Diffstat (limited to 'crypto/kerberosIV/doc')
-rw-r--r--  crypto/kerberosIV/doc/Makefile.in    |  65
-rw-r--r--  crypto/kerberosIV/doc/ack.texi       |  80
-rw-r--r--  crypto/kerberosIV/doc/index.texi     |   6
-rw-r--r--  crypto/kerberosIV/doc/install.texi   | 368
-rw-r--r--  crypto/kerberosIV/doc/intro.texi     |  69
-rw-r--r--  crypto/kerberosIV/doc/kth-krb.texi   | 300
-rw-r--r--  crypto/kerberosIV/doc/latin1.tex     |  95
-rw-r--r--  crypto/kerberosIV/doc/otp.texi       | 127
-rw-r--r--  crypto/kerberosIV/doc/problems.texi  | 156
-rw-r--r--  crypto/kerberosIV/doc/setup.texi     | 794
-rw-r--r--  crypto/kerberosIV/doc/whatis.texi    | 137
11 files changed, 2197 insertions, 0 deletions
diff --git a/crypto/kerberosIV/doc/Makefile.in b/crypto/kerberosIV/doc/Makefile.in new file mode 100644 index 0000000..5071e8e --- /dev/null +++ b/crypto/kerberosIV/doc/Makefile.in @@ -0,0 +1,65 @@ +# $Id: Makefile.in,v 1.10 1997/05/06 03:05:55 joda Exp $ + +SHELL = /bin/sh + +srcdir = @srcdir@ +VPATH = @srcdir@ + +INSTALL = @INSTALL@ +INSTALL_DATA = $(INSTALL) +MKINSTALLDIRS = @top_srcdir@/mkinstalldirs +MAKEINFO = @MAKEINFO@ +TEXI2DVI = texi2dvi +TEXI2HTML = texi2html + +prefix = @prefix@ +infodir = @infodir@ + +all: info + +install: all installdirs + if test -f kth-krb.info; then \ + $(INSTALL_DATA) kth-krb.info $(infodir)/kth-krb.info; \ + else \ + $(INSTALL_DATA) $(srcdir)/kth-krb.info $(infodir)/kth-krb.info; \ + fi + if $(SHELL) -c 'install-info --version' >/dev/null 2>&1; then \ + install-info --dir-file=$(infodir)/dir $(infodir)/kth-krb.info; \ + else \ + true; \ + fi + +uninstall: + rm -f $(infodir)/kth-krb.info + +installdirs: + $(MKINSTALLDIRS) $(infodir) + +info: kth-krb.info + +kth-krb.info: kth-krb.texi + $(MAKEINFO) -I$(srcdir) -o $@ $(srcdir)/kth-krb.texi + +dvi: kth-krb.dvi + +kth-krb.dvi: kth-krb.texi + $(TEXI2DVI) $(srcdir)/kth-krb.texi + +html: kth-krb.html + +kth-krb.html: kth-krb.texi + $(TEXI2HTML) $(srcdir)/kth-krb.texi + +clean: + rm -f *.aux *.cp *.cps *.dvi *.fn *.ky *.log *.pg *.toc *.tp *.vr + +distclean: clean + +mostlyclean: clean + +maintainer-clean: clean + rm -f kth-krb.info + +check: + +.PHONY: install all installdirs uninstall info dvi html clean check distclean mostlyclean maintainer-clean diff --git a/crypto/kerberosIV/doc/ack.texi b/crypto/kerberosIV/doc/ack.texi new file mode 100644 index 0000000..388f644 --- /dev/null +++ b/crypto/kerberosIV/doc/ack.texi 
@@ -0,0 +1,80 @@ +@node Acknowledgments, Index, Resolving frequent problems, Top +@comment node-name, next, previous, up +@appendix Acknowledgments + +People from the MIT Athena project wrote the original code that this is +based on. @w{Kerberos 4} @w{patch-level 9} was stripped of both the +encryption functions and the calls to them. This was exported from the +US as the ``Bones'' release. Eric Young put back the calls and hooked +in his libdes, thereby creating the ``eBones'' release. +@cindex Bones +@cindex eBones + +The ``rcmd'' programs where initially developed at the University of +California at Berkeley and then hacked on by the FreeBSD and NetBSD +projects. + +Berkeley also wrote @code{ftp}, @code{ftpd}, @code{telnet}, and +@code{telnetd}. The authentication and encryption code of @code{telnet} +and @code{telnetd} was added by David Borman (then of Cray Research, +Inc). The encryption code was removed when this was exported and then +added back by Juha Eskelinen, @code{<esc@@magic.fi>}. + +The @code{popper} was also a Berkeley program initially. + +The @code{login} has the same origins but has received code written by +Wietse Venema at Eindhoven University of Technology, The Netherlands. + +@code{movemail} was (at least partially) written by Jonathan Kamens, +@code{<jik@@security.ov.com>}, and is Copyright @copyright{} 1986, 1991, +1992, 1993, 1994 Free Software Foundation, Inc. + +@code{xnlock} was originally written by Dan Heller in 1985 for sunview. +The X version was written by him in 1990. + +Some of the functions in @file{libroken} also come from Berkeley by the +way of NetBSD/FreeBSD. + +The code to handle the dynamic loading of the AFS module for AIX is +copyright @copyright{} 1992 HELIOS Software GmbH 30159 Hannover, +Germany. + +@code{editline} was written by Simmule Turner and Rich Salz. 
+ +Bugfixes and code has been contributed by: +@table @asis +@item Derrick J Brashear +@code{<shadow@@dementia.org>} +@item Anders Gertz +@code{<gertz@@lysator.liu.se>} +@item Dejan Ilic +@code{<svedja@@lysator.liu.se>} +@item Kent Engström +@code{<kent@@lysator.liu.se>} +@item Simon Josefsson +@code{<jas@@pdc.kth.se>} +@item Robert Malmgren +@code{<rom@@incolumitas.se>} +@item Fredrik Ljungberg +@code{<flag@@it.kth.se>} +@item Lars Malinowsky +@code{<lama@@pdc.kth.se>} +@item Fabien Coelho +@code{<coelho@@cri.ensmp.fr>} +@item and we hope that those not mentioned here will forgive us. +@end table + +Ian Marsh @code{<ianm@@sics.se>} removed the worst abuses of the English +language from this text. + +Ilja Hallberg @code{<iha@@incolumitas.se>} is still promising to help us +finish the documentation. + +This work was supported in part by SUNET and the Centre for Parallel +Computers at KTH. + +The port to Windows 95/NT was supported by the Computer Council at KTH +and done by Jörgen Karlsson @code{<d93-jka@@nada.kth.se>}. + +All the bugs were introduced by ourselves. + diff --git a/crypto/kerberosIV/doc/index.texi b/crypto/kerberosIV/doc/index.texi new file mode 100644 index 0000000..ebe5d91 --- /dev/null +++ b/crypto/kerberosIV/doc/index.texi @@ -0,0 +1,6 @@ +@node Index, , Acknowledgments, Top +@comment node-name, next, previous, up +@unnumbered Index + +@printindex cp + diff --git a/crypto/kerberosIV/doc/install.texi b/crypto/kerberosIV/doc/install.texi new file mode 100644 index 0000000..240c04e --- /dev/null +++ b/crypto/kerberosIV/doc/install.texi 
@@ -0,0 +1,368 @@ +@node Installing programs, How to set up a realm, What is Kerberos?, Top +@chapter Installing programs + +You have a choise to either build the distribution from source code or +to install binaries, if they are available for your machine. + +@c XXX + +We recommend building from sources, but using pre-compiled binaries +might be easier. If there are no binaries available for your machine or +you want to do some specific configuration, you will have to compile +from source. + +@menu +* Installing from source:: +* Installing a binary distribution:: +* Finishing the installation:: +* Authentication modules:: +@end menu + +@node Installing from source, Installing a binary distribution, Installing programs, Installing programs +@comment node-name, next, previous, up +@section Installing from source + +To build this software un-tar the distribution and run the +@code{configure} script. + +To compile successfully, you will need an ANSI C compiler, such as +@code{gcc}. Other compilers might also work, but setting the ``ANSI +compliance'' too high, might break in parts of the code, not to mention +the standard include files. + +To build in a separate build tree, run @code{configure} in the directory +where the tree should reside. You will need a Make that understands +VPATH correctly. GNU Make works fine. + +After building everything (which will take anywhere from a few minutes +to a long time), you can install everything in @file{/usr/athena} with +@kbd{make install} (running as root). It is possible to install in some +other place, but it isn't recommended. To do this you will have to run +@code{configure} with @samp{--prefix=/my/path}. + +If you need to change the default behavior, configure understands the +following options: + +@table @asis +@item @kbd{--with-shared} +Create shared versions of the Kerberos libraries. Not really +recommended and might not work on all systems. 
+ +@item @kbd{--with-cracklib=}@var{dir} +Use cracklib for password quality control in +@pindex kadmind +@code{kadmind}. This option requires +@cindex cracklib +cracklib with the patch from +@code{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}. + +@item @kbd{--with-dictpath=}@var{dictpath} +This is the dictionary that cracklib should use. + +@item @kbd{--with-socks=}@var{dir} +@cindex firewall +@cindex socks +If you have to traverse a firewall and it uses the SocksV5 protocol +(@cite{RFC 1928}), you can build with socks-support. Point @var{dir} to +the directory where you have socks5 installed. For more information +about socks see @kbd{http://www.socks.nec.com/}. + +@item @kbd{--with-readline=}@var{dir} +@cindex readline +To enable history/line editing in @code{ftp} and @code{kadmin}, any +present version of readline will be used. If you have readline +installed but in a place where configure does not managed to find it, +you can use this option. The code also looks for @code{libedit}. If +there is no library at all, the bundled version of @code{editline} will +be used. + +@item @kbd{--with-mailspool=}@var{dir} +The configuration process tries to determine where your machine stores +its incoming mail. This is typically @file{/usr/spool/mail} or +@file{/var/mail}. If it does not work or you store your mail in some +unusual directory, this option can be used to specify where the mail +spool directory is located. This directory is only accessed by +@pindex popper +@code{popper}, and the mail check in +@pindex login +@code{login}. + +@c @item @kbd{--enable-random-mkey} +@c Do not use this option unless you think you know what you are doing. + +@item @kbd{--with-mkey=}@var{file} +Put the master key here, the default is @file{/.k}. + +@item @kbd{--without-berkeley-db} +If you have +@cindex Berkeley DB +Berkeley DB installed, it is preferred over +@c XXX +dbm. 
If you already are running Kerberos this option might be useful, +since there currently isn't an easy way to convert a dbm database to a +db one (you have to dump the old database and then load it with the new +binaries). +@end table + +@node Installing a binary distribution, Finishing the installation, Installing from source, Installing programs +@comment node-name, next, previous, up +@section Installing a binary distribution + +The binary distribution is supposed to be installed in +@file{/usr/athena}, installing in some other place may work but is not +recommended. A symlink from @file{/usr/athena} to the install directory +should be fine. + +@node Finishing the installation, Authentication modules, Installing a binary distribution, Installing programs +@section Finishing the installation + +@pindex su +The only program that needs to be installed setuid to root is @code{su}. + +If +@pindex rlogin +@pindex rsh +@code{rlogin} and @code{rsh} are setuid to root they will fall back to +non-kerberised protocols if the kerberised ones fail for some +reason. The old protocols use reserved ports as security, and therefore +the programs have to be setuid to root. If you don't need this +functionality consider turning off the setuid bit. + +@pindex login +@code{login} does not have to be setuid, as it is always run by root +(users should use @code{su} rather than @code{login}). It will print a +helpful message when not setuid to root and run by a user. + +The programs intended to be run by users are located in +@file{/usr/athena/bin}. Inform your users to include +@file{/usr/athena/bin} in their paths, or copy or symlink the binaries +to some good place. 
The programs that you will want to use are: +@code{kauth}/@code{kinit}, +@pindex kauth +@pindex kinit +@code{klist}, @code{kdestroy}, @code{kpasswd}, @code{ftp}, +@pindex klist +@pindex kdestroy +@pindex kpasswd +@pindex ftp +@code{telnet}, @code{rcp}, @code{rsh}, @code{rlogin}, @code{su}, +@pindex telnet +@pindex rcp +@pindex rsh +@pindex rlogin +@pindex su +@pindex xnlock +@pindex afslog +@pindex pagsh +@pindex rxtelnet +@pindex tenletxr +@pindex rxterm +@code{rxtelnet}, @code{tenletxr}, @code{rxterm}, and +@code{xnlock}. If you are using AFS, @code{afslog} and @code{pagsh} +might also be useful. Administrators will want to use @code{kadmin} and +@code{ksrvutil}, which are located in @file{/usr/athena/sbin}. +@pindex kadmin +@pindex ksrvutil + +@code{telnetd} and @code{rlogind} assume that @code{login} is located in +@file{/usr/athena/bin} (or whatever path you used as +@samp{--prefix}). If for some reason you want to move @code{login}, you +will have to specify the new location with the @samp{-L} switch when +configuring +@pindex telnetd +telnetd +and +@pindex rlogind +rlogind +in @file{inetd.conf}. + +It should be possible to replace the system's default @code{login} with +the kerberised @code{login}. However some systems assume that login +performs some serious amount of magic that our login might not do (although +we've tried to do our best). So before replacing it on every machine, +try and see what happens. Another thing to try is to use one of the +authentication modules (@xref{Authentication modules}) supplied. + +The @code{login} program that we use was in an earlier life the standard +login program from NetBSD. In order to use it with a lot of weird +systems, it has been ``enhanced'' with features from many other logins +(Solaris, SunOS, IRIX, AIX, and others). Some of these features are +actually useful and you might want to use them even on other systems. 
+ +@table @file +@item /etc/fbtab +@pindex fbtab +@itemx /etc/logindevperm +@pindex logindevperm +Allows you to chown some devices when a user logs in on a certain +terminal. Commonly used to change the ownership of @file{/dev/mouse}, +@file{/dev/kbd}, and other devices when someone logs in on +@file{/dev/console}. + +@file{/etc/fbtab} is the SunOS file name and it is tried first. If +there is no such file then the Solaris file name +@file{/etc/logindevperm} is tried. +@item /etc/environment +@pindex environment +This file specifies what environment variables should be set when a user +logs in. (AIX-style) +@item /etc/default/login +@pindex default/login +Almost the same as @file{/etc/environment}, but the System V style. +@item /etc/login.access +@pindex login.access +Can be used to control who is allowed to login from where and on what +ttys. (From Wietse Venema) +@end table + +@menu +* Authentication modules:: +@end menu + +@node Authentication modules, , Finishing the installation, Installing programs +@comment node-name, next, previous, up +@section Authentication modules +The problem of having different authentication mechanisms has been +recognised by several vendors, and several solutions has appeared. In +most cases these solutions involve some kind of shared modules that are +loaded at run-time. Modules for some of these systems can be found in +@file{lib/auth}. Presently there are modules for Digital's SIA, Linux' +PAM (might also work on Solaris, when PAM gets supported), and IRIX' +@code{login} and @code{xdm} (in @file{lib/auth/afskauthlib}). + +@menu +* Digital SIA:: +* IRIX:: +* PAM:: +@end menu + +@node Digital SIA, IRIX, Authentication modules, Authentication modules +@subsection Digital SIA + +To install the SIA module you will have to do the following: + +@itemize @bullet + +@item +Make sure @file{libsia_krb4.so} is available in +@file{/usr/athena/lib}. 
If @file{/usr/athena} is not on local disk, you +might want to put it in @file{/usr/shlib} or someplace else. If you do, +you'll have to edit @file{krb4_matrix.conf} to reflect the new location +(you will also have to do this if you installed in some other directory +than @file{/usr/athena}). +@item +Copy (your possibly edited) @file{krb4_matrix.conf} to @file{/etc/sia}. +@item +Apply @file{security.patch} to @file{/sbin/init.d/security}. +@item +Turn on KRB4 security by issuing @kbd{rcmgr set SECURITY KRB4} and +@kbd{rcmgr set KRB4_MATRIX_CONF krb4_matrix.conf}. +@item +Digital thinks you should reboot your machine, but that really shouldn't +be necessary. It's usually sufficient just to run +@kbd{/sbin/init.d/security start}. +@end itemize + +Users with local passwords (like @samp{root}) should be able to login +safely. + +When using Digital's xdm the @samp{KRBTKFILE} environment variable isn't +passed along as it should (since xdm zaps the environment). Instead you +have to set @samp{KRBTKFILE} to the correct value in +@file{/usr/lib/X11/xdm/Xsession}. Add a line similar to +@example +KRBTKFILE=/tmp/tkt`id -u`_`ps -o ppid= -p $$`; export KRBTKFILE +@end example + +There is currently no support for changing passwords. Use @file{kpasswd} +instead. + +@subsubheading Notes to users with Enhanced security + +Digital's @samp{ENHANCED} (C2) security, and Kerberos solves two +different problems. C2 deals with local security, adds better control of +who can do what, auditing, and similar things. Kerberos deals with +network security. + +To make C2 security work with Kerberos you will have to do the +following. + +@itemize @bullet +@item +Replace all occurencies of @file{krb4_matrix.conf} with +@file{krb4+c2_matrix.conf} in the directions above. +@item +You must enable ``vouching'' in the @samp{default} database. This will +make the OSFC2 module trust other SIA modules, so you can login without +giving your C2 password. 
To do this use @samp{edauth} to edit the +default entry @kbd{/usr/tcb/bin/edauth -dd default}, and add a +@samp{d_accept_alternate_vouching} capability, if not already present. +@item +For each user that does @emph{not} have a local C2 password, you should +set the password expiration field to zero. You can do this for each +user, or in the @samp{default} table. To to this use @samp{edauth} to +set (or change) the @samp{u_exp} capability to @samp{u_exp#0}. +@item +You should make sure that you use Digital's login rather than the one +distributed by us. The easiest way to do this is to replace +@file{/usr/athena/bin/login} with @file{/bin/login}. +@end itemize + +At present @samp{su} does not accept the vouching flag, so it will not +work as expected. + +Also, kerberised ftp will not work with C2 passwords. You can solve this +by using both Digital's ftpd and our on different ports. + +@strong{Remember}, if you do these changes you will get a system that +most certainly does @emph{not} fulfill the requirements of a C2 +system. If C2 is what you want, for instance if someone else is forcing +you to use it, you're out of luck. If you use enhanced security because +you want a system that is more secure than it would otherwise be, you +probably got an even more secure system. Passwords will not be sent in +the clear, for instance. + +@node IRIX, PAM, Digital SIA, Authentication modules +@subsection IRIX + +The IRIX support is a module that is compatible with Transarc's +@file{afskauthlib.so}. It should work with all programs that use this +library, this should include @file{login} and @file{xdm}. + +The interface is not very documented but it seems that you have to copy +@file{libkafs.so}, @file{libkrb.so}, and @file{libdes.so} to +@file{/usr/lib}, or build your @file{afskauthlib.so} statically. + +The @file{afskauthlib.so} itself is able to reside in +@file{/usr/vice/etc}, @file{/usr/afsws/lib}, or the current directory +(wherever that is). 
+ +Appart from this it should ``just work'', there are no configuration +files. + +@node PAM, , IRIX, Authentication modules +@subsection PAM + +The PAM module was written more out of curiosity that anything else. It +has not been updated for quite a while, since none of us are using +Linux, and Solaris does not support PAM yet. We've had positive reports +from at least one person using the module, though. + +To use this module you should: + +@itemize @bullet +@item +Make sure @file{pam_krb4.so} is available in @file{/usr/athena/lib}. You +might actually want it on local disk, so @file{/lib/security} might be a +better place if @file{/usr/athena} is not local. +@item +Look at @file{pam.conf.add} for examples of what to add to +@file{/etc/pam.conf}. +@end itemize + +There is currently no support for changing kerberos passwords. Use +kpasswd instead. + +See also Derrick J Brashear's @code{<shadow@@dementia.org>} Kerberos PAM +module at @kbd{ftp://ftp.dementia.org/pub/pam}. It has a lot more +features, and it is also more in line with other PAM modules. diff --git a/crypto/kerberosIV/doc/intro.texi b/crypto/kerberosIV/doc/intro.texi new file mode 100644 index 0000000..830ca1a --- /dev/null +++ b/crypto/kerberosIV/doc/intro.texi 
@@ -0,0 +1,69 @@ +@node Introduction, What is Kerberos?, Top, Top +@comment node-name, next, previous, up +@chapter Introduction + +This is an attempt at documenting the Kerberos 4 distribution from +Kungliga Tekniska Högskolan (the Royal Institute of Technology in +Stockholm, Sweden). This distribution is based on eBones, but has been +improved in many ways. It is more portable, and several new features +have been added. It currently runs on the following systems: + +@itemize @bullet +@item +AIX 4.1, 4.2 +@item +BSD/OS 2.0, 2.1 +@item +Digital UNIX 3.2, 4.0 +@item +HP-UX 9, 10 +@item +IRIX 4.0, 5.2, 5.3, 6.1, 6.2, 6.3, 6.4 +@item +Linux 1.3, 2.0 +@item +NetBSD 1.2 +@item +FreeBSD 2.2 +@item +SunOS 4.1 +@item +SunOS 5.4/5.5 (aka Solaris 2.4/2.5) +@item +Ultrix 4.4 +@item +Cray UNICOS 9. +@item +Fujitsu UXP/V 4.1. +@end itemize + +Some part compile and work on: + +@itemize @bullet +@item +OS/2 with EMX +@item +Windows 95/NT with gnu-win32 (with the proper amount of magic the +libraries should compile with Microsoft C as well) +@end itemize + +It should work on anything that is almost POSIX, has an ANSI C +compiler, a dbm library (for the server side), and BSD Sockets. + +A web-page is available at @kbd{http://www.pdc.kth.se/kth-krb/}. + +@heading Bug reports + +If you cannot build the programs or they do not behave as you think they +should, please send us a bug report. The bug report should be sent to +@code{<kth-krb-bugs@@nada.kth.se>}. Please include information on what +machine and operating system (including version) you are running, what +you are trying to do, what happens, what you think should have happened, +an example for us to repeat, the output you get when trying the example, +and a patch for the problem if you have one. Please make any patches +with @code{diff -u} or @code{diff -c}. The more detailed the bug report +is, the easier it will be for us to reproduce, understand, and fix it. + +Suggestions, comments and other non bug reports are welcome. 
Send them +to @code{<kth-krb@@nada.kth.se>}. + diff --git a/crypto/kerberosIV/doc/kth-krb.texi b/crypto/kerberosIV/doc/kth-krb.texi new file mode 100644 index 0000000..8b26349 --- /dev/null +++ b/crypto/kerberosIV/doc/kth-krb.texi 
@@ -0,0 +1,300 @@ +\input texinfo @c -*- texinfo -*- +@c %**start of header +@c $Id: kth-krb.texi,v 1.71 1997/05/25 21:31:00 assar Exp $ +@setfilename kth-krb.info +@settitle KTH-KRB +@iftex +@afourpaper +@end iftex +@c some sensible characters, please? +@tex +\input latin1.tex +@end tex +@setchapternewpage on +@syncodeindex pg cp +@c %**end of header + +@dircategory Kerberos +@direntry +* Kth-krb: (kth-krb). The Kerberos IV distribution from KTH +@end direntry + +@c title page +@titlepage +@title KTH-KRB +@subtitle Kerberos 4 from KTH +@subtitle Edition -1.0, for version 0.9.5 +@subtitle 1997 +@author Johan Danielsson +@author Assar Westerlund +@author last updated $Date: 1997/05/25 21:31:00 $ + +@def@copynext{@vskip 20pt plus 1fil@penalty-1000} +@def@copyrightstart{} +@def@copyrightend{} +@page +@copyrightstart +Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan +(Royal Institute of Technology, Stockholm, Sweden). +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +3. All advertising materials mentioning features or use of this software + must display the following acknowledgement: + This product includes software developed by the Kungliga Tekniska + Högskolan and its contributors. + +4. Neither the name of the Institute nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. 
+ +THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. + +@copynext + +Copyright (C) 1995 Eric Young (eay@@mincom.oz.au) +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +1. Redistributions of source code must retain the copyright + notice, this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +3. All advertising materials mentioning features or use of this software + must display the following acknowledgement: + This product includes software developed by Eric Young (eay@@mincom.oz.au) + +THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. + +@copynext + +Copyright (c) 1983, 1990 The Regents of the University of California. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +3. All advertising materials mentioning features or use of this software + must display the following acknowledgement: + This product includes software developed by the University of + California, Berkeley and its contributors. + +4. Neither the name of the University nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. + +@copynext + +Copyright (C) 1990 by the Massachusetts Institute of Technology + +Export of this software from the United States of America is assumed +to require a specific license from the United States Government. +It is the responsibility of any person or organization contemplating +export to obtain such a license before exporting. + +WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +distribute this software and its documentation for any purpose and +without fee is hereby granted, provided that the above copyright +notice appear in all copies and that both that copyright notice and +this permission notice appear in supporting documentation, and that +the name of M.I.T. not be used in advertising or publicity pertaining +to distribution of the software without specific, written prior +permission. M.I.T. makes no representations about the suitability of +this software for any purpose. It is provided "as is" without express +or implied warranty. + +@copynext + +Copyright 1987, 1989 by the Student Information Processing Board + of the Massachusetts Institute of Technology + +Permission to use, copy, modify, and distribute this software +and its documentation for any purpose and without fee is +hereby granted, provided that the above copyright notice +appear in all copies and that both that copyright notice and +this permission notice appear in supporting documentation, +and that the names of M.I.T. and the M.I.T. S.I.P.B. 
not be +used in advertising or publicity pertaining to distribution +of the software without specific, written prior permission. +M.I.T. and the M.I.T. S.I.P.B. make no representations about +the suitability of this software for any purpose. It is +provided "as is" without express or implied warranty. + +@copynext + +Copyright 1992 Simmule Turner and Rich Salz. All rights reserved. + +This software is not subject to any license of the American Telephone +and Telegraph Company or of the Regents of the University of California. + +Permission is granted to anyone to use this software for any purpose on +any computer system, and to alter it and redistribute it freely, subject +to the following restrictions: + +1. The authors are not responsible for the consequences of use of this + software, no matter how awful, even if they arise from flaws in it. + +2. The origin of this software must not be misrepresented, either by + explicit claim or by omission. Since few users ever read sources, + credits must appear in the documentation. + +3. Altered versions must be plainly marked as such, and must not be + misrepresented as being the original software. Since few users + ever read sources, credits must appear in the documentation. + +4. This notice may not be removed or altered. + +@copyrightend +@end titlepage + +@c Less filling! Tastes great! 
+@iftex +@parindent=0pt +@global@parskip 6pt plus 1pt +@global@chapheadingskip = 15pt plus 4pt minus 2pt +@global@secheadingskip = 12pt plus 3pt minus 2pt +@global@subsecheadingskip = 9pt plus 2pt minus 2pt +@end iftex +@ifinfo +@paragraphindent 0 +@end ifinfo + +@ifinfo +@node Top, Introduction, (dir), (dir) +@top KTH-krb +@end ifinfo + +@menu +* Introduction:: +* What is Kerberos?:: +* Installing programs:: +* How to set up a realm:: +* One-Time Passwords:: +* Resolving frequent problems:: +* Acknowledgments:: +* Index:: + + --- The Detailed Node Listing --- + +Installing programs + +* Installing from source:: +* Installing a binary distribution:: +* Finishing the installation:: +* Authentication modules:: + +Finishing the installation + +* Authentication modules:: + +Authentication modules + +* Digital SIA:: +* IRIX:: +* PAM:: + +How to set up a realm + +* How to set up the kerberos server:: +* Install the client programs:: +* Install the kerberised services:: +* Install a slave kerberos server:: +* Cross-realm functionality :: + +How to set up the kerberos server + +* Choose a realm name:: +* Choose a kerberos server:: +* Install the configuration files:: +* Install the /etc/services:: +* Install the kerberos server:: +* Set up the server:: +* Add a few important principals:: +* Start the server:: +* Try to get tickets:: +* Create initial ACL for the admin server:: +* Start the admin server:: +* Add users to the database:: +* Automate the startup of the servers:: + +One-Time Passwords + +* What are one time passwords?:: +* When to use one time passwords?:: +* Configuring OTPs:: + +Resolving frequent problems + +* Problems compiling Kerberos:: +* Common error messages:: +@end menu + +@include intro.texi +@include whatis.texi +@include install.texi +@include setup.texi +@include otp.texi +@include problems.texi +@include ack.texi +@include index.texi + +@c @shortcontents +@contents + +@bye 
diff --git a/crypto/kerberosIV/doc/latin1.tex b/crypto/kerberosIV/doc/latin1.tex new file mode 100644 index 0000000..e683dd2 --- /dev/null +++ b/crypto/kerberosIV/doc/latin1.tex 
@@ -0,0 +1,95 @@ +% ISO Latin 1 (ISO 8859/1) encoding for Computer Modern fonts. +% Jan Michael Rynning <jmr@nada.kth.se> 1990-10-12 +\def\inmathmode#1{\relax\ifmmode#1\else$#1$\fi} +\global\catcode`\^^a0=\active \global\let^^a0=~ % no-break space +\global\catcode`\^^a1=\active \global\def^^a1{!`} % inverted exclamation mark +\global\catcode`\^^a2=\active \global\def^^a2{{\rm\rlap/c}} % cent sign +\global\catcode`\^^a3=\active \global\def^^a3{{\it\$}} % pound sign +% currency sign, yen sign, broken bar +\global\catcode`\^^a7=\active \global\let^^a7=\S % section sign +\global\catcode`\^^a8=\active \global\def^^a8{\"{}} % diaeresis +\global\catcode`\^^a9=\active \global\let^^a9=\copyright % copyright sign +% feminine ordinal indicator, left angle quotation mark +\global\catcode`\^^ac=\active \global\def^^ac{\inmathmode\neg}% not sign +\global\catcode`\^^ad=\active \global\let^^ad=\- % soft hyphen +% registered trade mark sign +\global\catcode`\^^af=\active \global\def^^af{\={}} % macron +% ... +\global\catcode`\^^b1=\active \global\def^^b1{\inmathmode\pm} % plus minus +\global\catcode`\^^b2=\active \global\def^^b2{\inmathmode{{^2}}} +\global\catcode`\^^b3=\active \global\def^^b3{\inmathmode{{^3}}} +\global\catcode`\^^b4=\active \global\def^^b4{\'{}} % acute accent +\global\catcode`\^^b5=\active \global\def^^b5{\inmathmode\mu} % mu +\global\catcode`\^^b6=\active \global\let^^b6=\P % pilcroy +\global\catcode`\^^b7=\active \global\def^^b7{\inmathmode{{\cdot}}} +\global\catcode`\^^b8=\active \global\def^^b8{\c{}} % cedilla +\global\catcode`\^^b9=\active \global\def^^b9{\inmathmode{{^1}}} +% ... 
+\global\catcode`\^^bc=\active \global\def^^bc{\inmathmode{{1\over4}}} +\global\catcode`\^^bd=\active \global\def^^bd{\inmathmode{{1\over2}}} +\global\catcode`\^^be=\active \global\def^^be{\inmathmode{{3\over4}}} +\global\catcode`\^^bf=\active \global\def^^bf{?`} % inverted question mark +\global\catcode`\^^c0=\active \global\def^^c0{\`A} +\global\catcode`\^^c1=\active \global\def^^c1{\'A} +\global\catcode`\^^c2=\active \global\def^^c2{\^A} +\global\catcode`\^^c3=\active \global\def^^c3{\~A} +\global\catcode`\^^c4=\active \global\def^^c4{\"A} % capital a with diaeresis +\global\catcode`\^^c5=\active \global\let^^c5=\AA % capital a with ring above +\global\catcode`\^^c6=\active \global\let^^c6=\AE +\global\catcode`\^^c7=\active \global\def^^c7{\c C} +\global\catcode`\^^c8=\active \global\def^^c8{\`E} +\global\catcode`\^^c9=\active \global\def^^c9{\'E} +\global\catcode`\^^ca=\active \global\def^^ca{\^E} +\global\catcode`\^^cb=\active \global\def^^cb{\"E} +\global\catcode`\^^cc=\active \global\def^^cc{\`I} +\global\catcode`\^^cd=\active \global\def^^cd{\'I} +\global\catcode`\^^ce=\active \global\def^^ce{\^I} +\global\catcode`\^^cf=\active \global\def^^cf{\"I} +% capital eth +\global\catcode`\^^d1=\active \global\def^^d1{\~N} +\global\catcode`\^^d2=\active \global\def^^d2{\`O} +\global\catcode`\^^d3=\active \global\def^^d3{\'O} +\global\catcode`\^^d4=\active \global\def^^d4{\^O} +\global\catcode`\^^d5=\active \global\def^^d5{\~O} +\global\catcode`\^^d6=\active \global\def^^d6{\"O} % capital o with diaeresis +\global\catcode`\^^d7=\active \global\def^^d7{\inmathmode\times}% multiplication sign +\global\catcode`\^^d8=\active \global\let^^d8=\O +\global\catcode`\^^d9=\active \global\def^^d9{\`U} +\global\catcode`\^^da=\active \global\def^^da{\'U} +\global\catcode`\^^db=\active \global\def^^db{\^U} +\global\catcode`\^^dc=\active \global\def^^dc{\"U} +\global\catcode`\^^dd=\active \global\def^^dd{\'Y} +% capital thorn +\global\catcode`\^^df=\active \global\def^^df{\ss} 
+\global\catcode`\^^e0=\active \global\def^^e0{\`a} +\global\catcode`\^^e1=\active \global\def^^e1{\'a} +\global\catcode`\^^e2=\active \global\def^^e2{\^a} +\global\catcode`\^^e3=\active \global\def^^e3{\~a} +\global\catcode`\^^e4=\active \global\def^^e4{\"a} % small a with diaeresis +\global\catcode`\^^e5=\active \global\let^^e5=\aa % small a with ring above +\global\catcode`\^^e6=\active \global\let^^e6=\ae +\global\catcode`\^^e7=\active \global\def^^e7{\c c} +\global\catcode`\^^e8=\active \global\def^^e8{\`e} +\global\catcode`\^^e9=\active \global\def^^e9{\'e} +\global\catcode`\^^ea=\active \global\def^^ea{\^e} +\global\catcode`\^^eb=\active \global\def^^eb{\"e} +\global\catcode`\^^ec=\active \global\def^^ec{\`\i} +\global\catcode`\^^ed=\active \global\def^^ed{\'\i} +\global\catcode`\^^ee=\active \global\def^^ee{\^\i} +\global\catcode`\^^ef=\active \global\def^^ef{\"\i} +% small eth +\global\catcode`\^^f1=\active \global\def^^f1{\~n} +\global\catcode`\^^f2=\active \global\def^^f2{\`o} +\global\catcode`\^^f3=\active \global\def^^f3{\'o} +\global\catcode`\^^f4=\active \global\def^^f4{\^o} +\global\catcode`\^^f5=\active \global\def^^f5{\~o} +\global\catcode`\^^f6=\active \global\def^^f6{\"o} % small o with diaeresis +\global\catcode`\^^f7=\active \global\def^^f7{\inmathmode\div}% division sign +\global\catcode`\^^f8=\active \global\let^^f8=\o +\global\catcode`\^^f9=\active \global\def^^f9{\`u} +\global\catcode`\^^fa=\active \global\def^^fa{\'u} +\global\catcode`\^^fb=\active \global\def^^fb{\^u} +\global\catcode`\^^fc=\active \global\def^^fc{\"u} +\global\catcode`\^^fd=\active \global\def^^fd{\'y} +% capital thorn +\global\catcode`\^^ff=\active \global\def^^ff{\"y} diff --git a/crypto/kerberosIV/doc/otp.texi b/crypto/kerberosIV/doc/otp.texi new file mode 100644 index 0000000..0a5929f --- /dev/null +++ b/crypto/kerberosIV/doc/otp.texi 
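Review bot: the placeholder comment just before the `^^ff` definition reads `% capital thorn`, but that slot is 0xFE, which is small thorn; the capital (0xDE) already has its own `% capital thorn` placeholder before the `^^df`/`\ss` line, so the second one should read `% small thorn`. In the same pass, `% pilcroy` on the `^^b6` line should be `% pilcrow`. The file deliberately leaves eth, thorn, the currency/yen/broken bar group, the ordinal indicators and the angle quotation marks without an active-character definition (the `% ...` lines), which is a defensible choice for Computer Modern, but a one-line header comment listing the unmapped code points would save the next reader from diffing this table against the ISO 8859-1 chart to learn which input bytes are silently left as catcode-12 characters.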
@@ -0,0 +1,127 @@ +@node One-Time Passwords, Resolving frequent problems, How to set up a realm, Top +@chapter One-Time Passwords + +@cindex OTP +@cindex One time passwords +There is also support for using @dfn{one time passwords} (OTP) in this +package. Specifically @code{login}, @code{ftpd}, and @code{popper} have +support for using them. + +@menu +* What are one time passwords?:: +* When to use one time passwords?:: +* Configuring OTPs:: +@end menu + +@node What are one time passwords?, When to use one time passwords?, One-Time Passwords, One-Time Passwords +@comment node-name, next, previous, up +@section What are one time passwords? + +One time passwords are, as the name implies, passwords that can only +be used once. This means that even if someone is eavesdropping on the +network, they will not be able to make use of the passwords they steal. + +The OTPs used in this package support @cite{RFC 1938}. This standard is +also backwards compatible with the well-known S/Key. There are lots of +programs for generating these on everything from HP 48's to Crays. +@cindex S/Key + +@node When to use one time passwords?, Configuring OTPs, What are one time passwords?, One-Time Passwords +@comment node-name, next, previous, up +@section When to use one time passwords? + +Why would you want to use OTPs instead of Kerberos? The advantage of +OTPs is that they don't require a computer to operate. You can print +out a list of passwords and take with you, or you could use your +calculator or hand-held computer to generate them. + +The downside is that they only protect you against passive attacks. +Only the initial connection is authenticated. After that, anyone can +eavesdrop on your session, so you should not send or view any sensitive +data (e.g. passwords) over a OTP-initiated link. You are also +vulnerable to active attacks where intruders try to take over your +TCP-session and/or introduce data in the middle of it. 
In other words, +they provide initial authentication, but neither integrity nor +confidentiality. + +The OTPs are generated from the tuple (@var{seed}, @var{sequence +number}, @var{pass-phrase}). The seed and the sequence number will be +printed as part of the @dfn{challenge} and you will have to generate the +corresponding password or pick it from a list. + +In conclusion, they are simple and can be used everywhere but don't +protect against all threats that Kerberos does. Use them when you can't +use Kerberos. + +@node Configuring OTPs, , When to use one time passwords?, One-Time Passwords +@comment node-name, next, previous, up +@section Configuring OTPs + +@heading Initializing + +To initialize your OTPs use the @code{otp} program. This program will +write an entry in a local file on this host with your current password +(in this case the 100th) and the corresponding seed (@samp{foobar}). +@pindex otp + +@example +@cartouche +datan:>otp 100 foobar +Pass-phrase: <pass-phrase> +Verifying password Pass-phrase: <pass-phrase> +@end cartouche +@end example + +@heading Generating + +To print out a list of them there is a program called +@code{otpprint}. +@pindex otpprint + +@example +@cartouche +datan:>otpprint 100 foobar +Pass-phrase: <pass-phrase> +91: SLAM BUY SUP DUSK SKY BEST +92: DEEM SIGH ROB RASH JUG MAT +93: DUET FISK HERS AREA TOLL SUP +94: WOW RAIN LEAK SARA MARK WING +95: COG YELL MILK CART ABE BAWL +96: GROW SILK GIST OMEN CAM ANNE +97: JAG QUAD NUT BEAT BHOY MAGI +98: ADAM USED GENE NIP EYE SIS +99: MY SUNG HERO AT DASH RAKE +100: CORN KNIT BOTH TOGO SOUL BOG +@end cartouche +@end example + +@heading Using the OTPs + +When you try to use one and have initialized a series of +one-time passwords for yourself you will get a challenge with the +algorithm being used, the sequence number, and the seed. Enter those in +your generator or find the corresponding password in your list. 
+ +@example +@cartouche +login: assar +assar's [ otp-md5 99 foobar ] Password: <MY SUNG HERO AT DASH RAKE> +@end cartouche +@end example + +The sequence number of the password will start at one less that the +number you gave to @code{otp} and decrease by one every time you use it. +You should try to keep track of which should be the current one so that +you can be assured that nobody has stolen some of your passwords and +used them. When the number has reached zero you need to acquire a new +series of passwords. + +Once you have initialized your series of passwords, you can always use +them at any password prompt where you get the challenge as shown above. + +@heading Configuring servers + +@code{ftpd}, @code{telnetd}, and @code{popper} can be configured to +require one-time passwords when the connection has not been kerberos +authenticated. Check the man pages for these programs for the correct +options. diff --git a/crypto/kerberosIV/doc/problems.texi b/crypto/kerberosIV/doc/problems.texi new file mode 100644 index 0000000..9e3630e --- /dev/null +++ b/crypto/kerberosIV/doc/problems.texi 
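Review bot: `Configuring OTPs` should warn that the password list is a pure function of the (seed, sequence number, pass-phrase) tuple the chapter itself describes: initializing two hosts with `otp 100 foobar` and the same pass-phrase produces identical lists on both, so a password an eavesdropper captured on one host (say `99: MY SUNG HERO AT DASH RAKE`) is valid on the other for as long as that host is still at sequence 99, and re-running `otp` with the same seed after the series has run out reissues passwords that have already gone over the wire. Suggest stating, next to the `otp 100 foobar` example, that the seed must differ per host and must be changed whenever a new series is initialized, and that the `otpprint` output is as sensitive as the pass-phrase. Two smaller points: the chapter intro names `login`, `ftpd` and `popper` as the OTP-aware programs, while `Configuring servers` names `ftpd`, `telnetd` and `popper`; one of the two lists needs correcting. And `one less that the number you gave to @code{otp}` should read `one less than`.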
@@ -0,0 +1,156 @@ +@node Resolving frequent problems, Acknowledgments, One-Time Passwords, Top +@chapter Resolving frequent problems + +@menu +* Problems compiling Kerberos:: +* Common error messages:: +@end menu + +@node Problems compiling Kerberos, Common error messages, Resolving frequent problems, Resolving frequent problems +@section Problems compiling Kerberos + +Many compilers require a switch to become ANSI compliant. Since kth-krb +is written in ANSI C it is necessary to specify the name of the compiler +to be used and the required switch to make it ANSI compliant. This is +most easily done when running configure using the @kbd{env} command. For +instance to build under HP-UX using the native compiler do: + +@cartouche +@example +datan$ env CC="cc -Ae" ./configure +@end example +@end cartouche + +In general @kbd{gcc} works. The following combinations have also been +verified to successfully compile the distribution: + +@table @asis + +@item @samp{HP-UX} +@kbd{cc -Ae} +@item @samp{Digital UNIX} +@kbd{cc -std1} +@item @samp{AIX} +@kbd{xlc} +@item @samp{Solaris 2.x} +@kbd{cc} (unbundled one) +@item @samp{IRIX} +@kbd{cc} + +@end table + +@subheading Linux problems + +Some systems have lost @file{/usr/include/ndbm.h} which is necessary to +build kth-krb correctly. There is a @file{ndbm.h.Linux} right next to +the source distribution. + +There has been reports of non-working @file{libdb} on some Linux +distributions. If that happens, use the @kbd{--without-berkeley-db} +when configuring. + +@subheading HP-UX problems + +The shared library @file{/usr/lib/libndbm.sl} doesn't exist on all +systems. To make problems even worse, there is never an archive version +for static linking either. Therefore, when building ``truly portable'' +binaries first install GNU gdbm or Berkeley DB, and make sure that you +are linking against that library. 
+ +@subheading Cray problems + +@kbd{rlogind} won't work on Crays until @code{forkpty()} has been +ported, in the mean time use @kbd{telnetd}. + +@subheading AIX problems + +@kbd{gcc} version 2.7.2.1 has a bug which makes it miscompile +@file{appl/telnet/telnetd/sys_term.c} (and possibily +@file{appl/bsd/forkpty.c}), if used with too much optimization. + +@subheading C2 problems + +@cindex C2 +The programs that checks passwords works with @file{passwd}, OTP, and +Kerberos paswords. This is problem if you use C2 security (or use some +other password database), that normally keeps passwords in some obscure +place. If you want to use Kerberos with C2 security you will have to +think about what kind of changes are necessary. See also the discussion +about Digital's SIA and C2 security, see @ref{Digital SIA}. + +@node Common error messages, , Problems compiling Kerberos, Resolving frequent problems +@section Common error messages + +These are some of the more obscure error messages you might encounter: + +@table @asis + +@item @samp{Time is out of bounds} + +The time on your machine differs from the time on either the kerberos +server or the machine you are trying to login to. If it isn't obvious +that this is the case, remember that all times are compared in UTC. + +On unix systems you usually can find out what the local time is by doing +@code{telnet machine daytime}. This time (again, usually is the keyword) +is with correction for time-zone and daylight savings. + +If you have problem keeping your clocks synchronized, consider using a +time keeping system such as NTP (see also the discussion in +@ref{Install the client programs}). + +@item @samp{Ticket issue date too far in the future} + +The time on the kerberos server is more than five minutes ahead of the +time on the server. + +@item @samp{Can't decode authenticator} + +This means that there is a mismatch between the service key in the +kerberos server and the service key file on the specific machine. 
+Either: +@itemize @bullet +@item +the server couldn't find a service key matching the request +@item +the service key (or version number) does not match the key the packet +was encrypted with +@end itemize + +@item @samp{Incorrect network address} + +The address in the ticket does not match the address you sent the +request from. This happens on systems with more than one network +address, either physically or logically. You can list addresses which +should be considered equal in @file{/etc/krb.equiv} on your servers. + +A note to programmers: a server should not pass @samp{*} as the instance +to @samp{krb_rd_req}. It should try to figure out on which interface the +request was received, for instance by using @samp{k_getsockinst}. + +If you change addresses on your computer you invalidate any tickets you +might have. The easiest way to fix this is to get new tickets with the +new address. + +@item @samp{Message integrity error} + +The packet is broken in some way: +@itemize @bullet +@item +the lengths does not match the size of the packet, or +@item +the checksum does not match the contents of the packet +@end itemize + +@item @samp{Can't send request} +There is some problem contacting the kerberos server. Either the server +is down, or it is using the wrong port (compare the entries for +@samp{kerberos-iv} in @file{/etc/services}). The client might also have +failed to guess what kerberos server to talk to (check +@file{/etc/krb.conf} and @file{/etc/krb.realms}). + +@item @samp{Generic kerberos error} +This is a generic catch-all error message. + +@end table + diff --git a/crypto/kerberosIV/doc/setup.texi b/crypto/kerberosIV/doc/setup.texi new file mode 100644 index 0000000..1b4b395 --- /dev/null +++ b/crypto/kerberosIV/doc/setup.texi 
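Review bot: under `Ticket issue date too far in the future`, the sentence `The time on the kerberos server is more than five minutes ahead of the time on the server` uses `server` for two different machines; the preceding entry already distinguishes `the kerberos server` from `the machine you are trying to login to`, so the second occurrence should say the application server (the machine being connected to), otherwise the reader cannot tell which clock to correct. Under `Incorrect network address`, the advice to list addresses in `/etc/krb.equiv` needs a caveat: the address check is what stops a ticket copied off one host from being used from another, and each address pair added to `krb.equiv` removes that protection for those two addresses, so the entry should say to list only addresses belonging to the same machine (the multi-homed case the text describes) and never to use the file merely to silence the error. Typos to fix while here: `paswords`, `possibily`, `The programs that checks passwords works`, `There has been reports`.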
@@ -0,0 +1,794 @@ +@node How to set up a realm, One-Time Passwords, Installing programs, Top +@chapter How to set up a realm + +@quotation +@flushleft + Who willed you? or whose will stands but mine? + There's none protector of the realm but I. + Break up the gates, I'll be your warrantize. + Shall I be flouted thus by dunghill grooms? + --- King Henry VI, 6.1 +@end flushleft +@end quotation + +@menu +* How to set up the kerberos server:: +* Install the client programs:: +* Install the kerberised services:: +* Install a slave kerberos server:: +* Cross-realm functionality :: +@end menu + +@node How to set up the kerberos server, Install the client programs, How to set up a realm, How to set up a realm +@section How to set up the kerberos server + +@menu +* Choose a realm name:: +* Choose a kerberos server:: +* Install the configuration files:: +* Install the /etc/services:: +* Install the kerberos server:: +* Set up the server:: +* Add a few important principals:: +* Start the server:: +* Try to get tickets:: +* Create initial ACL for the admin server:: +* Start the admin server:: +* Add users to the database:: +* Automate the startup of the servers:: +@end menu + +@node Choose a realm name, Choose a kerberos server, How to set up the kerberos server, How to set up the kerberos server +@subsection Choose a realm name + +A +@cindex realm +realm is an administrative domain. Kerberos realms are usually +written in uppercase and consist of a Internet domain +name@footnote{Using lowercase characters in the realm name might break +in mysterious ways. This really should have been fixed, but has not.}. +Call your realm the same as your Internet domain name if you do not have +strong reasons for not doing so. It will make life easier for you and +everyone else. 
+ +@node Choose a kerberos server, Install the configuration files, Choose a realm name, How to set up the kerberos server +@subsection Choose a kerberos server + +You need to choose a machine to run the +@pindex kerberos +kerberos server program. If the kerberos database residing on this host +is compromised, your entire realm will be compromised. Therefore, this +machine must be as secure as possible. Preferably it should not run any +services other than Kerberos. The secure-minded administrator might +only allow logins on the console. + +This machine has also to be reliable. If it is down, you will not be +able to use any kerberised services unless you have also configured a +slave server (@xref{Install a slave kerberos server}). + +Running the kerberos server requires very little CPU power and a small +amount of disk. An old PC with some hundreds of megabytes of free disk +space should do fine. Most of the disk space will be used for various +logs. + +@node Install the configuration files, Install the /etc/services, Choose a kerberos server, How to set up the kerberos server +@subsection Install the configuration files + +There are two important configuration files: @file{/etc/krb.conf} and +@file{/etc/krb.realms}. +@pindex krb.conf +@pindex krb.realms + +The @file{krb.conf} file determines which machines are servers for +different realms. The format of this file is: + +@example +THIS.REALM +THIS.REALM kerberos.this.realm admin server +THIS.REALM kerberos-1.this.realm +ANOTHER.REALM kerberos.another.realm +@end example + +The first line defines the name of the local realm. Line two defines the +name of the master kerberos server and the database administration +server for this realm. You can define any number of kerberos slave +servers similar to the one defined in line three. The clients will try +to contact the servers in the order they are defined in @file{krb.conf}. 
+ +The @samp{admin server} clause at the first entry states that this is +the master server +@cindex master server +(the one to contact when modifying the database, such as changing +passwords). There should be only one such entry for each realm. + +In the original MIT Kerberos 4 (as in most others), the server +specification could only take the form of a host-name. To facilitate +having kerberos servers in odd places (such as behind a firewall), +support has been added for ports other than the default (750), and +protocols other than UDP. + +The formal syntax for an entry is now +@samp{@var{[proto}/@var{]host[}:@var{port]}}. @var{proto} is either +@samp{udp} or @samp{tcp}, and @var{port} is the port to talk to. Default +value for @var{proto} is @samp{udp} and for @var{port} whatever +@samp{kerberos-iv} is defined to be in @file{/etc/services} or 750 if +undefined. + +If the information about a realm is missing from the @file{krb.conf} +file, or if the information is wrong, the following methods will be +tried in order. + +@enumerate +@item +If you have an SRV-record (@cite{RFC 2052}) for your realm it will be +used. This record should be of the form +@samp{kerberos-iv.@var{protocol}.@var{REALM}}, where @var{proto} is +either @samp{udp} or @samp{tcp}. (Note: the current implementation does +not look at priority or weight when deciding which server to talk to.) +@item +If there isn't any SRV-record, it tries to find a TXT-record for the +same domain. The contents of the record should have the same format as the +host specification in @file{krb.conf}. (Note: this is a temporary +solution if your name server doesn't support SRV records. The clients +should work fine with SRV records, so if your name server supports them, +they are very much preferred.) 
+@item +If no valid kerberos server is found, it will try to talk udp to the +service @samp{kerberos-iv} with fall-back to port 750 with +@samp{kerberos.@var{REALM}} (which is also assumed to be the master +server), and then @samp{kerberos-1.@var{REALM}}, +@samp{kerberos-2.@var{REALM}}, and so on. +@end enumerate + +We strongly recommend that you add a CNAME @samp{kerberos.@var{REALM}} +pointing to your kerberos master server. + +The @file{krb.realms} file is used to find out what realm a particular +host belongs to. An example of this file could look like: + +@example +this.realm THIS.REALM +.this.realm THIS.REALM +foo.com SOME.OTHER.REALM +www.foo.com A.STRANGE.REALM +.foo.com FOO.REALM +@end example + +Entries starting with a dot are taken as the name of a domain. Entries +not starting with a dot are taken as a host-name. The first entry matched +is used. The entry for @samp{this.realm} is only necessary if there is a +host named @samp{this.realm}. + +If no matching realm is found in @file{krb.realms}, DNS is searched for +the correct realm. For example, if we are looking for host @samp{a.b.c}, +@samp{krb4-realm.a.b.c} is first tried and then @samp{krb4-realm.b.c} +and so on. The entry should be a TXT record containing the name of the +realm, such as: + +@example +krb4-realm.pdc.kth.se. 7200 TXT "NADA.KTH.SE" +@end example + +If this didn't help the domain name sans the first part in uppercase is +tried. + +The plain vanilla version of Kerberos doesn't have any fancy methods of +getting realms and servers so it is generally a good idea to keep +@file{krb.conf} and @file{krb.realms} up to date. + +@node Install the /etc/services, Install the kerberos server, Install the configuration files, How to set up the kerberos server +@subsection Updating /etc/services + +You should append or merge the contents of @file{services.append} to +your @file{/etc/services} files or NIS-map. 
Remove any unused factory +installed kerberos port definitions to avoid possible conflicts. +@pindex services + +Most of the programs will fall back to the default ports if the port +numbers are not found in @file{/etc/services}, but it is convenient to +have them there anyway. + +@node Install the kerberos server, Set up the server, Install the /etc/services, How to set up the kerberos server +@subsection Install the kerberos server + +You should have already chosen the machine where you want to run the +kerberos server and the realm name. The machine should also be as +secure as possible (@xref{Choose a kerberos server}) before installing +the kerberos server. In this example, we will install a kerberos server +for the realm @samp{FOO.SE} on a machine called @samp{hemlig.foo.se}. + +@node Set up the server, Add a few important principals, Install the kerberos server, How to set up the kerberos server +@subsection Setup the server + +Login as root on the console of the kerberos server. Add +@file{/usr/athena/bin} and @file{/usr/athena/sbin} to your path. Run +@kbd{kdb_init}: +@pindex kdb_init + +@example +@cartouche +hemlig# kdb_init +Realm name [default FOO.SE ]: +You will be prompted for the database Master Password. +It is important that you NOT FORGET this password. + +Enter Kerberos master password: +Verifying password +Enter Kerberos master password: +@end cartouche +@end example + +If you have set up the configuration files correctly, @kbd{kdb_init} +should choose the correct realm as the default, otherwise a (good) guess +is made. Enter the master password. + +This password will only be used for encrypting the kerberos database on +disk and for generating new random keys. You will not have to remember +it, only to type it again when you run @kbd{kstash}. Choose something +long and random. 
Now run @kbd{kstash} using the same password: +@pindex kstash + +@example +@cartouche +hemlig# kstash + +Enter Kerberos master password: + +Current Kerberos master key version is 1. + +Master key entered. BEWARE! +Wrote master key to /.k +@end cartouche +@end example + +After entering the same master password it will be saved in the file +@file{/.k} and the kerberos server will read it when needed. Write down +the master password and put it in a sealed envelope in a safe, you might +need it if your disk crashes or should you want to set up a slave +server. + +@code{kdb_init} initializes the database with a few entries: + +@table @samp +@item krbtgt.@var{REALM} +The key used for authenticating to the kerberos server. + +@item changepw.kerberos +The key used for authenticating to the administrative server, i.e. when +adding users, changing passwords, and so on. + +@item default +This entry is copied to new items when these are added. Enter here the +values you want new entries to have, particularly the expiry date. + +@item K.M +This is the master key and it is only used to verify that the master key +that is saved un-encrypted in @file{/.k} is correct and corresponds to +this database. + +@end table + +@code{kstash} only reads the master password and writes it to +@file{/.k}. This enables the kerberos server to start without you +having to enter the master password. This file (@file{/.k}) is only +readable by root and resides on a ``secure'' machine. + +@node Add a few important principals, Start the server, Set up the server, How to set up the kerberos server +@subsection Add a few important principals + +Now the kerberos database has been created, containing only a few +principals. The next step is to add a few more so that you can test +that it works properly and so that you can administer your realm without +having to use the console on the kerberos server. Use @kbd{kdb_edit} +to edit the kerberos database directly on the server. 
+@pindex kdb_edit + +@code{kdb_edit} is intended as a bootstrapping and fall-back mechanism +for editing the database. For normal purposes, use the @code{kadmin} +program (@xref{Add users to the database}). + +The following example shows the adding of the principal +@samp{nisse.admin} into the kerberos database. This principal is used +by @samp{nisse} when administrating the kerberos database. Later on the +normal principal for @samp{nisse} will be created. Replace @samp{nisse} +and @samp{password} with your own username and password. + +@example +@cartouche +hemlig# kdb_edit -n +Opening database... +Current Kerberos master key version is 1. + +Master key entered. BEWARE! +Previous or default values are in [brackets] , +enter return to leave the same, or new value. + +Principal name: <nisse> +Instance: <admin> + +<Not found>, Create [y] ? <> + +Principal: nisse, Instance: admin, kdc_key_ver: 1 +New Password: <password> +Verifying password +New Password: <password> + +Principal's new key version = 1 +Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? <> +Max ticket lifetime (*5 minutes) [ 255 ] ? <> +Attributes [ 0 ] ? <> +Edit O.K. +Principal name: <> +@end cartouche +@end example + +@code{kdb_edit} will loop until you hit the @kbd{return} key at the +``Principal name'' prompt. Now you have added nisse as an administrator. + +@node Start the server, Try to get tickets, Add a few important principals, How to set up the kerberos server +@subsection Start the server + +@pindex kerberos +@example +@cartouche +hemlig# /usr/athena/libexec/kerberos & +Kerberos server starting +Sleep forever on error +Log file is /var/log/kerberos.log +Current Kerberos master key version is 1. + +Master key entered. BEWARE! 
+ +Current Kerberos master key version is 1 +Local realm: FOO.SE +@end cartouche +@end example + +@node Try to get tickets, Create initial ACL for the admin server, Start the server, How to set up the kerberos server +@subsection Try to get tickets + +You can now verify that these principals have been added and that the +server is working correctly. + +@pindex kinit +@example +@cartouche +hemlig# kinit +eBones International (hemlig.foo.se) +Kerberos Initialization +Kerberos name: <nisse.admin> +Password: <password> +@end cartouche +@end example + +If you do not get any error message from @code{kinit}, then everything +is working (otherwise, see @ref{Common error messages}). Use +@code{klist} to verify the tickets you acquired with @code{kinit}: + +@pindex klist +@example +@cartouche +hemlig# klist +Ticket file: /tmp/tkt0 +Principal: nisse.admin@@FOO.SE + +Issued Expires Principal +May 24 21:06:03 May 25 07:06:03 krbtgt.FOO.SE@@FOO.SE +@end cartouche +@end example + +@node Create initial ACL for the admin server, Start the admin server, Try to get tickets, How to set up the kerberos server +@subsection Create initial ACL for the admin server + +The admin server, @code{kadmind}, uses a series of files to determine who has +@pindex kadmind +the right to perform certain operations. The files are: +@file{admin_acl.add}, @file{admin_acl.get}, @file{admin_acl.del}, and +@file{admin_acl.mod}. Create these with @samp{nisse.admin@@FOO.SE} as +the contents. +@pindex admin_acl.add +@pindex admin_acl.get +@pindex admin_acl.del +@pindex admin_acl.mod + +@example +@cartouche +hemlig# echo "nisse.admin@@FOO.SE" > /var/kerberos/admin_acl.add +hemlig# echo "nisse.admin@@FOO.SE" > /var/kerberos/admin_acl.get +hemlig# echo "nisse.admin@@FOO.SE" > /var/kerberos/admin_acl.mod +hemlig# echo "nisse.admin@@FOO.SE" > /var/kerberos/admin_acl.del +@end cartouche +@end example + +Later on you may wish to add more users with administration +privileges. 
Make sure that you create both the administration principals +and add them to the admin server ACL. + +@node Start the admin server, Add users to the database, Create initial ACL for the admin server, How to set up the kerberos server +@subsection Start the admin server + +@pindex kadmind +@example +@cartouche +hemlig# /usr/athena/libexec/kadmind & +KADM Server KADM0.0A initializing +Please do not use 'kill -9' to kill this job, use a +regular kill instead + +Current Kerberos master key version is 1. + +Master key entered. BEWARE! +@end cartouche +@end example + +@node Add users to the database, Automate the startup of the servers, Start the admin server, How to set up the kerberos server +@subsection Add users to the database + +Use the @code{kadmin} client to add users to the database: +@pindex kadmin + +@example +@cartouche +hemlig# kadmin -u nisse.admin -m +Welcome to the Kerberos Administration Program, version 2 +Type "help" if you need it. +admin: <add nisse> +Admin password: <nisse.admin's password> +Maximum ticket lifetime? (255) [Forever] +Attributes? [0x00] +Expiration date (enter yyyy-mm-dd) ? [Sat Jan 1 05:59:00 2000] +Password for nisse: +Verifying password Password for nisse: +nisse added to database. +@end cartouche +@end example + +Add whatever other users you want to have in the same way. Verify that +a user is in the database and check the database entry for that user: + +@example +@cartouche +admin: <get nisse> +Info in Database for nisse.: +Max Life: 255 (Forever) Exp Date: Sat Jan 1 05:59:59 2000 + +Attribs: 00 key: 0 0 +admin: <^D> +Cleaning up and exiting. +@end cartouche +@end example + +@node Automate the startup of the servers, , Add users to the database, How to set up the kerberos server +@subsection Automate the startup of the servers + +Add the lines that were used to start the kerberos server and the +admin server to your startup scripts (@file{/etc/rc} or similar). 
+@pindex rc + +@node Install the client programs, Install the kerberised services, How to set up the kerberos server, How to set up a realm +@section Install the client programs + +Making a machine a kerberos client only requires a few steps. First you +might need to change the configuration files as with the kerberos +server. (@xref{Install the configuration files} and @ref{Install the +/etc/services}.) Also you need to make the programs in +@file{/usr/athena/bin} available. This can be done by adding the +@file{/usr/athena/bin} directory to the users' paths, by making symbolic +links, or even by copying the programs. + +You should also verify that the local time on the client is synchronised +with the time on the kerberos server by some means. The maximum allowed +time difference between the participating servers and a client is 5 +minutes. +@cindex NTP. +One good way to synchronize the time is NTP (Network Time Protocol), see +@code{http://www.eecis.udel.edu/~ntp/}. + +If you need to run the client programs on a machine where you do not +have root-access, you can hopefully just use the binaries and no +configuration will be needed. The heuristics used are mentioned above +(see @ref{Install the configuration files}). If this is not the case +and you need to have @file{krb.conf} and/or @file{krb.realms}, you can +copy them into a directory of your choice and +@pindex krb.conf +@pindex krb.realms +set the environment variable @var{KRBCONFDIR} to point at this +@cindex KRBCONFDIR +directory. 
+ +To test the client functionality, run the @code{kinit} program: + +@example +@cartouche +foo$ kinit +eBones International (foo.foo.se) +Kerberos Initialization +Kerberos name: <nisse> +Password: <password> + +foo$ klist +Ticket file: /tmp/tkt4711 +Principal: nisse@@FOO.SE + +Issued Expires Principal +May 24 21:06:03 May 25 07:06:03 krbtgt.FOO.SE@@FOO.SE +@end cartouche +@end example + +@node Install the kerberised services, Install a slave kerberos server, Install the client programs, How to set up a realm +@section Install the kerberised services + +These includes @code{rsh}, @code{rlogin}, @code{telnet}, @code{ftp}, +@code{rxtelnet}, and so on. +@pindex rsh +@pindex rlogin +@pindex telnet +@pindex ftp +@pindex rxtelnet + +First follow the steps mentioned in the prior section to make it a +client and verify its operation. Change @file{inetd.conf} next to use +the new daemons. Look at the file +@pindex inetd.conf +@file{etc/inetd.conf.changes} to see the changes that we recommend you +perform on @file{inetd.conf}. + +You should at this point decide what services you want to run on +each machine. + +@subsection rsh, rlogin, and rcp +@pindex rsh +@pindex rlogin +@pindex rcp + +These exist in kerberised versions and ``old-style'' versions. The +different versions use different port numbers, so you can choose none, +one, or both. If you do not want to use ``old-style'' r* services, you +can let the programs output the text ``Remote host requires Kerberos +authentication'' instead of just refusing connections to that port. +This is enabled with the @samp{-v} option. The kerberised services +exist in encrypted and non-encrypted versions. The encrypted services +have an ``e'' prepended to the name and the programs take @samp{-x} as an +option indicating encryption. + +Our recommendation is to only use the kerberised services and give +explanation messages for the old ports. 
+ +@subsection telnet +@pindex telnet + +The telnet service always uses the same port and negotiates as to which +authentication method should be used. The @code{telnetd} program has +@pindex telnetd +an option ``-a user'' that only allows kerberised and authenticated +connections. If this is not included, it falls back to using clear text +passwords. For obvious reasons, we recommend that you enable this +option. If you want to use one-time passwords (@xref{One-Time +Passwords}) you can use the ``-a otp'' option which will allow OTPs or +kerberised connections. + +@subsection ftp +@pindex ftp + +The ftp service works as telnet does, with just one port being used. By +default only kerberos authenticated connections are allowed. You can +specify additional levels that are thus allowed with these options: + +@table @asis +@item @kbd{-a otp} +Allow one-time passwords (@xref{One-Time Passwords}). +@item @kbd{-a ftp} +Allow anonymous login (as user ``ftp'' or ``anonymous''). +@item @kbd{-a safe} +The same as @kbd{-a ftp}, for backwards compatibility. +@item @kbd{-a plain} +Allow clear-text passwords. +@item @kbd{-a none} +The same as @kbd{-a ftp -a plain}. +@item @kbd{-a user} +A no-op, also there for backwards compatibility reasons. +@end table + +When running anonymous ftp you should read the man page on @code{ftpd} +which explains how to set it up. + +@subsection pop +@pindex popper + +The Post Office Protocol (POP) is used to retrieve mail from the mail +hub. The @code{popper} program implements the standard POP3 protocol +and the kerberised KPOP. Use the @samp{-k} option to run the kerberos +version of the protocol. This service should only be run on your mail +hub. + +@subsection kx +@pindex kx + +@code{kx} allows you to run X over a kerberos-authenticated and +encrypted connection. This program is used by @code{rxtelnet}, +@code{tenletxr}, and @code{rxterm}. 
+ +If you have some strange kind of operating system with X libraries that +do not allow you to use unix-sockets, you need to specify the @samp{-t} +@pindex kxd +option to @code{kxd}. Otherwise it should be sufficient by adding the +daemon in @file{inetd.conf}. + +@subsection kauth +@pindex kauth + +This service allows you to create tickets on a remote host. To +enable it just insert the corresponding line in @file{inetd.conf}. + +@section srvtabs +@pindex srvtab + +In the same way every user needs to have a password registered with +the kerberos server, every service needs to have a shared key with the +kerberos server. The service keys are stored in a file, usually called +@file{/etc/srvtab}. This file should not be readable to anyone but +root, in order to keep the key from being divulged. The name of this principal +in the kerberos database is usually the service and the host. The key +for the pop service is called @samp{pop.@var{hostname}}. The one for +rsh/rlogin/telnet is named @samp{rcmd.@var{hostname}}. (rcmd comes from +``remote command''). To create these keys you will use the the +@code{ksrvutil} program. Perform the +@pindex ksrvutil +following: + +@example +@cartouche +bar# ksrvutil -p nisse.admin get +Name [rcmd]: <> +Instance [bar]: <> +Realm [FOO.SE]: <> +Is this correct? (y,n) [y] <> +Add more keys? (y,n) [n] <> +Password for nisse.admin@@FOO.SE: <nisse.admin's password> +Written rcmd.bar +rcmd.bar@@FOO.SE +Old keyfile in /etc/srvtab.old. +@end cartouche +@end example + +@subsection Complete test of the kerberised services + +Obtain a ticket on one machine (@samp{foo}) and use it to login with a +kerberised service to a second machine (@samp{bar}). 
The test should +look like this if successful: + +@example +@cartouche +foo$ kinit nisse +eBones International (foo.foo.se) +Kerberos Initialization for "nisse" +Password: <nisse's password> +foo$ klist +Ticket file: /tmp/tkt4711 +Principal: nisse@@FOO.SE + +Issued Expires Principal +May 30 13:48:03 May 30 23:48:03 krbtgt.FOO.SE@@FOO.SE +foo$ telnet bar +Trying 17.17.17.17... +Connected to bar.foo.se +Escape character is '^]'. +[ Trying mutual KERBEROS4 ... ] +[ Kerberos V4 accepts you ] +[ Kerberos V4 challenge successful ] +bar$ +@end cartouche +@end example + +You can also try with @code{rsh}, @code{rcp}, @code{rlogin}, +@code{rlogin -x}, and some other commands to see that everything is +working all right. + +@node Install a slave kerberos server, Cross-realm functionality , Install the kerberised services, How to set up a realm +@section Install a slave kerberos server + +It is desirable to have at least one backup (slave) server in case the +master server fails. It is possible to have any number of such slave +servers but more than three usually doesn't buy much more redundancy. + +First select a good server machine. @xref{Choose a kerberos +server}. Since the master and slave servers will use copies of the same +database, they need to use the same master key. + +On the master, add a @samp{rcmd.kerberos} principal (using +@samp{ksrvutil get}). The +@pindex kprop +@code{kprop} program, running on the master, will use this when +authenticating to the +@pindex kpropd +@code{kpropd} daemons running on the slave servers. + +On your master server, create a file, e.g. @file{/var/kerberos/slaves}, +that contains the hostnames of your kerberos slave servers. + +Start @code{kpropd} with @samp{kpropd -i} on your slave servers. + +On your master server, create a dump of the database with @samp{kdb_util +slave_dump /var/kerberos/slave_dump}, and then run @code{kprop}. + +You should now have copies of the database on your slave servers. 
You +can verify this by issuing @samp{kdb_util dump @var{file}} on your +slave servers, and comparing with the original file on the master +server. Note that the entries will not be in the same order. + +This procedure should be automated with a script run regularly by cron, +for instance once an hour. + +To start the kerberos server on slaves, you first have to copy the +master key from the master server. You can do this either by remembering +the master password and issuing @samp{kstash}, or you can just copy the +keyfile. Remember that if you copy the file, do so on a safe media, not +over the network. Good means include floppy or paper. Paper is better, +since it is easier to swallow afterwards. + +The kerberos server should be started with @samp{-s} on the slave +servers. This enables sanity checks, for example checking the time since +the last update from the master. + +All changes to the database are made by @code{kadmind} at the master, +and then propagated to the slaves, so you should @strong{not} run +@code{kadmind} on the slaves. + +Finally add the slave servers to +@file{/etc/krb.conf}. The clients will ask the servers in the order +specified by that file. + +Consider adding CNAMEs to your slave servers, see @ref{Install the +configuration files}. + +@node Cross-realm functionality , , Install a slave kerberos server, How to set up a realm +@section Cross-realm functionality + +Suppose you are residing in the realm @samp{MY.REALM}, how do you +authenticate to a server in @samp{OTHER.REALM}? Having valid tickets in +@samp{MY.REALM} allows you to communicate with kerberised services in that +realm. However, the computer in the other realm does not have a secret +key shared with the kerberos server in your realm. + +It is possible to add a shared key between two realms that trust each +other. 
When a client program, such as @code{telnet}, finds that the +other computer is in a different realm, it will try to get a ticket +granting ticket for that other realm, but from the local kerberos +server. With that ticket granting ticket, it will then obtain service +tickets from the kerberos server in the other realm. + +To add this functionality you have to add a principal to each realm. The +principals should be @samp{krbtgt.OTHER.REALM} in @samp{MY.REALM}, and +@samp{krbtgt.MY.REALM} in @samp{OTHER.REALM}. The two different +principals should have the same key (and key version number). Remember +to transfer this key in a safe manner. This is all that is required. + +@example +@cartouche +blubb$ klist +Ticket file: /tmp/tkt3008 +Principal: joda@@NADA.KTH.SE + + Issued Expires Principal +Jun 7 02:26:23 Jun 7 12:26:23 krbtgt.NADA.KTH.SE@@NADA.KTH.SE +blubb$ telnet agat.e.kth.se +Trying 130.237.48.12... +Connected to agat.e.kth.se. +Escape character is '^]'. +[ Trying mutual KERBEROS4 ... ] +[ Kerberos V4 accepts you ] +[ Kerberos V4 challenge successful ] +Last login: Sun Jun 2 20:51:50 from emma.pdc.kth.se + +agat$ exit +Connection closed by foreign host. +blubb$ klist +Ticket file: /tmp/tkt3008 +Principal: joda@@NADA.KTH.SE + + Issued Expires Principal +Jun 7 02:26:23 Jun 7 12:26:23 krbtgt.NADA.KTH.SE@@NADA.KTH.SE +Jun 7 02:26:50 Jun 7 12:26:50 krbtgt.E.KTH.SE@@NADA.KTH.SE +Jun 7 02:26:51 Jun 7 12:26:51 rcmd.agat@@E.KTH.SE +@end cartouche +@end example diff --git a/crypto/kerberosIV/doc/whatis.texi b/crypto/kerberosIV/doc/whatis.texi new file mode 100644 index 0000000..16989bb --- /dev/null +++ b/crypto/kerberosIV/doc/whatis.texi 
@@ -0,0 +1,137 @@ +@node What is Kerberos?, Installing programs, Introduction, Top +@chapter What is Kerberos? + +@quotation +@flushleft + Now this Cerberus had three heads of dogs, + the tail of a dragon, and on his back the + heads of all sorts of snakes. + --- Pseudo-Apollodorus Library 2.5.12 +@end flushleft +@end quotation + +Kerberos is a system for authenticating users and services on a network. +It is built upon the assumption that the network is ``unsafe''. For +example, data sent over the network can be eavesdropped and altered, and +addresses can also be faked. Therefore they cannot be used for +authentication purposes. +@cindex authentication + +Kerberos is a trusted third-party service. That means that there is a +third party (the kerberos server) that is trusted by all the entities on +the network (users and services, usually called @dfn{principals}). All +principals share a secret password (or key) with the kerberos server and +this enables principals to verify that the messages from the kerberos +server are authentic. Thus trusting the kerberos server, users and +services can authenticate each other. + +@section Basic mechanism + +@ifinfo +@macro sub{arg} +<\arg\> +@end macro +@end ifinfo + +@tex +@def@xsub#1{$_{#1}$} +@global@let@sub=@xsub +@end tex + +In Kerberos, principals use @dfn{tickets} to prove that they are who +they claim to be. In the following example, @var{A} is the initiator of +the authentication exchange, usually a user, and @var{B} is the service +that @var{A} wishes to use. + +To obtain a ticket for a specific service, @var{A} sends a ticket +request to the kerberos server. The request basically contains @var{A}'s +and @var{B}'s names. The kerberos server checks that both @var{A} and +@var{B} are valid principals. 
+ +Having verified the validity of the principals, it creates a packet +containing @var{A}'s and @var{B}'s names, @var{A}'s network address +(@var{A@sub{addr}}), the current time (@var{t@sub{issue}}), the lifetime +of the ticket (@var{life}), and a secret @dfn{session key} +@cindex session key +(@var{K@sub{AB}}). This packet is encrypted with @var{B}'s secret key +(@var{K@sub{B}}). The actual ticket (@var{T@sub{AB}}) looks like this: +(@{@var{A}, @var{B}, @var{A@sub{addr}}, @var{t@sub{issue}}, @var{life}, +@var{K@sub{AB}}@}@var{K@sub{B}}). + +The reply to @var{A} consists of the ticket (@var{T@sub{AB}}), @var{B}'s +name, the current time, the lifetime of the ticket, and the session key, all +encrypted in @var{A}'s secret key (@{@var{B}, @var{t@sub{issue}}, +@var{life}, @var{K@sub{AB}}, @var{T@sub{AB}}@}@var{K@sub{A}}). @var{A} +decrypts the reply and retains it for later use. + +@sp 1 + +Before sending a message to @var{B}, @var{A} creates an authenticator +consisting of @var{A}'s name, @var{A}'s address, the current time, and a +``checksum'' chosen by @var{A}, all encrypted with the secret session +key (@{@var{A}, @var{A@sub{addr}}, @var{t@sub{current}}, +@var{checksum}@}@var{K@sub{AB}}). This is sent together with the ticket +received from the kerberos server to @var{B}. Upon reception, @var{B} +decrypts the ticket using @var{B}'s secret key. Since the ticket +contains the session key that the authenticator was encrypted with, +@var{B} can now also decrypt the authenticator. To verify that @var{A} +really is @var{A}, @var{B} now has to compare the contents of the ticket +with that of the authenticator. If everything matches, @var{B} now +considers @var{A} as properly authenticated. + +@c (here we should have some more explanations) + +@section Different attacks + +@subheading Impersonating A + +An impostor, @var{C} could steal the authenticator and the ticket as it +is transmitted across the network, and use them to impersonate +@var{A}. 
The address in the ticket and the authenticator was added to +make it more difficult to perform this attack. To succeed @var{C} will +have to either use the same machine as @var{A} or fake the source +addresses of the packets. By including the time stamp in the +authenticator, @var{C} does not have much time in which to mount the +attack. + +@subheading Impersonating B + +@var{C} can hijack @var{B}'s network address, and when @var{A} sends +her credentials, @var{C} just pretend to verify them. @var{C} can't +be sure that she is talking to @var{A}. + +@section Defense strategies + +It would be possible to add a @dfn{replay cache} +@cindex replay cache +to the server side. The idea is to save the authenticators sent during +the last few minutes, so that @var{B} can detect when someone is trying +to retransmit an already used message. This is somewhat impractical +(mostly regarding efficiency), and is not part of Kerberos 4; MIT +Kerberos 5 contains it. + +To authenticate @var{B}, @var{A} might request that @var{B} sends +something back that proves that @var{B} has access to the session +key. An example of this is the checksum that @var{A} sent as part of the +authenticator. One typical procedure is to add one to the checksum, +encrypt it with the session key and send it back to @var{A}. This is +called @dfn{mutual authentication}. + +The session key can also be used to add cryptographic checksums to the +messages sent between @var{A} and @var{B} (known as @dfn{message +integrity}). Encryption can also be added (@dfn{message +confidentiality}). This is probably the best approach in all cases. +@cindex integrity +@cindex confidentiality + +@section Further reading + +The original paper on Kerberos from 1988 is @cite{Kerberos: An +Authentication Service for Open Network Systems}, by Jennifer Steiner, +Clifford Neuman and Jeffrey I. Schiller. 
+ +A less technical description can be found in @cite{Designing an +Authentication System: a Dialogue in Four Scenes} by Bill Bryant, also +from 1988. + +These and several other documents can be found on our web-page.
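Review bot: In the slave-server section of setup.texi the reader is told to create a file such as @file{/var/kerberos/slaves} listing the slave hostnames, but the text never says how @code{kprop} is told where that file is (command-line argument or a default path), so the step "and then run @code{kprop}" cannot be followed as written; give the full invocation, e.g. alongside the @samp{kdb_util slave_dump /var/kerberos/slave_dump} line. Same section: the srvtabs text states that @file{/etc/srvtab} must be readable only by root, but nothing similar is said about the database dump written to @file{/var/kerberos/slave_dump} on the master or the copies that land on the slaves; state the expected ownership and permissions there too. Minor: "use the the @code{ksrvutil} program" doubles "the", and "These includes @code{rsh}" should read "These include".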
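Review bot: In whatis.texi, under "Impersonating B", the closing sentence "@var{C} can't be sure that she is talking to @var{A}" names the wrong party; the consequence of @var{C} hijacking @var{B}'s address is that @var{A} cannot tell whether she is talking to @var{B}, which is exactly what the later "To authenticate @var{B}" paragraph then addresses. Suggest "@var{A} can't be sure that she is talking to @var{B}." In the same paragraph "@var{C} just pretend to verify them" should read "just pretends". Also the placeholder "@c (here we should have some more explanations)" is still in the text before "Different attacks"; either expand it or drop the comment before this ships.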