Diffstat (limited to 'crypto/heimdal/doc/kerberos4.texi')
-rw-r--r-- | crypto/heimdal/doc/kerberos4.texi | 45 |
1 files changed, 2 insertions, 43 deletions
diff --git a/crypto/heimdal/doc/kerberos4.texi b/crypto/heimdal/doc/kerberos4.texi index a474fcc..41a6508 100644 --- a/crypto/heimdal/doc/kerberos4.texi +++ b/crypto/heimdal/doc/kerberos4.texi @@ -4,18 +4,13 @@ @comment node-name, next, previous, up @chapter Kerberos 4 issues -The KDC has built-in version 4 support. It is not enabled by default, -see setup how to set it up. - -The KDC will also have kaserver emulation and be able to handle -AFS-clients that use @code{klog}. +Kerberos 4 KDC and KA server have been moved. For more about AFS, see the section @xref{AFS}. @menu * Principal conversion issues:: * Converting a version 4 database:: -* kaserver:: @end menu @node Principal conversion issues, Converting a version 4 database, Kerberos 4 issues, Kerberos 4 issues @@ -59,7 +54,7 @@ principal exists in the database. The KDC will use @code{krb5_425_conv_principal_ext} to convert principals when handling to version 4 requests. -@node Converting a version 4 database, kaserver , Principal conversion issues, Kerberos 4 issues +@node Converting a version 4 database, , Principal conversion issues, Kerberos 4 issues @section Converting a version 4 database If you want to convert an existing version 4 database, the principal 
@@ -176,39 +171,3 @@ server: hprop -n --source=krb4-db -d /var/kerberos/principal --master-key=/.m | hpropd -n @end example -@node kaserver, , Converting a version 4 database, Kerberos 4 issues -@section kaserver - -@subsection kaserver emulation - -The Heimdal kdc can emulate a kaserver. The kaserver is a Kerberos 4 -server with pre-authentication using Rx as the on-wire protocol. The kdc -contains a minimalistic Rx implementation. - -There are three parts of the kaserver; KAA (Authentication), KAT (Ticket -Granting), and KAM (Maintenance). The KAA interface and KAT interface -both passes over DES encrypted data-blobs (just like the -Kerberos-protocol) and thus do not need any other protection. The KAM -interface uses @code{rxkad} (Kerberos authentication layer for Rx) for -security and data protection, and is used for example for changing -passwords. This part is not implemented in the kdc. - -Another difference between the ka-protocol and the Kerberos 4 protocol -is that the pass-phrase is salted with the cellname in the @code{string to -key} function in the ka-protocol, while in the Kerberos 4 protocol there -is no salting of the password at all. To make sure AFS-compatible keys -are added to each principals when they are created or their password are -changed, @samp{afs3-salt} should be added to -@samp{[kadmin]default_keys}. - -For more about AFS, see the section @xref{AFS}. - -@subsection Transarc AFS Windows client - -The Transarc Windows client uses Kerberos 4 to obtain tokens, and thus -does not need a kaserver. The Windows client assumes that the Kerberos -server is on the same machine as the AFS-database server. If you do not -like to do that you can add a small program that runs on the database -servers that forward all kerberos requests to the real kerberos -server. A program that does this is @code{krb-forward} -(@url{ftp://ftp.stacken.kth.se/pub/projekts/krb-forward}). |
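Review bot: In the first hunk (@@ -4,18 +4,13 @@), the added sentence "Kerberos 4 KDC and KA server have been moved." does not say where they were moved to, and the diffstat shows the patch is almost entirely deletions. If the support was removed, write "removed"; otherwise name the new location. The same added line keeps "see the section @xref{AFS}", and @xref itself emits "See", so the rendered text doubles the word. Use @ref{AFS} in that position, or start a new sentence with @xref{AFS}.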
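Review bot: In the second hunk (@@ -59,7 +54,7 @@), the unchanged context line above the edited @node still reads "The KDC will use @code{krb5_425_conv_principal_ext} to convert principals when handling to version 4 requests.", which contradicts the new chapter introduction saying the Kerberos 4 KDC has been moved. Reword or drop that sentence in the same commit, and fix the stray "to" in "handling to version 4 requests" while there. The emptied next-pointer in the @node line is consistent with the menu entry removed in the first hunk.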
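Review bot: In the last hunk (@@ -176,39 +171,3 @@), the deleted kaserver section is the only text visible in this patch that tells administrators to add afs3-salt to [kadmin]default_keys so that AFS-compatible keys are created, and that advice is about key salting rather than about the kaserver emulation being removed. The only pointer left behind is the @xref{AFS} in the chapter introduction, so confirm the AFS node carries that guidance, or move the paragraph there instead of deleting it.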