Diffstat (limited to 'crypto/kerberosIV/doc')
-rw-r--r--crypto/kerberosIV/doc/Makefile.in25
-rw-r--r--crypto/kerberosIV/doc/ack.texi26
-rw-r--r--crypto/kerberosIV/doc/dir17
-rw-r--r--crypto/kerberosIV/doc/install.texi64
-rw-r--r--crypto/kerberosIV/doc/intro.texi42
-rw-r--r--crypto/kerberosIV/doc/kth-krb.texi17
-rw-r--r--crypto/kerberosIV/doc/problems.texi147
-rw-r--r--crypto/kerberosIV/doc/setup.texi110
-rw-r--r--crypto/kerberosIV/doc/whatis.texi2
9 files changed, 350 insertions, 100 deletions
diff --git a/crypto/kerberosIV/doc/Makefile.in b/crypto/kerberosIV/doc/Makefile.in
index 5071e8e..8241c5d 100644
--- a/crypto/kerberosIV/doc/Makefile.in
+++ b/crypto/kerberosIV/doc/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.10 1997/05/06 03:05:55 joda Exp $
+# $Id: Makefile.in,v 1.18 1998/04/19 08:37:12 assar Exp $
SHELL = /bin/sh
@@ -6,7 +6,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
INSTALL = @INSTALL@
-INSTALL_DATA = $(INSTALL)
+INSTALL_DATA = @INSTALL_DATA@
MKINSTALLDIRS = @top_srcdir@/mkinstalldirs
MAKEINFO = @MAKEINFO@
TEXI2DVI = texi2dvi
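Review bot: The reason for replacing `$(INSTALL)` with `@INSTALL_DATA@` is not recorded anywhere in this hunk; as far as the Makefile shows, the old definition installed the info file with whatever mode the bare install program defaults to, and the new substitution presumably carries a non-executable data mode (typically `-m 644`) — worth confirming against what configure emits. A one-line comment on the assignment would keep a future editor from "simplifying" it back: `# INSTALL_DATA installs with a non-executable mode; do not replace with plain $(INSTALL)`. The recursive `=` assignment matches the surrounding variables, so no flavour change is needed.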
@@ -19,26 +19,29 @@ all: info
install: all installdirs
if test -f kth-krb.info; then \
- $(INSTALL_DATA) kth-krb.info $(infodir)/kth-krb.info; \
+ $(INSTALL_DATA) kth-krb.info $(DESTDIR)$(infodir)/kth-krb.info; \
else \
- $(INSTALL_DATA) $(srcdir)/kth-krb.info $(infodir)/kth-krb.info; \
+ $(INSTALL_DATA) $(srcdir)/kth-krb.info $(DESTDIR)$(infodir)/kth-krb.info; \
fi
- if $(SHELL) -c 'install-info --version' >/dev/null 2>&1; then \
- install-info --dir-file=$(infodir)/dir $(infodir)/kth-krb.info; \
+ if test -f $(DESTDIR)$(infodir)/dir ; then :; else \
+ $(INSTALL_DATA) $(srcdir)/dir $(DESTDIR)$(infodir)/dir; \
+ fi
+ -if $(SHELL) -c 'install-info --version' >/dev/null 2>&1; then \
+ install-info --dir-file=$(DESTDIR)$(infodir)/dir $(DESTDIR)$(infodir)/kth-krb.info; \
else \
true; \
fi
uninstall:
- rm -f $(infodir)/kth-krb.info
+ rm -f $(DESTDIR)$(infodir)/kth-krb.info
installdirs:
- $(MKINSTALLDIRS) $(infodir)
+ $(MKINSTALLDIRS) $(DESTDIR)$(infodir)
info: kth-krb.info
kth-krb.info: kth-krb.texi
- $(MAKEINFO) -I$(srcdir) -o $@ $(srcdir)/kth-krb.texi
+ $(MAKEINFO) --no-split -I$(srcdir) -o $@ $(srcdir)/kth-krb.texi
dvi: kth-krb.dvi
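Review bot: The uninstall target in this hunk only removes `$(DESTDIR)$(infodir)/kth-krb.info`, while the install target now registers that file in `$(DESTDIR)$(infodir)/dir` via install-info, so uninstalling leaves a dangling menu entry in the Info directory. Mirror the registration before the rm: `-if $(SHELL) -c 'install-info --version' >/dev/null 2>&1; then \` / `install-info --delete --dir-file=$(DESTDIR)$(infodir)/dir $(DESTDIR)$(infodir)/kth-krb.info; \` / `fi`. The new leading `-` on the install-info line makes any install-info failure non-fatal without saying why; a comment such as `# install-info failing (read-only dir, old texinfo) must not abort install` would make that deliberate. With the `-` prefix in place the `else true` branch is redundant, though harmless.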
@@ -58,8 +61,8 @@ distclean: clean
mostlyclean: clean
maintainer-clean: clean
- rm -f kth-krb.info
+ rm -f *.info*
check:
-.PHONY: install all installdirs uninstall info dvi html clean check distclean mostlyclean maintainer-clean
+.PHONY: all install uninstall installdirs info dvi html clean distclean mostlyclean maintainer-clean check
diff --git a/crypto/kerberosIV/doc/ack.texi b/crypto/kerberosIV/doc/ack.texi
index 388f644..e5830d0 100644
--- a/crypto/kerberosIV/doc/ack.texi
+++ b/crypto/kerberosIV/doc/ack.texi
@@ -56,11 +56,35 @@ Bugfixes and code has been contributed by:
@item Robert Malmgren
@code{<rom@@incolumitas.se>}
@item Fredrik Ljungberg
-@code{<flag@@it.kth.se>}
+@code{<flag@@astrogator.se>}
+@item Joakim Fallsjö
+@code{jfa@@pobox.se}
@item Lars Malinowsky
@code{<lama@@pdc.kth.se>}
@item Fabien Coelho
@code{<coelho@@cri.ensmp.fr>}
+@item Chris Chiappa
+@code{<griffon+@@cmu.edu>}
+@item Gregory S. Stark
+@code{<gsstark@@mit.edu>}
+@item Love Hörnquist-Åstrand
+@code{<lha@@stacken.kth.se>}
+@item Daniel Staaf
+@code{<d96-dst@@nada.kth.se>}
+@item Magnus Ahltorp
+@code{<map@@stacken.kth.se>}
+@item Robert Burgess
+@code{<rb@@stacken.kth.se>}
+@item Lars Arvestad
+@code{<arve@@nada.kth.se>}
+@item Jörgen Wahlsten
+@code{<wahlsten@@pathfinder.com>}
+@item Daniel Staaf
+@code{<d96-dst@@nada.kth.se>}
+@item R Lindsay Todd
+@code{<toddr@@rpi.edu>}
+@item Åke Sandgren
+@code{<ake@@cs.umu.se>}
@item and we hope that those not mentioned here will forgive us.
@end table
diff --git a/crypto/kerberosIV/doc/dir b/crypto/kerberosIV/doc/dir
new file mode 100644
index 0000000..911f622
--- /dev/null
+++ b/crypto/kerberosIV/doc/dir
@@ -0,0 +1,17 @@
+$Id: dir,v 1.1 1997/06/12 16:15:21 joda Exp $
+This is the file .../info/dir, which contains the topmost node of the
+Info hierarchy. The first time you invoke Info you start off
+looking at that node, which is (dir)Top.
+
+File: dir Node: Top This is the top of the INFO tree
+
+ This (the Directory node) gives a menu of major topics.
+ Typing "q" exits, "?" lists all Info commands, "d" returns here,
+ "h" gives a primer for first-timers,
+ "mEmacs<Return>" visits the Emacs topic, etc.
+
+ In Emacs, you can click mouse button 2 on a menu item or cross reference
+ to select it.
+
+* Menu:
+
diff --git a/crypto/kerberosIV/doc/install.texi b/crypto/kerberosIV/doc/install.texi
index 240c04e..b893ae1 100644
--- a/crypto/kerberosIV/doc/install.texi
+++ b/crypto/kerberosIV/doc/install.texi
@@ -44,10 +44,15 @@ If you need to change the default behavior, configure understands the
following options:
@table @asis
-@item @kbd{--with-shared}
+@item @kbd{--enable-shared}
Create shared versions of the Kerberos libraries. Not really
recommended and might not work on all systems.
+@item @kbd{--with-ld-flags=}@var{flags}
+This allows you to specify which extra flags to pass to @code{ld}. Since
+this @emph{overrides} any choices made by configure, you should only use
+this if you know what you are doing.
+
@item @kbd{--with-cracklib=}@var{dir}
Use cracklib for password quality control in
@pindex kadmind
@@ -65,7 +70,7 @@ This is the dictionary that cracklib should use.
If you have to traverse a firewall and it uses the SocksV5 protocol
(@cite{RFC 1928}), you can build with socks-support. Point @var{dir} to
the directory where you have socks5 installed. For more information
-about socks see @kbd{http://www.socks.nec.com/}.
+about socks see @url{http://www.socks.nec.com/}.
@item @kbd{--with-readline=}@var{dir}
@cindex readline
@@ -102,6 +107,21 @@ dbm. If you already are running Kerberos this option might be useful,
since there currently isn't an easy way to convert a dbm database to a
db one (you have to dump the old database and then load it with the new
binaries).
+
+@item @kbd{--disable-shared-afs}
+The AFS support in AIX consists of a shared library that is loaded at
+runtime. This option disables this, and links with static system
+calls. Doing this will make the built binaries crash on a machine that
+doesn't have AFS in the kernel (for instance if the AFS module fails to
+load at boot).
+
+@item @kbd{--with-mips-api=api}
+This option enables creation of different types of binaries on Irix.
+The allowed values are @kbd{32}, @kbd{n32}, and @kbd{64}.
+
+@item @kbd{--enable-legacy-kdestroy}
+This compile-time option creates a @code{kdestroy} that does not destroy
+any AFS tokens.
@end table
@node Installing a binary distribution, Finishing the installation, Installing from source, Installing programs
@@ -181,7 +201,7 @@ the kerberised @code{login}. However some systems assume that login
performs some serious amount of magic that our login might not do (although
we've tried to do our best). So before replacing it on every machine,
try and see what happens. Another thing to try is to use one of the
-authentication modules (@xref{Authentication modules}) supplied.
+authentication modules (@pxref{Authentication modules}) supplied.
The @code{login} program that we use was in an earlier life the standard
login program from NetBSD. In order to use it with a lot of weird
@@ -249,7 +269,10 @@ Make sure @file{libsia_krb4.so} is available in
might want to put it in @file{/usr/shlib} or someplace else. If you do,
you'll have to edit @file{krb4_matrix.conf} to reflect the new location
(you will also have to do this if you installed in some other directory
-than @file{/usr/athena}).
+than @file{/usr/athena}). If you built with shared libraries, you will
+have to copy the shared @file{libkrb.so}, @file{libdes.so},
+@file{libkadm.so}, and @file{libkafs.so} to a place where the loader can
+find them (such as @file{/usr/shlib}).
@item
Copy (your possibly edited) @file{krb4_matrix.conf} to @file{/etc/sia}.
@item
@@ -260,7 +283,8 @@ Turn on KRB4 security by issuing @kbd{rcmgr set SECURITY KRB4} and
@item
Digital thinks you should reboot your machine, but that really shouldn't
be necessary. It's usually sufficient just to run
-@kbd{/sbin/init.d/security start}.
+@kbd{/sbin/init.d/security start} (and restart any applications that use
+SIA, like @code{xdm}.)
@end itemize
Users with local passwords (like @samp{root}) should be able to login
@@ -273,9 +297,13 @@ have to set @samp{KRBTKFILE} to the correct value in
@example
KRBTKFILE=/tmp/tkt`id -u`_`ps -o ppid= -p $$`; export KRBTKFILE
@end example
-
-There is currently no support for changing passwords. Use @file{kpasswd}
-instead.
+If you use CDE, @code{dtlogin} allows you to specify which additional
+environment variables it should export. To add @samp{KRBTKFILE} to this
+list, edit @file{/usr/dt/config/Xconfig}, and look for the definition of
+@samp{exportList}. You want to add something like:
+@example
+Dtlogin.exportList: KRBTKFILE
+@end example
@subsubheading Notes to users with Enhanced security
@@ -300,16 +328,19 @@ default entry @kbd{/usr/tcb/bin/edauth -dd default}, and add a
@item
For each user that does @emph{not} have a local C2 password, you should
set the password expiration field to zero. You can do this for each
-user, or in the @samp{default} table. To to this use @samp{edauth} to
+user, or in the @samp{default} table. To do this use @samp{edauth} to
set (or change) the @samp{u_exp} capability to @samp{u_exp#0}.
@item
-You should make sure that you use Digital's login rather than the one
-distributed by us. The easiest way to do this is to replace
-@file{/usr/athena/bin/login} with @file{/bin/login}.
+You also need to be aware that the shipped @file{login}, @file{rcp}, and
+@file{rshd}, doesn't do any particular C2 magic (such as checking to
+various forms of disabled accounts), so if you rely on those features,
+you shouldn't use those programs. If you configure with
+@samp{--enable-osfc2}, these programs will, however, set the login
+UID. Still: use at your own risk.
@end itemize
At present @samp{su} does not accept the vouching flag, so it will not
-work as expected.
+work as expected.
Also, kerberised ftp will not work with C2 passwords. You can solve this
by using both Digital's ftpd and our on different ports.
@@ -337,6 +368,13 @@ The @file{afskauthlib.so} itself is able to reside in
@file{/usr/vice/etc}, @file{/usr/afsws/lib}, or the current directory
(wherever that is).
+IRIX 6.4 and newer seems to have all programs (including @file{xdm} and
+@file{login}) in the N32 object format, whereas in older versions they
+were O32. For it to work, the @file{afskauthlib.so} library has to be in
+the same object format as the program that tries to load it. This might
+require that you have to configure and build for O32 in addition to the
+default N32.
+
Appart from this it should ``just work'', there are no configuration
files.
diff --git a/crypto/kerberosIV/doc/intro.texi b/crypto/kerberosIV/doc/intro.texi
index 830ca1a..7a28533 100644
--- a/crypto/kerberosIV/doc/intro.texi
+++ b/crypto/kerberosIV/doc/intro.texi
@@ -4,40 +4,12 @@
This is an attempt at documenting the Kerberos 4 distribution from
Kungliga Tekniska Högskolan (the Royal Institute of Technology in
-Stockholm, Sweden). This distribution is based on eBones, but has been
+Stockholm, Sweden). This distribution is based on eBones, but has been
improved in many ways. It is more portable, and several new features
-have been added. It currently runs on the following systems:
+have been added. It should run on any reasonably modern unix-like
+system.
-@itemize @bullet
-@item
-AIX 4.1, 4.2
-@item
-BSD/OS 2.0, 2.1
-@item
-Digital UNIX 3.2, 4.0
-@item
-HP-UX 9, 10
-@item
-IRIX 4.0, 5.2, 5.3, 6.1, 6.2, 6.3, 6.4
-@item
-Linux 1.3, 2.0
-@item
-NetBSD 1.2
-@item
-FreeBSD 2.2
-@item
-SunOS 4.1
-@item
-SunOS 5.4/5.5 (aka Solaris 2.4/2.5)
-@item
-Ultrix 4.4
-@item
-Cray UNICOS 9.
-@item
-Fujitsu UXP/V 4.1.
-@end itemize
-
-Some part compile and work on:
+In addition, some part compile and work on:
@itemize @bullet
@item
@@ -50,13 +22,13 @@ libraries should compile with Microsoft C as well)
It should work on anything that is almost POSIX, has an ANSI C
compiler, a dbm library (for the server side), and BSD Sockets.
-A web-page is available at @kbd{http://www.pdc.kth.se/kth-krb/}.
+A web-page is available at @url{http://www.pdc.kth.se/kth-krb/}.
@heading Bug reports
If you cannot build the programs or they do not behave as you think they
should, please send us a bug report. The bug report should be sent to
-@code{<kth-krb-bugs@@nada.kth.se>}. Please include information on what
+@code{<kth-krb-bugs@@pdc.kth.se>}. Please include information on what
machine and operating system (including version) you are running, what
you are trying to do, what happens, what you think should have happened,
an example for us to repeat, the output you get when trying the example,
@@ -65,5 +37,5 @@ with @code{diff -u} or @code{diff -c}. The more detailed the bug report
is, the easier it will be for us to reproduce, understand, and fix it.
Suggestions, comments and other non bug reports are welcome. Send them
-to @code{<kth-krb@@nada.kth.se>}.
+to @code{<kth-krb@@pdc.kth.se>}.
diff --git a/crypto/kerberosIV/doc/kth-krb.texi b/crypto/kerberosIV/doc/kth-krb.texi
index 8b26349..248b626 100644
--- a/crypto/kerberosIV/doc/kth-krb.texi
+++ b/crypto/kerberosIV/doc/kth-krb.texi
@@ -1,6 +1,6 @@
\input texinfo @c -*- texinfo -*-
@c %**start of header
-@c $Id: kth-krb.texi,v 1.71 1997/05/25 21:31:00 assar Exp $
+@c $Id: kth-krb.texi,v 1.77.2.1 1999/08/18 21:11:25 joda Exp $
@setfilename kth-krb.info
@settitle KTH-KRB
@iftex
@@ -14,27 +14,29 @@
@syncodeindex pg cp
@c %**end of header
+@ifinfo
@dircategory Kerberos
@direntry
* Kth-krb: (kth-krb). The Kerberos IV distribution from KTH
@end direntry
+@end ifinfo
@c title page
@titlepage
@title KTH-KRB
@subtitle Kerberos 4 from KTH
-@subtitle Edition -1.0, for version 0.9.5
-@subtitle 1997
+@subtitle For release 0.10.
+@subtitle 1999
@author Johan Danielsson
@author Assar Westerlund
-@author last updated $Date: 1997/05/25 21:31:00 $
+@author last updated $Date: 1999/08/18 21:11:25 $
@def@copynext{@vskip 20pt plus 1fil@penalty-1000}
@def@copyrightstart{}
@def@copyrightend{}
@page
@copyrightstart
-Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
(Royal Institute of Technology, Stockholm, Sweden).
All rights reserved.
@@ -230,6 +232,7 @@ to the following restrictions:
* Acknowledgments::
* Index::
+@detailmenu
--- The Detailed Node Listing ---
Installing programs
@@ -282,7 +285,11 @@ One-Time Passwords
Resolving frequent problems
* Problems compiling Kerberos::
+* Problems with firewalls::
* Common error messages::
+* Is Kerberos year 2000 safe?::
+
+@end detailmenu
@end menu
@include intro.texi
diff --git a/crypto/kerberosIV/doc/problems.texi b/crypto/kerberosIV/doc/problems.texi
index 9e3630e..7713d45 100644
--- a/crypto/kerberosIV/doc/problems.texi
+++ b/crypto/kerberosIV/doc/problems.texi
@@ -3,13 +3,15 @@
@menu
* Problems compiling Kerberos::
+* Problems with firewalls::
* Common error messages::
+* Is Kerberos year 2000 safe?::
@end menu
-@node Problems compiling Kerberos, Common error messages, Resolving frequent problems, Resolving frequent problems
+@node Problems compiling Kerberos, Problems with firewalls, Resolving frequent problems, Resolving frequent problems
@section Problems compiling Kerberos
-Many compilers require a switch to become ANSI compliant. Since kth-krb
+Many compilers require a switch to become ANSI compliant. Since krb4
is written in ANSI C it is necessary to specify the name of the compiler
to be used and the required switch to make it ANSI compliant. This is
most easily done when running configure using the @kbd{env} command. For
@@ -41,8 +43,17 @@ verified to successfully compile the distribution:
@subheading Linux problems
+The libc functions gethostby*() under RedHat4.2 can sometimes cause
+core dumps. If you experience these problems make sure that the file
+@file{/etc/nsswitch.conf} contains a hosts entry no more complex than
+the line
+
+@cartouche
+hosts: files dns
+@end cartouche
+
Some systems have lost @file{/usr/include/ndbm.h} which is necessary to
-build kth-krb correctly. There is a @file{ndbm.h.Linux} right next to
+build krb4 correctly. There is a @file{ndbm.h.Linux} right next to
the source distribution.
There has been reports of non-working @file{libdb} on some Linux
@@ -64,10 +75,37 @@ ported, in the mean time use @kbd{telnetd}.
@subheading AIX problems
-@kbd{gcc} version 2.7.2.1 has a bug which makes it miscompile
+@kbd{gcc} version 2.7.2.* has a bug which makes it miscompile
@file{appl/telnet/telnetd/sys_term.c} (and possibily
@file{appl/bsd/forkpty.c}), if used with too much optimization.
+Some versions of the @kbd{xlc} preprocessor doesn't recognise the
+(undocumented) @samp{-qnolm} option. If this option is passed to the
+preprocessor (like via the configuration file @file{/etc/ibmcxx.cfg},
+configure will fail.
+
+The solution is to remove this option from the configuration file,
+either globally, or for just the preprocessor:
+
+@example
+$ cp /etc/ibmcxx.cfg /tmp
+$ed /tmp/ibmcxx.cfg
+8328
+/nolm
+ options = -D_AIX,-D_AIX32,-D_AIX41,-D_AIX43,-D_IBMR2,-D_POWER,-bpT:0x10000000,-bpD:0x20000000,-qnolm
+s/,-qnolm//p
+ options = -D_AIX,-D_AIX32,-D_AIX41,-D_AIX43,-D_IBMR2,-D_POWER,-bpT:0x10000000,-bpD:0x20000000
+w
+8321
+q
+$ env CC=xlc CPP="xlc -E -F/tmp/ibmcxx.cfg" configure
+@end example
+
+There is a bug in AFS 3.4 version 5.38 for AIX 4.3 that causes the
+kernel to panic in some cases. There is a hack for this in @kbd{login},
+but other programs could be affected also. This seems to be fixed in
+version 5.55.
+
@subheading C2 problems
@cindex C2
@@ -78,7 +116,66 @@ place. If you want to use Kerberos with C2 security you will have to
think about what kind of changes are necessary. See also the discussion
about Digital's SIA and C2 security, see @ref{Digital SIA}.
-@node Common error messages, , Problems compiling Kerberos, Resolving frequent problems
+@node Problems with firewalls, Common error messages, Problems compiling Kerberos, Resolving frequent problems
+@section Problems with firewalls
+
+@cindex firewall
+A firewall is a network device that filters out certain types of packets
+going from one side of the firewall to the other. A firewall is supposed
+to solve the same kinds of problems as Kerberos (basically hindering
+unauthorised network use). The difference is that Kerberos tries to
+authenticate users, while firewall splits the network in a `secure'
+inside, and an `insecure' outside.
+
+Firewall people usually think that UDP is insecure, partly because many
+`insecure' protocols use UDP. Since Kerberos by default uses UDP to send
+and recieve packets, Kerberos and firewalls doesn't work very well
+together.
+
+The symptoms of trying to use Kerberos behind a firewall is that you
+can't get any tickets (@code{kinit} exits with the infamous @samp{Can't
+send request} error message).
+
+There are a few ways to solve these problems:
+
+@itemize @bullet
+@item
+Convince your firewall administrator to open UDP port 750 or 88 for
+incoming packets. This usually turns out to be difficult.
+@item
+Convince your firewall administrator to open TCP port 750 or 88 for
+outgoing connections. This can be a lot easier, and might already be
+enabled.
+@item
+Use TCP connections over some non-standard port. This requires that you
+have to convince the administrator of the kerberos server to allow
+connections on this port.
+@item
+@cindex HTTP
+Use HTTP to get tickets. Since web-stuff has become almost infinitely
+popular, many firewalls either has the HTTP port open, or has a HTTP
+proxy.
+@end itemize
+
+The last two methods might be considered to be offensive (since you are
+not sending the `right' type of data in each port). You probably do best
+in discussuing this with firewall administrator.
+
+For information on how to use other protocols when communication with
+KDC, see @ref{Install the configuration files}.
+
+It is often the case that the firewall hides addresses on the `inside',
+so it looks like all packets are coming from the firewall. Since address
+of the client host is encoded in the ticket, this can cause trouble. If
+you get errors like @samp{Incorrect network address}, when trying to use
+the ticket, the problem is usually becuase the server you are trying to
+talk to sees a different address than the KDC did. If you experience
+this kind of trouble, the easiest way to solve them is probably to try
+some other mechanism to fetch tickets. You might also be able to
+convince the administrator of the server that the two different
+addresses should be added to the @file{/etc/krb.equiv} file.
+
+@node Common error messages, Is Kerberos year 2000 safe?, Problems with firewalls, Resolving frequent problems
@section Common error messages
These are some of the more obscure error messages you might encounter:
@@ -149,8 +246,48 @@ is down, or it is using the wrong port (compare the entries for
failed to guess what kerberos server to talk to (check
@file{/etc/krb.conf} and @file{/etc/krb.realms}).
+One reason you can't contact the kerberos server might be because you're
+behind a firewall that doesn't allow kerberos packets to pass. For
+possible solutions to this see the firewall section above.
+
+@item @samp{kerberos: socket: Unable to open socket...}
+
+The kerberos server has to open four sockets for each interface. If you
+have a machine with lots of virtual interfaces, you run the risk of
+running out of file descriptors. If that happens you will get this
+error message.
+
+@item @samp{ftp: User foo access denied}
+
+This usually happens because the user's shell is not listed in
+@file{/etc/shells}. Note that @kbd{ftpd} checks this file even on
+systems where the system version does not and there is no
+@file{/etc/shells}.
+
@item @samp{Generic kerberos error}
This is a generic catch-all error message.
@end table
+@node Is Kerberos year 2000 safe?, , Common error messages, Resolving frequent problems
+@section Is Kerberos year 2000 safe?
+
+@cindex Year 2000
+
+Yes.
+
+A somewhat longer answer is that we can't think of anything that can
+break. The protocol itself doesn't use time stamps in textual form, the
+two-digit year problems in the original MIT code has been fixed (this
+was a problem mostly with log files). The FTP client had a bug in the
+command `newer' (which fetches a file if it's newer than what you
+already got).
+
+Another thing to look out for, but that isn't a Y2K problem per se, is
+the expiration date of old principals. The MIT code set the default
+expiration date for some new principals to 1999-12-31, so you might want
+to check your database for things like this.
+
+Now, the Y2038 problem is something completely different (but the
+authors should have retired by then, presumably growing rowanberrys in
+some nice and warm place).
diff --git a/crypto/kerberosIV/doc/setup.texi b/crypto/kerberosIV/doc/setup.texi
index 1b4b395..4d2d0ff 100644
--- a/crypto/kerberosIV/doc/setup.texi
+++ b/crypto/kerberosIV/doc/setup.texi
@@ -64,7 +64,7 @@ only allow logins on the console.
This machine has also to be reliable. If it is down, you will not be
able to use any kerberised services unless you have also configured a
-slave server (@xref{Install a slave kerberos server}).
+slave server (@pxref{Install a slave kerberos server}).
Running the kerberos server requires very little CPU power and a small
amount of disk. An old PC with some hundreds of megabytes of free disk
@@ -84,16 +84,19 @@ different realms. The format of this file is:
@example
THIS.REALM
+SUPP.LOCAL.REALM
THIS.REALM kerberos.this.realm admin server
THIS.REALM kerberos-1.this.realm
+SUPP.LOCAL.REALM kerberos.supp.local.realm admin server
ANOTHER.REALM kerberos.another.realm
@end example
-The first line defines the name of the local realm. Line two defines the
-name of the master kerberos server and the database administration
-server for this realm. You can define any number of kerberos slave
-servers similar to the one defined in line three. The clients will try
-to contact the servers in the order they are defined in @file{krb.conf}.
+The first line defines the name of the local realm. The next few lines
+optionally defines supplementary local realms. The rest of the file
+defines the names of the kerberos servers and the database
+administration servers for all known realms. You can define any number
+of kerberos slave servers similar to the one defined on line
+four. Clients will try to contact servers in listed order.
The @samp{admin server} clause at the first entry states that this is
the master server
@@ -109,10 +112,11 @@ protocols other than UDP.
The formal syntax for an entry is now
@samp{@var{[proto}/@var{]host[}:@var{port]}}. @var{proto} is either
-@samp{udp} or @samp{tcp}, and @var{port} is the port to talk to. Default
-value for @var{proto} is @samp{udp} and for @var{port} whatever
-@samp{kerberos-iv} is defined to be in @file{/etc/services} or 750 if
-undefined.
+@samp{UDP}, @samp{TCP}, or @samp{HTTP}, and @var{port} is the port to
+talk to. Default value for @var{proto} is @samp{UDP} and for @var{port}
+whatever @samp{kerberos-iv} is defined to be in @file{/etc/services} or
+750 if undefined. If @var{proto} is @samp{HTTP}, the default port is
+80. An @samp{http} entry may also be specified in URL format.
If the information about a realm is missing from the @file{krb.conf}
file, or if the information is wrong, the following methods will be
@@ -123,8 +127,9 @@ tried in order.
If you have an SRV-record (@cite{RFC 2052}) for your realm it will be
used. This record should be of the form
@samp{kerberos-iv.@var{protocol}.@var{REALM}}, where @var{proto} is
-either @samp{udp} or @samp{tcp}. (Note: the current implementation does
-not look at priority or weight when deciding which server to talk to.)
+either @samp{UDP}, @samp{TCP}, or @samp{HTTP}. (Note: the current
+implementation does not look at priority or weight when deciding which
+server to talk to.)
@item
If there isn't any SRV-record, it tries to find a TXT-record for the
same domain. The contents of the record should have the same format as the
@@ -133,7 +138,7 @@ solution if your name server doesn't support SRV records. The clients
should work fine with SRV records, so if your name server supports them,
they are very much preferred.)
@item
-If no valid kerberos server is found, it will try to talk udp to the
+If no valid kerberos server is found, it will try to talk UDP to the
service @samp{kerberos-iv} with fall-back to port 750 with
@samp{kerberos.@var{REALM}} (which is also assumed to be the master
server), and then @samp{kerberos-1.@var{REALM}},
@@ -176,6 +181,42 @@ The plain vanilla version of Kerberos doesn't have any fancy methods of
getting realms and servers so it is generally a good idea to keep
@file{krb.conf} and @file{krb.realms} up to date.
+In addition to these commonly used files, @file{/etc/krb.extra}
+@pindex krb.extra
+holds some things that are not normally used. It consists of a number of
+@samp{@var{variable} = @var{value}} pairs, blank lines and lines
+beginning with a hash (#) are ignored.
+
+The currently defined variables are:
+
+@table @samp
+@item krb4_proxy
+@cindex krb4_proxy
+When getting tickets via HTTP, this specifies the proxy to use. The
+default is to speak directly to the KDC.
+@item kdc_time_sync
+@cindex kdc_time_sync
+This flag enables storing of the time differential to the KDC when
+getting an initial ticket. This differential is used later on to compute
+the correct time. This can help if your machine doesn't have a working
+clock.
+@item kdc_timeout
+@cindex kdc_timeout
+This allows you to change the default (4 seconds) timeout when talking
+to the KDC.
+@item reverse_lsb_test
+@cindex reverse_lsb_test
+Reverses the test used by @code{krb_mk_safe}, @code{krb_rd_safe},
+@code{krb_mk_priv}, and @code{krb_rd_priv} to compute the ordering of
+the communicating hosts. This test can cause truble when using
+firewalls.
+@item firewall_address
+@cindex firewall_address
+The IP address that hosts outside the firewall see when connecting from
+within the firewall. If this is specified, the code will try to compute
+the value for @samp{reverse_lsb_test}.
+@end table
+
@node Install the /etc/services, Install the kerberos server, Install the configuration files, How to set up the kerberos server
@subsection Updating /etc/services
@@ -193,7 +234,7 @@ have them there anyway.
You should have already chosen the machine where you want to run the
kerberos server and the realm name. The machine should also be as
-secure as possible (@xref{Choose a kerberos server}) before installing
+secure as possible (@pxref{Choose a kerberos server}) before installing
the kerberos server. In this example, we will install a kerberos server
for the realm @samp{FOO.SE} on a machine called @samp{hemlig.foo.se}.
@@ -285,7 +326,7 @@ to edit the kerberos database directly on the server.
@code{kdb_edit} is intended as a bootstrapping and fall-back mechanism
for editing the database. For normal purposes, use the @code{kadmin}
-program (@xref{Add users to the database}).
+program (@pxref{Add users to the database}).
The following example shows the adding of the principal
@samp{nisse.admin} into the kerberos database. This principal is used
@@ -393,10 +434,10 @@ the contents.
@example
@cartouche
-hemlig# echo "nisse.admin@@FOO.SE" > /var/kerberos/admin_acl.add
-hemlig# echo "nisse.admin@@FOO.SE" > /var/kerberos/admin_acl.get
-hemlig# echo "nisse.admin@@FOO.SE" > /var/kerberos/admin_acl.mod
-hemlig# echo "nisse.admin@@FOO.SE" > /var/kerberos/admin_acl.del
+hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.add
+hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.get
+hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.mod
+hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.del
@end cartouche
@end example
@@ -470,7 +511,7 @@ admin server to your startup scripts (@file{/etc/rc} or similar).
Making a machine a kerberos client only requires a few steps. First you
might need to change the configuration files as with the kerberos
-server. (@xref{Install the configuration files} and @ref{Install the
+server. (@pxref{Install the configuration files} and @pxref{Install the
/etc/services}.) Also you need to make the programs in
@file{/usr/athena/bin} available. This can be done by adding the
@file{/usr/athena/bin} directory to the users' paths, by making symbolic
@@ -482,7 +523,7 @@ time difference between the participating servers and a client is 5
minutes.
@cindex NTP.
One good way to synchronize the time is NTP (Network Time Protocol), see
-@code{http://www.eecis.udel.edu/~ntp/}.
+@url{http://www.eecis.udel.edu/~ntp/}.
If you need to run the client programs on a machine where you do not
have root-access, you can hopefully just use the binaries and no
@@ -563,7 +604,7 @@ authentication method should be used. The @code{telnetd} program has
an option ``-a user'' that only allows kerberised and authenticated
connections. If this is not included, it falls back to using clear text
passwords. For obvious reasons, we recommend that you enable this
-option. If you want to use one-time passwords (@xref{One-Time
+option. If you want to use one-time passwords (@pxref{One-Time
Passwords}) you can use the ``-a otp'' option which will allow OTPs or
kerberised connections.
@@ -576,7 +617,7 @@ specify additional levels that are thus allowed with these options:
@table @asis
@item @kbd{-a otp}
-Allow one-time passwords (@xref{One-Time Passwords}).
+Allow one-time passwords (@pxref{One-Time Passwords}).
@item @kbd{-a ftp}
Allow anonymous login (as user ``ftp'' or ``anonymous'').
@item @kbd{-a safe}
@@ -691,17 +732,28 @@ It is desirable to have at least one backup (slave) server in case the
master server fails. It is possible to have any number of such slave
servers but more than three usually doesn't buy much more redundancy.
-First select a good server machine. @xref{Choose a kerberos
-server}. Since the master and slave servers will use copies of the same
-database, they need to use the same master key.
+First select a good server machine. (@pxref{Choose a kerberos
+server}). Since the master and slave servers will use copies of the same
+database, they need to use the same master key. Add the master key on
+the slave with @code{kstash}. (@pxref{Set up the server})
-On the master, add a @samp{rcmd.kerberos} principal (using
-@samp{ksrvutil get}). The
+On the master, add a @samp{rcmd.kerberos} (note, it should be literally
+``kerberos'') principal (using @samp{ksrvutil get}). The
@pindex kprop
@code{kprop} program, running on the master, will use this when
authenticating to the
@pindex kpropd
-@code{kpropd} daemons running on the slave servers.
+@code{kpropd} daemons running on the slave servers. The @code{kpropd}
+on the slave will use its @samp{rcmd.hostname} key for authenticating
+the connection from the master. Therefore, the slave needs to have this
+key in its srvtab, and it of course also needs to have enough of the
+configuration files to act as a server. See @ref{Install the kerberised
+services} for information on how to do this.
+
+To summarize, the master should have a key for @samp{rcmd.kerberos} and
+the slave one for @samp{rcmd.hostname}.
+
+The slave will need the same master key as you used at the master.
On your master server, create a file, e.g. @file{/var/kerberos/slaves},
that contains the hostnames of your kerberos slave servers.
diff --git a/crypto/kerberosIV/doc/whatis.texi b/crypto/kerberosIV/doc/whatis.texi
index 16989bb..6721c23 100644
--- a/crypto/kerberosIV/doc/whatis.texi
+++ b/crypto/kerberosIV/doc/whatis.texi
@@ -96,7 +96,7 @@ attack.
@subheading Impersonating B
-@var{C} can hijack @var{B}'s network address, and when @var{A} sends
+@var{C} can masquerade @var{B}'s network address, and when @var{A} sends
her credentials, @var{C} just pretend to verify them. @var{C} can't
be sure that she is talking to @var{A}.