author: markm <markm@FreeBSD.org> 1996-05-01 17:16:23 +0000
committer: markm <markm@FreeBSD.org> 1996-05-01 17:16:23 +0000
commit: d390be530b49747c9af2246779f5541a5c92adbc (patch)
tree: a6da95a9908a8f6def2ac962364b7757f6099e90 /eBones
parent: c8063bf291df72500c2e585690d78b6167a6991b (diff)
Provide a rudimentary man page for this, based mostly on the README.PATCH.
Diffstat (limited to 'eBones')
-rw-r--r-- eBones/usr.sbin/fix_kdb_keys/Makefile 4
-rw-r--r-- eBones/usr.sbin/fix_kdb_keys/fix_kdb_keys.8 59
2 files changed, 61 insertions, 2 deletions
diff --git a/eBones/usr.sbin/fix_kdb_keys/Makefile b/eBones/usr.sbin/fix_kdb_keys/Makefile
index 6cbdd16..d02d694 100644
--- a/eBones/usr.sbin/fix_kdb_keys/Makefile
+++ b/eBones/usr.sbin/fix_kdb_keys/Makefile
@@ -1,10 +1,10 @@
# From: @(#)Makefile 5.2 (Berkeley) 3/5/91
-# $Id: Makefile,v 1.7 1995/09/26 06:20:18 mark Exp $
+# $Id: Makefile,v 1.1 1996/02/21 21:39:54 ache Exp $
PROG= fix_kdb_keys
CFLAGS+=-DKERBEROS -DDEBUG
DPADD= ${LIBKDB} ${LIBKRB} ${LIBDES}
LDADD= -L${KDBOBJDIR} -lkdb -L${KRBOBJDIR} -lkrb -L${DESOBJDIR} -ldes
-NOMAN= YES
+MAN8= fix_kdb_keys.8
.include <bsd.prog.mk>
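Review bot: the $Id line at the top of this hunk moves from revision 1.7 (1995/09/26, mark) to 1.1 (1996/02/21, ache), which reads as keyword-expansion churn rather than an intended edit; keep it out of the change so the hunk carries only the switch from "NOMAN= YES" to "MAN8= fix_kdb_keys.8". Separately, the unchanged CFLAGS line still builds the tool with -DDEBUG; for a utility that rewrites KDC keys, confirm that debug output is wanted in the installed binary.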
diff --git a/eBones/usr.sbin/fix_kdb_keys/fix_kdb_keys.8 b/eBones/usr.sbin/fix_kdb_keys/fix_kdb_keys.8
new file mode 100644
index 0000000..4bc4d62
--- /dev/null
+++ b/eBones/usr.sbin/fix_kdb_keys/fix_kdb_keys.8
@@ -0,0 +1,59 @@
+.\" $Id$
+.\" Copyright 1989 by the Massachusetts Institute of Technology.
+.\"
+.\" For copying and distribution information,
+.\" please see the file <Copyright.MIT>.
+.\"
+.TH FIX_KDB_KEYS 8 "Kerberos Version 4.0" "MIT Project Athena"
+.SH NAME
+fix_kdb_keys \- Secure Kerberos database by properly randomising keys
+.SH SYNOPSIS
+fix_kdb_keys
+.SH DESCRIPTION
+If you built your Kerberos database before receiving this distribution,
+the keys were randomly generated using the vulnerable version of
+the Kerberos random number generator. Therefore it is possible for
+an attacker to mount an attack to guess these values. If an attacker
+can determine the key for the
+.I krbtgt
+ticket, they can construct tickets claiming to be any Kerberos
+principal. Similarly if an attacker can obtain the
+.I changepw.kerberos
+key, they can change anyone's password.
+.PP
+This distribution has been patched to use the improved
+.IR des_new_random_key()
+routines instead of the old and cryptographically suspect
+.IR des_random_key().
+.PP
+The primary difference is that
+.IR des_random_key()
+uses a seeding
+technique which is predictable and therefore vulnerable. While
+.IR des_new_random_key()
+uses a feedback mechanism based on the Data Encryption Standard
+(DES) and is seeded with a secret (and therefore unknown to an
+attacker) value. This value is the secret database master key.
+.PP
+Running
+.I fix_kdb_keys
+on the KDC server will change these critical keys to new
+values using the newer random number generator. IMPORTANT: When this
+is done, all outstanding ticket granting tickets will
+immediately become invalid. This will be disruptive to your user
+community. It is recommended that this is done late at night or early
+in the morning before most users have logged in. Alternatively
+pre-announce a definitive time when you will run the program and
+inform the users that they will have to get new tickets at that time
+(using either
+.I kinit
+or simply by logging out and then in again).
+.SH DIAGNOSTICS
+Many, and descriptive.
+.SH FILES
+.TP 20n
+/etc/kerberosIV/principal.db
+DBM file containing database
+.TP
+/etc/kerberosIV/master_key
+Master key cache file.
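Review bot: the DESCRIPTION never names the keys the program rewrites: the "Running fix_kdb_keys" paragraph says only "these critical keys", leaving the reader to infer krbtgt and changepw.kerberos from the first paragraph. State the affected principals explicitly, and say whether any other keys generated with des_random_key() are left unchanged, since the administrator has to decide what else needs re-keying. Smaller points: ".IR des_random_key()." sets the sentence period in italics (write ".IR des_random_key() ." instead); "While des_new_random_key() uses ..." is a sentence fragment and should be joined to the sentence before it; and "Many, and descriptive." under DIAGNOSTICS gives an operator nothing to act on, so list at least the fatal conditions or drop the section.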