authornectar <nectar@FreeBSD.org>2003-10-09 19:36:20 +0000
committernectar <nectar@FreeBSD.org>2003-10-09 19:36:20 +0000
commit5c90662d441c12cd30c694eb1172d6fea2f8f282 (patch)
treecb08d962a1d1ff9fd191e67849a7057861f42a50 /crypto/heimdal/doc
parent12eb3dee85137da9effa7d2df35e855dd0a3814a (diff)
Vendor import of Heimdal 0.6.
Diffstat (limited to 'crypto/heimdal/doc')
-rw-r--r--crypto/heimdal/doc/Makefile.in27
-rw-r--r--crypto/heimdal/doc/ack.texi4
-rw-r--r--crypto/heimdal/doc/intro.texi8
-rw-r--r--crypto/heimdal/doc/misc.texi68
-rw-r--r--crypto/heimdal/doc/programming.texi4
-rw-r--r--crypto/heimdal/doc/setup.texi63
6 files changed, 149 insertions, 25 deletions
diff --git a/crypto/heimdal/doc/Makefile.in b/crypto/heimdal/doc/Makefile.in
index 43e3c93..9ebf564 100644
--- a/crypto/heimdal/doc/Makefile.in
+++ b/crypto/heimdal/doc/Makefile.in
@@ -18,7 +18,7 @@
# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
-# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $
+# $Id: Makefile.am.common,v 1.37.2.1 2003/05/08 17:08:09 joda Exp $
SHELL = @SHELL@
srcdir = @srcdir@
@@ -114,6 +114,7 @@ LIB_roken = @LIB_roken@
LIB_security = @LIB_security@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
NROFF = @NROFF@
@@ -192,7 +193,7 @@ LIB_readline = @LIB_readline@
NROFF_MAN = groff -mandoc -Tascii
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la
@@ -226,10 +227,10 @@ all: all-am
.SUFFIXES:
.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .dvi .info .ps .texi
-$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4)
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4)
cd $(top_srcdir) && \
$(AUTOMAKE) --foreign doc/Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+Makefile: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.in $(top_builddir)/config.status
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)
mostlyclean-libtool:
@@ -390,7 +391,9 @@ info: info-am
info-am: $(INFO_DEPS)
-install-data-am: install-data-local install-info-am
+install-data-am: install-info-am
+ @$(NORMAL_INSTALL)
+ $(MAKE) $(AM_MAKEFLAGS) install-data-hook
install-exec-am:
@$(NORMAL_INSTALL)
@@ -441,12 +444,12 @@ uninstall-am: uninstall-info-am
clean-generic clean-libtool dist-info distclean \
distclean-generic distclean-libtool distdir dvi dvi-am info \
info-am install install-am install-data install-data-am \
- install-data-local install-exec install-exec-am install-info \
- install-info-am install-man install-strip installcheck \
- installcheck-am installdirs maintainer-clean \
- maintainer-clean-aminfo maintainer-clean-generic mostlyclean \
- mostlyclean-aminfo mostlyclean-generic mostlyclean-libtool \
- uninstall uninstall-am uninstall-info-am
+ install-exec install-exec-am install-info install-info-am \
+ install-man install-strip installcheck installcheck-am \
+ installdirs maintainer-clean maintainer-clean-aminfo \
+ maintainer-clean-generic mostlyclean mostlyclean-aminfo \
+ mostlyclean-generic mostlyclean-libtool uninstall uninstall-am \
+ uninstall-info-am
install-suid-programs:
@@ -572,7 +575,7 @@ dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
install-cat-mans:
$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
-install-data-local: install-cat-mans
+install-data-hook: install-cat-mans
.et.h:
$(COMPILE_ET) $<
diff --git a/crypto/heimdal/doc/ack.texi b/crypto/heimdal/doc/ack.texi
index d28b816..458baa3 100644
--- a/crypto/heimdal/doc/ack.texi
+++ b/crypto/heimdal/doc/ack.texi
@@ -1,4 +1,4 @@
-@c $Id: ack.texi,v 1.15 2002/09/04 01:03:35 assar Exp $
+@c $Id: ack.texi,v 1.16 2003/03/15 14:21:41 lha Exp $
@node Acknowledgments, , Migration, Top
@comment node-name, next, previous, up
@@ -60,6 +60,8 @@ Bugfixes, documentation, encouragement, and code has been contributed by:
@email{rnyberg@@it.su.se}
@item Frank van der Linden
@email{fvdl@@netbsd.org}
+@item Cizzi Storm
+@email{cizzi@@it.su.se}
@item and we hope that those not mentioned here will forgive us.
@end table
diff --git a/crypto/heimdal/doc/intro.texi b/crypto/heimdal/doc/intro.texi
index 6c6ff3a..c190fe2 100644
--- a/crypto/heimdal/doc/intro.texi
+++ b/crypto/heimdal/doc/intro.texi
@@ -1,4 +1,4 @@
-@c $Id: intro.texi,v 1.12 2001/01/28 22:11:22 assar Exp $
+@c $Id: intro.texi,v 1.13 2003/03/15 13:42:16 lha Exp $
@node Introduction, What is Kerberos?, Top, Top
@c @node Introduction, What is Kerberos?, Top, Top
@@ -93,3 +93,9 @@ There are two mailing lists with talk about
Heimdal. @email{heimdal-announce@@sics.se} is a low-volume announcement
list, while @email{heimdal-discuss@@sics.se} is for general discussion.
Send a message to @email{majordomo@@sics.se} to subscribe.
+
+@heading Heimdal source code, binaries and the manual
+
+The source code for heimdal, links to binaries and the manual (this
+document) can be found on our web-page at
+@url{http://www.pdc.kth.se/heimdal/}.
diff --git a/crypto/heimdal/doc/misc.texi b/crypto/heimdal/doc/misc.texi
index 8b3f980..83c2a4a 100644
--- a/crypto/heimdal/doc/misc.texi
+++ b/crypto/heimdal/doc/misc.texi
@@ -1,4 +1,4 @@
-@c $Id: misc.texi,v 1.6 2001/02/24 05:09:24 assar Exp $
+@c $Id: misc.texi,v 1.13 2003/03/30 21:30:59 lha Exp $
@node Things in search for a better place, Kerberos 4 issues, Setting up a realm, Top
@chapter Things in search for a better place
@@ -37,7 +37,7 @@ says that people with `admin' instances should be given `enabled' shells
when logging in.
The numbers after the principal on the `srvtab' line are principal type,
-timestamp (in seconds since 1970), key version number (4), keytype (1 ==
+time stamp (in seconds since 1970), key version number (4), keytype (1 ==
des), key length (always 8 with des), and then the key.
To make the Heimdal KDC produce tickets that the Cisco can decode you
@@ -57,8 +57,70 @@ A working solution would be to hook up a machine with a real operating
system to the console of the Cisco and then use it as a backwards
terminal server.
-@section Making things work on Transarc AFS
+@section Making things work on Transarc/OpenAFS AFS
@subsection How to get a KeyFile
@file{ktutil -k AFSKEYFILE:KeyFile get afs@@MY.REALM}
+
+or you can extract it with kadmin
+
+@example
+kadmin> ext -k AFSKEYFILE:/usr/afs/etc/KeyFile afs@@My.CELL.NAME
+@end example
+
+You have to make sure you have a @code{des-cbc-md5} encryption type since that
+is the key that will be converted.
+
+@subsection How to convert a srvtab to a KeyFile
+
+You need a @file{/usr/vice/etc/ThisCell} containing the cellname of you
+AFS-cell.
+
+@file{ktutil copy krb4:/root/afs-srvtab AFSKEYFILE:/usr/afs/etc/KeyFile}.
+
+If keyfile already exists, this will add the new key in afs-srvtab to
+KeyFile.
+
+@section Using 2b tokens with AFS
+
+@subsection What is 2b ?
+
+2b is the name of the proposal that was implemented to give basic
+Kerberos 5 support to AFS in rxkad. Its not real Kerberos 5 support
+since it still uses fcrypt for data encryption and not Kerberos
+encryption types.
+
+Its only possible (in all cases) to do this for DES encryption types because
+only then the token (the AFS equivalent of a ticket) will be be smaller
+than the maximum size that can fit in the token cache in
+OpenAFS/Transarc client. Its so tight fit that some extra wrapping on the ASN1/DER encoding is removed from the Kerberos ticket.
+
+2b uses a Kerberos 5 EncTicketPart instead of a Kerberos 4 ditto for
+the part of the ticket that is encrypted with the service's key. The
+client doesn't know what's inside the encrypted data so to the client it doesn't matter.
+
+To differentiate between Kerberos 4 tickets and Kerberos 5 tickets 2b
+uses a special kvno, 213 for 2b tokens and 255 for Kerberos 5 tokens.
+
+Its a requirement that all AFS servers that support 2b also support
+native Kerberos 5 in rxkad.
+
+@subsection Configuring Heimdal to use 2b tokens
+
+Support for 2b tokens are turned on for specific principals by adding
+them to the string list option @code{[kdc]use_2b} in the kdc's
+@file{krb5.conf} file.
+
+@example
+[kdc]
+ use_2b = @{
+ afs@@SU.SE = yes
+ afs/it.su.se@@SU.SE = yes
+ @}
+@end example
+
+@subsection Configuring AFS clients
+
+There is no need to configure AFS clients. The only software that
+needs to be installed/upgrade is a Kerberos 5 enabled @file{afslog}.
diff --git a/crypto/heimdal/doc/programming.texi b/crypto/heimdal/doc/programming.texi
index ffcac21..63f0715 100644
--- a/crypto/heimdal/doc/programming.texi
+++ b/crypto/heimdal/doc/programming.texi
@@ -1,4 +1,4 @@
-@c $Id: programming.texi,v 1.2 2001/05/16 22:11:00 assar Exp $
+@c $Id: programming.texi,v 1.2.8.1 2003/04/24 11:55:45 lha Exp $
@node Programming with Kerberos
@chapter Programming with Kerberos
@@ -45,7 +45,7 @@ replay cache, and checksum types.
See the manual page for @manpage{krb5_auth_context,3}.
-@subsection Keytab managment
+@subsection Keytab management
A keytab is a storage for locally stored keys. Heimdal includes keytab
support for Kerberos 5 keytabs, Kerberos 4 srvtab, AFS-KeyFile's,
diff --git a/crypto/heimdal/doc/setup.texi b/crypto/heimdal/doc/setup.texi
index 9cd96e8..c9ed938 100644
--- a/crypto/heimdal/doc/setup.texi
+++ b/crypto/heimdal/doc/setup.texi
@@ -1,4 +1,4 @@
-@c $Id: setup.texi,v 1.25 2001/08/24 05:24:33 assar Exp $
+@c $Id: setup.texi,v 1.27 2003/03/30 21:43:00 lha Exp $
@node Setting up a realm, Things in search for a better place, Building and Installing, Top
@@ -8,6 +8,7 @@
* Configuration file::
* Creating the database::
* keytabs::
+* Serving Kerberos 4/524/kaserver::
* Remote administration::
* Password changing::
* Testing clients and servers::
@@ -165,7 +166,7 @@ krbtgt/MY.REALM@@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ...
kadmin/changepw@@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ...
@end smallexample
-@node keytabs, Remote administration, Creating the database, Setting up a realm
+@node keytabs, Serving Kerberos 4/524/kaserver, Creating the database, Setting up a realm
@section keytabs
To extract a service ticket from the database and put it in a keytab you
@@ -187,7 +188,56 @@ Version Type Principal
1 des3-cbc-sha1 host/my.host.name@@MY.REALM
@end example
-@node Remote administration, Password changing, keytabs, Setting up a realm
+@node Serving Kerberos 4/524/kaserver, Remote administration, keytabs, Setting up a realm
+@section Serving Kerberos 4/524/kaserver
+
+Heimdal can be configured to support 524, Kerberos 4 or kaserver. All
+theses services are default turned off. Kerberos 4 support also
+depends on if Kerberos 4 support is compiled in with heimdal.
+
+@subsection 524
+
+524 is a service that allows the kdc to convert Kerberos 5 tickets to
+Kerberos 4 tickets for backward compatibility. See also Using 2b
+tokens with AFS in @xref{Things in search for a better place}.
+
+524 can be turned on by adding this to the configuration file
+
+@example
+[kdc]
+ enable-524 = yes
+@end example
+
+@subsection Kerberos 4
+
+Kerberos 4 is the predecessor to to Kerberos 5. It only support single
+DES. You should only enable Kerberos 4 support if you have a need for
+for compatibility with an installed base of Kerberos 4 clients/servers.
+
+Kerberos 4 can be turned on by adding this to the configuration file
+
+@example
+[kdc]
+ enable-kerberos4 = yes
+@end example
+
+@subsection kaserver
+
+Kaserver is a Kerberos 4 that is used in AFS, the protocol have some
+features over plain Kerberos 4, but like kerberos 4 only use single
+DES too.
+
+You should only enable Kerberos 4 support if you have a need for for
+compatibility with an installed base of AFS machines.
+
+Kaserver can be turned on by adding this to the configuration file
+
+@example
+[kdc]
+ enable-kaserver = yes
+@end example
+
+@node Remote administration, Password changing, Serving Kerberos 4/524/kaserver, Setting up a realm
@section Remote administration
The administration server, @samp{kadmind}, can be started by
@@ -314,7 +364,7 @@ Every slave needs a keytab with a principal,
@code{propd}, as follows:
@example
-slave# ktutil get -p foo/admin host/`hostname`
+slave# ktutil get -p foo/admin hprop/`hostname`
slave# hpropd
@end example
@@ -434,8 +484,9 @@ Common types of salting includes
@itemize @bullet
@item @code{v4} (or @code{des:pw-salt:})
-The Kerberos 4 salting is using no salt att all. Reson there is colon
-that the end is that
+The Kerberos 4 salting is using no salt att all. Reason there is colon
+that the end or the salt string is that it makes the salt the empty
+string (same as no salt).
@item @code{v5} (or @code{pw-salt})