author: markm <markm@FreeBSD.org> 1997-09-04 06:04:33 +0000
committer: markm <markm@FreeBSD.org> 1997-09-04 06:04:33 +0000
commit: a8a89cfaf983bc64f4b42f7c35209a5a36dd0fe8 (patch)
tree: 0b84977f19022a965f8c6145f067f951173f6290 /crypto/kerberosIV/doc
Initial import of KTH eBones. This has been cleaned up to only include
the "core" Kerberos functionality. The rest of the userland will get their own changes later.
Diffstat (limited to 'crypto/kerberosIV/doc')
-rw-r--r--  crypto/kerberosIV/doc/Makefile.in     65
-rw-r--r--  crypto/kerberosIV/doc/ack.texi        80
-rw-r--r--  crypto/kerberosIV/doc/index.texi       6
-rw-r--r--  crypto/kerberosIV/doc/install.texi   368
-rw-r--r--  crypto/kerberosIV/doc/intro.texi      69
-rw-r--r--  crypto/kerberosIV/doc/kth-krb.texi   300
-rw-r--r--  crypto/kerberosIV/doc/latin1.tex      95
-rw-r--r--  crypto/kerberosIV/doc/otp.texi       127
-rw-r--r--  crypto/kerberosIV/doc/problems.texi  156
-rw-r--r--  crypto/kerberosIV/doc/setup.texi     794
-rw-r--r--  crypto/kerberosIV/doc/whatis.texi    137
11 files changed, 2197 insertions, 0 deletions
diff --git a/crypto/kerberosIV/doc/Makefile.in b/crypto/kerberosIV/doc/Makefile.in
new file mode 100644
index 0000000..5071e8e
--- /dev/null
+++ b/crypto/kerberosIV/doc/Makefile.in
@@ -0,0 +1,65 @@
+# $Id: Makefile.in,v 1.10 1997/05/06 03:05:55 joda Exp $
+
+SHELL = /bin/sh
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+
+INSTALL = @INSTALL@
+INSTALL_DATA = $(INSTALL)
+MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
+MAKEINFO = @MAKEINFO@
+TEXI2DVI = texi2dvi
+TEXI2HTML = texi2html
+
+prefix = @prefix@
+infodir = @infodir@
+
+all: info
+
+install: all installdirs
+ if test -f kth-krb.info; then \
+ $(INSTALL_DATA) kth-krb.info $(infodir)/kth-krb.info; \
+ else \
+ $(INSTALL_DATA) $(srcdir)/kth-krb.info $(infodir)/kth-krb.info; \
+ fi
+ if $(SHELL) -c 'install-info --version' >/dev/null 2>&1; then \
+ install-info --dir-file=$(infodir)/dir $(infodir)/kth-krb.info; \
+ else \
+ true; \
+ fi
+
+uninstall:
+ rm -f $(infodir)/kth-krb.info
+
+installdirs:
+ $(MKINSTALLDIRS) $(infodir)
+
+info: kth-krb.info
+
+kth-krb.info: kth-krb.texi
+ $(MAKEINFO) -I$(srcdir) -o $@ $(srcdir)/kth-krb.texi
+
+dvi: kth-krb.dvi
+
+kth-krb.dvi: kth-krb.texi
+ $(TEXI2DVI) $(srcdir)/kth-krb.texi
+
+html: kth-krb.html
+
+kth-krb.html: kth-krb.texi
+ $(TEXI2HTML) $(srcdir)/kth-krb.texi
+
+clean:
+ rm -f *.aux *.cp *.cps *.dvi *.fn *.ky *.log *.pg *.toc *.tp *.vr
+
+distclean: clean
+
+mostlyclean: clean
+
+maintainer-clean: clean
+ rm -f kth-krb.info
+
+check:
+
+.PHONY: install all installdirs uninstall info dvi html clean check distclean mostlyclean maintainer-clean
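Review bot: the rule `kth-krb.info: kth-krb.texi` (and the matching dvi and html rules) depends only on the top-level file, but kth-krb.texi pulls in intro.texi, whatis.texi, install.texi, setup.texi, otp.texi, problems.texi, ack.texi and index.texi through @include, so editing any of those will not trigger a rebuild. Suggest a shared variable used by all three rules, e.g. `TEXI_SRCS = kth-krb.texi intro.texi whatis.texi install.texi setup.texi otp.texi problems.texi ack.texi index.texi` and `kth-krb.info: $(TEXI_SRCS)`. Smaller points: `clean` removes `*.dvi` but leaves `kth-krb.html` behind; TEXI2DVI and TEXI2HTML are hardcoded while MAKEINFO comes from configure; and `install` copies straight into `$(infodir)` with no DESTDIR support, which packaging will want. The empty `check:` target is fine as a no-op but deserves a one-line comment saying so.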
diff --git a/crypto/kerberosIV/doc/ack.texi b/crypto/kerberosIV/doc/ack.texi
new file mode 100644
index 0000000..388f644
--- /dev/null
+++ b/crypto/kerberosIV/doc/ack.texi
@@ -0,0 +1,80 @@
+@node Acknowledgments, Index, Resolving frequent problems, Top
+@comment node-name, next, previous, up
+@appendix Acknowledgments
+
+People from the MIT Athena project wrote the original code that this is
+based on. @w{Kerberos 4} @w{patch-level 9} was stripped of both the
+encryption functions and the calls to them. This was exported from the
+US as the ``Bones'' release. Eric Young put back the calls and hooked
+in his libdes, thereby creating the ``eBones'' release.
+@cindex Bones
+@cindex eBones
+
+The ``rcmd'' programs where initially developed at the University of
+California at Berkeley and then hacked on by the FreeBSD and NetBSD
+projects.
+
+Berkeley also wrote @code{ftp}, @code{ftpd}, @code{telnet}, and
+@code{telnetd}. The authentication and encryption code of @code{telnet}
+and @code{telnetd} was added by David Borman (then of Cray Research,
+Inc). The encryption code was removed when this was exported and then
+added back by Juha Eskelinen, @code{<esc@@magic.fi>}.
+
+The @code{popper} was also a Berkeley program initially.
+
+The @code{login} has the same origins but has received code written by
+Wietse Venema at Eindhoven University of Technology, The Netherlands.
+
+@code{movemail} was (at least partially) written by Jonathan Kamens,
+@code{<jik@@security.ov.com>}, and is Copyright @copyright{} 1986, 1991,
+1992, 1993, 1994 Free Software Foundation, Inc.
+
+@code{xnlock} was originally written by Dan Heller in 1985 for sunview.
+The X version was written by him in 1990.
+
+Some of the functions in @file{libroken} also come from Berkeley by the
+way of NetBSD/FreeBSD.
+
+The code to handle the dynamic loading of the AFS module for AIX is
+copyright @copyright{} 1992 HELIOS Software GmbH 30159 Hannover,
+Germany.
+
+@code{editline} was written by Simmule Turner and Rich Salz.
+
+Bugfixes and code has been contributed by:
+@table @asis
+@item Derrick J Brashear
+@code{<shadow@@dementia.org>}
+@item Anders Gertz
+@code{<gertz@@lysator.liu.se>}
+@item Dejan Ilic
+@code{<svedja@@lysator.liu.se>}
+@item Kent Engström
+@code{<kent@@lysator.liu.se>}
+@item Simon Josefsson
+@code{<jas@@pdc.kth.se>}
+@item Robert Malmgren
+@code{<rom@@incolumitas.se>}
+@item Fredrik Ljungberg
+@code{<flag@@it.kth.se>}
+@item Lars Malinowsky
+@code{<lama@@pdc.kth.se>}
+@item Fabien Coelho
+@code{<coelho@@cri.ensmp.fr>}
+@item and we hope that those not mentioned here will forgive us.
+@end table
+
+Ian Marsh @code{<ianm@@sics.se>} removed the worst abuses of the English
+language from this text.
+
+Ilja Hallberg @code{<iha@@incolumitas.se>} is still promising to help us
+finish the documentation.
+
+This work was supported in part by SUNET and the Centre for Parallel
+Computers at KTH.
+
+The port to Windows 95/NT was supported by the Computer Council at KTH
+and done by Jörgen Karlsson @code{<d93-jka@@nada.kth.se>}.
+
+All the bugs were introduced by ourselves.
+
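Review bot: "The ``rcmd'' programs where initially developed" should read "were initially developed", and "Bugfixes and code has been contributed by" should be "have been contributed by". The final `@item and we hope that those not mentioned here will forgive us.` is a whole sentence used as a table label with no body; it reads better as a plain paragraph after `@end table`.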
diff --git a/crypto/kerberosIV/doc/index.texi b/crypto/kerberosIV/doc/index.texi
new file mode 100644
index 0000000..ebe5d91
--- /dev/null
+++ b/crypto/kerberosIV/doc/index.texi
@@ -0,0 +1,6 @@
+@node Index, , Acknowledgments, Top
+@comment node-name, next, previous, up
+@unnumbered Index
+
+@printindex cp
+
diff --git a/crypto/kerberosIV/doc/install.texi b/crypto/kerberosIV/doc/install.texi
new file mode 100644
index 0000000..240c04e
--- /dev/null
+++ b/crypto/kerberosIV/doc/install.texi
@@ -0,0 +1,368 @@
+@node Installing programs, How to set up a realm, What is Kerberos?, Top
+@chapter Installing programs
+
+You have a choise to either build the distribution from source code or
+to install binaries, if they are available for your machine.
+
+@c XXX
+
+We recommend building from sources, but using pre-compiled binaries
+might be easier. If there are no binaries available for your machine or
+you want to do some specific configuration, you will have to compile
+from source.
+
+@menu
+* Installing from source::
+* Installing a binary distribution::
+* Finishing the installation::
+* Authentication modules::
+@end menu
+
+@node Installing from source, Installing a binary distribution, Installing programs, Installing programs
+@comment node-name, next, previous, up
+@section Installing from source
+
+To build this software un-tar the distribution and run the
+@code{configure} script.
+
+To compile successfully, you will need an ANSI C compiler, such as
+@code{gcc}. Other compilers might also work, but setting the ``ANSI
+compliance'' too high, might break in parts of the code, not to mention
+the standard include files.
+
+To build in a separate build tree, run @code{configure} in the directory
+where the tree should reside. You will need a Make that understands
+VPATH correctly. GNU Make works fine.
+
+After building everything (which will take anywhere from a few minutes
+to a long time), you can install everything in @file{/usr/athena} with
+@kbd{make install} (running as root). It is possible to install in some
+other place, but it isn't recommended. To do this you will have to run
+@code{configure} with @samp{--prefix=/my/path}.
+
+If you need to change the default behavior, configure understands the
+following options:
+
+@table @asis
+@item @kbd{--with-shared}
+Create shared versions of the Kerberos libraries. Not really
+recommended and might not work on all systems.
+
+@item @kbd{--with-cracklib=}@var{dir}
+Use cracklib for password quality control in
+@pindex kadmind
+@code{kadmind}. This option requires
+@cindex cracklib
+cracklib with the patch from
+@code{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}.
+
+@item @kbd{--with-dictpath=}@var{dictpath}
+This is the dictionary that cracklib should use.
+
+@item @kbd{--with-socks=}@var{dir}
+@cindex firewall
+@cindex socks
+If you have to traverse a firewall and it uses the SocksV5 protocol
+(@cite{RFC 1928}), you can build with socks-support. Point @var{dir} to
+the directory where you have socks5 installed. For more information
+about socks see @kbd{http://www.socks.nec.com/}.
+
+@item @kbd{--with-readline=}@var{dir}
+@cindex readline
+To enable history/line editing in @code{ftp} and @code{kadmin}, any
+present version of readline will be used. If you have readline
+installed but in a place where configure does not managed to find it,
+you can use this option. The code also looks for @code{libedit}. If
+there is no library at all, the bundled version of @code{editline} will
+be used.
+
+@item @kbd{--with-mailspool=}@var{dir}
+The configuration process tries to determine where your machine stores
+its incoming mail. This is typically @file{/usr/spool/mail} or
+@file{/var/mail}. If it does not work or you store your mail in some
+unusual directory, this option can be used to specify where the mail
+spool directory is located. This directory is only accessed by
+@pindex popper
+@code{popper}, and the mail check in
+@pindex login
+@code{login}.
+
+@c @item @kbd{--enable-random-mkey}
+@c Do not use this option unless you think you know what you are doing.
+
+@item @kbd{--with-mkey=}@var{file}
+Put the master key here, the default is @file{/.k}.
+
+@item @kbd{--without-berkeley-db}
+If you have
+@cindex Berkeley DB
+Berkeley DB installed, it is preferred over
+@c XXX
+dbm. If you already are running Kerberos this option might be useful,
+since there currently isn't an easy way to convert a dbm database to a
+db one (you have to dump the old database and then load it with the new
+binaries).
+@end table
+
+@node Installing a binary distribution, Finishing the installation, Installing from source, Installing programs
+@comment node-name, next, previous, up
+@section Installing a binary distribution
+
+The binary distribution is supposed to be installed in
+@file{/usr/athena}, installing in some other place may work but is not
+recommended. A symlink from @file{/usr/athena} to the install directory
+should be fine.
+
+@node Finishing the installation, Authentication modules, Installing a binary distribution, Installing programs
+@section Finishing the installation
+
+@pindex su
+The only program that needs to be installed setuid to root is @code{su}.
+
+If
+@pindex rlogin
+@pindex rsh
+@code{rlogin} and @code{rsh} are setuid to root they will fall back to
+non-kerberised protocols if the kerberised ones fail for some
+reason. The old protocols use reserved ports as security, and therefore
+the programs have to be setuid to root. If you don't need this
+functionality consider turning off the setuid bit.
+
+@pindex login
+@code{login} does not have to be setuid, as it is always run by root
+(users should use @code{su} rather than @code{login}). It will print a
+helpful message when not setuid to root and run by a user.
+
+The programs intended to be run by users are located in
+@file{/usr/athena/bin}. Inform your users to include
+@file{/usr/athena/bin} in their paths, or copy or symlink the binaries
+to some good place. The programs that you will want to use are:
+@code{kauth}/@code{kinit},
+@pindex kauth
+@pindex kinit
+@code{klist}, @code{kdestroy}, @code{kpasswd}, @code{ftp},
+@pindex klist
+@pindex kdestroy
+@pindex kpasswd
+@pindex ftp
+@code{telnet}, @code{rcp}, @code{rsh}, @code{rlogin}, @code{su},
+@pindex telnet
+@pindex rcp
+@pindex rsh
+@pindex rlogin
+@pindex su
+@pindex xnlock
+@pindex afslog
+@pindex pagsh
+@pindex rxtelnet
+@pindex tenletxr
+@pindex rxterm
+@code{rxtelnet}, @code{tenletxr}, @code{rxterm}, and
+@code{xnlock}. If you are using AFS, @code{afslog} and @code{pagsh}
+might also be useful. Administrators will want to use @code{kadmin} and
+@code{ksrvutil}, which are located in @file{/usr/athena/sbin}.
+@pindex kadmin
+@pindex ksrvutil
+
+@code{telnetd} and @code{rlogind} assume that @code{login} is located in
+@file{/usr/athena/bin} (or whatever path you used as
+@samp{--prefix}). If for some reason you want to move @code{login}, you
+will have to specify the new location with the @samp{-L} switch when
+configuring
+@pindex telnetd
+telnetd
+and
+@pindex rlogind
+rlogind
+in @file{inetd.conf}.
+
+It should be possible to replace the system's default @code{login} with
+the kerberised @code{login}. However some systems assume that login
+performs some serious amount of magic that our login might not do (although
+we've tried to do our best). So before replacing it on every machine,
+try and see what happens. Another thing to try is to use one of the
+authentication modules (@xref{Authentication modules}) supplied.
+
+The @code{login} program that we use was in an earlier life the standard
+login program from NetBSD. In order to use it with a lot of weird
+systems, it has been ``enhanced'' with features from many other logins
+(Solaris, SunOS, IRIX, AIX, and others). Some of these features are
+actually useful and you might want to use them even on other systems.
+
+@table @file
+@item /etc/fbtab
+@pindex fbtab
+@itemx /etc/logindevperm
+@pindex logindevperm
+Allows you to chown some devices when a user logs in on a certain
+terminal. Commonly used to change the ownership of @file{/dev/mouse},
+@file{/dev/kbd}, and other devices when someone logs in on
+@file{/dev/console}.
+
+@file{/etc/fbtab} is the SunOS file name and it is tried first. If
+there is no such file then the Solaris file name
+@file{/etc/logindevperm} is tried.
+@item /etc/environment
+@pindex environment
+This file specifies what environment variables should be set when a user
+logs in. (AIX-style)
+@item /etc/default/login
+@pindex default/login
+Almost the same as @file{/etc/environment}, but the System V style.
+@item /etc/login.access
+@pindex login.access
+Can be used to control who is allowed to login from where and on what
+ttys. (From Wietse Venema)
+@end table
+
+@menu
+* Authentication modules::
+@end menu
+
+@node Authentication modules, , Finishing the installation, Installing programs
+@comment node-name, next, previous, up
+@section Authentication modules
+The problem of having different authentication mechanisms has been
+recognised by several vendors, and several solutions has appeared. In
+most cases these solutions involve some kind of shared modules that are
+loaded at run-time. Modules for some of these systems can be found in
+@file{lib/auth}. Presently there are modules for Digital's SIA, Linux'
+PAM (might also work on Solaris, when PAM gets supported), and IRIX'
+@code{login} and @code{xdm} (in @file{lib/auth/afskauthlib}).
+
+@menu
+* Digital SIA::
+* IRIX::
+* PAM::
+@end menu
+
+@node Digital SIA, IRIX, Authentication modules, Authentication modules
+@subsection Digital SIA
+
+To install the SIA module you will have to do the following:
+
+@itemize @bullet
+
+@item
+Make sure @file{libsia_krb4.so} is available in
+@file{/usr/athena/lib}. If @file{/usr/athena} is not on local disk, you
+might want to put it in @file{/usr/shlib} or someplace else. If you do,
+you'll have to edit @file{krb4_matrix.conf} to reflect the new location
+(you will also have to do this if you installed in some other directory
+than @file{/usr/athena}).
+@item
+Copy (your possibly edited) @file{krb4_matrix.conf} to @file{/etc/sia}.
+@item
+Apply @file{security.patch} to @file{/sbin/init.d/security}.
+@item
+Turn on KRB4 security by issuing @kbd{rcmgr set SECURITY KRB4} and
+@kbd{rcmgr set KRB4_MATRIX_CONF krb4_matrix.conf}.
+@item
+Digital thinks you should reboot your machine, but that really shouldn't
+be necessary. It's usually sufficient just to run
+@kbd{/sbin/init.d/security start}.
+@end itemize
+
+Users with local passwords (like @samp{root}) should be able to login
+safely.
+
+When using Digital's xdm the @samp{KRBTKFILE} environment variable isn't
+passed along as it should (since xdm zaps the environment). Instead you
+have to set @samp{KRBTKFILE} to the correct value in
+@file{/usr/lib/X11/xdm/Xsession}. Add a line similar to
+@example
+KRBTKFILE=/tmp/tkt`id -u`_`ps -o ppid= -p $$`; export KRBTKFILE
+@end example
+
+There is currently no support for changing passwords. Use @file{kpasswd}
+instead.
+
+@subsubheading Notes to users with Enhanced security
+
+Digital's @samp{ENHANCED} (C2) security, and Kerberos solves two
+different problems. C2 deals with local security, adds better control of
+who can do what, auditing, and similar things. Kerberos deals with
+network security.
+
+To make C2 security work with Kerberos you will have to do the
+following.
+
+@itemize @bullet
+@item
+Replace all occurencies of @file{krb4_matrix.conf} with
+@file{krb4+c2_matrix.conf} in the directions above.
+@item
+You must enable ``vouching'' in the @samp{default} database. This will
+make the OSFC2 module trust other SIA modules, so you can login without
+giving your C2 password. To do this use @samp{edauth} to edit the
+default entry @kbd{/usr/tcb/bin/edauth -dd default}, and add a
+@samp{d_accept_alternate_vouching} capability, if not already present.
+@item
+For each user that does @emph{not} have a local C2 password, you should
+set the password expiration field to zero. You can do this for each
+user, or in the @samp{default} table. To to this use @samp{edauth} to
+set (or change) the @samp{u_exp} capability to @samp{u_exp#0}.
+@item
+You should make sure that you use Digital's login rather than the one
+distributed by us. The easiest way to do this is to replace
+@file{/usr/athena/bin/login} with @file{/bin/login}.
+@end itemize
+
+At present @samp{su} does not accept the vouching flag, so it will not
+work as expected.
+
+Also, kerberised ftp will not work with C2 passwords. You can solve this
+by using both Digital's ftpd and our on different ports.
+
+@strong{Remember}, if you do these changes you will get a system that
+most certainly does @emph{not} fulfill the requirements of a C2
+system. If C2 is what you want, for instance if someone else is forcing
+you to use it, you're out of luck. If you use enhanced security because
+you want a system that is more secure than it would otherwise be, you
+probably got an even more secure system. Passwords will not be sent in
+the clear, for instance.
+
+@node IRIX, PAM, Digital SIA, Authentication modules
+@subsection IRIX
+
+The IRIX support is a module that is compatible with Transarc's
+@file{afskauthlib.so}. It should work with all programs that use this
+library, this should include @file{login} and @file{xdm}.
+
+The interface is not very documented but it seems that you have to copy
+@file{libkafs.so}, @file{libkrb.so}, and @file{libdes.so} to
+@file{/usr/lib}, or build your @file{afskauthlib.so} statically.
+
+The @file{afskauthlib.so} itself is able to reside in
+@file{/usr/vice/etc}, @file{/usr/afsws/lib}, or the current directory
+(wherever that is).
+
+Appart from this it should ``just work'', there are no configuration
+files.
+
+@node PAM, , IRIX, Authentication modules
+@subsection PAM
+
+The PAM module was written more out of curiosity that anything else. It
+has not been updated for quite a while, since none of us are using
+Linux, and Solaris does not support PAM yet. We've had positive reports
+from at least one person using the module, though.
+
+To use this module you should:
+
+@itemize @bullet
+@item
+Make sure @file{pam_krb4.so} is available in @file{/usr/athena/lib}. You
+might actually want it on local disk, so @file{/lib/security} might be a
+better place if @file{/usr/athena} is not local.
+@item
+Look at @file{pam.conf.add} for examples of what to add to
+@file{/etc/pam.conf}.
+@end itemize
+
+There is currently no support for changing kerberos passwords. Use
+kpasswd instead.
+
+See also Derrick J Brashear's @code{<shadow@@dementia.org>} Kerberos PAM
+module at @kbd{ftp://ftp.dementia.org/pub/pam}. It has a lot more
+features, and it is also more in line with other PAM modules.
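Review bot: the node structure is inconsistent: `Authentication modules` is declared as a section of `Installing programs` (`@node Authentication modules, , Finishing the installation, Installing programs`) and listed in the chapter @menu, yet a second @menu at the end of `Finishing the installation` lists it again as if it were a subsection. Either drop that second @menu or make the node a @subsection with `Finishing the installation` as its up-node; makeinfo will otherwise complain about the mismatch. Spelling in this file: "choise" -> "choice", "does not managed" -> "does not manage", "occurencies" -> "occurrences", "Appart" -> "Apart", "curiosity that anything else" -> "curiosity than anything else", "Digital's ftpd and our on different ports" -> "ours". On the setuid paragraph: the advice to clear the setuid bit on `rlogin` and `rsh` when the reserved-port fallback is not needed is the important operational point here, since with the bit set a failed Kerberos exchange falls back to the host-based reserved-port protocol without any user-visible warning; the text could state that downgrade consequence explicitly rather than leaving it implied.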
diff --git a/crypto/kerberosIV/doc/intro.texi b/crypto/kerberosIV/doc/intro.texi
new file mode 100644
index 0000000..830ca1a
--- /dev/null
+++ b/crypto/kerberosIV/doc/intro.texi
@@ -0,0 +1,69 @@
+@node Introduction, What is Kerberos?, Top, Top
+@comment node-name, next, previous, up
+@chapter Introduction
+
+This is an attempt at documenting the Kerberos 4 distribution from
+Kungliga Tekniska Högskolan (the Royal Institute of Technology in
+Stockholm, Sweden). This distribution is based on eBones, but has been
+improved in many ways. It is more portable, and several new features
+have been added. It currently runs on the following systems:
+
+@itemize @bullet
+@item
+AIX 4.1, 4.2
+@item
+BSD/OS 2.0, 2.1
+@item
+Digital UNIX 3.2, 4.0
+@item
+HP-UX 9, 10
+@item
+IRIX 4.0, 5.2, 5.3, 6.1, 6.2, 6.3, 6.4
+@item
+Linux 1.3, 2.0
+@item
+NetBSD 1.2
+@item
+FreeBSD 2.2
+@item
+SunOS 4.1
+@item
+SunOS 5.4/5.5 (aka Solaris 2.4/2.5)
+@item
+Ultrix 4.4
+@item
+Cray UNICOS 9.
+@item
+Fujitsu UXP/V 4.1.
+@end itemize
+
+Some part compile and work on:
+
+@itemize @bullet
+@item
+OS/2 with EMX
+@item
+Windows 95/NT with gnu-win32 (with the proper amount of magic the
+libraries should compile with Microsoft C as well)
+@end itemize
+
+It should work on anything that is almost POSIX, has an ANSI C
+compiler, a dbm library (for the server side), and BSD Sockets.
+
+A web-page is available at @kbd{http://www.pdc.kth.se/kth-krb/}.
+
+@heading Bug reports
+
+If you cannot build the programs or they do not behave as you think they
+should, please send us a bug report. The bug report should be sent to
+@code{<kth-krb-bugs@@nada.kth.se>}. Please include information on what
+machine and operating system (including version) you are running, what
+you are trying to do, what happens, what you think should have happened,
+an example for us to repeat, the output you get when trying the example,
+and a patch for the problem if you have one. Please make any patches
+with @code{diff -u} or @code{diff -c}. The more detailed the bug report
+is, the easier it will be for us to reproduce, understand, and fix it.
+
+Suggestions, comments and other non bug reports are welcome. Send them
+to @code{<kth-krb@@nada.kth.se>}.
+
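Review bot: "Some part compile and work on" should be "Some parts compile and work on", and "non bug reports" should be hyphenated as "non-bug reports". The supported-systems list mixes items with a trailing period ("Cray UNICOS 9.", "Fujitsu UXP/V 4.1.") with items that have none; make them consistent.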
diff --git a/crypto/kerberosIV/doc/kth-krb.texi b/crypto/kerberosIV/doc/kth-krb.texi
new file mode 100644
index 0000000..8b26349
--- /dev/null
+++ b/crypto/kerberosIV/doc/kth-krb.texi
@@ -0,0 +1,300 @@
+\input texinfo @c -*- texinfo -*-
+@c %**start of header
+@c $Id: kth-krb.texi,v 1.71 1997/05/25 21:31:00 assar Exp $
+@setfilename kth-krb.info
+@settitle KTH-KRB
+@iftex
+@afourpaper
+@end iftex
+@c some sensible characters, please?
+@tex
+\input latin1.tex
+@end tex
+@setchapternewpage on
+@syncodeindex pg cp
+@c %**end of header
+
+@dircategory Kerberos
+@direntry
+* Kth-krb: (kth-krb). The Kerberos IV distribution from KTH
+@end direntry
+
+@c title page
+@titlepage
+@title KTH-KRB
+@subtitle Kerberos 4 from KTH
+@subtitle Edition -1.0, for version 0.9.5
+@subtitle 1997
+@author Johan Danielsson
+@author Assar Westerlund
+@author last updated $Date: 1997/05/25 21:31:00 $
+
+@def@copynext{@vskip 20pt plus 1fil@penalty-1000}
+@def@copyrightstart{}
+@def@copyrightend{}
+@page
+@copyrightstart
+Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+(Royal Institute of Technology, Stockholm, Sweden).
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+3. All advertising materials mentioning features or use of this software
+ must display the following acknowledgement:
+ This product includes software developed by the Kungliga Tekniska
+ Högskolan and its contributors.
+
+4. Neither the name of the Institute nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+@copynext
+
+Copyright (C) 1995 Eric Young (eay@@mincom.oz.au)
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the copyright
+ notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+3. All advertising materials mentioning features or use of this software
+ must display the following acknowledgement:
+ This product includes software developed by Eric Young (eay@@mincom.oz.au)
+
+THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+@copynext
+
+Copyright (c) 1983, 1990 The Regents of the University of California.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+3. All advertising materials mentioning features or use of this software
+ must display the following acknowledgement:
+ This product includes software developed by the University of
+ California, Berkeley and its contributors.
+
+4. Neither the name of the University nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+@copynext
+
+Copyright (C) 1990 by the Massachusetts Institute of Technology
+
+Export of this software from the United States of America is assumed
+to require a specific license from the United States Government.
+It is the responsibility of any person or organization contemplating
+export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission. M.I.T. makes no representations about the suitability of
+this software for any purpose. It is provided "as is" without express
+or implied warranty.
+
+@copynext
+
+Copyright 1987, 1989 by the Student Information Processing Board
+ of the Massachusetts Institute of Technology
+
+Permission to use, copy, modify, and distribute this software
+and its documentation for any purpose and without fee is
+hereby granted, provided that the above copyright notice
+appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation,
+and that the names of M.I.T. and the M.I.T. S.I.P.B. not be
+used in advertising or publicity pertaining to distribution
+of the software without specific, written prior permission.
+M.I.T. and the M.I.T. S.I.P.B. make no representations about
+the suitability of this software for any purpose. It is
+provided "as is" without express or implied warranty.
+
+@copynext
+
+Copyright 1992 Simmule Turner and Rich Salz. All rights reserved.
+
+This software is not subject to any license of the American Telephone
+and Telegraph Company or of the Regents of the University of California.
+
+Permission is granted to anyone to use this software for any purpose on
+any computer system, and to alter it and redistribute it freely, subject
+to the following restrictions:
+
+1. The authors are not responsible for the consequences of use of this
+ software, no matter how awful, even if they arise from flaws in it.
+
+2. The origin of this software must not be misrepresented, either by
+ explicit claim or by omission. Since few users ever read sources,
+ credits must appear in the documentation.
+
+3. Altered versions must be plainly marked as such, and must not be
+ misrepresented as being the original software. Since few users
+ ever read sources, credits must appear in the documentation.
+
+4. This notice may not be removed or altered.
+
+@copyrightend
+@end titlepage
+
+@c Less filling! Tastes great!
+@iftex
+@parindent=0pt
+@global@parskip 6pt plus 1pt
+@global@chapheadingskip = 15pt plus 4pt minus 2pt
+@global@secheadingskip = 12pt plus 3pt minus 2pt
+@global@subsecheadingskip = 9pt plus 2pt minus 2pt
+@end iftex
+@ifinfo
+@paragraphindent 0
+@end ifinfo
+
+@ifinfo
+@node Top, Introduction, (dir), (dir)
+@top KTH-krb
+@end ifinfo
+
+@menu
+* Introduction::
+* What is Kerberos?::
+* Installing programs::
+* How to set up a realm::
+* One-Time Passwords::
+* Resolving frequent problems::
+* Acknowledgments::
+* Index::
+
+ --- The Detailed Node Listing ---
+
+Installing programs
+
+* Installing from source::
+* Installing a binary distribution::
+* Finishing the installation::
+* Authentication modules::
+
+Finishing the installation
+
+* Authentication modules::
+
+Authentication modules
+
+* Digital SIA::
+* IRIX::
+* PAM::
+
+How to set up a realm
+
+* How to set up the kerberos server::
+* Install the client programs::
+* Install the kerberised services::
+* Install a slave kerberos server::
+* Cross-realm functionality ::
+
+How to set up the kerberos server
+
+* Choose a realm name::
+* Choose a kerberos server::
+* Install the configuration files::
+* Install the /etc/services::
+* Install the kerberos server::
+* Set up the server::
+* Add a few important principals::
+* Start the server::
+* Try to get tickets::
+* Create initial ACL for the admin server::
+* Start the admin server::
+* Add users to the database::
+* Automate the startup of the servers::
+
+One-Time Passwords
+
+* What are one time passwords?::
+* When to use one time passwords?::
+* Configuring OTPs::
+
+Resolving frequent problems
+
+* Problems compiling Kerberos::
+* Common error messages::
+@end menu
+
+@include intro.texi
+@include whatis.texi
+@include install.texi
+@include setup.texi
+@include otp.texi
+@include problems.texi
+@include ack.texi
+@include index.texi
+
+@c @shortcontents
+@contents
+
+@bye
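Review bot: the detailed node listing puts `* Authentication modules::` under both `Installing programs` and `Finishing the installation` (and then lists its own submenu), so the node appears in two menus; Texinfo expects each node to be listed in exactly one menu, so drop the entry from whichever listing does not match the `@menu` in install.texi. Also `* Cross-realm functionality ::` carries a space before the `::`; write it as `* Cross-realm functionality::` so the menu entry matches the `@node` name verbatim.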
diff --git a/crypto/kerberosIV/doc/latin1.tex b/crypto/kerberosIV/doc/latin1.tex
new file mode 100644
index 0000000..e683dd2
--- /dev/null
+++ b/crypto/kerberosIV/doc/latin1.tex
@@ -0,0 +1,95 @@
+% ISO Latin 1 (ISO 8859/1) encoding for Computer Modern fonts.
+% Jan Michael Rynning <jmr@nada.kth.se> 1990-10-12
+\def\inmathmode#1{\relax\ifmmode#1\else$#1$\fi}
+\global\catcode`\^^a0=\active \global\let^^a0=~ % no-break space
+\global\catcode`\^^a1=\active \global\def^^a1{!`} % inverted exclamation mark
+\global\catcode`\^^a2=\active \global\def^^a2{{\rm\rlap/c}} % cent sign
+\global\catcode`\^^a3=\active \global\def^^a3{{\it\$}} % pound sign
+% currency sign, yen sign, broken bar
+\global\catcode`\^^a7=\active \global\let^^a7=\S % section sign
+\global\catcode`\^^a8=\active \global\def^^a8{\"{}} % diaeresis
+\global\catcode`\^^a9=\active \global\let^^a9=\copyright % copyright sign
+% feminine ordinal indicator, left angle quotation mark
+\global\catcode`\^^ac=\active \global\def^^ac{\inmathmode\neg}% not sign
+\global\catcode`\^^ad=\active \global\let^^ad=\- % soft hyphen
+% registered trade mark sign
+\global\catcode`\^^af=\active \global\def^^af{\={}} % macron
+% ...
+\global\catcode`\^^b1=\active \global\def^^b1{\inmathmode\pm} % plus minus
+\global\catcode`\^^b2=\active \global\def^^b2{\inmathmode{{^2}}}
+\global\catcode`\^^b3=\active \global\def^^b3{\inmathmode{{^3}}}
+\global\catcode`\^^b4=\active \global\def^^b4{\'{}} % acute accent
+\global\catcode`\^^b5=\active \global\def^^b5{\inmathmode\mu} % mu
+\global\catcode`\^^b6=\active \global\let^^b6=\P % pilcroy
+\global\catcode`\^^b7=\active \global\def^^b7{\inmathmode{{\cdot}}}
+\global\catcode`\^^b8=\active \global\def^^b8{\c{}} % cedilla
+\global\catcode`\^^b9=\active \global\def^^b9{\inmathmode{{^1}}}
+% ...
+\global\catcode`\^^bc=\active \global\def^^bc{\inmathmode{{1\over4}}}
+\global\catcode`\^^bd=\active \global\def^^bd{\inmathmode{{1\over2}}}
+\global\catcode`\^^be=\active \global\def^^be{\inmathmode{{3\over4}}}
+\global\catcode`\^^bf=\active \global\def^^bf{?`} % inverted question mark
+\global\catcode`\^^c0=\active \global\def^^c0{\`A}
+\global\catcode`\^^c1=\active \global\def^^c1{\'A}
+\global\catcode`\^^c2=\active \global\def^^c2{\^A}
+\global\catcode`\^^c3=\active \global\def^^c3{\~A}
+\global\catcode`\^^c4=\active \global\def^^c4{\"A} % capital a with diaeresis
+\global\catcode`\^^c5=\active \global\let^^c5=\AA % capital a with ring above
+\global\catcode`\^^c6=\active \global\let^^c6=\AE
+\global\catcode`\^^c7=\active \global\def^^c7{\c C}
+\global\catcode`\^^c8=\active \global\def^^c8{\`E}
+\global\catcode`\^^c9=\active \global\def^^c9{\'E}
+\global\catcode`\^^ca=\active \global\def^^ca{\^E}
+\global\catcode`\^^cb=\active \global\def^^cb{\"E}
+\global\catcode`\^^cc=\active \global\def^^cc{\`I}
+\global\catcode`\^^cd=\active \global\def^^cd{\'I}
+\global\catcode`\^^ce=\active \global\def^^ce{\^I}
+\global\catcode`\^^cf=\active \global\def^^cf{\"I}
+% capital eth
+\global\catcode`\^^d1=\active \global\def^^d1{\~N}
+\global\catcode`\^^d2=\active \global\def^^d2{\`O}
+\global\catcode`\^^d3=\active \global\def^^d3{\'O}
+\global\catcode`\^^d4=\active \global\def^^d4{\^O}
+\global\catcode`\^^d5=\active \global\def^^d5{\~O}
+\global\catcode`\^^d6=\active \global\def^^d6{\"O} % capital o with diaeresis
+\global\catcode`\^^d7=\active \global\def^^d7{\inmathmode\times}% multiplication sign
+\global\catcode`\^^d8=\active \global\let^^d8=\O
+\global\catcode`\^^d9=\active \global\def^^d9{\`U}
+\global\catcode`\^^da=\active \global\def^^da{\'U}
+\global\catcode`\^^db=\active \global\def^^db{\^U}
+\global\catcode`\^^dc=\active \global\def^^dc{\"U}
+\global\catcode`\^^dd=\active \global\def^^dd{\'Y}
+% capital thorn
+\global\catcode`\^^df=\active \global\def^^df{\ss}
+\global\catcode`\^^e0=\active \global\def^^e0{\`a}
+\global\catcode`\^^e1=\active \global\def^^e1{\'a}
+\global\catcode`\^^e2=\active \global\def^^e2{\^a}
+\global\catcode`\^^e3=\active \global\def^^e3{\~a}
+\global\catcode`\^^e4=\active \global\def^^e4{\"a} % small a with diaeresis
+\global\catcode`\^^e5=\active \global\let^^e5=\aa % small a with ring above
+\global\catcode`\^^e6=\active \global\let^^e6=\ae
+\global\catcode`\^^e7=\active \global\def^^e7{\c c}
+\global\catcode`\^^e8=\active \global\def^^e8{\`e}
+\global\catcode`\^^e9=\active \global\def^^e9{\'e}
+\global\catcode`\^^ea=\active \global\def^^ea{\^e}
+\global\catcode`\^^eb=\active \global\def^^eb{\"e}
+\global\catcode`\^^ec=\active \global\def^^ec{\`\i}
+\global\catcode`\^^ed=\active \global\def^^ed{\'\i}
+\global\catcode`\^^ee=\active \global\def^^ee{\^\i}
+\global\catcode`\^^ef=\active \global\def^^ef{\"\i}
+% small eth
+\global\catcode`\^^f1=\active \global\def^^f1{\~n}
+\global\catcode`\^^f2=\active \global\def^^f2{\`o}
+\global\catcode`\^^f3=\active \global\def^^f3{\'o}
+\global\catcode`\^^f4=\active \global\def^^f4{\^o}
+\global\catcode`\^^f5=\active \global\def^^f5{\~o}
+\global\catcode`\^^f6=\active \global\def^^f6{\"o} % small o with diaeresis
+\global\catcode`\^^f7=\active \global\def^^f7{\inmathmode\div}% division sign
+\global\catcode`\^^f8=\active \global\let^^f8=\o
+\global\catcode`\^^f9=\active \global\def^^f9{\`u}
+\global\catcode`\^^fa=\active \global\def^^fa{\'u}
+\global\catcode`\^^fb=\active \global\def^^fb{\^u}
+\global\catcode`\^^fc=\active \global\def^^fc{\"u}
+\global\catcode`\^^fd=\active \global\def^^fd{\'y}
+% capital thorn
+\global\catcode`\^^ff=\active \global\def^^ff{\"y}
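Review bot: the placeholder comment just before the 0xFF line reads `% capital thorn`, but the undefined code point there is 0xFE, which in ISO 8859-1 is small thorn (capital thorn, 0xDE, already has its placeholder above the 0xDF line); fix the comment so anyone filling in the missing definitions later maps it to the right glyph. Also `% pilcroy` on the 0xB6 line should read `% pilcrow`.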
diff --git a/crypto/kerberosIV/doc/otp.texi b/crypto/kerberosIV/doc/otp.texi
new file mode 100644
index 0000000..0a5929f
--- /dev/null
+++ b/crypto/kerberosIV/doc/otp.texi
@@ -0,0 +1,127 @@
+@node One-Time Passwords, Resolving frequent problems, How to set up a realm, Top
+@chapter One-Time Passwords
+
+@cindex OTP
+@cindex One time passwords
+There is also support for using @dfn{one time passwords} (OTP) in this
+package. Specifically @code{login}, @code{ftpd}, and @code{popper} have
+support for using them.
+
+@menu
+* What are one time passwords?::
+* When to use one time passwords?::
+* Configuring OTPs::
+@end menu
+
+@node What are one time passwords?, When to use one time passwords?, One-Time Passwords, One-Time Passwords
+@comment node-name, next, previous, up
+@section What are one time passwords?
+
+One time passwords are, as the name implies, passwords that can only
+be used once. This means that even if someone is eavesdropping on the
+network, they will not be able to make use of the passwords they steal.
+
+The OTPs used in this package support @cite{RFC 1938}. This standard is
+also backwards compatible with the well-known S/Key. There are lots of
+programs for generating these on everything from HP 48's to Crays.
+@cindex S/Key
+
+@node When to use one time passwords?, Configuring OTPs, What are one time passwords?, One-Time Passwords
+@comment node-name, next, previous, up
+@section When to use one time passwords?
+
+Why would you want to use OTPs instead of Kerberos? The advantage of
+OTPs is that they don't require a computer to operate. You can print
+out a list of passwords and take with you, or you could use your
+calculator or hand-held computer to generate them.
+
+The downside is that they only protect you against passive attacks.
+Only the initial connection is authenticated. After that, anyone can
+eavesdrop on your session, so you should not send or view any sensitive
+data (e.g. passwords) over a OTP-initiated link. You are also
+vulnerable to active attacks where intruders try to take over your
+TCP-session and/or introduce data in the middle of it. In other words,
+they provide initial authentication, but neither integrity nor
+confidentiality.
+
+The OTPs are generated from the tuple (@var{seed}, @var{sequence
+number}, @var{pass-phrase}). The seed and the sequence number will be
+printed as part of the @dfn{challenge} and you will have to generate the
+corresponding password or pick it from a list.
+
+In conclusion, they are simple and can be used everywhere but don't
+protect against all threats that Kerberos does. Use them when you can't
+use Kerberos.
+
+@node Configuring OTPs, , When to use one time passwords?, One-Time Passwords
+@comment node-name, next, previous, up
+@section Configuring OTPs
+
+@heading Initializing
+
+To initialize your OTPs use the @code{otp} program. This program will
+write an entry in a local file on this host with your current password
+(in this case the 100th) and the corresponding seed (@samp{foobar}).
+@pindex otp
+
+@example
+@cartouche
+datan:>otp 100 foobar
+Pass-phrase: <pass-phrase>
+Verifying password Pass-phrase: <pass-phrase>
+@end cartouche
+@end example
+
+@heading Generating
+
+To print out a list of them there is a program called
+@code{otpprint}.
+@pindex otpprint
+
+@example
+@cartouche
+datan:>otpprint 100 foobar
+Pass-phrase: <pass-phrase>
+91: SLAM BUY SUP DUSK SKY BEST
+92: DEEM SIGH ROB RASH JUG MAT
+93: DUET FISK HERS AREA TOLL SUP
+94: WOW RAIN LEAK SARA MARK WING
+95: COG YELL MILK CART ABE BAWL
+96: GROW SILK GIST OMEN CAM ANNE
+97: JAG QUAD NUT BEAT BHOY MAGI
+98: ADAM USED GENE NIP EYE SIS
+99: MY SUNG HERO AT DASH RAKE
+100: CORN KNIT BOTH TOGO SOUL BOG
+@end cartouche
+@end example
+
+@heading Using the OTPs
+
+When you try to use one and have initialized a series of
+one-time passwords for yourself you will get a challenge with the
+algorithm being used, the sequence number, and the seed. Enter those in
+your generator or find the corresponding password in your list.
+
+@example
+@cartouche
+login: assar
+assar's [ otp-md5 99 foobar ] Password: <MY SUNG HERO AT DASH RAKE>
+@end cartouche
+@end example
+
+The sequence number of the password will start at one less that the
+number you gave to @code{otp} and decrease by one every time you use it.
+You should try to keep track of which should be the current one so that
+you can be assured that nobody has stolen some of your passwords and
+used them. When the number has reached zero you need to acquire a new
+series of passwords.
+
+Once you have initialized your series of passwords, you can always use
+them at any password prompt where you get the challenge as shown above.
+
+@heading Configuring servers
+
+@code{ftpd}, @code{telnetd}, and @code{popper} can be configured to
+require one-time passwords when the connection has not been kerberos
+authenticated. Check the man pages for these programs for the correct
+options.
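Review bot: grammar slips in the user-facing text: `take with you` should be `take it with you`, `a OTP-initiated link` should be `an OTP-initiated link`, and `one less that the number` should be `one less than the number`. Under Initializing, `write an entry in a local file on this host with your current password (in this case the 100th)` is worth making explicit: what is stored is the 100th one-time password, the value the next login's response is checked against, and never the pass-phrase itself, since a reader may otherwise assume the pass-phrase ends up on the host. The advice under Using the OTPs to track the current sequence number is the only way a user notices that entries from a printed list have been used by someone else, so it deserves a sentence in the Generating section as well, next to the printed list.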
diff --git a/crypto/kerberosIV/doc/problems.texi b/crypto/kerberosIV/doc/problems.texi
new file mode 100644
index 0000000..9e3630e
--- /dev/null
+++ b/crypto/kerberosIV/doc/problems.texi
@@ -0,0 +1,156 @@
+@node Resolving frequent problems, Acknowledgments, One-Time Passwords, Top
+@chapter Resolving frequent problems
+
+@menu
+* Problems compiling Kerberos::
+* Common error messages::
+@end menu
+
+@node Problems compiling Kerberos, Common error messages, Resolving frequent problems, Resolving frequent problems
+@section Problems compiling Kerberos
+
+Many compilers require a switch to become ANSI compliant. Since kth-krb
+is written in ANSI C it is necessary to specify the name of the compiler
+to be used and the required switch to make it ANSI compliant. This is
+most easily done when running configure using the @kbd{env} command. For
+instance to build under HP-UX using the native compiler do:
+
+@cartouche
+@example
+datan$ env CC="cc -Ae" ./configure
+@end example
+@end cartouche
+
+In general @kbd{gcc} works. The following combinations have also been
+verified to successfully compile the distribution:
+
+@table @asis
+
+@item @samp{HP-UX}
+@kbd{cc -Ae}
+@item @samp{Digital UNIX}
+@kbd{cc -std1}
+@item @samp{AIX}
+@kbd{xlc}
+@item @samp{Solaris 2.x}
+@kbd{cc} (unbundled one)
+@item @samp{IRIX}
+@kbd{cc}
+
+@end table
+
+@subheading Linux problems
+
+Some systems have lost @file{/usr/include/ndbm.h} which is necessary to
+build kth-krb correctly. There is a @file{ndbm.h.Linux} right next to
+the source distribution.
+
+There has been reports of non-working @file{libdb} on some Linux
+distributions. If that happens, use the @kbd{--without-berkeley-db}
+when configuring.
+
+@subheading HP-UX problems
+
+The shared library @file{/usr/lib/libndbm.sl} doesn't exist on all
+systems. To make problems even worse, there is never an archive version
+for static linking either. Therefore, when building ``truly portable''
+binaries first install GNU gdbm or Berkeley DB, and make sure that you
+are linking against that library.
+
+@subheading Cray problems
+
+@kbd{rlogind} won't work on Crays until @code{forkpty()} has been
+ported, in the mean time use @kbd{telnetd}.
+
+@subheading AIX problems
+
+@kbd{gcc} version 2.7.2.1 has a bug which makes it miscompile
+@file{appl/telnet/telnetd/sys_term.c} (and possibily
+@file{appl/bsd/forkpty.c}), if used with too much optimization.
+
+@subheading C2 problems
+
+@cindex C2
+The programs that checks passwords works with @file{passwd}, OTP, and
+Kerberos paswords. This is problem if you use C2 security (or use some
+other password database), that normally keeps passwords in some obscure
+place. If you want to use Kerberos with C2 security you will have to
+think about what kind of changes are necessary. See also the discussion
+about Digital's SIA and C2 security, see @ref{Digital SIA}.
+
+@node Common error messages, , Problems compiling Kerberos, Resolving frequent problems
+@section Common error messages
+
+These are some of the more obscure error messages you might encounter:
+
+@table @asis
+
+@item @samp{Time is out of bounds}
+
+The time on your machine differs from the time on either the kerberos
+server or the machine you are trying to login to. If it isn't obvious
+that this is the case, remember that all times are compared in UTC.
+
+On unix systems you usually can find out what the local time is by doing
+@code{telnet machine daytime}. This time (again, usually is the keyword)
+is with correction for time-zone and daylight savings.
+
+If you have problem keeping your clocks synchronized, consider using a
+time keeping system such as NTP (see also the discussion in
+@ref{Install the client programs}).
+
+@item @samp{Ticket issue date too far in the future}
+
+The time on the kerberos server is more than five minutes ahead of the
+time on the server.
+
+@item @samp{Can't decode authenticator}
+
+This means that there is a mismatch between the service key in the
+kerberos server and the service key file on the specific machine.
+Either:
+@itemize @bullet
+@item
+the server couldn't find a service key matching the request
+@item
+the service key (or version number) does not match the key the packet
+was encrypted with
+@end itemize
+
+@item @samp{Incorrect network address}
+
+The address in the ticket does not match the address you sent the
+request from. This happens on systems with more than one network
+address, either physically or logically. You can list addresses which
+should be considered equal in @file{/etc/krb.equiv} on your servers.
+
+A note to programmers: a server should not pass @samp{*} as the instance
+to @samp{krb_rd_req}. It should try to figure out on which interface the
+request was received, for instance by using @samp{k_getsockinst}.
+
+If you change addresses on your computer you invalidate any tickets you
+might have. The easiest way to fix this is to get new tickets with the
+new address.
+
+@item @samp{Message integrity error}
+
+The packet is broken in some way:
+@itemize @bullet
+@item
+the lengths does not match the size of the packet, or
+@item
+the checksum does not match the contents of the packet
+@end itemize
+
+@item @samp{Can't send request}
+There is some problem contacting the kerberos server. Either the server
+is down, or it is using the wrong port (compare the entries for
+@samp{kerberos-iv} in @file{/etc/services}). The client might also have
+failed to guess what kerberos server to talk to (check
+@file{/etc/krb.conf} and @file{/etc/krb.realms}).
+
+@item @samp{Generic kerberos error}
+This is a generic catch-all error message.
+
+@end table
+
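Review bot: the entry for `Ticket issue date too far in the future` says the kerberos server is more than five minutes ahead of the time on `the server`, which reads as the same machine; presumably the second one is the host receiving the ticket (the client or application server), so name it. Grammar fixes in the same file: `There has been reports` -> `There have been reports`; `use the @kbd{--without-berkeley-db} when configuring` is missing the word `option`; `possibily` -> `possibly`; `The programs that checks passwords works` -> `The programs that check passwords work`; `paswords` -> `passwords`; `This is problem` -> `This is a problem`; `See also the discussion about Digital's SIA and C2 security, see @ref{Digital SIA}` has a doubled `see`; and `the lengths does not match` -> `the lengths do not match`.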
diff --git a/crypto/kerberosIV/doc/setup.texi b/crypto/kerberosIV/doc/setup.texi
new file mode 100644
index 0000000..1b4b395
--- /dev/null
+++ b/crypto/kerberosIV/doc/setup.texi
@@ -0,0 +1,794 @@
+@node How to set up a realm, One-Time Passwords, Installing programs, Top
+@chapter How to set up a realm
+
+@quotation
+@flushleft
+ Who willed you? or whose will stands but mine?
+ There's none protector of the realm but I.
+ Break up the gates, I'll be your warrantize.
+ Shall I be flouted thus by dunghill grooms?
+ --- King Henry VI, 6.1
+@end flushleft
+@end quotation
+
+@menu
+* How to set up the kerberos server::
+* Install the client programs::
+* Install the kerberised services::
+* Install a slave kerberos server::
+* Cross-realm functionality ::
+@end menu
+
+@node How to set up the kerberos server, Install the client programs, How to set up a realm, How to set up a realm
+@section How to set up the kerberos server
+
+@menu
+* Choose a realm name::
+* Choose a kerberos server::
+* Install the configuration files::
+* Install the /etc/services::
+* Install the kerberos server::
+* Set up the server::
+* Add a few important principals::
+* Start the server::
+* Try to get tickets::
+* Create initial ACL for the admin server::
+* Start the admin server::
+* Add users to the database::
+* Automate the startup of the servers::
+@end menu
+
+@node Choose a realm name, Choose a kerberos server, How to set up the kerberos server, How to set up the kerberos server
+@subsection Choose a realm name
+
+A
+@cindex realm
+realm is an administrative domain. Kerberos realms are usually
+written in uppercase and consist of a Internet domain
+name@footnote{Using lowercase characters in the realm name might break
+in mysterious ways. This really should have been fixed, but has not.}.
+Call your realm the same as your Internet domain name if you do not have
+strong reasons for not doing so. It will make life easier for you and
+everyone else.
+
+@node Choose a kerberos server, Install the configuration files, Choose a realm name, How to set up the kerberos server
+@subsection Choose a kerberos server
+
+You need to choose a machine to run the
+@pindex kerberos
+kerberos server program. If the kerberos database residing on this host
+is compromised, your entire realm will be compromised. Therefore, this
+machine must be as secure as possible. Preferably it should not run any
+services other than Kerberos. The secure-minded administrator might
+only allow logins on the console.
+
+This machine has also to be reliable. If it is down, you will not be
+able to use any kerberised services unless you have also configured a
+slave server (@xref{Install a slave kerberos server}).
+
+Running the kerberos server requires very little CPU power and a small
+amount of disk. An old PC with some hundreds of megabytes of free disk
+space should do fine. Most of the disk space will be used for various
+logs.
+
+@node Install the configuration files, Install the /etc/services, Choose a kerberos server, How to set up the kerberos server
+@subsection Install the configuration files
+
+There are two important configuration files: @file{/etc/krb.conf} and
+@file{/etc/krb.realms}.
+@pindex krb.conf
+@pindex krb.realms
+
+The @file{krb.conf} file determines which machines are servers for
+different realms. The format of this file is:
+
+@example
+THIS.REALM
+THIS.REALM kerberos.this.realm admin server
+THIS.REALM kerberos-1.this.realm
+ANOTHER.REALM kerberos.another.realm
+@end example
+
+The first line defines the name of the local realm. Line two defines the
+name of the master kerberos server and the database administration
+server for this realm. You can define any number of kerberos slave
+servers similar to the one defined in line three. The clients will try
+to contact the servers in the order they are defined in @file{krb.conf}.
+
+The @samp{admin server} clause at the first entry states that this is
+the master server
+@cindex master server
+(the one to contact when modifying the database, such as changing
+passwords). There should be only one such entry for each realm.
+
+In the original MIT Kerberos 4 (as in most others), the server
+specification could only take the form of a host-name. To facilitate
+having kerberos servers in odd places (such as behind a firewall),
+support has been added for ports other than the default (750), and
+protocols other than UDP.
+
+The formal syntax for an entry is now
+@samp{@var{[proto}/@var{]host[}:@var{port]}}. @var{proto} is either
+@samp{udp} or @samp{tcp}, and @var{port} is the port to talk to. Default
+value for @var{proto} is @samp{udp} and for @var{port} whatever
+@samp{kerberos-iv} is defined to be in @file{/etc/services} or 750 if
+undefined.
+
+If the information about a realm is missing from the @file{krb.conf}
+file, or if the information is wrong, the following methods will be
+tried in order.
+
+@enumerate
+@item
+If you have an SRV-record (@cite{RFC 2052}) for your realm it will be
+used. This record should be of the form
+@samp{kerberos-iv.@var{protocol}.@var{REALM}}, where @var{proto} is
+either @samp{udp} or @samp{tcp}. (Note: the current implementation does
+not look at priority or weight when deciding which server to talk to.)
+@item
+If there isn't any SRV-record, it tries to find a TXT-record for the
+same domain. The contents of the record should have the same format as the
+host specification in @file{krb.conf}. (Note: this is a temporary
+solution if your name server doesn't support SRV records. The clients
+should work fine with SRV records, so if your name server supports them,
+they are very much preferred.)
+@item
+If no valid kerberos server is found, it will try to talk udp to the
+service @samp{kerberos-iv} with fall-back to port 750 with
+@samp{kerberos.@var{REALM}} (which is also assumed to be the master
+server), and then @samp{kerberos-1.@var{REALM}},
+@samp{kerberos-2.@var{REALM}}, and so on.
+@end enumerate
+
+We strongly recommend that you add a CNAME @samp{kerberos.@var{REALM}}
+pointing to your kerberos master server.
+
+The @file{krb.realms} file is used to find out what realm a particular
+host belongs to. An example of this file could look like:
+
+@example
+this.realm THIS.REALM
+.this.realm THIS.REALM
+foo.com SOME.OTHER.REALM
+www.foo.com A.STRANGE.REALM
+.foo.com FOO.REALM
+@end example
+
+Entries starting with a dot are taken as the name of a domain. Entries
+not starting with a dot are taken as a host-name. The first entry matched
+is used. The entry for @samp{this.realm} is only necessary if there is a
+host named @samp{this.realm}.
+
+If no matching realm is found in @file{krb.realms}, DNS is searched for
+the correct realm. For example, if we are looking for host @samp{a.b.c},
+@samp{krb4-realm.a.b.c} is first tried and then @samp{krb4-realm.b.c}
+and so on. The entry should be a TXT record containing the name of the
+realm, such as:
+
+@example
+krb4-realm.pdc.kth.se. 7200 TXT "NADA.KTH.SE"
+@end example
+
+If this didn't help the domain name sans the first part in uppercase is
+tried.
+
+The plain vanilla version of Kerberos doesn't have any fancy methods of
+getting realms and servers so it is generally a good idea to keep
+@file{krb.conf} and @file{krb.realms} up to date.
+
+@node Install the /etc/services, Install the kerberos server, Install the configuration files, How to set up the kerberos server
+@subsection Updating /etc/services
+
+You should append or merge the contents of @file{services.append} to
+your @file{/etc/services} files or NIS-map. Remove any unused factory
+installed kerberos port definitions to avoid possible conflicts.
+@pindex services
+
+Most of the programs will fall back to the default ports if the port
+numbers are not found in @file{/etc/services}, but it is convenient to
+have them there anyway.
+
+@node Install the kerberos server, Set up the server, Install the /etc/services, How to set up the kerberos server
+@subsection Install the kerberos server
+
+You should have already chosen the machine where you want to run the
+kerberos server and the realm name. The machine should also be as
+secure as possible (@xref{Choose a kerberos server}) before installing
+the kerberos server. In this example, we will install a kerberos server
+for the realm @samp{FOO.SE} on a machine called @samp{hemlig.foo.se}.
+
+@node Set up the server, Add a few important principals, Install the kerberos server, How to set up the kerberos server
+@subsection Setup the server
+
+Login as root on the console of the kerberos server. Add
+@file{/usr/athena/bin} and @file{/usr/athena/sbin} to your path. Run
+@kbd{kdb_init}:
+@pindex kdb_init
+
+@example
+@cartouche
+hemlig# kdb_init
+Realm name [default FOO.SE ]:
+You will be prompted for the database Master Password.
+It is important that you NOT FORGET this password.
+
+Enter Kerberos master password:
+Verifying password
+Enter Kerberos master password:
+@end cartouche
+@end example
+
+If you have set up the configuration files correctly, @kbd{kdb_init}
+should choose the correct realm as the default, otherwise a (good) guess
+is made. Enter the master password.
+
+This password will only be used for encrypting the kerberos database on
+disk and for generating new random keys. You will not have to remember
+it, only to type it again when you run @kbd{kstash}. Choose something
+long and random. Now run @kbd{kstash} using the same password:
+@pindex kstash
+
+@example
+@cartouche
+hemlig# kstash
+
+Enter Kerberos master password:
+
+Current Kerberos master key version is 1.
+
+Master key entered. BEWARE!
+Wrote master key to /.k
+@end cartouche
+@end example
+
+After entering the same master password it will be saved in the file
+@file{/.k} and the kerberos server will read it when needed. Write down
+the master password and put it in a sealed envelope in a safe, you might
+need it if your disk crashes or should you want to set up a slave
+server.
+
+@code{kdb_init} initializes the database with a few entries:
+
+@table @samp
+@item krbtgt.@var{REALM}
+The key used for authenticating to the kerberos server.
+
+@item changepw.kerberos
+The key used for authenticating to the administrative server, i.e. when
+adding users, changing passwords, and so on.
+
+@item default
+This entry is copied to new items when these are added. Enter here the
+values you want new entries to have, particularly the expiry date.
+
+@item K.M
+This is the master key and it is only used to verify that the master key
+that is saved un-encrypted in @file{/.k} is correct and corresponds to
+this database.
+
+@end table
+
+@code{kstash} only reads the master password and writes it to
+@file{/.k}. This enables the kerberos server to start without you
+having to enter the master password. This file (@file{/.k}) is only
+readable by root and resides on a ``secure'' machine.
+
+@node Add a few important principals, Start the server, Set up the server, How to set up the kerberos server
+@subsection Add a few important principals
+
+Now the kerberos database has been created, containing only a few
+principals. The next step is to add a few more so that you can test
+that it works properly and so that you can administer your realm without
+having to use the console on the kerberos server. Use @kbd{kdb_edit}
+to edit the kerberos database directly on the server.
+@pindex kdb_edit
+
+@code{kdb_edit} is intended as a bootstrapping and fall-back mechanism
+for editing the database. For normal purposes, use the @code{kadmin}
+program (@xref{Add users to the database}).
+
+The following example shows the adding of the principal
+@samp{nisse.admin} into the kerberos database. This principal is used
+by @samp{nisse} when administrating the kerberos database. Later on the
+normal principal for @samp{nisse} will be created. Replace @samp{nisse}
+and @samp{password} with your own username and password.
+
+@example
+@cartouche
+hemlig# kdb_edit -n
+Opening database...
+Current Kerberos master key version is 1.
+
+Master key entered. BEWARE!
+Previous or default values are in [brackets] ,
+enter return to leave the same, or new value.
+
+Principal name: <nisse>
+Instance: <admin>
+
+<Not found>, Create [y] ? <>
+
+Principal: nisse, Instance: admin, kdc_key_ver: 1
+New Password: <password>
+Verifying password
+New Password: <password>
+
+Principal's new key version = 1
+Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? <>
+Max ticket lifetime (*5 minutes) [ 255 ] ? <>
+Attributes [ 0 ] ? <>
+Edit O.K.
+Principal name: <>
+@end cartouche
+@end example
+
+@code{kdb_edit} will loop until you hit the @kbd{return} key at the
+``Principal name'' prompt. Now you have added nisse as an administrator.
+
+@node Start the server, Try to get tickets, Add a few important principals, How to set up the kerberos server
+@subsection Start the server
+
+@pindex kerberos
+@example
+@cartouche
+hemlig# /usr/athena/libexec/kerberos &
+Kerberos server starting
+Sleep forever on error
+Log file is /var/log/kerberos.log
+Current Kerberos master key version is 1.
+
+Master key entered. BEWARE!
+
+Current Kerberos master key version is 1
+Local realm: FOO.SE
+@end cartouche
+@end example
+
+@node Try to get tickets, Create initial ACL for the admin server, Start the server, How to set up the kerberos server
+@subsection Try to get tickets
+
+You can now verify that these principals have been added and that the
+server is working correctly.
+
+@pindex kinit
+@example
+@cartouche
+hemlig# kinit
+eBones International (hemlig.foo.se)
+Kerberos Initialization
+Kerberos name: <nisse.admin>
+Password: <password>
+@end cartouche
+@end example
+
+If you do not get any error message from @code{kinit}, then everything
+is working (otherwise, see @ref{Common error messages}). Use
+@code{klist} to verify the tickets you acquired with @code{kinit}:
+
+@pindex klist
+@example
+@cartouche
+hemlig# klist
+Ticket file: /tmp/tkt0
+Principal: nisse.admin@@FOO.SE
+
+Issued Expires Principal
+May 24 21:06:03 May 25 07:06:03 krbtgt.FOO.SE@@FOO.SE
+@end cartouche
+@end example
+
+@node Create initial ACL for the admin server, Start the admin server, Try to get tickets, How to set up the kerberos server
+@subsection Create initial ACL for the admin server
+
+The admin server, @code{kadmind}, uses a series of files to determine who has
+@pindex kadmind
+the right to perform certain operations. The files are:
+@file{admin_acl.add}, @file{admin_acl.get}, @file{admin_acl.del}, and
+@file{admin_acl.mod}. Create these with @samp{nisse.admin@@FOO.SE} as
+the contents.
+@pindex admin_acl.add
+@pindex admin_acl.get
+@pindex admin_acl.del
+@pindex admin_acl.mod
+
+@example
+@cartouche
+hemlig# echo "nisse.admin@@FOO.SE" > /var/kerberos/admin_acl.add
+hemlig# echo "nisse.admin@@FOO.SE" > /var/kerberos/admin_acl.get
+hemlig# echo "nisse.admin@@FOO.SE" > /var/kerberos/admin_acl.mod
+hemlig# echo "nisse.admin@@FOO.SE" > /var/kerberos/admin_acl.del
+@end cartouche
+@end example
+
+Later on you may wish to add more users with administration
+privileges. Make sure that you create both the administration principals
+and add them to the admin server ACL.
+
+@node Start the admin server, Add users to the database, Create initial ACL for the admin server, How to set up the kerberos server
+@subsection Start the admin server
+
+@pindex kadmind
+@example
+@cartouche
+hemlig# /usr/athena/libexec/kadmind &
+KADM Server KADM0.0A initializing
+Please do not use 'kill -9' to kill this job, use a
+regular kill instead
+
+Current Kerberos master key version is 1.
+
+Master key entered. BEWARE!
+@end cartouche
+@end example
+
+@node Add users to the database, Automate the startup of the servers, Start the admin server, How to set up the kerberos server
+@subsection Add users to the database
+
+Use the @code{kadmin} client to add users to the database:
+@pindex kadmin
+
+@example
+@cartouche
+hemlig# kadmin -u nisse.admin -m
+Welcome to the Kerberos Administration Program, version 2
+Type "help" if you need it.
+admin: <add nisse>
+Admin password: <nisse.admin's password>
+Maximum ticket lifetime? (255) [Forever]
+Attributes? [0x00]
+Expiration date (enter yyyy-mm-dd) ? [Sat Jan 1 05:59:00 2000]
+Password for nisse:
+Verifying password Password for nisse:
+nisse added to database.
+@end cartouche
+@end example
+
+Add whatever other users you want to have in the same way. Verify that
+a user is in the database and check the database entry for that user:
+
+@example
+@cartouche
+admin: <get nisse>
+Info in Database for nisse.:
+Max Life: 255 (Forever) Exp Date: Sat Jan 1 05:59:59 2000
+
+Attribs: 00 key: 0 0
+admin: <^D>
+Cleaning up and exiting.
+@end cartouche
+@end example
+
+@node Automate the startup of the servers, , Add users to the database, How to set up the kerberos server
+@subsection Automate the startup of the servers
+
+Add the lines that were used to start the kerberos server and the
+admin server to your startup scripts (@file{/etc/rc} or similar).
+@pindex rc
+
+@node Install the client programs, Install the kerberised services, How to set up the kerberos server, How to set up a realm
+@section Install the client programs
+
+Making a machine a kerberos client only requires a few steps. First you
+might need to change the configuration files as with the kerberos
+server. (@xref{Install the configuration files} and @ref{Install the
+/etc/services}.) Also you need to make the programs in
+@file{/usr/athena/bin} available. This can be done by adding the
+@file{/usr/athena/bin} directory to the users' paths, by making symbolic
+links, or even by copying the programs.
+
+You should also verify that the local time on the client is synchronised
+with the time on the kerberos server by some means. The maximum allowed
+time difference between the participating servers and a client is 5
+minutes.
+@cindex NTP.
+One good way to synchronize the time is NTP (Network Time Protocol), see
+@code{http://www.eecis.udel.edu/~ntp/}.
+
+If you need to run the client programs on a machine where you do not
+have root-access, you can hopefully just use the binaries and no
+configuration will be needed. The heuristics used are mentioned above
+(see @ref{Install the configuration files}). If this is not the case
+and you need to have @file{krb.conf} and/or @file{krb.realms}, you can
+copy them into a directory of your choice and
+@pindex krb.conf
+@pindex krb.realms
+set the environment variable @var{KRBCONFDIR} to point at this
+@cindex KRBCONFDIR
+directory.
+
+To test the client functionality, run the @code{kinit} program:
+
+@example
+@cartouche
+foo$ kinit
+eBones International (foo.foo.se)
+Kerberos Initialization
+Kerberos name: <nisse>
+Password: <password>
+
+foo$ klist
+Ticket file: /tmp/tkt4711
+Principal: nisse@@FOO.SE
+
+Issued Expires Principal
+May 24 21:06:03 May 25 07:06:03 krbtgt.FOO.SE@@FOO.SE
+@end cartouche
+@end example
+
+@node Install the kerberised services, Install a slave kerberos server, Install the client programs, How to set up a realm
+@section Install the kerberised services
+
+These includes @code{rsh}, @code{rlogin}, @code{telnet}, @code{ftp},
+@code{rxtelnet}, and so on.
+@pindex rsh
+@pindex rlogin
+@pindex telnet
+@pindex ftp
+@pindex rxtelnet
+
+First follow the steps mentioned in the prior section to make it a
+client and verify its operation. Change @file{inetd.conf} next to use
+the new daemons. Look at the file
+@pindex inetd.conf
+@file{etc/inetd.conf.changes} to see the changes that we recommend you
+perform on @file{inetd.conf}.
+
+You should at this point decide what services you want to run on
+each machine.
+
+@subsection rsh, rlogin, and rcp
+@pindex rsh
+@pindex rlogin
+@pindex rcp
+
+These exist in kerberised versions and ``old-style'' versions. The
+different versions use different port numbers, so you can choose none,
+one, or both. If you do not want to use ``old-style'' r* services, you
+can let the programs output the text ``Remote host requires Kerberos
+authentication'' instead of just refusing connections to that port.
+This is enabled with the @samp{-v} option. The kerberised services
+exist in encrypted and non-encrypted versions. The encrypted services
+have an ``e'' prepended to the name and the programs take @samp{-x} as an
+option indicating encryption.
+
+Our recommendation is to only use the kerberised services and give
+explanation messages for the old ports.
+
+@subsection telnet
+@pindex telnet
+
+The telnet service always uses the same port and negotiates as to which
+authentication method should be used. The @code{telnetd} program has
+@pindex telnetd
+an option ``-a user'' that only allows kerberised and authenticated
+connections. If this is not included, it falls back to using clear text
+passwords. For obvious reasons, we recommend that you enable this
+option. If you want to use one-time passwords (@xref{One-Time
+Passwords}) you can use the ``-a otp'' option which will allow OTPs or
+kerberised connections.
+
+@subsection ftp
+@pindex ftp
+
+The ftp service works as telnet does, with just one port being used. By
+default only kerberos authenticated connections are allowed. You can
+specify additional levels that are thus allowed with these options:
+
+@table @asis
+@item @kbd{-a otp}
+Allow one-time passwords (@xref{One-Time Passwords}).
+@item @kbd{-a ftp}
+Allow anonymous login (as user ``ftp'' or ``anonymous'').
+@item @kbd{-a safe}
+The same as @kbd{-a ftp}, for backwards compatibility.
+@item @kbd{-a plain}
+Allow clear-text passwords.
+@item @kbd{-a none}
+The same as @kbd{-a ftp -a plain}.
+@item @kbd{-a user}
+A no-op, also there for backwards compatibility reasons.
+@end table
+
+When running anonymous ftp you should read the man page on @code{ftpd}
+which explains how to set it up.
+
+@subsection pop
+@pindex popper
+
+The Post Office Protocol (POP) is used to retrieve mail from the mail
+hub. The @code{popper} program implements the standard POP3 protocol
+and the kerberised KPOP. Use the @samp{-k} option to run the kerberos
+version of the protocol. This service should only be run on your mail
+hub.
+
+@subsection kx
+@pindex kx
+
+@code{kx} allows you to run X over a kerberos-authenticated and
+encrypted connection. This program is used by @code{rxtelnet},
+@code{tenletxr}, and @code{rxterm}.
+
+If you have some strange kind of operating system with X libraries that
+do not allow you to use unix-sockets, you need to specify the @samp{-t}
+@pindex kxd
+option to @code{kxd}. Otherwise it should be sufficient by adding the
+daemon in @file{inetd.conf}.
+
+@subsection kauth
+@pindex kauth
+
+This service allows you to create tickets on a remote host. To
+enable it just insert the corresponding line in @file{inetd.conf}.
+
+@section srvtabs
+@pindex srvtab
+
+In the same way every user needs to have a password registered with
+the kerberos server, every service needs to have a shared key with the
+kerberos server. The service keys are stored in a file, usually called
+@file{/etc/srvtab}. This file should not be readable to anyone but
+root, in order to keep the key from being divulged. The name of this principal
+in the kerberos database is usually the service and the host. The key
+for the pop service is called @samp{pop.@var{hostname}}. The one for
+rsh/rlogin/telnet is named @samp{rcmd.@var{hostname}}. (rcmd comes from
+``remote command''). To create these keys you will use the the
+@code{ksrvutil} program. Perform the
+@pindex ksrvutil
+following:
+
+@example
+@cartouche
+bar# ksrvutil -p nisse.admin get
+Name [rcmd]: <>
+Instance [bar]: <>
+Realm [FOO.SE]: <>
+Is this correct? (y,n) [y] <>
+Add more keys? (y,n) [n] <>
+Password for nisse.admin@@FOO.SE: <nisse.admin's password>
+Written rcmd.bar
+rcmd.bar@@FOO.SE
+Old keyfile in /etc/srvtab.old.
+@end cartouche
+@end example
+
+@subsection Complete test of the kerberised services
+
+Obtain a ticket on one machine (@samp{foo}) and use it to login with a
+kerberised service to a second machine (@samp{bar}). The test should
+look like this if successful:
+
+@example
+@cartouche
+foo$ kinit nisse
+eBones International (foo.foo.se)
+Kerberos Initialization for "nisse"
+Password: <nisse's password>
+foo$ klist
+Ticket file: /tmp/tkt4711
+Principal: nisse@@FOO.SE
+
+Issued Expires Principal
+May 30 13:48:03 May 30 23:48:03 krbtgt.FOO.SE@@FOO.SE
+foo$ telnet bar
+Trying 17.17.17.17...
+Connected to bar.foo.se
+Escape character is '^]'.
+[ Trying mutual KERBEROS4 ... ]
+[ Kerberos V4 accepts you ]
+[ Kerberos V4 challenge successful ]
+bar$
+@end cartouche
+@end example
+
+You can also try with @code{rsh}, @code{rcp}, @code{rlogin},
+@code{rlogin -x}, and some other commands to see that everything is
+working all right.
+
+@node Install a slave kerberos server, Cross-realm functionality , Install the kerberised services, How to set up a realm
+@section Install a slave kerberos server
+
+It is desirable to have at least one backup (slave) server in case the
+master server fails. It is possible to have any number of such slave
+servers but more than three usually doesn't buy much more redundancy.
+
+First select a good server machine. @xref{Choose a kerberos
+server}. Since the master and slave servers will use copies of the same
+database, they need to use the same master key.
+
+On the master, add a @samp{rcmd.kerberos} principal (using
+@samp{ksrvutil get}). The
+@pindex kprop
+@code{kprop} program, running on the master, will use this when
+authenticating to the
+@pindex kpropd
+@code{kpropd} daemons running on the slave servers.
+
+On your master server, create a file, e.g. @file{/var/kerberos/slaves},
+that contains the hostnames of your kerberos slave servers.
+
+Start @code{kpropd} with @samp{kpropd -i} on your slave servers.
+
+On your master server, create a dump of the database with @samp{kdb_util
+slave_dump /var/kerberos/slave_dump}, and then run @code{kprop}.
+
+You should now have copies of the database on your slave servers. You
+can verify this by issuing @samp{kdb_util dump @var{file}} on your
+slave servers, and comparing with the original file on the master
+server. Note that the entries will not be in the same order.
+
+This procedure should be automated with a script run regularly by cron,
+for instance once an hour.
+
+To start the kerberos server on slaves, you first have to copy the
+master key from the master server. You can do this either by remembering
+the master password and issuing @samp{kstash}, or you can just copy the
+keyfile. Remember that if you copy the file, do so on a safe media, not
+over the network. Good means include floppy or paper. Paper is better,
+since it is easier to swallow afterwards.
+
+The kerberos server should be started with @samp{-s} on the slave
+servers. This enables sanity checks, for example checking the time since
+the last update from the master.
+
+All changes to the database are made by @code{kadmind} at the master,
+and then propagated to the slaves, so you should @strong{not} run
+@code{kadmind} on the slaves.
+
+Finally add the slave servers to
+@file{/etc/krb.conf}. The clients will ask the servers in the order
+specified by that file.
+
+Consider adding CNAMEs to your slave servers, see @ref{Install the
+configuration files}.
+
+@node Cross-realm functionality , , Install a slave kerberos server, How to set up a realm
+@section Cross-realm functionality
+
+Suppose you are residing in the realm @samp{MY.REALM}, how do you
+authenticate to a server in @samp{OTHER.REALM}? Having valid tickets in
+@samp{MY.REALM} allows you to communicate with kerberised services in that
+realm. However, the computer in the other realm does not have a secret
+key shared with the kerberos server in your realm.
+
+It is possible to add a shared key between two realms that trust each
+other. When a client program, such as @code{telnet}, finds that the
+other computer is in a different realm, it will try to get a ticket
+granting ticket for that other realm, but from the local kerberos
+server. With that ticket granting ticket, it will then obtain service
+tickets from the kerberos server in the other realm.
+
+To add this functionality you have to add a principal to each realm. The
+principals should be @samp{krbtgt.OTHER.REALM} in @samp{MY.REALM}, and
+@samp{krbtgt.MY.REALM} in @samp{OTHER.REALM}. The two different
+principals should have the same key (and key version number). Remember
+to transfer this key in a safe manner. This is all that is required.
+
+@example
+@cartouche
+blubb$ klist
+Ticket file: /tmp/tkt3008
+Principal: joda@@NADA.KTH.SE
+
+ Issued Expires Principal
+Jun 7 02:26:23 Jun 7 12:26:23 krbtgt.NADA.KTH.SE@@NADA.KTH.SE
+blubb$ telnet agat.e.kth.se
+Trying 130.237.48.12...
+Connected to agat.e.kth.se.
+Escape character is '^]'.
+[ Trying mutual KERBEROS4 ... ]
+[ Kerberos V4 accepts you ]
+[ Kerberos V4 challenge successful ]
+Last login: Sun Jun 2 20:51:50 from emma.pdc.kth.se
+
+agat$ exit
+Connection closed by foreign host.
+blubb$ klist
+Ticket file: /tmp/tkt3008
+Principal: joda@@NADA.KTH.SE
+
+ Issued Expires Principal
+Jun 7 02:26:23 Jun 7 12:26:23 krbtgt.NADA.KTH.SE@@NADA.KTH.SE
+Jun 7 02:26:50 Jun 7 12:26:50 krbtgt.E.KTH.SE@@NADA.KTH.SE
+Jun 7 02:26:51 Jun 7 12:26:51 rcmd.agat@@E.KTH.SE
+@end cartouche
+@end example
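Review bot: the cross-references placed inside parentheses in this hunk use @xref, which Texinfo renders as a sentence-starting "*Note ..." in Info output; inside parentheses it should be @pxref, e.g. "(@pxref{Install the configuration files} and @ref{Install the /etc/services}.)" under "Install the client programs", and "(@pxref{One-Time Passwords})" in the telnet paragraph and in the ftp @table. Several @pindex/@cindex entries are dropped into the middle of a sentence ("who has / @pindex kadmind / the right to perform", the @pindex krb.conf, @pindex krb.realms and @cindex KRBCONFDIR lines splitting "copy them into a directory of your choice and ... set the environment variable", and the same pattern before @code{telnetd}, @code{kxd} and @code{ksrvutil}); move them to just before the paragraph so the source reads cleanly and the index anchors land on the paragraph start. Two typos: "These includes @code{rsh}" should be "These include", and "you will use the the @code{ksrvutil} program" doubles "the". The node name "Cross-realm functionality " carries a trailing space in both @node lines where it appears; drop it so the name is spelled identically everywhere, matching the @section title. Finally, the admin_acl.* files are created with plain echo redirection, and the srvtab paragraph says @file{/etc/srvtab} must be readable only by root; state the expected ownership and mode where these files are created (root-only write for the ACL files, since they decide who may administer the database; root-only read for the srvtab), otherwise a reader following the transcript verbatim gets whatever the shell's umask happens to produce.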
diff --git a/crypto/kerberosIV/doc/whatis.texi b/crypto/kerberosIV/doc/whatis.texi
new file mode 100644
index 0000000..16989bb
--- /dev/null
+++ b/crypto/kerberosIV/doc/whatis.texi
@@ -0,0 +1,137 @@
+@node What is Kerberos?, Installing programs, Introduction, Top
+@chapter What is Kerberos?
+
+@quotation
+@flushleft
+ Now this Cerberus had three heads of dogs,
+ the tail of a dragon, and on his back the
+ heads of all sorts of snakes.
+ --- Pseudo-Apollodorus Library 2.5.12
+@end flushleft
+@end quotation
+
+Kerberos is a system for authenticating users and services on a network.
+It is built upon the assumption that the network is ``unsafe''. For
+example, data sent over the network can be eavesdropped and altered, and
+addresses can also be faked. Therefore they cannot be used for
+authentication purposes.
+@cindex authentication
+
+Kerberos is a trusted third-party service. That means that there is a
+third party (the kerberos server) that is trusted by all the entities on
+the network (users and services, usually called @dfn{principals}). All
+principals share a secret password (or key) with the kerberos server and
+this enables principals to verify that the messages from the kerberos
+server are authentic. Thus trusting the kerberos server, users and
+services can authenticate each other.
+
+@section Basic mechanism
+
+@ifinfo
+@macro sub{arg}
+<\arg\>
+@end macro
+@end ifinfo
+
+@tex
+@def@xsub#1{$_{#1}$}
+@global@let@sub=@xsub
+@end tex
+
+In Kerberos, principals use @dfn{tickets} to prove that they are who
+they claim to be. In the following example, @var{A} is the initiator of
+the authentication exchange, usually a user, and @var{B} is the service
+that @var{A} wishes to use.
+
+To obtain a ticket for a specific service, @var{A} sends a ticket
+request to the kerberos server. The request basically contains @var{A}'s
+and @var{B}'s names. The kerberos server checks that both @var{A} and
+@var{B} are valid principals.
+
+Having verified the validity of the principals, it creates a packet
+containing @var{A}'s and @var{B}'s names, @var{A}'s network address
+(@var{A@sub{addr}}), the current time (@var{t@sub{issue}}), the lifetime
+of the ticket (@var{life}), and a secret @dfn{session key}
+@cindex session key
+(@var{K@sub{AB}}). This packet is encrypted with @var{B}'s secret key
+(@var{K@sub{B}}). The actual ticket (@var{T@sub{AB}}) looks like this:
+(@{@var{A}, @var{B}, @var{A@sub{addr}}, @var{t@sub{issue}}, @var{life},
+@var{K@sub{AB}}@}@var{K@sub{B}}).
+
+The reply to @var{A} consists of the ticket (@var{T@sub{AB}}), @var{B}'s
+name, the current time, the lifetime of the ticket, and the session key, all
+encrypted in @var{A}'s secret key (@{@var{B}, @var{t@sub{issue}},
+@var{life}, @var{K@sub{AB}}, @var{T@sub{AB}}@}@var{K@sub{A}}). @var{A}
+decrypts the reply and retains it for later use.
+
+@sp 1
+
+Before sending a message to @var{B}, @var{A} creates an authenticator
+consisting of @var{A}'s name, @var{A}'s address, the current time, and a
+``checksum'' chosen by @var{A}, all encrypted with the secret session
+key (@{@var{A}, @var{A@sub{addr}}, @var{t@sub{current}},
+@var{checksum}@}@var{K@sub{AB}}). This is sent together with the ticket
+received from the kerberos server to @var{B}. Upon reception, @var{B}
+decrypts the ticket using @var{B}'s secret key. Since the ticket
+contains the session key that the authenticator was encrypted with,
+@var{B} can now also decrypt the authenticator. To verify that @var{A}
+really is @var{A}, @var{B} now has to compare the contents of the ticket
+with that of the authenticator. If everything matches, @var{B} now
+considers @var{A} as properly authenticated.
+
+@c (here we should have some more explanations)
+
+@section Different attacks
+
+@subheading Impersonating A
+
+An impostor, @var{C} could steal the authenticator and the ticket as it
+is transmitted across the network, and use them to impersonate
+@var{A}. The address in the ticket and the authenticator was added to
+make it more difficult to perform this attack. To succeed @var{C} will
+have to either use the same machine as @var{A} or fake the source
+addresses of the packets. By including the time stamp in the
+authenticator, @var{C} does not have much time in which to mount the
+attack.
+
+@subheading Impersonating B
+
+@var{C} can hijack @var{B}'s network address, and when @var{A} sends
+her credentials, @var{C} just pretend to verify them. @var{C} can't
+be sure that she is talking to @var{A}.
+
+@section Defense strategies
+
+It would be possible to add a @dfn{replay cache}
+@cindex replay cache
+to the server side. The idea is to save the authenticators sent during
+the last few minutes, so that @var{B} can detect when someone is trying
+to retransmit an already used message. This is somewhat impractical
+(mostly regarding efficiency), and is not part of Kerberos 4; MIT
+Kerberos 5 contains it.
+
+To authenticate @var{B}, @var{A} might request that @var{B} sends
+something back that proves that @var{B} has access to the session
+key. An example of this is the checksum that @var{A} sent as part of the
+authenticator. One typical procedure is to add one to the checksum,
+encrypt it with the session key and send it back to @var{A}. This is
+called @dfn{mutual authentication}.
+
+The session key can also be used to add cryptographic checksums to the
+messages sent between @var{A} and @var{B} (known as @dfn{message
+integrity}). Encryption can also be added (@dfn{message
+confidentiality}). This is probably the best approach in all cases.
+@cindex integrity
+@cindex confidentiality
+
+@section Further reading
+
+The original paper on Kerberos from 1988 is @cite{Kerberos: An
+Authentication Service for Open Network Systems}, by Jennifer Steiner,
+Clifford Neuman and Jeffrey I. Schiller.
+
+A less technical description can be found in @cite{Designing an
+Authentication System: a Dialogue in Four Scenes} by Bill Bryant, also
+from 1988.
+
+These and several other documents can be found on our web-page.
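Review bot: the last sentence of "Impersonating B" has the roles reversed: after @var{C} hijacks @var{B}'s address and pretends to verify @var{A}'s credentials, the party who cannot be sure whom she is talking to is @var{A}, so it should read "@var{A} can't be sure that she is talking to @var{B}." The mutual-authentication paragraph under "Defense strategies" is the answer to exactly that case, which makes the current wording confusing; also "@var{C} just pretend to verify them" wants "pretends". In "Basic mechanism" the @sub macro is defined only inside @ifinfo and inside @tex, so any other output format (HTML, for instance) meets an undefined @sub in @var{A@sub{addr}}, @var{K@sub{AB}} and the rest; it needs a definition that applies to every output format, not only Info and TeX. In "Impersonating A", "The address in the ticket and the authenticator was added" should be "were added". The "@c (here we should have some more explanations)" line is a TODO left in the shipped file; either expand it or drop it. "These and several other documents can be found on our web-page" in "Further reading" gives no URL, so readers of the Info file cannot follow it; name the page.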