Diffstat (limited to 'crypto/kerberosIV/doc')
-rw-r--r-- | crypto/kerberosIV/doc/Makefile.in | 78 | ||||
-rw-r--r-- | crypto/kerberosIV/doc/ack.texi | 106 | ||||
-rw-r--r-- | crypto/kerberosIV/doc/dir | 17 | ||||
-rw-r--r-- | crypto/kerberosIV/doc/index.texi | 6 | ||||
-rw-r--r-- | crypto/kerberosIV/doc/install.texi | 496 | ||||
-rw-r--r-- | crypto/kerberosIV/doc/intro.texi | 41 | ||||
-rw-r--r-- | crypto/kerberosIV/doc/kth-krb.texi | 303 | ||||
-rw-r--r-- | crypto/kerberosIV/doc/latin1.tex | 95 | ||||
-rw-r--r-- | crypto/kerberosIV/doc/problems.texi | 342 | ||||
-rw-r--r-- | crypto/kerberosIV/doc/setup.texi | 905 | ||||
-rw-r--r-- | crypto/kerberosIV/doc/whatis.texi | 137 |
11 files changed, 0 insertions, 2526 deletions
diff --git a/crypto/kerberosIV/doc/Makefile.in b/crypto/kerberosIV/doc/Makefile.in
deleted file mode 100644
index bbf870e..0000000
--- a/crypto/kerberosIV/doc/Makefile.in
+++ /dev/null
@@ -1,78 +0,0 @@
-# $Id: Makefile.in,v 1.19 1999/09/28 12:35:11 assar Exp $
-
-SHELL = /bin/sh
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
-MAKEINFO = @MAKEINFO@
-TEXI2DVI = texi2dvi
-TEXI2HTML = texi2html
-
-prefix = @prefix@
-infodir = @infodir@
-
-TEXI_SOURCES = ack.texi \
- index.texi \
- install.texi \
- intro.texi \
- kth-krb.texi \
- otp.texi \
- problems.texi \
- setup.texi \
- whatis.texi
-
-all: info
-
-install: all installdirs
- if test -f kth-krb.info; then \
- $(INSTALL_DATA) kth-krb.info $(DESTDIR)$(infodir)/kth-krb.info; \
- else \
- $(INSTALL_DATA) $(srcdir)/kth-krb.info $(DESTDIR)$(infodir)/kth-krb.info; \
- fi
- if test -f $(DESTDIR)$(infodir)/dir ; then :; else \
- $(INSTALL_DATA) $(srcdir)/dir $(DESTDIR)$(infodir)/dir; \
- fi
-if $(SHELL) -c 'install-info --version' >/dev/null 2>&1; then \
- install-info --dir-file=$(DESTDIR)$(infodir)/dir $(DESTDIR)$(infodir)/kth-krb.info; \
- else \
- true; \
- fi
-
-uninstall:
- rm -f $(DESTDIR)$(infodir)/kth-krb.info
-
-installdirs:
- $(MKINSTALLDIRS) $(DESTDIR)$(infodir)
-
-info: kth-krb.info
-
-kth-krb.info: $(TEXI_SOURCES)
- $(MAKEINFO) --no-split -I$(srcdir) -o $@ $(srcdir)/kth-krb.texi
-
-dvi: kth-krb.dvi
-
-kth-krb.dvi: $(TEXI_SOURCES)
- $(TEXI2DVI) $(srcdir)/kth-krb.texi
-
-html: kth-krb.html
-
-kth-krb.html: $(TEXI_SOURCES)
- $(TEXI2HTML) $(srcdir)/kth-krb.texi
-
-clean:
- rm -f *.aux *.cp *.cps *.dvi *.fn *.ky *.log *.pg *.toc *.tp *.vr
-
-distclean: clean
-
-mostlyclean: clean
-
-maintainer-clean: clean
- rm -f *.info*
-
-check:
-
-.PHONY: all install uninstall installdirs info dvi html clean distclean mostlyclean maintainer-clean check
diff --git a/crypto/kerberosIV/doc/ack.texi b/crypto/kerberosIV/doc/ack.texi
deleted file mode 100644
index 327220c..0000000
--- a/crypto/kerberosIV/doc/ack.texi
+++ /dev/null
@@ -1,106 +0,0 @@
-@node Acknowledgments, Index, Resolving frequent problems, Top
-@comment node-name, next, previous, up
-@appendix Acknowledgments
-
-People from the MIT Athena project wrote the original code that this is
-based on. @w{Kerberos 4} @w{patch-level 9} was stripped of both the
-encryption functions and the calls to them. This was exported from the
-US as the ``Bones'' release. Eric Young put back the calls and hooked
-in his libdes, thereby creating the ``eBones'' release.
-@cindex Bones
-@cindex eBones
-
-The ``rcmd'' programs where initially developed at the University of
-California at Berkeley and then hacked on by the FreeBSD and NetBSD
-projects.
-
-Berkeley also wrote @code{ftp}, @code{ftpd}, @code{telnet}, and
-@code{telnetd}. The authentication and encryption code of @code{telnet}
-and @code{telnetd} was added by David Borman (then of Cray Research,
-Inc). The encryption code was removed when this was exported and then
-added back by Juha Eskelinen, @code{<esc@@magic.fi>}.
-
-The @code{popper} was also a Berkeley program initially.
-
-The @code{login} has the same origins but has received code written by
-Wietse Venema at Eindhoven University of Technology, The Netherlands.
-
-@code{movemail} was (at least partially) written by Jonathan Kamens,
-@code{<jik@@security.ov.com>}, and is Copyright @copyright{} 1986, 1991,
-1992, 1993, 1994 Free Software Foundation, Inc.
-
-@code{xnlock} was originally written by Dan Heller in 1985 for sunview.
-The X version was written by him in 1990.
-
-Some of the functions in @file{libroken} also come from Berkeley by the
-way of NetBSD/FreeBSD.
-
-The code to handle the dynamic loading of the AFS module for AIX is
-copyright @copyright{} 1992 HELIOS Software GmbH 30159 Hannover,
-Germany.
-
-@code{editline} was written by Simmule Turner and Rich Salz.
-
-Bugfixes and code has been contributed by:
-@table @asis
-@item Derrick J Brashear
-@code{<shadow@@dementia.org>}
-@item Anders Gertz
-@code{<gertz@@lysator.liu.se>}
-@item Dejan Ilic
-@code{<svedja@@lysator.liu.se>}
-@item Kent Engström
-@code{<kent@@lysator.liu.se>}
-@item Simon Josefsson
-@code{<jas@@pdc.kth.se>}
-@item Robert Malmgren
-@code{<rom@@incolumitas.se>}
-@item Fredrik Ljungberg
-@code{<flag@@astrogator.se>}
-@item Joakim Fallsjö
-@code{jfa@@pobox.se}
-@item Lars Malinowsky
-@code{<lama@@pdc.kth.se>}
-@item Fabien Coelho
-@code{<coelho@@cri.ensmp.fr>}
-@item Chris Chiappa
-@code{<griffon+@@cmu.edu>}
-@item Gregory S. Stark
-@code{<gsstark@@mit.edu>}
-@item Love Hörnquist-Åstrand
-@code{<lha@@stacken.kth.se>}
-@item Daniel Staaf
-@code{<d96-dst@@nada.kth.se>}
-@item Magnus Ahltorp
-@code{<map@@stacken.kth.se>}
-@item Robert Burgess
-@code{<rb@@stacken.kth.se>}
-@item Lars Arvestad
-@code{<arve@@nada.kth.se>}
-@item Jörgen Wahlsten
-@code{<wahlsten@@pathfinder.com>}
-@item Daniel Staaf
-@code{<d96-dst@@nada.kth.se>}
-@item R Lindsay Todd
-@code{<toddr@@rpi.edu>}
-@item Åke Sandgren
-@code{<ake@@cs.umu.se>}
-@item Thomas Nyström
-@code{<thn@@stacken.kth.se>}
-@item and we hope that those not mentioned here will forgive us.
-@end table
-
-Ian Marsh @code{<ianm@@sics.se>} removed the worst abuses of the English
-language from this text.
-
-Ilja Hallberg @code{<iha@@incolumitas.se>} is still promising to help us
-finish the documentation.
-
-This work was supported in part by SUNET and the Centre for Parallel
-Computers at KTH.
-
-The port to Windows 95/NT was supported by the Computer Council at KTH
-and done by Jörgen Karlsson @code{<d93-jka@@nada.kth.se>}.
-
-All the bugs were introduced by ourselves.
-
diff --git a/crypto/kerberosIV/doc/dir b/crypto/kerberosIV/doc/dir
deleted file mode 100644
index 911f622..0000000
--- a/crypto/kerberosIV/doc/dir
+++ /dev/null
@@ -1,17 +0,0 @@
-$Id: dir,v 1.1 1997/06/12 16:15:21 joda Exp $
-This is the file .../info/dir, which contains the topmost node of the
-Info hierarchy. The first time you invoke Info you start off
-looking at that node, which is (dir)Top.
-
-File: dir Node: Top This is the top of the INFO tree
-
- This (the Directory node) gives a menu of major topics.
- Typing "q" exits, "?" lists all Info commands, "d" returns here,
- "h" gives a primer for first-timers,
- "mEmacs<Return>" visits the Emacs topic, etc.
-
- In Emacs, you can click mouse button 2 on a menu item or cross reference
- to select it.
-
-* Menu:
-
diff --git a/crypto/kerberosIV/doc/index.texi b/crypto/kerberosIV/doc/index.texi
deleted file mode 100644
index ebe5d91..0000000
--- a/crypto/kerberosIV/doc/index.texi
+++ /dev/null
@@ -1,6 +0,0 @@
-@node Index, , Acknowledgments, Top
-@comment node-name, next, previous, up
-@unnumbered Index
-
-@printindex cp
-
diff --git a/crypto/kerberosIV/doc/install.texi b/crypto/kerberosIV/doc/install.texi
deleted file mode 100644
index 26d2abf..0000000
--- a/crypto/kerberosIV/doc/install.texi
+++ /dev/null
@@ -1,496 +0,0 @@ -@node Installing programs, How to set up a realm, What is Kerberos?, Top -@chapter Installing programs - -You have a choise to either build the distribution from source code or -to install binaries, if they are available for your machine. - -@c XXX - -We recommend building from sources, but using pre-compiled binaries -might be easier. If there are no binaries available for your machine or -you want to do some specific configuration, you will have to compile -from source. - -@menu -* Installing from source:: -* Installing a binary distribution:: -* Finishing the installation:: -* .klogin:: -* Authentication modules:: -@end menu - -@node Installing from source, Installing a binary distribution, Installing programs, Installing programs -@comment node-name, next, previous, up -@section Installing from source - -To build this software un-tar the distribution and run the -@code{configure} script. - -To compile successfully, you will need an ANSI C compiler, such as -@code{gcc}. Other compilers might also work, but setting the ``ANSI -compliance'' too high, might break in parts of the code, not to mention -the standard include files. - -To build in a separate build tree, run @code{configure} in the directory -where the tree should reside. You will need a Make that understands -VPATH correctly. GNU Make works fine. - -After building everything (which will take anywhere from a few minutes -to a long time), you can install everything in @file{/usr/athena} with -@kbd{make install} (running as root). It is possible to install in some -other place, but it isn't recommended. To do this you will have to run -@code{configure} with @samp{--prefix=/my/path}. - -If you need to change the default behavior, configure understands the -following options: - -@table @asis -@item @kbd{--enable-shared} -Create shared versions of the Kerberos libraries. Not really -recommended and might not work on all systems. 
- -@item @kbd{--with-ld-flags=}@var{flags} -This allows you to specify which extra flags to pass to @code{ld}. Since -this @emph{overrides} any choices made by configure, you should only use -this if you know what you are doing. - -@item @kbd{--with-cracklib=}@var{dir} -Use cracklib for password quality control in -@pindex kadmind -@code{kadmind}. This option requires -@cindex cracklib -cracklib with the patch from -@url{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}. - -@item @kbd{--with-dictpath=}@var{dictpath} -This is the dictionary that cracklib should use. - -@item @kbd{--with-socks=}@var{dir} -@cindex firewall -@cindex socks -If you have to traverse a firewall and it uses the SocksV5 protocol -(@cite{RFC 1928}), you can build with socks-support. Point @var{dir} to -the directory where you have socks5 installed. For more information -about socks see @url{http://www.socks.nec.com/}. - -@item @kbd{--with-readline=}@var{dir} -@cindex readline -To enable history/line editing in @code{ftp} and @code{kadmin}, any -present version of readline will be used. If you have readline -installed but in a place where configure does not manage to find it, -you can use this option. The code also looks for @code{libedit}. If -there is no library at all, the bundled version of @code{editline} will -be used. - -@item @kbd{--with-mailspool=}@var{dir} -The configuration process tries to determine where your machine stores -its incoming mail. This is typically @file{/usr/spool/mail} or -@file{/var/mail}. If it does not work or you store your mail in some -unusual directory, this option can be used to specify where the mail -spool directory is located. This directory is only accessed by -@pindex popper -@code{popper}, and the mail check in -@pindex login -@code{login}. - -@item @kbd{--with-hesiod=}@var{dir} -@cindex Hesiod -Enable the Hesiod support in -@pindex push -@code{push}. With this option, it will try -to use the hesiod library to locate the mail post-office for the user. 
- -@c @item @kbd{--enable-random-mkey} -@c Do not use this option unless you think you know what you are doing. - -@item @kbd{--with-mkey=}@var{file} -Put the master key here, the default is @file{/.k}. - -@item @kbd{--with-db-dir=}@var{dir} -Where the kerberos database should be stored. The default is -@file{/var/kerberos}. - -@item @kbd{--without-berkeley-db} -If you have -@cindex Berkeley DB -Berkeley DB installed, it is preferred over -@c XXX -dbm. If you already are running Kerberos this option might be useful, -since there currently isn't an easy way to convert a dbm database to a -db one (you have to dump the old database and then load it with the new -binaries). - -@item @kbd{--without-afs-support} -Do not include AFS support. - -@item @kbd{--with-afsws=}@var{dir} -Where your AFS client installation resides. The default is -@file{/usr/afsws}. - -@item @kbd{--enable-rxkad} -Build the rxkad library. Normally automatically included if there is AFS. - -@item @kbd{--disable-dynamic-afs} -The AFS support in AIX consists of a shared library that is loaded at -runtime. This option disables this, and links with static system -calls. Doing this will make the built binaries crash on a machine that -doesn't have AFS in the kernel (for instance if the AFS module fails to -load at boot). - -@item @kbd{--with-mips-api=}@var{api} -This option enables creation of different types of binaries on Irix. -The allowed values are @kbd{32}, @kbd{n32}, and @kbd{64}. - -@item @kbd{--enable-legacy-kdestroy} -This compile-time option creates a @code{kdestroy} that does not destroy -any AFS tokens. - -@item @kbd{--disable-otp} -Do not build the OTP (@pxref{One-Time Passwords}) library and programs, -and do not include OTP support in the application programs. - -@item @kbd{--enable-match-subdomains} -Normally, the host @samp{host.domain} will be considered to be part of -the realm @samp{DOMAIN}. 
With this option will also enable hosts of the -form @samp{host.sub.domain}, @samp{host.sub1.sub2.domain}, and so on to -be considered part of the realm @samp{DOMAIN}. - -@item @kbd{--enable-osfc2} -Enable the use of enhanced C2 security on OSF/1. @xref{Digital SIA}. - -@item @kbd{--disable-mmap} -Do not use the mmap system call. Normally, configure detects if there -is a working mmap and it is only used if there is one. Only try this -option if it fails to work anyhow. - -@item @kbd{--disable-cat-manpages} -Do not install preformatted man pages. - -@c --with-des-quad-checksum - -@end table - -@node Installing a binary distribution, Finishing the installation, Installing from source, Installing programs -@comment node-name, next, previous, up -@section Installing a binary distribution - -The binary distribution is supposed to be installed in -@file{/usr/athena}, installing in some other place may work but is not -recommended. A symlink from @file{/usr/athena} to the install directory -should be fine. - -@node Finishing the installation, .klogin, Installing a binary distribution, Installing programs -@section Finishing the installation - -@pindex su -The only program that needs to be installed setuid to root is @code{su}. - -If -@pindex rlogin -@pindex rsh -@code{rlogin} and @code{rsh} are setuid to root they will fall back to -non-kerberised protocols if the kerberised ones fail for some -reason. The old protocols use reserved ports as security, and therefore -the programs have to be setuid to root. If you don't need this -functionality consider turning off the setuid bit. - -@pindex login -@code{login} does not have to be setuid, as it is always run by root -(users should use @code{su} rather than @code{login}). It will print a -helpful message when not setuid to root and run by a user. - -The programs intended to be run by users are located in -@file{/usr/athena/bin}. 
Inform your users to include -@file{/usr/athena/bin} in their paths, or copy or symlink the binaries -to some good place. The programs that you will want to use are: -@code{kauth}/@code{kinit}, -@pindex kauth -@pindex kinit -@code{klist}, @code{kdestroy}, @code{kpasswd}, @code{ftp}, -@pindex klist -@pindex kdestroy -@pindex kpasswd -@pindex ftp -@code{telnet}, @code{rcp}, @code{rsh}, @code{rlogin}, @code{su}, -@pindex telnet -@pindex rcp -@pindex rsh -@pindex rlogin -@pindex su -@pindex xnlock -@pindex afslog -@pindex pagsh -@pindex rxtelnet -@pindex tenletxr -@pindex rxterm -@code{rxtelnet}, @code{tenletxr}, @code{rxterm}, and -@code{xnlock}. If you are using AFS, @code{afslog} and @code{pagsh} -might also be useful. Administrators will want to use @code{kadmin} and -@code{ksrvutil}, which are located in @file{/usr/athena/sbin}. -@pindex kadmin -@pindex ksrvutil - -@code{telnetd} and @code{rlogind} assume that @code{login} is located in -@file{/usr/athena/bin} (or whatever path you used as -@samp{--prefix}). If for some reason you want to move @code{login}, you -will have to specify the new location with the @samp{-L} switch when -configuring -@pindex telnetd -telnetd -and -@pindex rlogind -rlogind -in @file{inetd.conf}. - -It should be possible to replace the system's default @code{login} with -the kerberised @code{login}. However some systems assume that login -performs some serious amount of magic that our login might not do (although -we've tried to do our best). So before replacing it on every machine, -try and see what happens. Another thing to try is to use one of the -authentication modules (@pxref{Authentication modules}) supplied. - -The @code{login} program that we use was in an earlier life the standard -login program from NetBSD. In order to use it with a lot of weird -systems, it has been ``enhanced'' with features from many other logins -(Solaris, SunOS, IRIX, AIX, and others). 
Some of these features are -actually useful and you might want to use them even on other systems. - -@table @file -@item /etc/fbtab -@pindex fbtab -@itemx /etc/logindevperm -@pindex logindevperm -Allows you to chown some devices when a user logs in on a certain -terminal. Commonly used to change the ownership of @file{/dev/mouse}, -@file{/dev/kbd}, and other devices when someone logs in on -@file{/dev/console}. - -@file{/etc/fbtab} is the SunOS file name and it is tried first. If -there is no such file then the Solaris file name -@file{/etc/logindevperm} is tried. -@item /etc/environment -@pindex environment -This file specifies what environment variables should be set when a user -logs in. (AIX-style) -@item /etc/default/login -@pindex default/login -Almost the same as @file{/etc/environment}, but the System V style. -@item /etc/login.access -@pindex login.access -Can be used to control who is allowed to login from where and on what -ttys. (From Wietse Venema) -@end table - -@menu -* .klogin:: -* Authentication modules:: -@end menu - -@node .klogin, Authentication modules, Finishing the installation, Installing programs -@comment node-name, next, previous, up - -Each user can have an authorization file @file{~@var{user}/.klogin} -@pindex .klogin -that -determines what principals can login as that user. It is similar to the -@file{~user/.rhosts} except that it does not use IP and privileged-port -based authentication. If this file does not exist, the user herself -@samp{user@@LOCALREALM} will be allowed to login. Supplementary local -realms (@pxref{Install the configuration files}) also apply here. If the -file exists, it should contain the additional principals that are to -be allowed to login as the local user @var{user}. 
- -This file is consulted by most of the daemons (@code{rlogind}, -@code{rshd}, @code{ftpd}, @code{telnetd}, @code{popper}, @code{kauthd}, and -@code{kxd}) -@pindex rlogind -@pindex rshd -@pindex ftpd -@pindex telnetd -@pindex popper -@pindex kauthd -@pindex kxd -to determine if the -principal requesting a service is allowed to receive it. It is also -used by -@pindex su -@code{su}, which is a good way of keeping an access control list (ACL) -on who is allowed to become root. Assuming that @file{~root/.klogin} -contains: - -@example -nisse.root@@FOO.SE -lisa.root@@FOO.SE -@end example - -both nisse and lisa will be able to su to root by entering the password -of their root instance. If that fails or if the user is not listed in -@file{~root/.klogin}, @code{su} falls back to the normal policy of who -is permitted to su. Also note that that nisse and lisa can login -with e.g. @code{telnet} as root provided that they have tickets for -their root instance. - -@node Authentication modules, , .klogin, Installing programs -@comment node-name, next, previous, up -@section Authentication modules -The problem of having different authentication mechanisms has been -recognised by several vendors, and several solutions has appeared. In -most cases these solutions involve some kind of shared modules that are -loaded at run-time. Modules for some of these systems can be found in -@file{lib/auth}. Presently there are modules for Digital's SIA, -Solaris' and Linux' PAM, and IRIX' @code{login} and @code{xdm} (in -@file{lib/auth/afskauthlib}). - -@menu -* Digital SIA:: -* IRIX:: -* PAM:: -@end menu - -@node Digital SIA, IRIX, Authentication modules, Authentication modules -@subsection Digital SIA - -To install the SIA module you will have to do the following: - -@itemize @bullet - -@item -Make sure @file{libsia_krb4.so} is available in -@file{/usr/athena/lib}. If @file{/usr/athena} is not on local disk, you -might want to put it in @file{/usr/shlib} or someplace else. 
If you do, -you'll have to edit @file{krb4_matrix.conf} to reflect the new location -(you will also have to do this if you installed in some other directory -than @file{/usr/athena}). If you built with shared libraries, you will -have to copy the shared @file{libkrb.so}, @file{libdes.so}, -@file{libkadm.so}, and @file{libkafs.so} to a place where the loader can -find them (such as @file{/usr/shlib}). -@item -Copy (your possibly edited) @file{krb4_matrix.conf} to @file{/etc/sia}. -@item -Apply @file{security.patch} to @file{/sbin/init.d/security}. -@item -Turn on KRB4 security by issuing @kbd{rcmgr set SECURITY KRB4} and -@kbd{rcmgr set KRB4_MATRIX_CONF krb4_matrix.conf}. -@item -Digital thinks you should reboot your machine, but that really shouldn't -be necessary. It's usually sufficient just to run -@kbd{/sbin/init.d/security start} (and restart any applications that use -SIA, like @code{xdm}.) -@end itemize - -Users with local passwords (like @samp{root}) should be able to login -safely. - -When using Digital's xdm the @samp{KRBTKFILE} environment variable isn't -passed along as it should (since xdm zaps the environment). Instead you -have to set @samp{KRBTKFILE} to the correct value in -@file{/usr/lib/X11/xdm/Xsession}. Add a line similar to -@example -KRBTKFILE=/tmp/tkt`id -u`_`ps -o ppid= -p $$`; export KRBTKFILE -@end example -If you use CDE, @code{dtlogin} allows you to specify which additional -environment variables it should export. To add @samp{KRBTKFILE} to this -list, edit @file{/usr/dt/config/Xconfig}, and look for the definition of -@samp{exportList}. You want to add something like: -@example -Dtlogin.exportList: KRBTKFILE -@end example - -@subsubheading Notes to users with Enhanced security - -Digital's @samp{ENHANCED} (C2) security, and Kerberos solves two -different problems. C2 deals with local security, adds better control of -who can do what, auditing, and similar things. Kerberos deals with -network security. 
- -To make C2 security work with Kerberos you will have to do the -following. - -@itemize @bullet -@item -Replace all occurencies of @file{krb4_matrix.conf} with -@file{krb4+c2_matrix.conf} in the directions above. -@item -You must enable ``vouching'' in the @samp{default} database. This will -make the OSFC2 module trust other SIA modules, so you can login without -giving your C2 password. To do this use @samp{edauth} to edit the -default entry @kbd{/usr/tcb/bin/edauth -dd default}, and add a -@samp{d_accept_alternate_vouching} capability, if not already present. -@item -For each user that does @emph{not} have a local C2 password, you should -set the password expiration field to zero. You can do this for each -user, or in the @samp{default} table. To do this use @samp{edauth} to -set (or change) the @samp{u_exp} capability to @samp{u_exp#0}. -@item -You also need to be aware that the shipped @file{login}, @file{rcp}, and -@file{rshd}, doesn't do any particular C2 magic (such as checking to -various forms of disabled accounts), so if you rely on those features, -you shouldn't use those programs. If you configure with -@samp{--enable-osfc2}, these programs will, however, set the login -UID. Still: use at your own risk. -@end itemize - -At present @samp{su} does not accept the vouching flag, so it will not -work as expected. - -Also, kerberised ftp will not work with C2 passwords. You can solve this -by using both Digital's ftpd and our on different ports. - -@strong{Remember}, if you do these changes you will get a system that -most certainly does @emph{not} fulfill the requirements of a C2 -system. If C2 is what you want, for instance if someone else is forcing -you to use it, you're out of luck. If you use enhanced security because -you want a system that is more secure than it would otherwise be, you -probably got an even more secure system. Passwords will not be sent in -the clear, for instance. 
- -@node IRIX, PAM, Digital SIA, Authentication modules -@subsection IRIX - -The IRIX support is a module that is compatible with Transarc's -@file{afskauthlib.so}. It should work with all programs that use this -library, this should include @file{login} and @file{xdm}. - -The interface is not very documented but it seems that you have to copy -@file{libkafs.so}, @file{libkrb.so}, and @file{libdes.so} to -@file{/usr/lib}, or build your @file{afskauthlib.so} statically. - -The @file{afskauthlib.so} itself is able to reside in -@file{/usr/vice/etc}, @file{/usr/afsws/lib}, or the current directory -(wherever that is). - -IRIX 6.4 and newer seems to have all programs (including @file{xdm} and -@file{login}) in the N32 object format, whereas in older versions they -were O32. For it to work, the @file{afskauthlib.so} library has to be in -the same object format as the program that tries to load it. This might -require that you have to configure and build for O32 in addition to the -default N32. - -Appart from this it should ``just work'', there are no configuration -files. - -@node PAM, , IRIX, Authentication modules -@subsection PAM - -The PAM module was written more out of curiosity that anything else. It -has not been updated for quite a while, but it seems to mostly work on -both Linux and Solaris. - -To use this module you should: - -@itemize @bullet -@item -Make sure @file{pam_krb4.so} is available in @file{/usr/athena/lib}. You -might actually want it on local disk, so @file{/lib/security} might be a -better place if @file{/usr/athena} is not local. -@item -Look at @file{pam.conf.add} for examples of what to add to -@file{/etc/pam.conf}. -@end itemize - -There is currently no support for changing kerberos passwords. Use -kpasswd instead. - -See also Derrick J Brashear's @code{<shadow@@dementia.org>} Kerberos PAM -module at @* @url{ftp://ftp.dementia.org/pub/pam}. It has a lot more -features, and it is also more in line with other PAM modules. 
diff --git a/crypto/kerberosIV/doc/intro.texi b/crypto/kerberosIV/doc/intro.texi deleted file mode 100644 index 7a28533..0000000 --- a/crypto/kerberosIV/doc/intro.texi +++ /dev/null @@ -1,41 +0,0 @@ -@node Introduction, What is Kerberos?, Top, Top -@comment node-name, next, previous, up -@chapter Introduction - -This is an attempt at documenting the Kerberos 4 distribution from -Kungliga Tekniska Högskolan (the Royal Institute of Technology in -Stockholm, Sweden). This distribution is based on eBones, but has been -improved in many ways. It is more portable, and several new features -have been added. It should run on any reasonably modern unix-like -system. - -In addition, some part compile and work on: - -@itemize @bullet -@item -OS/2 with EMX -@item -Windows 95/NT with gnu-win32 (with the proper amount of magic the -libraries should compile with Microsoft C as well) -@end itemize - -It should work on anything that is almost POSIX, has an ANSI C -compiler, a dbm library (for the server side), and BSD Sockets. - -A web-page is available at @url{http://www.pdc.kth.se/kth-krb/}. - -@heading Bug reports - -If you cannot build the programs or they do not behave as you think they -should, please send us a bug report. The bug report should be sent to -@code{<kth-krb-bugs@@pdc.kth.se>}. Please include information on what -machine and operating system (including version) you are running, what -you are trying to do, what happens, what you think should have happened, -an example for us to repeat, the output you get when trying the example, -and a patch for the problem if you have one. Please make any patches -with @code{diff -u} or @code{diff -c}. The more detailed the bug report -is, the easier it will be for us to reproduce, understand, and fix it. - -Suggestions, comments and other non bug reports are welcome. Send them -to @code{<kth-krb@@pdc.kth.se>}. - 
diff --git a/crypto/kerberosIV/doc/kth-krb.texi b/crypto/kerberosIV/doc/kth-krb.texi deleted file mode 100644 index 7898dff..0000000 --- a/crypto/kerberosIV/doc/kth-krb.texi +++ /dev/null 
@@ -1,303 +0,0 @@
-\input texinfo @c -*- texinfo -*-
-@c %**start of header
-@c $Id: kth-krb.texi,v 1.80 1999/12/02 16:58:35 joda Exp $
-@c $FreeBSD$
-@setfilename kth-krb.info
-@settitle KTH-KRB
-@iftex
-@afourpaper
-@end iftex
-@c some sensible characters, please?
-@tex
-\input latin1.tex
-@end tex
-@setchapternewpage on
-@syncodeindex pg cp
-@c %**end of header
-
-@ifinfo
-@dircategory Kerberos
-@direntry
-* Kth-krb: (kth-krb). The Kerberos IV distribution from KTH
-@end direntry
-@end ifinfo
-
-@c title page
-@titlepage
-@title KTH-KRB
-@subtitle Kerberos 4 from KTH
-@subtitle For release 0.10.
-@subtitle 1999
-@author Johan Danielsson
-@author Assar Westerlund
-@author last updated $Date: 1999/12/02 16:58:35 $
-
-@def@copynext{@vskip 20pt plus 1fil@penalty-1000}
-@def@copyrightstart{}
-@def@copyrightend{}
-@page
-@copyrightstart
-Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
-(Royal Institute of Technology, Stockholm, Sweden).
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
-3. Neither the name of the Institute nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED.
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
-@copynext
-
-Copyright (C) 1995 Eric Young (eay@@mincom.oz.au)
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-1. Redistributions of source code must retain the copyright
- notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
-3. All advertising materials mentioning features or use of this software
- must display the following acknowledgement:
- This product includes software developed by Eric Young (eay@@mincom.oz.au)
-
-THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
-@copynext
-
-Copyright (c) 1983, 1990 The Regents of the University of California.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
-3. All advertising materials mentioning features or use of this software
- must display the following acknowledgement:
- This product includes software developed by the University of
- California, Berkeley and its contributors.
-
-4. Neither the name of the University nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED.
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
-@copynext
-
-Copyright (C) 1990 by the Massachusetts Institute of Technology
-
-Export of this software from the United States of America is assumed
-to require a specific license from the United States Government.
-It is the responsibility of any person or organization contemplating
-export to obtain such a license before exporting.
-
-WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-distribute this software and its documentation for any purpose and
-without fee is hereby granted, provided that the above copyright
-notice appear in all copies and that both that copyright notice and
-this permission notice appear in supporting documentation, and that
-the name of M.I.T. not be used in advertising or publicity pertaining
-to distribution of the software without specific, written prior
-permission. M.I.T. makes no representations about the suitability of
-this software for any purpose. It is provided "as is" without express
-or implied warranty.
-
-@copynext
-
-Copyright 1987, 1989 by the Student Information Processing Board
- of the Massachusetts Institute of Technology
-
-Permission to use, copy, modify, and distribute this software
-and its documentation for any purpose and without fee is
-hereby granted, provided that the above copyright notice
-appear in all copies and that both that copyright notice and
-this permission notice appear in supporting documentation,
-and that the names of M.I.T. and the M.I.T. S.I.P.B.
not be
-used in advertising or publicity pertaining to distribution
-of the software without specific, written prior permission.
-M.I.T. and the M.I.T. S.I.P.B. make no representations about
-the suitability of this software for any purpose. It is
-provided "as is" without express or implied warranty.
-
-@copynext
-
-Copyright 1992 Simmule Turner and Rich Salz. All rights reserved.
-
-This software is not subject to any license of the American Telephone
-and Telegraph Company or of the Regents of the University of California.
-
-Permission is granted to anyone to use this software for any purpose on
-any computer system, and to alter it and redistribute it freely, subject
-to the following restrictions:
-
-1. The authors are not responsible for the consequences of use of this
- software, no matter how awful, even if they arise from flaws in it.
-
-2. The origin of this software must not be misrepresented, either by
- explicit claim or by omission. Since few users ever read sources,
- credits must appear in the documentation.
-
-3. Altered versions must be plainly marked as such, and must not be
- misrepresented as being the original software. Since few users
- ever read sources, credits must appear in the documentation.
-
-4. This notice may not be removed or altered.
-
-@copyrightend
-@end titlepage
-
-@c Less filling! Tastes great!
-@iftex
-@parindent=0pt
-@global@parskip 6pt plus 1pt
-@global@chapheadingskip = 15pt plus 4pt minus 2pt
-@global@secheadingskip = 12pt plus 3pt minus 2pt
-@global@subsecheadingskip = 9pt plus 2pt minus 2pt
-@end iftex
-@ifinfo
-@paragraphindent 0
-@end ifinfo
-
-@ifinfo
-@node Top, Introduction, (dir), (dir)
-@top KTH-krb
-@end ifinfo
-
-@menu
-* Introduction::
-* What is Kerberos?::
-* Installing programs::
-* How to set up a realm::
-* One-Time Passwords::
-* Resolving frequent problems::
-* Acknowledgments::
-* Index::
-
-@detailmenu
- --- The Detailed Node Listing ---
-Installing programs
-
-* Installing from source::
-* Installing a binary distribution::
-* Finishing the installation::
-* Authentication modules::
-
-Finishing the installation
-
-* Authentication modules::
-
-Authentication modules
-
-* Digital SIA::
-* IRIX::
-* PAM::
-
-How to set up a realm
-
-* How to set up the kerberos server::
-* Install the client programs::
-* Install the kerberised services::
-* Install a slave kerberos server::
-* Cross-realm functionality ::
-
-How to set up the kerberos server
-
-* Choose a realm name::
-* Choose a kerberos server::
-* Install the configuration files::
-* Install the /etc/services::
-* Install the kerberos server::
-* Set up the server::
-* Add a few important principals::
-* Start the server::
-* Try to get tickets::
-* Create initial ACL for the admin server::
-* Start the admin server::
-* Add users to the database::
-* Automate the startup of the servers::
-
-One-Time Passwords
-
-* What are one time passwords?::
-* When to use one time passwords?::
-* Configuring OTPs::
-
-Resolving frequent problems
-
-* Problems compiling Kerberos::
-* Problems with firewalls::
-* Common error messages::
-* Is Kerberos year 2000 safe?::
-
-@end detailmenu
-@end menu
-
-@include intro.texi
-@include whatis.texi
-@include install.texi
-@include setup.texi
-@include otp.texi
-@include problems.texi
-@include ack.texi
-@include index.texi
-
-@c @shortcontents
-@contents
-
-@bye
diff --git a/crypto/kerberosIV/doc/latin1.tex b/crypto/kerberosIV/doc/latin1.tex
deleted file mode 100644
index e683dd2..0000000
--- a/crypto/kerberosIV/doc/latin1.tex
+++ /dev/null
@@ -1,95 +0,0 @@
-% ISO Latin 1 (ISO 8859/1) encoding for Computer Modern fonts.
-% Jan Michael Rynning <jmr@nada.kth.se> 1990-10-12
-\def\inmathmode#1{\relax\ifmmode#1\else$#1$\fi}
-\global\catcode`\^^a0=\active \global\let^^a0=~ % no-break space
-\global\catcode`\^^a1=\active \global\def^^a1{!`} % inverted exclamation mark
-\global\catcode`\^^a2=\active \global\def^^a2{{\rm\rlap/c}} % cent sign
-\global\catcode`\^^a3=\active \global\def^^a3{{\it\$}} % pound sign
-% currency sign, yen sign, broken bar
-\global\catcode`\^^a7=\active \global\let^^a7=\S % section sign
-\global\catcode`\^^a8=\active \global\def^^a8{\"{}} % diaeresis
-\global\catcode`\^^a9=\active \global\let^^a9=\copyright % copyright sign
-% feminine ordinal indicator, left angle quotation mark
-\global\catcode`\^^ac=\active \global\def^^ac{\inmathmode\neg}% not sign
-\global\catcode`\^^ad=\active \global\let^^ad=\- % soft hyphen
-% registered trade mark sign
-\global\catcode`\^^af=\active \global\def^^af{\={}} % macron
-% ...
-\global\catcode`\^^b1=\active \global\def^^b1{\inmathmode\pm} % plus minus
-\global\catcode`\^^b2=\active \global\def^^b2{\inmathmode{{^2}}}
-\global\catcode`\^^b3=\active \global\def^^b3{\inmathmode{{^3}}}
-\global\catcode`\^^b4=\active \global\def^^b4{\'{}} % acute accent
-\global\catcode`\^^b5=\active \global\def^^b5{\inmathmode\mu} % mu
-\global\catcode`\^^b6=\active \global\let^^b6=\P % pilcroy
-\global\catcode`\^^b7=\active \global\def^^b7{\inmathmode{{\cdot}}}
-\global\catcode`\^^b8=\active \global\def^^b8{\c{}} % cedilla
-\global\catcode`\^^b9=\active \global\def^^b9{\inmathmode{{^1}}}
-% ...
-\global\catcode`\^^bc=\active \global\def^^bc{\inmathmode{{1\over4}}}
-\global\catcode`\^^bd=\active \global\def^^bd{\inmathmode{{1\over2}}}
-\global\catcode`\^^be=\active \global\def^^be{\inmathmode{{3\over4}}}
-\global\catcode`\^^bf=\active \global\def^^bf{?`} % inverted question mark
-\global\catcode`\^^c0=\active \global\def^^c0{\`A}
-\global\catcode`\^^c1=\active \global\def^^c1{\'A}
-\global\catcode`\^^c2=\active \global\def^^c2{\^A}
-\global\catcode`\^^c3=\active \global\def^^c3{\~A}
-\global\catcode`\^^c4=\active \global\def^^c4{\"A} % capital a with diaeresis
-\global\catcode`\^^c5=\active \global\let^^c5=\AA % capital a with ring above
-\global\catcode`\^^c6=\active \global\let^^c6=\AE
-\global\catcode`\^^c7=\active \global\def^^c7{\c C}
-\global\catcode`\^^c8=\active \global\def^^c8{\`E}
-\global\catcode`\^^c9=\active \global\def^^c9{\'E}
-\global\catcode`\^^ca=\active \global\def^^ca{\^E}
-\global\catcode`\^^cb=\active \global\def^^cb{\"E}
-\global\catcode`\^^cc=\active \global\def^^cc{\`I}
-\global\catcode`\^^cd=\active \global\def^^cd{\'I}
-\global\catcode`\^^ce=\active \global\def^^ce{\^I}
-\global\catcode`\^^cf=\active \global\def^^cf{\"I}
-% capital eth
-\global\catcode`\^^d1=\active \global\def^^d1{\~N}
-\global\catcode`\^^d2=\active \global\def^^d2{\`O}
-\global\catcode`\^^d3=\active \global\def^^d3{\'O}
-\global\catcode`\^^d4=\active \global\def^^d4{\^O}
-\global\catcode`\^^d5=\active \global\def^^d5{\~O}
-\global\catcode`\^^d6=\active \global\def^^d6{\"O} % capital o with diaeresis
-\global\catcode`\^^d7=\active \global\def^^d7{\inmathmode\times}% multiplication sign
-\global\catcode`\^^d8=\active \global\let^^d8=\O
-\global\catcode`\^^d9=\active \global\def^^d9{\`U}
-\global\catcode`\^^da=\active \global\def^^da{\'U}
-\global\catcode`\^^db=\active \global\def^^db{\^U}
-\global\catcode`\^^dc=\active \global\def^^dc{\"U}
-\global\catcode`\^^dd=\active \global\def^^dd{\'Y}
-% capital thorn
-\global\catcode`\^^df=\active \global\def^^df{\ss}
-\global\catcode`\^^e0=\active \global\def^^e0{\`a}
-\global\catcode`\^^e1=\active \global\def^^e1{\'a}
-\global\catcode`\^^e2=\active \global\def^^e2{\^a}
-\global\catcode`\^^e3=\active \global\def^^e3{\~a}
-\global\catcode`\^^e4=\active \global\def^^e4{\"a} % small a with diaeresis
-\global\catcode`\^^e5=\active \global\let^^e5=\aa % small a with ring above
-\global\catcode`\^^e6=\active \global\let^^e6=\ae
-\global\catcode`\^^e7=\active \global\def^^e7{\c c}
-\global\catcode`\^^e8=\active \global\def^^e8{\`e}
-\global\catcode`\^^e9=\active \global\def^^e9{\'e}
-\global\catcode`\^^ea=\active \global\def^^ea{\^e}
-\global\catcode`\^^eb=\active \global\def^^eb{\"e}
-\global\catcode`\^^ec=\active \global\def^^ec{\`\i}
-\global\catcode`\^^ed=\active \global\def^^ed{\'\i}
-\global\catcode`\^^ee=\active \global\def^^ee{\^\i}
-\global\catcode`\^^ef=\active \global\def^^ef{\"\i}
-% small eth
-\global\catcode`\^^f1=\active \global\def^^f1{\~n}
-\global\catcode`\^^f2=\active \global\def^^f2{\`o}
-\global\catcode`\^^f3=\active \global\def^^f3{\'o}
-\global\catcode`\^^f4=\active \global\def^^f4{\^o}
-\global\catcode`\^^f5=\active \global\def^^f5{\~o}
-\global\catcode`\^^f6=\active \global\def^^f6{\"o} % small o with diaeresis
-\global\catcode`\^^f7=\active \global\def^^f7{\inmathmode\div}% division sign
-\global\catcode`\^^f8=\active \global\let^^f8=\o
-\global\catcode`\^^f9=\active \global\def^^f9{\`u}
-\global\catcode`\^^fa=\active \global\def^^fa{\'u}
-\global\catcode`\^^fb=\active \global\def^^fb{\^u}
-\global\catcode`\^^fc=\active \global\def^^fc{\"u}
-\global\catcode`\^^fd=\active \global\def^^fd{\'y}
-% capital thorn
-\global\catcode`\^^ff=\active \global\def^^ff{\"y}
diff --git a/crypto/kerberosIV/doc/problems.texi b/crypto/kerberosIV/doc/problems.texi
deleted file mode 100644
index d7a525f..0000000
--- a/crypto/kerberosIV/doc/problems.texi
+++ /dev/null
@@ -1,342 +0,0 @@
-@node Resolving frequent problems, Acknowledgments, One-Time Passwords, Top
-@chapter Resolving frequent problems
-
-@menu
-* Problems compiling Kerberos::
-* Problems with firewalls::
-* Common error messages::
-* Is Kerberos year 2000 safe?::
-@end menu
-
-@node Problems compiling Kerberos, Problems with firewalls, Resolving frequent problems, Resolving frequent problems
-@section Problems compiling Kerberos
-
-Many compilers require a switch to become ANSI compliant. Since krb4
-is written in ANSI C it is necessary to specify the name of the compiler
-to be used and the required switch to make it ANSI compliant. This is
-most easily done when running configure using the @kbd{env} command. For
-instance to build under HP-UX using the native compiler do:
-
-@cartouche
-@example
-datan$ env CC="cc -Ae" ./configure
-@end example
-@end cartouche
-
-@cindex GCC
-In general @kbd{gcc} works. The following combinations have also been
-verified to successfully compile the distribution:
-
-@table @asis
-
-@item @samp{HP-UX}
-@kbd{cc -Ae}
-@item @samp{Digital UNIX}
-@kbd{cc -std1}
-@item @samp{AIX}
-@kbd{xlc}
-@item @samp{Solaris 2.x}
-@kbd{cc} (unbundled one)
-@item @samp{IRIX}
-@kbd{cc}
-
-@end table
-
-@subheading Linux problems
-
-The libc functions gethostby*() under RedHat4.2 can sometimes cause
-core dumps. If you experience these problems make sure that the file
-@file{/etc/nsswitch.conf} contains a hosts entry no more complex than
-the line
-
-@cartouche
-hosts: files dns
-@end cartouche
-
-Some systems have lost @file{/usr/include/ndbm.h} which is necessary to
-build krb4 correctly. There is a @file{ndbm.h.Linux} right next to
-the source distribution.
-
-@cindex Linux
-There has been reports of non-working @file{libdb} on some Linux
-distributions. If that happens, use the @kbd{--without-berkeley-db}
-when configuring.
-
-@subheading SunOS 5 (aka Solaris 2) problems
-
-@cindex SunOS 5
-
-When building shared libraries and using some combinations of GNU gcc/ld
-you better set the environment variable RUN_PATH to /usr/athena/lib
-(your target libdir). If you don't, then you will have to set
-LD_LIBRARY_PATH during runtime and the PAM module will not work.
-
-@subheading HP-UX problems
-
-@cindex HP-UX
-The shared library @file{/usr/lib/libndbm.sl} doesn't exist on all
-systems. To make problems even worse, there is never an archive version
-for static linking either. Therefore, when building ``truly portable''
-binaries first install GNU gdbm or Berkeley DB, and make sure that you
-are linking against that library.
-
-@subheading Cray problems
-
-@kbd{rlogind} won't work on Crays until @code{forkpty()} has been
-ported, in the mean time use @kbd{telnetd}.
-
-@subheading IRIX problems
-
-@cindex IRIX
-
-IRIX has three different ABI:s (Application Binary Interface), there's
-an old 32 bit interface (known as O32, or just 32), a new 32 bit
-interface (N32), and a 64 bit interface (64). O32 and N32 are both 32
-bits, but they have different calling conventions, and alignment
-constraints, and similar. The N32 format is the default format from IRIX
-6.4.
-
-You select ABI at compile time, and you can do this with the
-@samp{--with-mips-abi} configure option. The valid arguments are
-@samp{o32}, @samp{n32}, and @samp{64}, N32 is the default. Libraries for
-the three different ABI:s are normally installed installed in different
-directories (@samp{lib}, @samp{lib32}, and @samp{lib64}). If you want
-more than one set of libraries you have to reconfigure and recompile for
-each ABI, but you should probably install only N32 binaries.
-
-@cindex GCC
-GCC had had some known problems with the different ABI:s. Old GCC could
-only handle O32, newer GCC can handle N32, and 64, but not O32, but in
-some versions of GCC the structure alignment was broken in N32.
-
-This confusion with different ABI:s can cause some trouble. For
-instance, the @file{afskauthlib.so} library has to use the same ABI as
-@file{xdm}, and @file{login}. The easiest way to check what ABI to use
-is to run @samp{file} on @file{/usr/bin/X11/xdm}.
-
-@cindex AFS
-Another problem that you might encounter if you run AFS is that Transarc
-apparently doesn't support the 64-bit ABI, and because of this you can't
-get tokens with a 64 bit application. If you really need to do this,
-there is a kernel module that provides this functionality at
-@url{ftp://ftp.pdc.kth.se/home/joda/irix-afs64.tar.gz}.
-
-@subheading AIX problems
-
-@cindex GCC
-@kbd{gcc} version 2.7.2.* has a bug which makes it miscompile
-@file{appl/telnet/telnetd/sys_term.c} (and possibily
-@file{appl/bsd/forkpty.c}), if used with too much optimization.
-
-Some versions of the @kbd{xlc} preprocessor doesn't recognise the
-(undocumented) @samp{-qnolm} option. If this option is passed to the
-preprocessor (like via the configuration file @file{/etc/ibmcxx.cfg},
-configure will fail.
-
-The solution is to remove this option from the configuration file,
-either globally, or for just the preprocessor:
-
-@example
-$ cp /etc/ibmcxx.cfg /tmp
-$ed /tmp/ibmcxx.cfg
-8328
-/nolm
- options = -D_AIX,-D_AIX32,-D_AIX41,-D_AIX43,-D_IBMR2,-D_POWER,-bpT:0x10000000,-bpD:0x20000000,-qnolm
-s/,-qnolm//p
- options = -D_AIX,-D_AIX32,-D_AIX41,-D_AIX43,-D_IBMR2,-D_POWER,-bpT:0x10000000,-bpD:0x20000000
-w
-8321
-q
-$ env CC=xlc CPP="xlc -E -F/tmp/ibmcxx.cfg" configure
-@end example
-
-There is a bug in AFS 3.4 version 5.38 for AIX 4.3 that causes the
-kernel to panic in some cases. There is a hack for this in @kbd{login},
-but other programs could be affected also. This seems to be fixed in
-version 5.55.
-
-@subheading C2 problems
-
-@cindex C2
-The programs that checks passwords works with @file{passwd}, OTP, and
-Kerberos paswords.
This is problem if you use C2 security (or use some
-other password database), that normally keeps passwords in some obscure
-place. If you want to use Kerberos with C2 security you will have to
-think about what kind of changes are necessary. See also the discussion
-about Digital's SIA and C2 security, see @ref{Digital SIA}.
-
-@node Problems with firewalls, Common error messages, Problems compiling Kerberos, Resolving frequent problems
-@section Problems with firewalls
-
-@cindex firewall
-A firewall is a network device that filters out certain types of packets
-going from one side of the firewall to the other. A firewall is supposed
-to solve the same kinds of problems as Kerberos (basically hindering
-unauthorised network use). The difference is that Kerberos tries to
-authenticate users, while firewall splits the network in a `secure'
-inside, and an `insecure' outside.
-
-Firewall people usually think that UDP is insecure, partly because many
-`insecure' protocols use UDP. Since Kerberos by default uses UDP to send
-and recieve packets, Kerberos and firewalls doesn't work very well
-together.
-
-The symptoms of trying to use Kerberos behind a firewall is that you
-can't get any tickets (@code{kinit} exits with the infamous @samp{Can't
-send request} error message).
-
-There are a few ways to solve these problems:
-
-@itemize @bullet
-@item
-Convince your firewall administrator to open UDP port 750 or 88 for
-incoming packets. This usually turns out to be difficult.
-@item
-Convince your firewall administrator to open TCP port 750 or 88 for
-outgoing connections. This can be a lot easier, and might already be
-enabled.
-@item
-Use TCP connections over some non-standard port. This requires that you
-have to convince the administrator of the kerberos server to allow
-connections on this port.
-@item
-@cindex HTTP
-Use HTTP to get tickets. Since web-stuff has become almost infinitely
-popular, many firewalls either has the HTTP port open, or has a HTTP
-proxy.
-@end itemize
-
-The last two methods might be considered to be offensive (since you are
-not sending the `right' type of data in each port). You probably do best
-in discussuing this with firewall administrator.
-
-For information on how to use other protocols when communication with
-KDC, see @ref{Install the configuration files}.
-
-It is often the case that the firewall hides addresses on the `inside',
-so it looks like all packets are coming from the firewall. Since address
-of the client host is encoded in the ticket, this can cause trouble. If
-you get errors like @samp{Incorrect network address}, when trying to use
-the ticket, the problem is usually becuase the server you are trying to
-talk to sees a different address than the KDC did. If you experience
-this kind of trouble, the easiest way to solve them is probably to try
-some other mechanism to fetch tickets. You might also be able to
-convince the administrator of the server that the two different
-addresses should be added to the @file{/etc/krb.equiv} file.
-
-@node Common error messages, Is Kerberos year 2000 safe?, Problems with firewalls, Resolving frequent problems
-@section Common error messages
-
-These are some of the more obscure error messages you might encounter:
-
-@table @asis
-
-@item @samp{Time is out of bounds}
-
-The time on your machine differs from the time on either the kerberos
-server or the machine you are trying to login to. If it isn't obvious
-that this is the case, remember that all times are compared in UTC.
-
-On unix systems you usually can find out what the local time is by doing
-@code{telnet machine daytime}. This time (again, usually is the keyword)
-is with correction for time-zone and daylight savings.
-
-If you have problem keeping your clocks synchronized, consider using a
-time keeping system such as NTP (see also the discussion in
-@ref{Install the client programs}).
-
-@item @samp{Ticket issue date too far in the future}
-
-The time on the kerberos server is more than five minutes ahead of the
-time on the server.
-
-@item @samp{Can't decode authenticator}
-
-This means that there is a mismatch between the service key in the
-kerberos server and the service key file on the specific machine.
-Either:
-@itemize @bullet
-@item
-the server couldn't find a service key matching the request
-@item
-the service key (or version number) does not match the key the packet
-was encrypted with
-@end itemize
-
-@item @samp{Incorrect network address}
-
-The address in the ticket does not match the address you sent the
-request from. This happens on systems with more than one network
-address, either physically or logically. You can list addresses which
-should be considered equal in @file{/etc/krb.equiv} on your servers.
-
-A note to programmers: a server should not pass @samp{*} as the instance
-to @samp{krb_rd_req}. It should try to figure out on which interface the
-request was received, for instance by using @samp{k_getsockinst}.
-
-If you change addresses on your computer you invalidate any tickets you
-might have. The easiest way to fix this is to get new tickets with the
-new address.
-
-@item @samp{Message integrity error}
-
-The packet is broken in some way:
-@itemize @bullet
-@item
-the lengths does not match the size of the packet, or
-@item
-the checksum does not match the contents of the packet
-@end itemize
-
-@item @samp{Can't send request}
-There is some problem contacting the kerberos server. Either the server
-is down, or it is using the wrong port (compare the entries for
-@samp{kerberos-iv} in @file{/etc/services}). The client might also have
-failed to guess what kerberos server to talk to (check
-@file{/etc/krb.conf} and @file{/etc/krb.realms}).
-
-One reason you can't contact the kerberos server might be because you're
-behind a firewall that doesn't allow kerberos packets to pass.
For
-possible solutions to this see the firewall section above.
-
-@item @samp{kerberos: socket: Unable to open socket...}
-
-The kerberos server has to open four sockets for each interface. If you
-have a machine with lots of virtual interfaces, you run the risk of
-running out of file descriptors. If that happens you will get this
-error message.
-
-@item @samp{ftp: User foo access denied}
-
-This usually happens because the user's shell is not listed in
-@file{/etc/shells}. Note that @kbd{ftpd} checks this file even on
-systems where the system version does not and there is no
-@file{/etc/shells}.
-
-@item @samp{Generic kerberos error}
-This is a generic catch-all error message.
-
-@end table
-
-@node Is Kerberos year 2000 safe?, , Common error messages, Resolving frequent problems
-@section Is Kerberos year 2000 safe?
-
-@cindex Year 2000
-
-Yes.
-
-A somewhat longer answer is that we can't think of anything that can
-break. The protocol itself doesn't use time stamps in textual form, the
-two-digit year problems in the original MIT code has been fixed (this
-was a problem mostly with log files). The FTP client had a bug in the
-command `newer' (which fetches a file if it's newer than what you
-already got).
-
-Another thing to look out for, but that isn't a Y2K problem per se, is
-the expiration date of old principals. The MIT code set the default
-expiration date for some new principals to 1999-12-31, so you might want
-to check your database for things like this.
-
-Now, the Y2038 problem is something completely different (but the
-authors should have retired by then, presumably growing rowanberrys in
-some nice and warm place).
diff --git a/crypto/kerberosIV/doc/setup.texi b/crypto/kerberosIV/doc/setup.texi
deleted file mode 100644
index 24a955d..0000000
--- a/crypto/kerberosIV/doc/setup.texi
+++ /dev/null
@@ -1,905 +0,0 @@
-@node How to set up a realm, One-Time Passwords, Installing programs, Top
-@chapter How to set up a realm
-
-@quotation
-@flushleft
- Who willed you? or whose will stands but mine?
- There's none protector of the realm but I.
- Break up the gates, I'll be your warrantize.
- Shall I be flouted thus by dunghill grooms?
- --- King Henry VI, 6.1
-@end flushleft
-@end quotation
-
-@menu
-* How to set up the kerberos server::
-* Install the client programs::
-* Install the kerberised services::
-* Install a slave kerberos server::
-* Cross-realm functionality ::
-@end menu
-
-@node How to set up the kerberos server, Install the client programs, How to set up a realm, How to set up a realm
-@section How to set up the kerberos server
-
-@menu
-* Choose a realm name::
-* Choose a kerberos server::
-* Install the configuration files::
-* Install the /etc/services::
-* Install the kerberos server::
-* Set up the server::
-* Add a few important principals::
-* Start the server::
-* Try to get tickets::
-* Create initial ACL for the admin server::
-* Start the admin server::
-* Add users to the database::
-* Automate the startup of the servers::
-@end menu
-
-@node Choose a realm name, Choose a kerberos server, How to set up the kerberos server, How to set up the kerberos server
-@subsection Choose a realm name
-
-A
-@cindex realm
-realm is an administrative domain. Kerberos realms are usually
-written in uppercase and consist of a Internet domain
-name@footnote{Using lowercase characters in the realm name might break
-in mysterious ways. This really should have been fixed, but has not.}.
-Call your realm the same as your Internet domain name if you do not have
-strong reasons for not doing so. It will make life easier for you and
-everyone else.
-
-@node Choose a kerberos server, Install the configuration files, Choose a realm name, How to set up the kerberos server
-@subsection Choose a kerberos server
-
-You need to choose a machine to run the
-@pindex kerberos
-kerberos server program. If the kerberos database residing on this host
-is compromised, your entire realm will be compromised. Therefore, this
-machine must be as secure as possible. Preferably it should not run any
-services other than Kerberos. The secure-minded administrator might
-only allow logins on the console.
-
-This machine has also to be reliable. If it is down, you will not be
-able to use any kerberised services unless you have also configured a
-slave server (@pxref{Install a slave kerberos server}).
-
-Running the kerberos server requires very little CPU power and a small
-amount of disk. An old PC with some hundreds of megabytes of free disk
-space should do fine. Most of the disk space will be used for various
-logs.
-
-@node Install the configuration files, Install the /etc/services, Choose a kerberos server, How to set up the kerberos server
-@subsection Install the configuration files
-
-There are two important configuration files: @file{/etc/krb.conf} and
-@file{/etc/krb.realms}.
-@pindex krb.conf
-@pindex krb.realms
-
-The @file{krb.conf} file determines which machines are servers for
-different realms. The format of this file is:
-
-@example
-THIS.REALM
-SUPP.LOCAL.REALM
-THIS.REALM kerberos.this.realm admin server
-THIS.REALM kerberos-1.this.realm
-SUPP.LOCAL.REALM kerberos.supp.local.realm admin server
-ANOTHER.REALM kerberos.another.realm
-@end example
-
-The first line defines the name of the local realm. The next few lines
-optionally defines supplementary local realms.
-@cindex supplementary local realms
-The rest of the file
-defines the names of the kerberos servers and the database
-administration servers for all known realms.
You can define any number
-of kerberos slave servers similar to the one defined on line
-four. Clients will try to contact servers in listed order.
-
-The @samp{admin server} clause at the first entry states that this is
-the master server
-@cindex master server
-(the one to contact when modifying the database, such as changing
-passwords). There should be only one such entry for each realm.
-
-In the original MIT Kerberos 4 (as in most others), the server
-specification could only take the form of a host-name. To facilitate
-having kerberos servers in odd places (such as behind a firewall),
-support has been added for ports other than the default (750), and
-protocols other than UDP.
-
-The formal syntax for an entry is now
-@samp{[@var{proto}/]@var{host}[:@var{port}]}. @var{proto} is either
-@samp{UDP}, @samp{TCP}, or @samp{HTTP}, and @var{port} is the port to
-talk to. Default value for @var{proto} is @samp{UDP} and for @var{port}
-whatever @samp{kerberos-iv} is defined to be in @file{/etc/services} or
-750 if undefined. If @var{proto} is @samp{HTTP}, the default port is
-80. An @samp{http} entry may also be specified in URL format.
-
-If the information about a realm is missing from the @file{krb.conf}
-file, or if the information is wrong, the following methods will be
-tried in order.
-
-@enumerate
-@item
-If you have an SRV-record (@cite{RFC 2052}) for your realm it will be
-used. This record should be of the form
-@samp{kerberos-iv.@var{protocol}.@var{REALM}}, where @var{proto} is
-either @samp{UDP}, @samp{TCP}, or @samp{HTTP}. (Note: the current
-implementation does not look at priority or weight when deciding which
-server to talk to.)
-@item
-If there isn't any SRV-record, it tries to find a TXT-record for the
-same domain. The contents of the record should have the same format as the
-host specification in @file{krb.conf}. (Note: this is a temporary
-solution if your name server doesn't support SRV records.
The clients
-should work fine with SRV records, so if your name server supports them,
-they are very much preferred.)
-@item
-If no valid kerberos server is found, it will try to talk UDP to the
-service @samp{kerberos-iv} with fall-back to port 750 with
-@samp{kerberos.@var{REALM}} (which is also assumed to be the master
-server), and then @samp{kerberos-1.@var{REALM}},
-@samp{kerberos-2.@var{REALM}}, and so on.
-@end enumerate
-
-SRV records have been supported in BIND since 4.9.5T2A. An example
-would look like the following in the zone file:
-
-@example
-kerberos-iv.udp.foo.se. 1M IN SRV 1 0 750 kerberos-1.foo.se.
-kerberos-iv.udp.foo.se. 1M IN SRV 0 0 750 kerberos.foo.se.
-@end example
-
-We strongly recommend that you add a CNAME @samp{kerberos.@var{REALM}}
-pointing to your kerberos master server.
-
-The @file{krb.realms} file is used to find out what realm a particular
-host belongs to. An example of this file could look like:
-
-@example
-this.realm THIS.REALM
-.this.realm THIS.REALM
-foo.com SOME.OTHER.REALM
-www.foo.com A.STRANGE.REALM
-.foo.com FOO.REALM
-@end example
-
-Entries starting with a dot are taken as the name of a domain. Entries
-not starting with a dot are taken as a host-name. The first entry matched
-is used. The entry for @samp{this.realm} is only necessary if there is a
-host named @samp{this.realm}.
-
-If no matching realm is found in @file{krb.realms}, DNS is searched for
-the correct realm. For example, if we are looking for host @samp{a.b.c},
-@samp{krb4-realm.a.b.c} is first tried and then @samp{krb4-realm.b.c}
-and so on. The entry should be a TXT record containing the name of the
-realm, such as:
-
-@example
-krb4-realm.pdc.kth.se. 7200 TXT "NADA.KTH.SE"
-@end example
-
-If this didn't help the domain name sans the first part in uppercase is
-tried.
-
-The plain vanilla version of Kerberos doesn't have any fancy methods of
-getting realms and servers so it is generally a good idea to keep
-@file{krb.conf} and @file{krb.realms} up to date.
-
-In addition to these commonly used files, @file{/etc/krb.extra}
-@pindex krb.extra
-holds some things that are not normally used. It consists of a number of
-@samp{@var{variable} = @var{value}} pairs, blank lines and lines
-beginning with a hash (#) are ignored.
-
-The currently defined variables are:
-
-@table @samp
-@item kdc_timeout
-@cindex kdc_timeout
-The time in seconds to wait for an answer from the KDC (the default is 4
-seconds).
-@item kdc_timesync
-@cindex kdc_timesync
-This flag enables storing of the time differential to the KDC when
-getting an initial ticket. This differential is used later on to compute
-the correct time. This can help if your machine doesn't have a working
-clock.
-@item firewall_address
-@cindex firewall_address
-The IP address that hosts outside the firewall see when connecting from
-within the firewall. If this is specified, the code will try to compute
-the value for @samp{reverse_lsb_test}.
-@item krb4_proxy
-@cindex krb4_proxy
-When getting tickets via HTTP, this specifies the proxy to use. The
-default is to speak directly to the KDC.
-@item krb_default_tkt_root
-@cindex krb_default_tkt_root
-The default prefix for ticket files. The default is @file{/tmp/tkt}.
-Normally the uid or tty is appended to this prefix.
-@item krb_default_keyfile
-@cindex krb_default_keyfile
-The file where the server keys are stored, the default is @file{/etc/srvtab}.
-@item nat_in_use
-@cindex nat_in_use
-If the client is behind a Network Address Translator (NAT).
-@cindex Network Address Translator
-@cindex NAT
-@item reverse_lsb_test
-@cindex reverse_lsb_test
-Reverses the test used by @code{krb_mk_safe}, @code{krb_rd_safe},
-@code{krb_mk_priv}, and @code{krb_rd_priv} to compute the ordering of
-the communicating hosts.
This test can cause truble when using
-firewalls.
-@end table
-
-@node Install the /etc/services, Install the kerberos server, Install the configuration files, How to set up the kerberos server
-@subsection Updating /etc/services
-
-You should append or merge the contents of @file{services.append} to
-your @file{/etc/services} files or NIS-map. Remove any unused factory
-installed kerberos port definitions to avoid possible conflicts.
-@pindex services
-
-Most of the programs will fall back to the default ports if the port
-numbers are not found in @file{/etc/services}, but it is convenient to
-have them there anyway.
-
-@node Install the kerberos server, Set up the server, Install the /etc/services, How to set up the kerberos server
-@subsection Install the kerberos server
-
-You should have already chosen the machine where you want to run the
-kerberos server and the realm name. The machine should also be as
-secure as possible (@pxref{Choose a kerberos server}) before installing
-the kerberos server. In this example, we will install a kerberos server
-for the realm @samp{FOO.SE} on a machine called @samp{hemlig.foo.se}.
-
-@node Set up the server, Add a few important principals, Install the kerberos server, How to set up the kerberos server
-@subsection Setup the server
-
-Login as root on the console of the kerberos server. Add
-@file{/usr/athena/bin} and @file{/usr/athena/sbin} to your path. Create
-the directory @file{/var/kerberos} (@kbd{mkdir /var/kerberos}), which is
-where the database will be stored. Then, to create the database, run
-@kbd{kdb_init}:
-@pindex kdb_init
-
-@example
-@cartouche
-hemlig# mkdir /var/kerberos
-hemlig# kdb_init
-Realm name [default FOO.SE ]:
-You will be prompted for the database Master Password.
-It is important that you NOT FORGET this password.
-
-Enter Kerberos master password:
-Verifying password
-Enter Kerberos master password:
-@end cartouche
-@end example
-
-If you have set up the configuration files correctly, @kbd{kdb_init}
-should choose the correct realm as the default, otherwise a (good) guess
-is made. Enter the master password.
-
-This password will only be used for encrypting the kerberos database on
-disk and for generating new random keys. You will not have to remember
-it, only to type it again when you run @kbd{kstash}. Choose something
-long and random. Now run @kbd{kstash} using the same password:
-@pindex kstash
-
-@example
-@cartouche
-hemlig# kstash
-
-Enter Kerberos master password:
-
-Current Kerberos master key version is 1.
-
-Master key entered. BEWARE!
-Wrote master key to /.k
-@end cartouche
-@end example
-
-After entering the same master password it will be saved in the file
-@file{/.k} and the kerberos server will read it when needed. Write down
-the master password and put it in a sealed envelope in a safe, you might
-need it if your disk crashes or should you want to set up a slave
-server.
-
-@code{kdb_init} initializes the database with a few entries:
-
-@table @samp
-@item krbtgt.@var{REALM}
-The key used for authenticating to the kerberos server.
-
-@item changepw.kerberos
-The key used for authenticating to the administrative server, i.e. when
-adding users, changing passwords, and so on.
-
-@item default
-This entry is copied to new items when these are added. Enter here the
-values you want new entries to have, particularly the expiry date.
-
-@item K.M
-This is the master key and it is only used to verify that the master key
-that is saved un-encrypted in @file{/.k} is correct and corresponds to
-this database.
-
-@end table
-
-@code{kstash} only reads the master password and writes it to
-@file{/.k}. This enables the kerberos server to start without you
-having to enter the master password.
This file (@file{/.k}) is only
-readable by root and resides on a ``secure'' machine.
-
-@node Add a few important principals, Start the server, Set up the server, How to set up the kerberos server
-@subsection Add a few important principals
-
-Now the kerberos database has been created, containing only a few
-principals. The next step is to add a few more so that you can test
-that it works properly and so that you can administer your realm without
-having to use the console on the kerberos server. Use @kbd{kdb_edit}
-to edit the kerberos database directly on the server.
-@pindex kdb_edit
-
-@code{kdb_edit} is intended as a bootstrapping and fall-back mechanism
-for editing the database. For normal purposes, use the @code{kadmin}
-program (@pxref{Add users to the database}).
-
-The following example shows the adding of the principal
-@samp{nisse.admin} into the kerberos database. This principal is used
-by @samp{nisse} when administrating the kerberos database. Later on the
-normal principal for @samp{nisse} will be created. Replace @samp{nisse}
-and @samp{password} with your own username and password.
-
-@example
-@cartouche
-hemlig# kdb_edit -n
-Opening database...
-Current Kerberos master key version is 1.
-
-Master key entered. BEWARE!
-Previous or default values are in [brackets] ,
-enter return to leave the same, or new value.
-
-Principal name: <nisse>
-Instance: <admin>
-
-<Not found>, Create [y] ? <>
-
-Principal: nisse, Instance: admin, kdc_key_ver: 1
-New Password: <password>
-Verifying password
-New Password: <password>
-
-Principal's new key version = 1
-Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? <>
-Max ticket lifetime (*5 minutes) [ 255 ] ? <>
-Attributes [ 0 ] ? <>
-Edit O.K.
-Principal name: <>
-@end cartouche
-@end example
-
-@code{kdb_edit} will loop until you hit the @kbd{return} key at the
-``Principal name'' prompt. Now you have added nisse as an administrator.
-
-@page
-
-@node Start the server, Try to get tickets, Add a few important principals, How to set up the kerberos server
-@subsection Start the server
-
-@pindex kerberos
-@example
-@cartouche
-hemlig# /usr/athena/libexec/kerberos &
-Kerberos server starting
-Sleep forever on error
-Log file is /var/log/kerberos.log
-Current Kerberos master key version is 1.
-
-Master key entered. BEWARE!
-
-Current Kerberos master key version is 1
-Local realm: FOO.SE
-@end cartouche
-@end example
-
-@node Try to get tickets, Create initial ACL for the admin server, Start the server, How to set up the kerberos server
-@subsection Try to get tickets
-
-You can now verify that these principals have been added and that the
-server is working correctly.
-
-@pindex kinit
-@example
-@cartouche
-hemlig# kinit
-eBones International (hemlig.foo.se)
-Kerberos Initialization
-Kerberos name: <nisse.admin>
-Password: <password>
-@end cartouche
-@end example
-
-If you do not get any error message from @code{kinit}, then everything
-is working (otherwise, see @ref{Common error messages}). Use
-@code{klist} to verify the tickets you acquired with @code{kinit}:
-
-@pindex klist
-@example
-@cartouche
-hemlig# klist
-Ticket file: /tmp/tkt0
-Principal: nisse.admin@@FOO.SE
-
-Issued Expires Principal
-May 24 21:06:03 May 25 07:06:03 krbtgt.FOO.SE@@FOO.SE
-@end cartouche
-@end example
-
-@node Create initial ACL for the admin server, Start the admin server, Try to get tickets, How to set up the kerberos server
-@subsection Create initial ACL for the admin server
-
-The admin server, @code{kadmind}, uses a series of files to determine who has
-@pindex kadmind
-the right to perform certain operations. The files are:
-@file{admin_acl.add}, @file{admin_acl.get}, @file{admin_acl.del}, and
-@file{admin_acl.mod}. Create these with @samp{nisse.admin@@FOO.SE} as
-the contents.
-@pindex admin_acl.add
-@pindex admin_acl.get
-@pindex admin_acl.del
-@pindex admin_acl.mod
-
-@example
-@cartouche
-hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.add
-hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.get
-hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.mod
-hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.del
-@end cartouche
-@end example
-
-Later on you may wish to add more users with administration
-privileges. Make sure that you create both the administration principals
-and add them to the admin server ACL.
-
-@node Start the admin server, Add users to the database, Create initial ACL for the admin server, How to set up the kerberos server
-@subsection Start the admin server
-
-@pindex kadmind
-@example
-@cartouche
-hemlig# /usr/athena/libexec/kadmind &
-KADM Server KADM0.0A initializing
-Please do not use 'kill -9' to kill this job, use a
-regular kill instead
-
-Current Kerberos master key version is 1.
-
-Master key entered. BEWARE!
-@end cartouche
-@end example
-
-@node Add users to the database, Automate the startup of the servers, Start the admin server, How to set up the kerberos server
-@subsection Add users to the database
-
-Use the @code{kadmin} client to add users to the database:
-@pindex kadmin
-
-@example
-@cartouche
-hemlig# kadmin -p nisse.admin -m
-Welcome to the Kerberos Administration Program, version 2
-Type "help" if you need it.
-admin: <add nisse>
-Admin password: <nisse.admin's password>
-Maximum ticket lifetime? (255) [Forever]
-Attributes? [0x00]
-Expiration date (enter yyyy-mm-dd) ? [Sat Jan 1 05:59:00 2000]
-Password for nisse:
-Verifying password Password for nisse:
-nisse added to database.
-@end cartouche
-@end example
-
-Add whatever other users you want to have in the same way.
Verify that
-a user is in the database and check the database entry for that user:
-
-@example
-@cartouche
-admin: <get nisse>
-Info in Database for nisse.:
-Max Life: 255 (Forever) Exp Date: Sat Jan 1 05:59:59 2000
-
-Attribs: 00 key: 0 0
-admin: <^D>
-Cleaning up and exiting.
-@end cartouche
-@end example
-
-@node Automate the startup of the servers, , Add users to the database, How to set up the kerberos server
-@subsection Automate the startup of the servers
-
-Add the lines that were used to start the kerberos server and the
-admin server to your startup scripts (@file{/etc/rc} or similar).
-@pindex rc
-
-@node Install the client programs, Install the kerberised services, How to set up the kerberos server, How to set up a realm
-@section Install the client programs
-
-Making a machine a kerberos client only requires a few steps. First you
-might need to change the configuration files as with the kerberos
-server. (@pxref{Install the configuration files} and @pxref{Install the
-/etc/services}.) Also you need to make the programs in
-@file{/usr/athena/bin} available. This can be done by adding the
-@file{/usr/athena/bin} directory to the users' paths, by making symbolic
-links, or even by copying the programs.
-
-You should also verify that the local time on the client is synchronised
-with the time on the kerberos server by some means. The maximum allowed
-time difference between the participating servers and a client is 5
-minutes.
-@cindex NTP.
-One good way to synchronize the time is NTP (Network Time Protocol), see
-@url{http://www.eecis.udel.edu/~ntp/}.
-
-If you need to run the client programs on a machine where you do not
-have root-access, you can hopefully just use the binaries and no
-configuration will be needed. The heuristics used are mentioned above
-(see @ref{Install the configuration files}).
If this is not the case
-and you need to have @file{krb.conf} and/or @file{krb.realms}, you can
-copy them into a directory of your choice and
-@pindex krb.conf
-@pindex krb.realms
-set the environment variable @var{KRBCONFDIR} to point at this
-@cindex KRBCONFDIR
-directory.
-
-To test the client functionality, run the @code{kinit} program:
-
-@example
-@cartouche
-foo$ kinit
-eBones International (foo.foo.se)
-Kerberos Initialization
-Kerberos name: <nisse>
-Password: <password>
-
-foo$ klist
-Ticket file: /tmp/tkt4711
-Principal: nisse@@FOO.SE
-
-Issued Expires Principal
-May 24 21:06:03 May 25 07:06:03 krbtgt.FOO.SE@@FOO.SE
-@end cartouche
-@end example
-
-@node Install the kerberised services, Install a slave kerberos server, Install the client programs, How to set up a realm
-@section Install the kerberised services
-
-These includes @code{rsh}, @code{rlogin}, @code{telnet}, @code{ftp},
-@code{rxtelnet}, and so on.
-@pindex rsh
-@pindex rlogin
-@pindex telnet
-@pindex ftp
-@pindex rxtelnet
-
-First follow the steps mentioned in the prior section to make it a
-client and verify its operation. Change @file{inetd.conf} next to use
-the new daemons. Look at the file
-@pindex inetd.conf
-@file{etc/inetd.conf.changes} to see the changes that we recommend you
-perform on @file{inetd.conf}.
-
-You should at this point decide what services you want to run on
-each machine.
-
-@subsection rsh, rlogin, and rcp
-@pindex rsh
-@pindex rlogin
-@pindex rcp
-
-These exist in kerberised versions and ``old-style'' versions. The
-different versions use different port numbers, so you can choose none,
-one, or both. If you do not want to use ``old-style'' r* services, you
-can let the programs output the text ``Remote host requires Kerberos
-authentication'' instead of just refusing connections to that port.
-This is enabled with the @samp{-v} option. The kerberised services
-exist in encrypted and non-encrypted versions.
The encrypted services
-have an ``e'' prepended to the name and the programs take @samp{-x} as an
-option indicating encryption.
-
-Our recommendation is to only use the kerberised services and give
-explanation messages for the old ports.
-
-@subsection telnet
-@pindex telnet
-
-The telnet service always uses the same port and negotiates as to which
-authentication method should be used. The @code{telnetd} program has
-@pindex telnetd
-an option ``-a user'' that only allows kerberised and authenticated
-connections. If this is not included, it falls back to using clear text
-passwords. For obvious reasons, we recommend that you enable this
-option. If you want to use one-time passwords (@pxref{One-Time
-Passwords}) you can use the ``-a otp'' option which will allow OTPs or
-kerberised connections.
-
-@subsection ftp
-@pindex ftp
-
-The ftp service works as telnet does, with just one port being used. By
-default only kerberos authenticated connections are allowed. You can
-specify additional levels that are thus allowed with these options:
-
-@table @asis
-@item @kbd{-a otp}
-Allow one-time passwords (@pxref{One-Time Passwords}).
-@item @kbd{-a ftp}
-Allow anonymous login (as user ``ftp'' or ``anonymous'').
-@item @kbd{-a safe}
-The same as @kbd{-a ftp}, for backwards compatibility.
-@item @kbd{-a plain}
-Allow clear-text passwords.
-@item @kbd{-a none}
-The same as @kbd{-a ftp -a plain}.
-@item @kbd{-a user}
-A no-op, also there for backwards compatibility reasons.
-@end table
-
-When running anonymous ftp you should read the man page on @code{ftpd}
-which explains how to set it up.
-
-@subsection pop
-@pindex popper
-
-The Post Office Protocol (POP) is used to retrieve mail from the mail
-hub. The @code{popper} program implements the standard POP3 protocol
-and the kerberised KPOP. Use the @samp{-k} option to run the kerberos
-version of the protocol. This service should only be run on your mail
-hub.
-
-@subsection kx
-@pindex kx
-
-@code{kx} allows you to run X over a kerberos-authenticated and
-encrypted connection. This program is used by @code{rxtelnet},
-@code{tenletxr}, and @code{rxterm}.
-
-If you have some strange kind of operating system with X libraries that
-do not allow you to use unix-sockets, you need to specify the @samp{-t}
-@pindex kxd
-option to @code{kxd}. Otherwise it should be sufficient by adding the
-daemon in @file{inetd.conf}.
-
-@subsection kauth
-@pindex kauth
-
-This service allows you to create tickets on a remote host. To
-enable it just insert the corresponding line in @file{inetd.conf}.
-
-@section srvtabs
-@pindex srvtab
-
-In the same way every user needs to have a password registered with
-the kerberos server, every service needs to have a shared key with the
-kerberos server. The service keys are stored in a file, usually called
-@file{/etc/srvtab}. This file should not be readable to anyone but
-root, in order to keep the key from being divulged. The name of this principal
-in the kerberos database is usually the service name and the hostname. Examples
-of such principals are @samp{pop.@var{hostname}} and
-@samp{rcmd.@var{hostname}}. (rcmd comes from ``remote command''.) Here
-is a list of the most commonly used srvtab types and what programs use them.
-
-@table @asis
-@item rcmd.@var{hostname}
-rsh, rcp, rlogin, telnet, kauth, su, kx
-@item rcmd.kerberos
-kprop
-@item pop.@var{hostname}
-popper, movemail, push
-@item sample.@var{hostname}
-sample_server, simple_server
-@item changepw.kerberos
-kadmin, kpasswd
-@item krbtgt.@var{realm}
-kerberos (not stored in any srvtab)
-@item ftp.@var{hostname}
-ftp (also tries with rcmd.@var{hostname})
-@item zephyr.zephyr
-Zephyr
-@item afs or afs.@var{cellname}
-Andrew File System
-@end table
-
-To create these keys you will use the the @code{ksrvutil} program.
-Perform the
-@pindex ksrvutil
-following:
-
-@example
-@cartouche
-bar# ksrvutil -p nisse.admin get
-Name [rcmd]: <>
-Instance [bar]: <>
-Realm [FOO.SE]: <>
-Is this correct? (y,n) [y] <>
-Add more keys? (y,n) [n] <>
-Password for nisse.admin@@FOO.SE: <nisse.admin's password>
-Written rcmd.bar
-rcmd.bar@@FOO.SE
-Old keyfile in /etc/srvtab.old.
-@end cartouche
-@end example
-
-@subsection Complete test of the kerberised services
-
-Obtain a ticket on one machine (@samp{foo}) and use it to login with a
-kerberised service to a second machine (@samp{bar}). The test should
-look like this if successful:
-
-@example
-@cartouche
-foo$ kinit nisse
-eBones International (foo.foo.se)
-Kerberos Initialization for "nisse"
-Password: <nisse's password>
-foo$ klist
-Ticket file: /tmp/tkt4711
-Principal: nisse@@FOO.SE
-
-Issued Expires Principal
-May 30 13:48:03 May 30 23:48:03 krbtgt.FOO.SE@@FOO.SE
-foo$ telnet bar
-Trying 17.17.17.17...
-Connected to bar.foo.se
-Escape character is '^]'.
-[ Trying mutual KERBEROS4 ... ]
-[ Kerberos V4 accepts you ]
-[ Kerberos V4 challenge successful ]
-bar$
-@end cartouche
-@end example
-
-You can also try with @code{rsh}, @code{rcp}, @code{rlogin},
-@code{rlogin -x}, and some other commands to see that everything is
-working all right.
-
-@node Install a slave kerberos server, Cross-realm functionality , Install the kerberised services, How to set up a realm
-@section Install a slave kerberos server
-
-It is desirable to have at least one backup (slave) server in case the
-master server fails. It is possible to have any number of such slave
-servers but more than three usually doesn't buy much more redundancy.
-
-First select a good server machine. (@pxref{Choose a kerberos
-server}).
-
-On the master, add a @samp{rcmd.kerberos} (note, it should be literally
-``kerberos'') principal (using @samp{ksrvutil get}).
The
-@pindex kprop
-@code{kprop} program, running on the master, will use this when
-authenticating to the
-@pindex kpropd
-@code{kpropd} daemons running on the slave servers. The @code{kpropd}
-on the slave will use its @samp{rcmd.hostname} key for authenticating
-the connection from the master. Therefore, the slave needs to have this
-key in its srvtab, and it of course also needs to have enough of the
-configuration files to act as a server. See @ref{Install the kerberised
-services} for information on how to do this.
-
-To summarize, the master should have a key for @samp{rcmd.kerberos} and
-the slave one for @samp{rcmd.hostname}.
-
-The slave will need the same master key as you used at the master.
-
-On your master server, create a file, e.g. @file{/var/kerberos/slaves},
-that contains the hostnames of your kerberos slave servers.
-
-Start @code{kpropd} with @samp{kpropd -i} on your slave servers.
-
-On your master server, create a dump of the database and then propagate
-it.
-
-@example
-foo# kdb_util slave_dump /var/kerberos/slave_dump
-foo# kprop
-@end example
-
-You should now have copies of the database on your slave servers. You
-can verify this by issuing @samp{kdb_util dump @var{file}} on your
-slave servers, and comparing with the original file on the master
-server. Note that the entries will not be in the same order.
-
-This procedure should be automated with a script run regularly by cron,
-for instance once an hour.
-
-Since the master and slave servers will use copies of the same
-database, they need to use the same master key. Add the master key on
-the slave with @code{kstash}. (@pxref{Set up the server})
-
-To start the kerberos server on slaves, you first have to copy the
-master key from the master server. You can do this either by remembering
-the master password and issuing @samp{kstash}, or you can just copy the
-keyfile. Remember that if you copy the file, do so on a safe media, not
-over the network. Good means include floppy or paper.
Paper is better,
-since it is easier to swallow afterwards.
-
-The kerberos server should be started with @samp{-s} on the slave
-servers. This enables sanity checks, for example checking the time since
-the last update from the master.
-
-All changes to the database are made by @code{kadmind} at the master,
-and then propagated to the slaves, so you should @strong{not} run
-@code{kadmind} on the slaves.
-
-Finally add the slave servers to
-@file{/etc/krb.conf}. The clients will ask the servers in the order
-specified by that file.
-
-Consider adding CNAMEs to your slave servers, see @ref{Install the
-configuration files}.
-
-@node Cross-realm functionality , , Install a slave kerberos server, How to set up a realm
-@section Cross-realm functionality
-
-Suppose you are residing in the realm @samp{MY.REALM}, how do you
-authenticate to a server in @samp{OTHER.REALM}? Having valid tickets in
-@samp{MY.REALM} allows you to communicate with kerberised services in that
-realm. However, the computer in the other realm does not have a secret
-key shared with the kerberos server in your realm.
-
-It is possible to add a shared key between two realms that trust each
-other. When a client program, such as @code{telnet}, finds that the
-other computer is in a different realm, it will try to get a ticket
-granting ticket for that other realm, but from the local kerberos
-server. With that ticket granting ticket, it will then obtain service
-tickets from the kerberos server in the other realm.
-
-To add this functionality you have to add a principal to each realm. The
-principals should be @samp{krbtgt.OTHER.REALM} in @samp{MY.REALM}, and
-@samp{krbtgt.MY.REALM} in @samp{OTHER.REALM}. The two different
-principals should have the same key (and key version number). Remember
-to transfer this key in a safe manner. This is all that is required.
-
-@page
-
-@example
-@cartouche
-blubb$ klist
-Ticket file: /tmp/tkt3008
-Principal: joda@@NADA.KTH.SE
-
- Issued Expires Principal
-Jun 7 02:26:23 Jun 7 12:26:23 krbtgt.NADA.KTH.SE@@NADA.KTH.SE
-blubb$ telnet agat.e.kth.se
-Trying 130.237.48.12...
-Connected to agat.e.kth.se.
-Escape character is '^]'.
-[ Trying mutual KERBEROS4 ... ]
-[ Kerberos V4 accepts you ]
-[ Kerberos V4 challenge successful ]
-Last login: Sun Jun 2 20:51:50 from emma.pdc.kth.se
-
-agat$ exit
-Connection closed by foreign host.
-blubb$ klist
-Ticket file: /tmp/tkt3008
-Principal: joda@@NADA.KTH.SE
-
- Issued Expires Principal
-Jun 7 02:26:23 Jun 7 12:26:23 krbtgt.NADA.KTH.SE@@NADA.KTH.SE
-Jun 7 02:26:50 Jun 7 12:26:50 krbtgt.E.KTH.SE@@NADA.KTH.SE
-Jun 7 02:26:51 Jun 7 12:26:51 rcmd.agat@@E.KTH.SE
-@end cartouche
-@end example
diff --git a/crypto/kerberosIV/doc/whatis.texi b/crypto/kerberosIV/doc/whatis.texi
deleted file mode 100644
index 6721c23..0000000
--- a/crypto/kerberosIV/doc/whatis.texi
+++ /dev/null
@@ -1,137 +0,0 @@ -@node What is Kerberos?, Installing programs, Introduction, Top -@chapter What is Kerberos? - -@quotation -@flushleft - Now this Cerberus had three heads of dogs, - the tail of a dragon, and on his back the - heads of all sorts of snakes. - --- Pseudo-Apollodorus Library 2.5.12 -@end flushleft -@end quotation - -Kerberos is a system for authenticating users and services on a network. -It is built upon the assumption that the network is ``unsafe''. For -example, data sent over the network can be eavesdropped and altered, and -addresses can also be faked. Therefore they cannot be used for -authentication purposes. -@cindex authentication - -Kerberos is a trusted third-party service. That means that there is a -third party (the kerberos server) that is trusted by all the entities on -the network (users and services, usually called @dfn{principals}). All -principals share a secret password (or key) with the kerberos server and -this enables principals to verify that the messages from the kerberos -server are authentic. Thus trusting the kerberos server, users and -services can authenticate each other. - -@section Basic mechanism - -@ifinfo -@macro sub{arg} -<\arg\> -@end macro -@end ifinfo - -@tex -@def@xsub#1{$_{#1}$} -@global@let@sub=@xsub -@end tex - -In Kerberos, principals use @dfn{tickets} to prove that they are who -they claim to be. In the following example, @var{A} is the initiator of -the authentication exchange, usually a user, and @var{B} is the service -that @var{A} wishes to use. - -To obtain a ticket for a specific service, @var{A} sends a ticket -request to the kerberos server. The request basically contains @var{A}'s -and @var{B}'s names. The kerberos server checks that both @var{A} and -@var{B} are valid principals. 
-
-Having verified the validity of the principals, it creates a packet
-containing @var{A}'s and @var{B}'s names, @var{A}'s network address
-(@var{A@sub{addr}}), the current time (@var{t@sub{issue}}), the lifetime
-of the ticket (@var{life}), and a secret @dfn{session key}
-@cindex session key
-(@var{K@sub{AB}}). This packet is encrypted with @var{B}'s secret key
-(@var{K@sub{B}}). The actual ticket (@var{T@sub{AB}}) looks like this:
-(@{@var{A}, @var{B}, @var{A@sub{addr}}, @var{t@sub{issue}}, @var{life},
-@var{K@sub{AB}}@}@var{K@sub{B}}).
-
-The reply to @var{A} consists of the ticket (@var{T@sub{AB}}), @var{B}'s
-name, the current time, the lifetime of the ticket, and the session key, all
-encrypted in @var{A}'s secret key (@{@var{B}, @var{t@sub{issue}},
-@var{life}, @var{K@sub{AB}}, @var{T@sub{AB}}@}@var{K@sub{A}}). @var{A}
-decrypts the reply and retains it for later use.
-
-@sp 1
-
-Before sending a message to @var{B}, @var{A} creates an authenticator
-consisting of @var{A}'s name, @var{A}'s address, the current time, and a
-``checksum'' chosen by @var{A}, all encrypted with the secret session
-key (@{@var{A}, @var{A@sub{addr}}, @var{t@sub{current}},
-@var{checksum}@}@var{K@sub{AB}}). This is sent together with the ticket
-received from the kerberos server to @var{B}. Upon reception, @var{B}
-decrypts the ticket using @var{B}'s secret key. Since the ticket
-contains the session key that the authenticator was encrypted with,
-@var{B} can now also decrypt the authenticator. To verify that @var{A}
-really is @var{A}, @var{B} now has to compare the contents of the ticket
-with that of the authenticator. If everything matches, @var{B} now
-considers @var{A} as properly authenticated.
-
-@c (here we should have some more explanations)
-
-@section Different attacks
-
-@subheading Impersonating A
-
-An impostor, @var{C} could steal the authenticator and the ticket as it
-is transmitted across the network, and use them to impersonate
-@var{A}.
The address in the ticket and the authenticator was added to
-make it more difficult to perform this attack. To succeed @var{C} will
-have to either use the same machine as @var{A} or fake the source
-addresses of the packets. By including the time stamp in the
-authenticator, @var{C} does not have much time in which to mount the
-attack.
-
-@subheading Impersonating B
-
-@var{C} can masquerade @var{B}'s network address, and when @var{A} sends
-her credentials, @var{C} just pretend to verify them. @var{C} can't
-be sure that she is talking to @var{A}.
-
-@section Defense strategies
-
-It would be possible to add a @dfn{replay cache}
-@cindex replay cache
-to the server side. The idea is to save the authenticators sent during
-the last few minutes, so that @var{B} can detect when someone is trying
-to retransmit an already used message. This is somewhat impractical
-(mostly regarding efficiency), and is not part of Kerberos 4; MIT
-Kerberos 5 contains it.
-
-To authenticate @var{B}, @var{A} might request that @var{B} sends
-something back that proves that @var{B} has access to the session
-key. An example of this is the checksum that @var{A} sent as part of the
-authenticator. One typical procedure is to add one to the checksum,
-encrypt it with the session key and send it back to @var{A}. This is
-called @dfn{mutual authentication}.
-
-The session key can also be used to add cryptographic checksums to the
-messages sent between @var{A} and @var{B} (known as @dfn{message
-integrity}). Encryption can also be added (@dfn{message
-confidentiality}). This is probably the best approach in all cases.
-@cindex integrity
-@cindex confidentiality
-
-@section Further reading
-
-The original paper on Kerberos from 1988 is @cite{Kerberos: An
-Authentication Service for Open Network Systems}, by Jennifer Steiner,
-Clifford Neuman and Jeffrey I. Schiller.
-
-A less technical description can be found in @cite{Designing an
-Authentication System: a Dialogue in Four Scenes} by Bill Bryant, also
-from 1988.
-
-These and several other documents can be found on our web-page. |