Diffstat (limited to 'crypto/kerberosIV/doc')
-rw-r--r-- crypto/kerberosIV/doc/Makefile.in | 78
-rw-r--r-- crypto/kerberosIV/doc/ack.texi | 106
-rw-r--r-- crypto/kerberosIV/doc/dir | 17
-rw-r--r-- crypto/kerberosIV/doc/index.texi | 6
-rw-r--r-- crypto/kerberosIV/doc/install.texi | 496
-rw-r--r-- crypto/kerberosIV/doc/intro.texi | 41
-rw-r--r-- crypto/kerberosIV/doc/kth-krb.texi | 303
-rw-r--r-- crypto/kerberosIV/doc/latin1.tex | 95
-rw-r--r-- crypto/kerberosIV/doc/problems.texi | 342
-rw-r--r-- crypto/kerberosIV/doc/setup.texi | 905
-rw-r--r-- crypto/kerberosIV/doc/whatis.texi | 137
11 files changed, 0 insertions, 2526 deletions
diff --git a/crypto/kerberosIV/doc/Makefile.in b/crypto/kerberosIV/doc/Makefile.in
deleted file mode 100644
index bbf870e..0000000
--- a/crypto/kerberosIV/doc/Makefile.in
+++ /dev/null
@@ -1,78 +0,0 @@
-# $Id: Makefile.in,v 1.19 1999/09/28 12:35:11 assar Exp $
-
-SHELL = /bin/sh
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
-MAKEINFO = @MAKEINFO@
-TEXI2DVI = texi2dvi
-TEXI2HTML = texi2html
-
-prefix = @prefix@
-infodir = @infodir@
-
-TEXI_SOURCES = ack.texi \
- index.texi \
- install.texi \
- intro.texi \
- kth-krb.texi \
- otp.texi \
- problems.texi \
- setup.texi \
- whatis.texi
-
-all: info
-
-install: all installdirs
- if test -f kth-krb.info; then \
- $(INSTALL_DATA) kth-krb.info $(DESTDIR)$(infodir)/kth-krb.info; \
- else \
- $(INSTALL_DATA) $(srcdir)/kth-krb.info $(DESTDIR)$(infodir)/kth-krb.info; \
- fi
- if test -f $(DESTDIR)$(infodir)/dir ; then :; else \
- $(INSTALL_DATA) $(srcdir)/dir $(DESTDIR)$(infodir)/dir; \
- fi
- -if $(SHELL) -c 'install-info --version' >/dev/null 2>&1; then \
- install-info --dir-file=$(DESTDIR)$(infodir)/dir $(DESTDIR)$(infodir)/kth-krb.info; \
- else \
- true; \
- fi
-
-uninstall:
- rm -f $(DESTDIR)$(infodir)/kth-krb.info
-
-installdirs:
- $(MKINSTALLDIRS) $(DESTDIR)$(infodir)
-
-info: kth-krb.info
-
-kth-krb.info: $(TEXI_SOURCES)
- $(MAKEINFO) --no-split -I$(srcdir) -o $@ $(srcdir)/kth-krb.texi
-
-dvi: kth-krb.dvi
-
-kth-krb.dvi: $(TEXI_SOURCES)
- $(TEXI2DVI) $(srcdir)/kth-krb.texi
-
-html: kth-krb.html
-
-kth-krb.html: $(TEXI_SOURCES)
- $(TEXI2HTML) $(srcdir)/kth-krb.texi
-
-clean:
- rm -f *.aux *.cp *.cps *.dvi *.fn *.ky *.log *.pg *.toc *.tp *.vr
-
-distclean: clean
-
-mostlyclean: clean
-
-maintainer-clean: clean
- rm -f *.info*
-
-check:
-
-.PHONY: all install uninstall installdirs info dvi html clean distclean mostlyclean maintainer-clean check
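Review bot: TEXI_SOURCES names otp.texi, but the diffstat for crypto/kerberosIV/doc lists eleven deleted files and otp.texi is not among them. Please confirm whether that file is still in the directory (it would be left behind with no Makefile to build it) or was never present here, in which case the kth-krb.info rule could not have been satisfied from this tree, and say which in the commit message. install.texi also cross-references it through `@pxref{One-Time Passwords}`, so the two should be accounted for together.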
diff --git a/crypto/kerberosIV/doc/ack.texi b/crypto/kerberosIV/doc/ack.texi
deleted file mode 100644
index 327220c..0000000
--- a/crypto/kerberosIV/doc/ack.texi
+++ /dev/null
@@ -1,106 +0,0 @@
-@node Acknowledgments, Index, Resolving frequent problems, Top
-@comment node-name, next, previous, up
-@appendix Acknowledgments
-
-People from the MIT Athena project wrote the original code that this is
-based on. @w{Kerberos 4} @w{patch-level 9} was stripped of both the
-encryption functions and the calls to them. This was exported from the
-US as the ``Bones'' release. Eric Young put back the calls and hooked
-in his libdes, thereby creating the ``eBones'' release.
-@cindex Bones
-@cindex eBones
-
-The ``rcmd'' programs where initially developed at the University of
-California at Berkeley and then hacked on by the FreeBSD and NetBSD
-projects.
-
-Berkeley also wrote @code{ftp}, @code{ftpd}, @code{telnet}, and
-@code{telnetd}. The authentication and encryption code of @code{telnet}
-and @code{telnetd} was added by David Borman (then of Cray Research,
-Inc). The encryption code was removed when this was exported and then
-added back by Juha Eskelinen, @code{<esc@@magic.fi>}.
-
-The @code{popper} was also a Berkeley program initially.
-
-The @code{login} has the same origins but has received code written by
-Wietse Venema at Eindhoven University of Technology, The Netherlands.
-
-@code{movemail} was (at least partially) written by Jonathan Kamens,
-@code{<jik@@security.ov.com>}, and is Copyright @copyright{} 1986, 1991,
-1992, 1993, 1994 Free Software Foundation, Inc.
-
-@code{xnlock} was originally written by Dan Heller in 1985 for sunview.
-The X version was written by him in 1990.
-
-Some of the functions in @file{libroken} also come from Berkeley by the
-way of NetBSD/FreeBSD.
-
-The code to handle the dynamic loading of the AFS module for AIX is
-copyright @copyright{} 1992 HELIOS Software GmbH 30159 Hannover,
-Germany.
-
-@code{editline} was written by Simmule Turner and Rich Salz.
-
-Bugfixes and code has been contributed by:
-@table @asis
-@item Derrick J Brashear
-@code{<shadow@@dementia.org>}
-@item Anders Gertz
-@code{<gertz@@lysator.liu.se>}
-@item Dejan Ilic
-@code{<svedja@@lysator.liu.se>}
-@item Kent Engström
-@code{<kent@@lysator.liu.se>}
-@item Simon Josefsson
-@code{<jas@@pdc.kth.se>}
-@item Robert Malmgren
-@code{<rom@@incolumitas.se>}
-@item Fredrik Ljungberg
-@code{<flag@@astrogator.se>}
-@item Joakim Fallsjö
-@code{jfa@@pobox.se}
-@item Lars Malinowsky
-@code{<lama@@pdc.kth.se>}
-@item Fabien Coelho
-@code{<coelho@@cri.ensmp.fr>}
-@item Chris Chiappa
-@code{<griffon+@@cmu.edu>}
-@item Gregory S. Stark
-@code{<gsstark@@mit.edu>}
-@item Love Hörnquist-Åstrand
-@code{<lha@@stacken.kth.se>}
-@item Daniel Staaf
-@code{<d96-dst@@nada.kth.se>}
-@item Magnus Ahltorp
-@code{<map@@stacken.kth.se>}
-@item Robert Burgess
-@code{<rb@@stacken.kth.se>}
-@item Lars Arvestad
-@code{<arve@@nada.kth.se>}
-@item Jörgen Wahlsten
-@code{<wahlsten@@pathfinder.com>}
-@item Daniel Staaf
-@code{<d96-dst@@nada.kth.se>}
-@item R Lindsay Todd
-@code{<toddr@@rpi.edu>}
-@item Åke Sandgren
-@code{<ake@@cs.umu.se>}
-@item Thomas Nyström
-@code{<thn@@stacken.kth.se>}
-@item and we hope that those not mentioned here will forgive us.
-@end table
-
-Ian Marsh @code{<ianm@@sics.se>} removed the worst abuses of the English
-language from this text.
-
-Ilja Hallberg @code{<iha@@incolumitas.se>} is still promising to help us
-finish the documentation.
-
-This work was supported in part by SUNET and the Centre for Parallel
-Computers at KTH.
-
-The port to Windows 95/NT was supported by the Computer Council at KTH
-and done by Jörgen Karlsson @code{<d93-jka@@nada.kth.se>}.
-
-All the bugs were introduced by ourselves.
-
diff --git a/crypto/kerberosIV/doc/dir b/crypto/kerberosIV/doc/dir
deleted file mode 100644
index 911f622..0000000
--- a/crypto/kerberosIV/doc/dir
+++ /dev/null
@@ -1,17 +0,0 @@
-$Id: dir,v 1.1 1997/06/12 16:15:21 joda Exp $
-This is the file .../info/dir, which contains the topmost node of the
-Info hierarchy. The first time you invoke Info you start off
-looking at that node, which is (dir)Top.
-
-File: dir Node: Top This is the top of the INFO tree
-
- This (the Directory node) gives a menu of major topics.
- Typing "q" exits, "?" lists all Info commands, "d" returns here,
- "h" gives a primer for first-timers,
- "mEmacs<Return>" visits the Emacs topic, etc.
-
- In Emacs, you can click mouse button 2 on a menu item or cross reference
- to select it.
-
-* Menu:
-
diff --git a/crypto/kerberosIV/doc/index.texi b/crypto/kerberosIV/doc/index.texi
deleted file mode 100644
index ebe5d91..0000000
--- a/crypto/kerberosIV/doc/index.texi
+++ /dev/null
@@ -1,6 +0,0 @@
-@node Index, , Acknowledgments, Top
-@comment node-name, next, previous, up
-@unnumbered Index
-
-@printindex cp
-
diff --git a/crypto/kerberosIV/doc/install.texi b/crypto/kerberosIV/doc/install.texi
deleted file mode 100644
index 26d2abf..0000000
--- a/crypto/kerberosIV/doc/install.texi
+++ /dev/null
@@ -1,496 +0,0 @@
-@node Installing programs, How to set up a realm, What is Kerberos?, Top
-@chapter Installing programs
-
-You have a choise to either build the distribution from source code or
-to install binaries, if they are available for your machine.
-
-@c XXX
-
-We recommend building from sources, but using pre-compiled binaries
-might be easier. If there are no binaries available for your machine or
-you want to do some specific configuration, you will have to compile
-from source.
-
-@menu
-* Installing from source::
-* Installing a binary distribution::
-* Finishing the installation::
-* .klogin::
-* Authentication modules::
-@end menu
-
-@node Installing from source, Installing a binary distribution, Installing programs, Installing programs
-@comment node-name, next, previous, up
-@section Installing from source
-
-To build this software un-tar the distribution and run the
-@code{configure} script.
-
-To compile successfully, you will need an ANSI C compiler, such as
-@code{gcc}. Other compilers might also work, but setting the ``ANSI
-compliance'' too high, might break in parts of the code, not to mention
-the standard include files.
-
-To build in a separate build tree, run @code{configure} in the directory
-where the tree should reside. You will need a Make that understands
-VPATH correctly. GNU Make works fine.
-
-After building everything (which will take anywhere from a few minutes
-to a long time), you can install everything in @file{/usr/athena} with
-@kbd{make install} (running as root). It is possible to install in some
-other place, but it isn't recommended. To do this you will have to run
-@code{configure} with @samp{--prefix=/my/path}.
-
-If you need to change the default behavior, configure understands the
-following options:
-
-@table @asis
-@item @kbd{--enable-shared}
-Create shared versions of the Kerberos libraries. Not really
-recommended and might not work on all systems.
-
-@item @kbd{--with-ld-flags=}@var{flags}
-This allows you to specify which extra flags to pass to @code{ld}. Since
-this @emph{overrides} any choices made by configure, you should only use
-this if you know what you are doing.
-
-@item @kbd{--with-cracklib=}@var{dir}
-Use cracklib for password quality control in
-@pindex kadmind
-@code{kadmind}. This option requires
-@cindex cracklib
-cracklib with the patch from
-@url{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}.
-
-@item @kbd{--with-dictpath=}@var{dictpath}
-This is the dictionary that cracklib should use.
-
-@item @kbd{--with-socks=}@var{dir}
-@cindex firewall
-@cindex socks
-If you have to traverse a firewall and it uses the SocksV5 protocol
-(@cite{RFC 1928}), you can build with socks-support. Point @var{dir} to
-the directory where you have socks5 installed. For more information
-about socks see @url{http://www.socks.nec.com/}.
-
-@item @kbd{--with-readline=}@var{dir}
-@cindex readline
-To enable history/line editing in @code{ftp} and @code{kadmin}, any
-present version of readline will be used. If you have readline
-installed but in a place where configure does not manage to find it,
-you can use this option. The code also looks for @code{libedit}. If
-there is no library at all, the bundled version of @code{editline} will
-be used.
-
-@item @kbd{--with-mailspool=}@var{dir}
-The configuration process tries to determine where your machine stores
-its incoming mail. This is typically @file{/usr/spool/mail} or
-@file{/var/mail}. If it does not work or you store your mail in some
-unusual directory, this option can be used to specify where the mail
-spool directory is located. This directory is only accessed by
-@pindex popper
-@code{popper}, and the mail check in
-@pindex login
-@code{login}.
-
-@item @kbd{--with-hesiod=}@var{dir}
-@cindex Hesiod
-Enable the Hesiod support in
-@pindex push
-@code{push}. With this option, it will try
-to use the hesiod library to locate the mail post-office for the user.
-
-@c @item @kbd{--enable-random-mkey}
-@c Do not use this option unless you think you know what you are doing.
-
-@item @kbd{--with-mkey=}@var{file}
-Put the master key here, the default is @file{/.k}.
-
-@item @kbd{--with-db-dir=}@var{dir}
-Where the kerberos database should be stored. The default is
-@file{/var/kerberos}.
-
-@item @kbd{--without-berkeley-db}
-If you have
-@cindex Berkeley DB
-Berkeley DB installed, it is preferred over
-@c XXX
-dbm. If you already are running Kerberos this option might be useful,
-since there currently isn't an easy way to convert a dbm database to a
-db one (you have to dump the old database and then load it with the new
-binaries).
-
-@item @kbd{--without-afs-support}
-Do not include AFS support.
-
-@item @kbd{--with-afsws=}@var{dir}
-Where your AFS client installation resides. The default is
-@file{/usr/afsws}.
-
-@item @kbd{--enable-rxkad}
-Build the rxkad library. Normally automatically included if there is AFS.
-
-@item @kbd{--disable-dynamic-afs}
-The AFS support in AIX consists of a shared library that is loaded at
-runtime. This option disables this, and links with static system
-calls. Doing this will make the built binaries crash on a machine that
-doesn't have AFS in the kernel (for instance if the AFS module fails to
-load at boot).
-
-@item @kbd{--with-mips-api=}@var{api}
-This option enables creation of different types of binaries on Irix.
-The allowed values are @kbd{32}, @kbd{n32}, and @kbd{64}.
-
-@item @kbd{--enable-legacy-kdestroy}
-This compile-time option creates a @code{kdestroy} that does not destroy
-any AFS tokens.
-
-@item @kbd{--disable-otp}
-Do not build the OTP (@pxref{One-Time Passwords}) library and programs,
-and do not include OTP support in the application programs.
-
-@item @kbd{--enable-match-subdomains}
-Normally, the host @samp{host.domain} will be considered to be part of
-the realm @samp{DOMAIN}. With this option will also enable hosts of the
-form @samp{host.sub.domain}, @samp{host.sub1.sub2.domain}, and so on to
-be considered part of the realm @samp{DOMAIN}.
-
-@item @kbd{--enable-osfc2}
-Enable the use of enhanced C2 security on OSF/1. @xref{Digital SIA}.
-
-@item @kbd{--disable-mmap}
-Do not use the mmap system call. Normally, configure detects if there
-is a working mmap and it is only used if there is one. Only try this
-option if it fails to work anyhow.
-
-@item @kbd{--disable-cat-manpages}
-Do not install preformatted man pages.
-
-@c --with-des-quad-checksum
-
-@end table
-
-@node Installing a binary distribution, Finishing the installation, Installing from source, Installing programs
-@comment node-name, next, previous, up
-@section Installing a binary distribution
-
-The binary distribution is supposed to be installed in
-@file{/usr/athena}, installing in some other place may work but is not
-recommended. A symlink from @file{/usr/athena} to the install directory
-should be fine.
-
-@node Finishing the installation, .klogin, Installing a binary distribution, Installing programs
-@section Finishing the installation
-
-@pindex su
-The only program that needs to be installed setuid to root is @code{su}.
-
-If
-@pindex rlogin
-@pindex rsh
-@code{rlogin} and @code{rsh} are setuid to root they will fall back to
-non-kerberised protocols if the kerberised ones fail for some
-reason. The old protocols use reserved ports as security, and therefore
-the programs have to be setuid to root. If you don't need this
-functionality consider turning off the setuid bit.
-
-@pindex login
-@code{login} does not have to be setuid, as it is always run by root
-(users should use @code{su} rather than @code{login}). It will print a
-helpful message when not setuid to root and run by a user.
-
-The programs intended to be run by users are located in
-@file{/usr/athena/bin}. Inform your users to include
-@file{/usr/athena/bin} in their paths, or copy or symlink the binaries
-to some good place. The programs that you will want to use are:
-@code{kauth}/@code{kinit},
-@pindex kauth
-@pindex kinit
-@code{klist}, @code{kdestroy}, @code{kpasswd}, @code{ftp},
-@pindex klist
-@pindex kdestroy
-@pindex kpasswd
-@pindex ftp
-@code{telnet}, @code{rcp}, @code{rsh}, @code{rlogin}, @code{su},
-@pindex telnet
-@pindex rcp
-@pindex rsh
-@pindex rlogin
-@pindex su
-@pindex xnlock
-@pindex afslog
-@pindex pagsh
-@pindex rxtelnet
-@pindex tenletxr
-@pindex rxterm
-@code{rxtelnet}, @code{tenletxr}, @code{rxterm}, and
-@code{xnlock}. If you are using AFS, @code{afslog} and @code{pagsh}
-might also be useful. Administrators will want to use @code{kadmin} and
-@code{ksrvutil}, which are located in @file{/usr/athena/sbin}.
-@pindex kadmin
-@pindex ksrvutil
-
-@code{telnetd} and @code{rlogind} assume that @code{login} is located in
-@file{/usr/athena/bin} (or whatever path you used as
-@samp{--prefix}). If for some reason you want to move @code{login}, you
-will have to specify the new location with the @samp{-L} switch when
-configuring
-@pindex telnetd
-telnetd
-and
-@pindex rlogind
-rlogind
-in @file{inetd.conf}.
-
-It should be possible to replace the system's default @code{login} with
-the kerberised @code{login}. However some systems assume that login
-performs some serious amount of magic that our login might not do (although
-we've tried to do our best). So before replacing it on every machine,
-try and see what happens. Another thing to try is to use one of the
-authentication modules (@pxref{Authentication modules}) supplied.
-
-The @code{login} program that we use was in an earlier life the standard
-login program from NetBSD. In order to use it with a lot of weird
-systems, it has been ``enhanced'' with features from many other logins
-(Solaris, SunOS, IRIX, AIX, and others). Some of these features are
-actually useful and you might want to use them even on other systems.
-
-@table @file
-@item /etc/fbtab
-@pindex fbtab
-@itemx /etc/logindevperm
-@pindex logindevperm
-Allows you to chown some devices when a user logs in on a certain
-terminal. Commonly used to change the ownership of @file{/dev/mouse},
-@file{/dev/kbd}, and other devices when someone logs in on
-@file{/dev/console}.
-
-@file{/etc/fbtab} is the SunOS file name and it is tried first. If
-there is no such file then the Solaris file name
-@file{/etc/logindevperm} is tried.
-@item /etc/environment
-@pindex environment
-This file specifies what environment variables should be set when a user
-logs in. (AIX-style)
-@item /etc/default/login
-@pindex default/login
-Almost the same as @file{/etc/environment}, but the System V style.
-@item /etc/login.access
-@pindex login.access
-Can be used to control who is allowed to login from where and on what
-ttys. (From Wietse Venema)
-@end table
-
-@menu
-* .klogin::
-* Authentication modules::
-@end menu
-
-@node .klogin, Authentication modules, Finishing the installation, Installing programs
-@comment node-name, next, previous, up
-
-Each user can have an authorization file @file{~@var{user}/.klogin}
-@pindex .klogin
-that
-determines what principals can login as that user. It is similar to the
-@file{~user/.rhosts} except that it does not use IP and privileged-port
-based authentication. If this file does not exist, the user herself
-@samp{user@@LOCALREALM} will be allowed to login. Supplementary local
-realms (@pxref{Install the configuration files}) also apply here. If the
-file exists, it should contain the additional principals that are to
-be allowed to login as the local user @var{user}.
-
-This file is consulted by most of the daemons (@code{rlogind},
-@code{rshd}, @code{ftpd}, @code{telnetd}, @code{popper}, @code{kauthd}, and
-@code{kxd})
-@pindex rlogind
-@pindex rshd
-@pindex ftpd
-@pindex telnetd
-@pindex popper
-@pindex kauthd
-@pindex kxd
-to determine if the
-principal requesting a service is allowed to receive it. It is also
-used by
-@pindex su
-@code{su}, which is a good way of keeping an access control list (ACL)
-on who is allowed to become root. Assuming that @file{~root/.klogin}
-contains:
-
-@example
-nisse.root@@FOO.SE
-lisa.root@@FOO.SE
-@end example
-
-both nisse and lisa will be able to su to root by entering the password
-of their root instance. If that fails or if the user is not listed in
-@file{~root/.klogin}, @code{su} falls back to the normal policy of who
-is permitted to su. Also note that that nisse and lisa can login
-with e.g. @code{telnet} as root provided that they have tickets for
-their root instance.
-
-@node Authentication modules, , .klogin, Installing programs
-@comment node-name, next, previous, up
-@section Authentication modules
-The problem of having different authentication mechanisms has been
-recognised by several vendors, and several solutions has appeared. In
-most cases these solutions involve some kind of shared modules that are
-loaded at run-time. Modules for some of these systems can be found in
-@file{lib/auth}. Presently there are modules for Digital's SIA,
-Solaris' and Linux' PAM, and IRIX' @code{login} and @code{xdm} (in
-@file{lib/auth/afskauthlib}).
-
-@menu
-* Digital SIA::
-* IRIX::
-* PAM::
-@end menu
-
-@node Digital SIA, IRIX, Authentication modules, Authentication modules
-@subsection Digital SIA
-
-To install the SIA module you will have to do the following:
-
-@itemize @bullet
-
-@item
-Make sure @file{libsia_krb4.so} is available in
-@file{/usr/athena/lib}. If @file{/usr/athena} is not on local disk, you
-might want to put it in @file{/usr/shlib} or someplace else. If you do,
-you'll have to edit @file{krb4_matrix.conf} to reflect the new location
-(you will also have to do this if you installed in some other directory
-than @file{/usr/athena}). If you built with shared libraries, you will
-have to copy the shared @file{libkrb.so}, @file{libdes.so},
-@file{libkadm.so}, and @file{libkafs.so} to a place where the loader can
-find them (such as @file{/usr/shlib}).
-@item
-Copy (your possibly edited) @file{krb4_matrix.conf} to @file{/etc/sia}.
-@item
-Apply @file{security.patch} to @file{/sbin/init.d/security}.
-@item
-Turn on KRB4 security by issuing @kbd{rcmgr set SECURITY KRB4} and
-@kbd{rcmgr set KRB4_MATRIX_CONF krb4_matrix.conf}.
-@item
-Digital thinks you should reboot your machine, but that really shouldn't
-be necessary. It's usually sufficient just to run
-@kbd{/sbin/init.d/security start} (and restart any applications that use
-SIA, like @code{xdm}.)
-@end itemize
-
-Users with local passwords (like @samp{root}) should be able to login
-safely.
-
-When using Digital's xdm the @samp{KRBTKFILE} environment variable isn't
-passed along as it should (since xdm zaps the environment). Instead you
-have to set @samp{KRBTKFILE} to the correct value in
-@file{/usr/lib/X11/xdm/Xsession}. Add a line similar to
-@example
-KRBTKFILE=/tmp/tkt`id -u`_`ps -o ppid= -p $$`; export KRBTKFILE
-@end example
-If you use CDE, @code{dtlogin} allows you to specify which additional
-environment variables it should export. To add @samp{KRBTKFILE} to this
-list, edit @file{/usr/dt/config/Xconfig}, and look for the definition of
-@samp{exportList}. You want to add something like:
-@example
-Dtlogin.exportList: KRBTKFILE
-@end example
-
-@subsubheading Notes to users with Enhanced security
-
-Digital's @samp{ENHANCED} (C2) security, and Kerberos solves two
-different problems. C2 deals with local security, adds better control of
-who can do what, auditing, and similar things. Kerberos deals with
-network security.
-
-To make C2 security work with Kerberos you will have to do the
-following.
-
-@itemize @bullet
-@item
-Replace all occurencies of @file{krb4_matrix.conf} with
-@file{krb4+c2_matrix.conf} in the directions above.
-@item
-You must enable ``vouching'' in the @samp{default} database. This will
-make the OSFC2 module trust other SIA modules, so you can login without
-giving your C2 password. To do this use @samp{edauth} to edit the
-default entry @kbd{/usr/tcb/bin/edauth -dd default}, and add a
-@samp{d_accept_alternate_vouching} capability, if not already present.
-@item
-For each user that does @emph{not} have a local C2 password, you should
-set the password expiration field to zero. You can do this for each
-user, or in the @samp{default} table. To do this use @samp{edauth} to
-set (or change) the @samp{u_exp} capability to @samp{u_exp#0}.
-@item
-You also need to be aware that the shipped @file{login}, @file{rcp}, and
-@file{rshd}, doesn't do any particular C2 magic (such as checking to
-various forms of disabled accounts), so if you rely on those features,
-you shouldn't use those programs. If you configure with
-@samp{--enable-osfc2}, these programs will, however, set the login
-UID. Still: use at your own risk.
-@end itemize
-
-At present @samp{su} does not accept the vouching flag, so it will not
-work as expected.
-
-Also, kerberised ftp will not work with C2 passwords. You can solve this
-by using both Digital's ftpd and our on different ports.
-
-@strong{Remember}, if you do these changes you will get a system that
-most certainly does @emph{not} fulfill the requirements of a C2
-system. If C2 is what you want, for instance if someone else is forcing
-you to use it, you're out of luck. If you use enhanced security because
-you want a system that is more secure than it would otherwise be, you
-probably got an even more secure system. Passwords will not be sent in
-the clear, for instance.
-
-@node IRIX, PAM, Digital SIA, Authentication modules
-@subsection IRIX
-
-The IRIX support is a module that is compatible with Transarc's
-@file{afskauthlib.so}. It should work with all programs that use this
-library, this should include @file{login} and @file{xdm}.
-
-The interface is not very documented but it seems that you have to copy
-@file{libkafs.so}, @file{libkrb.so}, and @file{libdes.so} to
-@file{/usr/lib}, or build your @file{afskauthlib.so} statically.
-
-The @file{afskauthlib.so} itself is able to reside in
-@file{/usr/vice/etc}, @file{/usr/afsws/lib}, or the current directory
-(wherever that is).
-
-IRIX 6.4 and newer seems to have all programs (including @file{xdm} and
-@file{login}) in the N32 object format, whereas in older versions they
-were O32. For it to work, the @file{afskauthlib.so} library has to be in
-the same object format as the program that tries to load it. This might
-require that you have to configure and build for O32 in addition to the
-default N32.
-
-Appart from this it should ``just work'', there are no configuration
-files.
-
-@node PAM, , IRIX, Authentication modules
-@subsection PAM
-
-The PAM module was written more out of curiosity that anything else. It
-has not been updated for quite a while, but it seems to mostly work on
-both Linux and Solaris.
-
-To use this module you should:
-
-@itemize @bullet
-@item
-Make sure @file{pam_krb4.so} is available in @file{/usr/athena/lib}. You
-might actually want it on local disk, so @file{/lib/security} might be a
-better place if @file{/usr/athena} is not local.
-@item
-Look at @file{pam.conf.add} for examples of what to add to
-@file{/etc/pam.conf}.
-@end itemize
-
-There is currently no support for changing kerberos passwords. Use
-kpasswd instead.
-
-See also Derrick J Brashear's @code{<shadow@@dementia.org>} Kerberos PAM
-module at @* @url{ftp://ftp.dementia.org/pub/pam}. It has a lot more
-features, and it is also more in line with other PAM modules.
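Review bot: the "Finishing the installation" and ".klogin" nodes are the only visible description of two privilege-relevant behaviours, namely setuid-root `rlogin` and `rsh` falling back to non-kerberised protocols and `~root/.klogin` acting as the access list for `su` to root, and the deletion comes with no upgrade note for them. The same applies to the module steps further down (`pam_krb4.so` entries taken from `pam.conf.add` into /etc/pam.conf, `krb4_matrix.conf` in /etc/sia and `rcmgr set SECURITY KRB4`). Suggest listing these leftover setuid bits, `.klogin` files and authentication-module settings in the commit message or release notes so administrators know what to audit and remove once this text is gone.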
diff --git a/crypto/kerberosIV/doc/intro.texi b/crypto/kerberosIV/doc/intro.texi
deleted file mode 100644
index 7a28533..0000000
--- a/crypto/kerberosIV/doc/intro.texi
+++ /dev/null
@@ -1,41 +0,0 @@
-@node Introduction, What is Kerberos?, Top, Top
-@comment node-name, next, previous, up
-@chapter Introduction
-
-This is an attempt at documenting the Kerberos 4 distribution from
-Kungliga Tekniska Högskolan (the Royal Institute of Technology in
-Stockholm, Sweden). This distribution is based on eBones, but has been
-improved in many ways. It is more portable, and several new features
-have been added. It should run on any reasonably modern unix-like
-system.
-
-In addition, some part compile and work on:
-
-@itemize @bullet
-@item
-OS/2 with EMX
-@item
-Windows 95/NT with gnu-win32 (with the proper amount of magic the
-libraries should compile with Microsoft C as well)
-@end itemize
-
-It should work on anything that is almost POSIX, has an ANSI C
-compiler, a dbm library (for the server side), and BSD Sockets.
-
-A web-page is available at @url{http://www.pdc.kth.se/kth-krb/}.
-
-@heading Bug reports
-
-If you cannot build the programs or they do not behave as you think they
-should, please send us a bug report. The bug report should be sent to
-@code{<kth-krb-bugs@@pdc.kth.se>}. Please include information on what
-machine and operating system (including version) you are running, what
-you are trying to do, what happens, what you think should have happened,
-an example for us to repeat, the output you get when trying the example,
-and a patch for the problem if you have one. Please make any patches
-with @code{diff -u} or @code{diff -c}. The more detailed the bug report
-is, the easier it will be for us to reproduce, understand, and fix it.
-
-Suggestions, comments and other non bug reports are welcome. Send them
-to @code{<kth-krb@@pdc.kth.se>}.
-
diff --git a/crypto/kerberosIV/doc/kth-krb.texi b/crypto/kerberosIV/doc/kth-krb.texi
deleted file mode 100644
index 7898dff..0000000
--- a/crypto/kerberosIV/doc/kth-krb.texi
+++ /dev/null
@@ -1,303 +0,0 @@
-\input texinfo @c -*- texinfo -*-
-@c %**start of header
-@c $Id: kth-krb.texi,v 1.80 1999/12/02 16:58:35 joda Exp $
-@c $FreeBSD$
-@setfilename kth-krb.info
-@settitle KTH-KRB
-@iftex
-@afourpaper
-@end iftex
-@c some sensible characters, please?
-@tex
-\input latin1.tex
-@end tex
-@setchapternewpage on
-@syncodeindex pg cp
-@c %**end of header
-
-@ifinfo
-@dircategory Kerberos
-@direntry
-* Kth-krb: (kth-krb). The Kerberos IV distribution from KTH
-@end direntry
-@end ifinfo
-
-@c title page
-@titlepage
-@title KTH-KRB
-@subtitle Kerberos 4 from KTH
-@subtitle For release 0.10.
-@subtitle 1999
-@author Johan Danielsson
-@author Assar Westerlund
-@author last updated $Date: 1999/12/02 16:58:35 $
-
-@def@copynext{@vskip 20pt plus 1fil@penalty-1000}
-@def@copyrightstart{}
-@def@copyrightend{}
-@page
-@copyrightstart
-Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
-(Royal Institute of Technology, Stockholm, Sweden).
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
-3. Neither the name of the Institute nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
-@copynext
-
-Copyright (C) 1995 Eric Young (eay@@mincom.oz.au)
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-1. Redistributions of source code must retain the copyright
- notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
-3. All advertising materials mentioning features or use of this software
- must display the following acknowledgement:
- This product includes software developed by Eric Young (eay@@mincom.oz.au)
-
-THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
-@copynext
-
-Copyright (c) 1983, 1990 The Regents of the University of California.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
-3. All advertising materials mentioning features or use of this software
- must display the following acknowledgement:
- This product includes software developed by the University of
- California, Berkeley and its contributors.
-
-4. Neither the name of the University nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
-@copynext
-
-Copyright (C) 1990 by the Massachusetts Institute of Technology
-
-Export of this software from the United States of America is assumed
-to require a specific license from the United States Government.
-It is the responsibility of any person or organization contemplating
-export to obtain such a license before exporting.
-
-WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-distribute this software and its documentation for any purpose and
-without fee is hereby granted, provided that the above copyright
-notice appear in all copies and that both that copyright notice and
-this permission notice appear in supporting documentation, and that
-the name of M.I.T. not be used in advertising or publicity pertaining
-to distribution of the software without specific, written prior
-permission. M.I.T. makes no representations about the suitability of
-this software for any purpose. It is provided "as is" without express
-or implied warranty.
-
-@copynext
-
-Copyright 1987, 1989 by the Student Information Processing Board
- of the Massachusetts Institute of Technology
-
-Permission to use, copy, modify, and distribute this software
-and its documentation for any purpose and without fee is
-hereby granted, provided that the above copyright notice
-appear in all copies and that both that copyright notice and
-this permission notice appear in supporting documentation,
-and that the names of M.I.T. and the M.I.T. S.I.P.B. not be
-used in advertising or publicity pertaining to distribution
-of the software without specific, written prior permission.
-M.I.T. and the M.I.T. S.I.P.B. make no representations about
-the suitability of this software for any purpose. It is
-provided "as is" without express or implied warranty.
-
-@copynext
-
-Copyright 1992 Simmule Turner and Rich Salz. All rights reserved.
-
-This software is not subject to any license of the American Telephone
-and Telegraph Company or of the Regents of the University of California.
-
-Permission is granted to anyone to use this software for any purpose on
-any computer system, and to alter it and redistribute it freely, subject
-to the following restrictions:
-
-1. The authors are not responsible for the consequences of use of this
- software, no matter how awful, even if they arise from flaws in it.
-
-2. The origin of this software must not be misrepresented, either by
- explicit claim or by omission. Since few users ever read sources,
- credits must appear in the documentation.
-
-3. Altered versions must be plainly marked as such, and must not be
- misrepresented as being the original software. Since few users
- ever read sources, credits must appear in the documentation.
-
-4. This notice may not be removed or altered.
-
-@copyrightend
-@end titlepage
-
-@c Less filling! Tastes great!
-@iftex
-@parindent=0pt
-@global@parskip 6pt plus 1pt
-@global@chapheadingskip = 15pt plus 4pt minus 2pt
-@global@secheadingskip = 12pt plus 3pt minus 2pt
-@global@subsecheadingskip = 9pt plus 2pt minus 2pt
-@end iftex
-@ifinfo
-@paragraphindent 0
-@end ifinfo
-
-@ifinfo
-@node Top, Introduction, (dir), (dir)
-@top KTH-krb
-@end ifinfo
-
-@menu
-* Introduction::
-* What is Kerberos?::
-* Installing programs::
-* How to set up a realm::
-* One-Time Passwords::
-* Resolving frequent problems::
-* Acknowledgments::
-* Index::
-
-@detailmenu
- --- The Detailed Node Listing ---
-
-Installing programs
-
-* Installing from source::
-* Installing a binary distribution::
-* Finishing the installation::
-* Authentication modules::
-
-Finishing the installation
-
-* Authentication modules::
-
-Authentication modules
-
-* Digital SIA::
-* IRIX::
-* PAM::
-
-How to set up a realm
-
-* How to set up the kerberos server::
-* Install the client programs::
-* Install the kerberised services::
-* Install a slave kerberos server::
-* Cross-realm functionality ::
-
-How to set up the kerberos server
-
-* Choose a realm name::
-* Choose a kerberos server::
-* Install the configuration files::
-* Install the /etc/services::
-* Install the kerberos server::
-* Set up the server::
-* Add a few important principals::
-* Start the server::
-* Try to get tickets::
-* Create initial ACL for the admin server::
-* Start the admin server::
-* Add users to the database::
-* Automate the startup of the servers::
-
-One-Time Passwords
-
-* What are one time passwords?::
-* When to use one time passwords?::
-* Configuring OTPs::
-
-Resolving frequent problems
-
-* Problems compiling Kerberos::
-* Problems with firewalls::
-* Common error messages::
-* Is Kerberos year 2000 safe?::
-
-@end detailmenu
-@end menu
-
-@include intro.texi
-@include whatis.texi
-@include install.texi
-@include setup.texi
-@include otp.texi
-@include problems.texi
-@include ack.texi
-@include index.texi
-
-@c @shortcontents
-@contents
-
-@bye
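Review bot: the `@include otp.texi` line and the `* One-Time Passwords::` menu entry in this hunk show the manual depended on otp.texi, and Makefile.in lists it in TEXI_SOURCES, yet the diffstat for this directory does not list otp.texi among the 11 deleted files. Please confirm it is not left behind as an orphan, or note in the commit message that it was never present in this tree. Also, the removed title page is where the Eric Young, UC Regents, MIT, SIPB and Turner/Salz notices sit, and several of them ask for the notice or credits to appear "in the documentation"; if any of the code they cover stays elsewhere in the tree, say where those notices are kept after this removal.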
diff --git a/crypto/kerberosIV/doc/latin1.tex b/crypto/kerberosIV/doc/latin1.tex
deleted file mode 100644
index e683dd2..0000000
--- a/crypto/kerberosIV/doc/latin1.tex
+++ /dev/null
@@ -1,95 +0,0 @@
-% ISO Latin 1 (ISO 8859/1) encoding for Computer Modern fonts.
-% Jan Michael Rynning <jmr@nada.kth.se> 1990-10-12
-\def\inmathmode#1{\relax\ifmmode#1\else$#1$\fi}
-\global\catcode`\^^a0=\active \global\let^^a0=~ % no-break space
-\global\catcode`\^^a1=\active \global\def^^a1{!`} % inverted exclamation mark
-\global\catcode`\^^a2=\active \global\def^^a2{{\rm\rlap/c}} % cent sign
-\global\catcode`\^^a3=\active \global\def^^a3{{\it\$}} % pound sign
-% currency sign, yen sign, broken bar
-\global\catcode`\^^a7=\active \global\let^^a7=\S % section sign
-\global\catcode`\^^a8=\active \global\def^^a8{\"{}} % diaeresis
-\global\catcode`\^^a9=\active \global\let^^a9=\copyright % copyright sign
-% feminine ordinal indicator, left angle quotation mark
-\global\catcode`\^^ac=\active \global\def^^ac{\inmathmode\neg}% not sign
-\global\catcode`\^^ad=\active \global\let^^ad=\- % soft hyphen
-% registered trade mark sign
-\global\catcode`\^^af=\active \global\def^^af{\={}} % macron
-% ...
-\global\catcode`\^^b1=\active \global\def^^b1{\inmathmode\pm} % plus minus
-\global\catcode`\^^b2=\active \global\def^^b2{\inmathmode{{^2}}}
-\global\catcode`\^^b3=\active \global\def^^b3{\inmathmode{{^3}}}
-\global\catcode`\^^b4=\active \global\def^^b4{\'{}} % acute accent
-\global\catcode`\^^b5=\active \global\def^^b5{\inmathmode\mu} % mu
-\global\catcode`\^^b6=\active \global\let^^b6=\P % pilcroy
-\global\catcode`\^^b7=\active \global\def^^b7{\inmathmode{{\cdot}}}
-\global\catcode`\^^b8=\active \global\def^^b8{\c{}} % cedilla
-\global\catcode`\^^b9=\active \global\def^^b9{\inmathmode{{^1}}}
-% ...
-\global\catcode`\^^bc=\active \global\def^^bc{\inmathmode{{1\over4}}}
-\global\catcode`\^^bd=\active \global\def^^bd{\inmathmode{{1\over2}}}
-\global\catcode`\^^be=\active \global\def^^be{\inmathmode{{3\over4}}}
-\global\catcode`\^^bf=\active \global\def^^bf{?`} % inverted question mark
-\global\catcode`\^^c0=\active \global\def^^c0{\`A}
-\global\catcode`\^^c1=\active \global\def^^c1{\'A}
-\global\catcode`\^^c2=\active \global\def^^c2{\^A}
-\global\catcode`\^^c3=\active \global\def^^c3{\~A}
-\global\catcode`\^^c4=\active \global\def^^c4{\"A} % capital a with diaeresis
-\global\catcode`\^^c5=\active \global\let^^c5=\AA % capital a with ring above
-\global\catcode`\^^c6=\active \global\let^^c6=\AE
-\global\catcode`\^^c7=\active \global\def^^c7{\c C}
-\global\catcode`\^^c8=\active \global\def^^c8{\`E}
-\global\catcode`\^^c9=\active \global\def^^c9{\'E}
-\global\catcode`\^^ca=\active \global\def^^ca{\^E}
-\global\catcode`\^^cb=\active \global\def^^cb{\"E}
-\global\catcode`\^^cc=\active \global\def^^cc{\`I}
-\global\catcode`\^^cd=\active \global\def^^cd{\'I}
-\global\catcode`\^^ce=\active \global\def^^ce{\^I}
-\global\catcode`\^^cf=\active \global\def^^cf{\"I}
-% capital eth
-\global\catcode`\^^d1=\active \global\def^^d1{\~N}
-\global\catcode`\^^d2=\active \global\def^^d2{\`O}
-\global\catcode`\^^d3=\active \global\def^^d3{\'O}
-\global\catcode`\^^d4=\active \global\def^^d4{\^O}
-\global\catcode`\^^d5=\active \global\def^^d5{\~O}
-\global\catcode`\^^d6=\active \global\def^^d6{\"O} % capital o with diaeresis
-\global\catcode`\^^d7=\active \global\def^^d7{\inmathmode\times}% multiplication sign
-\global\catcode`\^^d8=\active \global\let^^d8=\O
-\global\catcode`\^^d9=\active \global\def^^d9{\`U}
-\global\catcode`\^^da=\active \global\def^^da{\'U}
-\global\catcode`\^^db=\active \global\def^^db{\^U}
-\global\catcode`\^^dc=\active \global\def^^dc{\"U}
-\global\catcode`\^^dd=\active \global\def^^dd{\'Y}
-% capital thorn
-\global\catcode`\^^df=\active \global\def^^df{\ss}
-\global\catcode`\^^e0=\active \global\def^^e0{\`a}
-\global\catcode`\^^e1=\active \global\def^^e1{\'a}
-\global\catcode`\^^e2=\active \global\def^^e2{\^a}
-\global\catcode`\^^e3=\active \global\def^^e3{\~a}
-\global\catcode`\^^e4=\active \global\def^^e4{\"a} % small a with diaeresis
-\global\catcode`\^^e5=\active \global\let^^e5=\aa % small a with ring above
-\global\catcode`\^^e6=\active \global\let^^e6=\ae
-\global\catcode`\^^e7=\active \global\def^^e7{\c c}
-\global\catcode`\^^e8=\active \global\def^^e8{\`e}
-\global\catcode`\^^e9=\active \global\def^^e9{\'e}
-\global\catcode`\^^ea=\active \global\def^^ea{\^e}
-\global\catcode`\^^eb=\active \global\def^^eb{\"e}
-\global\catcode`\^^ec=\active \global\def^^ec{\`\i}
-\global\catcode`\^^ed=\active \global\def^^ed{\'\i}
-\global\catcode`\^^ee=\active \global\def^^ee{\^\i}
-\global\catcode`\^^ef=\active \global\def^^ef{\"\i}
-% small eth
-\global\catcode`\^^f1=\active \global\def^^f1{\~n}
-\global\catcode`\^^f2=\active \global\def^^f2{\`o}
-\global\catcode`\^^f3=\active \global\def^^f3{\'o}
-\global\catcode`\^^f4=\active \global\def^^f4{\^o}
-\global\catcode`\^^f5=\active \global\def^^f5{\~o}
-\global\catcode`\^^f6=\active \global\def^^f6{\"o} % small o with diaeresis
-\global\catcode`\^^f7=\active \global\def^^f7{\inmathmode\div}% division sign
-\global\catcode`\^^f8=\active \global\let^^f8=\o
-\global\catcode`\^^f9=\active \global\def^^f9{\`u}
-\global\catcode`\^^fa=\active \global\def^^fa{\'u}
-\global\catcode`\^^fb=\active \global\def^^fb{\^u}
-\global\catcode`\^^fc=\active \global\def^^fc{\"u}
-\global\catcode`\^^fd=\active \global\def^^fd{\'y}
-% capital thorn
-\global\catcode`\^^ff=\active \global\def^^ff{\"y}
diff --git a/crypto/kerberosIV/doc/problems.texi b/crypto/kerberosIV/doc/problems.texi
deleted file mode 100644
index d7a525f..0000000
--- a/crypto/kerberosIV/doc/problems.texi
+++ /dev/null
@@ -1,342 +0,0 @@
-@node Resolving frequent problems, Acknowledgments, One-Time Passwords, Top
-@chapter Resolving frequent problems
-
-@menu
-* Problems compiling Kerberos::
-* Problems with firewalls::
-* Common error messages::
-* Is Kerberos year 2000 safe?::
-@end menu
-
-@node Problems compiling Kerberos, Problems with firewalls, Resolving frequent problems, Resolving frequent problems
-@section Problems compiling Kerberos
-
-Many compilers require a switch to become ANSI compliant. Since krb4
-is written in ANSI C it is necessary to specify the name of the compiler
-to be used and the required switch to make it ANSI compliant. This is
-most easily done when running configure using the @kbd{env} command. For
-instance to build under HP-UX using the native compiler do:
-
-@cartouche
-@example
-datan$ env CC="cc -Ae" ./configure
-@end example
-@end cartouche
-
-@cindex GCC
-In general @kbd{gcc} works. The following combinations have also been
-verified to successfully compile the distribution:
-
-@table @asis
-
-@item @samp{HP-UX}
-@kbd{cc -Ae}
-@item @samp{Digital UNIX}
-@kbd{cc -std1}
-@item @samp{AIX}
-@kbd{xlc}
-@item @samp{Solaris 2.x}
-@kbd{cc} (unbundled one)
-@item @samp{IRIX}
-@kbd{cc}
-
-@end table
-
-@subheading Linux problems
-
-The libc functions gethostby*() under RedHat4.2 can sometimes cause
-core dumps. If you experience these problems make sure that the file
-@file{/etc/nsswitch.conf} contains a hosts entry no more complex than
-the line
-
-@cartouche
-hosts: files dns
-@end cartouche
-
-Some systems have lost @file{/usr/include/ndbm.h} which is necessary to
-build krb4 correctly. There is a @file{ndbm.h.Linux} right next to
-the source distribution.
-
-@cindex Linux
-There has been reports of non-working @file{libdb} on some Linux
-distributions. If that happens, use the @kbd{--without-berkeley-db}
-when configuring.
-
-@subheading SunOS 5 (aka Solaris 2) problems
-
-@cindex SunOS 5
-
-When building shared libraries and using some combinations of GNU gcc/ld
-you better set the environment variable RUN_PATH to /usr/athena/lib
-(your target libdir). If you don't, then you will have to set
-LD_LIBRARY_PATH during runtime and the PAM module will not work.
-
-@subheading HP-UX problems
-
-@cindex HP-UX
-The shared library @file{/usr/lib/libndbm.sl} doesn't exist on all
-systems. To make problems even worse, there is never an archive version
-for static linking either. Therefore, when building ``truly portable''
-binaries first install GNU gdbm or Berkeley DB, and make sure that you
-are linking against that library.
-
-@subheading Cray problems
-
-@kbd{rlogind} won't work on Crays until @code{forkpty()} has been
-ported, in the mean time use @kbd{telnetd}.
-
-@subheading IRIX problems
-
-@cindex IRIX
-
-IRIX has three different ABI:s (Application Binary Interface), there's
-an old 32 bit interface (known as O32, or just 32), a new 32 bit
-interface (N32), and a 64 bit interface (64). O32 and N32 are both 32
-bits, but they have different calling conventions, and alignment
-constraints, and similar. The N32 format is the default format from IRIX
-6.4.
-
-You select ABI at compile time, and you can do this with the
-@samp{--with-mips-abi} configure option. The valid arguments are
-@samp{o32}, @samp{n32}, and @samp{64}, N32 is the default. Libraries for
-the three different ABI:s are normally installed installed in different
-directories (@samp{lib}, @samp{lib32}, and @samp{lib64}). If you want
-more than one set of libraries you have to reconfigure and recompile for
-each ABI, but you should probably install only N32 binaries.
-
-@cindex GCC
-GCC had had some known problems with the different ABI:s. Old GCC could
-only handle O32, newer GCC can handle N32, and 64, but not O32, but in
-some versions of GCC the structure alignment was broken in N32.
-
-This confusion with different ABI:s can cause some trouble. For
-instance, the @file{afskauthlib.so} library has to use the same ABI as
-@file{xdm}, and @file{login}. The easiest way to check what ABI to use
-is to run @samp{file} on @file{/usr/bin/X11/xdm}.
-
-@cindex AFS
-Another problem that you might encounter if you run AFS is that Transarc
-apparently doesn't support the 64-bit ABI, and because of this you can't
-get tokens with a 64 bit application. If you really need to do this,
-there is a kernel module that provides this functionality at
-@url{ftp://ftp.pdc.kth.se/home/joda/irix-afs64.tar.gz}.
-
-@subheading AIX problems
-
-@cindex GCC
-@kbd{gcc} version 2.7.2.* has a bug which makes it miscompile
-@file{appl/telnet/telnetd/sys_term.c} (and possibily
-@file{appl/bsd/forkpty.c}), if used with too much optimization.
-
-Some versions of the @kbd{xlc} preprocessor doesn't recognise the
-(undocumented) @samp{-qnolm} option. If this option is passed to the
-preprocessor (like via the configuration file @file{/etc/ibmcxx.cfg},
-configure will fail.
-
-The solution is to remove this option from the configuration file,
-either globally, or for just the preprocessor:
-
-@example
-$ cp /etc/ibmcxx.cfg /tmp
-$ed /tmp/ibmcxx.cfg
-8328
-/nolm
- options = -D_AIX,-D_AIX32,-D_AIX41,-D_AIX43,-D_IBMR2,-D_POWER,-bpT:0x10000000,-bpD:0x20000000,-qnolm
-s/,-qnolm//p
- options = -D_AIX,-D_AIX32,-D_AIX41,-D_AIX43,-D_IBMR2,-D_POWER,-bpT:0x10000000,-bpD:0x20000000
-w
-8321
-q
-$ env CC=xlc CPP="xlc -E -F/tmp/ibmcxx.cfg" configure
-@end example
-
-There is a bug in AFS 3.4 version 5.38 for AIX 4.3 that causes the
-kernel to panic in some cases. There is a hack for this in @kbd{login},
-but other programs could be affected also. This seems to be fixed in
-version 5.55.
-
-@subheading C2 problems
-
-@cindex C2
-The programs that checks passwords works with @file{passwd}, OTP, and
-Kerberos paswords. This is problem if you use C2 security (or use some
-other password database), that normally keeps passwords in some obscure
-place. If you want to use Kerberos with C2 security you will have to
-think about what kind of changes are necessary. See also the discussion
-about Digital's SIA and C2 security, see @ref{Digital SIA}.
-
-@node Problems with firewalls, Common error messages, Problems compiling Kerberos, Resolving frequent problems
-@section Problems with firewalls
-
-@cindex firewall
-A firewall is a network device that filters out certain types of packets
-going from one side of the firewall to the other. A firewall is supposed
-to solve the same kinds of problems as Kerberos (basically hindering
-unauthorised network use). The difference is that Kerberos tries to
-authenticate users, while firewall splits the network in a `secure'
-inside, and an `insecure' outside.
-
-Firewall people usually think that UDP is insecure, partly because many
-`insecure' protocols use UDP. Since Kerberos by default uses UDP to send
-and recieve packets, Kerberos and firewalls doesn't work very well
-together.
-
-The symptoms of trying to use Kerberos behind a firewall is that you
-can't get any tickets (@code{kinit} exits with the infamous @samp{Can't
-send request} error message).
-
-There are a few ways to solve these problems:
-
-@itemize @bullet
-@item
-Convince your firewall administrator to open UDP port 750 or 88 for
-incoming packets. This usually turns out to be difficult.
-@item
-Convince your firewall administrator to open TCP port 750 or 88 for
-outgoing connections. This can be a lot easier, and might already be
-enabled.
-@item
-Use TCP connections over some non-standard port. This requires that you
-have to convince the administrator of the kerberos server to allow
-connections on this port.
-@item
-@cindex HTTP
-Use HTTP to get tickets. Since web-stuff has become almost infinitely
-popular, many firewalls either has the HTTP port open, or has a HTTP
-proxy.
-@end itemize
-
-The last two methods might be considered to be offensive (since you are
-not sending the `right' type of data in each port). You probably do best
-in discussuing this with firewall administrator.
-
-For information on how to use other protocols when communication with
-KDC, see @ref{Install the configuration files}.
-
-It is often the case that the firewall hides addresses on the `inside',
-so it looks like all packets are coming from the firewall. Since address
-of the client host is encoded in the ticket, this can cause trouble. If
-you get errors like @samp{Incorrect network address}, when trying to use
-the ticket, the problem is usually becuase the server you are trying to
-talk to sees a different address than the KDC did. If you experience
-this kind of trouble, the easiest way to solve them is probably to try
-some other mechanism to fetch tickets. You might also be able to
-convince the administrator of the server that the two different
-addresses should be added to the @file{/etc/krb.equiv} file.
-
-@node Common error messages, Is Kerberos year 2000 safe?, Problems with firewalls, Resolving frequent problems
-@section Common error messages
-
-These are some of the more obscure error messages you might encounter:
-
-@table @asis
-
-@item @samp{Time is out of bounds}
-
-The time on your machine differs from the time on either the kerberos
-server or the machine you are trying to login to. If it isn't obvious
-that this is the case, remember that all times are compared in UTC.
-
-On unix systems you usually can find out what the local time is by doing
-@code{telnet machine daytime}. This time (again, usually is the keyword)
-is with correction for time-zone and daylight savings.
-
-If you have problem keeping your clocks synchronized, consider using a
-time keeping system such as NTP (see also the discussion in
-@ref{Install the client programs}).
-
-@item @samp{Ticket issue date too far in the future}
-
-The time on the kerberos server is more than five minutes ahead of the
-time on the server.
-
-@item @samp{Can't decode authenticator}
-
-This means that there is a mismatch between the service key in the
-kerberos server and the service key file on the specific machine.
-Either:
-@itemize @bullet
-@item
-the server couldn't find a service key matching the request
-@item
-the service key (or version number) does not match the key the packet
-was encrypted with
-@end itemize
-
-@item @samp{Incorrect network address}
-
-The address in the ticket does not match the address you sent the
-request from. This happens on systems with more than one network
-address, either physically or logically. You can list addresses which
-should be considered equal in @file{/etc/krb.equiv} on your servers.
-
-A note to programmers: a server should not pass @samp{*} as the instance
-to @samp{krb_rd_req}. It should try to figure out on which interface the
-request was received, for instance by using @samp{k_getsockinst}.
-
-If you change addresses on your computer you invalidate any tickets you
-might have. The easiest way to fix this is to get new tickets with the
-new address.
-
-@item @samp{Message integrity error}
-
-The packet is broken in some way:
-@itemize @bullet
-@item
-the lengths does not match the size of the packet, or
-@item
-the checksum does not match the contents of the packet
-@end itemize
-
-@item @samp{Can't send request}
-There is some problem contacting the kerberos server. Either the server
-is down, or it is using the wrong port (compare the entries for
-@samp{kerberos-iv} in @file{/etc/services}). The client might also have
-failed to guess what kerberos server to talk to (check
-@file{/etc/krb.conf} and @file{/etc/krb.realms}).
-
-One reason you can't contact the kerberos server might be because you're
-behind a firewall that doesn't allow kerberos packets to pass. For
-possible solutions to this see the firewall section above.
-
-@item @samp{kerberos: socket: Unable to open socket...}
-
-The kerberos server has to open four sockets for each interface. If you
-have a machine with lots of virtual interfaces, you run the risk of
-running out of file descriptors. If that happens you will get this
-error message.
-
-@item @samp{ftp: User foo access denied}
-
-This usually happens because the user's shell is not listed in
-@file{/etc/shells}. Note that @kbd{ftpd} checks this file even on
-systems where the system version does not and there is no
-@file{/etc/shells}.
-
-@item @samp{Generic kerberos error}
-This is a generic catch-all error message.
-
-@end table
-
-@node Is Kerberos year 2000 safe?, , Common error messages, Resolving frequent problems
-@section Is Kerberos year 2000 safe?
-
-@cindex Year 2000
-
-Yes.
-
-A somewhat longer answer is that we can't think of anything that can
-break. The protocol itself doesn't use time stamps in textual form, the
-two-digit year problems in the original MIT code has been fixed (this
-was a problem mostly with log files). The FTP client had a bug in the
-command `newer' (which fetches a file if it's newer than what you
-already got).
-
-Another thing to look out for, but that isn't a Y2K problem per se, is
-the expiration date of old principals. The MIT code set the default
-expiration date for some new principals to 1999-12-31, so you might want
-to check your database for things like this.
-
-Now, the Y2038 problem is something completely different (but the
-authors should have retired by then, presumably growing rowanberrys in
-some nice and warm place).
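Review bot: missing pointer for anyone still running the kerberised services. Under `Incorrect network address` this file carries the programmer guidance that a server should not pass `*` as the instance to `krb_rd_req` and should use `k_getsockinst` instead, along with the `/etc/krb.equiv` advice for multi-homed hosts and hosts behind address-hiding firewalls. If the Kerberos IV libraries and services are removed in the same change this is fine; if any remain, the commit message should say where this guidance now lives.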
diff --git a/crypto/kerberosIV/doc/setup.texi b/crypto/kerberosIV/doc/setup.texi
deleted file mode 100644
index 24a955d..0000000
--- a/crypto/kerberosIV/doc/setup.texi
+++ /dev/null
@@ -1,905 +0,0 @@
-@node How to set up a realm, One-Time Passwords, Installing programs, Top
-@chapter How to set up a realm
-
-@quotation
-@flushleft
- Who willed you? or whose will stands but mine?
- There's none protector of the realm but I.
- Break up the gates, I'll be your warrantize.
- Shall I be flouted thus by dunghill grooms?
- --- King Henry VI, 6.1
-@end flushleft
-@end quotation
-
-@menu
-* How to set up the kerberos server::
-* Install the client programs::
-* Install the kerberised services::
-* Install a slave kerberos server::
-* Cross-realm functionality ::
-@end menu
-
-@node How to set up the kerberos server, Install the client programs, How to set up a realm, How to set up a realm
-@section How to set up the kerberos server
-
-@menu
-* Choose a realm name::
-* Choose a kerberos server::
-* Install the configuration files::
-* Install the /etc/services::
-* Install the kerberos server::
-* Set up the server::
-* Add a few important principals::
-* Start the server::
-* Try to get tickets::
-* Create initial ACL for the admin server::
-* Start the admin server::
-* Add users to the database::
-* Automate the startup of the servers::
-@end menu
-
-@node Choose a realm name, Choose a kerberos server, How to set up the kerberos server, How to set up the kerberos server
-@subsection Choose a realm name
-
-A
-@cindex realm
-realm is an administrative domain. Kerberos realms are usually
-written in uppercase and consist of a Internet domain
-name@footnote{Using lowercase characters in the realm name might break
-in mysterious ways. This really should have been fixed, but has not.}.
-Call your realm the same as your Internet domain name if you do not have
-strong reasons for not doing so. It will make life easier for you and
-everyone else.
-
-@node Choose a kerberos server, Install the configuration files, Choose a realm name, How to set up the kerberos server
-@subsection Choose a kerberos server
-
-You need to choose a machine to run the
-@pindex kerberos
-kerberos server program. If the kerberos database residing on this host
-is compromised, your entire realm will be compromised. Therefore, this
-machine must be as secure as possible. Preferably it should not run any
-services other than Kerberos. The secure-minded administrator might
-only allow logins on the console.
-
-This machine has also to be reliable. If it is down, you will not be
-able to use any kerberised services unless you have also configured a
-slave server (@pxref{Install a slave kerberos server}).
-
-Running the kerberos server requires very little CPU power and a small
-amount of disk. An old PC with some hundreds of megabytes of free disk
-space should do fine. Most of the disk space will be used for various
-logs.
-
-@node Install the configuration files, Install the /etc/services, Choose a kerberos server, How to set up the kerberos server
-@subsection Install the configuration files
-
-There are two important configuration files: @file{/etc/krb.conf} and
-@file{/etc/krb.realms}.
-@pindex krb.conf
-@pindex krb.realms
-
-The @file{krb.conf} file determines which machines are servers for
-different realms. The format of this file is:
-
-@example
-THIS.REALM
-SUPP.LOCAL.REALM
-THIS.REALM kerberos.this.realm admin server
-THIS.REALM kerberos-1.this.realm
-SUPP.LOCAL.REALM kerberos.supp.local.realm admin server
-ANOTHER.REALM kerberos.another.realm
-@end example
-
-The first line defines the name of the local realm. The next few lines
-optionally defines supplementary local realms.
-@cindex supplementary local realms
-The rest of the file
-defines the names of the kerberos servers and the database
-administration servers for all known realms. You can define any number
-of kerberos slave servers similar to the one defined on line
-four. Clients will try to contact servers in listed order.
-
-The @samp{admin server} clause at the first entry states that this is
-the master server
-@cindex master server
-(the one to contact when modifying the database, such as changing
-passwords). There should be only one such entry for each realm.
-
-In the original MIT Kerberos 4 (as in most others), the server
-specification could only take the form of a host-name. To facilitate
-having kerberos servers in odd places (such as behind a firewall),
-support has been added for ports other than the default (750), and
-protocols other than UDP.
-
-The formal syntax for an entry is now
-@samp{[@var{proto}/]@var{host}[:@var{port}]}. @var{proto} is either
-@samp{UDP}, @samp{TCP}, or @samp{HTTP}, and @var{port} is the port to
-talk to. Default value for @var{proto} is @samp{UDP} and for @var{port}
-whatever @samp{kerberos-iv} is defined to be in @file{/etc/services} or
-750 if undefined. If @var{proto} is @samp{HTTP}, the default port is
-80. An @samp{http} entry may also be specified in URL format.
-
-If the information about a realm is missing from the @file{krb.conf}
-file, or if the information is wrong, the following methods will be
-tried in order.
-
-@enumerate
-@item
-If you have an SRV-record (@cite{RFC 2052}) for your realm it will be
-used. This record should be of the form
-@samp{kerberos-iv.@var{protocol}.@var{REALM}}, where @var{proto} is
-either @samp{UDP}, @samp{TCP}, or @samp{HTTP}. (Note: the current
-implementation does not look at priority or weight when deciding which
-server to talk to.)
-@item
-If there isn't any SRV-record, it tries to find a TXT-record for the
-same domain. The contents of the record should have the same format as the
-host specification in @file{krb.conf}. (Note: this is a temporary
-solution if your name server doesn't support SRV records. The clients
-should work fine with SRV records, so if your name server supports them,
-they are very much preferred.)
-@item
-If no valid kerberos server is found, it will try to talk UDP to the
-service @samp{kerberos-iv} with fall-back to port 750 with
-@samp{kerberos.@var{REALM}} (which is also assumed to be the master
-server), and then @samp{kerberos-1.@var{REALM}},
-@samp{kerberos-2.@var{REALM}}, and so on.
-@end enumerate
-
-SRV records have been supported in BIND since 4.9.5T2A. An example
-would look like the following in the zone file:
-
-@example
-kerberos-iv.udp.foo.se. 1M IN SRV 1 0 750 kerberos-1.foo.se.
-kerberos-iv.udp.foo.se. 1M IN SRV 0 0 750 kerberos.foo.se.
-@end example
-
-We strongly recommend that you add a CNAME @samp{kerberos.@var{REALM}}
-pointing to your kerberos master server.
-
-The @file{krb.realms} file is used to find out what realm a particular
-host belongs to. An example of this file could look like:
-
-@example
-this.realm THIS.REALM
-.this.realm THIS.REALM
-foo.com SOME.OTHER.REALM
-www.foo.com A.STRANGE.REALM
-.foo.com FOO.REALM
-@end example
-
-Entries starting with a dot are taken as the name of a domain. Entries
-not starting with a dot are taken as a host-name. The first entry matched
-is used. The entry for @samp{this.realm} is only necessary if there is a
-host named @samp{this.realm}.
-
-If no matching realm is found in @file{krb.realms}, DNS is searched for
-the correct realm. For example, if we are looking for host @samp{a.b.c},
-@samp{krb4-realm.a.b.c} is first tried and then @samp{krb4-realm.b.c}
-and so on. The entry should be a TXT record containing the name of the
-realm, such as:
-
-@example
-krb4-realm.pdc.kth.se. 7200 TXT "NADA.KTH.SE"
-@end example
-
-If this didn't help the domain name sans the first part in uppercase is
-tried.
-
-The plain vanilla version of Kerberos doesn't have any fancy methods of
-getting realms and servers so it is generally a good idea to keep
-@file{krb.conf} and @file{krb.realms} up to date.
-
-In addition to these commonly used files, @file{/etc/krb.extra}
-@pindex krb.extra
-holds some things that are not normally used. It consists of a number of
-@samp{@var{variable} = @var{value}} pairs, blank lines and lines
-beginning with a hash (#) are ignored.
-
-The currently defined variables are:
-
-@table @samp
-@item kdc_timeout
-@cindex kdc_timeout
-The time in seconds to wait for an answer from the KDC (the default is 4
-seconds).
-@item kdc_timesync
-@cindex kdc_timesync
-This flag enables storing of the time differential to the KDC when
-getting an initial ticket. This differential is used later on to compute
-the correct time. This can help if your machine doesn't have a working
-clock.
-@item firewall_address
-@cindex firewall_address
-The IP address that hosts outside the firewall see when connecting from
-within the firewall. If this is specified, the code will try to compute
-the value for @samp{reverse_lsb_test}.
-@item krb4_proxy
-@cindex krb4_proxy
-When getting tickets via HTTP, this specifies the proxy to use. The
-default is to speak directly to the KDC.
-@item krb_default_tkt_root
-@cindex krb_default_tkt_root
-The default prefix for ticket files. The default is @file{/tmp/tkt}.
-Normally the uid or tty is appended to this prefix.
-@item krb_default_keyfile
-@cindex krb_default_keyfile
-The file where the server keys are stored, the default is @file{/etc/srvtab}.
-@item nat_in_use
-@cindex nat_in_use
-If the client is behind a Network Address Translator (NAT).
-@cindex Network Address Translator
-@cindex NAT
-@item reverse_lsb_test
-@cindex reverse_lsb_test
-Reverses the test used by @code{krb_mk_safe}, @code{krb_rd_safe},
-@code{krb_mk_priv}, and @code{krb_rd_priv} to compute the ordering of
-the communicating hosts. This test can cause truble when using
-firewalls.
-@end table
-
-@node Install the /etc/services, Install the kerberos server, Install the configuration files, How to set up the kerberos server
-@subsection Updating /etc/services
-
-You should append or merge the contents of @file{services.append} to
-your @file{/etc/services} files or NIS-map. Remove any unused factory
-installed kerberos port definitions to avoid possible conflicts.
-@pindex services
-
-Most of the programs will fall back to the default ports if the port
-numbers are not found in @file{/etc/services}, but it is convenient to
-have them there anyway.
-
-@node Install the kerberos server, Set up the server, Install the /etc/services, How to set up the kerberos server
-@subsection Install the kerberos server
-
-You should have already chosen the machine where you want to run the
-kerberos server and the realm name. The machine should also be as
-secure as possible (@pxref{Choose a kerberos server}) before installing
-the kerberos server. In this example, we will install a kerberos server
-for the realm @samp{FOO.SE} on a machine called @samp{hemlig.foo.se}.
-
-@node Set up the server, Add a few important principals, Install the kerberos server, How to set up the kerberos server
-@subsection Setup the server
-
-Login as root on the console of the kerberos server. Add
-@file{/usr/athena/bin} and @file{/usr/athena/sbin} to your path. Create
-the directory @file{/var/kerberos} (@kbd{mkdir /var/kerberos}), which is
-where the database will be stored. Then, to create the database, run
-@kbd{kdb_init}:
-@pindex kdb_init
-
-@example
-@cartouche
-hemlig# mkdir /var/kerberos
-hemlig# kdb_init
-Realm name [default FOO.SE ]:
-You will be prompted for the database Master Password.
-It is important that you NOT FORGET this password.
-
-Enter Kerberos master password:
-Verifying password
-Enter Kerberos master password:
-@end cartouche
-@end example
-
-If you have set up the configuration files correctly, @kbd{kdb_init}
-should choose the correct realm as the default, otherwise a (good) guess
-is made. Enter the master password.
-
-This password will only be used for encrypting the kerberos database on
-disk and for generating new random keys. You will not have to remember
-it, only to type it again when you run @kbd{kstash}. Choose something
-long and random. Now run @kbd{kstash} using the same password:
-@pindex kstash
-
-@example
-@cartouche
-hemlig# kstash
-
-Enter Kerberos master password:
-
-Current Kerberos master key version is 1.
-
-Master key entered. BEWARE!
-Wrote master key to /.k
-@end cartouche
-@end example
-
-After entering the same master password it will be saved in the file
-@file{/.k} and the kerberos server will read it when needed. Write down
-the master password and put it in a sealed envelope in a safe, you might
-need it if your disk crashes or should you want to set up a slave
-server.
-
-@code{kdb_init} initializes the database with a few entries:
-
-@table @samp
-@item krbtgt.@var{REALM}
-The key used for authenticating to the kerberos server.
-
-@item changepw.kerberos
-The key used for authenticating to the administrative server, i.e. when
-adding users, changing passwords, and so on.
-
-@item default
-This entry is copied to new items when these are added. Enter here the
-values you want new entries to have, particularly the expiry date.
-
-@item K.M
-This is the master key and it is only used to verify that the master key
-that is saved un-encrypted in @file{/.k} is correct and corresponds to
-this database.
-
-@end table
-
-@code{kstash} only reads the master password and writes it to
-@file{/.k}. This enables the kerberos server to start without you
-having to enter the master password. This file (@file{/.k}) is only
-readable by root and resides on a ``secure'' machine.
-
-@node Add a few important principals, Start the server, Set up the server, How to set up the kerberos server
-@subsection Add a few important principals
-
-Now the kerberos database has been created, containing only a few
-principals. The next step is to add a few more so that you can test
-that it works properly and so that you can administer your realm without
-having to use the console on the kerberos server. Use @kbd{kdb_edit}
-to edit the kerberos database directly on the server.
-@pindex kdb_edit
-
-@code{kdb_edit} is intended as a bootstrapping and fall-back mechanism
-for editing the database. For normal purposes, use the @code{kadmin}
-program (@pxref{Add users to the database}).
-
-The following example shows the adding of the principal
-@samp{nisse.admin} into the kerberos database. This principal is used
-by @samp{nisse} when administrating the kerberos database. Later on the
-normal principal for @samp{nisse} will be created. Replace @samp{nisse}
-and @samp{password} with your own username and password.
-
-@example
-@cartouche
-hemlig# kdb_edit -n
-Opening database...
-Current Kerberos master key version is 1.
-
-Master key entered. BEWARE!
-Previous or default values are in [brackets] ,
-enter return to leave the same, or new value.
-
-Principal name: <nisse>
-Instance: <admin>
-
-<Not found>, Create [y] ? <>
-
-Principal: nisse, Instance: admin, kdc_key_ver: 1
-New Password: <password>
-Verifying password
-New Password: <password>
-
-Principal's new key version = 1
-Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? <>
-Max ticket lifetime (*5 minutes) [ 255 ] ? <>
-Attributes [ 0 ] ? <>
-Edit O.K.
-Principal name: <>
-@end cartouche
-@end example
-
-@code{kdb_edit} will loop until you hit the @kbd{return} key at the
-``Principal name'' prompt. Now you have added nisse as an administrator.
-
-@page
-
-@node Start the server, Try to get tickets, Add a few important principals, How to set up the kerberos server
-@subsection Start the server
-
-@pindex kerberos
-@example
-@cartouche
-hemlig# /usr/athena/libexec/kerberos &
-Kerberos server starting
-Sleep forever on error
-Log file is /var/log/kerberos.log
-Current Kerberos master key version is 1.
-
-Master key entered. BEWARE!
-
-Current Kerberos master key version is 1
-Local realm: FOO.SE
-@end cartouche
-@end example
-
-@node Try to get tickets, Create initial ACL for the admin server, Start the server, How to set up the kerberos server
-@subsection Try to get tickets
-
-You can now verify that these principals have been added and that the
-server is working correctly.
-
-@pindex kinit
-@example
-@cartouche
-hemlig# kinit
-eBones International (hemlig.foo.se)
-Kerberos Initialization
-Kerberos name: <nisse.admin>
-Password: <password>
-@end cartouche
-@end example
-
-If you do not get any error message from @code{kinit}, then everything
-is working (otherwise, see @ref{Common error messages}). Use
-@code{klist} to verify the tickets you acquired with @code{kinit}:
-
-@pindex klist
-@example
-@cartouche
-hemlig# klist
-Ticket file: /tmp/tkt0
-Principal: nisse.admin@@FOO.SE
-
-Issued Expires Principal
-May 24 21:06:03 May 25 07:06:03 krbtgt.FOO.SE@@FOO.SE
-@end cartouche
-@end example
-
-@node Create initial ACL for the admin server, Start the admin server, Try to get tickets, How to set up the kerberos server
-@subsection Create initial ACL for the admin server
-
-The admin server, @code{kadmind}, uses a series of files to determine who has
-@pindex kadmind
-the right to perform certain operations. The files are:
-@file{admin_acl.add}, @file{admin_acl.get}, @file{admin_acl.del}, and
-@file{admin_acl.mod}. Create these with @samp{nisse.admin@@FOO.SE} as
-the contents.
-@pindex admin_acl.add
-@pindex admin_acl.get
-@pindex admin_acl.del
-@pindex admin_acl.mod
-
-@example
-@cartouche
-hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.add
-hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.get
-hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.mod
-hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.del
-@end cartouche
-@end example
-
-Later on you may wish to add more users with administration
-privileges. Make sure that you create both the administration principals
-and add them to the admin server ACL.
-
-@node Start the admin server, Add users to the database, Create initial ACL for the admin server, How to set up the kerberos server
-@subsection Start the admin server
-
-@pindex kadmind
-@example
-@cartouche
-hemlig# /usr/athena/libexec/kadmind &
-KADM Server KADM0.0A initializing
-Please do not use 'kill -9' to kill this job, use a
-regular kill instead
-
-Current Kerberos master key version is 1.
-
-Master key entered. BEWARE!
-@end cartouche
-@end example
-
-@node Add users to the database, Automate the startup of the servers, Start the admin server, How to set up the kerberos server
-@subsection Add users to the database
-
-Use the @code{kadmin} client to add users to the database:
-@pindex kadmin
-
-@example
-@cartouche
-hemlig# kadmin -p nisse.admin -m
-Welcome to the Kerberos Administration Program, version 2
-Type "help" if you need it.
-admin: <add nisse>
-Admin password: <nisse.admin's password>
-Maximum ticket lifetime? (255) [Forever]
-Attributes? [0x00]
-Expiration date (enter yyyy-mm-dd) ? [Sat Jan 1 05:59:00 2000]
-Password for nisse:
-Verifying password Password for nisse:
-nisse added to database.
-@end cartouche
-@end example
-
-Add whatever other users you want to have in the same way. Verify that
-a user is in the database and check the database entry for that user:
-
-@example
-@cartouche
-admin: <get nisse>
-Info in Database for nisse.:
-Max Life: 255 (Forever) Exp Date: Sat Jan 1 05:59:59 2000
-
-Attribs: 00 key: 0 0
-admin: <^D>
-Cleaning up and exiting.
-@end cartouche
-@end example
-
-@node Automate the startup of the servers, , Add users to the database, How to set up the kerberos server
-@subsection Automate the startup of the servers
-
-Add the lines that were used to start the kerberos server and the
-admin server to your startup scripts (@file{/etc/rc} or similar).
-@pindex rc
-
-@node Install the client programs, Install the kerberised services, How to set up the kerberos server, How to set up a realm
-@section Install the client programs
-
-Making a machine a kerberos client only requires a few steps. First you
-might need to change the configuration files as with the kerberos
-server. (@pxref{Install the configuration files} and @pxref{Install the
-/etc/services}.) Also you need to make the programs in
-@file{/usr/athena/bin} available. This can be done by adding the
-@file{/usr/athena/bin} directory to the users' paths, by making symbolic
-links, or even by copying the programs.
-
-You should also verify that the local time on the client is synchronised
-with the time on the kerberos server by some means. The maximum allowed
-time difference between the participating servers and a client is 5
-minutes.
-@cindex NTP.
-One good way to synchronize the time is NTP (Network Time Protocol), see
-@url{http://www.eecis.udel.edu/~ntp/}.
-
-If you need to run the client programs on a machine where you do not
-have root-access, you can hopefully just use the binaries and no
-configuration will be needed. The heuristics used are mentioned above
-(see @ref{Install the configuration files}). If this is not the case
-and you need to have @file{krb.conf} and/or @file{krb.realms}, you can
-copy them into a directory of your choice and
-@pindex krb.conf
-@pindex krb.realms
-set the environment variable @var{KRBCONFDIR} to point at this
-@cindex KRBCONFDIR
-directory.
-
-To test the client functionality, run the @code{kinit} program:
-
-@example
-@cartouche
-foo$ kinit
-eBones International (foo.foo.se)
-Kerberos Initialization
-Kerberos name: <nisse>
-Password: <password>
-
-foo$ klist
-Ticket file: /tmp/tkt4711
-Principal: nisse@@FOO.SE
-
-Issued Expires Principal
-May 24 21:06:03 May 25 07:06:03 krbtgt.FOO.SE@@FOO.SE
-@end cartouche
-@end example
-
-@node Install the kerberised services, Install a slave kerberos server, Install the client programs, How to set up a realm
-@section Install the kerberised services
-
-These includes @code{rsh}, @code{rlogin}, @code{telnet}, @code{ftp},
-@code{rxtelnet}, and so on.
-@pindex rsh
-@pindex rlogin
-@pindex telnet
-@pindex ftp
-@pindex rxtelnet
-
-First follow the steps mentioned in the prior section to make it a
-client and verify its operation. Change @file{inetd.conf} next to use
-the new daemons. Look at the file
-@pindex inetd.conf
-@file{etc/inetd.conf.changes} to see the changes that we recommend you
-perform on @file{inetd.conf}.
-
-You should at this point decide what services you want to run on
-each machine.
-
-@subsection rsh, rlogin, and rcp
-@pindex rsh
-@pindex rlogin
-@pindex rcp
-
-These exist in kerberised versions and ``old-style'' versions. The
-different versions use different port numbers, so you can choose none,
-one, or both. If you do not want to use ``old-style'' r* services, you
-can let the programs output the text ``Remote host requires Kerberos
-authentication'' instead of just refusing connections to that port.
-This is enabled with the @samp{-v} option. The kerberised services
-exist in encrypted and non-encrypted versions. The encrypted services
-have an ``e'' prepended to the name and the programs take @samp{-x} as an
-option indicating encryption.
-
-Our recommendation is to only use the kerberised services and give
-explanation messages for the old ports.
-
-@subsection telnet
-@pindex telnet
-
-The telnet service always uses the same port and negotiates as to which
-authentication method should be used. The @code{telnetd} program has
-@pindex telnetd
-an option ``-a user'' that only allows kerberised and authenticated
-connections. If this is not included, it falls back to using clear text
-passwords. For obvious reasons, we recommend that you enable this
-option. If you want to use one-time passwords (@pxref{One-Time
-Passwords}) you can use the ``-a otp'' option which will allow OTPs or
-kerberised connections.
-
-@subsection ftp
-@pindex ftp
-
-The ftp service works as telnet does, with just one port being used. By
-default only kerberos authenticated connections are allowed. You can
-specify additional levels that are thus allowed with these options:
-
-@table @asis
-@item @kbd{-a otp}
-Allow one-time passwords (@pxref{One-Time Passwords}).
-@item @kbd{-a ftp}
-Allow anonymous login (as user ``ftp'' or ``anonymous'').
-@item @kbd{-a safe}
-The same as @kbd{-a ftp}, for backwards compatibility.
-@item @kbd{-a plain}
-Allow clear-text passwords.
-@item @kbd{-a none}
-The same as @kbd{-a ftp -a plain}.
-@item @kbd{-a user}
-A no-op, also there for backwards compatibility reasons.
-@end table
-
-When running anonymous ftp you should read the man page on @code{ftpd}
-which explains how to set it up.
-
-@subsection pop
-@pindex popper
-
-The Post Office Protocol (POP) is used to retrieve mail from the mail
-hub. The @code{popper} program implements the standard POP3 protocol
-and the kerberised KPOP. Use the @samp{-k} option to run the kerberos
-version of the protocol. This service should only be run on your mail
-hub.
-
-@subsection kx
-@pindex kx
-
-@code{kx} allows you to run X over a kerberos-authenticated and
-encrypted connection. This program is used by @code{rxtelnet},
-@code{tenletxr}, and @code{rxterm}.
-
-If you have some strange kind of operating system with X libraries that
-do not allow you to use unix-sockets, you need to specify the @samp{-t}
-@pindex kxd
-option to @code{kxd}. Otherwise it should be sufficient by adding the
-daemon in @file{inetd.conf}.
-
-@subsection kauth
-@pindex kauth
-
-This service allows you to create tickets on a remote host. To
-enable it just insert the corresponding line in @file{inetd.conf}.
-
-@section srvtabs
-@pindex srvtab
-
-In the same way every user needs to have a password registered with
-the kerberos server, every service needs to have a shared key with the
-kerberos server. The service keys are stored in a file, usually called
-@file{/etc/srvtab}. This file should not be readable to anyone but
-root, in order to keep the key from being divulged. The name of this principal
-in the kerberos database is usually the service name and the hostname. Examples
-of such principals are @samp{pop.@var{hostname}} and
-@samp{rcmd.@var{hostname}}. (rcmd comes from ``remote command''.) Here
-is a list of the most commonly used srvtab types and what programs use them.
-
-@table @asis
-@item rcmd.@var{hostname}
-rsh, rcp, rlogin, telnet, kauth, su, kx
-@item rcmd.kerberos
-kprop
-@item pop.@var{hostname}
-popper, movemail, push
-@item sample.@var{hostname}
-sample_server, simple_server
-@item changepw.kerberos
-kadmin, kpasswd
-@item krbtgt.@var{realm}
-kerberos (not stored in any srvtab)
-@item ftp.@var{hostname}
-ftp (also tries with rcmd.@var{hostname})
-@item zephyr.zephyr
-Zephyr
-@item afs or afs.@var{cellname}
-Andrew File System
-@end table
-
-To create these keys you will use the the @code{ksrvutil} program.
-Perform the
-@pindex ksrvutil
-following:
-
-@example
-@cartouche
-bar# ksrvutil -p nisse.admin get
-Name [rcmd]: <>
-Instance [bar]: <>
-Realm [FOO.SE]: <>
-Is this correct? (y,n) [y] <>
-Add more keys? (y,n) [n] <>
-Password for nisse.admin@@FOO.SE: <nisse.admin's password>
-Written rcmd.bar
-rcmd.bar@@FOO.SE
-Old keyfile in /etc/srvtab.old.
-@end cartouche
-@end example
-
-@subsection Complete test of the kerberised services
-
-Obtain a ticket on one machine (@samp{foo}) and use it to login with a
-kerberised service to a second machine (@samp{bar}). The test should
-look like this if successful:
-
-@example
-@cartouche
-foo$ kinit nisse
-eBones International (foo.foo.se)
-Kerberos Initialization for "nisse"
-Password: <nisse's password>
-foo$ klist
-Ticket file: /tmp/tkt4711
-Principal: nisse@@FOO.SE
-
-Issued Expires Principal
-May 30 13:48:03 May 30 23:48:03 krbtgt.FOO.SE@@FOO.SE
-foo$ telnet bar
-Trying 17.17.17.17...
-Connected to bar.foo.se
-Escape character is '^]'.
-[ Trying mutual KERBEROS4 ... ]
-[ Kerberos V4 accepts you ]
-[ Kerberos V4 challenge successful ]
-bar$
-@end cartouche
-@end example
-
-You can also try with @code{rsh}, @code{rcp}, @code{rlogin},
-@code{rlogin -x}, and some other commands to see that everything is
-working all right.
-
-@node Install a slave kerberos server, Cross-realm functionality , Install the kerberised services, How to set up a realm
-@section Install a slave kerberos server
-
-It is desirable to have at least one backup (slave) server in case the
-master server fails. It is possible to have any number of such slave
-servers but more than three usually doesn't buy much more redundancy.
-
-First select a good server machine. (@pxref{Choose a kerberos
-server}).
-
-On the master, add a @samp{rcmd.kerberos} (note, it should be literally
-``kerberos'') principal (using @samp{ksrvutil get}). The
-@pindex kprop
-@code{kprop} program, running on the master, will use this when
-authenticating to the
-@pindex kpropd
-@code{kpropd} daemons running on the slave servers. The @code{kpropd}
-on the slave will use its @samp{rcmd.hostname} key for authenticating
-the connection from the master. Therefore, the slave needs to have this
-key in its srvtab, and it of course also needs to have enough of the
-configuration files to act as a server. See @ref{Install the kerberised
-services} for information on how to do this.
-
-To summarize, the master should have a key for @samp{rcmd.kerberos} and
-the slave one for @samp{rcmd.hostname}.
-
-The slave will need the same master key as you used at the master.
-
-On your master server, create a file, e.g. @file{/var/kerberos/slaves},
-that contains the hostnames of your kerberos slave servers.
-
-Start @code{kpropd} with @samp{kpropd -i} on your slave servers.
-
-On your master server, create a dump of the database and then propagate
-it.
-
-@example
-foo# kdb_util slave_dump /var/kerberos/slave_dump
-foo# kprop
-@end example
-
-You should now have copies of the database on your slave servers. You
-can verify this by issuing @samp{kdb_util dump @var{file}} on your
-slave servers, and comparing with the original file on the master
-server. Note that the entries will not be in the same order.
-
-This procedure should be automated with a script run regularly by cron,
-for instance once an hour.
-
-Since the master and slave servers will use copies of the same
-database, they need to use the same master key. Add the master key on
-the slave with @code{kstash}. (@pxref{Set up the server})
-
-To start the kerberos server on slaves, you first have to copy the
-master key from the master server. You can do this either by remembering
-the master password and issuing @samp{kstash}, or you can just copy the
-keyfile. Remember that if you copy the file, do so on a safe media, not
-over the network. Good means include floppy or paper. Paper is better,
-since it is easier to swallow afterwards.
-
-The kerberos server should be started with @samp{-s} on the slave
-servers. This enables sanity checks, for example checking the time since
-the last update from the master.
-
-All changes to the database are made by @code{kadmind} at the master,
-and then propagated to the slaves, so you should @strong{not} run
-@code{kadmind} on the slaves.
-
-Finally add the slave servers to
-@file{/etc/krb.conf}. The clients will ask the servers in the order
-specified by that file.
-
-Consider adding CNAMEs to your slave servers, see @ref{Install the
-configuration files}.
-
-@node Cross-realm functionality , , Install a slave kerberos server, How to set up a realm
-@section Cross-realm functionality
-
-Suppose you are residing in the realm @samp{MY.REALM}, how do you
-authenticate to a server in @samp{OTHER.REALM}? Having valid tickets in
-@samp{MY.REALM} allows you to communicate with kerberised services in that
-realm. However, the computer in the other realm does not have a secret
-key shared with the kerberos server in your realm.
-
-It is possible to add a shared key between two realms that trust each
-other. When a client program, such as @code{telnet}, finds that the
-other computer is in a different realm, it will try to get a ticket
-granting ticket for that other realm, but from the local kerberos
-server. With that ticket granting ticket, it will then obtain service
-tickets from the kerberos server in the other realm.
-
-To add this functionality you have to add a principal to each realm. The
-principals should be @samp{krbtgt.OTHER.REALM} in @samp{MY.REALM}, and
-@samp{krbtgt.MY.REALM} in @samp{OTHER.REALM}. The two different
-principals should have the same key (and key version number). Remember
-to transfer this key in a safe manner. This is all that is required.
-
-@page
-
-@example
-@cartouche
-blubb$ klist
-Ticket file: /tmp/tkt3008
-Principal: joda@@NADA.KTH.SE
-
- Issued Expires Principal
-Jun 7 02:26:23 Jun 7 12:26:23 krbtgt.NADA.KTH.SE@@NADA.KTH.SE
-blubb$ telnet agat.e.kth.se
-Trying 130.237.48.12...
-Connected to agat.e.kth.se.
-Escape character is '^]'.
-[ Trying mutual KERBEROS4 ... ]
-[ Kerberos V4 accepts you ]
-[ Kerberos V4 challenge successful ]
-Last login: Sun Jun 2 20:51:50 from emma.pdc.kth.se
-
-agat$ exit
-Connection closed by foreign host.
-blubb$ klist
-Ticket file: /tmp/tkt3008
-Principal: joda@@NADA.KTH.SE
-
- Issued Expires Principal
-Jun 7 02:26:23 Jun 7 12:26:23 krbtgt.NADA.KTH.SE@@NADA.KTH.SE
-Jun 7 02:26:50 Jun 7 12:26:50 krbtgt.E.KTH.SE@@NADA.KTH.SE
-Jun 7 02:26:51 Jun 7 12:26:51 rcmd.agat@@E.KTH.SE
-@end cartouche
-@end example
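Review bot: the "Install the kerberised services" and "srvtabs" sections removed in this hunk carry the hardening guidance for the daemons, and the change does not show where that guidance goes. The removed text is what tells an administrator that telnetd falls back to clear text passwords unless "-a user" is given, that ftpd accepts clear-text logins only with "-a plain", that /etc/srvtab and /.k must be readable by root only, and that kadmind must not run on slave servers. Dropping the file is fine if the Kerberos IV daemons leave the tree in the same change; please say so in the commit message, and if any of them stays installed, move these points to the man pages first. The removed text also references the "One-Time Passwords" node twice via @pxref, while no OTP document is among the 11 files in the diffstat, so check that nothing left behind still points into the deleted kth-krb manual.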
diff --git a/crypto/kerberosIV/doc/whatis.texi b/crypto/kerberosIV/doc/whatis.texi
deleted file mode 100644
index 6721c23..0000000
--- a/crypto/kerberosIV/doc/whatis.texi
+++ /dev/null
@@ -1,137 +0,0 @@
-@node What is Kerberos?, Installing programs, Introduction, Top
-@chapter What is Kerberos?
-
-@quotation
-@flushleft
- Now this Cerberus had three heads of dogs,
- the tail of a dragon, and on his back the
- heads of all sorts of snakes.
- --- Pseudo-Apollodorus Library 2.5.12
-@end flushleft
-@end quotation
-
-Kerberos is a system for authenticating users and services on a network.
-It is built upon the assumption that the network is ``unsafe''. For
-example, data sent over the network can be eavesdropped and altered, and
-addresses can also be faked. Therefore they cannot be used for
-authentication purposes.
-@cindex authentication
-
-Kerberos is a trusted third-party service. That means that there is a
-third party (the kerberos server) that is trusted by all the entities on
-the network (users and services, usually called @dfn{principals}). All
-principals share a secret password (or key) with the kerberos server and
-this enables principals to verify that the messages from the kerberos
-server are authentic. Thus trusting the kerberos server, users and
-services can authenticate each other.
-
-@section Basic mechanism
-
-@ifinfo
-@macro sub{arg}
-<\arg\>
-@end macro
-@end ifinfo
-
-@tex
-@def@xsub#1{$_{#1}$}
-@global@let@sub=@xsub
-@end tex
-
-In Kerberos, principals use @dfn{tickets} to prove that they are who
-they claim to be. In the following example, @var{A} is the initiator of
-the authentication exchange, usually a user, and @var{B} is the service
-that @var{A} wishes to use.
-
-To obtain a ticket for a specific service, @var{A} sends a ticket
-request to the kerberos server. The request basically contains @var{A}'s
-and @var{B}'s names. The kerberos server checks that both @var{A} and
-@var{B} are valid principals.
-
-Having verified the validity of the principals, it creates a packet
-containing @var{A}'s and @var{B}'s names, @var{A}'s network address
-(@var{A@sub{addr}}), the current time (@var{t@sub{issue}}), the lifetime
-of the ticket (@var{life}), and a secret @dfn{session key}
-@cindex session key
-(@var{K@sub{AB}}). This packet is encrypted with @var{B}'s secret key
-(@var{K@sub{B}}). The actual ticket (@var{T@sub{AB}}) looks like this:
-(@{@var{A}, @var{B}, @var{A@sub{addr}}, @var{t@sub{issue}}, @var{life},
-@var{K@sub{AB}}@}@var{K@sub{B}}).
-
-The reply to @var{A} consists of the ticket (@var{T@sub{AB}}), @var{B}'s
-name, the current time, the lifetime of the ticket, and the session key, all
-encrypted in @var{A}'s secret key (@{@var{B}, @var{t@sub{issue}},
-@var{life}, @var{K@sub{AB}}, @var{T@sub{AB}}@}@var{K@sub{A}}). @var{A}
-decrypts the reply and retains it for later use.
-
-@sp 1
-
-Before sending a message to @var{B}, @var{A} creates an authenticator
-consisting of @var{A}'s name, @var{A}'s address, the current time, and a
-``checksum'' chosen by @var{A}, all encrypted with the secret session
-key (@{@var{A}, @var{A@sub{addr}}, @var{t@sub{current}},
-@var{checksum}@}@var{K@sub{AB}}). This is sent together with the ticket
-received from the kerberos server to @var{B}. Upon reception, @var{B}
-decrypts the ticket using @var{B}'s secret key. Since the ticket
-contains the session key that the authenticator was encrypted with,
-@var{B} can now also decrypt the authenticator. To verify that @var{A}
-really is @var{A}, @var{B} now has to compare the contents of the ticket
-with that of the authenticator. If everything matches, @var{B} now
-considers @var{A} as properly authenticated.
-
-@c (here we should have some more explanations)
-
-@section Different attacks
-
-@subheading Impersonating A
-
-An impostor, @var{C} could steal the authenticator and the ticket as it
-is transmitted across the network, and use them to impersonate
-@var{A}. The address in the ticket and the authenticator was added to
-make it more difficult to perform this attack. To succeed @var{C} will
-have to either use the same machine as @var{A} or fake the source
-addresses of the packets. By including the time stamp in the
-authenticator, @var{C} does not have much time in which to mount the
-attack.
-
-@subheading Impersonating B
-
-@var{C} can masquerade @var{B}'s network address, and when @var{A} sends
-her credentials, @var{C} just pretend to verify them. @var{C} can't
-be sure that she is talking to @var{A}.
-
-@section Defense strategies
-
-It would be possible to add a @dfn{replay cache}
-@cindex replay cache
-to the server side. The idea is to save the authenticators sent during
-the last few minutes, so that @var{B} can detect when someone is trying
-to retransmit an already used message. This is somewhat impractical
-(mostly regarding efficiency), and is not part of Kerberos 4; MIT
-Kerberos 5 contains it.
-
-To authenticate @var{B}, @var{A} might request that @var{B} sends
-something back that proves that @var{B} has access to the session
-key. An example of this is the checksum that @var{A} sent as part of the
-authenticator. One typical procedure is to add one to the checksum,
-encrypt it with the session key and send it back to @var{A}. This is
-called @dfn{mutual authentication}.
-
-The session key can also be used to add cryptographic checksums to the
-messages sent between @var{A} and @var{B} (known as @dfn{message
-integrity}). Encryption can also be added (@dfn{message
-confidentiality}). This is probably the best approach in all cases.
-@cindex integrity
-@cindex confidentiality
-
-@section Further reading
-
-The original paper on Kerberos from 1988 is @cite{Kerberos: An
-Authentication Service for Open Network Systems}, by Jennifer Steiner,
-Clifford Neuman and Jeffrey I. Schiller.
-
-A less technical description can be found in @cite{Designing an
-Authentication System: a Dialogue in Four Scenes} by Bill Bryant, also
-from 1988.
-
-These and several other documents can be found on our web-page.
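Review bot: the "Different attacks" and "Defense strategies" sections deleted here are the only statement in this file of the protocol's known limits, namely that a stolen ticket and authenticator can be replayed within the timestamp window and that a replay cache "is not part of Kerberos 4; MIT Kerberos 5 contains it". If any Kerberos 4 consumer remains in the tree after this removal, carry that caveat into its documentation; otherwise note in the commit message that the code is removed together with these docs, so the deletion of whatis.texi does not leave shipped binaries without a description of what they do and do not protect against.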