author | nectar <nectar@FreeBSD.org> | 2003-10-09 19:36:20 +0000 |
committer | nectar <nectar@FreeBSD.org> | 2003-10-09 19:36:20 +0000 |
commit | 5c90662d441c12cd30c694eb1172d6fea2f8f282 (patch) | |
tree | cb08d962a1d1ff9fd191e67849a7057861f42a50 /crypto/heimdal/doc | |
parent | 12eb3dee85137da9effa7d2df35e855dd0a3814a (diff) | |
Vendor import of Heimdal 0.6.
Diffstat (limited to 'crypto/heimdal/doc')
-rw-r--r-- | crypto/heimdal/doc/Makefile.in | 27 | ||||
-rw-r--r-- | crypto/heimdal/doc/ack.texi | 4 | ||||
-rw-r--r-- | crypto/heimdal/doc/intro.texi | 8 | ||||
-rw-r--r-- | crypto/heimdal/doc/misc.texi | 68 | ||||
-rw-r--r-- | crypto/heimdal/doc/programming.texi | 4 | ||||
-rw-r--r-- | crypto/heimdal/doc/setup.texi | 63 |
6 files changed, 149 insertions, 25 deletions
diff --git a/crypto/heimdal/doc/Makefile.in b/crypto/heimdal/doc/Makefile.in
index 43e3c93..9ebf564 100644
--- a/crypto/heimdal/doc/Makefile.in
+++ b/crypto/heimdal/doc/Makefile.in
@@ -18,7 +18,7 @@
 # $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
-# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $
+# $Id: Makefile.am.common,v 1.37.2.1 2003/05/08 17:08:09 joda Exp $
 SHELL = @SHELL@
 srcdir = @srcdir@
@@ -114,6 +114,7 @@ LIB_roken = @LIB_roken@
 LIB_security = @LIB_security@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
 NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
 NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
 NROFF = @NROFF@
@@ -192,7 +193,7 @@ LIB_readline = @LIB_readline@
 NROFF_MAN = groff -mandoc -Tascii
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
 @KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la
@@ -226,10 +227,10 @@ all: all-am
 .SUFFIXES:
 .SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .dvi .info .ps .texi
-$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4)
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4)
 	cd $(top_srcdir) && \
 	$(AUTOMAKE) --foreign doc/Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+Makefile: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.in $(top_builddir)/config.status
 	cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)
 mostlyclean-libtool:
@@ -390,7 +391,9 @@ info: info-am
 info-am: $(INFO_DEPS)
-install-data-am: install-data-local install-info-am
+install-data-am: install-info-am
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
 install-exec-am:
 	@$(NORMAL_INSTALL)
@@ -441,12 +444,12 @@ uninstall-am: uninstall-info-am
 	clean-generic clean-libtool dist-info distclean \
 	distclean-generic distclean-libtool distdir dvi dvi-am info \
 	info-am install install-am install-data install-data-am \
-	install-data-local install-exec install-exec-am install-info \
-	install-info-am install-man install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-aminfo maintainer-clean-generic mostlyclean \
-	mostlyclean-aminfo mostlyclean-generic mostlyclean-libtool \
-	uninstall uninstall-am uninstall-info-am
+	install-exec install-exec-am install-info install-info-am \
+	install-man install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-aminfo \
+	maintainer-clean-generic mostlyclean mostlyclean-aminfo \
+	mostlyclean-generic mostlyclean-libtool uninstall uninstall-am \
+	uninstall-info-am
 install-suid-programs:
@@ -572,7 +575,7 @@ dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
 install-cat-mans:
 	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
-install-data-local: install-cat-mans
+install-data-hook: install-cat-mans
 .et.h:
 	$(COMPILE_ET) $<
diff --git a/crypto/heimdal/doc/ack.texi b/crypto/heimdal/doc/ack.texi
index d28b816..458baa3 100644
--- a/crypto/heimdal/doc/ack.texi
+++ b/crypto/heimdal/doc/ack.texi
@@ -1,4 +1,4 @@
-@c $Id: ack.texi,v 1.15 2002/09/04 01:03:35 assar Exp $
+@c $Id: ack.texi,v 1.16 2003/03/15 14:21:41 lha Exp $
 @node Acknowledgments, , Migration, Top
 @comment node-name, next, previous, up
@@ -60,6 +60,8 @@ Bugfixes, documentation, encouragement, and code has been contributed by:
 @email{rnyberg@@it.su.se}
 @item Frank van der Linden
 @email{fvdl@@netbsd.org}
+@item Cizzi Storm
+@email{cizzi@@it.su.se}
 @item and we hope that those not mentioned here will forgive us.
 @end table
diff --git a/crypto/heimdal/doc/intro.texi b/crypto/heimdal/doc/intro.texi
index 6c6ff3a..c190fe2 100644
--- a/crypto/heimdal/doc/intro.texi
+++ b/crypto/heimdal/doc/intro.texi
@@ -1,4 +1,4 @@
-@c $Id: intro.texi,v 1.12 2001/01/28 22:11:22 assar Exp $
+@c $Id: intro.texi,v 1.13 2003/03/15 13:42:16 lha Exp $
 @node Introduction, What is Kerberos?, Top, Top
 @c @node Introduction, What is Kerberos?, Top, Top
@@ -93,3 +93,9 @@ There are two mailing lists with talk about Heimdal.
 @email{heimdal-announce@@sics.se} is a low-volume announcement list, while @email{heimdal-discuss@@sics.se} is for general discussion. Send a message to @email{majordomo@@sics.se} to subscribe.
+
+@heading Heimdal source code, binaries and the manual
+
+The source code for heimdal, links to binaries and the manual (this
+document) can be found on our web-page at
+@url{http://www.pdc.kth.se/heimdal/}.
diff --git a/crypto/heimdal/doc/misc.texi b/crypto/heimdal/doc/misc.texi
index 8b3f980..83c2a4a 100644
--- a/crypto/heimdal/doc/misc.texi
+++ b/crypto/heimdal/doc/misc.texi
@@ -1,4 +1,4 @@
-@c $Id: misc.texi,v 1.6 2001/02/24 05:09:24 assar Exp $
+@c $Id: misc.texi,v 1.13 2003/03/30 21:30:59 lha Exp $
 @node Things in search for a better place, Kerberos 4 issues, Setting up a realm, Top
 @chapter Things in search for a better place
@@ -37,7 +37,7 @@ says that people with `admin' instances should be given `enabled'
 shells when logging in. The numbers after the principal on the `srvtab' line are principal type,
-timestamp (in seconds since 1970), key version number (4), keytype (1 ==
+time stamp (in seconds since 1970), key version number (4), keytype (1 ==
 des), key length (always 8 with des), and then the key. To make the Heimdal KDC produce tickets that the Cisco can decode you
@@ -57,8 +57,70 @@ A working solution would be to hook up a machine with a real operating
 system to the console of the Cisco and then use it as a backwards terminal server.
-@section Making things work on Transarc AFS
+@section Making things work on Transarc/OpenAFS AFS
 @subsection How to get a KeyFile
 @file{ktutil -k AFSKEYFILE:KeyFile get afs@@MY.REALM}
+
+or you can extract it with kadmin
+
+@example
+kadmin> ext -k AFSKEYFILE:/usr/afs/etc/KeyFile afs@@My.CELL.NAME
+@end example
+
+You have to make sure you have a @code{des-cbc-md5} encryption type since that
+is the key that will be converted.
+
+@subsection How to convert a srvtab to a KeyFile
+
+You need a @file{/usr/vice/etc/ThisCell} containing the cellname of you
+AFS-cell.
+
+@file{ktutil copy krb4:/root/afs-srvtab AFSKEYFILE:/usr/afs/etc/KeyFile}.
+
+If keyfile already exists, this will add the new key in afs-srvtab to
+KeyFile.
+
+@section Using 2b tokens with AFS
+
+@subsection What is 2b ?
+
+2b is the name of the proposal that was implemented to give basic
+Kerberos 5 support to AFS in rxkad. Its not real Kerberos 5 support
+since it still uses fcrypt for data encryption and not Kerberos
+encryption types.
+
+Its only possible (in all cases) to do this for DES encryption types because
+only then the token (the AFS equivalent of a ticket) will be be smaller
+than the maximum size that can fit in the token cache in
+OpenAFS/Transarc client. Its so tight fit that some extra wrapping on the ASN1/DER encoding is removed from the Kerberos ticket.
+
+2b uses a Kerberos 5 EncTicketPart instead of a Kerberos 4 ditto for
+the part of the ticket that is encrypted with the service's key. The
+client doesn't know what's inside the encrypted data so to the client it doesn't matter.
+
+To differentiate between Kerberos 4 tickets and Kerberos 5 tickets 2b
+uses a special kvno, 213 for 2b tokens and 255 for Kerberos 5 tokens.
+
+Its a requirement that all AFS servers that support 2b also support
+native Kerberos 5 in rxkad.
+
+@subsection Configuring Heimdal to use 2b tokens
+
+Support for 2b tokens are turned on for specific principals by adding
+them to the string list option @code{[kdc]use_2b} in the kdc's
+@file{krb5.conf} file.
+
+@example
+[kdc]
+ use_2b = @{
+ afs@@SU.SE = yes
+ afs/it.su.se@@SU.SE = yes
+ @}
+@end example
+
+@subsection Configuring AFS clients
+
+There is no need to configure AFS clients. The only software that
+needs to be installed/upgrade is a Kerberos 5 enabled @file{afslog}.
diff --git a/crypto/heimdal/doc/programming.texi b/crypto/heimdal/doc/programming.texi
index ffcac21..63f0715 100644
--- a/crypto/heimdal/doc/programming.texi
+++ b/crypto/heimdal/doc/programming.texi
@@ -1,4 +1,4 @@
-@c $Id: programming.texi,v 1.2 2001/05/16 22:11:00 assar Exp $
+@c $Id: programming.texi,v 1.2.8.1 2003/04/24 11:55:45 lha Exp $
 @node Programming with Kerberos
 @chapter Programming with Kerberos
@@ -45,7 +45,7 @@ replay cache, and checksum types.
 See the manual page for @manpage{krb5_auth_context,3}.
-@subsection Keytab managment
+@subsection Keytab management
 A keytab is a storage for locally stored keys. Heimdal includes keytab support for Kerberos 5 keytabs, Kerberos 4 srvtab, AFS-KeyFile's,
diff --git a/crypto/heimdal/doc/setup.texi b/crypto/heimdal/doc/setup.texi
index 9cd96e8..c9ed938 100644
--- a/crypto/heimdal/doc/setup.texi
+++ b/crypto/heimdal/doc/setup.texi
@@ -1,4 +1,4 @@
-@c $Id: setup.texi,v 1.25 2001/08/24 05:24:33 assar Exp $
+@c $Id: setup.texi,v 1.27 2003/03/30 21:43:00 lha Exp $
 @node Setting up a realm, Things in search for a better place, Building and Installing, Top
@@ -8,6 +8,7 @@
 * Configuration file::
 * Creating the database::
 * keytabs::
+* Serving Kerberos 4/524/kaserver::
 * Remote administration::
 * Password changing::
 * Testing clients and servers::
@@ -165,7 +166,7 @@ krbtgt/MY.REALM@@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ...
 kadmin/changepw@@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ...
 @end smallexample
-@node keytabs, Remote administration, Creating the database, Setting up a realm
+@node keytabs, Serving Kerberos 4/524/kaserver, Creating the database, Setting up a realm
 @section keytabs
 To extract a service ticket from the database and put it in a keytab you
@@ -187,7 +188,56 @@ Version Type Principal
 1 des3-cbc-sha1 host/my.host.name@@MY.REALM
 @end example
-@node Remote administration, Password changing, keytabs, Setting up a realm
+@node Serving Kerberos 4/524/kaserver, Remote administration, keytabs, Setting up a realm
+@section Serving Kerberos 4/524/kaserver
+
+Heimdal can be configured to support 524, Kerberos 4 or kaserver. All
+theses services are default turned off. Kerberos 4 support also
+depends on if Kerberos 4 support is compiled in with heimdal.
+
+@subsection 524
+
+524 is a service that allows the kdc to convert Kerberos 5 tickets to
+Kerberos 4 tickets for backward compatibility. See also Using 2b
+tokens with AFS in @xref{Things in search for a better place}.
+
+524 can be turned on by adding this to the configuration file
+
+@example
+[kdc]
+ enable-524 = yes
+@end example
+
+@subsection Kerberos 4
+
+Kerberos 4 is the predecessor to to Kerberos 5. It only support single
+DES. You should only enable Kerberos 4 support if you have a need for
+for compatibility with an installed base of Kerberos 4 clients/servers.
+
+Kerberos 4 can be turned on by adding this to the configuration file
+
+@example
+[kdc]
+ enable-kerberos4 = yes
+@end example
+
+@subsection kaserver
+
+Kaserver is a Kerberos 4 that is used in AFS, the protocol have some
+features over plain Kerberos 4, but like kerberos 4 only use single
+DES too.
+
+You should only enable Kerberos 4 support if you have a need for for
+compatibility with an installed base of AFS machines.
+
+Kaserver can be turned on by adding this to the configuration file
+
+@example
+[kdc]
+ enable-kaserver = yes
+@end example
+
+@node Remote administration, Password changing, Serving Kerberos 4/524/kaserver, Setting up a realm
 @section Remote administration
 The administration server, @samp{kadmind}, can be started by
@@ -314,7 +364,7 @@ Every slave needs a keytab with a principal, @code{propd}, as follows:
 @example
-slave# ktutil get -p foo/admin host/`hostname`
+slave# ktutil get -p foo/admin hprop/`hostname`
 slave# hpropd
 @end example
@@ -434,8 +484,9 @@ Common types of salting includes
 @itemize @bullet
 @item @code{v4} (or @code{des:pw-salt:})
-The Kerberos 4 salting is using no salt att all. Reson there is colon
-that the end is that
+The Kerberos 4 salting is using no salt att all. Reason there is colon
+that the end or the salt string is that it makes the salt the empty
+string (same as no salt).
 @item @code{v5} (or @code{pw-salt})