i> ticket for
+it will have expired. At that point, the user can run the <i>kinit</i>
+program to obtain a new ticket for the ticket-granting server. As when
+logging in, a password must be provided in order to get it. A user
+executing the <i>klist</i> command out of curiosity may be surprised
+at all the tickets which have silently been obtained on her/his behalf
+for services which require <i>Kerberos</i> authentication.</p>
+<p><b>6.2. From the Programmer's Viewpoint</b></p>
+<p>A programmer writing a <i>Kerberos</i> application will often be
+adding authentication to an already existing network application
+consisting of a client and server side. We call this process
+"Kerberizing" a program. Kerberizing usually involves making a call to
+the <i>Kerberos</i> library in order to perform authentication at the
+initial request for service. It may also involve calls to the DES
+library to encrypt messages and data which are subsequently sent
+between application client and application server.</p>
+<p>The most commonly used library functions are <i>krb_mk_req</i> on
+the client side, and <i>krb_rd_req</i> on the server side. The <i>krb_mk_req</i>
+routine takes as parameters the name, instance, and realm of the target
+server, which will be requested, and possibly a checksum of the data to
+be sent. The client then sends the message returned by the <i>krb_mk_req</i>
+call over the network to the server side of the application. When the
+server receives this message, it makes a call to the library routine <i>krb_rd_req.</i>
+The routine returns a judgement about the authenticity of the sender's
+alleged identity.</p>
+<p>If the application requires that messages sent between client and
+server be secret, then library calls can be made to <i>krb_mk_priv
+(krb_rd_priv)</i> to encrypt (decrypt) messages in the session key
+which both sides now share.</p>
+<p><b>6.3. The <i>Kerberos</i> Administrator's Job</b></p>
+<p>The <i>Kerberos</i> administrator's job begins with running a
+program to initialize the database. Another program must be run to
+register essential principals in the database, such as the <i>Kerberos</i>
+administrator's name with an <b>admin </b>instance. The <i>Kerberos</i>
+authentication server and the administration server must be started up.
+If there are slave databases, the administrator must arrange that the
+programs to propagate database updates from master to slaves be kicked
+off periodically.</p>
+<p>After these initial steps have been taken, the administrator
+manipulates the database over the network, using the <i>kadmin</i>
+program. Through that program, new principals can be added, and
+passwords can be changed.</p>
+<p>In particular, when a new <i>Kerberos</i> application is added to
+the system, the <i>Kerberos</i> administrator must take a few steps to
+get it working. The server must be registered in the database, and
+assigned a private key (usually this is an automatically generated
+random key). Then, some data (including the server's key) must be
+extracted from the database and installed in a file on the server's
+machine. The default file is <i>/etc/srvtab.</i> The <i>krb_rd_req</i>
+library routine called by the server (see the previous section) uses
+the information in that file to decrypt messages sent encrypted in the
+server's private key. The <i>/etc/srvtab</i> file authenticates the
+server as a password typed at a terminal authenticates the user.</p>
+<p>The <i>Kerberos</i> administrator must also ensure that <i>Kerberos</i>
+machines are physically secure, and would also be wise to maintain
+backups of the Master database.</p>
+<p><b>7. The Bigger Picture</b></p>
+<p>In this section, we describe how <i>Kerberos</i> fits into the
+Athena environment, including its use by other network services and
+applications, and how it interacts with remote <i>Kerberos</i> realms.
+For a more complete description of the Athena environment, please see
+G. W. Treese.</p>
+<p><b>7.1. Other Network Services' Use of <i>Kerberos</i></b></p>
+<p>Several network applications have been modified to use <i>Kerberos.</i>
+The <i>rlog-in</i> and <i>rsh</i> commands first try to authenticate
+using <i>Kerberos.</i> A user with valid <i>Kerberos</i> tickets can
+rlog-in to another Athena machine without having to set up.<i>rhosts</i>
+files. If the <i>Kerberos</i> authentication fails, the programs fall
+back on their usual methods of authorization, in this case, the.<i>rhosts</i>
+files.</p>
+<p>We have modified the Post Office Protocol to use <i>Kerberos</i>
+for authenticating users who wish to retrieve their electronic mail
+from the "post office". A message delivery program, called <i>Zephyr,</i>
+has been recently developed at Athena, and it uses <i>Kerberos</i> for
+authentication as well.</p>
+<p>The program for signing up new users, called <i>register,</i> uses
+both the Service Management System (SMS) and <i>Kerberos.</i> From
+SMS, it determines whether the information entered by the would-be new
+Athena user, such as name and MIT identification number, is valid. It
+then checks with <i>Kerberos</i> to see if the requested username is
+unique. If all goes well, a new entry is made to the <i>Kerberos</i>
+database, containing the username and password.</p>
+<p>For a detailed discussion of the use of <i>Kerberos</i> to secure
+Sun's Network File System, please refer to the appendix..</p>
+<p><b>7.2. Interaction with Other Kerberi</b></p>
+<p>It is expected that different administrative organizations will want
+to use <i>Kerberos</i> for user authentication. It is also expected
+that in many cases, users in one organization will want to use services
+in another. <i>Kerberos</i> supports multiple administrative domains.
+The specification of names in <i>Kerberos</i> includes a field called
+the <i>realm.</i> This field contains the name of the administrative
+domain within which the user is to be authenticated.</p>
+<p>Services are usually registered in a single realm and will only
+accept credentials issued by an authentication server for that realm. A
+user is usually registered in a single realm (the local realm), but it
+is possible for her/him to obtain credentials issued by another realm
+(the remote realm), on the strength of the authentication provided by
+the local realm. Credentials valid in a remote realm indicate the realm
+in which the user was originally authenticated. Services in the remote
+realm can choose whether to honor those credentials, depending on the
+degree of security required and the level of trust in the realm that
+initially authenticated the user.</p>
+<p>In order to perform cross-realm authentication, it is necessary that
+the administrators of each pair of realms select a key to be shared
+between their realms. A user in the local realm can then request a
+ticket-granting ticket from the local authentication server for the
+ticket-granting server in the remote realm. When that ticket is used,
+the remote ticket-granting server recognizes that the request is not
+from its own realm, and it uses the previously exchanged key to decrypt
+the ticket-granting ticket. It then issues a ticket as it normally
+would, except that the realm field for the client contains the name of
+the realm in which the client was originally authenticated.</p>
+<p>This approach could be extended to allow one to authenticate oneself
+through a series of realms until reaching the realm with the desired
+service. In order to do this, though, it would be necessary to record
+the entire path that was taken, and not just the name of the initial
+realm in which the user was authenticated. In such a situation, all
+that is known by the server is that A says that B says that C says that
+the user is so-and-so. This statement can only be trusted if everyone
+along the path is also trusted.</p>
+<p><b>8. Issues and Open Problems</b></p>
+<p>There are a number of issues and open problems associated with the <i>Kerberos</i>
+authentication mechanism. Among the issues are how to decide the
+correct lifetime for a ticket, how to allow proxies, and how to
+guarantee workstation integrity.</p>
+<p>The ticket lifetime problem is a matter of choosing the proper
+tradeoff between security and convenience. If the life of a ticket is
+long, then if a ticket and its associated session key are stolen or
+misplaced, they can be used for a longer period of time. Such
+information can be stolen if a user forgets to log out of a public
+workstation. Alternatively, if a user has been authenticated on a
+system that allows multiple users, another user with access to root
+might be able to find the information needed to use stolen tickets. The
+problem with giving a ticket a short lifetime, however, is that when it
+expires, the user will have to obtain a new one which requires the user
+to enter the password again.</p>
+<p>An open problem is the proxy problem. How can an authenticated user
+allow a server to acquire other network services on her/his behalf? An
+example where this would be important is the use of a service that will
+gain access to protected files directly from a fileserver. Another
+example of this problem is what we call <i>authentication forwarding.</i>
+If a user is logged into a workstation and logs in to a remote host, it
+would be nice if the user had access to the same services available
+locally, while running a program on the remote host. What makes this
+difficult is that the user might not trust the remote host, thus
+authentication forwarding is not desirable in all cases. We do not
+presently have a solution to this problem.</p>
+<p>Another problem, and one that is important in the Athena
+environment, is how to guarantee the integrity of the software running
+on a workstation. This is not so much of a problem on private
+workstations since the user that will be using it has control over it.
+On public workstations, however, someone might have come along and
+modified the <i>log-in</i> program to save the user's password. The
+only solution presently available in our environment is to make it
+difficult for people to modify software running on the public
+workstations. A better solution would require that the user's key never
+leave a system that the user knows can be trusted. One way this could
+be done would be if the user possessed a <i>smartcard</i> capable of
+doing the encryptions required in the authentication protocol.</p>
+<p><b>9. Status</b></p>
+<p>A prototype version of <i>Kerberos</i> went into production in
+September of 1986. Since January of 1987, <i>Kerberos</i> has been
+Project Athena's sole means of authenticating its 5,000 users, 650
+workstations, and 65 servers. In addition, <i>Kerberos</i> is now
+being used in place of.<i>rhosts</i> files for controlling access in
+several of Athena's timesharing systems.</p>
+<p><b>10. Acknowledgments</b></p>
+<p><i>Kerberos</i> was initially designed by Steve Miller and Clifford
+Neuman with suggestions from Jeff Schiller and Jerry Saltzer. Since
+that time, numerous other people have been involved with the project.
+Among them are Jim Aspnes, Bob Baldwin, John Barba, Richard Basch, Jim
+Bloom, Bill Bryant, Mark Colan, Rob French, Dan Geer, John Kohl, John
+Kubiatowicz, Bob Mckie, Brian Murphy, John Ostlund Ken Raeburn, Chris
+Reed, Jon Rochlis, Mike Shanzer, Bill Sommerfeld, Ted T'so, Win Treese,
+and Stan Zanarotti.</p>
+<p>We are grateful to Dan Geer, Kathy Lieben, Josh Lubarr, Ken Raeburn,
+Jerry Saltzer, Ed Steiner, Robbert van Renesse, and Win Treese whose
+suggestions much improved earlier drafts of this paper.</p>
+<p>The illustration on the title page is by Betsy Bruemmer.</p>
+<p><b>Appendix</b></p>
+<p><b><i>Kerberos</i> Application to Sun's Network File System (NFS)</b></p>
+<p>A key component of the Project Athena workstation system is the
+interposing of the network between the user's workstation and her/his
+private file storage (home directory). All private storage resides on a
+set of computers (currently VAX 11/750s) that are dedicated to this
+purpose. This allows us to offer services on publicly available UNIX
+workstations. When a user logs in to one of these publicly available
+workstations, rather then validate her/his name and password against a
+locally resident password file, we use <i>Kerberos</i> to determine
+her/his authenticity. The <i>log-in</i> program prompts for a username
+(as on any UNIX system). This username is used to fetch a <i>Kerberos</i>
+ticket-granting ticket. The <i>log-in</i> program uses the password to
+generate a DES key for decrypting the ticket. If decryption is
+successful, the user's home directory is located by consulting the <i>Hesiod</i>
+naming service and mounted through NFS. The <i>log-in</i> program then
+turns control over to the user's shell, which then can run the
+traditional per-user customization files because the home directory is
+now "attached" to the workstation. The <i>Hesiod</i> service is also
+used to construct an entry in the local password file. (This is for the
+benefit of programs that look up information in <i>/etc/passwd.)</i></p>
+<p>From several options for delivery of remote file service, we chose
+Sun's Network File System. However this system fails to mesh with our
+needs in a crucial way. NFS assumes that all workstations fall into two
+categories (as viewed from a file server's point of view): trusted and
+untrusted. Untrusted systems cannot access any files at all, trusted
+can. Trusted systems are completely trusted. It is assumed that a
+trusted system is managed by friendly management. Specifically, it is
+possible from a trusted workstation to masquerade as any valid user of
+the file service system and thus gain access to just about every file
+on the system. (Only files owned by "root" are exempted.).</p>
+<p>In our environment, the management of a workstation (in the
+traditional sense of UNIX system management) is in the hands of the
+user currently using it. We make no secret of the root password on our
+workstations, as we realize that a truly unfriendly user can break in
+by the very fact that s/he is sitting in the same physical location as
+the machine and has access to all console functions. Therefore we
+cannot truly trust our workstations in the NFS interpretation of trust.
+To allow proper access controls in our environment we had to make some
+modifications to the base NFS software, and integrate <i>Kerberos</i>
+into the scheme.</p>
+<p><b>Unmodified NFS</b></p>
+<p>In the implementation of NFS that we started with (from the
+University of Wisconsin), authentication was provided in the form of a
+piece of data included in each NFS request (called a "credential" in
+NFS terminology). This credential contains information about the unique
+user identifier (UID) of the requester and a list of the group
+identifiers (GIDs) of the requester's membership. This information is
+then used by the NFS server for access checking. The difference between
+a trusted and a non-trusted workstation is whether or not its
+credentials are accepted by the NFS server.</p>
+<p><b>Modified NFS</b></p>
+<p>In our environment, NFS servers must accept credentials from a
+workstation if and only if the credentials indicate the UID of the
+workstation's user, and no other.</p>
+<p>One obvious solution would be to change the nature of credentials
+from mere indicators of UID and GIDs to full blown <i>Kerberos</i>
+authenticated data. However a significant performance penalty would be
+paid if this solution were adopted. Credentials are exchanged on every
+NFS operation including all disk read and write activities. Including a
+<i>Kerberos</i> authentication on each disk transaction would add a
+fair number of full-blown encryptions (done in software) per
+transaction and, according to our envelope calculations, would have
+delivered unacceptable performance. (It would also have required
+placing the <i>Kerberos</i> library routines in the kernel address
+space.)</p>
+<p>We needed a hybrid approach, described below. The basic idea is to
+have the NFS server map credentials received from client workstations,
+to a valid (and possibly different) credential on the server system.
+This mapping is performed in the server's kernel on each NFS
+transaction and is setup at "mount" time by a user-level process that
+engages in <i>Kerberos -</i> moderated authentication prior to
+establishing a valid kernel credential mapping.</p>
+<p>To implement this we added a new system call to the kernel (required
+only on server systems, not on client systems) that provides for the
+control of the mapping function that maps incoming credentials from
+client workstations to credentials valid for use on the server (if
+any). The basic mapping function maps the tuple:</p>
+<p><CLIENT-IP-ADDRESS, UID-ON-CLIENT></p>
+<p>to a valid NFS credential on the server system. The
+CLIENT-IP-ADDRESS is extracted from the NFS request packet and the
+UID-ON-CLIENT is extracted from the credential supplied by the client
+system. Note: all information in the client-generated credential except
+the UID-ON-CLIENT is discarded.</p>
+<p>If no mapping exists, the server reacts in one of two ways,
+depending it is configured. In our friendly configuration we default
+the unmappable requests into the credentials for the user "nobody" who
+has no privileged access and has a unique UID. Unfriendly servers
+return an NFS access error when no valid mapping can be found for an
+incoming NFS credential.</p>
+<p>Our new system call is used to add and delete entries from the
+kernel resident map. It also provides the ability to flush all entries
+that map to a specific UID on the server system, or flush all entries
+from a given CLIENT-IP-ADDRESS.</p>
+<p>We modified the mount daemon (which handles NFS mount requests on
+server systems) to accept a new transaction type, the <i>Kerberos</i>
+authentication mapping request. Basically, as part of the mounting
+process, the client system provides a <i>Kerberos</i> authenticator
+along with an indication of her/his UID-ON-CLIENT (encrypted in the <i>Kerberos</i>
+authenticator) on the workstation. The server's mount daemon converts
+the <i>Kerberos</i> principal name into a local username. This
+username is then looked up in a special file to yield the user's UID
+and GIDs list. For efficiency, this file is a <i>ndbm</i> database
+file with the username as the key. From this information, an NFS
+credential is constructed and handed to the kernel as the valid mapping
+of the <CLIENT-IP-ADDRESS, CLIENT-UID> tuple for this request.</p>
+<p>At unmount time a request is sent to the mount daemon to remove the
+previously added mapping from the kernel. It is also possible to send a
+request at log-out time to invalidate all mapping for the current user
+on the server in question, thus cleaning up any remaining mappings that
+exist (though they shouldn't) before the workstation is made available
+for the next user.</p>
+<p><b>Security Implications of the Modified NFS</b></p>
+<p>This implementation is not completely secure. For starters, user
+data is still sent across the network in an unencrypted, and therefore
+interceptable, form. The low-level, per-transaction authentication is
+based on a <CLIENT-IP-ADDRESS, CLIENT-UID> pair provided
+unencrypted in the request packet. This information could be forged and
+thus security compromised. However, it should be noted that only while
+a user is actively using her/his files (i.e., while logged in) are
+valid mappings in place and therefore this form of attack is limited to
+when the user in question is logged in. When a user is not logged in,
+no amount of IP address forgery will permit unauthorized access to
+her/his files.</p>
+<p><b>References</b></p>
+<p>1.S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. Saltzer, <i>Section
+E.2.1: Kerberos Authentication and Authorization System</i>, M.I.T.
+Project Athena, Cambridge, Massachusetts (December 21, 1987). </p>
+<p>2.E. Balkovich, S. R. Lerman, and R. P. Parmelee, "Computing in
+Higher Education: The Athena Experience," <i>Communications of the ACM.</i>
+<b>28</b>(11), pp. 1214-1224, ACM (November, 1985).</p>
+<p>3.R. M. Needham and M. D. Schroeder, "Using Encryption for
+Authentication in Large Networks of Computers," <i>Communications of
+the ACM</i> <b>21</b>(12), pp. 993-999 (December, 1978). </p>
+<p>4.V. L. Voydock and S. T. Kent, "Security Mechanisms in High-Level
+Network Protocols," <i>Computing Surveys</i> <b>15</b>(2), ACM (June
+1983).</p>
+<p>5.National Bureau of Standards, "Data Encryption Standard," Federal
+Information Processing Standards Publication 46, Government Printing
+Office, Washington, D.C. (1977). </p>
+<p>6.S. P. Dyer, "Hesiod," in <i>Usenix Conference Proceedings</i>
+(Winter, 1988). </p>
+<p>7.W. J. Bryant, <i>Kerberos Programmer's Tutorial</i>, M.I.T.
+Project Athena (In preparation). </p>
+<p>8.W. J. Bryant, <i>Kerberos Administrator's Manual</i>, M.I.T.
+Project Athena (In preparation).</p>
+<p>9.G. W. Treese, "Berkeley Unix on 1000 Workstations: Athena Changes
+to 4.3BSD," in <i>Usenix Conference Proceedings</i> (Winter, 1988)</p>
+<p>10.C. A. DellaFera, M. W. Eichin, R. S. French, D. C. Jedlinsky, J.
+T. Kohl, and W. E. Sommerfeld, "The Zephyr Notification System," in <i>Usenix
+Conference Proceedings</i> (Winter, 1988).</p>
+<p>11.M. A. Rosenstein, D. E. Geer, and P. J. Levine, in <i>Usenix
+Conference Proceedings</i> (Winter, 1988).</p>
+<p>12.R. Sandberg, D. Goldberg, S. Kleiman, D. Walsh, and B. Lyon,
+"Design and Implementation of the Sun Network Filesystem," in <i>Usenix
+Conference Proceedings </i>(Summer, 1985).</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>Using Kerberos in a Command Prompt Environment</TITLE>
+</HEAD>
+
+<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
+
+<OBJECT TYPE="application/x-oleobject" CLASSID="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e">
+ <PARAM NAME="Keyword" VALUE="DOS commands">
+</OBJECT>
+
+<P><H2><A NAME="id_help_dos_kerberos"></A>Using Kerberos in a Command Prompt Environment</H2></P>
+
+<P>Command Prompt commands that are available to perform Kerberos functions</P>
+
+<P><A HREF="leash_manpage_kinit.htm">KINIT</A> - Kerberos log-in utility</P>
+
+<P><A HREF="leash_manpage_klist.htm">KLIST</A> - list currently held Kerberos tickets</P>
+
+<P><A HREF="leash_manpage_kdestroy.htm">KDESTROY</A> - destroy Kerberos tickets</P>
+
+<P><A HREF="leash_manpage_ms2mit.htm">MS2MIT</A> - import Kerberos tickets from Windows Logon Session</P>
+
+<P><A HREF="leash_manpage_aklog.htm">AKLOG</A> - obtain AFS tokens</P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Leash Program</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="Kerberos Help Topics">
+</object>
+<p></p>
+<h1><b>Kerberos Help Topics</b></h1>
+<p></p>
+<p><a href="leash_topic_about_kerberos.htm">About Kerberos</a></p>
+<p><a href="leash_topic_kerberos_names.htm">Kerberos Names</a></p>
+<p><a href="leash_topic_kerberos_tickets.htm">Kerberos Tickets</a></p>
+<p><a href="leash_topic_kerberos_command_prompt.htm">Using Kerberos in
+a Command Prompt Environment</a></p>
+<p><a href="leash_kerberos_copyright.htm">Kerberos Copyright</a></p>
+<p><a href="leash_export.htm">Kerberos Export Restrictions and Source
+Code Access</a></p>
+<p><a href="leash_topic_timing_issues.htm">Kerberos Timing Issues</a></p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>Kerberos Names</TITLE>
+</HEAD>
+
+<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
+
+<OBJECT TYPE="application/x-oleobject" CLASSID="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e">
+ <PARAM NAME="Keyword" VALUE="names">
+</OBJECT>
+
+<P><H2><A NAME="id_help_names"></A>Kerberos Names</H2></P>
+
+<P>A Kerberos name contains three parts. The first is the principal name, which is usually a user's or service's name. The second is the instance, which in the case of a user is usually null. Some users may have privileged instances, however, such as "root" or "admin." In the case of a service, the instance is the name of the machine on which it runs; i.e. there can be an <B>rlogin</B> service running on the machine ABC, which is different from the rlogin service running on the machine XYZ. The third part of a Kerberos name is the realm. The realm corresponds to the Kerberos service providing authentication for the principal. For example, at MIT there is a Kerberos running at the Laboratory for Computer Science and one running at Project Athena.</P>
+
+<P>When writing a Kerberos name, the principal name is separated from the instance (if not null) by a period, and the realm (if not the local realm) follows, preceded by an "@" sign. The following are examples of valid Kerberos names:</P>
+
+<P>billb</P>
+
+<P>jis.admin</P>
+
+<P>srz@LCS.MIT.EDU</P>
+
+<P>treese.root@ATHENA.MIT.EDU</P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Kerberos: How does the other guy know who I am?</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="guide">
+</object>
+<p><b><a name="id_help_sipb"></a>Kerberos: How Does the Other Guy Know
+Who I Am?</b></p>
+<p>A portion of the text below was copied with permission from <i>An
+Inessential Guide to Athena</i> (5th edition) published by the MIT
+Student Information Processing Board.</p>
+<p>MIT's Athena Project developed a system known as Kerberos to provide
+for security on a physically insecure network. A complete description
+of the mechanisms used by Kerberos to provide this security is beyond
+the scope of this document. This section describes why Kerberos is
+necessary in a distributed computing environment, the theory behind
+Kerberos (with pointers to further information), and the user commands
+which interface to Kerberos. It also gives hints for using Kerberos
+more effectively.</p>
+<p><b>Why</b> <b>Kerberos</b> <b>is </b><a name="id_help_authentic"></a><b>needed</b>.
+Most moderately-sized to large computer systems use some form of
+password protection scheme to <i>authenticate </i>users; that is,
+they require a user who wishes to log in to give both his name and a
+secret password which only he and the computer system know. Anyone who
+happens to know the password can claim to be that user. It is therefore
+desirable to prevent people from listening in on the conversation
+between the computer and the user's terminal or workstation.</p>
+<p>This is relatively easy in the case of terminals directly connected
+to the machine, since each terminal has its own cable. In a local-area
+network, several (typically between 10 and 200) computers share one
+cable, and any computer can listen in on any network traffic. With the
+advent of network monitoring packages for IBM PC's and similar
+machines, it is relatively easy for a determined user to set up a
+program to listen in on a network for any and all passwords being sent
+over. This would allow an intruder to masquerade as someone else,
+violating their privacy and perhaps stealing information (academic or
+otherwise). <b>Note that THE ELECTRONIC COMMUNICATIONS PRIVACY ACT of
+1986 makes this a Federal crime</b> punishable by lots of nasty stuff
+(ask your lawyer for details).</p>
+<p>In addition, since Athena (like the Internet) uses a
+workstation-based model of computation, with most operations taking
+place on a single-user workstation with occasional requests (for files,
+etc.) going to other "server" machines, Athena needed to set up some
+way to allow users to <i>prove</i> their identity to such server
+machines.</p>
+<p><b>A few definitions</b>. Knowledge of the following terms is not
+essential for use of Kerberos but is helpful in understanding what is
+going on:</p>
+<p><b>user:</b>A human being who wishes to use a computer system. A
+user, through his workstation, may make a series of requests to several
+servers in the course of a session, and would like to avoid (due to
+sheer laziness, among other things) having to type his password to each
+machine in question.</p>
+<p><b>service:</b>A program or set of programs running on a computer
+which is accessible over the network. The service would like to know
+with certainty that the workstation to which it is providing the
+service is really being used by the <b>user</b> who claims to be
+logged in on the workstation. Note that workstations are <i>not </i>services,
+and thus one may not use Kerberos to log into them over the network.</p>
+<p><a name="id_help_principal"></a><b>principal:</b>An entity which can
+both prove its identity and verify the identities of other principals
+who wish to communicate with it; each <b>user</b> and each <b>service</b>
+registered with Kerberos is thus a principal.</p>
+<p><b>ticket:</b> A block of data which, when given to a user, enables
+her to prove her identity to a service. Tickets are stored in RAM in an
+area of memory reserved by the Kerberos cache. They are automatically
+erased when the computer is rebooted or when the user issues the
+destroy tickets command from Leash. They may also be destroyed from a
+Command Prompt by executing the command: kdestroy. Tickets contain
+information which must be considered private to the user, and thus
+should be protected. As they contain a time stamp, they cease to be
+valid after a limited time. One ticket is needed for each service;
+tickets are used to build <b>authenticators</b>, which are sent over
+the network to the service.</p>
+<p><b>authenticator:</b> A block of data which a user's workstation
+sends over the network to a specific service to prove that the
+workstation really is in use by that user. An authenticator expires
+after five minutes. One authenticator is typically built per session of
+use of a service; once the service decodes the authenticator, it
+generally permits the user to operate for as long as she wants. This
+behavior is not in any way mandated by the Kerberos suite of programs
+and libraries (it is just a detail of the implementation), but it is
+convenient and considered secure enough for most environments.</p>
+<p><b>How It Works...</b></p>
+<p>Kerberos uses a standard encryption-based authentication technique
+with a few variations designed to increase ease of use across
+administrative entities and reduce the number of possible "attacks" on
+the system. The system uses cryptographically sealed <i>tickets</i>
+and <i>authenticators</i>} which may be passed over the network and
+decrypted only by a user or machine which knows the appropriate
+encryption/decryption key.</p>
+<p><b>Using Kerberos...</b></p>
+<p>After obtaining your initial ticket getting ticket either by logging
+onto your workstation or by utilizing a Kerberos Ticket Manager (e.g.,
+Leash), Kerberos aware applications will generate authenticators and
+obtain service tickets without further end user interaction.
+Examples of programs which utilize Kerberos authentication include
+e-mail, distributed file systems, remote login tools, and browsers.<br>
+</p>
+<p><b>Registering with Kerberos...</b></p>
+<p>To use Kerberos you must have an account registered in a REALM
+associated with the service(s) you wish to access. Contact your
+network administrator to determine the registration procedures for your
+organization.<br>
+</p>
+<p>Once registered with Kerberos, tickets are obtained by the login
+program every time you log onto a workstation. You can also manually
+obtain new tickets (which you usually do only if your old ones have
+expired, 10 hours after you log in) by running the program<code> kinit</code>.
+It prompts for a username, requests an initial ticket from Kerberos,
+and then asks for your password. If you are not registered with
+Kerberos, it will print<code> Principal unknown (Kerberos)</code>.
+Unless you mistype your username, this should not happen. To correct
+this, or any other errors, contact the appropriate Help Desk personnel
+for your organization.<br>
+<br>
+</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>Kerberos Tickets</TITLE>
+</HEAD>
+
+<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
+
+<P><H2><SUP><A NAME="id_help_tickets"></A></SUP>Kerberos Tickets</H2></P>
+
+<P>When you authenticate yourself with Kerberos, through either the Leash program or the kinit command, Kerberos gives you an initial Kerberos ticket. (A Kerberos ticket is an encrypted protocol message that provides authentication.) Kerberos uses this ticket for network utilities such as telnet, ftp or email. The ticket transactions are done transparently, so you don't have to worry about their management.</P>
+
+<P>Note, however, that tickets expire. Privileged tickets, such as root instance tickets, expire in a few minutes, while tickets that carry more ordinary privileges may be good for several hours or a day, depending on the installation's policy. On Athena, the default time limit is 10 hours; if your login session extends beyond the time limit, you will have to reauthenticate yourself to Kerberos to get new tickets.</P>
+
+<P><B>See Also</B></P>
+
+<P><A HREF="leash_topic_kerberos_auth_service.htm">An Authentication Service</A></P>
+
+<P><A HREF="leash_topic_kerberos_principals.htm">How Does the Other Guy Know Who I Am?</A></P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>Leash Program</TITLE>
+</HEAD>
+
+<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
+
+<OBJECT TYPE="application/x-oleobject" CLASSID="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e">
+ <PARAM NAME="Keyword" VALUE="Leash program">
+</OBJECT>
+
+<P><B><A NAME="id_help_leash"></A><A NAME="hid_leash_program"></A>Leash Program</B></P>
+
+<P><I><B>leash</B> \'le-sh\ n [ME lees, leshe, fr. OF laisse, fr. laissier] 1: a line for leading or restraining an animal 2a: a set of three animals (as greyhounds, foxes, bucks, or hares) 2b: a set of three - leash vt 3: a Windows program developed at MIT to manage a user's Kerberos tickets.</I></P>
+
+<H1>Leash Help Topics</H1>
+
+<P><A HREF="leash_topic_leash_window.htm">Leash Screen Display (Kerberometer and Dash Notification)</A></P>
+
+<P><A HREF="leash_menu_commands.htm">Leash Commands</A></P>
+
+<P><A HREF="leash_topic_online_help.htm">How To Use Leash Online Help</A></P>
+
+<P><A HREF="leash_copyright.htm">Leash Copyright</A></P>
+
+<P><A HREF="leash_acknowledgements.htm">Acknowledgments</A></P>
+
+<P><A HREF="leash_bug_reports.htm">Reporting Problems with Leash</A></P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Leash System Tray Tool</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="systray">
+</object>
+<p></p>
+<h2><a name="id_help_systray"></a>Leash System Tray Tool</h2>
+<p class="MsoNormal">While Leash is running one of the following icons
+will be
+displayed in the system tray based upon the current state of your
+Kerberos
+tickets.<span style=""> </span>Clicking on the icon with the
+first mouse button will open or close the Leash display window.<span
+ style=""> </span>Clicking with the second mouse button will
+display a menu of commands.</p>
+<img style="width: 367px; height: 53px;" alt="System Tray Icons"
+ title="System Tray Icons" src="..%5CImages%5CLeash_systray_icons.jpg"><br>
+<br>
+<ul>
+ <li>Green: <span style=""> </span>tickets are
+valid and have a lifetime of greater than 20 minutes</li>
+ <li>Grey: <span style=""> </span>no
+tickets
+are present</li>
+ <li>Orange:<span style=""> </span>tickets are
+valid and about to expire</li>
+ <li>Red:<span style=""> </span>tickets
+have expired<br>
+ </li>
+</ul>
+<h3>System Tray Menu<br>
+</h3>
+<img style="width: 650px; height: 253px;" alt="System Tray Menu"
+ title="System Tray Menu" src="..%5CImages%5CLeash_systray_menu.jpg"><br>
+<br>
+<ul>
+ <li><span style="font-weight: bold;">Open Leash Window</span> will
+restore the <a href="leash_topic_leash_window.htm">Leash Ticket
+Display window</a>. If the window is already open this option will
+appear as <span style="font-weight: bold;">Close Leash Window</span>.<br>
+ </li>
+ <li><a href="leash_command_get_tickets.htm">Get Ticket(s)/Token(s)</a></li>
+ <li><a href="leash_command_renew_tickets.htm">Renew Ticket(s)/Token(s)</a></li>
+ <li><a href="leash_command_import_tickets.htm">Import Tickets</a></li>
+ <li><a href="leash_command_destroy_tickets.htm">Destroy
+Ticket(s)/Token(s)</a></li>
+ <li><a href="leash_command_change_password.htm">Change Password</a></li>
+ <li><a href="leash_option_auto_renewal.htm">Automatic Ticket Renewal</a></li>
+ <li><a href="leash_option_expiration_alarm.htm">Expiration Alarm</a></li>
+ <li><a href="leash_file_exit.htm">Exit</a></li>
+</ul>
+<p class="MsoNormal"><o:p></o:p></p>
+<br>
+<p></p>
+<p></p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Leash Screen Display (Kerberometer and Dash Notification)</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="display">
+</object>
+<p></p>
+<h2><a name="id_help_meter"></a>Leash Screen Display (Kerberometer and Dash Notification)</h2>
+<p></p>
+<p class="MsoBodyTextIndent2" style="text-indent: 0in;">The window
+title contains
+the name \93Leash\94 followed by the current date and time.<span style="">
+</span>Below the title are a menu bar; a tool bar
+(optional); a tree view; and a status bar (optional).</p>
+<p class="MsoNormal"><b><o:p><img style="width: 718px; height: 453px;"
+ alt="Leash Display Window" title="Leash Display Window"
+ src="..%5CImages%5CLeash_display_window.jpg"><br>
+</o:p></b></p>
+<p class="MsoNormal"></p>
+<p class="MsoNormal">The root of the Leash tree view shows the active
+user
+principal name (user@REALM).<span style=""> </span>This entry
+appears with a "+" icon and a Kerberos icon to its left.<span style="">
+</span>Click on this plus icon of a line to expand
+the branch, displaying a "-" icon.<span style="">
+</span>To retract the branch click on the minus sign.</p>
+<p class="MsoNormal">Below user principal, the tree contains ticket
+categories.<span style=""> </span>Below each ticket category
+are the current tickets belonging to the group.<span style="">
+</span>Each ticket entry contains the current ticket status, the time
+it was
+issued, the time it will expire, and the service principal and flags.<span
+ style=""> </span>For Kerberos 5 tickets, encryption types and
+network address information are listed below each ticket.</p>
+<p class="MsoNormal">The tree updates once per minute.<span style="">
+</span>If you need an immediate update of your
+ticket status, you can either click in the window or the press the
+Update
+Display button on the toolbar.</p>
+<p class="MsoNormal"><o:p></o:p>On the right of the status bar is a
+display of the remaining
+time of your tickets (both Kerberos 4 and Kerberos 5, as some programs
+obtain
+only Kerberos 4 tickets, these are not necessarily the same) in hours,
+minutes,
+and seconds.<span style=""> </span>This used to be known as
+the <b>Kerberometer</b>.<span style=""> </span></p>
+<p class="MsoNormal">Each ticket is described and represented by an
+icon of a
+little ticket. The color of the ticket changes based on its viability: </p>
+<p class="MsoNormal" style="margin-left: 1.5in;">green = normal</p>
+<p class="MsoNormal" style="margin-left: 1.5in;">yellow = tickets are
+within 15
+minutes of expiration</p>
+<p class="MsoNormal" style="margin-left: 1.5in;">red = tickets have
+expired, or you
+have no tickets</p>
+<p class="MsoNormal" style="margin-left: 1.5in;">gray = these tickets
+are not available
+to you</p>
+<p class="MsoNormal"><o:p></o:p><span
+ style="font-family: "Times New Roman";"></span>At 15, 10, and 5
+minutes before your Kerberos tickets expire, a screen pops up to warn
+that your Kerberos tickets will expire soon and to give you the
+opportunity to renew them. This used to be known as Dash-style
+notification.</p>
+<p class="MsoNormal">Andrew File System (AFS) tokens information is
+displayed
+only on machines that have either OpenAFS for Windows <a
+ href="http://www.openafs.org/">http://www.openafs.org</a> or Transarc
+AFS 3.6
+for Windows.<o:p></o:p></p>
+<p class="MsoNormal"></p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Help on Using Leash Online Help</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="help, online">
+</object>
+<h1><a name="id_help_leash_help"></a>How To Use Leash Online Help</h1>
+<p>In Leash, <b>F1</b> are the online Help keys. Here's what they do:</p>
+<p><b>Pressing F1...</b><b>gets you...</b></p>
+<p>in the Leash main window: <span style="font-weight: bold;">Leash
+Help Topics</span> -- click the one you need.</p>
+<p>in Leash Help Topics: Contents for How To Use Help -- list of topics
+explaining the features and functions of Windows online help -- click
+the one you need.</p>
+<p>in a Leash dialogue box: context-sensitive help, i.e., the specific
+topic that explains where you are and what you're doing.</p>
+<p>at an error message: explanation for the error message.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+<HEAD>
+<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
+<TITLE>How to Choose a Password</TITLE>
+</HEAD>
+
+<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
+
+<OBJECT TYPE="application/x-oleobject" CLASSID="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e">
+ <PARAM NAME="Keyword" VALUE="choose">
+</OBJECT>
+
+<P><A NAME="hid_choose_password"></A><A NAME="id_help_choose"></A><B>How To Choose a Password...</B></P>
+
+<P>Your passwords are the keys to many computers, from a bank machine to a multiuser mainframe to a server on a network. Your password helps to prove that you are who you say you are, and ensures your privacy.</P>
+
+<P>Compromised passwords are the means by which most unauthorized (and unscrupulous) people gain access to a system. Someone logging on under your name has access not only to your computer files, but to most of the facilities of the computer system. Since tampering can have far-reaching and serious consequences, it's important to take to heart the following guidelines for choosing a password.</P>
+
+<P><B>Do choose</B>:</P>
+
+<P>*Something easy for you to remember with at least six characters.</P>
+
+<P>*Something obscure. For instance, you might deliberately misspell a term or use an odd character in an otherwise familiar term, such as "phnybon" instead of "funnybone." Or use a combination of two unrelated words or a combination of letters and numbers.</P>
+
+<P>*A combination of letters and numbers, or a phrase like "many colors" and then use only the consonants "mnYc0l0rz."</P>
+
+<P>*An acronym for your favorite saying, for example, "L!isn!" (Live! It's Saturday Night!)</P>
+
+<P><B>Don't choose</B>:</P>
+
+<P>*Your name in any form - first, middle, last, maiden, spelled backwards, nickname or initials.</P>
+
+<P>*Your userid, or your userid spelled backwards.</P>
+
+<P>*Part of your userid or name.</P>
+
+<P>*Any common name, such as Joe.</P>
+
+<P>*The name of a close relative, friend, or pet.</P>
+
+<P>*Your phone or office number, address, birthday, or anniversary.</P>
+
+<P>*Your license-plate number, your social-security number, or any all numeral password.</P>
+
+<P>*Names from popular culture, e.g., spock, sleepy. </P>
+
+<P>*Any word in a dictionary.</P>
+
+<P>*Passwords of fewer than four characters.</P>
+
+<P><B>Mum's the Word</B></P>
+
+<P>Never tell anyone your password -- not even your system administrator or account manager -- and don't write it down. Make sure you have chosen a password that you can remember. And, finally, change your password at regular intervals</P>
+
+<P>Reprinted from i/s, Vol. 4, No. 9,</P>
+
+<P>May 1989. Revised March 1993.</P>
+
+<P>Copyright C 1993 MIT Information Systems</P>
+
+<P>Send comments or questions about this publication to</P>
+
+<P><comment-ispubs@mit.edu> or call x3-5150</P>
+
+<P>Before You Begin...</P>
+
+<P>Remember that <I>passwords are case-sensitive, </I>and<I> </I>note whether your keyboard has Caps Lock on.<B> </B>Leash is<B> </B>not programmed to inform you about the state of your Caps Lock key.</P>
+
+<P><B>How To Use Change Password...</B></P>
+
+<P><B>1.</B>In Leash, click on the Change Password button (the one that says abc and has a green arrow), type your username in the first field of the dialogue box that opens, and press Enter or click OK. You may start over anytime by clicking Restart, stop at any time by clicking Cancel, or get help at any time with the Help button.</P>
+
+<P><B>2.</B>Type your <I>current</I> password in the second field and press Enter or click OK.</P>
+
+<P>The program checks the username and password you entered and notifies you if either is invalid.</P>
+
+<P><B>3.</B>Type your <I>new</I> password in the third field and press Enter or click OK.</P>
+
+<P><B>4</B>.Retype your <I>new</I> password, to verify it, and press Enter or click OK.</P>
+
+<P>Once you have entered the new password twice with consistent spellings, the Leash program replaces your old password with the new, <I>if it is a strong password. </I>If Kerberos determines the password is weak, a message notifies you, and you need to<I> </I>repeat steps 1 through 4 with a strong password, as described by the "How To Choose a Password" guidelines above.</P>
+
+<P><B>How Change Password Works...</B></P>
+
+<P>When you type into the password fields of the dialog box, neither characters nor sounds echo back, thus keeping secret even the number of password characters. The program accepts only printable characters for new passwords, i.e., characters between ASCII codes 0x20 and 0x7E.</P>
+
+<P>When you have entered the new password twice consistently, the program attempts to change the password via a dialogue with the Kerberos administrative server. Some Kerberos sites, including MIT's Athena environment, check the password's strength before allowing the change to take place and notifies you if it determines that the password is weak.</P>
+
+</BODY>
+</HTML>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Kerberos Timing Issues</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="time">
+</object>
+<p></p>
+<h2><a name="id_help_time"></a>Kerberos Timing Issues</h2>
+<p></p>
+<p>To resynchronize your computer's clock to the network's clock,
+manually set it, or run the leash Synchronize Time Command. If
+you are using Windows XP or Windows 2003, the Date and Time Control
+Panel contains an Internet Time page which can be used to automatically
+synchronize the clock on a regular basis.<br>
+</p>
+<p><b>Why Do It...</b></p>
+<p>Kerberos authentication uses time stamps as part of its protocol.
+When the clocks of the Kerberos server and your computer are too far
+out of synchronization, you cannot authenticate properly.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Why use Leash?</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="why">
+</object>
+<h1><a name="id_help_purpose"></a><a name="hid_why_use_leash32"></a>Why
+Use Leash?</h1>
+<p class="MsoNormal">Leash is a graphical system-tray tool designed to
+manage for
+Kerberos tickets on Microsoft Windows. <span style=""> </span>Leash
+is used to obtain Kerberos tickets,
+change your Kerberos password, and obtain Andrew File System (AFS)
+tokens.</p>
+<p>Leash combines the functionality of several command line tools a
+user would use to manage Kerberos functions: <a
+ href="leash_external_kinit.htm">kinit</a>, <a
+ href="leash_external_klist.htm">klist</a>, <a
+ href="leash_external_kdestroy.htm">kdestroy</a>, ms2mit, aklog, and
+passwd or kpasswd. Leash combines all of these functions into one user
+interface and supports auto-renewal or <a
+ href="leash_topic_leash_window.htm">user notification</a> when tickets
+are approaching expiration.</p>
+<p class="MsoNormal">There are many ways to execute Leash. In addition
+to
+clicking on a Leash shortcut, you can start Leash from the Windows
+command
+Prompt or Run... option. <span style=""> </span>Command-line
+options may be specified.<span style=""> </span>If you run Leash
+with the options -i or -kinit, it will display the ticket
+initialization dialog
+and exit; -m or \96ms2mit or \96import will import tickets from the
+Microsoft
+Windows logon session (if available) and exit; -d or -destroy will
+destroy all
+existing tickets and exit; -r or \96renew will renew existing Kerberos
+tickets
+(if possible) and exit; -a or \96autoinit will display the ticket
+initialization
+dialog if you have no Kerberos tickets.<o:p> </o:p></p>
+<p class="MsoNormal">You may create a shortcut to Leash within your
+Windows
+Startup folder (Start Menu->Programs->Startup).<span style="">
+</span><span style=""> </span>A
+shortcut to \93Leash32.exe \96autoinit\94 ensures that Kerberos tickets are
+available
+for the use of Kerberized applications throughout your Windows logon
+session.</p>
+<p class="MsoNormal">If Leash is not executed before using a Kerberized
+application, the application may prompt you for your password. Some
+applications, like lpr, never prompt you for a password. These
+applications
+simply terminate with a message indicating that you are not
+authenticated. Before
+these applications can successfully be used a separate program, such as
+Leash
+or kinit, must be used to first authenticate you using Kerberos.<b><o:p> </o:p></b></p>
+<p class="MsoNormal">Leash does not perform a logon in the sense of the
+Windows
+Logon Service.<span style=""> </span>A logon service would do
+more than manage Kerberos tickets. A logon service would authenticate
+you to
+the local machine, validate access to your local file system and
+performs
+additional set-up tasks. These are beyond the scope of Leash. Leash
+simply
+allows you to manage Kerberos tickets on behalf of compatible
+applications and
+to change your Kerberos password. <o:p></o:p></p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Debug Window Option</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="debug">
+</object>
+<h3><a name="hid_debug_window_option"></a><b>Debug Window</b></h3>
+<p>When this item (found under the Action menu) is checked, the Leash
+Debug Window appears. <br>
+</p>
+<p><img style="width: 640px; height: 439px;" alt="Debug Window"
+ title="Debug Window" src="..%5CImages%5CLeash_debug_window.jpg"></p>
+<p></p>
+<p class="MsoNormal" style="">From this window, commands that
+Leash issues to the Kerberos server are visible. Here, you can see
+exactly what
+Leash is doing. This action is useful if you are having a problem with
+Leash
+and want to see more exactly what is going on, or if you are writing
+Kerberized
+applications dependent on Kerberos tickets or the actions of Leash.<o:p> </o:p></p>
+<p class="MsoNormal" style="">Note: Debugging is only
+supported by Kerberos 4 and AFS.<span style="">
+</span>Kerberos 5 protocol operations cannot be debugged using Leash.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Large Icons Option</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="large icons">
+</object>
+<h3><a name="hid_large_icons_option"></a><b>Large Icons</b></h3>
+<p>
+</p>
+<p class="MsoNormal">When this option is checked on the View menu, the
+icons and
+fonts in the main window (such as the picture of Kerberos) will be
+about twice
+as big as the minimal icon and font size.<span style="">
+</span>Naturally, smaller icons allow many more tickets to fit into a
+nonscrolling window.<span style=""> </span>The default setting
+of Leash is Large Icons.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Status Bar Option</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="status bar">
+</object>
+<h3><a name="hid_status_bar_option"></a><b>Status Bar</b></h3>
+<p>
+</p>
+<p class="MsoNormal" style="">The Status Bar is on by default;
+turning it off causes the bar at the bottom of the Leash window (with
+the time
+remaining on any tickets that you might have) to disappear.</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+ <meta http-equiv="Content-Type"
+ content="text/html; charset=Windows-1252">
+ <title>Leash Toolbar</title>
+</head>
+<body bgcolor="#ffffff" text="#000000">
+<object type="application/x-oleobject"
+ classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
+ name="Keyword" value="toolbar">
+</object>
+<h3><a name="hid_toolbar_option"></a><b>Leash Toolbar</b></h3>
+<p>
+</p>
+<p class="MsoNormal">By default, this option on the View menu is
+selected. When
+it is checked, the toolbar containing icons for commonly used commands
+is
+visible. Otherwise, Leash hides it.<br>
+</p>
+<p class="MsoNormal"><img style="width: 718px; height: 28px;"
+ alt="Leash Toolbar" title="Leash Toolbar"
+ src="..%5CImages%5CLeash_toolbar.jpg"><br>
+</p>
+<p class="MsoNormal"></p>
+<p class="MsoNormal">The Leash Toolbar contains buttons which act as
+shortcuts to
+the most frequently used Actions found on the Menubar.<span style="">
+</span>From left to right:</p>
+<ol style="margin-top: 0in;" start="1" type="1">
+ <li class="MsoNormal" style=""><a href="leash_command_get_tickets.htm">Get
+Tickets</a></li>
+ <li class="MsoNormal" style=""><a
+ href="leash_command_renew_tickets.htm">Renew Tickets</a></li>
+ <li class="MsoNormal" style=""><a
+ href="leash_command_import_tickets.htm">Import Tickets</a></li>
+ <li class="MsoNormal" style=""><a
+ href="leash_command_destroy_tickets.htm">Destroy Tickets</a></li>
+ <li class="MsoNormal" style=""><a
+ href="leash_command_change_password.htm">Change Password</a></li>
+ <li class="MsoNormal" style=""><a
+ href="leash_command_update_display.htm">Update Display</a></li>
+ <li class="MsoNormal" style=""><a href="leash_command_sync_time.htm">Synchronize
+Time</a><o:p></o:p></li>
+</ol>
+<br>
+</body>
+</html>
--- /dev/null
+<HTML>
+<!-- Sitemap 1.0 -->
+<OBJECT type="text/site properties">
+</OBJECT>
+<UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="about">
+ <param name="Name" value="KERBEROS">
+ <param name="Local" value="html/leash_topic_about_kerberos.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="acknowledgements">
+ <param name="Name" value="Acknowledgements">
+ <param name="Local" value="html/leash_acknowledgements.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="aklog">
+ <param name="See Also" value="aklog">
+ </OBJECT>
+ <UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="exe">
+ <param name="Local" value="html/leash_external_aklog.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="man">
+ <param name="Local" value="html/leash_manpage_aklog.htm">
+ </OBJECT>
+ </UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="bugs">
+ <param name="Name" value="Reporting Problems With Leash">
+ <param name="Local" value="html/leash_bug_reports.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="change">
+ <param name="Name" value="Change Password Command">
+ <param name="Local" value="html/leash_command_change_password.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="choose">
+ <param name="Name" value="How to Choose a Password">
+ <param name="Local" value="html/leash_topic_password_choice.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="commands">
+ <param name="Name" value="Leash Commands">
+ <param name="Local" value="html/leash_menu_commands.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="copyright">
+ <param name="See Also" value="copyright">
+ </OBJECT>
+ <UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="kerberos">
+ <param name="Local" value="html/leash_kerberos_copyright.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="Leash32">
+ <param name="Local" value="html/leash_copyright.htm">
+ </OBJECT>
+ </UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="debug">
+ <param name="Name" value="Debug Window Option">
+ <param name="Local" value="html/leash_view_debug_window.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="destroy">
+ <param name="Name" value="Destroy Tickets/Tokens on Exit Option">
+ <param name="Local" value="html/leash_option_tickets_on_exit.htm">
+ <param name="Name" value="Destroy Tickets Command">
+ <param name="Local" value="html/leash_command_destroy_tickets.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="display">
+ <param name="Name" value="Leash Display (Kerberometer and Dash Notification)">
+ <param name="Local" value="html/leash_topic_leash_window.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="DOS commands">
+ <param name="Name" value="Using Kerberos in a Command Prompt Environment">
+ <param name="Local" value="html/leash_topic_kerberos_command_prompt.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="error">
+ <param name="See Also" value="error">
+ </OBJECT>
+ <UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="57">
+ <param name="Local" value="html/leash_topic_error_57.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="62">
+ <param name="Local" value="html/leash_topic_error_62.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="8">
+ <param name="Local" value="html/leash_topic_error_8.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="invalid principal">
+ <param name="Local" value="html/leash_topic_invalid_principal.htm">
+ </OBJECT>
+ </UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="exit">
+ <param name="Name" value="Exit/End Leash Program">
+ <param name="Local" value="html/leash_file_exit.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="expiration">
+ <param name="Name" value="Low Ticket/Token Time Alarm Option">
+ <param name="Local" value="html/leash_option_expiration_alarm.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="export">
+ <param name="Name" value="Kerberos Export Restrictions and Source Code Access">
+ <param name="Local" value="html/leash_export.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="get">
+ <param name="Name" value="InitializeTickets Command">
+ <param name="Local" value="html/leash_command_get_tickets.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="guide">
+ <param name="Name" value="Kerberos: How does the other guy know who I am?">
+ <param name="Local" value="html/leash_topic_kerberos_principals.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="help">
+ <param name="See Also" value="help">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="import">
+ <param name="Name" value="ImportTickets Command">
+ <param name="Local" value="html/leash_command_import_tickets.htm">
+ </OBJECT>
+ <UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="About Kerberos">
+ <param name="Local" value="html/leash_topic_about_kerberos.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="About Leash32">
+ <param name="Local" value="html/leash_help_about_leash32.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="online">
+ <param name="Local" value="html/leash_topic_online_help.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="Why use Leash32">
+ <param name="Local" value="html/leash_topic_why_use.htm">
+ </OBJECT>
+ </UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="kdestroy">
+ <param name="See Also" value="kdestroy">
+ </OBJECT>
+ <UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="exe">
+ <param name="Local" value="html/leash_external_kdestroy.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="man">
+ <param name="Local" value="html/leash_manpage_kdestroy.htm">
+ </OBJECT>
+ </UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="Kerberos">
+ <param name="Name" value="An Authentication Service for Open Network Systems">
+ <param name="Local" value="html/leash_topic_kerberos_auth_service.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="key">
+ <param name="See Also" value="key">
+ </OBJECT>
+ <UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="Ctrl+4">
+ <param name="Local" value="html/leash_option_krb4_properties.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="Ctrl+5">
+ <param name="Local" value="html/leash_option_krb5_properties.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="Ctrl+A">
+ <param name="Local" value="html/leash_option_afs_properties.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="Ctrl+D">
+ <param name="Local" value="html/leash_command_destroy_tickets.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="Ctrl+I">
+ <param name="Local" value="html/leash_command_import_tickets.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="Ctrl+K">
+ <param name="Local" value="html/leash_option_kerberos_properties.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="Ctrl+L">
+ <param name="Local" value="html/leash_option_leash_properties.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="Ctrl+R">
+ <param name="Local" value="html/leash_command_renew_tickets.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="Ctrl+T">
+ <param name="Local" value="html/leash_command_get_tickets.htm">
+ </OBJECT>
+ </UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="Key">
+ <param name="See Also" value="Key">
+ </OBJECT>
+ <UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="F5">
+ <param name="Local" value="html/leash_command_update_display.htm">
+ </OBJECT>
+ </UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="kinit">
+ <param name="See Also" value="kinit">
+ </OBJECT>
+ <UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="exe">
+ <param name="Local" value="html/leash_external_kinit.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="man">
+ <param name="Local" value="html/leash_manpage_kinit.htm">
+ </OBJECT>
+ </UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="klist">
+ <param name="See Also" value="klist">
+ </OBJECT>
+ <UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="exe">
+ <param name="Local" value="html/leash_external_klist.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="man">
+ <param name="Local" value="html/leash_manpage_klist.htm">
+ </OBJECT>
+ </UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="large icons">
+ <param name="Name" value="Large Icons Option">
+ <param name="Local" value="html/leash_view_large_icons.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="Leash program">
+ <param name="Name" value="Leash Program">
+ <param name="Local" value="html/leash_topic_leash_help_topics.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="ms2mit">
+ <param name="See Also" value="ms2mit">
+ </OBJECT>
+ <UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="exe">
+ <param name="Local" value="html/leash_external_ms2mit.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="man">
+ <param name="Local" value="html/leash_manpage_ms2mit.htm">
+ </OBJECT>
+ </UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="names">
+ <param name="Name" value="Kerberos Names">
+ <param name="Local" value="html/leash_topic_kerberos_names.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="properties">
+ <param name="See Also" value="properties">
+ </OBJECT>
+ <UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="AFS">
+ <param name="Local" value="html/leash_option_afs_properties.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="Kerberos">
+ <param name="Local" value="html/leash_option_kerberos_properties.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="Kerberos4">
+ <param name="Local" value="html/leash_option_krb4_properties.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="Kerberos5">
+ <param name="Local" value="html/leash_option_krb5_properties.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="Leash">
+ <param name="Local" value="html/leash_option_leash_properties.htm">
+ </OBJECT>
+ </UL>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="renew">
+ <param name="Name" value="RenewTickets Command">
+ <param name="Local" value="html/leash_command_renew_tickets.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="reset">
+ <param name="Name" value="Reset Window Size/Pos Command">
+ <param name="Local" value="html/leash_command_reset_window.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="status bar">
+ <param name="Name" value="Status Bar Option">
+ <param name="Local" value="html/leash_view_status_bar.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="synchronize">
+ <param name="Name" value="Synchronize Time Command">
+ <param name="Local" value="html/leash_command_sync_time.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="tickets">
+ <param name="Name" value="How Kerberos Shares Tickets">
+ <param name="Local" value="html/leash_topic_sharing_tickets.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="time">
+ <param name="Name" value="Kerberos Timing Issues">
+ <param name="Local" value="html/leash_topic_timing_issues.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="toolbar">
+ <param name="Name" value="Toolbar Option">
+ <param name="Local" value="html/leash_view_toolbar.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="update">
+ <param name="Name" value="Update Display Command">
+ <param name="Local" value="html/leash_command_update_display.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="uppercase">
+ <param name="Name" value="Upper Case Realm Name Option">
+ <param name="Local" value="html/leash_option_upper_case_realm.htm">
+ </OBJECT>
+ <LI> <OBJECT type="text/sitemap">
+ <param name="Keyword" value="why">
+ <param name="Name" value="Why use Leash?">
+ <param name="Local" value="html/leash_topic_why_use.htm">
+ </OBJECT>
+</UL></HTML>
--- /dev/null
+[OPTIONS]
+Auto Index=Yes
+Auto TOC=9
+Compatibility=1.1 or later
+Compiled file=leash.chm
+Contents file=Table of Contents.hhc
+Default Font=Arial,10,0
+Default Window=Default Leash Help Window
+Default topic=html\leash_topic_why_use.htm
+Display compile progress=Yes
+Error log file=.\leash.log
+Full-text search=Yes
+Index file=leash32.hhk
+Language=0x409 English (United States)
+Title=Leash Ticket Manager Help
+
+[WINDOWS]
+Default Leash Help Window="Leash Ticket Manager Help","Table of Contents.hhc","leash32.hhk","html\leash_topic_leash_help_topics.htm","html\leash_topic_leash_help_topics.htm",,,,,0x42520,320,0x304e,[0,0,800,560],0x7b0000,,,,,,0
+
+
+[FILES]
+html\leash_topic_why_use.htm
+html\leash_topic_leash_help_topics.htm
+html\leash_topic_leash_window.htm
+html\leash_topic_leash_systray.htm
+html\leash_menu_commands.htm
+html\leash_file_exit.htm
+html\leash_command_get_tickets.htm
+html\leash_command_import_tickets.htm
+html\leash_command_renew_tickets.htm
+html\leash_command_destroy_tickets.htm
+html\leash_command_change_password.htm
+html\leash_topic_password_choice.htm
+html\leash_command_reset_window.htm
+html\leash_command_sync_time.htm
+html\leash_command_update_display.htm
+html\leash_view_large_icons.htm
+html\leash_view_toolbar.htm
+html\leash_view_status_bar.htm
+html\leash_view_debug_window.htm
+html\leash_option_auto_renewal.htm
+html\leash_option_destroy_tickets_on_exit.htm
+html\leash_option_expiration_alarm.htm
+html\leash_option_upper_case_realm.htm
+html\leash_option_leash_properties.htm
+html\leash_option_kerberos_properties.htm
+html\leash_option_krb4_properties.htm
+html\leash_option_krb5_properties.htm
+html\leash_option_afs_properties.htm
+html\leash_menu_help_why_use.htm
+html\leash_help_about_leash32.htm
+html\leash_topic_kerberos_help_topics.htm
+html\leash_topic_about_kerberos.htm
+html\leash_topic_kerberos_names.htm
+html\leash_topic_kerberos_tickets.htm
+html\leash_topic_kerberos_command_prompt.htm
+html\leash_topic_timing_issues.htm
+html\leash_external_kdestroy.htm
+html\leash_external_kinit.htm
+html\leash_external_klist.htm
+html\leash_external_ms2mit.htm
+html\leash_external_aklog.htm
+html\leash_topic_kerberos_principals.htm
+html\leash_topic_kerberos_auth_service.htm
+html\leash_manpages.htm
+html\leash_manpage_kinit.htm
+html\leash_manpage_klist.htm
+html\leash_manpage_kdestroy.htm
+html\leash_manpage_ms2mit.htm
+html\leash_manpage_aklog.htm
+html\leash_errors.htm
+html\leash_topic_error_8.htm
+html\leash_topic_error_57.htm
+html\leash_topic_error_62.htm
+html\leash_topic_error_invalid_principal.htm
+html\leash_topic_online_help.htm
+html\leash_copyright.htm
+html\leash_kerberos_copyright.htm
+html\leash_export.htm
+html\leash_bug_reports.htm
+html\leash_acknowledgements.htm
+html\hid_view_toolbar.htm
+html\afx_hidw_toolbar.htm
+html\hid_view_status_bar.htm
+html\afx_hidw_status_bar.htm
+html\hid_app_about.htm
+html\hid_app_exit.htm
+html\hid_help_index.htm
+html\hid_help_using.htm
+html\hid_context_help.htm
+html\hid_sc_size.htm
+html\hid_sc_move.htm
+html\hid_sc_minimize.htm
+html\hid_sc_maximize.htm
+html\hid_sc_close.htm
+html\hid_sc_restore.htm
+
+[ALIAS]
+HID_ABOUT_KERBEROS = html\leash_topic_about_kerberos.htm
+HID_ABOUT_LEASH32_COMMAND = html\leash_menu_commands.htm
+HID_ABOUT_LEASH32_MODULES = html\leash_help_about_leash32.htm
+HID_AFS_PROPERTIES_COMMAND = html\leash_option_afs_properties.htm
+HID_CHANGE_PASSWORD_COMMAND = html\leash_command_change_password.htm
+HID_DEBUG_WINDOW = html\leash_view_debug_window.htm
+HID_DEBUG_WINDOW_OPTION = html\leash_view_debug_window.htm
+HID_DESTROY_TICKETS_COMMAND = html\leash_command_destroy_tickets.htm
+HID_DESTROY_TICKETS_ON_EXIT = html\leash_option_destroy_tickets_on_exit.htm
+HID_EXIT_COMMAND = html\leash_file_exit.htm
+HID_GET_TICKETS_COMMAND = html\leash_command_get_tickets.htm
+HID_RENEW_TICKETS_COMMAND = html\leash_command_renew_tickets.htm
+HID_IMPORT_TICKETS_COMMAND = html\leash_command_import_tickets.htm
+HID_HELP_CONTENTS = html\leash_topic_leash_help_topics.htm
+HID_KERBEROS_PROPERTIES_ADDDOM = html\leash_option_kerberos_properties.htm
+HID_KERBEROS_PROPERTIES_ADDHOST = html\leash_option_kerberos_properties.htm
+HID_KERBEROS_PROPERTIES_ADDHOST = html\leash_option_kerberos_properties.htm
+HID_KERBEROS_PROPERTIES_ADDRLM = html\leash_option_kerberos_properties.htm
+HID_KERBEROS_PROPERTIES_COMMAND = html\leash_option_kerberos_properties.htm
+HID_KERBEROS_PROPERTIES_EDIT = html\leash_option_kerberos_properties.htm
+HID_KERBEROS_PROPERTIES_EDITDOM = html\leash_option_kerberos_properties.htm
+HID_KERBEROS_PROPERTIES_EDITHOST = html\leash_option_kerberos_properties.htm
+HID_KERBEROS_PROPERTIES_LISTDOM = html\leash_option_kerberos_properties.htm
+HID_KERBEROS_PROPERTIES_LISTRLM = html\leash_option_kerberos_properties.htm
+HID_KRB4_PROPERTIES_COMMAND = html\leash_option_krb4_properties.htm
+HID_KRB4_PROPERTIES_EDIT = html\leash_option_krb4_properties.htm
+HID_KRB5_PROPERTIES_COMMAND = html\leash_option_krb5_properties.htm
+HID_KRB5_PROPERTIES_EDIT = html\leash_option_krb5_properties.htm
+HID_KRB5_PROPERTIES_FORWARDING = html\leash_option_krb5_properties.htm
+HID_LARGE_ICONS_OPTION = html\leash_view_large_icons.htm
+HID_LEASH_COMMANDS = html\leash_menu_commands.htm
+HID_LEASH_PROGRAM = html\leash_topic_leash_help_topics.htm
+HID_LEASH_PROPERTIES_COMMAND = html\leash_option_leash_properties.htm
+HID_LEASH_PROPERTIES_EDIT = html\leash_option_leash_properties.htm
+HID_LOW_TICKET_ALARM_OPTION = html\leash_option_expiration_alarm.htm
+HID_RESET_WINDOW_OPTION = html\leash_command_reset_window.htm
+HID_SCNCHRONIZE_TIME_OPTION = html\leash_command_sync_time.htm
+HID_STATUS_BAR_OPTION = html\leash_view_status_bar.htm
+HID_TOOLBAR_OPTION = html\leash_view_toolbar.htm
+HID_UPDATE_DISPLAY_COMMAND = html\leash_command_update_display.htm
+HID_UPPERCASE_REALM_OPTION = html\leash_option_upper_case_realm.htm
+HID_WHY_USE_LEASH32 = html\leash_topic_why_use.htm
+ID_CHANGEPASSWORD = html\leash_command_change_password.htm
+ID_COUNTDOWN = html\leash_option_expiration_alarm.htm
+ID_DESTROY = html\leash_command_destroy_tickets.htm
+ID_EXIT = html\leash_file_exit.htm
+ID_HELP_CHOOSE_PASSWORD = html\leash_topic_password_choice.htm
+ID_HELP_KERBEROS = html\leash_topic_kerberos_help_topics.htm
+ID_HELP_LEASH = html\leash_topic_leash_help_topics.htm
+ID_HELP_PURPOSE = html\leash_topic_why_use.htm
+ID_INITTICKETS = html\leash_command_get_tickets.htm
+hid_view_toolbar = html\hid_view_toolbar.htm
+afx_hidw_toolbar = html\afx_hidw_toolbar.htm
+hid_view_status_bar = html\hid_view_status_bar.htm
+afx_hidw_status_bar = html\afx_hidw_status_bar.htm
+hid_app_about = html\hid_app_about.htm
+hid_app_exit = html\hid_app_exit.htm
+hid_help_index = html\hid_help_index.htm
+hid_help_using = html\hid_help_using.htm
+hid_context_help = html\hid_context_help.htm
+hid_sc_size = html\hid_sc_size.htm
+hid_sc_move = html\hid_sc_move.htm
+hid_sc_minimize = html\hid_sc_minimize.htm
+hid_sc_maximize = html\hid_sc_maximize.htm
+hid_sc_close = html\hid_sc_close.htm
+hid_sc_restore = html\hid_sc_restore.htm
+
+[MAP]
+#define HID_ABOUT_KERBEROS 98320
+#define HID_ABOUT_LEASH32_COMMAND 123200
+#define HID_ABOUT_LEASH32_MODULES 131225
+#define HID_AFS_PROPERTIES_COMMAND 98327
+#define HID_CHANGE_PASSWORD_COMMAND 98315
+#define HID_DEBUG_WINDOW 131229
+#define HID_DEBUG_WINDOW_OPTION 98317
+#define HID_DESTROY_TICKETS_COMMAND 98313
+#define HID_DESTROY_TICKETS_ON_EXIT 98321
+#define HID_EXIT_COMMAND 123201
+#define HID_GET_TICKETS_COMMAND 98343
+#define HID_RENEW_TICKETS_COMMAND 98312
+#define HID_IMPORT_TICKETS_COMMAND 98342
+#define HID_HELP_CONTENTS 98340
+#define HID_KERBEROS_PROPERTIES_ADDDOM 131255
+#define HID_KERBEROS_PROPERTIES_ADDHOST 131254
+#define HID_KERBEROS_PROPERTIES_ADDHOST 131269
+#define HID_KERBEROS_PROPERTIES_ADDRLM 131253
+#define HID_KERBEROS_PROPERTIES_COMMAND 98337
+#define HID_KERBEROS_PROPERTIES_EDIT 131233
+#define HID_KERBEROS_PROPERTIES_EDITDOM 131256
+#define HID_KERBEROS_PROPERTIES_EDITHOST 131271
+#define HID_KERBEROS_PROPERTIES_LISTDOM 131279
+#define HID_KERBEROS_PROPERTIES_LISTRLM 131250
+#define HID_KRB4_PROPERTIES_COMMAND 98329
+#define HID_KRB4_PROPERTIES_EDIT 131232
+#define HID_KRB5_PROPERTIES_COMMAND 98330
+#define HID_KRB5_PROPERTIES_EDIT 131241
+#define HID_KRB5_PROPERTIES_FORWARDING 131240
+#define HID_KRBCHECK_OPTION 98335
+#define HID_LARGE_ICONS_OPTION 98322
+#define HID_LEASH_COMMANDS 131200
+#define HID_LEASH_PROGRAM 98319
+#define HID_LEASH_PROPERTIES_COMMAND 98331
+#define HID_LEASH_PROPERTIES_EDIT 131239
+#define HID_LOW_TICKET_ALARM_OPTION 98334
+#define HID_RESET_WINDOW_OPTION 98326
+#define HID_SCNCHRONIZE_TIME_OPTION 98314
+#define HID_STATUS_BAR_OPTION 124929
+#define HID_TOOLBAR_OPTION 124928
+#define HID_UPDATE_DISPLAY_COMMAND 98316
+#define HID_UPPERCASE_REALM_OPTION 98323
+#define HID_WHY_USE_LEASH32 98341
+#define ID_CHANGEPASSWORD 112
+#define ID_COUNTDOWN 101
+#define ID_DESTROY 111
+#define ID_EXIT 200
+#define ID_HELP_CHOOSE_PASSWORD 2511841056
+#define ID_HELP_KERBEROS 211
+#define ID_HELP_LEASH 210
+#define ID_HELP_PURPOSE 115
+#define ID_INITTICKETS 113
+#define KRB_BAD_NAME 39525457
+#define KRB_BAD_TIME 39525413
+#DEFINE KRB_ERROR_78 39525454
+#define KRB_INCORR_PASSWD 39525438
+#define KRB_NO_TKT_FILE 39525446
+#define KRB_UNKNOWN_REALM 39525433
+#define KRB_UNKNOWN_USER 39525384
+#define LSH_INVINSTANCE 40591875
+
+[INFOTYPES]
--- /dev/null
+#include "out2con.h"
+
+#include <windows.h>
+#include <stdio.h>
+#include <io.h>
+
+class ConsoleEcho
+{
+public:
+ ConsoleEcho();
+ ~ConsoleEcho();
+
+private:
+ DWORD ThreadLoop();
+
+ static DWORD WINAPI ThreadFunc(void* param);
+
+ FILE m_originalStdout;
+ int m_stdoutfd;
+ int m_pipefd;
+ HANDLE m_hReadPipe, m_hWritePipe;
+ HANDLE m_hThread;
+
+ static const int BUFSIZE=512;
+};
+
+
+ConsoleEcho *
+CreateConsoleEcho()
+{
+ return new ConsoleEcho;
+}
+
+void
+DestroyConsoleEcho(ConsoleEcho *echo)
+{
+ delete echo;
+}
+
+
+DWORD WINAPI ConsoleEcho::ThreadFunc(void* param)
+{
+ return ((ConsoleEcho*)(param))->ThreadLoop();
+}
+
+
+DWORD ConsoleEcho::ThreadLoop()
+{
+ DWORD dwRead, dwWritten;
+ CHAR chBuf[BUFSIZE];
+ BOOL bSuccess = FALSE;
+ // Note that the following does not work when running in the msvc2010
+ // debugger with redirected output; you still get the redirected file
+ // handle, not the console:
+ //HANDLE hConsoleStdOut = GetStdHandle(STD_OUTPUT_HANDLE);
+ // This seems to be more reliable:
+ HANDLE hConsoleStdOut = CreateFile("CONOUT$",
+ GENERIC_WRITE,
+ FILE_SHARE_WRITE,
+ NULL, OPEN_EXISTING, 0, 0);
+ for (;;) {
+ // read from redirected stdout
+ bSuccess = ReadFile(m_hReadPipe, chBuf, BUFSIZE, &dwRead, NULL);
+ if (!bSuccess || (dwRead == 0))
+ break;
+
+ // write to console
+ WriteFile(hConsoleStdOut, chBuf, dwRead, &dwWritten, NULL);
+ // also write to original stdout
+ if (m_stdoutfd>=0) {
+ _write(m_stdoutfd, chBuf, dwRead);
+ // _commit() causes assert if m_stdoutfd is a device (e.g., console or NUL).
+ if (!_isatty(m_stdoutfd))
+ _commit(m_stdoutfd);
+ }
+ }
+ CloseHandle(hConsoleStdOut);
+ return 0;
+}
+
+ConsoleEcho::ConsoleEcho()
+{
+ // setup console
+ AllocConsole();
+ // create pipe
+ CreatePipe(&m_hReadPipe, &m_hWritePipe, NULL, 0);
+ // save original stdout to preserve commandline-specified redirection
+ m_stdoutfd = _fileno(stdout);
+ // and copy the whole damn FILE structure so we can restore it
+ // when we're done. I don't know any other way to restore the
+ // crazy windows gui default '-2' filedesc stdout.
+ m_originalStdout = *stdout;
+ // hook up the write end of our pipe to stdout
+ m_pipefd = _open_osfhandle((intptr_t)m_hWritePipe, 0);
+ // take our os file handle and allocate a crt FILE for it
+ FILE* fp = _fdopen(m_pipefd, "w");
+ // copy to stdout
+ *stdout = *fp;
+ // now slam the allocated FILE's _flag to zero to mark it as free without
+ // actually closing the os file handle and pipe
+ fp->_flag = 0;
+
+ // disable buffering
+ setvbuf(stdout, NULL, _IONBF, 0);
+
+ // Create a thread to process our pipe, forwarding output
+ // to both the console and the original stdout
+ m_hThread = CreateThread(NULL, 0, &ThreadFunc, this, 0, NULL);
+}
+
+ConsoleEcho::~ConsoleEcho()
+{
+ // fclose() unfortunately immediately invalidates the read pipe before the
+ // pipe thread has a chance to flush it, so don't do that.
+ //fclose(stdout);
+
+ // instead, just slam the original stdout
+ *stdout = m_originalStdout;
+ //printf("Safe to printf now and no longer echoed to console.\n");
+ // Close write pipe
+ _close(m_pipefd);
+ // and wait here for pipe thread to exit
+ WaitForSingleObject(m_hThread, 1000);
+ // now close read pipe as well
+ CloseHandle(m_hReadPipe);
+}
--- /dev/null
+#ifndef OUT2CON_H
+#define OUT2CON_H
+
+/* Call CreateConsoleEcho() to create a console and begin echoing stdout to it.
+ * The original stream (if any) will still receive output from stdout.
+ * Call DestroyConsoleEcho() to stop echoing stdout to the console.
+ * The original stream continues to receive stdout.
+ *
+ * WARNING: it is not safe to use stdout from another thread during
+ * CreateConsoleEcho() or DestroyConsoleEcho()
+ */
+
+class ConsoleEcho;
+
+ConsoleEcho *
+CreateConsoleEcho();
+
+void
+DestroyConsoleEcho(ConsoleEcho *consoleEcho);
+
+// Convenience class to automatically echo to console within a scope
+class AutoConsoleEcho
+{
+public:
+ AutoConsoleEcho() : m_echo(CreateConsoleEcho())
+ {
+ }
+
+ ~AutoConsoleEcho()
+ {
+ DestroyConsoleEcho(m_echo);
+ }
+private:
+ ConsoleEcho* m_echo;
+};
+
+
+#endif
WINDLLFLAGS = /nologo /dll /incremental:no /release $(LOPTS)
-DEFINES = -DWINSOCK -DWIN32 -DWINDOWS -DNO_KRB4
+DEFINES = -DWINSOCK -DWIN32 -DWINDOWS -DNO_KRB4 -DUSE_MESSAGE_BOX
!ifdef NODEBUG
DEFINES = $(DEFINES)
!else
while (!(code = pkrb5_cc_next_cred(ctx, cache, &KRBv5Cursor, &KRBv5Credentials)))
{
+ if ((*pkrb5_is_config_principal)(ctx, KRBv5Credentials.server))
+ { /* skip configuration credentials */
+ (*pkrb5_free_cred_contents)(ctx, &KRBv5Credentials);
+ continue;
+ }
if (!list)
{
list = (TicketList*) calloc(1, sizeof(TicketList));
krb5_principal me = 0;
char* name = 0;
krb5_creds my_creds;
- krb5_get_init_creds_opt options;
+ krb5_get_init_creds_opt * options = NULL;
krb5_address ** addrs = NULL;
int i = 0, addr_count = 0;
if (!pkrb5_init_context)
return 0;
- pkrb5_get_init_creds_opt_init(&options);
memset(&my_creds, 0, sizeof(my_creds));
if (alt_ctx)
if (code) goto cleanup;
}
+ code = pkrb5_get_init_creds_opt_alloc(ctx, &options);
+ if (code) goto cleanup;
+
code = pkrb5_cc_default(ctx, &cc);
if (code) goto cleanup;
renew_life *= 5*60;
if (lifetime)
- pkrb5_get_init_creds_opt_set_tkt_life(&options, lifetime);
- pkrb5_get_init_creds_opt_set_forwardable(&options,
- forwardable ? 1 : 0);
- pkrb5_get_init_creds_opt_set_proxiable(&options,
- proxiable ? 1 : 0);
- pkrb5_get_init_creds_opt_set_renew_life(&options,
- renew_life);
+ pkrb5_get_init_creds_opt_set_tkt_life(options, lifetime);
+ pkrb5_get_init_creds_opt_set_forwardable(options,
+ forwardable ? 1 : 0);
+ pkrb5_get_init_creds_opt_set_proxiable(options,
+ proxiable ? 1 : 0);
+ pkrb5_get_init_creds_opt_set_renew_life(options,
+ renew_life);
if (addressless)
- pkrb5_get_init_creds_opt_set_address_list(&options,NULL);
+ pkrb5_get_init_creds_opt_set_address_list(options,NULL);
else {
if (publicIP)
{
netIPAddr = htonl(publicIP);
memcpy(addrs[i]->contents,&netIPAddr,4);
- pkrb5_get_init_creds_opt_set_address_list(&options,addrs);
+ pkrb5_get_init_creds_opt_set_address_list(options,addrs);
}
}
+ code = pkrb5_get_init_creds_opt_set_out_ccache(ctx, options, cc);
+ if (code)
+ goto cleanup;
+
code = pkrb5_get_init_creds_password(ctx,
&my_creds,
me,
hParent, // prompter data
0, // start time
0, // service name
- &options);
- if (code) goto cleanup;
-
- code = pkrb5_cc_initialize(ctx, cc, me);
- if (code) goto cleanup;
-
- code = pkrb5_cc_store_cred(ctx, cc, &my_creds);
- if (code) goto cleanup;
-
+ options);
cleanup:
if ( addrs ) {
for ( i=0;i<addr_count;i++ ) {
pkrb5_free_principal(ctx, me);
if (cc)
pkrb5_cc_close(ctx, cc);
+ if (options)
+ pkrb5_get_init_creds_opt_free(ctx, options);
if (ctx && (ctx != alt_ctx))
pkrb5_free_context(ctx);
return(code);
extern HINSTANCE hLeashInst;
size_t maxwidth = 0;
int numlines = 0;
- int len;
+ size_t len;
char * plines[16], *p = preface ? preface : "";
int i;
// krb5 functions
DECL_FUNC_PTR(krb5_change_password);
+DECL_FUNC_PTR(krb5_get_init_creds_opt_alloc);
+DECL_FUNC_PTR(krb5_get_init_creds_opt_free);
DECL_FUNC_PTR(krb5_get_init_creds_opt_init);
DECL_FUNC_PTR(krb5_get_init_creds_opt_set_tkt_life);
DECL_FUNC_PTR(krb5_get_init_creds_opt_set_renew_life);
DECL_FUNC_PTR(krb5_get_init_creds_opt_set_forwardable);
DECL_FUNC_PTR(krb5_get_init_creds_opt_set_proxiable);
DECL_FUNC_PTR(krb5_get_init_creds_opt_set_address_list);
+DECL_FUNC_PTR(krb5_get_init_creds_opt_set_out_ccache);
DECL_FUNC_PTR(krb5_get_init_creds_password);
DECL_FUNC_PTR(krb5_build_principal_ext);
DECL_FUNC_PTR(krb5_cc_resolve);
DECL_FUNC_PTR(krb5_free_default_realm);
DECL_FUNC_PTR(krb5_principal_compare);
DECL_FUNC_PTR(krb5_string_to_deltat);
+DECL_FUNC_PTR(krb5_is_config_principal);
// ComErr functions
DECL_FUNC_PTR(com_err);
FUNC_INFO k5_fi[] = {
MAKE_FUNC_INFO(krb5_change_password),
+ MAKE_FUNC_INFO(krb5_get_init_creds_opt_alloc),
+ MAKE_FUNC_INFO(krb5_get_init_creds_opt_free),
MAKE_FUNC_INFO(krb5_get_init_creds_opt_init),
MAKE_FUNC_INFO(krb5_get_init_creds_opt_set_tkt_life),
MAKE_FUNC_INFO(krb5_get_init_creds_opt_set_renew_life),
MAKE_FUNC_INFO(krb5_get_init_creds_opt_set_forwardable),
MAKE_FUNC_INFO(krb5_get_init_creds_opt_set_proxiable),
MAKE_FUNC_INFO(krb5_get_init_creds_opt_set_address_list),
+ MAKE_FUNC_INFO(krb5_get_init_creds_opt_set_out_ccache),
MAKE_FUNC_INFO(krb5_get_init_creds_password),
MAKE_FUNC_INFO(krb5_build_principal_ext),
MAKE_FUNC_INFO(krb5_cc_resolve),
MAKE_FUNC_INFO(krb5_free_default_realm),
MAKE_FUNC_INFO(krb5_principal_compare),
MAKE_FUNC_INFO(krb5_string_to_deltat),
+ MAKE_FUNC_INFO(krb5_is_config_principal),
END_FUNC_INFO
};
// krb5 functions
extern DECL_FUNC_PTR(krb5_change_password);
+extern DECL_FUNC_PTR(krb5_get_init_creds_opt_alloc);
+extern DECL_FUNC_PTR(krb5_get_init_creds_opt_free);
extern DECL_FUNC_PTR(krb5_get_init_creds_opt_init);
extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_tkt_life);
extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_renew_life);
extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_proxiable);
extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_renew_life);
extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_address_list);
+extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_out_ccache);
extern DECL_FUNC_PTR(krb5_get_init_creds_password);
extern DECL_FUNC_PTR(krb5_build_principal_ext);
extern DECL_FUNC_PTR(krb5_cc_resolve);
extern DECL_FUNC_PTR(krb5_free_default_realm);
extern DECL_FUNC_PTR(krb5_principal_compare);
extern DECL_FUNC_PTR(krb5_string_to_deltat);
+extern DECL_FUNC_PTR(krb5_is_config_principal);
#ifndef NO_KRB4
// Krb524 functions
{
char message[2048];
char *p = message;
- int size = sizeof(message);
+ int size = sizeof(message) - 1; /* -1 to leave room for NULL terminator */
int n;
// XXX: ignore AFS for now.
n = _snprintf(p, size,
"Kerberos 5: %s (error %ld)\n",
perror_message(rc5),
- rc5 & 255 // XXX: & 255??!!!
+ rc5
);
p += n;
size -= n;
size -= n;
}
#ifdef USE_MESSAGE_BOX
+ *p = 0; /* ensure NULL termination of message */
if ( displayMB )
MessageBox(NULL, message, "Leash", MB_OK | MB_ICONERROR | MB_TASKMODAL |
MB_SETFOREGROUND);
char first_part[256];
char second_part[256];
char temp[1024];
+ char* custom_msg;
int count;
int i;
int rc5 = 0;
rcA = rcB;
}
#endif /* NO_AFS */
-
+ custom_msg = (rc5 == KRB5KRB_AP_ERR_BAD_INTEGRITY) ? "Password incorrect" : NULL;
return leash_error_message("Ticket initialization failed.",
- rcL,
- rc5, rcA, 0,
+ rcL, rc5, rcA, custom_msg,
displayErrors);
}
long
Leash_kdestroy(void)
{
+ Leash_afs_unlog();
+ Leash_krb5_kdestroy();
+
return 0;
}
strs++;
GlobalUnlock( hData );
- SendMessage(hLeash, 32810, 0, (LPARAM) hData);
+ /* 32809 = ID_OBTAIN_TGT_WITH_LPARAM in src/windows/leash/resource.h */
+ SendMessage(hLeash, 32809, 0, (LPARAM) hData);
}
}
GlobalFree( hData );
#define K5_DESCRIPTION "Kerberos v5 support - internal support code for " KRB5_PRODUCTNAME_STR
#define K5_INTERNAL_NAME "krb5support\0"
#define K5_FILETYPE VFT_DLL
-#if !defined(_WIN32)
-#error not win32??
+#if defined(_WIN64)
+#define K5_ORIGINAL_NAME "k5sprt64.dll\0"
#else
#define K5_ORIGINAL_NAME "k5sprt32.dll\0"
#endif
#define K5_DESCRIPTION "COM_ERR - Common Error Handler for " KRB5_PRODUCTNAME_STR "\0"
#define K5_INTERNAL_NAME "comerr\0"
#define K5_FILETYPE VFT_DLL
-#if !defined(_WIN32)
-#define K5_ORIGINAL_NAME "comerr16.dll\0"
+#if defined(_WIN64)
+#define K5_ORIGINAL_NAME "comerr64.dll\0"
#else
#define K5_ORIGINAL_NAME "comerr32.dll\0"
#endif
#define K5_DESCRIPTION "PROFILE - Profile Library " KRB5_PRODUCTNAME_STR "\0"
#define K5_INTERNAL_NAME "profile\0"
#define K5_FILETYPE VFT_DLL
-#if !defined(_WIN32)
-#define K5_ORIGINAL_NAME "xpprof16.dll\0"
+#if defined(_WIN64)
+#define K5_ORIGINAL_NAME "xpprof64.dll\0"
#else
#define K5_ORIGINAL_NAME "xpprof32.dll\0"
#endif
#define K5_DESCRIPTION "Kerberos v5 - " KRB5_PRODUCTNAME_STR "\0"
#define K5_INTERNAL_NAME "krb5\0"
#define K5_FILETYPE VFT_DLL
-#if !defined(_WIN32)
-#define K5_ORIGINAL_NAME "krb5_16.dll\0"
+#if defined(_WIN64)
+#define K5_ORIGINAL_NAME "krb5_64.dll\0"
#else
#define K5_ORIGINAL_NAME "krb5_32.dll\0"
#endif
#define K5_DESCRIPTION "GSSAPI - GSS API implementation for Kerberos 5 mechanism\0"
#define K5_INTERNAL_NAME "gssapi\0"
#define K5_FILETYPE VFT_DLL
-#if !defined(_WIN32)
-#define K5_ORIGINAL_NAME "gssapi.dll\0"
+#if defined(_WIN64)
+#define K5_ORIGINAL_NAME "gssapi64.dll\0"
#else
#define K5_ORIGINAL_NAME "gssapi32.dll\0"
#endif
#define K5_DESCRIPTION "Leash32 Kerberos Ticket Manager - " KRB5_PRODUCTNAME_STR "\0"
#define K5_FILETYPE VFT_APP
#define K5_INTERNAL_NAME "LEASH\0"
-#define K5_ORIGINAL_NAME "leash32.exe\0"
+#define K5_ORIGINAL_NAME "leash.exe\0"
#endif
#ifdef LEASHDLL_LIB
#define K5_DESCRIPTION "Leash Helper API - " KRB5_PRODUCTNAME_STR "\0"
#define K5_INTERNAL_NAME "leashw\0"
#define K5_FILETYPE VFT_DLL
-#if !defined(_WIN32)
-#define K5_ORIGINAL_NAME "leashw.dll\0"
+#if defined(_WIN64)
+#define K5_ORIGINAL_NAME "leashw64.dll\0"
#else
#define K5_ORIGINAL_NAME "leashw32.dll\0"
#endif
#define K5_DESCRIPTION "Winsock Helper (wshelper) API - " KRB5_PRODUCTNAME_STR "\0"
#define K5_INTERNAL_NAME "wshelper\0"
#define K5_FILETYPE VFT_DLL
-#if !defined(_WIN32)
-#define K5_ORIGINAL_NAME "wshelper.dll\0"
+#if defined(_WIN64)
+#define K5_ORIGINAL_NAME "wshelper64.dll\0"
#else
#define K5_ORIGINAL_NAME "wshelper32.dll\0"
#endif
projects / krb5.git / commitdiff
