path: root/crypto/kerberosIV/doc
authormarkm <markm@FreeBSD.org>2000-01-09 08:31:47 +0000
committermarkm <markm@FreeBSD.org>2000-01-09 08:31:47 +0000
commit6ae78a53894ebd0e7fee2629853a8646eda38887 (patch)
treed8fa5ae90ea14f0d939383153fc5a1e978bc3127 /crypto/kerberosIV/doc
parent2d96e5dd45a8fbdead16d7a6a28dab5a13054a6c (diff)
parentca616c603d9e06e51c9e23fab7536acbdac58331 (diff)
This commit was generated by cvs2svn to compensate for changes in r55643,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'crypto/kerberosIV/doc')
-rw-r--r--crypto/kerberosIV/doc/Makefile.in18
-rw-r--r--crypto/kerberosIV/doc/ack.texi2
-rw-r--r--crypto/kerberosIV/doc/install.texi116
-rw-r--r--crypto/kerberosIV/doc/problems.texi49
-rw-r--r--crypto/kerberosIV/doc/setup.texi117
5 files changed, 256 insertions, 46 deletions
diff --git a/crypto/kerberosIV/doc/Makefile.in b/crypto/kerberosIV/doc/Makefile.in
index 8241c5d..bbf870e 100644
--- a/crypto/kerberosIV/doc/Makefile.in
+++ b/crypto/kerberosIV/doc/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.18 1998/04/19 08:37:12 assar Exp $
+# $Id: Makefile.in,v 1.19 1999/09/28 12:35:11 assar Exp $
SHELL = /bin/sh
@@ -15,6 +15,16 @@ TEXI2HTML = texi2html
prefix = @prefix@
infodir = @infodir@
+TEXI_SOURCES = ack.texi \
+ index.texi \
+ install.texi \
+ intro.texi \
+ kth-krb.texi \
+ otp.texi \
+ problems.texi \
+ setup.texi \
+ whatis.texi
+
all: info
install: all installdirs
@@ -40,17 +50,17 @@ installdirs:
info: kth-krb.info
-kth-krb.info: kth-krb.texi
+kth-krb.info: $(TEXI_SOURCES)
$(MAKEINFO) --no-split -I$(srcdir) -o $@ $(srcdir)/kth-krb.texi
dvi: kth-krb.dvi
-kth-krb.dvi: kth-krb.texi
+kth-krb.dvi: $(TEXI_SOURCES)
$(TEXI2DVI) $(srcdir)/kth-krb.texi
html: kth-krb.html
-kth-krb.html: kth-krb.texi
+kth-krb.html: $(TEXI_SOURCES)
$(TEXI2HTML) $(srcdir)/kth-krb.texi
clean:
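Review bot: The new TEXI_SOURCES list is a hand-maintained copy of whatever kth-krb.texi pulls in with @include, and nothing in the Makefile ties the two together, so the next chapter added to kth-krb.texi will be picked up by makeinfo but will not make kth-krb.info out of date. A one-line comment above the variable, `# Keep in sync with the @include lines in kth-krb.texi`, would at least point the next maintainer at the coupling. The prerequisites are also bare names (`ack.texi`, `index.texi`, …) while the recipes address `$(srcdir)/kth-krb.texi` explicitly; an out-of-tree build only finds them if VPATH is set to @srcdir@ earlier in the file, which is outside this hunk, and prefixing the list with `$(srcdir)/` would remove that dependence. Files such as intro.texi and otp.texi do not appear in the diffstat, so this presumes they already exist in the tree.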
diff --git a/crypto/kerberosIV/doc/ack.texi b/crypto/kerberosIV/doc/ack.texi
index e5830d0..327220c 100644
--- a/crypto/kerberosIV/doc/ack.texi
+++ b/crypto/kerberosIV/doc/ack.texi
@@ -85,6 +85,8 @@ Bugfixes and code has been contributed by:
@code{<toddr@@rpi.edu>}
@item Åke Sandgren
@code{<ake@@cs.umu.se>}
+@item Thomas Nyström
+@code{<thn@@stacken.kth.se>}
@item and we hope that those not mentioned here will forgive us.
@end table
diff --git a/crypto/kerberosIV/doc/install.texi b/crypto/kerberosIV/doc/install.texi
index b893ae1..26d2abf 100644
--- a/crypto/kerberosIV/doc/install.texi
+++ b/crypto/kerberosIV/doc/install.texi
@@ -15,6 +15,7 @@ from source.
* Installing from source::
* Installing a binary distribution::
* Finishing the installation::
+* .klogin::
* Authentication modules::
@end menu
@@ -59,7 +60,7 @@ Use cracklib for password quality control in
@code{kadmind}. This option requires
@cindex cracklib
cracklib with the patch from
-@code{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}.
+@url{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}.
@item @kbd{--with-dictpath=}@var{dictpath}
This is the dictionary that cracklib should use.
@@ -76,7 +77,7 @@ about socks see @url{http://www.socks.nec.com/}.
@cindex readline
To enable history/line editing in @code{ftp} and @code{kadmin}, any
present version of readline will be used. If you have readline
-installed but in a place where configure does not managed to find it,
+installed but in a place where configure does not manage to find it,
you can use this option. The code also looks for @code{libedit}. If
there is no library at all, the bundled version of @code{editline} will
be used.
@@ -92,12 +93,23 @@ spool directory is located. This directory is only accessed by
@pindex login
@code{login}.
+@item @kbd{--with-hesiod=}@var{dir}
+@cindex Hesiod
+Enable the Hesiod support in
+@pindex push
+@code{push}. With this option, it will try
+to use the hesiod library to locate the mail post-office for the user.
+
@c @item @kbd{--enable-random-mkey}
@c Do not use this option unless you think you know what you are doing.
@item @kbd{--with-mkey=}@var{file}
Put the master key here, the default is @file{/.k}.
+@item @kbd{--with-db-dir=}@var{dir}
+Where the kerberos database should be stored. The default is
+@file{/var/kerberos}.
+
@item @kbd{--without-berkeley-db}
If you have
@cindex Berkeley DB
@@ -108,20 +120,54 @@ since there currently isn't an easy way to convert a dbm database to a
db one (you have to dump the old database and then load it with the new
binaries).
-@item @kbd{--disable-shared-afs}
+@item @kbd{--without-afs-support}
+Do not include AFS support.
+
+@item @kbd{--with-afsws=}@var{dir}
+Where your AFS client installation resides. The default is
+@file{/usr/afsws}.
+
+@item @kbd{--enable-rxkad}
+Build the rxkad library. Normally automatically included if there is AFS.
+
+@item @kbd{--disable-dynamic-afs}
The AFS support in AIX consists of a shared library that is loaded at
runtime. This option disables this, and links with static system
calls. Doing this will make the built binaries crash on a machine that
doesn't have AFS in the kernel (for instance if the AFS module fails to
load at boot).
-@item @kbd{--with-mips-api=api}
+@item @kbd{--with-mips-api=}@var{api}
This option enables creation of different types of binaries on Irix.
The allowed values are @kbd{32}, @kbd{n32}, and @kbd{64}.
@item @kbd{--enable-legacy-kdestroy}
This compile-time option creates a @code{kdestroy} that does not destroy
any AFS tokens.
+
+@item @kbd{--disable-otp}
+Do not build the OTP (@pxref{One-Time Passwords}) library and programs,
+and do not include OTP support in the application programs.
+
+@item @kbd{--enable-match-subdomains}
+Normally, the host @samp{host.domain} will be considered to be part of
+the realm @samp{DOMAIN}. With this option will also enable hosts of the
+form @samp{host.sub.domain}, @samp{host.sub1.sub2.domain}, and so on to
+be considered part of the realm @samp{DOMAIN}.
+
+@item @kbd{--enable-osfc2}
+Enable the use of enhanced C2 security on OSF/1. @xref{Digital SIA}.
+
+@item @kbd{--disable-mmap}
+Do not use the mmap system call. Normally, configure detects if there
+is a working mmap and it is only used if there is one. Only try this
+option if it fails to work anyhow.
+
+@item @kbd{--disable-cat-manpages}
+Do not install preformatted man pages.
+
+@c --with-des-quad-checksum
+
@end table
@node Installing a binary distribution, Finishing the installation, Installing from source, Installing programs
@@ -133,7 +179,7 @@ The binary distribution is supposed to be installed in
recommended. A symlink from @file{/usr/athena} to the install directory
should be fine.
-@node Finishing the installation, Authentication modules, Installing a binary distribution, Installing programs
+@node Finishing the installation, .klogin, Installing a binary distribution, Installing programs
@section Finishing the installation
@pindex su
@@ -236,19 +282,64 @@ ttys. (From Wietse Venema)
@end table
@menu
+* .klogin::
* Authentication modules::
@end menu
-@node Authentication modules, , Finishing the installation, Installing programs
+@node .klogin, Authentication modules, Finishing the installation, Installing programs
+@comment node-name, next, previous, up
+
+Each user can have an authorization file @file{~@var{user}/.klogin}
+@pindex .klogin
+that
+determines what principals can login as that user. It is similar to the
+@file{~user/.rhosts} except that it does not use IP and privileged-port
+based authentication. If this file does not exist, the user herself
+@samp{user@@LOCALREALM} will be allowed to login. Supplementary local
+realms (@pxref{Install the configuration files}) also apply here. If the
+file exists, it should contain the additional principals that are to
+be allowed to login as the local user @var{user}.
+
+This file is consulted by most of the daemons (@code{rlogind},
+@code{rshd}, @code{ftpd}, @code{telnetd}, @code{popper}, @code{kauthd}, and
+@code{kxd})
+@pindex rlogind
+@pindex rshd
+@pindex ftpd
+@pindex telnetd
+@pindex popper
+@pindex kauthd
+@pindex kxd
+to determine if the
+principal requesting a service is allowed to receive it. It is also
+used by
+@pindex su
+@code{su}, which is a good way of keeping an access control list (ACL)
+on who is allowed to become root. Assuming that @file{~root/.klogin}
+contains:
+
+@example
+nisse.root@@FOO.SE
+lisa.root@@FOO.SE
+@end example
+
+both nisse and lisa will be able to su to root by entering the password
+of their root instance. If that fails or if the user is not listed in
+@file{~root/.klogin}, @code{su} falls back to the normal policy of who
+is permitted to su. Also note that that nisse and lisa can login
+with e.g. @code{telnet} as root provided that they have tickets for
+their root instance.
+
+@node Authentication modules, , .klogin, Installing programs
@comment node-name, next, previous, up
@section Authentication modules
The problem of having different authentication mechanisms has been
recognised by several vendors, and several solutions has appeared. In
most cases these solutions involve some kind of shared modules that are
loaded at run-time. Modules for some of these systems can be found in
-@file{lib/auth}. Presently there are modules for Digital's SIA, Linux'
-PAM (might also work on Solaris, when PAM gets supported), and IRIX'
-@code{login} and @code{xdm} (in @file{lib/auth/afskauthlib}).
+@file{lib/auth}. Presently there are modules for Digital's SIA,
+Solaris' and Linux' PAM, and IRIX' @code{login} and @code{xdm} (in
+@file{lib/auth/afskauthlib}).
@menu
* Digital SIA::
@@ -382,9 +473,8 @@ files.
@subsection PAM
The PAM module was written more out of curiosity that anything else. It
-has not been updated for quite a while, since none of us are using
-Linux, and Solaris does not support PAM yet. We've had positive reports
-from at least one person using the module, though.
+has not been updated for quite a while, but it seems to mostly work on
+both Linux and Solaris.
To use this module you should:
@@ -402,5 +492,5 @@ There is currently no support for changing kerberos passwords. Use
kpasswd instead.
See also Derrick J Brashear's @code{<shadow@@dementia.org>} Kerberos PAM
-module at @kbd{ftp://ftp.dementia.org/pub/pam}. It has a lot more
+module at @* @url{ftp://ftp.dementia.org/pub/pam}. It has a lot more
features, and it is also more in line with other PAM modules.
diff --git a/crypto/kerberosIV/doc/problems.texi b/crypto/kerberosIV/doc/problems.texi
index 7713d45..d7a525f 100644
--- a/crypto/kerberosIV/doc/problems.texi
+++ b/crypto/kerberosIV/doc/problems.texi
@@ -23,6 +23,7 @@ datan$ env CC="cc -Ae" ./configure
@end example
@end cartouche
+@cindex GCC
In general @kbd{gcc} works. The following combinations have also been
verified to successfully compile the distribution:
@@ -56,12 +57,23 @@ Some systems have lost @file{/usr/include/ndbm.h} which is necessary to
build krb4 correctly. There is a @file{ndbm.h.Linux} right next to
the source distribution.
+@cindex Linux
There has been reports of non-working @file{libdb} on some Linux
distributions. If that happens, use the @kbd{--without-berkeley-db}
when configuring.
+@subheading SunOS 5 (aka Solaris 2) problems
+
+@cindex SunOS 5
+
+When building shared libraries and using some combinations of GNU gcc/ld
+you better set the environment variable RUN_PATH to /usr/athena/lib
+(your target libdir). If you don't, then you will have to set
+LD_LIBRARY_PATH during runtime and the PAM module will not work.
+
@subheading HP-UX problems
+@cindex HP-UX
The shared library @file{/usr/lib/libndbm.sl} doesn't exist on all
systems. To make problems even worse, there is never an archive version
for static linking either. Therefore, when building ``truly portable''
@@ -73,8 +85,45 @@ are linking against that library.
@kbd{rlogind} won't work on Crays until @code{forkpty()} has been
ported, in the mean time use @kbd{telnetd}.
+@subheading IRIX problems
+
+@cindex IRIX
+
+IRIX has three different ABI:s (Application Binary Interface), there's
+an old 32 bit interface (known as O32, or just 32), a new 32 bit
+interface (N32), and a 64 bit interface (64). O32 and N32 are both 32
+bits, but they have different calling conventions, and alignment
+constraints, and similar. The N32 format is the default format from IRIX
+6.4.
+
+You select ABI at compile time, and you can do this with the
+@samp{--with-mips-abi} configure option. The valid arguments are
+@samp{o32}, @samp{n32}, and @samp{64}, N32 is the default. Libraries for
+the three different ABI:s are normally installed installed in different
+directories (@samp{lib}, @samp{lib32}, and @samp{lib64}). If you want
+more than one set of libraries you have to reconfigure and recompile for
+each ABI, but you should probably install only N32 binaries.
+
+@cindex GCC
+GCC had had some known problems with the different ABI:s. Old GCC could
+only handle O32, newer GCC can handle N32, and 64, but not O32, but in
+some versions of GCC the structure alignment was broken in N32.
+
+This confusion with different ABI:s can cause some trouble. For
+instance, the @file{afskauthlib.so} library has to use the same ABI as
+@file{xdm}, and @file{login}. The easiest way to check what ABI to use
+is to run @samp{file} on @file{/usr/bin/X11/xdm}.
+
+@cindex AFS
+Another problem that you might encounter if you run AFS is that Transarc
+apparently doesn't support the 64-bit ABI, and because of this you can't
+get tokens with a 64 bit application. If you really need to do this,
+there is a kernel module that provides this functionality at
+@url{ftp://ftp.pdc.kth.se/home/joda/irix-afs64.tar.gz}.
+
@subheading AIX problems
+@cindex GCC
@kbd{gcc} version 2.7.2.* has a bug which makes it miscompile
@file{appl/telnet/telnetd/sys_term.c} (and possibily
@file{appl/bsd/forkpty.c}), if used with too much optimization.
diff --git a/crypto/kerberosIV/doc/setup.texi b/crypto/kerberosIV/doc/setup.texi
index 4d2d0ff..24a955d 100644
--- a/crypto/kerberosIV/doc/setup.texi
+++ b/crypto/kerberosIV/doc/setup.texi
@@ -92,7 +92,9 @@ ANOTHER.REALM kerberos.another.realm
@end example
The first line defines the name of the local realm. The next few lines
-optionally defines supplementary local realms. The rest of the file
+optionally defines supplementary local realms.
+@cindex supplementary local realms
+The rest of the file
defines the names of the kerberos servers and the database
administration servers for all known realms. You can define any number
of kerberos slave servers similar to the one defined on line
@@ -111,7 +113,7 @@ support has been added for ports other than the default (750), and
protocols other than UDP.
The formal syntax for an entry is now
-@samp{@var{[proto}/@var{]host[}:@var{port]}}. @var{proto} is either
+@samp{[@var{proto}/]@var{host}[:@var{port}]}. @var{proto} is either
@samp{UDP}, @samp{TCP}, or @samp{HTTP}, and @var{port} is the port to
talk to. Default value for @var{proto} is @samp{UDP} and for @var{port}
whatever @samp{kerberos-iv} is defined to be in @file{/etc/services} or
@@ -145,6 +147,14 @@ server), and then @samp{kerberos-1.@var{REALM}},
@samp{kerberos-2.@var{REALM}}, and so on.
@end enumerate
+SRV records have been supported in BIND since 4.9.5T2A. An example
+would look like the following in the zone file:
+
+@example
+kerberos-iv.udp.foo.se. 1M IN SRV 1 0 750 kerberos-1.foo.se.
+kerberos-iv.udp.foo.se. 1M IN SRV 0 0 750 kerberos.foo.se.
+@end example
+
We strongly recommend that you add a CNAME @samp{kerberos.@var{REALM}}
pointing to your kerberos master server.
@@ -190,31 +200,43 @@ beginning with a hash (#) are ignored.
The currently defined variables are:
@table @samp
-@item krb4_proxy
-@cindex krb4_proxy
-When getting tickets via HTTP, this specifies the proxy to use. The
-default is to speak directly to the KDC.
-@item kdc_time_sync
-@cindex kdc_time_sync
+@item kdc_timeout
+@cindex kdc_timeout
+The time in seconds to wait for an answer from the KDC (the default is 4
+seconds).
+@item kdc_timesync
+@cindex kdc_timesync
This flag enables storing of the time differential to the KDC when
getting an initial ticket. This differential is used later on to compute
the correct time. This can help if your machine doesn't have a working
clock.
-@item kdc_timeout
-@cindex kdc_timeout
-This allows you to change the default (4 seconds) timeout when talking
-to the KDC.
+@item firewall_address
+@cindex firewall_address
+The IP address that hosts outside the firewall see when connecting from
+within the firewall. If this is specified, the code will try to compute
+the value for @samp{reverse_lsb_test}.
+@item krb4_proxy
+@cindex krb4_proxy
+When getting tickets via HTTP, this specifies the proxy to use. The
+default is to speak directly to the KDC.
+@item krb_default_tkt_root
+@cindex krb_default_tkt_root
+The default prefix for ticket files. The default is @file{/tmp/tkt}.
+Normally the uid or tty is appended to this prefix.
+@item krb_default_keyfile
+@cindex krb_default_keyfile
+The file where the server keys are stored, the default is @file{/etc/srvtab}.
+@item nat_in_use
+@cindex nat_in_use
+If the client is behind a Network Address Translator (NAT).
+@cindex Network Address Translator
+@cindex NAT
@item reverse_lsb_test
@cindex reverse_lsb_test
Reverses the test used by @code{krb_mk_safe}, @code{krb_rd_safe},
@code{krb_mk_priv}, and @code{krb_rd_priv} to compute the ordering of
the communicating hosts. This test can cause truble when using
firewalls.
-@item firewall_address
-@cindex firewall_address
-The IP address that hosts outside the firewall see when connecting from
-within the firewall. If this is specified, the code will try to compute
-the value for @samp{reverse_lsb_test}.
@end table
@node Install the /etc/services, Install the kerberos server, Install the configuration files, How to set up the kerberos server
@@ -242,12 +264,15 @@ for the realm @samp{FOO.SE} on a machine called @samp{hemlig.foo.se}.
@subsection Setup the server
Login as root on the console of the kerberos server. Add
-@file{/usr/athena/bin} and @file{/usr/athena/sbin} to your path. Run
+@file{/usr/athena/bin} and @file{/usr/athena/sbin} to your path. Create
+the directory @file{/var/kerberos} (@kbd{mkdir /var/kerberos}), which is
+where the database will be stored. Then, to create the database, run
@kbd{kdb_init}:
@pindex kdb_init
@example
@cartouche
+hemlig# mkdir /var/kerberos
hemlig# kdb_init
Realm name [default FOO.SE ]:
You will be prompted for the database Master Password.
@@ -366,6 +391,8 @@ Principal name: <>
@code{kdb_edit} will loop until you hit the @kbd{return} key at the
``Principal name'' prompt. Now you have added nisse as an administrator.
+@page
+
@node Start the server, Try to get tickets, Add a few important principals, How to set up the kerberos server
@subsection Start the server
@@ -470,7 +497,7 @@ Use the @code{kadmin} client to add users to the database:
@example
@cartouche
-hemlig# kadmin -u nisse.admin -m
+hemlig# kadmin -p nisse.admin -m
Welcome to the Kerberos Administration Program, version 2
Type "help" if you need it.
admin: <add nisse>
@@ -669,11 +696,34 @@ the kerberos server, every service needs to have a shared key with the
kerberos server. The service keys are stored in a file, usually called
@file{/etc/srvtab}. This file should not be readable to anyone but
root, in order to keep the key from being divulged. The name of this principal
-in the kerberos database is usually the service and the host. The key
-for the pop service is called @samp{pop.@var{hostname}}. The one for
-rsh/rlogin/telnet is named @samp{rcmd.@var{hostname}}. (rcmd comes from
-``remote command''). To create these keys you will use the the
-@code{ksrvutil} program. Perform the
+in the kerberos database is usually the service name and the hostname. Examples
+of such principals are @samp{pop.@var{hostname}} and
+@samp{rcmd.@var{hostname}}. (rcmd comes from ``remote command''.) Here
+is a list of the most commonly used srvtab types and what programs use them.
+
+@table @asis
+@item rcmd.@var{hostname}
+rsh, rcp, rlogin, telnet, kauth, su, kx
+@item rcmd.kerberos
+kprop
+@item pop.@var{hostname}
+popper, movemail, push
+@item sample.@var{hostname}
+sample_server, simple_server
+@item changepw.kerberos
+kadmin, kpasswd
+@item krbtgt.@var{realm}
+kerberos (not stored in any srvtab)
+@item ftp.@var{hostname}
+ftp (also tries with rcmd.@var{hostname})
+@item zephyr.zephyr
+Zephyr
+@item afs or afs.@var{cellname}
+Andrew File System
+@end table
+
+To create these keys you will use the the @code{ksrvutil} program.
+Perform the
@pindex ksrvutil
following:
@@ -733,9 +783,7 @@ master server fails. It is possible to have any number of such slave
servers but more than three usually doesn't buy much more redundancy.
First select a good server machine. (@pxref{Choose a kerberos
-server}). Since the master and slave servers will use copies of the same
-database, they need to use the same master key. Add the master key on
-the slave with @code{kstash}. (@pxref{Set up the server})
+server}).
On the master, add a @samp{rcmd.kerberos} (note, it should be literally
``kerberos'') principal (using @samp{ksrvutil get}). The
@@ -760,8 +808,13 @@ that contains the hostnames of your kerberos slave servers.
Start @code{kpropd} with @samp{kpropd -i} on your slave servers.
-On your master server, create a dump of the database with @samp{kdb_util
-slave_dump /var/kerberos/slave_dump}, and then run @code{kprop}.
+On your master server, create a dump of the database and then propagate
+it.
+
+@example
+foo# kdb_util slave_dump /var/kerberos/slave_dump
+foo# kprop
+@end example
You should now have copies of the database on your slave servers. You
can verify this by issuing @samp{kdb_util dump @var{file}} on your
@@ -771,6 +824,10 @@ server. Note that the entries will not be in the same order.
This procedure should be automated with a script run regularly by cron,
for instance once an hour.
+Since the master and slave servers will use copies of the same
+database, they need to use the same master key. Add the master key on
+the slave with @code{kstash}. (@pxref{Set up the server})
+
To start the kerberos server on slaves, you first have to copy the
master key from the master server. You can do this either by remembering
the master password and issuing @samp{kstash}, or you can just copy the
@@ -815,6 +872,8 @@ principals should be @samp{krbtgt.OTHER.REALM} in @samp{MY.REALM}, and
principals should have the same key (and key version number). Remember
to transfer this key in a safe manner. This is all that is required.
+@page
+
@example
@cartouche
blubb$ klist