diff options
author | peter <peter@FreeBSD.org> | 1995-12-30 19:02:48 +0000 |
---|---|---|
committer | peter <peter@FreeBSD.org> | 1995-12-30 19:02:48 +0000 |
commit | ab124e78b0271ddb904b761b31e5c9a0cf24e070 (patch) | |
tree | 0cf1447720c45721ed3d214a4eaaa6834bda155d /eBones/man | |
parent | 15748830d0fcd29294a1969a1012655e74908c1e (diff) | |
download | FreeBSD-src-ab124e78b0271ddb904b761b31e5c9a0cf24e070.zip FreeBSD-src-ab124e78b0271ddb904b761b31e5c9a0cf24e070.tar.gz |
recording cvs-1.6 file death
Diffstat (limited to 'eBones/man')
-rw-r--r-- | eBones/man/acl_check.3 | 183 | ||||
-rw-r--r-- | eBones/man/ext_srvtab.8 | 62 | ||||
-rw-r--r-- | eBones/man/kadmind.8 | 117 | ||||
-rw-r--r-- | eBones/man/kdb_destroy.8 | 36 | ||||
-rw-r--r-- | eBones/man/kdb_edit.8 | 58 | ||||
-rw-r--r-- | eBones/man/kdb_init.8 | 45 | ||||
-rw-r--r-- | eBones/man/kdb_util.8 | 64 | ||||
-rw-r--r-- | eBones/man/klist.1 | 84 | ||||
-rw-r--r-- | eBones/man/krb.3 | 462 | ||||
-rw-r--r-- | eBones/man/krb_realmofhost.3 | 161 | ||||
-rw-r--r-- | eBones/man/krb_sendauth.3 | 348 | ||||
-rw-r--r-- | eBones/man/krb_set_tkt_string.3 | 43 | ||||
-rw-r--r-- | eBones/man/ksrvtgt.1 | 51 | ||||
-rw-r--r-- | eBones/man/kstash.8 | 44 | ||||
-rw-r--r-- | eBones/man/kuserok.3 | 63 | ||||
-rw-r--r-- | eBones/man/tf_util.3 | 151 |
16 files changed, 0 insertions, 1972 deletions
diff --git a/eBones/man/acl_check.3 b/eBones/man/acl_check.3 deleted file mode 100644 index 2e5129c..0000000 --- a/eBones/man/acl_check.3 +++ /dev/null @@ -1,183 +0,0 @@ -.\" from: acl_check.3,v 4.1 89/01/23 11:06:54 jtkohl Exp $ -.\" $Id: acl_check.3,v 1.1.1.1 1994/09/30 14:50:05 csgr Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH ACL_CHECK 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -acl_canonicalize_principal, acl_check, acl_exact_match, acl_add, -acl_delete, acl_initialize \- Access control list routines -.SH SYNOPSIS -.nf -.nj -.ft B -cc <files> \-lacl \-lkrb -.PP -.ft B -#include <kerberosIV/krb.h> -.PP -.ft B -acl_canonicalize_principal(principal, buf) -char *principal; -char *buf; -.PP -.ft B -acl_check(acl, principal) -char *acl; -char *principal; -.PP -.ft B -acl_exact_match(acl, principal) -char *acl; -char *principal; -.PP -.ft B -acl_add(acl, principal) -char *acl; -char *principal; -.PP -.ft B -acl_delete(acl, principal) -char *acl; -char *principal; -.PP -.ft B -acl_initialize(acl_file, mode) -char *acl_file; -int mode; -.fi -.ft R -.SH DESCRIPTION -.SS Introduction -.PP -An access control list (ACL) is a list of principals, where each -principal is represented by a text string which cannot contain -whitespace. The library allows application programs to refer to named -access control lists to test membership and to atomically add and -delete principals using a natural and intuitive interface. At -present, the names of access control lists are required to be Unix -filenames, and refer to human-readable Unix files; in the future, when -a networked ACL server is implemented, the names may refer to a -different namespace specific to the ACL service. -.PP -.SS Principal Names -.PP -Principal names have the form -.nf -.in +5n -<name>[.<instance>][@<realm>] -.in -5n -e.g.: -.in +5n -asp -asp.root -asp@ATHENA.MIT.EDU -asp.@ATHENA.MIT.EDU -asp.root@ATHENA.MIT.EDU -.in -5n -.fi -It is possible for principals to be underspecified. If an instance is -missing, it is assumed to be "". If realm is missing, it is assumed -to be the local realm as determined by -.IR krb_get_lrealm (3). -The canonical form contains all of name, instance, -and realm; the acl_add and acl_delete routines will always -leave the file in that form. Note that the canonical form of -asp@ATHENA.MIT.EDU is actually asp.@ATHENA.MIT.EDU. -.SS Routines -.PP -.I acl_canonicalize_principal -stores the canonical form of -.I principal -in -.IR buf . -.I Buf -must contain enough -space to store a principal, given the limits on the sizes of name, -instance, and realm specified as ANAME_SZ, INST_SZ, and REALM_SZ, -respectively, in -.IR /usr/include/kerberosIV/krb.h . -.PP -.I acl_check -returns nonzero if -.I principal -appears in -.IR acl . -Returns 0 if principal -does not appear in acl, or if an error occurs. Canonicalizes -principal before checking, and allows the ACL to contain wildcards. The -only supported wildcards are entries of the form -name.*@realm, *.*@realm, and *.*@*. An asterisk matches any value for the -its component field. For example, "jtkohl.*@*" would match principal -jtkohl, with any instance and any realm. -.PP -.I acl_exact_match -performs like -.IR acl_check , -but does no canonicalization or wildcard matching. -.PP -.I acl_add -atomically adds -.I principal -to -.IR acl . -Returns 0 if successful, nonzero otherwise. It is considered a failure -if -.I principal -is already in -.IR acl . -This routine will canonicalize -.IR principal , -but will treat wildcards literally. -.PP -.I acl_delete -atomically deletes -.I principal -from -.IR acl . -Returns 0 if successful, -nonzero otherwise. It is considered a failure if -.I principal -is not -already in -.IR acl . -This routine will canonicalize -.IR principal , -but will treat wildcards literally. -.PP -.I acl_initialize -initializes -.IR acl_file . -If the file -.I acl_file -does not exist, -.I acl_initialize -creates it with mode -.IR mode . -If the file -.I acl_file -exists, -.I acl_initialize -removes all members. Returns 0 if successful, -nonzero otherwise. WARNING: Mode argument is likely to change with -the eventual introduction of an ACL service. -.SH NOTES -In the presence of concurrency, there is a very small chance that -.I acl_add -or -.I acl_delete -could report success even though it would have -had no effect. This is a necessary side effect of using lock files -for concurrency control rather than flock(2), which is not supported -by NFS. -.PP -The current implementation caches ACLs in memory in a hash-table -format for increased efficiency in checking membership; one effect of -the caching scheme is that one file descriptor will be kept open for -each ACL cached, up to a maximum of 8. -.SH SEE ALSO -kerberos(3), krb_get_lrealm(3) -.SH AUTHOR -James Aspnes (MIT Project Athena) diff --git a/eBones/man/ext_srvtab.8 b/eBones/man/ext_srvtab.8 deleted file mode 100644 index 565c3a3..0000000 --- a/eBones/man/ext_srvtab.8 +++ /dev/null @@ -1,62 +0,0 @@ -.\" from: ext_srvtab.8,v 4.2 89/07/18 16:53:18 jtkohl Exp $ -.\" $Id: ext_srvtab.8,v 1.1.1.1 1994/09/30 14:50:05 csgr Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH EXT_SRVTAB 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -ext_srvtab \- extract service key files from Kerberos key distribution center database -.SH SYNOPSIS -ext_srvtab [ -.B \-n -] [ -.B \-r realm -] [ -.B hostname ... -] -.SH DESCRIPTION -.I ext_srvtab -extracts service key files from the Kerberos key distribution center -(KDC) database. -.PP -Upon execution, it prompts the user to enter the master key string for -the database. If the -.B \-n -option is specified, the master key is instead fetched from the master -key cache file. -.PP -For each -.I hostname -specified on the command line, -.I ext_srvtab -creates the service key file -.IR hostname -new-srvtab, -containing all the entries in the database with an instance field of -.I hostname. -This new file contains all the keys registered for Kerberos-mediated -service providing programs which use the -.IR krb_get_phost (3) -principal and instance conventions to run on the host -.IR hostname . -If the -.B \-r -option is specified, the realm fields in the extracted file will -match the given realm rather than the local realm. -.SH DIAGNOSTICS -.TP 20n -"verify_master_key: Invalid master key, does not match database." -The master key string entered was incorrect. -.SH FILES -.TP 20n -/etc/kerberosIV/principal.db -DBM file containing database -.TP -/etc/kerberosIV/principal.ok -Semaphore indicating that the DBM database is not being modified. -.TP -/etc/kerberosIV/master_key -Master key cache file. -.SH SEE ALSO -read_service_key(3), krb_get_phost(3) diff --git a/eBones/man/kadmind.8 b/eBones/man/kadmind.8 deleted file mode 100644 index 1eb10d7..0000000 --- a/eBones/man/kadmind.8 +++ /dev/null @@ -1,117 +0,0 @@ -.\" from: kadmind.8,v 4.1 89/07/25 17:28:33 jtkohl Exp $ -.\" $Id: kadmind.8,v 1.1.1.1 1994/09/30 14:50:06 csgr Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KADMIND 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kadmind \- network daemon for Kerberos database administration -.SH SYNOPSIS -.B kadmind -[ -.B \-n -] [ -.B \-h -] [ -.B \-r realm -] [ -.B \-f filename -] [ -.B \-d dbname -] [ -.B \-a acldir -] -.SH DESCRIPTION -.I kadmind -is the network database server for the Kerberos password-changing and -administration tools. -.PP -Upon execution, it prompts the user to enter the master key string for -the database. -.PP -If the -.B \-n -option is specified, the master key is instead fetched from the master -key cache file. -.PP -If the -.B \-r -.I realm -option is specified, the admin server will pretend that its -local realm is -.I realm -instead of the actual local realm of the host it is running on. -This makes it possible to run a server for a foreign kerberos -realm. -.PP -If the -.B \-f -.I filename -option is specified, then that file is used to hold the log information -instead of the default. -.PP -If the -.B \-d -.I dbname -option is specified, then that file is used as the database name instead -of the default. -.PP -If the -.B \-a -.I acldir -option is specified, then -.I acldir -is used as the directory in which to search for access control lists -instead of the default. -.PP -If the -.B \-h -option is specified, -.I kadmind -prints out a short summary of the permissible control arguments, and -then exits. -.PP -When performing requests on behalf of clients, -.I kadmind -checks access control lists (ACLs) to determine the authorization of the client -to perform the requested action. -Currently three distinct access types are supported: -.TP 1i -Addition -(.add ACL file). If a principal is on this list, it may add new -principals to the database. -.TP -Retrieval -(.get ACL file). If a principal is on this list, it may retrieve -database entries. NOTE: A principal's private key is never returned by -the get functions. -.TP -Modification -(.mod ACL file). If a principal is on this list, it may modify entries -in the database. -.PP -A principal is always granted authorization to change its own password. -.SH FILES -.TP 20n -/var/log/kadmind.syslog -Default log file. -.TP -/etc/kerberosIV/admin_acl.{add,get,mod} -Access control list files -.TP -/etc/kerberosIV/principal.db -DBM file containing database -.TP -/etc/kerberosIV/principal.ok -Semaphore indicating that the DBM database is not being modified. -.TP -/etc/kerberosIV/master_key -Master key cache file. -.SH "SEE ALSO" -kerberos(1), kpasswd(1), kadmin(8), acl_check(3) -.SH AUTHORS -Douglas A. Church, MIT Project Athena -.br -John T. Kohl, Project Athena/Digital Equipment Corporation diff --git a/eBones/man/kdb_destroy.8 b/eBones/man/kdb_destroy.8 deleted file mode 100644 index 2e57876..0000000 --- a/eBones/man/kdb_destroy.8 +++ /dev/null @@ -1,36 +0,0 @@ -.\" from: kdb_destroy.8,v 4.1 89/01/23 11:08:02 jtkohl Exp $ -.\" $Id: kdb_destroy.8,v 1.1.1.1 1994/09/30 14:50:06 csgr Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KDB_DESTROY 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kdb_destroy \- destroy Kerberos key distribution center database -.SH SYNOPSIS -kdb_destroy -.SH DESCRIPTION -.I kdb_destroy -deletes a Kerberos key distribution center database. -.PP -The user is prompted to verify that the database should be destroyed. A -response beginning with `y' or `Y' confirms deletion. -Any other response aborts deletion. -.SH DIAGNOSTICS -.TP 20n -"Database cannot be deleted at /kerberos/principal" -The attempt to delete the database failed (probably due to a system or -access permission error). -.TP -"Database not deleted." -The user aborted the deletion. -.SH FILES -.TP 20n -/etc/kerberosIV/principal.db -DBM file containing database -.TP -/etc/kerberosIV/principal.ok -Semaphore indicating that the DBM database is not being modified. -.SH SEE ALSO -kdb_init(8) diff --git a/eBones/man/kdb_edit.8 b/eBones/man/kdb_edit.8 deleted file mode 100644 index 44a0fa6..0000000 --- a/eBones/man/kdb_edit.8 +++ /dev/null @@ -1,58 +0,0 @@ -.\" from: kdb_edit.8,v 4.1 89/01/23 11:08:55 jtkohl Exp $ -.\" $Id: kdb_edit.8,v 1.2 1995/02/08 10:54:20 jkh Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KDB_EDIT 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kdb_edit \- Kerberos key distribution center database editing utility -.SH SYNOPSIS -kdb_edit [ -.B \-n -] -.SH DESCRIPTION -.I kdb_edit -is used to create or change principals stored in the Kerberos key -distribution center (KDC) database. -.PP -When executed, -.I kdb_edit -prompts for the master key string and verifies that it matches the -master key stored in the database. -If the -.B \-n -option is specified, the master key is instead fetched from the master -key cache file. -.PP -Once the master key has been verified, -.I kdb_edit -begins a prompt loop. The user is prompted for the principal and -instance to be modified. If the entry is not found the user may create -it. -Once an entry is found or created, the user may set the password, -expiration date, maximum ticket lifetime, and attributes. -Default expiration dates, maximum ticket lifetimes, and attributes are -presented in brackets; if the user presses return the default is selected. -There is no default password. -The password "RANDOM" and an empty password are interpreted specially, -if entered the user may have the program select a random DES key for the -principal. -.PP -Upon successfully creating or changing the entry, ``Edit O.K.'' is -printed. -.SH DIAGNOSTICS -.TP 20n -"verify_master_key: Invalid master key, does not match database." -The master key string entered was incorrect. -.SH FILES -.TP 20n -/etc/kerberosIV/principal.db -DBM file containing database -.TP -/etc/kerberosIV/principal.ok -Semaphore indicating that the DBM database is not being modified. -.TP -/etc/kerberosIV/master_key -Master key cache file. diff --git a/eBones/man/kdb_init.8 b/eBones/man/kdb_init.8 deleted file mode 100644 index d884d00..0000000 --- a/eBones/man/kdb_init.8 +++ /dev/null @@ -1,45 +0,0 @@ -.\" from: kdb_init.8,v 4.1 89/01/23 11:09:02 jtkohl Exp $ -.\" $Id: kdb_init.8,v 1.1.1.1 1994/09/30 14:50:06 csgr Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KDB_INIT 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kdb_init \- Initialize Kerberos key distribution center database -.SH SYNOPSIS -kdb_init [ -.B realm -] -.SH DESCRIPTION -.I kdb_init -initializes a Kerberos key distribution center database, creating the -necessary principals. -.PP -If the optional -.I realm -argument is not present, -.I kdb_init -prompts for a realm name (defaulting to the definition in -/usr/include/kerberosIV/krb.h). -After determining the realm to be created, it prompts for -a master key password. The master key password is used to encrypt -every encryption key stored in the database. -.SH DIAGNOSTICS -.TP 20n -"/etc/kerberosIV/principal: File exists" -An attempt was made to create a database on a machine which already had -an existing database. -.SH FILES -.TP 20n -/etc/kerberosIV/principal.db -DBM file containing database -.TP -/etc/kerberosIV/principal.ok -Semaphore indicating that the DBM database is not being modified. -.TP -/usr/include/kerberosIV/krb.h -Include file defining default realm -.SH SEE ALSO -kdb_destroy(8) diff --git a/eBones/man/kdb_util.8 b/eBones/man/kdb_util.8 deleted file mode 100644 index 4183ef3..0000000 --- a/eBones/man/kdb_util.8 +++ /dev/null @@ -1,64 +0,0 @@ -.\" from: kdb_util.8,v 4.1 89/01/23 11:09:11 jtkohl Exp $ -.\" $Id: kdb_util.8,v 1.1.1.1 1994/09/30 14:50:06 csgr Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KDB_UTIL 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kdb_util \- Kerberos key distribution center database utility -.SH SYNOPSIS -kdb_util -.B operation filename -.SH DESCRIPTION -.I kdb_util -allows the Kerberos key distribution center (KDC) database administrator to -perform utility functions on the database. -.PP -.I Operation -must be one of the following: -.TP 10n -.I load -initializes the KDC database with the records described by the -text contained in the file -.IR filename . -Any existing database is overwritten. -.TP -.I dump -dumps the KDC database into a text representation in the file -.IR filename . -.TP -.I slave_dump -performs a database dump like the -.I dump -operation, and additionally creates a semaphore file signalling the -propagation software that an update is available for distribution to -slave KDC databases. -.TP -.I new_master_key -prompts for the old and new master key strings, and then dumps the KDC -database into a text representation in the file -.IR filename . -The keys in the text representation are encrypted in the new master key. -.TP -.I convert_old_db -prompts for the master key string, and then dumps the KDC database into -a text representation in the file -.IR filename . -The existing database is assumed to be encrypted using the old format -(encrypted by the key schedule of the master key); the dumped database -is encrypted using the new format (encrypted directly with master key). -.PP -.SH DIAGNOSTICS -.TP 20n -"verify_master_key: Invalid master key, does not match database." -The master key string entered was incorrect. -.SH FILES -.TP 20n -/etc/kerberosIV/principal.db -DBM file containing database -.TP -.IR filename .dump_ok -semaphore file created by -.IR slave_dump. diff --git a/eBones/man/klist.1 b/eBones/man/klist.1 deleted file mode 100644 index af7e31a..0000000 --- a/eBones/man/klist.1 +++ /dev/null @@ -1,84 +0,0 @@ -.\" from: klist.1,v 4.8 89/01/24 14:35:09 jtkohl Exp $ -.\" $Id: klist.1,v 1.1.1.1 1994/09/30 14:50:06 csgr Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KLIST 1 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -klist \- list currently held Kerberos tickets -.SH SYNOPSIS -.B klist -[ -\fB\-s \fR|\fB \-t\fR -] [ -.B \-file -name ] [ -.B \-srvtab -] -.br -.SH DESCRIPTION -.I klist -prints the name of the tickets file and the -identity of the principal the tickets are for (as listed in the -tickets file), and -lists the principal names of all Kerberos tickets currently held by -the user, along with the issue and expire time for each authenticator. -Principal names are listed in the form -.I name.instance@realm, -with the '.' omitted if the instance is null, -and the '@' omitted if the realm is null. - -If given the -.B \-s -option, -.I klist -does not print the issue and expire times, the name of the tickets file, -or the identity of the principal. - -If given the -.B \-t -option, -.B klist -checks for the existence of a non-expired ticket-granting-ticket in the -ticket file. If one is present, it exits with status 0, else it exits -with status 1. No output is generated when this option is specified. - -If given the -.B \-file -option, the following argument is used as the ticket file. -Otherwise, if the -.B KRBTKFILE -environment variable is set, it is used. -If this environment variable -is not set, the file -.B /tmp/tkt[uid] -is used, where -.B uid -is the current user-id of the user. - -If given the -.B \-srvtab -option, the file is treated as a service key file, and the names of the -keys contained therein are printed. If no file is -specified with a -.B \-file -option, the default is -.IR /etc/kerberosIV/srvtab . -.SH FILES -.TP 2i -/etc/kerberosIV/krb.conf -to get the name of the local realm -.TP -/tmp/tkt[uid] -as the default ticket file ([uid] is the decimal UID of the user). -.TP -/etc/kerberosIV/srvtab -as the default service key file -.SH SEE ALSO -.PP -kerberos(1), kinit(1), kdestroy(1) -.SH BUGS -When reading a file as a service key file, very little sanity or error -checking is performed. diff --git a/eBones/man/krb.3 b/eBones/man/krb.3 deleted file mode 100644 index 98a720b..0000000 --- a/eBones/man/krb.3 +++ /dev/null @@ -1,462 +0,0 @@ -.\" $Source: /home/ncvs/src/eBones/man/krb.3,v $ -.\" $Author: rgrimes $ -.\" $Header: /home/ncvs/src/eBones/man/krb.3,v 1.1.1.1 1994/05/27 05:12:09 rgrimes Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <mit-copyright.h>. -.\" -.TH KERBEROS 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -krb_mk_req, krb_rd_req, krb_kntoln, krb_set_key, krb_get_cred, -krb_mk_priv, krb_rd_priv, krb_mk_safe, krb_rd_safe, krb_mk_err, -krb_rd_err, krb_ck_repl \- Kerberos authentication library -.SH SYNOPSIS -.nf -.nj -.ft B -#include <kerberosIV/des.h> -#include <kerberosIV/krb.h> -.PP -.ft B -extern char *krb_err_txt[]; -.PP -.ft B -int krb_mk_req(authent,service,instance,realm,checksum) -KTEXT authent; -char *service; -char *instance; -char *realm; -u_long checksum; -.PP -.ft B -int krb_rd_req(authent,service,instance,from_addr,ad,fn) -KTEXT authent; -char *service; -char *instance; -u_long from_addr; -AUTH_DAT *ad; -char *fn; -.PP -.ft B -int krb_kntoln(ad,lname) -AUTH_DAT *ad; -char *lname; -.PP -.ft B -int krb_set_key(key,cvt) -char *key; -int cvt; -.PP -.ft B -int krb_get_cred(service,instance,realm,c) -char *service; -char *instance; -char *realm; -CREDENTIALS *c; -.PP -.ft B -long krb_mk_priv(in,out,in_length,schedule,key,sender,receiver) -u_char *in; -u_char *out; -u_long in_length; -des_cblock key; -des_key_schedule schedule; -struct sockaddr_in *sender; -struct sockaddr_in *receiver; -.PP -.ft B -long krb_rd_priv(in,in_length,schedule,key,sender,receiver,msg_data) -u_char *in; -u_long in_length; -Key_schedule schedule; -des_cblock key; -struct sockaddr_in *sender; -struct sockaddr_in *receiver; -MSG_DAT *msg_data; -.PP -.ft B -long krb_mk_safe(in,out,in_length,key,sender,receiver) -u_char *in; -u_char *out; -u_long in_length; -des_cblock key; -struct sockaddr_in *sender; -struct sockaddr_in *receiver; -.PP -.ft B -long krb_rd_safe(in,length,key,sender,receiver,msg_data) -u_char *in; -u_long length; -des_cblock key; -struct sockaddr_in *sender; -struct sockaddr_in *receiver; -MSG_DAT *msg_data; -.PP -.ft B -long krb_mk_err(out,code,string) -u_char *out; -long code; -char *string; -.PP -.ft B -long krb_rd_err(in,length,code,msg_data) -u_char *in; -u_long length; -long code; -MSG_DAT *msg_data; -.fi -.ft R -.SH DESCRIPTION -This library supports network authentication and various related -operations. The library contains many routines beyond those described -in this man page, but they are not intended to be used directly. -Instead, they are called by the routines that are described, the -authentication server and the login program. -.PP -.I krb_err_txt[] -contains text string descriptions of various Kerberos error codes returned -by some of the routines below. -.PP -.I krb_mk_req -takes a pointer to a text structure in which an authenticator is to be -built. It also takes the name, instance, and realm of the service to be -used and an optional checksum. It is up to the application to decide -how to generate the checksum. -.I krb_mk_req -then retrieves a ticket for the desired service and creates an -authenticator. The authenticator is built in -.I authent -and is accessible -to the calling procedure. -.PP -It is up to the application to get the authenticator to the service -where it will be read by -.I krb_rd_req. -Unless an attacker posesses the session key contained in the ticket, it -will be unable to modify the authenticator. Thus, the checksum can be -used to verify the authenticity of the other data that will pass through -a connection. -.PP -.I krb_rd_req -takes an authenticator of type -.B KTEXT, -a service name, an instance, the address of the -host originating the request, and a pointer to a structure of type -.B AUTH_DAT -which is filled in with information obtained from the authenticator. -It also optionally takes the name of the file in which it will find the -secret key(s) for the service. -If the supplied -.I instance -contains "*", then the first service key with the same service name -found in the service key file will be used, and the -.I instance -argument will be filled in with the chosen instance. This means that -the caller must provide space for such an instance name. -.PP -It is used to find out information about the principal when a request -has been made to a service. It is up to the application protocol to get -the authenticator from the client to the service. The authenticator is -then passed to -.I krb_rd_req -to extract the desired information. -.PP -.I krb_rd_req -returns zero (RD_AP_OK) upon successful authentication. If a packet was -forged, modified, or replayed, authentication will fail. If the -authentication fails, a non-zero value is returned indicating the -particular problem encountered. See -.I krb.h -for the list of error codes. -.PP -If the last argument is the null string (""), krb_rd_req will use the -file /etc/kerberosIV/srvtab to find its keys. If the last argument is -NULL, it will assume that the key has been set by -.I krb_set_key -and will not bother looking further. -.PP -.I krb_kntoln -converts a Kerberos name to a local name. It takes a structure -of type AUTH_DAT and uses the name and instance to look in the database -/etc/kerberosIV/aname to find the corresponding local name. The local name is -returned and can be used by an application to change uids, directories, -or other parameters. It is not an integral part of Kerberos, but is -instead provided to support the use of Kerberos in existing utilities. -.PP -.I krb_set_key -takes as an argument a des key. It then creates -a key schedule from it and saves the original key to be used as an -initialization vector. -It is used to set the server's key which -must be used to decrypt tickets. -.PP -If called with a non-zero second argument, -.I krb_set_key -will first convert the input from a string of arbitrary length to a DES -key by encrypting it with a one-way function. -.PP -In most cases it should not be necessary to call -.I krb_set_key. -The necessary keys will usually be obtained and set inside -.I krb_rd_req. krb_set_key -is provided for those applications that do not wish to place the -application keys on disk. -.PP -.I krb_get_cred -searches the caller's ticket file for a ticket for the given service, instance, -and realm; and, if a ticket is found, fills in the given CREDENTIALS structure -with the ticket information. -.PP -If the ticket was found, -.I krb_get_cred -returns GC_OK. -If the ticket file can't be found, can't be read, doesn't belong to -the user (other than root), isn't a regular file, or is in the wrong -mode, the error GC_TKFIL is returned. -.PP -.I krb_mk_priv -creates an encrypted, authenticated -message from any arbitrary application data, pointed to by -.I in -and -.I in_length -bytes long. -The private session key, pointed to by -.I key -and the key schedule, -.I schedule, -are used to encrypt the data and some header information using -.I pcbc_encrypt. -.I sender -and -.I receiver -point to the Internet address of the two parties. -In addition to providing privacy, this protocol message protects -against modifications, insertions or replays. The encapsulated message and -header are placed in the area pointed to by -.I out -and the routine returns the length of the output, or -1 indicating -an error. -.PP -.I krb_rd_priv -decrypts and authenticates a received -.I krb_mk_priv -message. -.I in -points to the beginning of the received message, whose length -is specified in -.I in_length. -The private session key, pointed to by -.I key, -and the key schedule, -.I schedule, -are used to decrypt and verify the received message. -.I msg_data -is a pointer to a -.I MSG_DAT -struct, defined in -.I krb.h. -The routine fills in the -.I app_data -field with a pointer to the decrypted application data, -.I app_length -with the length of the -.I app_data -field, -.I time_sec -and -.I time_5ms -with the timestamps in the message, and -.I swap -with a 1 if the byte order of the receiver is different than that of -the sender. (The application must still determine if it is appropriate -to byte-swap application data; the Kerberos protocol fields are already taken -care of). The -.I hash -field returns a value useful as input to the -.I krb_ck_repl -routine. - -The routine returns zero if ok, or a Kerberos error code. Modified messages -and old messages cause errors, but it is up to the caller to -check the time sequence of messages, and to check against recently replayed -messages using -.I krb_ck_repl -if so desired. -.PP -.I krb_mk_safe -creates an authenticated, but unencrypted message from any arbitrary -application data, -pointed to by -.I in -and -.I in_length -bytes long. -The private session key, pointed to by -.I key, -is used to seed the -.I quad_cksum() -checksum algorithm used as part of the authentication. -.I sender -and -.I receiver -point to the Internet address of the two parties. -This message does not provide privacy, but does protect (via detection) -against modifications, insertions or replays. The encapsulated message and -header are placed in the area pointed to by -.I out -and the routine returns the length of the output, or -1 indicating -an error. -The authentication provided by this routine is not as strong as that -provided by -.I krb_mk_priv -or by computing the checksum using -.I cbc_cksum -instead, both of which authenticate via DES. -.PP - -.I krb_rd_safe -authenticates a received -.I krb_mk_safe -message. -.I in -points to the beginning of the received message, whose length -is specified in -.I in_length. -The private session key, pointed to by -.I key, -is used to seed the quad_cksum() routine as part of the authentication. -.I msg_data -is a pointer to a -.I MSG_DAT -struct, defined in -.I krb.h . -The routine fills in these -.I MSG_DAT -fields: -the -.I app_data -field with a pointer to the application data, -.I app_length -with the length of the -.I app_data -field, -.I time_sec -and -.I time_5ms -with the timestamps in the message, and -.I swap -with a 1 if the byte order of the receiver is different than that of -the sender. -(The application must still determine if it is appropriate -to byte-swap application data; the Kerberos protocol fields are already taken -care of). The -.I hash -field returns a value useful as input to the -.I krb_ck_repl -routine. - -The routine returns zero if ok, or a Kerberos error code. Modified messages -and old messages cause errors, but it is up to the caller to -check the time sequence of messages, and to check against recently replayed -messages using -.I krb_ck_repl -if so desired. -.PP -.I krb_mk_err -constructs an application level error message that may be used along -with -.I krb_mk_priv -or -.I krb_mk_safe. -.I out -is a pointer to the output buffer, -.I code -is an application specific error code, and -.I string -is an application specific error string. - -.PP -.I krb_rd_err -unpacks a received -.I krb_mk_err -message. -.I in -points to the beginning of the received message, whose length -is specified in -.I in_length. -.I code -is a pointer to a value to be filled in with the error -value provided by the application. -.I msg_data -is a pointer to a -.I MSG_DAT -struct, defined in -.I krb.h . -The routine fills in these -.I MSG_DAT -fields: the -.I app_data -field with a pointer to the application error text, -.I app_length -with the length of the -.I app_data -field, and -.I swap -with a 1 if the byte order of the receiver is different than that of -the sender. (The application must still determine if it is appropriate -to byte-swap application data; the Kerberos protocol fields are already taken -care of). - -The routine returns zero if the error message has been successfully received, -or a Kerberos error code. -.PP -The -.I KTEXT -structure is used to pass around text of varying lengths. It consists -of a buffer for the data, and a length. krb_rd_req takes an argument of this -type containing the authenticator, and krb_mk_req returns the -authenticator in a structure of this type. KTEXT itself is really a -pointer to the structure. The actual structure is of type KTEXT_ST. -.PP -The -.I AUTH_DAT -structure is filled in by krb_rd_req. It must be allocated before -calling krb_rd_req, and a pointer to it is passed. The structure is -filled in with data obtained from Kerberos. -.I MSG_DAT -structure is filled in by either krb_rd_priv, krb_rd_safe, or -krb_rd_err. It must be allocated before the call and a pointer to it -is passed. The structure is -filled in with data obtained from Kerberos. -.PP -.SH FILES -/usr/include/kerberosIV/krb.h -.br -/usr/lib/libkrb.a -.br -/usr/include/kerberosIV/des.h -.br -/usr/lib/libdes.a -.br -/etc/kerberosIV/aname -.br -/etc/kerberosIV/srvtab -.br -/tmp/tkt[uid] -.SH "SEE ALSO" -kerberos(1), des_crypt(3) -.SH DIAGNOSTICS -.SH BUGS -The caller of -.I krb_rd_req, krb_rd_priv, and krb_rd_safe -must check time order and for replay attempts. -.I krb_ck_repl -is not implemented yet. -.SH AUTHORS -Clifford Neuman, MIT Project Athena -.br -Steve Miller, MIT Project Athena/Digital Equipment Corporation -.SH RESTRICTIONS -COPYRIGHT 1985,1986,1989 Massachusetts Institute of Technology diff --git a/eBones/man/krb_realmofhost.3 b/eBones/man/krb_realmofhost.3 deleted file mode 100644 index 63aa1eb..0000000 --- a/eBones/man/krb_realmofhost.3 +++ /dev/null @@ -1,161 +0,0 @@ -.\" from: krb_realmofhost.3,v 4.1 89/01/23 11:10:47 jtkohl Exp $ -.\" $Id: krb_realmofhost.3,v 1.1.1.1 1994/09/30 14:50:07 csgr Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KRB_REALMOFHOST 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -krb_realmofhost, krb_get_phost, krb_get_krbhst, krb_get_admhst, -krb_get_lrealm \- additional Kerberos utility routines -.SH SYNOPSIS -.nf -.nj -.ft B -#include <kerberosIV/krb.h> -#include <kerberosIV/des.h> -#include <netinet/in.h> -.PP -.ft B -char *krb_realmofhost(host) -char *host; -.PP -.ft B -char *krb_get_phost(alias) -char *alias; -.PP -.ft B -krb_get_krbhst(host,realm,n) -char *host; -char *realm; -int n; -.PP -.ft B -krb_get_admhst(host,realm,n) -char *host; -char *realm; -int n; -.PP -.ft B -krb_get_lrealm(realm,n) -char *realm; -int n; -.fi -.ft R -.SH DESCRIPTION -.I krb_realmofhost -returns the Kerberos realm of the host -.IR host , -as determined by the translation table -.IR /etc/kerberosIV/krb.realms . -.I host -should be the fully-qualified domain-style primary host name of the host -in question. In order to prevent certain security attacks, this routine -must either have -.I a priori -knowledge of a host's realm, or obtain such information securely. -.PP -The format of the translation file is described by -.IR krb.realms (5). -If -.I host -exactly matches a host_name line, the corresponding realm -is returned. -Otherwise, if the domain portion of -.I host -matches a domain_name line, the corresponding realm -is returned. -If -.I host -contains a domain, but no translation is found, -.IR host 's -domain is converted to upper-case and returned. -If -.I host -contains no discernable domain, or an error occurs, -the local realm name, as supplied by -.IR krb_get_lrealm (3), -is returned. -.PP -.I krb_get_phost -converts the hostname -.I alias -(which can be either an official name or an alias) into the instance -name to be used in obtaining Kerberos tickets for most services, -including the Berkeley rcmd suite (rlogin, rcp, rsh). -.br -The current convention is to return the first segment of the official -domain-style name after conversion to lower case. -.PP -.I krb_get_krbhst -fills in -.I host -with the hostname of the -.IR n th -host running a Kerberos key distribution center (KDC) -for realm -.IR realm , -as specified in the configuration file (\fI/etc/kerberosIV/krb.conf\fR). -The configuration file is described by -.IR krb.conf (5). -If the host is successfully filled in, the routine -returns KSUCCESS. -If the file cannot be opened, and -.I n -equals 1, then the value of KRB_HOST as defined in -.I <krb.h> -is filled in, and KSUCCESS is returned. If there are fewer than -.I n -hosts running a Kerberos KDC for the requested realm, or the -configuration file is malformed, the routine -returns KFAILURE. -.PP -.I krb_get_admhst -fills in -.I host -with the hostname of the -.IR n th -host running a Kerberos KDC database administration server -for realm -.IR realm , -as specified in the configuration file (\fI/etc/kerberosIV/krb.conf\fR). -If the file cannot be opened or is malformed, or there are fewer than -.I n -hosts running a Kerberos KDC database administration server, -the routine returns KFAILURE. -.PP -The character arrays used as return values for -.IR krb_get_krbhst , -.IR krb_get_admhst , -should be large enough to -hold any hostname (MAXHOSTNAMELEN from <sys/param.h>). -.PP -.I krb_get_lrealm -fills in -.I realm -with the -.IR n th -realm of the local host, as specified in the configuration file. -.I realm -should be at least REALM_SZ (from -.IR <krb.h>) characters long. -.PP -.SH SEE ALSO -kerberos(3), krb.conf(5), krb.realms(5) -.SH FILES -.TP 20n -/etc/kerberosIV/krb.realms -translation file for host-to-realm mapping. -.TP -/etc/kerberosIV/krb.conf -local realm-name and realm/server configuration file. -.SH BUGS -The current convention for instance names is too limited; the full -domain name should be used. -.PP -.I krb_get_lrealm -currently only supports -.I n -= 1. It should really consult the user's ticket cache to determine the -user's current realm, rather than consulting a file on the host. diff --git a/eBones/man/krb_sendauth.3 b/eBones/man/krb_sendauth.3 deleted file mode 100644 index a749bb5..0000000 --- a/eBones/man/krb_sendauth.3 +++ /dev/null @@ -1,348 +0,0 @@ -.\" from: krb_sendauth.3,v 4.1 89/01/23 11:10:58 jtkohl Exp $ -.\" $Id: krb_sendauth.3,v 1.1.1.1 1994/09/30 14:50:07 csgr Exp $ -.\" Copyright 1988 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KRB_SENDAUTH 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -krb_sendauth, krb_recvauth, krb_net_write, krb_net_read \- -Kerberos routines for sending authentication via network stream sockets -.SH SYNOPSIS -.nf -.nj -.ft B -#include <kerberosIV/krb.h> -#include <kerberosIV/des.h> -#include <netinet/in.h> -.PP -.fi -.HP 1i -.ft B -int krb_sendauth(options, fd, ktext, service, inst, realm, checksum, -msg_data, cred, schedule, laddr, faddr, version) -.nf -.RS 0 -.ft B -long options; -int fd; -KTEXT ktext; -char *service, *inst, *realm; -u_long checksum; -MSG_DAT *msg_data; -CREDENTIALS *cred; -Key_schedule schedule; -struct sockaddr_in *laddr, *faddr; -char *version; -.PP -.fi -.HP 1i -.ft B -int krb_recvauth(options, fd, ktext, service, inst, faddr, laddr, -auth_data, filename, schedule, version) -.nf -.RS 0 -.ft B -long options; -int fd; -KTEXT ktext; -char *service, *inst; -struct sockaddr_in *faddr, *laddr; -AUTH_DAT *auth_data; -char *filename; -Key_schedule schedule; -char *version; -.PP -.ft B -int krb_net_write(fd, buf, len) -int fd; -char *buf; -int len; -.PP -.ft B -int krb_net_read(fd, buf, len) -int fd; -char *buf; -int len; -.fi -.SH DESCRIPTION -.PP -These functions, -which are built on top of the core Kerberos library, -provide a convenient means for client and server -programs to send authentication messages -to one another through network connections. -The -.I krb_sendauth -function sends an authenticated ticket from the client program to -the server program by writing the ticket to a network socket. -The -.I krb_recvauth -function receives the ticket from the client by -reading from a network socket. - -.SH KRB_SENDAUTH -.PP -This function writes the ticket to -the network socket specified by the -file descriptor -.IR fd, -returning KSUCCESS if the write proceeds successfully, -and an error code if it does not. - -The -.I ktext -argument should point to an allocated KTEXT_ST structure. -The -.IR service, -.IR inst, -and -.IR realm -arguments specify the server program's Kerberos principal name, -instance, and realm. -If you are writing a client that uses the local realm exclusively, -you can set the -.I realm -argument to NULL. - -The -.I version -argument allows the client program to pass an application-specific -version string that the server program can then match against -its own version string. -The -.I version -string can be up to KSEND_VNO_LEN (see -.IR <krb.h> ) -characters in length. - -The -.I checksum -argument can be used to pass checksum information to the -server program. -The client program is responsible for specifying this information. -This checksum information is difficult to corrupt because -.I krb_sendauth -passes it over the network in encrypted form. -The -.I checksum -argument is passed as the checksum argument to -.IR krb_mk_req . - -You can set -.IR krb_sendauth's -other arguments to NULL unless you want the -client and server programs to mutually authenticate -themselves. -In the case of mutual authentication, -the client authenticates itself to the server program, -and demands that the server in turn authenticate itself to -the client. - -.SH KRB_SENDAUTH AND MUTUAL AUTHENTICATION -.PP -If you want mutual authentication, -make sure that you read all pending data from the local socket -before calling -.IR krb_sendauth. -Set -.IR krb_sendauth's -.I options -argument to -.BR KOPT_DO_MUTUAL -(this macro is defined in the -.IR krb.h -file); -make sure that the -.I laddr -argument points to -the address of the local socket, -and that -.I faddr -points to the foreign socket's network address. - -.I Krb_sendauth -fills in the other arguments-- -.IR msg_data , -.IR cred , -and -.IR schedule --before -sending the ticket to the server program. -You must, however, allocate space for these arguments -before calling the function. - -.I Krb_sendauth -supports two other options: -.BR KOPT_DONT_MK_REQ, -and -.BR KOPT_DONT_CANON. -If called with -.I options -set as KOPT_DONT_MK_REQ, -.I krb_sendauth -will not use the -.I krb_mk_req -function to retrieve the ticket from the Kerberos server. -The -.I ktext -argument must point to an existing ticket and authenticator (such as -would be created by -.IR krb_mk_req ), -and the -.IR service, -.IR inst, -and -.IR realm -arguments can be set to NULL. - -If called with -.I options -set as KOPT_DONT_CANON, -.I krb_sendauth -will not convert the service's instance to canonical form using -.IR krb_get_phost (3). - -If you want to call -.I krb_sendauth -with a multiple -.I options -specification, -construct -.I options -as a bitwise-OR of the options you want to specify. - -.SH KRB_RECVAUTH -.PP -The -.I krb_recvauth -function -reads a ticket/authenticator pair from the socket pointed to by the -.I fd -argument. -Set the -.I options -argument -as a bitwise-OR of the options desired. -Currently only KOPT_DO_MUTUAL is useful to the receiver. - -The -.I ktext -argument -should point to an allocated KTEXT_ST structure. -.I Krb_recvauth -fills -.I ktext -with the -ticket/authenticator pair read from -.IR fd , -then passes it to -.IR krb_rd_req . - -The -.I service -and -.I inst -arguments -specify the expected service and instance for which the ticket was -generated. They are also passed to -.IR krb_rd_req. -The -.I inst -argument may be set to "*" if the caller wishes -.I krb_mk_req -to fill in the instance used (note that there must be space in the -.I inst -argument to hold a full instance name, see -.IR krb_mk_req (3)). - -The -.I faddr -argument -should point to the address of the peer which is presenting the ticket. -It is also passed to -.IR krb_rd_req . - -If the client and server plan to mutually authenticate -one another, -the -.I laddr -argument -should point to the local address of the file descriptor. -Otherwise you can set this argument to NULL. - -The -.I auth_data -argument -should point to an allocated AUTH_DAT area. -It is passed to and filled in by -.IR krb_rd_req . -The checksum passed to the corresponding -.I krb_sendauth -is available as part of the filled-in AUTH_DAT area. - -The -.I filename -argument -specifies the filename -which the service program should use to obtain its service key. -.I Krb_recvauth -passes -.I filename -to the -.I krb_rd_req -function. -If you set this argument to "", -.I krb_rd_req -looks for the service key in the file -.IR /etc/kerberosIV/srvtab. - -If the client and server are performing mutual authenication, -the -.I schedule -argument -should point to an allocated Key_schedule. -Otherwise it is ignored and may be NULL. - -The -.I version -argument should point to a character array of at least KSEND_VNO_LEN -characters. It is filled in with the version string passed by the client to -.IR krb_sendauth. -.PP -.SH KRB_NET_WRITE AND KRB_NET_READ -.PP -The -.I krb_net_write -function -emulates the write(2) system call, but guarantees that all data -specified is written to -.I fd -before returning, unless an error condition occurs. -.PP -The -.I krb_net_read -function -emulates the read(2) system call, but guarantees that the requested -amount of data is read from -.I fd -before returning, unless an error condition occurs. -.PP -.SH BUGS -.IR krb_sendauth, -.IR krb_recvauth, -.IR krb_net_write, -and -.IR krb_net_read -will not work properly on sockets set to non-blocking I/O mode. - -.SH SEE ALSO - -krb_mk_req(3), krb_rd_req(3), krb_get_phost(3) - -.SH AUTHOR -John T. Kohl, MIT Project Athena -.SH RESTRICTIONS -Copyright 1988, Massachusetts Instititute of Technology. -For copying and distribution information, -please see the file <Copyright.h>. diff --git a/eBones/man/krb_set_tkt_string.3 b/eBones/man/krb_set_tkt_string.3 deleted file mode 100644 index 73b5e5d..0000000 --- a/eBones/man/krb_set_tkt_string.3 +++ /dev/null @@ -1,43 +0,0 @@ -.\" from: krb_set_tkt_string.3,v 4.1 89/01/23 11:11:09 jtkohl Exp $ -.\" $Id: krb_set_tkt_string.3,v 1.1.1.1 1994/09/30 14:50:07 csgr Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KRB_SET_TKT_STRING 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -krb_set_tkt_string \- set Kerberos ticket cache file name -.SH SYNOPSIS -.nf -.nj -.ft B -#include <kerberosIV/krb.h> -.PP -.ft B -void krb_set_tkt_string(filename) -char *filename; -.fi -.ft R -.SH DESCRIPTION -.I krb_set_tkt_string -sets the name of the file that holds the user's -cache of Kerberos server tickets and associated session keys. -.PP -The string -.I filename -passed in is copied into local storage. -Only MAXPATHLEN-1 (see <sys/param.h>) characters of the filename are -copied in for use as the cache file name. -.PP -This routine should be called during initialization, before other -Kerberos routines are called; otherwise the routines which fetch the -ticket cache file name may be called and return an undesired ticket file -name until this routine is called. -.SH FILES -.TP 20n -/tmp/tkt[uid] -default ticket file name, unless the environment variable KRBTKFILE is set. -[uid] denotes the user's uid, in decimal. -.SH SEE ALSO -kerberos(3), setenv(3) diff --git a/eBones/man/ksrvtgt.1 b/eBones/man/ksrvtgt.1 deleted file mode 100644 index 129c745..0000000 --- a/eBones/man/ksrvtgt.1 +++ /dev/null @@ -1,51 +0,0 @@ -.\" from: ksrvtgt.1,v 4.1 89/01/24 14:36:28 jtkohl Exp $ -.\" $Id: ksrvtgt.1,v 1.1.1.1 1994/09/30 14:50:07 csgr Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KSRVTGT 1 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -ksrvtgt \- fetch and store Kerberos ticket-granting-ticket using a -service key -.SH SYNOPSIS -.B ksrvtgt -name instance [[realm] srvtab] -.SH DESCRIPTION -.I ksrvtgt -retrieves a ticket-granting ticket with a lifetime of five (5) minutes -for the principal -.I name.instance@realm -(or -.I name.instance@localrealm -if -.I realm -is not supplied on the command line), decrypts the response using -the service key found in -.I srvtab -(or in -.B /etc/kerberosIV/srvtab -if -.I srvtab -is not specified on the command line), and stores the ticket in the -standard ticket cache. -.PP -This command is intended primarily for use in shell scripts and other -batch-type facilities. -.SH DIAGNOSTICS -"Generic kerberos failure (kfailure)" can indicate a whole range of -problems, the most common of which is the inability to read the service -key file. -.SH FILES -.TP 2i -/etc/kerberosIV/krb.conf -to get the name of the local realm. -.TP -/tmp/tkt[uid] -The default ticket file. -.TP -/etc/kerberosIV/srvtab -The default service key file. -.SH SEE ALSO -kerberos(1), kinit(1), kdestroy(1) diff --git a/eBones/man/kstash.8 b/eBones/man/kstash.8 deleted file mode 100644 index ac8c57b..0000000 --- a/eBones/man/kstash.8 +++ /dev/null @@ -1,44 +0,0 @@ -.\" from: kstash.8,v 4.1 89/01/23 11:11:39 jtkohl Exp $ -.\" $Id: kstash.8,v 1.1.1.1 1994/09/30 14:50:07 csgr Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KSTASH 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kstash \- stash Kerberos key distribution center database master key -.SH SYNOPSIS -kstash -.SH DESCRIPTION -.I kstash -saves the Kerberos key distribution center (KDC) database master key in -the master key cache file. -.PP -The user is prompted to enter the key, to verify the authenticity of the -key and the authorization to store the key in the file. -.SH DIAGNOSTICS -.TP 20n -"verify_master_key: Invalid master key, does not match database." -The master key string entered was incorrect. -.TP -"kstash: Unable to open master key file" -The attempt to open the cache file for writing failed (probably due to a -system or access permission error). -.TP -"kstash: Write I/O error on master key file" -The -.BR write (2) -system call returned an error while -.I kstash -was attempting to write the key to the file. -.SH FILES -.TP 20n -/etc/kerberosIV/principal.db -DBM file containing database -.TP -/etc/kerberosIV/principal.ok -Semaphore indicating that the DBM database is not being modified. -.TP -/etc/kerberosIV/master_key -Master key cache file. diff --git a/eBones/man/kuserok.3 b/eBones/man/kuserok.3 deleted file mode 100644 index c7581a6..0000000 --- a/eBones/man/kuserok.3 +++ /dev/null @@ -1,63 +0,0 @@ -.\" from: kuserok.3,v 4.1 89/01/23 11:11:49 jtkohl Exp $ -.\" $Id: kuserok.3,v 1.1.1.1 1994/09/30 14:50:07 csgr Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KUSEROK 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kuserok \- Kerberos version of ruserok -.SH SYNOPSIS -.nf -.nj -.ft B -#include <kerberosIV/krb.h> -.PP -.ft B -kuserok(kdata, localuser) -AUTH_DAT *auth_data; -char *localuser; -.fi -.ft R -.SH DESCRIPTION -.I kuserok -determines whether a Kerberos principal described by the structure -.I auth_data -is authorized to login as user -.I localuser -according to the authorization file -("~\fIlocaluser\fR/.klogin" by default). It returns 0 (zero) if authorized, -1 (one) if not authorized. -.PP -If there is no account for -.I localuser -on the local machine, authorization is not granted. -If there is no authorization file, and the Kerberos principal described -by -.I auth_data -translates to -.I localuser -(using -.IR krb_kntoln (3)), -authorization is granted. -If the authorization file -can't be accessed, or the file is not owned by -.IR localuser, -authorization is denied. Otherwise, the file is searched for -a matching principal name, instance, and realm. If a match is found, -authorization is granted, else authorization is denied. -.PP -The file entries are in the format: -.nf -.in +5n - name.instance@realm -.in -5n -.fi -with one entry per line. -.SH SEE ALSO -kerberos(3), ruserok(3), krb_kntoln(3) -.SH FILES -.TP 20n -~\fIlocaluser\fR/.klogin -authorization list diff --git a/eBones/man/tf_util.3 b/eBones/man/tf_util.3 deleted file mode 100644 index ee6e436..0000000 --- a/eBones/man/tf_util.3 +++ /dev/null @@ -1,151 +0,0 @@ -.\" from: tf_util.3,v 4.2 89/04/25 17:17:11 jtkohl Exp $ -.\" $Id: tf_util.3,v 1.1.1.1 1994/09/30 14:50:08 csgr Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH TF_UTIL 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -tf_init, tf_get_pname, tf_get_pinst, tf_get_cred, tf_close \ -\- Routines for manipulating a Kerberos ticket file -.SH SYNOPSIS -.nf -.nj -.ft B -#include <kerberosIV/krb.h> -.PP -.ft B -extern char *krb_err_txt[]; -.PP -.ft B -tf_init(tf_name, rw) -char *tf_name; -int rw; -.PP -.ft B -tf_get_pname(pname) -char *pname; -.PP -.ft B -tf_get_pinst(pinst) -char *pinst; -.PP -.ft B -tf_get_cred(c) -CREDENTIALS *c; -.PP -.ft B -tf_close() -.PP -.fi -.SH DESCRIPTION -This group of routines are provided to manipulate the Kerberos tickets -file. A ticket file has the following format: -.nf -.in +4 -.sp -principal's name (null-terminated string) -principal's instance (null-terminated string) -CREDENTIAL_1 -CREDENTIAL_2 - ... -CREDENTIAL_n -EOF -.sp -.in -4 -.LP -Where "CREDENTIAL_x" consists of the following fixed-length -fields from the CREDENTIALS structure (defined in <krb.h>): -.nf -.sp -.in +4 - char service[ANAME_SZ] - char instance[INST_SZ] - char realm[REALM_SZ] - des_cblock session - int lifetime - int kvno - KTEXT_ST ticket_st - long issue_date -.in -4 -.sp -.fi -.PP -.I tf_init -must be called before the other ticket file -routines. -It takes the name of the ticket file to use, -and a read/write flag as arguments. -It tries to open the ticket file, checks the mode and if -everything is okay, locks the file. If it's opened for -reading, the lock is shared. If it's opened for writing, -the lock is exclusive. -KSUCCESS is returned if all went well, otherwise one of the -following: -.nf -.sp -NO_TKT_FIL - file wasn't there -TKT_FIL_ACC - file was in wrong mode, etc. -TKT_FIL_LCK - couldn't lock the file, even after a retry -.sp -.fi -.PP -The -.I tf_get_pname -reads the principal's name from a ticket file. -It should only be called after tf_init has been called. The -principal's name is filled into the -.I pname -parameter. If all goes -well, KSUCCESS is returned. -If tf_init wasn't called, TKT_FIL_INI -is returned. -If the principal's name was null, or EOF was encountered, or the -name was longer than ANAME_SZ, TKT_FIL_FMT is returned. -.PP -The -.I tf_get_pinst -reads the principal's instance from a ticket file. -It should only be called after tf_init and tf_get_pname -have been called. -The principal's instance is filled into the -.I pinst -parameter. -If all goes -well, KSUCCESS is returned. -If tf_init wasn't called, TKT_FIL_INI -is returned. -If EOF was encountered, or the -name was longer than INST_SZ, TKT_FIL_FMT is returned. -Note that, unlike the principal name, the instance name may be null. -.PP -The -.I tf_get_cred -routine reads a CREDENTIALS record from a ticket file and -fills in the given structure. -It should only be called after -tf_init, tf_get_pname, and tf_get_pinst have been called. -If all goes well, KSUCCESS is returned. Possible error codes -are: -.nf -.sp -TKT_FIL_INI - tf_init wasn't called first -TKT_FIL_FMT - bad format -EOF - end of file encountered -.sp -.fi -.PP -.I tf_close -closes the ticket file and releases the lock on it. -.SH "SEE ALSO" -krb(3) -.SH DIAGNOSTICS -.SH BUGS -The ticket file routines have to be called in a certain order. -.SH AUTHORS -Jennifer Steiner, MIT Project Athena -.br -Bill Bryant, MIT Project Athena -.SH RESTRICTIONS -Copyright 1987 Massachusetts Institute of Technology |