Diffstat (limited to 'crypto/kerberosIV/etc')
-rw-r--r--crypto/kerberosIV/etc/README41
-rw-r--r--crypto/kerberosIV/etc/default.login47
-rw-r--r--crypto/kerberosIV/etc/fbtab15
-rw-r--r--crypto/kerberosIV/etc/hosts.equiv1
-rw-r--r--crypto/kerberosIV/etc/inetd.conf.changes33
-rw-r--r--crypto/kerberosIV/etc/krb.conf56
-rw-r--r--crypto/kerberosIV/etc/krb.equiv14
-rw-r--r--crypto/kerberosIV/etc/krb.realms51
-rw-r--r--crypto/kerberosIV/etc/login.access54
-rw-r--r--crypto/kerberosIV/etc/services.append22
10 files changed, 334 insertions, 0 deletions
diff --git a/crypto/kerberosIV/etc/README b/crypto/kerberosIV/etc/README
new file mode 100644
index 0000000..68865ec
--- /dev/null
+++ b/crypto/kerberosIV/etc/README
@@ -0,0 +1,41 @@
+
+ How to update your files in the /etc directory!
+
+/etc/services (all machines)
+
+ The contents of services.append can probably just be appended to
+your local file. If you use NIS (YP) you need to do this on the NIS
+master. Delete and duplicate definitions to prevent inconsistencies.
+
+/etc/krb.conf (all machines)
+
+ Create a krb.conf file by substituting MY.REALM.NAME with your
+domain name. If you create a domain name alias (CNAME) kerberos.domain
+pointing to your master server, unconfigured clients will have a
+chance to find your realm.
+
+ It is no longer necessary to put each and every realm in
+krb.{conf,realms}. If the domain name matches your realm name and you
+have a CNAME kerberos.REALMNAME pointing at your kerberos server other
+sites will find your realm even if it is not listed in krb.conf.
+*** Please add this CNAME to your local DNS ***
+
+/etc/krb.realms (all machines)
+
+ Substitue MY.REALM.NAME in krb.realms with your domain name.
+ Not strictly necessary when domain and realm names match.
+
+/etc/inetd.conf (all machines supporting incoming telnet, rsh etc.)
+
+ Comment out the lines starting with shell, login and telnet and
+append inetd.conf.changes. Be carefull to check that there are no
+additional old entries of kshell, ekshell, klogin and eklogin left.
+
+ The -v option to rshd and rlogin turns off that service and echo
+an informational message to the user.
+
+/etc/srvtab
+
+ With 'ksrvutil get' you can add entries to the Kerberos database and
+put the service keys into your srvtab file.
+
diff --git a/crypto/kerberosIV/etc/default.login b/crypto/kerberosIV/etc/default.login
new file mode 100644
index 0000000..f01b2ee
--- /dev/null
+++ b/crypto/kerberosIV/etc/default.login
@@ -0,0 +1,47 @@
+#
+# Sample /etc/default/login file, read by the login program
+#
+# For more info consult SysV login(1)
+#
+# Most things are environment variables.
+# HZ and TZ are set only if they are still uninitialized.
+
+# This really variable TZ
+#TIMEZONE=EST5EDT
+
+#HZ=100
+
+# File size limit, se ulimit(2).
+# Note that the limit must be specified in units of 512-byte blocks.
+#ULIMIT=0
+
+# If CONSOLE is set, root can only login on that device.
+# When not set root can log in on any device.
+#CONSOLE=/dev/console
+
+# PASSREQ determines if login requires a password.
+PASSREQ=YES
+
+# ALTSHELL, really set SHELL=/bin/bash or other shell
+# Extension: when ALTSHELL=YES, we set the SHELL variable even if it is /bin/sh
+ALTSHELL=YES
+
+# Default PATH
+#PATH=/usr/bin:
+
+# Default PATH for root user
+#SUPATH=/usr/sbin:/usr/bin
+
+# TIMEOUT sets the number of seconds (between 0 and 900) to wait before
+# abandoning a login session.
+#
+#TIMEOUT=300
+
+# Use this for default umask(2) value
+#UMASK=022
+
+# Sleeptime between failed logins
+# SLEEPTIME
+
+# Maximum number of failed login attempts, well the user can always reconnect
+# MAXTRYS
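Review bot: The sample leaves `#CONSOLE=/dev/console` commented out, which by the comment two lines above it means root may log in on any device, including the network ttys that inetd.conf.changes in this same commit still serves through rlogind and telnetd. For a sample shipped next to Kerberos network services, the safer default is `CONSOLE=/dev/console`, or at minimum a comment stating that the shipped setting leaves root's login device unrestricted. Separately, `# SLEEPTIME` and `# MAXTRYS` at the end of the hunk are bare names with no `#KEY=value` example, unit or range, unlike every other setting in the file; give them the same form as `#TIMEOUT=300`, with the unit and range stated in the comment as TIMEOUT's does. Also `se ulimit(2)` should read `see ulimit(2)`.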
diff --git a/crypto/kerberosIV/etc/fbtab b/crypto/kerberosIV/etc/fbtab
new file mode 100644
index 0000000..3e21376
--- /dev/null
+++ b/crypto/kerberosIV/etc/fbtab
@@ -0,0 +1,15 @@
+# Sample /etc/fbtab file read by the login program
+# This file can also be called /etc/logindevperm.
+
+# Use this to give away devices to the console user. The group of the
+# devices is set to the owner's group specified in /etc/passwd.
+#
+# First column specifies the console device.
+#
+# Second the mode bits of the given away devices
+#
+# Third is a : separated list of devices to give away
+
+# console mode devices
+/dev/console 0600 /dev/console:/dev/mouse
+/dev/console 0600 /dev/floppy
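Review bot: The two `/dev/console 0600 …` lines at the end of the hunk split one console's device list over two entries, while the header comment documents the third field as a single `:`-separated list; `/dev/console 0600 /dev/console:/dev/mouse:/dev/floppy` states the same intent in one line. The file does not say whether the login program merges repeated entries for the same console device, so a reader cannot tell from the sample whether the second line adds to or replaces the first. If repeated entries are intentional and accumulate, a one-line comment saying so would remove the ambiguity.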
diff --git a/crypto/kerberosIV/etc/hosts.equiv b/crypto/kerberosIV/etc/hosts.equiv
new file mode 100644
index 0000000..2fbb50c
--- /dev/null
+++ b/crypto/kerberosIV/etc/hosts.equiv
@@ -0,0 +1 @@
+localhost
diff --git a/crypto/kerberosIV/etc/inetd.conf.changes b/crypto/kerberosIV/etc/inetd.conf.changes
new file mode 100644
index 0000000..a9721a0
--- /dev/null
+++ b/crypto/kerberosIV/etc/inetd.conf.changes
@@ -0,0 +1,33 @@
+#
+# $Id: inetd.conf.changes,v 1.12 1996/10/27 11:58:02 bg Exp $
+#
+# Turn off vanilla rshd and rlogind with an informational message.
+# If you really want this security problem remove the '-v' option!
+shell stream tcp nowait root /usr/athena/libexec/rshd rshd -l -L -v
+login stream tcp nowait root /usr/athena/libexec/rlogind rlogind -l -v
+#
+# Kerberos rsh
+kshell stream tcp nowait root /usr/athena/libexec/rshd rshd -L -k
+ekshell stream tcp nowait root /usr/athena/libexec/rshd rshd -L -k -x
+ekshell2 stream tcp nowait root /usr/athena/libexec/rshd rshd -L -k -x
+#
+# Kerberos rlogin
+klogin stream tcp nowait root /usr/athena/libexec/rlogind rlogind -k
+eklogin stream tcp nowait root /usr/athena/libexec/rlogind rlogind -k -x
+#
+# Kerberized telnet and ftp, consider adding '-a user' to
+# disallow cleartext passwords to both telnetd and ftpd.
+telnet stream tcp nowait root /usr/athena/libexec/telnetd telnetd -a none
+ftp stream tcp nowait root /usr/athena/libexec/ftpd ftpd -a none
+#
+# Kerberized POP. Server principal is pop.hostname, *not* rcmd.hostname!
+#kpop stream tcp nowait root /usr/athena/libexec/popper popper -k
+#
+# Old POP3 with passwords in clear (not recommended, uses cleartext passwords)
+#pop3 stream tcp nowait root /usr/athena/libexec/popper popper
+#
+# Kauthd, support for putting tickets on other machines in a secure fashion.
+kauth stream tcp nowait root /usr/athena/libexec/kauthd kauthd
+#
+# Encrypted X connections
+kx stream tcp nowait root /usr/athena/libexec/kxd kxd
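Review bot: The telnet and ftp lines are enabled with `-a none` while the comment directly above them says `-a user` is what disallows cleartext passwords, so the sample as shipped still accepts cleartext logins through the Kerberized daemons. For a file whose opening comment deliberately disables vanilla rshd and rlogind, the consistent default is `telnetd -a user` and `ftpd -a user`, with a comment that `none` must be chosen knowingly to keep password logins. The `ekshell` and `ekshell2` lines carry identical rshd arguments and differ only by port; a one-line comment naming why the second port exists (services.append in this commit ties 2106/tcp to a specific site) would save the next reader a lookup.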
diff --git a/crypto/kerberosIV/etc/krb.conf b/crypto/kerberosIV/etc/krb.conf
new file mode 100644
index 0000000..6114c85
--- /dev/null
+++ b/crypto/kerberosIV/etc/krb.conf
@@ -0,0 +1,56 @@
+MY.REALM.NAME
+MY.REALM.NAME kerberos.MY.REALM.NAME admin server
+SICS.SE kerberos.sics.se admin server
+NADA.KTH.SE kerberos.nada.kth.se admin server
+NADA.KTH.SE sysman.nada.kth.se
+NADA.KTH.SE server.nada.kth.se
+ADMIN.KTH.SE ulysses.admin.kth.se admin server
+ADMIN.KTH.SE graziano.admin.kth.se
+ADMIN.KTH.SE montano.admin.kth.se
+BION.KTH.SE chaplin.bion.kth.se admin server
+DSV.SU.SE ssi.dsv.su.se admin server
+DSV.SU.SE vall.dsv.su.se
+E.KTH.SE heimdal.e.kth.se admin server
+E.KTH.SE elixir.e.kth.se
+E.KTH.SE malt.e.kth.se
+IT.KTH.SE gaia.it.kth.se
+IT.KTH.SE isolde.it.kth.se
+IT.KTH.SE tristan.it.kth.se
+KTH.SE kth.se admin server
+ML.KVA.SE gustava.ml.kva.se admin server
+PI.SE liszt.adm.pi.se admin server
+STACKEN.KTH.SE linnea.stacken.kth.se admin server
+STACKEN.KTH.SE marcel.stacken.kth.se
+STACKEN.KTH.SE sune.stacken.kth.se
+SUNET.SE bar.pilsnet.sunet.se admin server
+CYGNUS.COM kerberos.cygnus.com admin server
+CYGNUS.COM kerberos-1.cygnus.com
+CYGNUS.COM dumb.cygnus.com
+DEVO.CYGNUS.COM dumber.cygnus.com admin server
+MIRKWOOD.CYGNUS.COM mirkwood.cygnus.com admin server
+KITHRUP.COM KITHRUP.COM admin server
+ATHENA.MIT.EDU kerberos.mit.edu admin server
+ATHENA.MIT.EDU kerberos-1.mit.edu
+ATHENA.MIT.EDU kerberos-2.mit.edu
+ATHENA.MIT.EDU kerberos-3.mit.edu
+LCS.MIT.EDU kerberos.lcs.mit.edu admin server
+SMS_TEST.MIT.EDU dodo.mit.edu admin server
+LS.MIT.EDU ls.mit.edu admin server
+IFS.UMICH.EDU kerberos.ifs.umich.edu
+CS.WASHINGTON.EDU hawk.cs.washington.edu
+CS.WASHINGTON.EDU aspen.cs.washington.edu
+CS.BERKELEY.EDU okeeffe.berkeley.edu
+SOUP.MIT.EDU soup.mit.edu admin server
+TELECOM.MIT.EDU bitsy.mit.edu
+MEDIA.MIT.EDU kerberos.media.mit.edu
+NEAR.NET kerberos.near.net
+CATS.UCSC.EDU mehitabel.ucsc.edu admin server
+CATS.UCSC.EDU ucsch.ucsc.edu
+WATCH.MIT.EDU kerberos.watch.mit.edu admin server
+TELEBIT.COM napa.telebit.com. admin server
+ARMADILLO.COM monad.armadillo.com admin server
+TOAD.COM toad.com admin server
+ZEN.ORG zen.org admin server
+LLOYD.COM harry.lloyd.com admin server
+EPRI.COM kerberos.epri.com admin server
+EPRI.COM kerberos-2.epri.com
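Review bot: `napa.telebit.com.` on the TELEBIT.COM line carries a trailing dot that no other host in the file has; unless the reader of krb.conf is known to strip it, the name will not compare equal to the un-dotted form, and the entry should be `TELEBIT.COM napa.telebit.com admin server`. The first line `MY.REALM.NAME` is the local default realm and the second its KDC; only the README in this commit tells the installer to substitute them, and nothing in the file itself marks them as placeholders, so they are easy to ship unmodified. The dozens of third-party realms that follow are KDC hostnames that will go stale; since the README states that a `kerberos.REALM` CNAME makes the listing unnecessary, trimming the sample to the local realm would reduce both maintenance and the chance of a client using a stale KDC entry.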
diff --git a/crypto/kerberosIV/etc/krb.equiv b/crypto/kerberosIV/etc/krb.equiv
new file mode 100644
index 0000000..6205c1f
--- /dev/null
+++ b/crypto/kerberosIV/etc/krb.equiv
@@ -0,0 +1,14 @@
+# List of host with multiple adresses.
+#
+193.10.156.253 130.237.232.44 193.10.156.252 # scws scws-fddi scws-2.
+193.10.156.250 130.237.232.15 # salmon-sp salmon.
+#
+# new krb.equiv syntax for all of SP.
+#
+193.10.156.0/24 193.10.157.0/24 \ # syk-X.pdc.kth.se syk-X-hps.pdc.kth.se
+130.237.232.31 130.237.232.32 \ # syk-0101-fddi syk-0201-fddi
+130.237.232.38 130.237.232.39 \ # syk-0115-fddi syk-0116-fddi
+130.237.232.33 130.237.232.34 \ # syk-0301-fddi syk-0401-fddi
+130.237.232.35 130.237.232.36 \ # syk-0501-fddi syk-0601-fddi
+130.237.232.37 130.237.230.66 \ # syk-0602-fddi syk-0602-fcs
+130.237.230.36 # syk-0606-hippi.
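Review bot: The lines from `193.10.156.0/24 …` through `130.237.232.37 …` end each continuation with `\ # comment`, a backslash that is not the last character on the line; whether the reader honours a continuation marker followed by a comment is not documented here, and if it does not, the record silently ends at the first line and only its first addresses are made equivalent. Either move the comments to full-line `#` comments above the record or confirm and document the continuation-plus-comment form in the header. The file also ships live KTH/PDC addresses rather than a MY.REALM.NAME-style placeholder; since the header describes the records as hosts with multiple addresses, each record presumably makes its addresses interchangeable for the host, so an installer who copies the sample unmodified inherits those equivalences, and a placeholder or a commented-out example would be safer. `adresses` in the header should read `addresses`.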
diff --git a/crypto/kerberosIV/etc/krb.realms b/crypto/kerberosIV/etc/krb.realms
new file mode 100644
index 0000000..85e955a
--- /dev/null
+++ b/crypto/kerberosIV/etc/krb.realms
@@ -0,0 +1,51 @@
+.MY.REALM.NAME MY.REALM.NAME
+sics.se SICS.SE
+.sics.se SICS.SE
+nada.kth.se NADA.KTH.SE
+pdc.kth.se NADA.KTH.SE
+.hydro.kth.se NADA.KTH.SE
+.math.kth.se NADA.KTH.SE
+.mech.kth.se NADA.KTH.SE
+.nada.kth.se NADA.KTH.SE
+.pdc.kth.se NADA.KTH.SE
+.sans.kth.se NADA.KTH.SE
+.admin.kth.se ADMIN.KTH.SE
+.e.kth.se E.KTH.SE
+.electrum.kth.se IT.KTH.SE
+.it.kth.se IT.KTH.SE
+.sth.sunet.se SUNET.SE
+.pilsnet.sunet.se SUNET.SE
+.sunet.se SUNET.SE
+.ml.kva.se ML.KVA.SE
+pi.se PI.SE
+.pi.se PI.SE
+.adm.pi.se PI.SE
+.stacken.kth.se STACKEN.KTH.SE
+kth.se KTH.SE
+.kth.se KTH.SE
+.bion.kth.se BION.KTH.SE
+.dsv.su.se DSV.SU.SE
+.MIT.EDU ATHENA.MIT.EDU
+.MIT.EDU. ATHENA.MIT.EDU
+MIT.EDU ATHENA.MIT.EDU
+DODO.MIT.EDU SMS_TEST.MIT.EDU
+.UCSC.EDU CATS.UCSC.EDU
+.UCSC.EDU. CATS.UCSC.EDU
+CYGNUS.COM CYGNUS.COM
+.CYGNUS.COM CYGNUS.COM
+MIRKWOOD.CYGNUS.COM MIRKWOOD.CYGNUS.COM
+KITHRUP.COM KITHRUP.COM
+.KITHRUP.COM KITHRUP.COM
+.berkeley.edu EECS.BERKELEY.EDU
+.CS.berkeley.edu EECS.BERKELEY.EDU
+.MIT.EDU ATHENA.MIT.EDU
+.mit.edu ATHENA.MIT.EDU
+.BSDI.COM BSDI.COM
+ARMADILLO.COM ARMADILLO.COM
+.ARMADILLO.COM ARMADILLO.COM
+ZEN.ORG ZEN.ORG
+.ZEN.ORG ZEN.ORG
+toad.com TOAD.COM
+.toad.com TOAD.COM
+lloyd.com LLOYD.COM
+.lloyd.com LLOYD.COM
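Review bot: `.MIT.EDU ATHENA.MIT.EDU` appears twice in the hunk, near the top of the MIT group and again just before `.mit.edu ATHENA.MIT.EDU`; the duplicate is harmless if the reader takes the first match, but it should be dropped. The mappings `.berkeley.edu EECS.BERKELEY.EDU` and `.BSDI.COM BSDI.COM` name realms that krb.conf in this commit does not list (krb.conf has `CS.BERKELEY.EDU okeeffe.berkeley.edu` instead), so a host in those domains resolves to a realm with no listed KDC unless the DNS CNAME fallback described in the README exists; either align the two files or note the dependency. Like krb.conf, the file mixes the `.MY.REALM.NAME` placeholder with many live third-party domains, and `.MIT.EDU.` and `.UCSC.EDU.` carry trailing dots that their neighbours lack, so the same trimming and consistency pass applies.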
diff --git a/crypto/kerberosIV/etc/login.access b/crypto/kerberosIV/etc/login.access
new file mode 100644
index 0000000..f811616
--- /dev/null
+++ b/crypto/kerberosIV/etc/login.access
@@ -0,0 +1,54 @@
+# Sample /etc/login.access file read by the login program
+#
+# Login access control table.
+#
+# When someone logs in, the table is scanned for the first entry that
+# matches the (user, host) combination, or, in case of non-networked
+# logins, the first entry that matches the (user, tty) combination. The
+# permissions field of that table entry determines whether the login will
+# be accepted or refused.
+#
+# Format of the login access control table is three fields separated by a
+# ":" character:
+#
+# permission : users : origins
+#
+# The first field should be a "+" (access granted) or "-" (access denied)
+# character.
+#
+# The second field should be a list of one or more login names, group
+# names, or ALL (always matches). A pattern of the form user@host is
+# matched when the login name matches the "user" part, and when the
+# "host" part matches the local machine name.
+#
+# The third field should be a list of one or more tty names (for
+# non-networked logins), host names, domain names (begin with "."), host
+# addresses, internet network numbers (end with "."), ALL (always
+# matches) or LOCAL (matches any string that does not contain a "."
+# character).
+#
+# If you run NIS you can use @netgroupname in host or user patterns; this
+# even works for @usergroup@@hostgroup patterns. Weird.
+#
+# The EXCEPT operator makes it possible to write very compact rules.
+#
+# The group file is searched only when a name does not match that of the
+# logged-in user. Only groups are matched in which users are explicitly
+# listed: the program does not look at a user's primary group id value.
+#
+##############################################################################
+#
+# Disallow console logins to all but a few accounts.
+#
+-:ALL EXCEPT wheel shutdown sync:console
+#
+# Disallow non-local logins to privileged accounts (group wheel).
+#
+-:wheel:ALL EXCEPT LOCAL .win.tue.nl
+#
+# Some accounts are not allowed to login from anywhere:
+#
+-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
+#
+# All other accounts are allowed to login from anywhere.
+#
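Review bot: The rule `-:wheel:ALL EXCEPT LOCAL .win.tue.nl` ships a site-specific domain in a sample file: an installer who copies it unmodified permits group wheel to log in over the network from every host under that domain, which is what the rule's own comment says it exists to prevent for non-local origins. Replace the domain with a placeholder such as `.MY.DOMAIN.NAME`, matching the `MY.REALM.NAME` convention krb.conf in this commit uses, or drop the exception so the shipped rule is `-:wheel:ALL EXCEPT LOCAL`. The account list on the `-:wsbscaro …:ALL` line is likewise carried over from the upstream example and should be a placeholder or commented out. The file ends with a comment announcing that all other accounts may log in from anywhere but no rule; an explicit final `+:ALL:ALL` would make the documented default visible to anyone reading only the rules.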
diff --git a/crypto/kerberosIV/etc/services.append b/crypto/kerberosIV/etc/services.append
new file mode 100644
index 0000000..8101e72
--- /dev/null
+++ b/crypto/kerberosIV/etc/services.append
@@ -0,0 +1,22 @@
+#
+# Kerberos
+#
+# $Id: services.append,v 1.11 1996/10/18 15:25:17 bg Exp $
+#
+kerberos-sec 88/udp # Kerberos secondary port UDP
+kerberos-sec 88/tcp # Kerberos secondary port TCP
+klogin 543/tcp # Kerberos authenticated rlogin
+kshell 544/tcp krcmd # and remote shell
+ekshell 545/tcp # Kerberos encrypted remote shell -kfall
+ekshell2 2106/tcp # What U of Colorado @ Boulder uses?
+kerberos-iv 750/udp kerberos kdc # Kerberos authentication--udp
+kerberos-iv 750/tcp kerberos kdc # Kerberos authentication--tcp
+kerberos_master 751/udp # Kerberos authentication
+kerberos_master 751/tcp # Kerberos authentication
+krb_prop 754/tcp # Kerberos slave propagation
+kpop 1109/tcp # Pop with Kerberos
+eklogin 2105/tcp # Kerberos encrypted rlogin
+rkinit 2108/tcp # Kerberos remote kinit
+kx 2111/tcp # X over kerberos
+kip 2112/tcp # IP over kerberos
+kauth 2120/tcp # Remote kauth
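Review bot: The `kerberos-iv 750/udp kerberos kdc` and `kerberos-iv 750/tcp kerberos kdc` lines attach the alias `kerberos` to port 750, while this same file names port 88 `kerberos-sec`; a local /etc/services that already binds `kerberos` to 88 will then carry the same name on two ports, and which one a name lookup returns typically depends on line order. The README's instruction to delete duplicate definitions reads as covering primary names, not aliases, so a comment on these two lines stating that `kerberos` must not also be bound to 88 elsewhere in the merged file would make the appended block safe to merge. The `ekshell2 2106/tcp # What U of Colorado @ Boulder uses?` comment is a question rather than a description; state the fact or drop the entry.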