Diffstat (limited to 'crypto/kerberosIV/man')
27 files changed, 5669 insertions, 270 deletions
diff --git a/crypto/kerberosIV/man/Makefile b/crypto/kerberosIV/man/Makefile
new file mode 100644
index 0000000..6e6442a
--- /dev/null
+++ b/crypto/kerberosIV/man/Makefile
@@ -0,0 +1,11 @@
+#
+# *** THIS FILE IS NORMALLY OVERWRITTEN BY CONFIGURE ***
+#
+#
+# $Id: Makefile,v 1.3 1997/09/09 15:06:35 bg Exp $
+
+all:
+ $(MAKE) -f Makefile.in cat
+
+clean:
+ rm -f *.cat[1358] *~
diff --git a/crypto/kerberosIV/man/Makefile.in b/crypto/kerberosIV/man/Makefile.in
index a1b6e74..c4941b1 100644
--- a/crypto/kerberosIV/man/Makefile.in
+++ b/crypto/kerberosIV/man/Makefile.in
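Review bot: The `clean` recipe, `rm -f *.cat[1358] *~`, only sweeps the current directory, yet the `cat` target this wrapper drives through Makefile.in also produces `../lib/editline/editline.cat3` and `../appl/push/push.cat8` (they are listed in CAT3/CAT8 in the Makefile.in hunk), so those generated pages survive a clean unless Makefile.in's own `clean`, whose recipe is outside the hunk, removes them. `all` and `clean` are not declared phony either, so a stray file named `clean` would silently turn the rule into a no-op. I would add `.PHONY: all clean` and either extend the recipe to `rm -f *.cat[1358] *~ ../lib/editline/editline.cat3 ../appl/push/push.cat8` or delegate with `$(MAKE) -f Makefile.in clean` so the two file lists cannot drift apart. The header comment should also say that this works only because `cat` in Makefile.in never expands an unsubstituted `@...@` placeholder (NROFF_MAN is hard-coded there), since that is the only reason running the un-configured Makefile.in is safe.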
@@ -7,82 +7,139 @@ SHELL = /bin/sh INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ -MKINSTALLDIRS = @top_srcdir@/mkinstalldirs +MKINSTALLDIRS = @top_srcdir@/mkinstalldirs prefix = @prefix@ mandir = @mandir@ -transform=@program_transform_name@ -EXECSUFFIX=@EXECSUFFIX@ +transform = @program_transform_name@ -MANRX = .*\.\([0-9]\) +disable_cat_manpages = @disable_cat_manpages@ + +# You need a BSD44 system or groff to create the manpages +NROFF_MAN = groff -mandoc -Tascii +#NROFF_MAN = nroff -man +.SUFFIXES: .1 .cat1 .3 .cat3 .5 .cat5 .8 .cat8 +.1.cat1: ; $(NROFF_MAN) $< > $@ +.3.cat3: ; $(NROFF_MAN) $< > $@ +.5.cat5: ; $(NROFF_MAN) $< > $@ +.8.cat8: ; $(NROFF_MAN) $< > $@ + + +MANRX = \(.*\)\.\([0-9]\) CATRX = \(.*\)\.cat\([0-9]\) CATSUFFIX=@CATSUFFIX@ -MAN1 = afslog.1 kauth.1 ftp.1 kdestroy.1 kinit.1 kpasswd.1 \ - login.1 rlogin.1 su.1 kerberos.1 klist.1 ksrvtgt.1 pagsh.1 \ - rcp.1 rsh.1 telnet.1 kx.1 rxterm.1 rxtelnet.1 tenletxr.1 \ - des.1 movemail.1 \ - otp.1 otpprint.1 +MAN1 = afslog.1 des.1 ftp.1 kauth.1 kdestroy.1 \ + kerberos.1 kinit.1 klist.1 kpasswd.1 ksrvtgt.1 \ + kx.1 login.1 movemail.1 otp.1 otpprint.1 pagsh.1 \ + rcp.1 rlogin.1 rsh.1 rxtelnet.1 rxterm.1 su.1 \ + telnet.1 tenletxr.1 -CAT1 = afslog.cat1 kauth.cat1 ftp.cat1 login.cat1 \ - pagsh.cat1 rcp.cat1 rlogin.cat1 rsh.cat1 su.cat1 telnet.cat1 kx.cat1 \ - rxterm.cat1 rxtelnet.cat1 tenletxr.cat1 movemail.cat1 \ - otp.cat1 otpprint.cat1 +CAT1 = afslog.cat1 des.cat1 ftp.cat1 kauth.cat1 kdestroy.cat1 \ + kerberos.cat1 kinit.cat1 klist.cat1 kpasswd.cat1 ksrvtgt.cat1 \ + kx.cat1 login.cat1 movemail.cat1 otp.cat1 otpprint.cat1 pagsh.cat1 \ + rcp.cat1 rlogin.cat1 rsh.cat1 rxtelnet.cat1 rxterm.cat1 su.cat1 \ + telnet.cat1 tenletxr.cat1 -MAN3 = acl_check.3 kafs.3 kerberos.3 krb_set_tkt_string.3 des_crypt.3 \ - krb_realmofhost.3 kuserok.3 getusershell.3 krb_sendauth.3 \ - tf_util.3 +MAN3 = acl_check.3 des_crypt.3 kafs.3 \ + kerberos.3 krb_realmofhost.3 krb_sendauth.3 \ + krb_set_tkt_string.3 kuserok.3 tf_util.3 
\ + ../lib/editline/editline.3 -CAT3 = getusershell.cat3 kafs.cat3 +# getusershell.3 -MAN5 = krb.conf.5 krb.realms.5 krb.equiv.5 login.access.5 ftpusers.5 +CAT3 = acl_check.cat3 des_crypt.cat3 kafs.cat3 \ + kerberos.cat3 krb_realmofhost.cat3 krb_sendauth.cat3 \ + krb_set_tkt_string.cat3 kuserok.cat3 tf_util.cat3 \ + ../lib/editline/editline.cat3 -CAT5 = login.access.cat5 krb.equiv.cat5 ftpusers.cat5 +# getusershell.cat3 -MAN8 = ext_srvtab.8 kdb_destroy.8 kdb_util.8 ksrvutil.8 telnetd.8 rlogind.8 \ - kadmin.8 kdb_edit.8 kstash.8 kadmind.8 kdb_init.8 rshd.8 kauthd.8 \ - popper.8 kxd.8 kerberos.8 +MAN5 = ftpusers.5 krb.conf.5 krb.equiv.5 krb.extra.5 \ + krb.realms.5 login.access.5 -CAT8 = ftpd.cat8 rshd.cat8 telnetd.cat8 ksrvutil.cat8 rlogind.cat8 \ - kauthd.cat8 kprop.cat8 kpropd.cat8 kxd.cat8 kerberos.cat8 +CAT5 = ftpusers.cat5 krb.conf.cat5 krb.equiv.cat5 \ + krb.realms.cat5 login.access.cat5 -all: +MAN8 = ext_srvtab.8 ftpd.8 kadmin.8 kadmind.8 kauthd.8 \ + kdb_destroy.8 kdb_edit.8 kdb_init.8 kdb_util.8 \ + kerberos.8 kprop.8 kpropd.8 ksrvutil.8 kstash.8 \ + kxd.8 popper.8 rlogind.8 rshd.8 telnetd.8 \ + ../appl/push/push.8 -cat: $(CAT1) $(CAT3) $(CAT5) $(CAT8) +CAT8 = ext_srvtab.cat8 ftpd.cat8 kadmin.cat8 kadmind.cat8 kauthd.cat8 \ + kdb_destroy.cat8 kdb_edit.cat8 kdb_init.cat8 kdb_util.cat8 \ + kerberos.cat8 kprop.cat8 kpropd.cat8 ksrvutil.cat8 kstash.cat8 \ + kxd.cat8 popper.cat8 rlogind.cat8 rshd.cat8 telnetd.cat8 \ + ../appl/push/push.cat8 -%.cat1: %.1 - `grog -Tascii $<` > $@ -%.cat3: %.3 - `grog -Tascii $<` > $@ -%.cat5: %.5 - `grog -Tascii $<` > $@ -%.cat8: %.8 - `grog -Tascii $<` > $@ +all: +cat: $(CAT1) $(CAT3) $(CAT5) $(CAT8) Wall: install: all - for x in man1 man3 man5 man8 cat1 cat3 cat5 cat8; do \ - $(MKINSTALLDIRS) $(mandir)/$$x; done - (cd $(srcdir); \ - for x in $(MAN1) $(MAN3) $(MAN5) $(MAN8); do \ - s=`echo $$x | sed 's!$(MANRX)!\1!'` ; \ - $(INSTALL_DATA) $$x $(mandir)/man$$s; done ;\ - for x in $(CAT1) $(CAT3) $(CAT5) $(CAT8); do \ + for x in 
man1 man3 man5 man8; do \ + $(MKINSTALLDIRS) $(DESTDIR)$(mandir)/$$x; done + if test "$(disable_cat_manpages)" != "yes"; then \ + for x in cat1 cat3 cat5 cat8; do \ + $(MKINSTALLDIRS) $(DESTDIR)$(mandir)/$$x; done \ + fi + @(cd $(srcdir); \ + for x in $(MAN1) $(MAN8); do \ + f=`basename $$x`; \ + b=`echo $$f | sed 's!$(MANRX)!\1!'`; \ + s=`echo $$x | sed 's!$(MANRX)!\2!'` ; \ + m=`echo $$b | sed '$(transform)'`.$$s; \ + echo "$(INSTALL_DATA) $$x $(DESTDIR)$(mandir)/man$$s/$$m";\ + $(INSTALL_DATA) $$x $(DESTDIR)$(mandir)/man$$s/$$m; done ;\ + for x in $(MAN3) $(MAN5); do \ + f=`basename $$x`; \ + s=`echo $$f | sed 's!$(MANRX)!\2!'` ; \ + echo "$(INSTALL_DATA) $$x $(DESTDIR)$(mandir)/man$$s/$$f";\ + $(INSTALL_DATA) $$x $(DESTDIR)$(mandir)/man$$s/$$f; done ;\ + if test "$(disable_cat_manpages)" != "yes"; then \ + for x in $(CAT1) $(CAT8); do \ + if test -f $$x; then \ + f=`basename $$x`; \ + b=`echo $$f | sed 's!$(CATRX)!\1!'`; \ s=`echo $$x | sed 's!$(CATRX)!\2!'`; \ - b=`echo $$x | sed 's!$(CATRX)!\1!'`; \ - $(INSTALL_DATA) $$x $(mandir)/cat$$s/$$b.$(CATSUFFIX);\ - done ) + m=`echo $$b | sed '$(transform)'`; \ + echo "$(INSTALL_DATA) $$x $(DESTDIR)$(mandir)/cat$$s/$$m.$(CATSUFFIX)";\ + $(INSTALL_DATA) $$x $(DESTDIR)$(mandir)/cat$$s/$$m.$(CATSUFFIX);\ + fi; done ;\ + for x in $(CAT3) $(CAT5); do \ + if test -f $$x; then \ + f=`basename $$x`; \ + s=`echo $$f | sed 's!$(CATRX)!\2!'`; \ + b=`echo $$f | sed 's!$(CATRX)!\1!'`; \ + echo "$(INSTALL_DATA) $$x $(DESTDIR)$(mandir)/cat$$s/$$b.$(CATSUFFIX)";\ + $(INSTALL_DATA) $$x $(DESTDIR)$(mandir)/cat$$s/$$b.$(CATSUFFIX);\ + fi; done; fi ) uninstall: - for x in $(MAN1) $(MAN3) $(MAN5) $(MAN8); do \ - s=`echo $$x | sed 's!$(MANRX)!\1!'` ; \ - rm -f $(mandir)/man$$s/$$x; done - for x in $(CAT1) $(CAT3) $(CAT5) $(CAT8); do \ + for x in $(MAN1) $(MAN8); do \ + f=`basename $$x`; \ + b=`echo $$f | sed 's!$(MANRX)!\1!'`; \ + s=`echo $$x | sed 's!$(MANRX)!\2!'` ; \ + m=`echo $$b | sed '$(transform)'`.$$s; \ + rm -f 
$(DESTDIR)$(mandir)/man$$s/$$m; done + for x in $(MAN3) $(MAN5); do \ + f=`basename $$x`; \ + s=`echo $$f | sed 's!$(MANRX)!\2!'` ; \ + rm -f $(DESTDIR)$(mandir)/man$$s/$$f; done + for x in $(CAT1) $(CAT8); do \ + f=`basename $$x`; \ + b=`echo $$f | sed 's!$(CATRX)!\1!'`; \ s=`echo $$x | sed 's!$(CATRX)!\2!'`; \ + m=`echo $$b | sed '$(transform)'`; \ + rm -f $(DESTDIR)$(mandir)/cat$$s/$$m.$(CATSUFFIX); done + for x in $(CAT3) $(CAT5); do \ + f=`basename $$x`; \ + s=`echo $$f | sed 's!$(CATRX)!\2!'`; \ b=`echo $$x | sed 's!$(CATRX)!\1!'`; \ - rm -f $(mandir)/cat$$s/$$b.$(CATSUFFIX); done + rm -f $(DESTDIR)$(mandir)/cat$$s/$$b.$(CATSUFFIX); done clean: @@ -91,5 +148,6 @@ mostlyclean: clean distclean: rm -f Makefile *~ -realclean: +realclean: distclean +.PHONY: all cat Wall install uninstall clean mostlyclean distclean realclean diff --git a/crypto/kerberosIV/man/afslog.1 b/crypto/kerberosIV/man/afslog.1 new file mode 100644 index 0000000..625f831 --- /dev/null +++ b/crypto/kerberosIV/man/afslog.1 
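Review bot: In the new `install` recipe the cat-directory block reads `$(MKINSTALLDIRS) $(DESTDIR)$(mandir)/$$x; done \` immediately followed by `fi` with no separator; as printed, the backslash-newline joins these into `done fi`, which is a shell syntax error, so that line should read `$(MKINSTALLDIRS) $(DESTDIR)$(mandir)/$$x; done; \` (the later `fi; done ;\` and `fi; done; fi )` lines get this right) — worth confirming against the un-collapsed file. Separately, the whole `@(cd $(srcdir); ...)` subshell is built from `for` loops, so a failing `$(INSTALL_DATA)` in the middle is masked by the exit status of the last iteration and `make install` reports success with pages missing; appending `|| exit 1` to each `$(INSTALL_DATA) ...` line would surface it. The new suffix rules such as `.1.cat1: ; $(NROFF_MAN) $< > $@` also redirect straight into the target, so a groff failure leaves an empty `.cat1` that is newer than its source and still passes the `test -f $$x` check at install time; `$(NROFF_MAN) $< > $@.tmp && mv -f $@.tmp $@` avoids shipping a truncated page.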
@@ -0,0 +1,72 @@
+.\" $Id: afslog.1,v 1.3 1998/06/30 15:28:48 assar Exp $
+.\"
+.Dd April 27, 1996
+.Dt AFSLOG 1
+.Os KTH-KRB
+.Sh NAME
+.Nm afslog
+.Nd
+obtains AFS tokens for specified cells
+.Sh SYNOPSIS
+.Nm
+.Op Fl d
+.Op Fl c Ar cell
+.Op Fl k Ar realm
+.Op Fl p Pa path
+.Op Fl unlog
+.Op Fl createuser
+.Op Ar args
+.Sh DESCRIPTION
+The
+.Nm
+command obtains AFS tokens,
+.Ar args
+are either a name of a cell or a pathnames of a file in the cell to
+get tokens for. If an argument is
+.Li .
+or
+.Li ..
+or contains a slash it is assumed to be a pathname. Otherwise it is
+assumed to be a name of a cell or a prefix thereof.
+.Pp
+The
+.Fl c
+and
+.Fl p
+flags can be used to resolve ambiguities.
+.Pp
+.Nm
+might fail to guess the Kerberos realm to get tickets for (for
+instance if the volume location servers of the cell does not reside in
+the kerberos realm that holds the AFS service key, and the correct
+realm isn't the same as the cell name or the local realm (I didn't say
+this was a common problem)). Anyway, the
+.Fl k
+can be used to give a hint. It should not be used unless there is a
+problem, since all tickets will be taken from the specified realm and
+this is not (usually) what you want.
+.Pp
+.Fl createuser
+means that
+.Nm
+should try to run
+.Nm pts
+to create a remote user principal in another cell.
+.Fl d
+can be used for debugging.
+.Pp
+If the
+.Fl unlog
+flag is given any tokens are removed and all other arguments are ignored.
+.Sh SEE ALSO
+.Xr kauth 1 ,
+.Xr kafs 3
+.Sh BUGS
+It should be able to handle the MIT Athena
+.Nm aklog
+flags
+.Fl hosts ,
+.Fl zsubs ,
+and
+.Fl noprdb ,
+but does not.
diff --git a/crypto/kerberosIV/man/ftp.1 b/crypto/kerberosIV/man/ftp.1
new file mode 100644
index 0000000..e5c21f0
--- /dev/null
+++ b/crypto/kerberosIV/man/ftp.1
@@ -0,0 +1,1193 @@
+.\" $NetBSD: ftp.1,v 1.11 1995/09/08 01:06:24 tls Exp $
+.\"
+.\" Copyright (c) 1985, 1989, 1990, 1993
+.\" The Regents of the University of California. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by the University of
+.\" California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\" +.\" @(#)ftp.1 8.3 (Berkeley) 10/9/94 +.\" +.Dd April 27, 1996 +.Dt FTP 1 +.Os BSD 4.2 +.Sh NAME +.Nm ftp +.Nd +.Tn ARPANET +file transfer program +.Sh SYNOPSIS +.Nm ftp +.Op Fl t +.Op Fl v +.Op Fl d +.Op Fl i +.Op Fl n +.Op Fl g +.Op Fl p +.Op Ar host +.Sh DESCRIPTION +.Nm Ftp +is the user interface to the +.Tn ARPANET +standard File Transfer Protocol. +The program allows a user to transfer files to and from a +remote network site. +.Pp +Modifications has been made so that it almost follows the ftpsec +Internet draft. +.Pp +Options may be specified at the command line, or to the +command interpreter. +.Bl -tag -width flag +.It Fl t +Enables packet tracing. +.It Fl v +Verbose option forces +.Nm ftp +to show all responses from the remote server, as well +as report on data transfer statistics. +.It Fl n +Restrains +.Nm ftp +from attempting \*(Lqauto-login\*(Rq upon initial connection. +If auto-login is enabled, +.Nm ftp +will check the +.Pa .netrc +(see below) file in the user's home directory for an entry describing +an account on the remote machine. +If no entry exists, +.Nm ftp +will prompt for the remote machine login name (default is the user +identity on the local machine), and, if necessary, prompt for a password +and an account with which to login. +.It Fl i +Turns off interactive prompting during +multiple file transfers. +.It Fl p +Turn on passive mode. +.It Fl d +Enables debugging. +.It Fl g +Disables file name globbing. +.El +.Pp +The client host with which +.Nm ftp +is to communicate may be specified on the command line. +If this is done, +.Nm ftp +will immediately attempt to establish a connection to an +.Tn FTP +server on that host; otherwise, +.Nm ftp +will enter its command interpreter and await instructions +from the user. +When +.Nm ftp +is awaiting commands from the user the prompt +.Ql ftp> +is provided to the user. +The following commands are recognized +by +.Nm ftp : +.Bl -tag -width Fl +.It Ic \&! 
Op Ar command Op Ar args +Invoke an interactive shell on the local machine. +If there are arguments, the first is taken to be a command to execute +directly, with the rest of the arguments as its arguments. +.It Ic \&$ Ar macro-name Op Ar args +Execute the macro +.Ar macro-name +that was defined with the +.Ic macdef +command. +Arguments are passed to the macro unglobbed. +.It Ic account Op Ar passwd +Supply a supplemental password required by a remote system for access +to resources once a login has been successfully completed. +If no argument is included, the user will be prompted for an account +password in a non-echoing input mode. +.It Ic append Ar local-file Op Ar remote-file +Append a local file to a file on the remote machine. +If +.Ar remote-file +is left unspecified, the local file name is used in naming the +remote file after being altered by any +.Ic ntrans +or +.Ic nmap +setting. +File transfer uses the current settings for +.Ic type , +.Ic format , +.Ic mode , +and +.Ic structure . +.It Ic ascii +Set the file transfer +.Ic type +to network +.Tn ASCII . +This is the default type. +.It Ic bell +Arrange that a bell be sounded after each file transfer +command is completed. +.It Ic binary +Set the file transfer +.Ic type +to support binary image transfer. +.It Ic bye +Terminate the +.Tn FTP +session with the remote server +and exit +.Nm ftp . +An end of file will also terminate the session and exit. +.It Ic case +Toggle remote computer file name case mapping during +.Ic mget +commands. +When +.Ic case +is on (default is off), remote computer file names with all letters in +upper case are written in the local directory with the letters mapped +to lower case. +.It Ic \&cd Ar remote-directory +Change the working directory on the remote machine +to +.Ar remote-directory . +.It Ic cdup +Change the remote machine working directory to the parent of the +current remote machine working directory. 
+.It Ic chmod Ar mode file-name +Change the permission modes of the file +.Ar file-name +on the remote +sytem to +.Ar mode . +.It Ic close +Terminate the +.Tn FTP +session with the remote server, and +return to the command interpreter. +Any defined macros are erased. +.It Ic \&cr +Toggle carriage return stripping during +ascii type file retrieval. +Records are denoted by a carriage return/linefeed sequence +during ascii type file transfer. +When +.Ic \&cr +is on (the default), carriage returns are stripped from this +sequence to conform with the +.Ux +single linefeed record +delimiter. +Records on +.Pf non\- Ns Ux +remote systems may contain single linefeeds; +when an ascii type transfer is made, these linefeeds may be +distinguished from a record delimiter only when +.Ic \&cr +is off. +.It Ic delete Ar remote-file +Delete the file +.Ar remote-file +on the remote machine. +.It Ic debug Op Ar debug-value +Toggle debugging mode. +If an optional +.Ar debug-value +is specified it is used to set the debugging level. +When debugging is on, +.Nm ftp +prints each command sent to the remote machine, preceded +by the string +.Ql \-\-> +.It Xo +.Ic dir +.Op Ar remote-directory +.Op Ar local-file +.Xc +Print a listing of the directory contents in the +directory, +.Ar remote-directory , +and, optionally, placing the output in +.Ar local-file . +If interactive prompting is on, +.Nm ftp +will prompt the user to verify that the last argument is indeed the +target local file for receiving +.Ic dir +output. +If no directory is specified, the current working +directory on the remote machine is used. +If no local +file is specified, or +.Ar local-file +is +.Fl , +output comes to the terminal. +.It Ic disconnect +A synonym for +.Ar close . +.It Ic form Ar format +Set the file transfer +.Ic form +to +.Ar format . +The default format is \*(Lqfile\*(Rq. +.It Ic get Ar remote-file Op Ar local-file +Retrieve the +.Ar remote-file +and store it on the local machine. 
+If the local +file name is not specified, it is given the same +name it has on the remote machine, subject to +alteration by the current +.Ic case , +.Ic ntrans , +and +.Ic nmap +settings. +The current settings for +.Ic type , +.Ic form , +.Ic mode , +and +.Ic structure +are used while transferring the file. +.It Ic glob +Toggle filename expansion for +.Ic mdelete , +.Ic mget +and +.Ic mput . +If globbing is turned off with +.Ic glob , +the file name arguments +are taken literally and not expanded. +Globbing for +.Ic mput +is done as in +.Xr csh 1 . +For +.Ic mdelete +and +.Ic mget , +each remote file name is expanded +separately on the remote machine and the lists are not merged. +Expansion of a directory name is likely to be +different from expansion of the name of an ordinary file: +the exact result depends on the foreign operating system and ftp server, +and can be previewed by doing +.Ql mls remote-files \- . +As a security measure, remotely globbed files that starts with +.Sq / +or contains +.Sq ../ , +will not be automatically received. If you have interactive prompting +turned off, these filenames will be ignored. Note: +.Ic mget +and +.Ic mput +are not meant to transfer +entire directory subtrees of files. +That can be done by +transferring a +.Xr tar 1 +archive of the subtree (in binary mode). +.It Ic hash +Toggle hash-sign (``#'') printing for each data block +transferred. +The size of a data block is 1024 bytes. +.It Ic help Op Ar command +Print an informative message about the meaning of +.Ar command . +If no argument is given, +.Nm ftp +prints a list of the known commands. +.It Ic idle Op Ar seconds +Set the inactivity timer on the remote server to +.Ar seconds +seconds. +If +.Ar seconds +is omitted, the current inactivity timer is printed. +.It Ic lcd Op Ar directory +Change the working directory on the local machine. +If +no +.Ar directory +is specified, the user's home directory is used. 
+.It Xo +.Ic \&ls +.Op Ar remote-directory +.Op Ar local-file +.Xc +Print a listing of the contents of a +directory on the remote machine. +The listing includes any system-dependent information that the server +chooses to include; for example, most +.Ux +systems will produce +output from the command +.Ql ls \-l . +(See also +.Ic nlist . ) +If +.Ar remote-directory +is left unspecified, the current working directory is used. +If interactive prompting is on, +.Nm ftp +will prompt the user to verify that the last argument is indeed the +target local file for receiving +.Ic \&ls +output. +If no local file is specified, or if +.Ar local-file +is +.Sq Fl , +the output is sent to the terminal. +.It Ic macdef Ar macro-name +Define a macro. +Subsequent lines are stored as the macro +.Ar macro-name ; +a null line (consecutive newline characters +in a file or +carriage returns from the terminal) terminates macro input mode. +There is a limit of 16 macros and 4096 total characters in all +defined macros. +Macros remain defined until a +.Ic close +command is executed. +The macro processor interprets `$' and `\e' as special characters. +A `$' followed by a number (or numbers) is replaced by the +corresponding argument on the macro invocation command line. +A `$' followed by an `i' signals that macro processor that the +executing macro is to be looped. +On the first pass `$i' is +replaced by the first argument on the macro invocation command line, +on the second pass it is replaced by the second argument, and so on. +A `\e' followed by any character is replaced by that character. +Use the `\e' to prevent special treatment of the `$'. +.It Ic mdelete Op Ar remote-files +Delete the +.Ar remote-files +on the remote machine. +.It Ic mdir Ar remote-files local-file +Like +.Ic dir , +except multiple remote files may be specified. 
+If interactive prompting is on, +.Nm ftp +will prompt the user to verify that the last argument is indeed the +target local file for receiving +.Ic mdir +output. +.It Ic mget Ar remote-files +Expand the +.Ar remote-files +on the remote machine +and do a +.Ic get +for each file name thus produced. +See +.Ic glob +for details on the filename expansion. +Resulting file names will then be processed according to +.Ic case , +.Ic ntrans , +and +.Ic nmap +settings. +Files are transferred into the local working directory, +which can be changed with +.Ql lcd directory ; +new local directories can be created with +.Ql "\&! mkdir directory" . +.It Ic mkdir Ar directory-name +Make a directory on the remote machine. +.It Ic mls Ar remote-files local-file +Like +.Ic nlist , +except multiple remote files may be specified, +and the +.Ar local-file +must be specified. +If interactive prompting is on, +.Nm ftp +will prompt the user to verify that the last argument is indeed the +target local file for receiving +.Ic mls +output. +.It Ic mode Op Ar mode-name +Set the file transfer +.Ic mode +to +.Ar mode-name . +The default mode is \*(Lqstream\*(Rq mode. +.It Ic modtime Ar file-name +Show the last modification time of the file on the remote machine. +.It Ic mput Ar local-files +Expand wild cards in the list of local files given as arguments +and do a +.Ic put +for each file in the resulting list. +See +.Ic glob +for details of filename expansion. +Resulting file names will then be processed according to +.Ic ntrans +and +.Ic nmap +settings. +.It Ic newer Ar file-name +Get the file only if the modification time of the remote file is more +recent that the file on the current system. +If the file does not +exist on the current system, the remote file is considered +.Ic newer . +Otherwise, this command is identical to +.Ar get . +.It Xo +.Ic nlist +.Op Ar remote-directory +.Op Ar local-file +.Xc +Print a list of the files in a +directory on the remote machine. 
+If +.Ar remote-directory +is left unspecified, the current working directory is used. +If interactive prompting is on, +.Nm ftp +will prompt the user to verify that the last argument is indeed the +target local file for receiving +.Ic nlist +output. +If no local file is specified, or if +.Ar local-file +is +.Fl , +the output is sent to the terminal. +.It Ic nmap Op Ar inpattern outpattern +Set or unset the filename mapping mechanism. +If no arguments are specified, the filename mapping mechanism is unset. +If arguments are specified, remote filenames are mapped during +.Ic mput +commands and +.Ic put +commands issued without a specified remote target filename. +If arguments are specified, local filenames are mapped during +.Ic mget +commands and +.Ic get +commands issued without a specified local target filename. +This command is useful when connecting to a +.No non\- Ns Ux +remote computer +with different file naming conventions or practices. +The mapping follows the pattern set by +.Ar inpattern +and +.Ar outpattern . +.Op Ar Inpattern +is a template for incoming filenames (which may have already been +processed according to the +.Ic ntrans +and +.Ic case +settings). +Variable templating is accomplished by including the +sequences `$1', `$2', ..., `$9' in +.Ar inpattern . +Use `\\' to prevent this special treatment of the `$' character. +All other characters are treated literally, and are used to determine the +.Ic nmap +.Op Ar inpattern +variable values. +For example, given +.Ar inpattern +$1.$2 and the remote file name "mydata.data", $1 would have the value +"mydata", and $2 would have the value "data". +The +.Ar outpattern +determines the resulting mapped filename. +The sequences `$1', `$2', ...., `$9' are replaced by any value resulting +from the +.Ar inpattern +template. +The sequence `$0' is replace by the original filename. 
+Additionally, the sequence +.Ql Op Ar seq1 , Ar seq2 +is replaced by +.Op Ar seq1 +if +.Ar seq1 +is not a null string; otherwise it is replaced by +.Ar seq2 . +For example, the command +.Pp +.Bd -literal -offset indent -compact +nmap $1.$2.$3 [$1,$2].[$2,file] +.Ed +.Pp +would yield +the output filename "myfile.data" for input filenames "myfile.data" and +"myfile.data.old", "myfile.file" for the input filename "myfile", and +"myfile.myfile" for the input filename ".myfile". +Spaces may be included in +.Ar outpattern , +as in the example: `nmap $1 sed "s/ *$//" > $1' . +Use the `\e' character to prevent special treatment +of the `$','[','[', and `,' characters. +.It Ic ntrans Op Ar inchars Op Ar outchars +Set or unset the filename character translation mechanism. +If no arguments are specified, the filename character +translation mechanism is unset. +If arguments are specified, characters in +remote filenames are translated during +.Ic mput +commands and +.Ic put +commands issued without a specified remote target filename. +If arguments are specified, characters in +local filenames are translated during +.Ic mget +commands and +.Ic get +commands issued without a specified local target filename. +This command is useful when connecting to a +.No non\- Ns Ux +remote computer +with different file naming conventions or practices. +Characters in a filename matching a character in +.Ar inchars +are replaced with the corresponding character in +.Ar outchars . +If the character's position in +.Ar inchars +is longer than the length of +.Ar outchars , +the character is deleted from the file name. +.It Ic open Ar host Op Ar port +Establish a connection to the specified +.Ar host +.Tn FTP +server. +An optional port number may be supplied, +in which case, +.Nm ftp +will attempt to contact an +.Tn FTP +server at that port. +If the +.Ic auto-login +option is on (default), +.Nm ftp +will also attempt to automatically log the user in to +the +.Tn FTP +server (see below). 
+.It Ic passive +Toggle passive mode. If passive mode is turned on +(default is off), the ftp client will +send a +.Dv PASV +command for all data connections instead of the usual +.Dv PORT +command. The +.Dv PASV +command requests that the remote server open a port for the data connection +and return the address of that port. The remote server listens on that +port and the client connects to it. When using the more traditional +.Dv PORT +command, the client listens on a port and sends that address to the remote +server, who connects back to it. Passive mode is useful when using +.Nm ftp +through a gateway router or host that controls the directionality of +traffic. +(Note that though ftp servers are required to support the +.Dv PASV +command by RFC 1123, some do not.) +.It Ic prompt +Toggle interactive prompting. +Interactive prompting +occurs during multiple file transfers to allow the +user to selectively retrieve or store files. +If prompting is turned off (default is on), any +.Ic mget +or +.Ic mput +will transfer all files, and any +.Ic mdelete +will delete all files. +.It Ic proxy Ar ftp-command +Execute an ftp command on a secondary control connection. +This command allows simultaneous connection to two remote ftp +servers for transferring files between the two servers. +The first +.Ic proxy +command should be an +.Ic open , +to establish the secondary control connection. +Enter the command "proxy ?" to see other ftp commands executable on the +secondary connection. +The following commands behave differently when prefaced by +.Ic proxy : +.Ic open +will not define new macros during the auto-login process, +.Ic close +will not erase existing macro definitions, +.Ic get +and +.Ic mget +transfer files from the host on the primary control connection +to the host on the secondary control connection, and +.Ic put , +.Ic mput , +and +.Ic append +transfer files from the host on the secondary control connection +to the host on the primary control connection. 
+Third party file transfers depend upon support of the ftp protocol +.Dv PASV +command by the server on the secondary control connection. +.It Ic put Ar local-file Op Ar remote-file +Store a local file on the remote machine. +If +.Ar remote-file +is left unspecified, the local file name is used +after processing according to any +.Ic ntrans +or +.Ic nmap +settings +in naming the remote file. +File transfer uses the +current settings for +.Ic type , +.Ic format , +.Ic mode , +and +.Ic structure . +.It Ic pwd +Print the name of the current working directory on the remote +machine. +.It Ic quit +A synonym for +.Ic bye . +.It Ic quote Ar arg1 arg2 ... +The arguments specified are sent, verbatim, to the remote +.Tn FTP +server. +.It Ic recv Ar remote-file Op Ar local-file +A synonym for get. +.It Ic reget Ar remote-file Op Ar local-file +Reget acts like get, except that if +.Ar local-file +exists and is +smaller than +.Ar remote-file , +.Ar local-file +is presumed to be +a partially transferred copy of +.Ar remote-file +and the transfer +is continued from the apparent point of failure. +This command +is useful when transferring very large files over networks that +are prone to dropping connections. +.It Ic remotehelp Op Ar command-name +Request help from the remote +.Tn FTP +server. +If a +.Ar command-name +is specified it is supplied to the server as well. +.It Ic remotestatus Op Ar file-name +With no arguments, show status of remote machine. +If +.Ar file-name +is specified, show status of +.Ar file-name +on remote machine. +.It Xo +.Ic rename +.Op Ar from +.Op Ar to +.Xc +Rename the file +.Ar from +on the remote machine, to the file +.Ar to . +.It Ic reset +Clear reply queue. +This command re-synchronizes command/reply sequencing with the remote +ftp server. +Resynchronization may be necessary following a violation of the ftp protocol +by the remote server. 
+.It Ic restart Ar marker +Restart the immediately following +.Ic get +or +.Ic put +at the +indicated +.Ar marker . +On +.Ux +systems, marker is usually a byte +offset into the file. +.It Ic rmdir Ar directory-name +Delete a directory on the remote machine. +.It Ic runique +Toggle storing of files on the local system with unique filenames. +If a file already exists with a name equal to the target +local filename for a +.Ic get +or +.Ic mget +command, a ".1" is appended to the name. +If the resulting name matches another existing file, +a ".2" is appended to the original name. +If this process continues up to ".99", an error +message is printed, and the transfer does not take place. +The generated unique filename will be reported. +Note that +.Ic runique +will not affect local files generated from a shell command +(see below). +The default value is off. +.It Ic send Ar local-file Op Ar remote-file +A synonym for put. +.It Ic sendport +Toggle the use of +.Dv PORT +commands. +By default, +.Nm ftp +will attempt to use a +.Dv PORT +command when establishing +a connection for each data transfer. +The use of +.Dv PORT +commands can prevent delays +when performing multiple file transfers. +If the +.Dv PORT +command fails, +.Nm ftp +will use the default data port. +When the use of +.Dv PORT +commands is disabled, no attempt will be made to use +.Dv PORT +commands for each data transfer. +This is useful +for certain +.Tn FTP +implementations which do ignore +.Dv PORT +commands but, incorrectly, indicate they've been accepted. +.It Ic site Ar arg1 arg2 ... +The arguments specified are sent, verbatim, to the remote +.Tn FTP +server as a +.Dv SITE +command. +.It Ic size Ar file-name +Return size of +.Ar file-name +on remote machine. +.It Ic status +Show the current status of +.Nm ftp . +.It Ic struct Op Ar struct-name +Set the file transfer +.Ar structure +to +.Ar struct-name . +By default \*(Lqstream\*(Rq structure is used. 
+.It Ic sunique
+Toggle storing of files on remote machine under unique file names.
+Remote ftp server must support ftp protocol
+.Dv STOU
+command for
+successful completion.
+The remote server will report unique name.
+Default value is off.
+.It Ic system
+Show the type of operating system running on the remote machine.
+.It Ic tenex
+Set the file transfer type to that needed to
+talk to
+.Tn TENEX
+machines.
+.It Ic trace
+Toggle packet tracing.
+.It Ic type Op Ar type-name
+Set the file transfer
+.Ic type
+to
+.Ar type-name .
+If no type is specified, the current type
+is printed.
+The default type is network
+.Tn ASCII .
+.It Ic umask Op Ar newmask
+Set the default umask on the remote server to
+.Ar newmask .
+If
+.Ar newmask
+is omitted, the current umask is printed.
+.It Xo
+.Ic user Ar user-name
+.Op Ar password
+.Op Ar account
+.Xc
+Identify yourself to the remote
+.Tn FTP
+server.
+If the
+.Ar password
+is not specified and the server requires it,
+.Nm ftp
+will prompt the user for it (after disabling local echo).
+If an
+.Ar account
+field is not specified, and the
+.Tn FTP
+server
+requires it, the user will be prompted for it.
+If an
+.Ar account
+field is specified, an account command will
+be relayed to the remote server after the login sequence
+is completed if the remote server did not require it
+for logging in.
+Unless
+.Nm ftp
+is invoked with \*(Lqauto-login\*(Rq disabled, this
+process is done automatically on initial connection to
+the
+.Tn FTP
+server.
+.It Ic verbose
+Toggle verbose mode.
+In verbose mode, all responses from
+the
+.Tn FTP
+server are displayed to the user.
+In addition,
+if verbose is on, when a file transfer completes, statistics
+regarding the efficiency of the transfer are reported.
+By default,
+verbose is on.
+.It Ic ? Op Ar command
+A synonym for help.
+.El
+.Pp
+The following command can be used with ftpsec-aware servers.
+.Bl -tag -width Fl
+.It Xo
+.Ic prot
+.Ar clear |
+.Ar safe |
+.Ar confidential |
+.Ar private
+.Xc
+Set the data protection level to the requested level.
+.El
+.Pp
+The following command can be used with ftp servers that has
+implemented the KAUTH site command.
+.Bl -tag -width Fl
+.It Ic kauth Op Ar principal
+Obtain remote tickets.
+.El
+.Pp
+Command arguments which have embedded spaces may be quoted with
+quote `"' marks.
+.Sh ABORTING A FILE TRANSFER
+To abort a file transfer, use the terminal interrupt key
+(usually Ctrl-C).
+Sending transfers will be immediately halted.
+Receiving transfers will be halted by sending a ftp protocol
+.Dv ABOR
+command to the remote server, and discarding any further data received.
+The speed at which this is accomplished depends upon the remote
+server's support for
+.Dv ABOR
+processing.
+If the remote server does not support the
+.Dv ABOR
+command, an
+.Ql ftp>
+prompt will not appear until the remote server has completed
+sending the requested file.
+.Pp
+The terminal interrupt key sequence will be ignored when
+.Nm ftp
+has completed any local processing and is awaiting a reply
+from the remote server.
+A long delay in this mode may result from the ABOR processing described
+above, or from unexpected behavior by the remote server, including
+violations of the ftp protocol.
+If the delay results from unexpected remote server behavior, the local
+.Nm ftp
+program must be killed by hand.
+.Sh FILE NAMING CONVENTIONS
+Files specified as arguments to
+.Nm ftp
+commands are processed according to the following rules.
+.Bl -enum
+.It
+If the file name
+.Sq Fl
+is specified, the
+.Ar stdin
+(for reading) or
+.Ar stdout
+(for writing) is used.
+.It
+If the first character of the file name is
+.Sq \&| ,
+the
+remainder of the argument is interpreted as a shell command.
+.Nm Ftp
+then forks a shell, using
+.Xr popen 3
+with the argument supplied, and reads (writes) from the stdout
+(stdin).
+If the shell command includes spaces, the argument
+must be quoted; e.g.
+\*(Lq" ls -lt"\*(Rq.
+A particularly
+useful example of this mechanism is: \*(Lqdir more\*(Rq.
+.It
+Failing the above checks, if ``globbing'' is enabled,
+local file names are expanded
+according to the rules used in the
+.Xr csh 1 ;
+c.f. the
+.Ic glob
+command.
+If the
+.Nm ftp
+command expects a single local file (.e.g.
+.Ic put ) ,
+only the first filename generated by the "globbing" operation is used.
+.It
+For
+.Ic mget
+commands and
+.Ic get
+commands with unspecified local file names, the local filename is
+the remote filename, which may be altered by a
+.Ic case ,
+.Ic ntrans ,
+or
+.Ic nmap
+setting.
+The resulting filename may then be altered if
+.Ic runique
+is on.
+.It
+For
+.Ic mput
+commands and
+.Ic put
+commands with unspecified remote file names, the remote filename is
+the local filename, which may be altered by a
+.Ic ntrans
+or
+.Ic nmap
+setting.
+The resulting filename may then be altered by the remote server if
+.Ic sunique
+is on.
+.El
+.Sh FILE TRANSFER PARAMETERS
+The FTP specification specifies many parameters which may
+affect a file transfer.
+The
+.Ic type
+may be one of \*(Lqascii\*(Rq, \*(Lqimage\*(Rq (binary),
+\*(Lqebcdic\*(Rq, and \*(Lqlocal byte size\*(Rq (for
+.Tn PDP Ns -10's
+and
+.Tn PDP Ns -20's
+mostly).
+.Nm Ftp
+supports the ascii and image types of file transfer,
+plus local byte size 8 for
+.Ic tenex
+mode transfers.
+.Pp
+.Nm Ftp
+supports only the default values for the remaining
+file transfer parameters:
+.Ic mode ,
+.Ic form ,
+and
+.Ic struct .
+.Sh THE .netrc FILE
+The
+.Pa .netrc
+file contains login and initialization information
+used by the auto-login process.
+It resides in the user's home directory.
+The following tokens are recognized; they may be separated by spaces,
+tabs, or new-lines:
+.Bl -tag -width password
+.It Ic machine Ar name
+Identify a remote machine
+.Ar name .
+The auto-login process searches the
+.Pa .netrc
+file for a
+.Ic machine
+token that matches the remote machine specified on the
+.Nm ftp
+command line or as an
+.Ic open
+command argument.
+Once a match is made, the subsequent
+.Pa .netrc
+tokens are processed,
+stopping when the end of file is reached or another
+.Ic machine
+or a
+.Ic default
+token is encountered.
+.It Ic default
+This is the same as
+.Ic machine
+.Ar name
+except that
+.Ic default
+matches any name.
+There can be only one
+.Ic default
+token, and it must be after all
+.Ic machine
+tokens.
+This is normally used as:
+.Pp
+.Dl default login anonymous password user@site
+.Pp
+thereby giving the user
+.Ar automatic
+anonymous ftp login to
+machines not specified in
+.Pa .netrc .
+This can be overridden
+by using the
+.Fl n
+flag to disable auto-login.
+.It Ic login Ar name
+Identify a user on the remote machine.
+If this token is present, the auto-login process will initiate
+a login using the specified
+.Ar name .
+.It Ic password Ar string
+Supply a password.
+If this token is present, the auto-login process will supply the
+specified string if the remote server requires a password as part
+of the login process.
+Note that if this token is present in the
+.Pa .netrc
+file for any user other
+than
+.Ar anonymous ,
+.Nm ftp
+will abort the auto-login process if the
+.Pa .netrc
+is readable by
+anyone besides the user.
+.It Ic account Ar string
+Supply an additional account password.
+If this token is present, the auto-login process will supply the
+specified string if the remote server requires an additional
+account password, or the auto-login process will initiate an
+.Dv ACCT
+command if it does not.
+.It Ic macdef Ar name
+Define a macro.
+This token functions like the
+.Nm ftp
+.Ic macdef
+command functions.
+A macro is defined with the specified name; its contents begin with the
+next
+.Pa .netrc
+line and continue until a null line (consecutive new-line
+characters) is encountered.
+If a macro named
+.Ic init
+is defined, it is automatically executed as the last step in the
+auto-login process.
+.El
+.Sh ENVIRONMENT
+.Nm Ftp
+utilizes the following environment variables.
+.Bl -tag -width Fl
+.It Ev HOME
+For default location of a
+.Pa .netrc
+file, if one exists.
+.It Ev SHELL
+For default shell.
+.El
+.Sh SEE ALSO
+.Xr ftpd 8 ,
+.%T RFC2228
+.Sh HISTORY
+The
+.Nm ftp
+command appeared in
+.Bx 4.2 .
+.Sh BUGS
+Correct execution of many commands depends upon proper behavior
+by the remote server.
+.Pp
+An error in the treatment of carriage returns
+in the
+.Bx 4.2
+ascii-mode transfer code
+has been corrected.
+This correction may result in incorrect transfers of binary files
+to and from
+.Bx 4.2
+servers using the ascii type.
+Avoid this problem by using the binary image type.
diff --git a/crypto/kerberosIV/man/ftpd.8 b/crypto/kerberosIV/man/ftpd.8
new file mode 100644
index 0000000..c51de1c
--- /dev/null
+++ b/crypto/kerberosIV/man/ftpd.8
@@ -0,0 +1,473 @@
+.\" $NetBSD: ftpd.8,v 1.7 1995/04/11 02:44:53 cgd Exp $
+.\"
+.\" Copyright (c) 1985, 1988, 1991, 1993
+.\" The Regents of the University of California. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by the University of
+.\" California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94
+.\"
+.Dd April 19, 1997
+.Dt FTPD 8
+.Os BSD 4.2
+.Sh NAME
+.Nm ftpd
+.Nd
+Internet File Transfer Protocol server
+.Sh SYNOPSIS
+.Nm ftpd
+.Op Fl a Ar authmode
+.Op Fl dilv
+.Op Fl g Ar umask
+.Op Fl p Ar port
+.Op Fl T Ar maxtimeout
+.Op Fl t Ar timeout
+.Op Fl u Ar default umask
+.Sh DESCRIPTION
+.Nm Ftpd
+is the
+Internet File Transfer Protocol
+server process. The server uses the
+.Tn TCP
+protocol
+and listens at the port specified in the
+.Dq ftp
+service specification; see
+.Xr services 5 .
+.Pp
+Available options:
+.Bl -tag -width Ds
+.It Fl a
+Select the level of authentication required. Kerberised login can not
+be turned off. The default is to only allow kerberised login. Other
+possibilities can be turned on by giving a string of comma separated
+flags as argument to
+.Fl a .
+Recognised flags are:
+.Bl -tag -width plain
+.It Ar plain
+Allow logging in with plaintext password. The password can be a(n) OTP
+or an ordinary password.
+.It Ar otp
+Same as
+.Ar plain ,
+but only OTP is allowed.
+.It Ar ftp
+Allow anonymous login.
+.El
+
+The following combination modes exists for backwards compatibility:
+.Bl -tag -width plain
+.It Ar none
+Same as
+.Ar plain,ftp .
+.It Ar safe
+Same as
+.Ar ftp .
+.It Ar user
+Ignored.
+.El
+.It Fl d
+Debugging information is written to the syslog using LOG_FTP.
+.It Fl g
+Anonymous users will get a umask of
+.Ar umask .
+.It Fl i
+Open a socket and wait for a connection. This is mainly used for
+debugging when ftpd isn't started by inetd.
+.It Fl l
+Each successful and failed
+.Xr ftp 1
+session is logged using syslog with a facility of LOG_FTP.
+If this option is specified twice, the retrieve (get), store (put), append,
+delete, make directory, remove directory and rename operations and
+their filename arguments are also logged.
+.It Fl p
+Use
+.Ar port
+(a service name or number) instead of the default
+.Ar ftp/tcp .
+.It Fl T
+A client may also request a different timeout period;
+the maximum period allowed may be set to
+.Ar timeout
+seconds with the
+.Fl T
+option.
+The default limit is 2 hours.
+.It Fl t
+The inactivity timeout period is set to
+.Ar timeout
+seconds (the default is 15 minutes).
+.It Fl u
+Set the initial umask to something else than the default 027.
+.It Fl v
+Verbose mode.
+.El
+.Pp
+The file
+.Pa /etc/nologin
+can be used to disable ftp access.
+If the file exists,
+.Nm
+displays it and exits.
+If the file
+.Pa /etc/ftpwelcome
+exists,
+.Nm
+prints it before issuing the
+.Dq ready
+message.
+If the file
+.Pa /etc/motd
+exists,
+.Nm
+prints it after a successful login.
+.Pp
+The ftp server currently supports the following ftp requests.
+The case of the requests is ignored.
+.Bl -column "Request" -offset indent
+.It Request Ta "Description"
+.It ABOR Ta "abort previous command"
+.It ACCT Ta "specify account (ignored)"
+.It ALLO Ta "allocate storage (vacuously)"
+.It APPE Ta "append to a file"
+.It CDUP Ta "change to parent of current working directory"
+.It CWD Ta "change working directory"
+.It DELE Ta "delete a file"
+.It HELP Ta "give help information"
+.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lgA"
+.It MKD Ta "make a directory"
+.It MDTM Ta "show last modification time of file"
+.It MODE Ta "specify data transfer" Em mode
+.It NLST Ta "give name list of files in directory"
+.It NOOP Ta "do nothing"
+.It PASS Ta "specify password"
+.It PASV Ta "prepare for server-to-server transfer"
+.It PORT Ta "specify data connection port"
+.It PWD Ta "print the current working directory"
+.It QUIT Ta "terminate session"
+.It REST Ta "restart incomplete transfer"
+.It RETR Ta "retrieve a file"
+.It RMD Ta "remove a directory"
+.It RNFR Ta "specify rename-from file name"
+.It RNTO Ta "specify rename-to file name"
+.It SITE Ta "non-standard commands (see next section)"
+.It SIZE Ta "return size of file"
+.It STAT Ta "return status of server"
+.It STOR Ta "store a file"
+.It STOU Ta "store a file with a unique name"
+.It STRU Ta "specify data transfer" Em structure
+.It SYST Ta "show operating system type of server system"
+.It TYPE Ta "specify data transfer" Em type
+.It USER Ta "specify user name"
+.It XCUP Ta "change to parent of current working directory (deprecated)"
+.It XCWD Ta "change working directory (deprecated)"
+.It XMKD Ta "make a directory (deprecated)"
+.It XPWD Ta "print the current working directory (deprecated)"
+.It XRMD Ta "remove a directory (deprecated)"
+.El
+.Pp
+The following commands are specified by RFC2228.
+.Bl -column Request -offset indent
+.It AUTH Ta "authentication/security mechanism"
+.It ADAT Ta "authentication/security data"
+.It PROT Ta "data channel protection level"
+.It PBSZ Ta "protection buffer size"
+.It MIC Ta "integrity protected command"
+.It CONF Ta "confidentiality protected command"
+.It ENC Ta "privacy protected command"
+.It CCC Ta "clear command channel"
+.El
+.Pp
+The following non-standard or
+.Tn UNIX
+specific commands are supported
+by the
+SITE request.
+.Pp
+.Bl -column Request -offset indent
+.It UMASK Ta change umask, (e.g.
+.Ic "SITE UMASK 002" )
+.It IDLE Ta set idle-timer, (e.g.
+.Ic "SITE IDLE 60" )
+.It CHMOD Ta change mode of a file (e.g.
+.Ic "SITE CHMOD 755 filename" )
+.It FIND Ta quickly find a specific file with GNU
+.Xr locate 1 .
+.It HELP Ta give help information.
+.El
+.Pp
+The following Kerberos related site commands are understood.
+.Bl -column Request -offset indent
+.It KAUTH Ta obtain remote tickets.
+.It KLIST Ta show remote tickets
+.El
+.Pp
+The remaining ftp requests specified in Internet RFC 959
+are
+recognized, but not implemented.
+MDTM and SIZE are not specified in RFC 959, but will appear in the
+next updated FTP RFC.
+.Pp
+The ftp server will abort an active file transfer only when the
+ABOR
+command is preceded by a Telnet "Interrupt Process" (IP)
+signal and a Telnet "Synch" signal in the command Telnet stream,
+as described in Internet RFC 959.
+If a
+STAT
+command is received during a data transfer, preceded by a Telnet IP
+and Synch, transfer status will be returned.
+.Pp
+.Nm Ftpd
+interprets file names according to the
+.Dq globbing
+conventions used by
+.Xr csh 1 .
+This allows users to utilize the metacharacters
+.Dq Li \&*?[]{}~ .
+.Pp
+.Nm Ftpd
+authenticates users according to these rules.
+.Pp
+.Bl -enum -offset indent
+.It
+If Kerberos authentication is used, the user must pass valid tickets
+and the principal must be allowed to login as the remote user.
+.It
+The login name must be in the password data base, and not have a null
+password (if kerberos is used the password field is not checked). In
+this case a password must be provided by the client before any file
+operations may be performed. If the user has an OTP key, the response
+from a successful USER command will include an OTP challenge. The
+client may choose to respond with a PASS command giving either a
+standard password or an OTP one-time password. The server will
+automatically determine which type of password it has been given and
+attempt to authenticate accordingly. See
+.Xr otp 1
+for more information on OTP authentication.
+.It
+The login name must not appear in the file
+.Pa /etc/ftpusers .
+.It
+The user must have a standard shell returned by
+.Xr getusershell 3 .
+.It
+If the user name appears in the file
+.Pa /etc/ftpchroot
+the session's root will be changed to the user's login directory by
+.Xr chroot 2
+as for an
+.Dq anonymous
+or
+.Dq ftp
+account (see next item). However, the user must still supply a password.
+This feature is intended as a compromise between a fully anonymous account
+and a fully privileged account. The account should also be set up as for an
+anonymous account.
+.It
+If the user name is
+.Dq anonymous
+or
+.Dq ftp ,
+an
+anonymous ftp account must be present in the password
+file (user
+.Dq ftp ) .
+In this case the user is allowed
+to log in by specifying any password (by convention an email address for
+the user should be used as the password).
+.El
+.Pp
+In the last case,
+.Nm ftpd
+takes special measures to restrict the client's access privileges.
+The server performs a
+.Xr chroot 2
+to the home directory of the
+.Dq ftp
+user.
+In order that system security is not breached, it is recommended
+that the
+.Dq ftp
+subtree be constructed with care, consider following these guidelines
+for anonymous ftp.
+
+In general all files should be owned by
+.Dq root ,
+and have non-write permissions (644 or 755 depending on the kind of
+file). No files should be owned or writable by
+.Dq ftp
+(possibly with exception for the
+.Pa ~ftp/incoming ,
+as specified below).
+.Bl -tag -width "~ftp/pub" -offset indent
+.It Pa ~ftp
+The
+.Dq ftp
+homedirectory should be owned by root.
+.It Pa ~ftp/bin
+The directory for external programs (such as
+.Xr ls 1 ) .
+These programs must either be statically linked, or you must setup an
+environment for dynamic linking when running chrooted.
+These programs will be used if present:
+.Bl -tag -width "locate" -offset indent
+.It ls
+Used when listing files.
+.It compress
+When retrieving a filename that ends in
+.Pa .Z ,
+and that file isn't present,
+.Nm
+will try to find the filename without
+.Pa .Z
+and compress it on the fly.
+.It gzip
+Same as compress, just with files ending in
+.Pa .gz .
+.It gtar
+Enables retrieval of whole directories as files ending in
+.Pa .tar .
+Can also be combined with compression. You must use GNU Tar (or some
+other that supports the
+.Fl z
+and
+.Fl Z
+flags).
+.It locate
+Will enable ``fast find'' with the
+.Ic SITE FIND
+command. You must also create a
+.Pa locatedb
+file in
+.Pa ~ftp/etc .
+.El
+.It Pa ~ftp/etc
+If you put copies of the
+.Xr passwd 5
+and
+.Xr group 5
+files here, ls will be able to produce owner names rather than
+numbers. Remember to remove any passwords from these files.
+
+The file
+.Pa motd ,
+if present, will be printed after a successful login.
+.It Pa ~ftp/dev
+Put a copy of
+.Xr /dev/null 7
+here.
+.It Pa ~ftp/pub
+Traditional place to put whatever you want to make public.
+.El
+
+If you want guests to be able to upload files, create a
+.Pa ~ftp/incoming
+directory owned by
+.Dq root ,
+and group
+.Dq ftp
+with mode 730 (make sure
+.Dq ftp
+is member of group
+.Dq ftp ) .
+The following restrictions apply to anonymous users:
+.Bl -bullet
+.It
+Directories created will have mode 700.
+.It
+Uploaded files will be created with an umask of 777, if not changed
+with the
+.Fl g
+option.
+.It
+These command are not accessible:
+.Ic DELE , RMD , RNTO , RNFR ,
+.Ic SITE UMASK ,
+and
+.Ic SITE CHMOD .
+.It
+Filenames must start with an alpha-numeric character, and consist of
+alpha-numeric characters or any of the following:
+.Li \&+
+(plus),
+.Li \&-
+(minus),
+.Li \&=
+(equal),
+.Li \&_
+(underscore),
+.Li \&.
+(period), and
+.Li \&,
+(comma).
+.El
+.Sh FILES
+.Bl -tag -width /etc/ftpwelcome -compact
+.It Pa /etc/ftpusers
+Access list for users.
+.It Pa /etc/ftpchroot
+List of normal users who should be chroot'd.
+.It Pa /etc/ftpwelcome
+Welcome notice.
+.It Pa /etc/motd
+Welcome notice after login.
+.It Pa /etc/nologin
+Displayed and access refused.
+.It Pa ~/.klogin
+Login access for Kerberos.
+.El
+.Sh SEE ALSO
+.Xr ftp 1 ,
+.Xr otp 1 ,
+.Xr getusershell 3 ,
+.Xr ftpusers 5 ,
+.Xr syslogd 8 ,
+.Sh STANDARDS
+.Bl -tag -compact -width "RFC 1938"
+.It Cm RFC 959
+FTP PROTOCOL SPECIFICATION
+.It Cm RFC 1938
+OTP Specification
+.It Cm RFC 2228
+FTP Security Extensions.
+.Sh BUGS
+The server must run as the super-user
+to create sockets with privileged port numbers. It maintains
+an effective user id of the logged in user, reverting to
+the super-user only when binding addresses to sockets. The
+possible security holes have been extensively
+scrutinized, but are possibly incomplete.
+.Sh HISTORY
+The
+.Nm
+command appeared in
+.Bx 4.2 .
diff --git a/crypto/kerberosIV/man/ftpusers.5 b/crypto/kerberosIV/man/ftpusers.5
new file mode 100644
index 0000000..dfd66f9
--- /dev/null
+++ b/crypto/kerberosIV/man/ftpusers.5
@@ -0,0 +1,38 @@
+.\" $Id: ftpusers.5,v 1.2 1997/05/07 20:11:11 joda Exp $
+.\"
+.Dd May 7, 1997
+.Dt FTPUSERS 5
+.Os KTH-KRB
+.Sh NAME
+.Pa /etc/ftpusers
+.Nd
+FTP access list file.
+.Sh DESCRIPTION
+.Pa /etc/ftpusers
+contains a list of users that should be allowed or denied FTP
+access. Each line contains a user, optionally followed by
+.Dq allow
+(anything but
+.Dq allow
+is ignored). The semi-user
+.Dq *
+matches any user. Users that has an explicit
+.Dq allow ,
+or that does not match any line, are allowed access. Anyone else is
+denied access.
+
+Note that this is compatible with the old format, where this file
+contained a list of users that should be denied access.
+.Sh EXAMPLES
+This will deny anyone but
+.Dq foo
+and
+.Dq bar
+to use FTP:
+.Bd -literal
+foo allow
+bar allow
+*
+.Ed
+.Sh SEE ALSO
+.Xr ftpd 8
diff --git a/crypto/kerberosIV/man/kadmin.8 b/crypto/kerberosIV/man/kadmin.8
index 3139b25..afd9126 100644
--- a/crypto/kerberosIV/man/kadmin.8
+++ b/crypto/kerberosIV/man/kadmin.8
@@ -1,176 +1,140 @@ -.\" $Id: kadmin.8,v 1.4 1997/04/02 21:09:53 assar Exp $ +.\" $Id: kadmin.8,v 1.6 1998/12/18 16:56:29 assar Exp $ .\" Copyright 1989 by the Massachusetts Institute of Technology. .\" .\" For copying and distribution information, .\" please see the file <mit-copyright.h>. .\" -.TH KADMIN 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kadmin \- network utility for Kerberos database administration -.SH SYNOPSIS -.B kadmin [-u user] [-r default_realm] [-m] [-t] -.SH DESCRIPTION -This utility provides a unified administration interface to -the -Kerberos -master database. -Kerberos -administrators -use -.I kadmin -to register new users and services to the master database, -and to change information about existing database entries. -For instance, an administrator can use -.I kadmin -to change a user's -Kerberos -password. -A Kerberos administrator is a user with an ``admin'' instance -whose name appears on one of the Kerberos administration access control -lists. If the \-u option is used, -.I user -will be used as the administrator instead of the local user. -If the \-r option is used, -.I default_realm -will be used as the default realm for transactions. Otherwise, -the local realm will be used by default. -If the \-m option is used, multiple requests will be permitted -on only one entry of the admin password. Some sites won't -support this option. The \-t option is used to tell kadmin to use the -existing ticket file instead of creating a new one. +.Dd February 3, 1998 +.Dt KADMIN 8 +.Os "KTH-KRB" +.Sh NAME +.Nm kadmin +.Nd +network utility for Kerberos database administration +.Sh SYNOPSIS +.Nm +.Op Fl p Ar principal +.Op Fl u Ar username +.Op Fl r Ar realm +.Op Fl m +.Op Fl T Ar timeout +.Op Fl t +.Op Fl -version +.Op Fl h +.Op Fl -help +.Ar [command] +.Sh DESCRIPTION +This utility provides a unified administration interface to the +Kerberos master database. 
Kerberos administrators use +.Nm +to register new users and services to the master database, and to +change information about existing database entries, such as changing a +user's Kerberos password. A Kerberos administrator is a user with an +.Dq admin +instance whose name appears on one of the Kerberos administration +access control lists. +.Pp +Supported options: +.Bl -tag -width Ds +.It Fl p Ar principal +This is the adminstrator principal to use when talking to the Kadmin +server. The default is taken from the users environment. +.It Fl r Ar realm +This is the default realm to use for transactions. Default is the +local realm. +.It Fl u Ar username +This is similar to +.Fl p , +but specifies a name, that gets appended with a +.Dq admin +instance. +.It Fl T Ar timeout +To prevent someone from walking up to an unguarded terminal and doing +malicious things, administrator tickets are destroyed after a period +of inactivity. This flag changes the timeout from the default of one +minute. A timeout of zero seconds disables this functionality. +.It Fl m +Historically +.Nm +destroyed tickets after every command; this flag used to stop this +behaviour (only destroying tickets upon exit). Now it's just a synonym +for +.Fl T Ar 0 . +.It Fl t +Use existing tickets (if any are available), this also disbles +timeout, and doesn't destroy any tickets upon exit. + +These tickets have to be for the changepw.kerberos service. Use +.Nm kinit -p +to acquire them. +.El +.Pp The -.I kadmin +.Nm program communicates over the network with the -.I kadmind +.Nm kadmind program, which runs on the machine housing the Kerberos master -database. -The -.I kadmind -creates new entries and makes modifications to the database. - +database, and does the actual modifications to the database. +.Pp When you enter the -.I kadmin -command, -the program displays a message that welcomes you and explains -how to ask for help. -Then -.I kadmin -waits for you to enter commands (which are described below). 
-It then asks you for your -.I admin -password before accessing the database. - +.Nm +command, the program displays a message that welcomes you and explains +how to ask for help. Then +.Nm +waits for you to enter commands (which are described below). It then +asks you for your administrator's password before accessing the +database. +.Pp All commands can be abbreviated as long as they are unique. Some short versions of the commands are also recognized for backwards compatibility. - -Use the -.I add_new_key -(or -.I ank -for short) -command to register a new principal -with the master database. -The command requires one argument, -the principal's name. The name -given can be fully qualified using -the standard -.I name.instance@realm -convention. -You are asked to enter your -.I admin -password, -then prompted twice to enter the principal's -new password. If no realm is specified, -the local realm is used unless another was -given on the commandline with the \-r flag. -If no instance is -specified, a null instance is used. If -a realm other than the default realm is specified, -you will need to supply your admin password for -the other realm. - -Use the -.I change_password (cpw) -to change a principal's -Kerberos +.Pp +Recognised commands: +.Bl -tag -width Ds +.It add_new_key Ar principal +Creates a new principal in the Kerberos database. You give the name of +the new principal as an argument. You will then be asked for a maximum +ticket lifetime, attributes, the expiration date of the principal, and +finally the password of the principal. +.It change_password Ar principal +Changes a principal's password. You will be prompted for the new password. -The command requires one argument, -the principal's -name. -You are asked to enter your -.I admin -password, -then prompted twice to enter the principal's new password. -The name -given can be fully qualified using -the standard -.I name.instance@realm -convention. 
- -Use the -.I change_key (ckey) -if you have a need to change the raw key of a particular principal. -In other words, if you do not want to input a DES key instead of a -password that will get converted into a DES key. - -Use the -.I change_admin_password (cap) -to change your -.I admin -instance password. -This command requires no arguments. -It prompts you for your old -.I admin -password, then prompts you twice to enter the new -.I admin -password. If this is your first command, -the default realm is used. Otherwise, the realm -used in the last command is used. - -Use the -.I del_entry (del) -to remove an entry from the kerberos database. - -Use the -.I mod_entry (mod) -to modify a particular entry, for example to change the expire date. - -Use the -.I destroy_tickets (dest) -command to destroy your admin tickets explicitly. - -Use the -.I list_requests (lr) -command to get a list of possible commands. - -Use the -.I help -command to display -.IR kadmin's -various help messages. -If entered without an argument, -.I help -displays a general help message. -You can get detailed information on specific -.I kadmin -commands -by entering -.I help -.IR command_name . - -To quit the program, type -.IR quit . - -.SH BUGS -The user interface is primitive, and the command names could be better. - -.SH "SEE ALSO" -kerberos(1), kadmind(8), kpasswd(1), ksrvutil(8) -.br -``A Subsystem Utilities Package for UNIX'' by Ken Raeburn -.SH AUTHORS +.It change_key Ar principal +This is the same as change_password, but the password is given as a +raw DES key (for the few occations when you need this). +.It change_admin_password +Changes your own admin password. It will prompt you for you old and +new passwords. +.It del_entry Ar principal +Removes principal from the database. +.It get_entry Ar principal +Show various information for the given principal. Note that the key is +shown as zeros. 
+.It mod_entry Ar principal +Modifies a particular entry, for instance to change the expiration +date. +.It destroy_tickets +Destroys your admin tickets explicitly. +.It quit +Obvious. +.El +.\".Sh ENVIRONMENT +.\".Sh FILES +.\".Sh EXAMPLES +.\".Sh DIAGNOSTICS +.Sh SEE ALSO +.Xr kerberos 1 , +.Xr kadmind 8 , +.Xr kpasswd 1 , +.Xr kinit 1 , +.Xr ksrvutil 8 +.\".Sh STANDARDS +.\".Sh HISTORY +.Sh AUTHORS Jeffrey I. Schiller, MIT Project Athena -.br +.Pp Emanuel Jay Berkenbilt, MIT Project Athena +.Sh BUGS +The user interface is primitive, and the command names could be +better. diff --git a/crypto/kerberosIV/man/kadmind.8 b/crypto/kerberosIV/man/kadmind.8 index 477511b..9924d48 100644 --- a/crypto/kerberosIV/man/kadmind.8 +++ b/crypto/kerberosIV/man/kadmind.8 @@ -1,4 +1,4 @@ -.\" $Id: kadmind.8,v 1.4 1997/04/02 21:09:53 assar Exp $ +.\" $Id: kadmind.8,v 1.5 1998/06/13 00:30:08 assar Exp $ .\" Copyright 1989 by the Massachusetts Institute of Technology. .\" .\" For copying and distribution information, @@ -23,6 +23,8 @@ kadmind \- network daemon for Kerberos database administration .B \-d dbname ] [ .B \-a acldir +] [ +.B \-i address ] .SH DESCRIPTION .I kadmind @@ -77,6 +79,13 @@ option is specified, prints out a short summary of the permissible control arguments, and then exits. .PP +If the +.B \-i +option is specified, +.I kadmind +will only listen on that particular address and not on all configured +addresses of the host, which is the default. +.PP When performing requests on behalf of clients, .I kadmind checks access control lists (ACLs) to determine the authorization of the client diff --git a/crypto/kerberosIV/man/kafs.3 b/crypto/kerberosIV/man/kafs.3 index 041fd23..4a7b5ef 100644 --- a/crypto/kerberosIV/man/kafs.3 +++ b/crypto/kerberosIV/man/kafs.3 
@@ -1,24 +1,22 @@ -.\" $Id: kafs.3,v 1.1 1997/05/07 21:49:02 joda Exp $ +.\" $Id: kafs.3,v 1.3 1998/06/30 15:41:52 assar Exp $ .\" .Dd May 7, 1997 .Os KTH-KRB .Dt KAFS 3 .Sh NAME .Nm k_hasafs , -.Nm k_afsklog , -.Nm k_afsklog_uid , .Nm k_pioctl , .Nm k_unlog , .Nm k_setpag , -.Nm k_afs_cell_of_file +.Nm k_afs_cell_of_file , +.Nm krb_afslog , +.Nm krb_afslog_uid +\" .Nm krb5_afslog , +\" .Nm krb5_afslog_uid .Nd AFS library .Sh SYNOPSIS .Fd #include <kafs.h> .Ft int -.Fn k_afsklog "char *cell" "char *realm" -.Ft int -.Fn k_afsklog_uid "char *cell" "char *realm" "uid_t uid" -.Ft int .Fn k_afs_cell_of_file "const char *path" "char *cell" "int len" .Ft int .Fn k_hasafs @@ -28,6 +26,14 @@ .Fn k_setpag .Ft int .Fn k_unlog +.Ft int +.Fn krb_afslog "char *cell" "char *realm" +.Ft int +.Fn krb_afslog_uid "char *cell" "char *realm" "uid_t uid" +\" .Ft krb5_error_code +\" .Fn krb5_afslog_uid "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm" "uid_t uid" +\" .Ft krb5_error_code +\" .Fn krb5_afslog "krb5_context context" "krb5_ccache id" "const char *cell" "krb5_const_realm realm" .Sh DESCRIPTION .Fn k_hasafs initializes some library internal structures, and tests for the @@ -36,9 +42,9 @@ called before .Fn k_hasafs is called, or if it fails. -.Fn k_afsklog , +.Fn krb_afslog , and -.Fn k_afsklog_uid +.Fn krb_afslog_uid obtains new tokens (and possibly tickets) for the specified .Fa cell and 
@@ -53,14 +59,29 @@ is .Dv NULL , the function tries to guess what realm to use. Unless you have some good knowledge of what cell or realm to use, you should pass .Dv NULL . -.Fn k_afsklog +.Fn krb_afslog will use the real user-id for the .Dv ViceId field in the token, -.Fn k_afsklog_uid +.Fn krb_afslog_uid will use .Fa uid . +\" .Fn krb5_afslog , +\" and +\" .Fn krb5_afslog_uid +\" are the Kerberos 5 equivalents of +\" .Fn krb_afslog , +\" and +\" .Fn krb_afslog_uid . +\" The extra arguments are the ubiquitous context, and the cache id where +\" to store any obtained tickets. Since AFS servers normally can't handle +\" Kerberos 5 tickets directly, these functions will first obtain version +\" 5 tickets for the requested cells, and then convert them to version 4 +\" tickets, that can be stashed in the kernel. To convert tickets the +\" .Fn krb524_convert_creds_kdc +\" function will be used. + .Fn k_afs_cell_of_file will in .Fa cell @@ -81,12 +102,24 @@ initializes a new PAG. .Fn k_unlog removes destroys all tokens in the current PAG. +.Sh ENVIRONMENT +The following environment variable affect the mode of operation of +.Nm kafs : +.Bl -tag +.It Ev AFS_SYSCALL +Normally, +.Nm kafs +will try to figure out the correct system call(s) that are used by AFS +by itself. If it does not manage to do that, or does it incorrectly, +you can set this variable to the system call number or list of system +call numbers that should be used. +.El .Sh RETURN VALUES .Fn k_hasafs returns 1 if AFS is present in the kernel, 0 otherwise. -.Fn k_afsklog +.Fn krb_afslog and -.Fn k_afsklog_uid +.Fn krb_afslog_uid returns 0 on success, or a kerberos error number on failure. .Fn k_afs_cell_of_file , .Fn k_pioctl , @@ -104,8 +137,8 @@ if (k_hasafs()) { char cell[64]; k_setpag(); if(k_afs_cell_of_file(pwd->pw_dir, cell, sizeof(cell)) == 0) - k_afsklog(cell, 0); - k_afsklog(0, 0); + krb_afslog(cell, NULL); + krb_afslog(NULL, NULL); } .Ed .Sh ERRORS 
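Review bot: The new ENVIRONMENT section lets AFS_SYSCALL choose which system call number(s) the library will invoke, but says nothing about whether that is honoured when the caller runs with elevated privilege; the EXAMPLES code in the following hunk (`k_setpag()` followed by `krb_afslog` against `pwd->pw_dir`) is the login-time pattern, which is typically executed by a privileged program. Add a sentence stating the actual behaviour — for instance `AFS_SYSCALL is ignored when the process is set-user-ID` if that is what the library does, or an explicit warning that privileged callers must sanitise the environment before calling krb_afslog if the variable is honoured unconditionally; which of the two applies cannot be told from this page. Grammar in the same paragraph: `The following environment variable affect` should be `affects`.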
@@ -119,4 +152,7 @@ usually (depending on the operating system) receive a SIGSYS signal. .%J AFS-3 Programmer's Reference .%T File Server/Cache Manager Interface .%D 1991 -.Re
\ No newline at end of file +.Re +.Sh BUGS +.Ev AFS_SYSCALL +has no effect under AIX. diff --git a/crypto/kerberosIV/man/kauth.1 b/crypto/kerberosIV/man/kauth.1 index cc71b29..2efb709 100644 --- a/crypto/kerberosIV/man/kauth.1 +++ b/crypto/kerberosIV/man/kauth.1 @@ -1,4 +1,4 @@ -.\" $Id: kauth.1,v 1.1 1996/05/04 01:49:34 d91-jda Exp $ +.\" $Id: kauth.1,v 1.3 1998/06/30 15:29:17 assar Exp $ .\" .Dd May 4, 1996 .Dt KAUTH 1 @@ -47,7 +47,8 @@ User on the remote host that should own the ticket file. .It Fl t Ticket file on remote host. .It Fl l -Lifetime of tickets i minutes +Lifetime of tickets in minutes. A value of -1 is used for maximum +ticket lifetime. .It Fl f Srvtab to get service keys from. Default is .Pa /etc/srvtab . @@ -60,6 +61,7 @@ AFS cell to get tokens for, default is your local cell. .El .Sh SEE ALSO .Xr kinit 1 , -.Xr kauthd 8 +.Xr kauthd 8 , +.Xr kafs 3 .Sh BUGS There is no help-switch. diff --git a/crypto/kerberosIV/man/kdestroy.1 b/crypto/kerberosIV/man/kdestroy.1 index 66ffd39..c7797c0 100644 --- a/crypto/kerberosIV/man/kdestroy.1 +++ b/crypto/kerberosIV/man/kdestroy.1 @@ -1,4 +1,4 @@ -.\" $Id: kdestroy.1,v 1.3 1996/06/12 21:29:16 bg Exp $ +.\" $Id: kdestroy.1,v 1.4 1999/06/15 13:29:32 bg Exp $ .\" Copyright 1989 by the Massachusetts Institute of Technology. .\" .\" For copying and distribution information, @@ -65,9 +65,17 @@ runs without displaying the status message. will not make your terminal beep if it fails to destroy the tickets. .TP .B \-t -.I kdestroy -will not remove any afs-tokens. Without this flag the tokens -associated with the current PAG is destroyed. +destroy tickets only and keep all AFS tokens. +.TP +.B \-u +unlog, i.e remove any AFS tokens associated with the current PAG +but leave the ticket file alone. +.PP +If neither +.B \-t +nor +.B \-u +is given, both tickets and AFS tokens are destroyed. .SH FILES KRBTKFILE environment variable if set, otherwise .br 
diff --git a/crypto/kerberosIV/man/kerberos.1 b/crypto/kerberosIV/man/kerberos.1 index aced5a5..4968822 100644 --- a/crypto/kerberosIV/man/kerberos.1 +++ b/crypto/kerberosIV/man/kerberos.1 @@ -1,4 +1,4 @@ -.\" $Id: kerberos.1,v 1.2 1996/06/12 21:29:16 bg Exp $ +.\" $Id: kerberos.1,v 1.3 1997/11/07 12:37:34 bg Exp $ .\" Copyright 1989 by the Massachusetts Institute of Technology. .\" .\" For copying and distribution information, @@ -171,13 +171,13 @@ Kerberos supports the following network services: .IR rlogin , .IR rsh , +.IR rcp , +.IR pop , +.IR ftp , +.IR telnet , +.IR AFS and -.IR rcp . -Other services are being worked on, -such as the -.IR pop -mail system and NFS (network file system), -but are not yet available. +.IR NFS. .SH "SEE ALSO" kdestroy(1), kinit(1), klist(1), kpasswd(1), des_crypt(3), kerberos(3), diff --git a/crypto/kerberosIV/man/kerberos.8 b/crypto/kerberosIV/man/kerberos.8 index 6a64c57..5d89635 100644 --- a/crypto/kerberosIV/man/kerberos.8 +++ b/crypto/kerberosIV/man/kerberos.8 @@ -1,6 +1,6 @@ -.\" $Id: kerberos.8,v 1.1 1996/11/14 22:14:55 assar Exp $ +.\" $Id: kerberos.8,v 1.4 1997/09/26 17:55:23 joda Exp $ .\" -.Dd November 14, 1996 +.Dd September 26, 1997 .Dt KERBEROS 8 .Os KTH-KRB .Sh NAME @@ -8,12 +8,14 @@ .Nd The kerberos daemon .Sh SYNPOSIS .Nm -.Op Fl snm -.Op Fl p Ar pause +.Op Fl mns .Op Fl a Ar max age +.Op Fl i Ar address .Op Fl l Ar log +.Op Fl p Ar pause +.Op Fl P Ar portspec .Op Fl r Ar realm -.Ar database +.Op Ar database .Sh DESCRIPTION This is the .Nm 
@@ -21,24 +23,170 @@ daemon. .Pp Options: .Bl -tag -width -ident -.It Fl s -Set slave parameters. This will enable check to see if data is -getting too stale relative to the master. -.It Fl n -Do not check max age. -.It Fl m -Run manually and prompt for master key. -.It Fl p -Pause for -.Ar pause -before dying. .It Fl a Set the .Ar max age before the database is considered stale. +.It Fl i +Only listen on +.Ar address . +Normally, the kerberos server listens on all addresses of all +interfaces. .It Fl l Write the log to .Ar log +.It Fl m +Run manually and prompt for master key. +.It Fl n +Do not check max age. +.It Fl p +Pause for +.Ar pause +before dying. +.It Fl P +Listen to the ports specified by +.Ar portspec . +This should be a white-space separated list of port specificatios. A +port specification follows the format: +.Ar port Ns Op / Ns Ar protocol . +The +.Ar port +can be either a symbolic port name (from +.Pa /etc/services), or a number; +.Ar protocol can be either +.Li udp , +or +.Li tcp . +If left out, the KDC will listen to both UDP and TCP sockets on the +specified port. +.br +The special string +.Li + +mean that the default set of ports (TCP and UDP on ports 88 and 750) +should be included. .It Fl r Run as a server for realm .Ar realm +.It Fl s +Set slave parameters. This will enable check to see if data is +getting too stale relative to the master. +.El + +If no +.Ar database +is given a default datbase will be used, normally +.Pa /var/kerberos/principal . +.Sh DIAGNOSTICS + +The server logs several messages in a log file +.Pf ( Pa /var/run/kerberos.log +by default). The logging mechanism opens and closes the log file for +each message, so you can safely rename the log file when the server is +running. +.Ss Operational messages +These are normal messages that you will see in the log. They might be +followed by some error message. 
+.Bl -tag -width xxxxx +.It Li Getting key for Ar REALM +The server fetched the key for +.Sq krbtgt.REALM +for the specific +realm. You will see this at startup, and for every attempt to use +cross realm authentication. +.It Xo Li Starting Kerberos for +.Ar REALM +.Li (kvno Ar kvno ) +.Xc +You will see this also if you start with +.Fl m . +.It Xo Li AS REQ +.Ar name.instance@REALM +.Li for +.Ar sname.sinstance +.Li from +.Ar ip-number +.Xc +An initial (password authenticated) request was received. +.It Xo Li APPL REQ +.Ar name.instance@REALM +.Li for +.Ar sname.sinstance +.Li from Ar ip-number +.Xc +A tgt-based request for a ticket was made. +.El + +.Ss Error messages +These messages reflects misconfigured clients, invalid requests, or +possibly attepted attacks. +.Bl -tag -width xxxxx +.It Li UNKNOWN Ar name.instance +The server received a request with an unknown principal. This is most +likely because someone typed the wrong name at a login prompt. It +could also be someone trying to get a list of possible users. +.It Xo Li Unknown realm Ar REALM +.Li from Ar ip-number +.Xc +There isn't a principal for +.Sq krbtgt.REALM +in the database. +.It Xo Li Can't hop realms: Ar REALM1 +.Li -> Ar REALM2 +.Xc +There was a request for a ticket for another realm. This might be +because of a misconfigured client. +.It Li Principal not unique Ar name.instance +There is more than one entry for this principal in the database. This +is not very good. +.It Li Null key Ar name.instance +Someone tried to use a principal that for some reason doesn't have a +key. +.It Xo Li Incorrect master key version for +.Ar name.instance +.Li : Ar number +.Li (should be Ar number ) +.Xc +The principal has it's key encrypted with the wrong master key. +.It Xo Li Principal Ar name.instance +.Li expired at Ar date +.Xc +The principal's key has expired. +.It Li krb_rd_req from Ar ip-number : error-message +The message couldn't be decoded properly. The error message will give +you further hints. 
You will see this if someone is trying to use +expired tickets. +.It Xo Li Unknown message type: Ar number +.Li from Ar ip-number +.Xc +The message received was not one that is understood by this server. +.It Li Can't authorize password changed based on TGT +Someone tried to get a +.Sq changepw.kerberos +via a tgt exchange. This is +because of a broken client, or possibly an attack. +.It Li KRB protocol version mismatch ( Ar number ) +The server received a request with an unknown version number. +.El + +.Ss Fatal error messages +The following messages indicate problems when starting the server. +.Bl -tag -width xxxxx +.It Li Database unavailable! +There was some problem reading the database. +.It Li Database currently being updated! +Someone is currently updating the database (possibly via krop). +.It Li Database out of date! +The database is older than the maximum age specified. +.It Li Couldn't get master key. +The master key file wasn't found or the file is damaged. +.It Li Can't verify master key. +The key in the keyfile doesn't match the current databse. +.It Li Ticket granting ticket service unknown +The database doesn't contain a +.Sq krbtgt.REALM +for the local realm. +.El + +.Sh SEE ALSO +.Xr kprop 8 , +.Xr kpropd 8 diff --git a/crypto/kerberosIV/man/kpasswd.1 b/crypto/kerberosIV/man/kpasswd.1 new file mode 100644 index 0000000..ad0c858 --- /dev/null +++ b/crypto/kerberosIV/man/kpasswd.1 
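Review bot: The fatal-error entry `Database currently being updated!` blames `krop`, which is not a program this page or its new SEE ALSO knows; the propagation tool is kprop(8) (the hunk itself adds `.Xr kprop 8`), so the line should read `Someone is currently updating the database (possibly via kprop(8)).` Two mdoc lines in the `-P` description will render wrongly: `.Pa /etc/services)` makes the paren part of the path and should be `.Pa /etc/services ) ,` and `.Ar protocol can be either` turns the whole phrase into the argument, so put `can be either` on its own line. Spelling to catch in the same pass: `specificatios`, `datbase`, `databse`, `attepted`, `These messages reflects` → `reflect`, and `it's key` → `its key`.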
@@ -0,0 +1,85 @@ +.\" $Id: kpasswd.1,v 1.2 1996/06/12 21:29:21 bg Exp $ +.\" Copyright 1989 by the Massachusetts Institute of Technology. +.\" +.\" For copying and distribution information, +.\" please see the file <mit-copyright.h>. +.\" +.TH KPASSWD 1 "Kerberos Version 4.0" "MIT Project Athena" +.FM mit +.SH NAME +kpasswd \- change a user's Kerberos password +.SH SYNOPSIS +.B kpasswd +[ +.B \-h +] [ +.B \-n +.I name +] [ +.B \-i +.I instance +] [ +.B \-r +.I realm +] [ +\-u +.IR username[.instance][@realm] ] +.SH DESCRIPTION +The +.I kpasswd +command is used to change a Kerberos principal's password. +.PP +If the +.I \-h +option is specified, a brief summary of the options is printed, and +.I kpasswd +then exits. +.PP +If the +.I \-n +option is specified, +.I name +is used as the principal name rather than the username of the user +running +.IR kpasswd . +(This is determined from the ticket file if it exists; +otherwise, it is determined from the unix user id.) +.PP +If the +.I \-i +option is specified, +.I instance +is used as the instance rather than a null instance. +.PP +If the +.I \-r +option is specified, +.I realm +is used as the realm rather than the local realm. +.PP +If the +.I \-u +option is specified, a fully qualified kerberos +principal can be given. +.PP + +The utility prompts for the current Kerberos password (printing +the name of the principal for which it intends to change the password), +which is verified by the Kerberos server. If the old password is +correct, the user is prompted twice for the new password. A message is +printed indicating the success or failure of the password changing +operation. + +.SH BUGS + +.I kpasswd +does not handle names, instances, or realms with special +characters in them when the -n, -i, or -r options are used. Any +valid fullname is accepted, however, if the -u option is used. 
+ +If the principal whose password you are trying to change does +not exist, you will not be told until after you have entered the +old password. + +.SH SEE ALSO +kerberos(1), kinit(1), passwd(1), kadmin(8) diff --git a/crypto/kerberosIV/man/krb.conf.5 b/crypto/kerberosIV/man/krb.conf.5 index b122b9c..5c15468 100644 --- a/crypto/kerberosIV/man/krb.conf.5 +++ b/crypto/kerberosIV/man/krb.conf.5 @@ -1,4 +1,4 @@ -.\" $Id: krb.conf.5,v 1.2 1996/06/12 21:29:21 bg Exp $ +.\" $Id: krb.conf.5,v 1.3 1999/06/15 15:36:46 bg Exp $ .\" Copyright 1989 by the Massachusetts Institute of Technology. .\" .\" For copying and distribution information, 
@@ -9,23 +9,34 @@ /etc/krb.conf \- Kerberos configuration file .SH DESCRIPTION .I krb.conf -contains configuration information describing the Kerberos realm and the +contains configuration information describing the Kerberos realm(s) and the Kerberos key distribution center (KDC) servers for known realms. .PP .I krb.conf -contains the name of the local realm in the first -line, followed by lines indicating realm/host -entries. The first token is a realm name, and the second is the hostname -of a host running a KDC for that realm. -The words "admin server" following the hostname indicate that -the host also provides an administrative database server. +starts with a definition of the local realm on the first line, this is +followed by any number lines defining supplementary local realms. The +rest of the file consists of lines indicating realm/host entries. The +first token is a realm name, and the second is a server specification +of a host running a KDC for that realm. The words "admin server" +following the hostname indicate that the host also provides an +administrative database server. + +To be able to communicate with the KDC through a firewall it is +sometimes necessary to tunnel requests over HTTP or TCP. Tunnel +protocols and port numbers are specified in the server specification +using the syntax [(udp|tcp|http)/]hostname[:port]. + For example: .nf .in +1i -ATHENA.MIT.EDU -ATHENA.MIT.EDU kerberos-1.mit.edu admin server -ATHENA.MIT.EDU kerberos-2.mit.edu -LCS.MIT.EDU kerberos.lcs.mit.edu admin server +SICS.SE +NADA.KTH.SE +SICS.SE tcp/kerberos.sics.se:88 admin server +NADA.KTH.SE kerberos.nada.kth.se admin server +NADA.KTH.SE kerberos-1.nada.kth.se +NADA.KTH.SE kerberos-2.nada.kth.se +NADA.KTH.SE http/kerberos-3.nada.kth.se +KTH.SE kerberos.kth.se admin server .in -1i .SH SEE ALSO krb.realms(5), krb_get_krbhst(3), krb_get_lrealm(3) diff --git a/crypto/kerberosIV/man/krb.extra.5 b/crypto/kerberosIV/man/krb.extra.5 new file mode 100644 index 0000000..7c3140a 
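Review bot: The new server-specification syntax `[(udp|tcp|http)/]hostname[:port]` makes the transport prefix optional, but the text never states which transport an unprefixed entry such as `NADA.KTH.SE kerberos.nada.kth.se admin server` in the example gets, so an administrator cannot tell whether the tunnel forms are a fallback or a replacement; add one sentence after the syntax line naming the default, e.g. `Entries without a protocol prefix are contacted over the library's default transport.` with the real default filled in. The `http/` form also depends on the web proxy configured through `krb4_proxy` in krb.extra(5), added in this same change with a SEE ALSO pointing back here, yet this page's SEE ALSO still lists only krb.realms(5), krb_get_krbhst(3) and krb_get_lrealm(3) — add `krb.extra(5)` and mention krb4_proxy next to the http/ syntax. Minor: `any number lines` should be `any number of lines`.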
--- /dev/null +++ b/crypto/kerberosIV/man/krb.extra.5 @@ -0,0 +1,42 @@ +.\" $Id: krb.extra.5,v 1.1.2.1 1999/07/22 03:16:36 assar Exp $ +.\" +.Dd June 24, 1999 +.Dt KRB.EXTRA 5 +.Os KTH-KRB +.Sh NAME +.Nm krb.extra +.Nd +Kerberos misc configuration file +.Sh DESCRIPTION +.Nm +contains a number of settings that are used by the kerberos library, +or directly by applications. Each line in the file consists of a +variable, an equal sign, and a value. Lines beginning with hash are +ignored. +.Pp +Currently defined variables are: +.Bl -tag -width foo +.It kdc_timeout +time in seconds to wait for an answer from the KDC (default is 4 +seconds) +.It kdc_timesync +if this is enabled, the time differential between the client and the +KDC will be stored, and used later on when computing the correct time; +this is useful if the client's clock is drifting +.It firewall_address +the outside address of the firewall; this is used in some places to +compute a direction bit, and this might break if the server has a +different idea about which address to use then the client +.It krb4_proxy +address of a web-proxy to use when connecting to the KDC via HTTP +.El +.Sh EXAMPLES +.Bd -literal +# this is a comment +kdc_timesync = yes +firewall_address = 10.0.0.1 +.Ed +.Sh SEE ALSO +.Xr krb.equiv 5 , +.Xr krb.conf 5 , +.Xr krb.realms 5 diff --git a/crypto/kerberosIV/man/login.1 b/crypto/kerberosIV/man/login.1 new file mode 100644 index 0000000..b05a6a4 --- /dev/null +++ b/crypto/kerberosIV/man/login.1 
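Review bot: `kdc_timesync` says the clock differential against the KDC `will be stored, and used later on when computing the correct time`, but not where it is stored or who can write that location; because the page says this offset feeds into the time the library considers correct, a practitioner needs to know whether it lives in a per-user file and what a tampered value would do — add that to the entry (no file name is given anywhere on the page, so I cannot propose one). The page also has no FILES section, so the location of krb.extra itself is never stated; add `.Sh FILES` with the path the library reads. Typo in `firewall_address`: `a different idea about which address to use then the client` → `than the client`.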
@@ -0,0 +1,160 @@
+.\" Copyright (c) 1980, 1990, 1993
+.\" The Regents of the University of California. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by the University of
+.\" California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\" +.\" @(#)login.1 8.1 (Berkeley) 6/9/93 +.\" +.Dd June 9, 1993 +.Dt LOGIN 1 +.Os BSD 4 +.Sh NAME +.Nm login +.Nd log into the computer +.Sh SYNOPSIS +.Nm login +.Op Fl fp +.Op Fl h Ar hostname +.Op Ar user +.Sh DESCRIPTION +.Sy Note: +this manual page describes the original login program for +NetBSD. Everything in here might not be true. +.Pp +The +.Nm login +utility logs users (and pseudo-users) into the computer system. +.Pp +If no user is specified, or if a user is specified and authentication +of the user fails, +.Nm login +prompts for a user name. +Authentication of users is done via passwords. +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl f +The +.Fl f +option is used when a user name is specified to indicate that proper +authentication has already been done and that no password need be +requested. +This option may only be used by the super-user or when an already +logged in user is logging in as themselves. +.It Fl h +The +.Fl h +option specifies the host from which the connection was received. +It is used by various daemons such as +.Xr telnetd 8 . +This option may only be used by the super-user. +.It Fl p +By default, +.Nm login +discards any previous environment. +The +.Fl p +option disables this behavior. +.El +.Pp +If the file +.Pa /etc/nologin +exists, +.Nm login +dislays its contents to the user and exits. +This is used by +.Xr shutdown 8 +to prevent users from logging in when the system is about to go down. +.Pp +If the file +.Pa /etc/fbtab +exists, +.Nm login +changes the protection and ownership of certain devices specified in this +file. +.Pp +Immediately after logging a user in, +.Nm login +displays the system copyright notice, the date and time the user last +logged in, the message of the day as well as other information. +If the file +.Dq Pa .hushlogin +exists in the user's home directory, all of these messages are suppressed. +This is to simplify logins for non-human users, such as +.Xr uucp 1 . 
+.Nm Login +then records an entry in the +.Xr wtmp 5 +and +.Xr utmp 5 +files and executes the user's command interpretor. +.Pp +Login enters information into the environment (see +.Xr environ 7 ) +specifying the user's home directory (HOME), command interpreter (SHELL), +search path (PATH), terminal type (TERM) and user name (both LOGNAME and +USER). +.Pp +The standard shells, +.Xr csh 1 +and +.Xr sh 1 , +do not fork before executing the +.Nm login +utility. +.Sh FILES +.Bl -tag -width /var/mail/userXXX -compact +.It Pa /etc/fbtab +changes device protections +.It Pa /etc/motd +message-of-the-day +.It Pa /etc/nologin +disallows logins +.It Pa /var/run/utmp +current logins +.It Pa /var/log/wtmp +login account records +.It Pa /var/mail/user +system mailboxes +.It Pa \&.hushlogin +makes login quieter +.El +.Sh SEE ALSO +.Xr chpass 1 , +.Xr passwd 1 , +.Xr rlogin 1 , +.Xr getpass 3 , +.Xr fbtab 5 , +.Xr utmp 5 , +.Xr environ 7 +.Sh HISTORY +A +.Nm login +appeared in +.At v6 . diff --git a/crypto/kerberosIV/man/login.access.5 b/crypto/kerberosIV/man/login.access.5 new file mode 100644 index 0000000..28d423c --- /dev/null +++ b/crypto/kerberosIV/man/login.access.5 
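Review bot: The DESCRIPTION opens with `this manual page describes the original login program for NetBSD. Everything in here might not be true.`, which tells the reader nothing about what actually differs in the login shipped with this tree; a program that authenticates users should not ship a disclaimer in place of documentation, so either list the divergences (at minimum whether Kerberos tickets are obtained at login, which nothing on the page mentions) or drop the note. SEE ALSO should also cite `.Xr login.access 5`, the access-control table added in the same change whose own SEE ALSO points back at login(1); without the cross-reference an administrator reading this page gets no hint that per-user/host/tty restrictions exist. Typos: `dislays` → `displays`, `interpretor` → `interpreter`.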
@@ -0,0 +1,50 @@ +.\" this is comment +.Dd April 30, 1994 +.Dt SKEY.ACCESS 5 +.Os FreeBSD 1.2 +.Sh NAME +.Nm login.access +.Nd Login access control table +.Sh DESCRIPTION +The +.Nm login.access +file specifies (user, host) combinations and/or (user, tty) +combinations for which a login will be either accepted or refused. +.Pp +When someone logs in, the +.Nm login.access +is scanned for the first entry that +matches the (user, host) combination, or, in case of non-networked +logins, the first entry that matches the (user, tty) combination. The +permissions field of that table entry determines whether the login will +be accepted or refused. +.Pp +Each line of the login access control table has three fields separated by a +":" character: permission : users : origins + +The first field should be a "+" (access granted) or "-" (access denied) +character. The second field should be a list of one or more login names, +group names, or ALL (always matches). The third field should be a list +of one or more tty names (for non-networked logins), host names, domain +names (begin with "."), host addresses, internet network numbers (end +with "."), ALL (always matches) or LOCAL (matches any string that does +not contain a "." character). If you run NIS you can use @netgroupname +in host or user patterns. + +The EXCEPT operator makes it possible to write very compact rules. + +The group file is searched only when a name does not match that of the +logged-in user. Only groups are matched in which users are explicitly +listed: the program does not look at a user's primary group id value. +.Sh FILES +.Bl -tag -width /etc/login.access -compact +.It Pa /etc/login.access +The +.Nm login.access +file resides in +.Pa /etc . +.El +.Sh SEE ALSO +.Xr login 1 +.Sh AUTHOR +Guido van Rooij diff --git a/crypto/kerberosIV/man/pagsh.1 b/crypto/kerberosIV/man/pagsh.1 new file mode 100644 index 0000000..cd95f8b --- /dev/null +++ b/crypto/kerberosIV/man/pagsh.1 
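Review bot: The page header is wrong: `.Dt SKEY.ACCESS 5` will render the title as SKEY.ACCESS(5) while NAME says login.access, so `man login.access` shows the header of a different file; it should be `.Dt LOGIN.ACCESS 5`, and the placeholder `.\" this is comment` on the first line should go. The `EXCEPT` operator is named but its syntax is never shown, which for an access-control table invites misconfiguration; add one example of the three-field form described just above, such as `-:ALL EXCEPT wheel:console` (refuse everyone except group wheel on the console), and say which fields the operator may appear in.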
@@ -0,0 +1,22 @@ +.\" $Id: pagsh.1,v 1.1 1996/04/27 23:03:35 d91-jda Exp $ +.\" +.Dd April 27, 1996 +.Dt PAGSH 1 +.Os KTH-KRB +.Sh NAME +.Nm pagsh +.Nd +execute a command without authentication +.Sh SYNOPSIS +.Nm pagsh +.Op Oo Fl c Oc Nm command Ar args +.Sh DESCRIPTION +Starts a new subprocess that is detached from any Kerberos ticket +cache and AFS tokens. Without +.Nm command +a new shell is started. +.Sh ENVIRONMENT +.Bl -tag -width Fl +.It Ev $SHELL +Default shell. +.El diff --git a/crypto/kerberosIV/man/rcp.1 b/crypto/kerberosIV/man/rcp.1 new file mode 100644 index 0000000..cc5efd0 --- /dev/null +++ b/crypto/kerberosIV/man/rcp.1 
@@ -0,0 +1,161 @@
+.\" $NetBSD: rcp.1,v 1.5 1995/03/21 08:19:04 cgd Exp $
+.\"
+.\" Copyright (c) 1983, 1990, 1993
+.\" The Regents of the University of California. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by the University of
+.\" California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\" +.\" @(#)rcp.1 8.1 (Berkeley) 5/31/93 +.\" +.Dd May 31, 1993 +.Dt RCP 1 +.Os BSD 4.3r +.Sh NAME +.Nm rcp +.Nd remote file copy +.Sh SYNOPSIS +.Nm rcp +.Op Fl Kpx +.Op Fl k Ar realm +.Ar file1 file2 +.Nm rcp +.Op Fl Kprx +.Op Fl k Ar realm +.Ar file ... +.Ar directory +.Sh DESCRIPTION +.Nm Rcp +copies files between machines. Each +.Ar file +or +.Ar directory +argument is either a remote file name of the +form ``rname@rhost:path'', or a local file name (containing no `:' characters, +or a `/' before any `:'s). +.Pp +.Bl -tag -width flag +.It Fl K +The +.Fl K +option turns off all Kerberos authentication. +.It Fl k +The +.Fl k +option requests +.Nm rcp +to obtain tickets +for the remote host in realm +.Ar realm +instead of the remote host's realm as determined by +.Xr krb_realmofhost 3 . +.It Fl p +The +.Fl p +option causes +.Nm rcp +to attempt to preserve (duplicate) in its copies the modification +times and modes of the source files, ignoring the +.Ar umask . +By default, the mode and owner of +.Ar file2 +are preserved if it already existed; otherwise the mode of the source file +modified by the +.Xr umask 2 +on the destination host is used. +.It Fl r +If any of the source files are directories, +.Nm rcp +copies each subtree rooted at that name; in this case +the destination must be a directory. +.It Fl x +The +.Fl x +option turns on +.Tn DES +encryption for all data passed by +.Nm rcp . +This may impact response time and +.Tn CPU +utilization, but provides +increased security. +.El +.Pp +If +.Ar path +is not a full path name, it is interpreted relative to +the login directory of the specified user +.Ar ruser +on +.Ar rhost , +or your current user name if no other remote user name is specified. +A +.Ar path +on a remote host may be quoted (using \e, ", or \(aa) +so that the metacharacters are interpreted remotely. +.Pp +.Nm Rcp +does not prompt for passwords; it performs remote execution +via +.Xr rsh 1 , +and requires the same authorization. 
+.Pp +.Nm Rcp +handles third party copies, where neither source nor target files +are on the current machine. +.Sh SEE ALSO +.Xr cp 1 , +.Xr ftp 1 , +.Xr rsh 1 , +.Xr rlogin 1 +.Sh HISTORY +The +.Nm rcp +command appeared in +.Bx 4.2 . +The version of +.Nm rcp +described here +has been reimplemented with Kerberos in +.Bx 4.3 Reno . +.Sh BUGS +Doesn't detect all cases where the target of a copy might +be a file in cases where only a directory should be legal. +.Pp +Is confused by any output generated by commands in a +.Pa \&.login , +.Pa \&.profile , +or +.Pa \&.cshrc +file on the remote host. +.Pp +The destination user and hostname may have to be specified as +``rhost.rname'' when the destination machine is running the +.Bx 4.2 +version of +.Nm rcp . diff --git a/crypto/kerberosIV/man/rlogin.1 b/crypto/kerberosIV/man/rlogin.1 new file mode 100644 index 0000000..3e1fd8d --- /dev/null +++ b/crypto/kerberosIV/man/rlogin.1 
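Review bot: The remote-name grammar is given as ``rname@rhost:path'' in DESCRIPTION, but the path paragraph later refers to `the specified user .Ar ruser on .Ar rhost`; pick one name (`ruser` matches the rsh/rlogin pages) so the reader can connect the two. The `-K` entry says it `turns off all Kerberos authentication` without saying what is used instead; since the page states rcp does remote execution via rsh(1) `and requires the same authorization`, and rlogin(1) in this same change documents falling back to the Berkeley rhosts mechanism, presumably the same host-based trust is all that remains without Kerberos, and that consequence belongs in the `-K` text. Likewise `-x` should make explicit that without it only the authentication exchange is protected and file contents travel in the clear — the hunk says `-x` turns on DES encryption for all data, so its absence means none — which `provides increased security` leaves implicit.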
@@ -0,0 +1,190 @@
+.\" $NetBSD: rlogin.1,v 1.3 1995/03/21 07:58:37 cgd Exp $
+.\"
+.\" Copyright (c) 1983, 1990, 1993
+.\" The Regents of the University of California. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by the University of
+.\" California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" @(#)rlogin.1 8.1 (Berkeley) 6/6/93
+.\"
+.Dd June 6, 1993
+.Dt RLOGIN 1
+.Os BSD 4.2
+.Sh NAME
+.Nm rlogin
+.Nd remote login
+.Sh SYNOPSIS
+.Ar rlogin
+.Op Fl 8EKLdx
+.Op Fl e Ar char
+.Op Fl k Ar realm
+.Op Fl l Ar username
+.Op Fl p Ar portnumber
+.Ar host
+.Sh DESCRIPTION
+.Nm Rlogin
+starts a terminal session on a remote host
+.Ar host .
+.Pp
+.Nm Rlogin
+first attempts to use the Kerberos authorization mechanism, described below.
+If the remote host does not supporting Kerberos the standard Berkeley
+.Pa rhosts
+authorization mechanism is used.
+The options are as follows:
+.Bl -tag -width flag
+.It Fl 8
+The
+.Fl 8
+option allows an eight-bit input data path at all times; otherwise
+parity bits are stripped except when the remote side's stop and start
+characters are other than
+^S/^Q .
+.It Fl E
+The
+.Fl E
+option stops any character from being recognized as an escape character.
+When used with the
+.Fl 8
+option, this provides a completely transparent connection.
+.It Fl K
+The
+.Fl K
+option turns off all Kerberos authentication.
+.It Fl L
+The
+.Fl L
+option allows the rlogin session to be run in ``litout'' (see
+.Xr tty 4 )
+mode.
+.It Fl d
+The
+.Fl d
+option turns on socket debugging (see
+.Xr setsockopt 2 )
+on the TCP sockets used for communication with the remote host.
+.It Fl e
+The
+.Fl e
+option allows user specification of the escape character, which is
+``~'' by default.
+This specification may be as a literal character, or as an octal
+value in the form \ennn.
+.It Fl k
+The
+.FL k
+option requests rlogin to obtain tickets for the remote host
+in realm
+.Ar realm
+instead of the remote host's realm as determined by
+.Xr krb_realmofhost 3 .
+.It Fl x
+The
+.Fl x
+option turns on
+.Tn DES
+encryption for all data passed via the
+rlogin session.
+This may impact response time and
+.Tn CPU
+utilization, but provides
+increased security.
+.It Fl D
+Use the TCP nodelay option (see setsockopt(2)).
+.It Fl p portnumber
+Specifies the port number to connect to on the remote host.
+.El
+.Pp
+A line of the form ``<escape char>.'' disconnects from the remote host.
+Similarly, the line ``<escape char>^Z'' will suspend the
+.Nm rlogin
+session, and ``<escape char><delayed-suspend char>'' suspends the
+send portion of the rlogin, but allows output from the remote system.
+By default, the tilde (``~'') character is the escape character, and
+normally control-Y (``^Y'') is the delayed-suspend character.
+.Pp
+All echoing takes place at the remote site, so that (except for delays)
+the
+.Nm rlogin
+is transparent.
+Flow control via ^S/^Q and flushing of input and output on interrupts
+are handled properly.
+.Sh KERBEROS AUTHENTICATION
+Each user may have a private authorization list in the file
+.Pa .klogin
+in their home directory.
+Each line in this file should contain a Kerberos principal name of the
+form
+.Ar principal.instance@realm .
+If the originating user is authenticated to one of the principals named
+in
+.Pa .klogin ,
+access is granted to the account.
+The principal
+.Ar accountname.@localrealm
+is granted access if
+there is no
+.Pa .klogin
+file.
+Otherwise a login and password will be prompted for on the remote machine
+as in
+.Xr login 1 .
+To avoid certain security problems, the
+.Pa .klogin
+file must be owned by
+the remote user.
+.Pp
+If Kerberos authentication fails, a warning message is printed and the
+standard Berkeley
+.Nm rlogin
+is used instead.
+.Sh ENVIRONMENT
+The following environment variable is utilized by
+.Nm rlogin :
+.Bl -tag -width TERM
+.It Ev TERM
+Determines the user's terminal type.
+.El
+.Sh SEE ALSO
+.Xr rsh 1 ,
+.Xr kerberos 3 ,
+.Xr krb_sendauth 3 ,
+.Xr krb_realmofhost 3
+.Sh HISTORY
+The
+.Nm rlogin
+command appeared in
+.Bx 4.2 .
+.Sh BUGS
+.Nm Rlogin
+will be replaced by
+.Xr telnet 1
+in the near future.
+.Pp
+More of the environment should be propagated.
diff --git a/crypto/kerberosIV/man/rlogind.8 b/crypto/kerberosIV/man/rlogind.8
new file mode 100644
index 0000000..bc99529
--- /dev/null
+++ b/crypto/kerberosIV/man/rlogind.8
@@ -0,0 +1,178 @@
+.\" Copyright (c) 1983, 1989, 1991, 1993
+.\" The Regents of the University of California. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by the University of
+.\" California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" @(#)rlogind.8 8.1 (Berkeley) 6/4/93
+.\"
+.Dd August 25, 1996
+.Dt RLOGIND 8
+.Os BSD 4.2
+.Sh NAME
+.Nm rlogind
+.Nd remote login server
+.Sh SYNOPSIS
+.Nm rlogind
+.Op Fl ailnkvxD
+.Op Fl p Ar portnumber
+.Op Fl L Ar /bin/login
+.Sh DESCRIPTION
+.Nm Rlogind
+is the server for the
+.Xr rlogin 1
+program. The server provides a remote login facility with
+kerberos-based authentication or traditional pseudo-authentication with
+privileged port numbers from trusted hosts.
+.Pp
+Options supported by
+.Nm rlogind :
+.Bl -tag -width Ds
+.It Fl a
+No-op. For backwards compatibility. Hostnames are always verified.
+.It Fl l
+Prevent any authentication based on the user's
+.Dq Pa .rhosts
+file, unless the user is logging in as the superuser.
+.It Fl n
+Disable keep-alive messages.
+.It Fl k
+Enable kerberos authentication.
+.It Fl i
+Do not expect to be spawned by inetd and create a socket and listen on
+it yourself.
+.It Fl p portnumber
+Specifies the port number it should listen on in case the
+.It Fl i
+flag has been given.
+.It Fl v
+Vacuous, echo "Remote host requires Kerberos authentication" and exit.
+.It Fl x
+Provides an encrypted communications channel. This options requires the
+.Fl k
+flag.
+.It Fl L pathname
+Specify pathname to an alternative login program.
+.It Fl D
+Use the TCP nodelay option (see setsockopt(2)).
+.El
+.Pp
+When a service request is received,
+.Nm rlogind
+verifies the kerberos ticket supplied by the user.
+.Pp
+For non-kerberised connections, the following protocol is initiated:
+.Bl -enum
+.It
+The server checks the client's source port.
+If the port is not in the range 512-1023, the server
+aborts the connection.
+.It
+The server checks the client's source address
+and requests the corresponding host name (see
+.Xr gethostbyaddr 3 ,
+.Xr hosts 5
+and
+.Xr named 8 ) .
+If the hostname cannot be determined,
+the dot-notation representation of the host address is used.
+The addresses for the hostname are requested,
+verifying that the name and address correspond.
+Normal authentication is bypassed if the address verification fails.
+.El
+.Pp
+Once the source port and address have been checked,
+.Nm rlogind
+proceeds with the authentication process described in
+.Xr rshd 8 .
+.Pp
+It then allocates a pseudo terminal (see
+.Xr pty 4 ) ,
+and manipulates file descriptors so that the slave
+half of the pseudo terminal becomes the
+.Em stdin ,
+.Em stdout ,
+and
+.Em stderr
+for a login process.
+The login process is an instance of the
+.Xr login 1
+program, invoked with the
+.Fl f
+option if authentication has succeeded.
+If automatic authentication fails, the user is
+prompted to log in as if on a standard terminal line.
+.Pp
+The parent of the login process manipulates the master side of
+the pseudo terminal, operating as an intermediary
+between the login process and the client instance of the
+.Xr rlogin
+program. In normal operation, the packet protocol described
+in
+.Xr pty 4
+is invoked to provide
+.Ql ^S/^Q
+type facilities and propagate
+interrupt signals to the remote programs. The login process
+propagates the client terminal's baud rate and terminal type,
+as found in the environment variable,
+.Ql Ev TERM ;
+see
+.Xr environ 7 .
+The screen or window size of the terminal is requested from the client,
+and window size changes from the client are propagated to the pseudo terminal.
+.Pp
+Transport-level keepalive messages are enabled unless the
+.Fl n
+option is present.
+The use of keepalive messages allows sessions to be timed out
+if the client crashes or becomes unreachable.
+.Sh DIAGNOSTICS
+All initial diagnostic messages are indicated
+by a leading byte with a value of 1,
+after which any network connections are closed.
+If there are no errors before
+.Xr login
+is invoked, a null byte is returned as in indication of success.
+.Bl -tag -width Ds
+.It Sy Try again.
+A
+.Xr fork
+by the server failed.
+.El
+.Sh SEE ALSO
+.Xr login 1 ,
+.Xr ruserok 3 ,
+.Xr rshd 8
+.Sh BUGS
+A more extensible protocol should be used.
+.Sh HISTORY
+The
+.Nm
+command appeared in
+.Bx 4.2 .
diff --git a/crypto/kerberosIV/man/rsh.1 b/crypto/kerberosIV/man/rsh.1
new file mode 100644
index 0000000..5d79faf
--- /dev/null
+++ b/crypto/kerberosIV/man/rsh.1
@@ -0,0 +1,182 @@
+.\" Copyright (c) 1983, 1990 The Regents of the University of California.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by the University of
+.\" California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" from: @(#)rsh.1 6.10 (Berkeley) 7/24/91
+.\" $Id: rsh.1,v 1.1.1.1 1995/10/23 11:20:27 d91-jda Exp $
+.\"
+.Dd July 24, 1991
+.Dt RSH 1
+.Os BSD 4.2
+.Sh NAME
+.Nm rsh
+.Nd remote shell
+.Sh SYNOPSIS
+.Nm rsh
+.Op Fl Kdnx
+.Op Fl k Ar realm
+.Op Fl l Ar username
+.Ar host
+.Op command
+.Sh DESCRIPTION
+.Nm Rsh
+executes
+.Ar command
+on
+.Ar host .
+.Pp
+.Nm Rsh
+copies its standard input to the remote command, the standard
+output of the remote command to its standard output, and the
+standard error of the remote command to its standard error.
+Interrupt, quit and terminate signals are propagated to the remote
+command;
+.Nm rsh
+normally terminates when the remote command does.
+The options are as follows:
+.Bl -tag -width flag
+.It Fl K
+The
+.Fl K
+option turns off all Kerberos authentication.
+.It Fl d
+The
+.Fl d
+option turns on socket debugging (using
+.Xr setsockopt 2 )
+on the
+.Tn TCP
+sockets used for communication with the remote host.
+.It Fl k
+The
+.Fl k
+option causes
+.Nm rsh
+to obtain tickets for the remote host in
+.Ar realm
+instead of the remote host's realm as determined by
+.Xr krb_realmofhost 3 .
+.It Fl l
+By default, the remote username is the same as the local username.
+The
+.Fl l
+option allows the remote name to be specified.
+Kerberos authentication is used, and authorization is determined
+as in
+.Xr rlogin 1 .
+.It Fl n
+The
+.Fl n
+option redirects input from the special device
+.Pa /dev/null
+(see the
+.Sx BUGS
+section of this manual page).
+.It Fl x
+The
+.Fl x
+option turns on
+.Tn DES
+encryption for all data exchange.
+This may introduce a significant delay in response time.
+.El
+.Pp
+If no
+.Ar command
+is specified, you will be logged in on the remote host using
+.Xr rlogin 1 .
+.Pp
+Shell metacharacters which are not quoted are interpreted on local machine,
+while quoted metacharacters are interpreted on the remote machine.
+For example, the command
+.Pp
+.Dl rsh otherhost cat remotefile >> localfile
+.Pp
+appends the remote file
+.Ar remotefile
+to the local file
+.Ar localfile ,
+while
+.Pp
+.Dl rsh otherhost cat remotefile \&">>\&" other_remotefile
+.Pp
+appends
+.Ar remotefile
+to
+.Ar other_remotefile .
+.\" .Pp
+.\" Many sites specify a large number of host names as commands in the
+.\" directory /usr/hosts.
+.\" If this directory is included in your search path, you can use the
+.\" shorthand ``host command'' for the longer form ``rsh host command''.
+.Sh FILES
+.Bl -tag -width /etc/hosts -compact
+.It Pa /etc/hosts
+.El
+.Sh SEE ALSO
+.Xr rlogin 1 ,
+.Xr kerberos 3 ,
+.Xr krb_sendauth 3 ,
+.Xr krb_realmofhost 3
+.Sh HISTORY
+The
+.Nm rsh
+command appeared in
+.Bx 4.2 .
+.Sh BUGS
+If you are using
+.Xr csh 1
+and put a
+.Nm rsh
+in the background without redirecting its input away from the terminal,
+it will block even if no reads are posted by the remote command.
+If no input is desired you should redirect the input of
+.Nm rsh
+to
+.Pa /dev/null
+using the
+.Fl n
+option.
+.Pp
+You cannot run an interactive command
+(like
+.Xr rogue 6
+or
+.Xr vi 1 )
+using
+.Nm rsh ;
+use
+.Xr rlogin 1
+instead.
+.Pp
+Stop signals stop the local
+.Nm rsh
+process only; this is arguably wrong, but currently hard to fix for reasons
+too complicated to explain here.
diff --git a/crypto/kerberosIV/man/rshd.8 b/crypto/kerberosIV/man/rshd.8
new file mode 100644
index 0000000..8bd661f
--- /dev/null
+++ b/crypto/kerberosIV/man/rshd.8
@@ -0,0 +1,221 @@
+.\" Copyright (c) 1983, 1989, 1991, 1993
+.\" The Regents of the University of California. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by the University of
+.\" California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" @(#)rshd.8 8.1 (Berkeley) 6/4/93
+.\"
+.Dd August 25, 1996
+.Dt RSHD 8
+.Os BSD 4.2
+.Sh NAME
+.Nm rshd
+.Nd remote shell server
+.Sh SYNOPSIS
+.Nm rshd
+.Op Fl ailnkvxLP
+.Op Fl p Ar portnumber
+.Sh DESCRIPTION
+The
+.Nm rshd
+server
+is the server for the
+.Xr rcmd 3
+routine and, consequently, for the
+.Xr rsh 1
+program. The server provides remote execution facilities with
+kerberos-based authentication or traditional pseudo-authentication
+with privileged port numbers from trusted hosts.
+.Pp
+The
+.Nm rshd
+server
+listens for service requests at the port indicated in
+the ``cmd'' service specification; see
+.Xr services 5 .
+When a service request is received
+.Nm rshd
+verifies the kerberos ticket supplied by the user.
+.Pp
+For non-kerberised connections, the following protocol is initiated:
+.Bl -enum
+.It
+The server checks the client's source port.
+If the port is not in the range 512-1023, the server
+aborts the connection.
+.It
+The server reads characters from the socket up
+to a null (`\e0') byte. The resultant string is
+interpreted as an
+.Tn ASCII
+number, base 10.
+.It
+If the number received in step 2 is non-zero,
+it is interpreted as the port number of a secondary
+stream to be used for the
+.Em stderr .
+A second connection is then created to the specified
+port on the client's machine. The source port of this
+second connection is also in the range 512-1023.
+.It
+The server checks the client's source address
+and requests the corresponding host name (see
+.Xr gethostbyaddr 3 ,
+.Xr hosts 5
+and
+.Xr named 8 ) .
+If the hostname cannot be determined,
+the dot-notation representation of the host address is used.
+The addresses for the hostname are requested,
+verifying that the name and address correspond.
+If address verification fails, the connection is aborted
+with the message, ``Host address mismatch.''
+.It
+A null terminated user name of at most 16 characters
+is retrieved on the initial socket. This user name
+is interpreted as the user identity on the
+.Em client Ns 's
+machine.
+.It
+A null terminated user name of at most 16 characters
+is retrieved on the initial socket. This user name
+is interpreted as a user identity to use on the
+.Sy server Ns 's
+machine.
+.It
+A null terminated command to be passed to a
+shell is retrieved on the initial socket. The length of
+the command is limited by the upper bound on the size of
+the system's argument list.
+.It
+.Nm Rshd
+then validates the user using
+.Xr ruserok 3 ,
+which uses the file
+.Pa /etc/hosts.equiv
+and the
+.Pa .rhosts
+file found in the user's home directory. The
+.Fl l
+option prevents
+.Xr ruserok 3
+from doing any validation based on the user's ``.rhosts'' file,
+unless the user is the superuser.
+.It
+If the file
+.Pa /etc/nologin
+exists and the user is not the superuser,
+the connection is closed.
+.It
+A null byte is returned on the initial socket
+and the command line is passed to the normal login
+shell of the user. The
+shell inherits the network connections established
+by
+.Nm rshd .
+.El
+.Pp
+Transport-level keepalive messages are enabled unless the
+.Fl n
+option is present.
+The use of keepalive messages allows sessions to be timed out
+if the client crashes or becomes unreachable.
+.Pp
+The
+.Fl L
+option causes all successful accesses to be logged to
+.Xr syslogd 8
+as
+.Li auth.info
+messages.
+.Bl -tag -width Ds
+.It Fl k
+Enable kerberos authentication.
+.It Fl i
+Do not expect to be spawned by inetd and create a socket and listen on
+it yourself.
+.It Fl p portnumber
+Specifies the port number it should listen on in case the
+.It Fl i
+flag has been given.
+.It Fl v
+Vacuous, echo "Remote host requires Kerberos authentication" and exit.
+.It Fl x
+Provides an encrypted communications channel. This option requires the
+.Fl k
+flag.
+.It Fl P
+AFS only! Doesn't put the remote proccess in a new PAG.
+.El
+.Sh DIAGNOSTICS
+Except for the last one listed below,
+all diagnostic messages
+are returned on the initial socket,
+after which any network connections are closed.
+An error is indicated by a leading byte with a value of
+1 (0 is returned in step 10 above upon successful completion
+of all the steps prior to the execution of the login shell).
+.Bl -tag -width indent
+.It Sy Locuser too long.
+The name of the user on the client's machine is
+longer than 16 characters.
+.It Sy Ruser too long.
+The name of the user on the remote machine is
+longer than 16 characters.
+.It Sy Command too long .
+The command line passed exceeds the size of the argument
+list (as configured into the system).
+.It Sy Login incorrect.
+No password file entry for the user name existed.
+.It Sy Remote directory.
+The
+.Xr chdir
+command to the home directory failed.
+.It Sy Permission denied.
+The authentication procedure described above failed.
+.It Sy Can't make pipe.
+The pipe needed for the
+.Em stderr ,
+wasn't created.
+.It Sy Can't fork; try again.
+A
+.Xr fork
+by the server failed.
+.It Sy <shellname>: ...
+The user's login shell could not be started. This message is returned
+on the connection associated with the
+.Em stderr ,
+and is not preceded by a flag byte.
+.El
+.Sh SEE ALSO
+.Xr rsh 1 ,
+.Xr rcmd 3 ,
+.Xr ruserok 3
+.Sh BUGS
+A more extensible protocol (such as Telnet) should be used.
diff --git a/crypto/kerberosIV/man/su.1 b/crypto/kerberosIV/man/su.1
new file mode 100644
index 0000000..78d5c8d
--- /dev/null
+++ b/crypto/kerberosIV/man/su.1
@@ -0,0 +1,189 @@
+.\" Copyright (c) 1988, 1990 The Regents of the University of California.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by the University of
+.\" California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" from: @(#)su.1 6.12 (Berkeley) 7/29/91
+.\" $Id: su.1,v 1.3 1996/02/11 23:56:09 d91-jda Exp $
+.\"
+.Dd July 29, 1991
+.Dt SU 1
+.Os
+.Sh NAME
+.Nm su
+.Nd substitute user identity
+.Sh SYNOPSIS
+.Nm su
+.Op Fl Kflmi
+.Op Ar login Op Ar "shell arguments"
+.Sh DESCRIPTION
+.Nm Su
+requests the Kerberos password for
+.Ar login
+(or for
+.Dq Ar login Ns .root ,
+if no login is provided), and switches to
+that user and group ID after obtaining a Kerberos ticket granting ticket.
+A shell is then executed, and any additional
+.Ar "shell arguments"
+after the login name
+are passed to the shell.
+.Nm Su
+will resort to the local password file to find the password for
+.Ar login
+if there is a Kerberos error.
+If
+.Nm su
+is executed by root, no password is requested and a shell
+with the appropriate user ID is executed; no additional Kerberos tickets
+are obtained.
+.Pp
+Alternately, if the user enters the password "s/key", they will be
+authenticated using the S/Key one-time password system as described in
+.Xr skey 1 .
+S/Key is a Trademark of Bellcore.
+.Pp
+By default, the environment is unmodified with the exception of
+.Ev USER ,
+.Ev HOME ,
+and
+.Ev SHELL .
+.Ev HOME
+and
+.Ev SHELL
+are set to the target login's default values.
+.Ev USER
+is set to the target login, unless the target login has a user ID of 0,
+in which case it is unmodified.
+The invoked shell is the target login's.
+This is the traditional behavior of
+.Nm su .
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl K
+Do not attempt to use Kerberos to authenticate the user.
+.It Fl f
+If the invoked shell is
+.Xr csh 1 ,
+this option prevents it from reading the
+.Dq Pa .cshrc
+file.
+.It Fl l
+Simulate a full login.
+The environment is discarded except for
+.Ev HOME ,
+.Ev SHELL ,
+.Ev PATH ,
+.Ev TERM ,
+and
+.Ev USER .
+.Ev HOME
+and
+.Ev SHELL
+are modified as above.
+.Ev USER
+is set to the target login.
+.Ev PATH
+is set to
+.Dq Pa /bin:/usr/bin .
+.Ev TERM
+is imported from your current environment.
+The invoked shell is the target login's, and
+.Nm su
+will change directory to the target login's home directory.
+.It Fl m
+Leave the environment unmodified.
+The invoked shell is your login shell, and no directory changes are made.
+As a security precaution, if the target user's shell is a non-standard
+shell (as defined by
+.Xr getusershell 3 )
+and the caller's real uid is
+non-zero,
+.Nm su
+will fail.
+.It Fl i
+If the kerberos root instance is not root any other value can be passed
+using this switch.
+.El
+.Pp
+The
+.Fl l
+and
+.Fl m
+options are mutually exclusive; the last one specified
+overrides any previous ones.
+.Pp
+Only users mentioned in
+.Dq Pa ~root/.klogin
+(or in group 0 when not doing kerberos) can
+.Nm su
+to
+.Dq root .
+.Pp
+By default (unless the prompt is reset by a startup file) the super-user
+prompt is set to
+.Dq Sy \&#
+to remind one of its awesome power.
+.Sh SEE ALSO
+.Xr csh 1 ,
+.Xr login 1 ,
+.Xr sh 1 ,
+.Xr skey 1 ,
+.Xr kinit 1 ,
+.Xr kerberos 1 ,
+.Xr passwd 5 ,
+.Xr group 5 ,
+.Xr environ 7
+.Sh ENVIRONMENT
+Environment variables used by
+.Nm su :
+.Bl -tag -width HOME
+.It Ev HOME
+Default home directory of real user ID unless modified as
+specified above.
+.It Ev PATH
+Default search path of real user ID unless modified as specified above.
+.It Ev TERM
+Provides terminal type which may be retained for the substituted
+user ID.
+.It Ev USER
+The user ID is always the effective ID (the target user ID) after an
+.Nm su
+unless the user ID is 0 (root).
+.El
+.Sh HISTORY
+A
+.Nm
+command appeared in
+.At v7 .
+The version described
+here is an adaptation of the
+.Tn MIT
+Athena Kerberos command.
diff --git a/crypto/kerberosIV/man/telnet.1 b/crypto/kerberosIV/man/telnet.1
new file mode 100644
index 0000000..2b3198e
--- /dev/null
+++ b/crypto/kerberosIV/man/telnet.1
@@ -0,0 +1,1369 @@
+.\" Copyright (c) 1983, 1990, 1993
+.\" The Regents of the University of California. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by the University of
+.\" California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" @(#)telnet.1 8.6 (Berkeley) 6/1/94
+.\"
+.Dd June 1, 1994
+.Dt TELNET 1
+.Os BSD 4.2
+.Sh NAME
+.Nm telnet
+.Nd user interface to the
+.Tn TELNET
+protocol
+.Sh SYNOPSIS
+.Nm telnet
+.Op Fl 78EFKLacdfrx
+.Op Fl S Ar tos
+.Op Fl X Ar authtype
+.Op Fl e Ar escapechar
+.Op Fl k Ar realm
+.Op Fl l Ar user
+.Op Fl n Ar tracefile
+.Oo
+.Ar host
+.Op port
+.Oc
+.Sh DESCRIPTION
+The
+.Nm telnet
+command
+is used to communicate with another host using the
+.Tn TELNET
+protocol.
+If
+.Nm telnet
+is invoked without the
+.Ar host
+argument, it enters command mode,
+indicated by its prompt
+.Pq Nm telnet\&> .
+In this mode, it accepts and executes the commands listed below.
+If it is invoked with arguments, it performs an
+.Ic open
+command with those arguments.
+.Pp
+Options:
+.Bl -tag -width indent
+.It Fl 8
+Specifies an 8-bit data path. This causes an attempt to
+negotiate the
+.Dv TELNET BINARY
+option on both input and output.
+.It Fl 7
+Do not try to negotiate
+.Dv TELNET BINARY
+option.
+.It Fl E
+Stops any character from being recognized as an escape character.
+.It Fl F
+If Kerberos V5 authentication is being used, the
+.Fl F
+option allows the local credentials to be forwarded
+to the remote system, including any credentials that
+have already been forwarded into the local environment.
+.It Fl K
+Specifies no automatic login to the remote system.
+.It Fl L
+Specifies an 8-bit data path on output. This causes the
+BINARY option to be negotiated on output.
+.It Fl S Ar tos
+Sets the IP type-of-service (TOS) option for the telnet
+connection to the value
+.Ar tos,
+which can be a numeric TOS value
+or, on systems that support it, a symbolic
+TOS name found in the /etc/iptos file.
+.It Fl X Ar atype
+Disables the
+.Ar atype
+type of authentication.
+.It Fl a
+Attempt automatic login.
+Currently, this sends the user name via the
+.Ev USER
+variable
+of the
+.Ev ENVIRON
+option if supported by the remote system.
+The name used is that of the current user as returned by
+.Xr getlogin 2
+if it agrees with the current user ID,
+otherwise it is the name associated with the user ID.
+.It Fl c
+Disables the reading of the user's
+.Pa \&.telnetrc
+file. (See the
+.Ic toggle skiprc
+command on this man page.)
+.It Fl d
+Sets the initial value of the
+.Ic debug
+toggle to
+.Dv TRUE
+.It Fl e Ar escape char
+Sets the initial
+.Nm
+.Nm telnet
+escape character to
+.Ar escape char.
+If
+.Ar escape char
+is omitted, then
+there will be no escape character.
+.It Fl f
+If Kerberos V5 authentication is being used, the
+.Fl f
+option allows the local credentials to be forwarded to the remote system.
+.ne 1i
+.It Fl k Ar realm
+If Kerberos authentication is being used, the
+.Fl k
+option requests that telnet obtain tickets for the remote host in
+realm realm instead of the remote host's realm, as determined
+by
+.Xr krb_realmofhost 3 .
+.It Fl l Ar user
+When connecting to the remote system, if the remote system
+understands the
+.Ev ENVIRON
+option, then
+.Ar user
+will be sent to the remote system as the value for the variable USER.
+This option implies the
+.Fl a
+option.
+This option may also be used with the
+.Ic open
+command.
+.It Fl n Ar tracefile
+Opens
+.Ar tracefile
+for recording trace information.
+See the
+.Ic set tracefile
+command below.
+.It Fl r
+Specifies a user interface similar to
+.Xr rlogin 1 .
+In this
+mode, the escape character is set to the tilde (~) character,
+unless modified by the -e option.
+.It Fl x
+Turns on encryption of the data stream if possible. This is
+currently the default and when it fails a warning is issued.
+.It Ar host
+Indicates the official name, an alias, or the Internet address
+of a remote host.
+.It Ar port
+Indicates a port number (address of an application). If a number is
+not specified, the default
+.Nm telnet
+port is used.
+.El
+.Pp
+When in rlogin mode, a line of the form ~. disconnects from the
+remote host; ~ is the telnet escape character.
+Similarly, the line ~^Z suspends the telnet session.
+The line ~^] escapes to the normal telnet escape prompt.
+.Pp
+Once a connection has been opened,
+.Nm telnet
+will attempt to enable the
+.Dv TELNET LINEMODE
+option.
+If this fails, then
+.Nm telnet
+will revert to one of two input modes:
+either \*(Lqcharacter at a time\*(Rq
+or \*(Lqold line by line\*(Rq
+depending on what the remote system supports.
+.Pp
+When
+.Dv LINEMODE
+is enabled, character processing is done on the
+local system, under the control of the remote system. When input
+editing or character echoing is to be disabled, the remote system
+will relay that information. The remote system will also relay
+changes to any special characters that happen on the remote
+system, so that they can take effect on the local system.
+.Pp
+In \*(Lqcharacter at a time\*(Rq mode, most
+text typed is immediately sent to the remote host for processing.
+.Pp
+In \*(Lqold line by line\*(Rq mode, all text is echoed locally,
+and (normally) only completed lines are sent to the remote host.
+The \*(Lqlocal echo character\*(Rq (initially \*(Lq^E\*(Rq) may be used
+to turn off and on the local echo
+(this would mostly be used to enter passwords
+without the password being echoed).
+.Pp
+If the
+.Dv LINEMODE
+option is enabled, or if the
+.Ic localchars
+toggle is
+.Dv TRUE
+(the default for \*(Lqold line by line\*(Lq; see below),
+the user's
+.Ic quit ,
+.Ic intr ,
+and
+.Ic flush
+characters are trapped locally, and sent as
+.Tn TELNET
+protocol sequences to the remote side.
+If
+.Dv LINEMODE
+has ever been enabled, then the user's
+.Ic susp
+and
+.Ic eof
+are also sent as
+.Tn TELNET
+protocol sequences,
+and
+.Ic quit
+is sent as a
+.Dv TELNET ABORT
+instead of
+.Dv BREAK
+There are options (see
+.Ic toggle
+.Ic autoflush
+and
+.Ic toggle
+.Ic autosynch
+below)
+which cause this action to flush subsequent output to the terminal
+(until the remote host acknowledges the
+.Tn TELNET
+sequence) and flush previous terminal input
+(in the case of
+.Ic quit
+and
+.Ic intr ) .
+.Pp
+While connected to a remote host,
+.Nm telnet
+command mode may be entered by typing the
+.Nm telnet
+\*(Lqescape character\*(Rq (initially \*(Lq^]\*(Rq).
+When in command mode, the normal terminal editing conventions are available.
+.Pp
+The following
+.Nm telnet
+commands are available.
+Only enough of each command to uniquely identify it need be typed
+(this is also true for arguments to the
+.Ic mode ,
+.Ic set ,
+.Ic toggle ,
+.Ic unset ,
+.Ic slc ,
+.Ic environ ,
+and
+.Ic display
+commands).
+.Pp
+.Bl -tag -width "mode type"
+.It Ic auth Ar argument ...
+The auth command manipulates the information sent through the
+.Dv TELNET AUTHENTICATE
+option. Valid arguments for the
+auth command are as follows:
+.Bl -tag -width "disable type"
+.It Ic disable Ar type
+Disables the specified type of authentication. To
+obtain a list of available types, use the
+.Ic auth disable \&?
+command.
+.It Ic enable Ar type
+Enables the specified type of authentication. To
+obtain a list of available types, use the
+.Ic auth enable \&?
+command.
+.It Ic status
+Lists the current status of the various types of
+authentication.
+.El
+.It Ic close
+Close a
+.Tn TELNET
+session and return to command mode.
+.It Ic display Ar argument ...
+Displays all, or some, of the
+.Ic set
+and
+.Ic toggle
+values (see below).
+.It Ic encrypt Ar argument ...
+The encrypt command manipulates the information sent through the
+.Dv TELNET ENCRYPT
+option.
+.Pp
+Note: Because of export controls, the
+.Dv TELNET ENCRYPT
+option is not supported outside of the United States and Canada.
+.Pp
+Valid arguments for the encrypt command are as follows:
+.Bl -tag -width Ar
+.It Ic disable Ar type Ic [input|output]
+Disables the specified type of encryption. If you
+omit the input and output, both input and output
+are disabled. To obtain a list of available
+types, use the
+.Ic encrypt disable \&?
+command.
+.It Ic enable Ar type Ic [input|output]
+Enables the specified type of encryption. If you
+omit input and output, both input and output are
+enabled. To obtain a list of available types, use the
+.Ic encrypt enable \&?
+command.
+.It Ic input
+This is the same as the
+.Ic encrypt start input
+command.
+.It Ic -input
+This is the same as the
+.Ic encrypt stop input
+command.
+.It Ic output
+This is the same as the
+.Ic encrypt start output
+command.
+.It Ic -output
+This is the same as the
+.Ic encrypt stop output
+command.
+.It Ic start Ic [input|output]
+Attempts to start encryption. If you omit
+.Ic input
+and
+.Ic output,
+both input and output are enabled. To
+obtain a list of available types, use the
+.Ic encrypt enable \&?
+command.
+.It Ic status
+Lists the current status of encryption.
+.It Ic stop Ic [input|output]
+Stops encryption. If you omit input and output,
+encryption is on both input and output.
+.It Ic type Ar type
+Sets the default type of encryption to be used
+with later
+.Ic encrypt start
+or
+.Ic encrypt stop
+commands.
+.El
+.It Ic environ Ar arguments...
+The
+.Ic environ
+command is used to manipulate the
+the variables that my be sent through the
+.Dv TELNET ENVIRON
+option.
+The initial set of variables is taken from the users
+environment, with only the
+.Ev DISPLAY
+and
+.Ev PRINTER
+variables being exported by default.
+The
+.Ev USER
+variable is also exported if the
+.Fl a
+or
+.Fl l
+options are used.
+.br
+Valid arguments for the
+.Ic environ
+command are:
+.Bl -tag -width Fl
+.It Ic define Ar variable value
+Define the variable
+.Ar variable
+to have a value of
+.Ar value.
+Any variables defined by this command are automatically exported.
+The
+.Ar value
+may be enclosed in single or double quotes so
+that tabs and spaces may be included.
+.It Ic undefine Ar variable
+Remove
+.Ar variable
+from the list of environment variables.
+.It Ic export Ar variable
+Mark the variable
+.Ar variable
+to be exported to the remote side.
+.It Ic unexport Ar variable
+Mark the variable
+.Ar variable
+to not be exported unless
+explicitly asked for by the remote side.
+.It Ic list
+List the current set of environment variables.
+Those marked with a
+.Cm *
+will be sent automatically,
+other variables will only be sent if explicitly requested.
+.It Ic \&?
+Prints out help information for the
+.Ic environ
+command.
+.El
+.It Ic logout
+Sends the
+.Dv TELNET LOGOUT
+option to the remote side.
+This command is similar to a
+.Ic close
+command; however, if the remote side does not support the
+.Dv LOGOUT
+option, nothing happens.
+If, however, the remote side does support the
+.Dv LOGOUT
+option, this command should cause the remote side to close the
+.Tn TELNET
+connection.
+If the remote side also supports the concept of
+suspending a user's session for later reattachment,
+the logout argument indicates that you
+should terminate the session immediately.
+.It Ic mode Ar type
+.Ar Type
+is one of several options, depending on the state of the
+.Tn TELNET
+session.
+The remote host is asked for permission to go into the requested mode.
+If the remote host is capable of entering that mode, the requested
+mode will be entered.
+.Bl -tag -width Ar
+.It Ic character
+Disable the
+.Dv TELNET LINEMODE
+option, or, if the remote side does not understand the
+.Dv LINEMODE
+option, then enter \*(Lqcharacter at a time\*(Lq mode.
+.It Ic line
+Enable the
+.Dv TELNET LINEMODE
+option, or, if the remote side does not understand the
+.Dv LINEMODE
+option, then attempt to enter \*(Lqold-line-by-line\*(Lq mode.
+.It Ic isig Pq Ic \-isig
+Attempt to enable (disable) the
+.Dv TRAPSIG
+mode of the
+.Dv LINEMODE
+option.
+This requires that the
+.Dv LINEMODE
+option be enabled.
+.It Ic edit Pq Ic \-edit
+Attempt to enable (disable) the
+.Dv EDIT
+mode of the
+.Dv LINEMODE
+option.
+This requires that the
+.Dv LINEMODE
+option be enabled.
+.It Ic softtabs Pq Ic \-softtabs
+Attempt to enable (disable) the
+.Dv SOFT_TAB
+mode of the
+.Dv LINEMODE
+option.
+This requires that the
+.Dv LINEMODE
+option be enabled.
+.ne 1i
+.It Ic litecho Pq Ic \-litecho
+Attempt to enable (disable) the
+.Dv LIT_ECHO
+mode of the
+.Dv LINEMODE
+option.
+This requires that the
+.Dv LINEMODE
+option be enabled.
+.It Ic \&?
+Prints out help information for the
+.Ic mode
+command.
+.El
+.It Xo
+.Ic open Ar host
+.Oo Op Fl l
+.Ar user
+.Oc Ns Oo Fl
+.Ar port Oc
+.Xc
+Open a connection to the named host.
+If no port number
+is specified,
+.Nm telnet
+will attempt to contact a
+.Tn TELNET
+server at the default port.
+The host specification may be either a host name (see
+.Xr hosts 5 )
+or an Internet address specified in the \*(Lqdot notation\*(Rq (see
+.Xr inet 3 ) .
+The
+.Op Fl l
+option may be used to specify the user name
+to be passed to the remote system via the
+.Ev ENVIRON
+option.
+When connecting to a non-standard port,
+.Nm telnet
+omits any automatic initiation of
+.Tn TELNET
+options. When the port number is preceded by a minus sign,
+the initial option negotiation is done.
+After establishing a connection, the file
+.Pa \&.telnetrc
+in the
+users home directory is opened. Lines beginning with a # are
+comment lines. Blank lines are ignored. Lines that begin
+without white space are the start of a machine entry. The
+first thing on the line is the name of the machine that is
+being connected to. The rest of the line, and successive
+lines that begin with white space are assumed to be
+.Nm telnet
+commands and are processed as if they had been typed
+in manually to the
+.Nm telnet
+command prompt.
+.It Ic quit
+Close any open
+.Tn TELNET
+session and exit
+.Nm telnet .
+An end of file (in command mode) will also close a session and exit.
+.It Ic send Ar arguments
+Sends one or more special character sequences to the remote host.
+The following are the arguments which may be specified
+(more than one argument may be specified at a time):
+.Pp
+.Bl -tag -width escape
+.It Ic abort
+Sends the
+.Dv TELNET ABORT
+(Abort
+processes)
+sequence.
+.It Ic ao
+Sends the
+.Dv TELNET AO
+(Abort Output) sequence, which should cause the remote system to flush
+all output
+.Em from
+the remote system
+.Em to
+the user's terminal.
+.It Ic ayt
+Sends the
+.Dv TELNET AYT
+(Are You There)
+sequence, to which the remote system may or may not choose to respond.
+.It Ic brk
+Sends the
+.Dv TELNET BRK
+(Break) sequence, which may have significance to the remote
+system.
+.It Ic ec
+Sends the
+.Dv TELNET EC
+(Erase Character)
+sequence, which should cause the remote system to erase the last character
+entered.
+.It Ic el
+Sends the
+.Dv TELNET EL
+(Erase Line)
+sequence, which should cause the remote system to erase the line currently
+being entered.
+.It Ic eof
+Sends the
+.Dv TELNET EOF
+(End Of File)
+sequence.
+.It Ic eor
+Sends the
+.Dv TELNET EOR
+(End of Record)
+sequence.
+.It Ic escape
+Sends the current
+.Nm telnet
+escape character (initially \*(Lq^\*(Rq).
+.It Ic ga
+Sends the
+.Dv TELNET GA
+(Go Ahead)
+sequence, which likely has no significance to the remote system.
+.It Ic getstatus
+If the remote side supports the
+.Dv TELNET STATUS
+command,
+.Ic getstatus
+will send the subnegotiation to request that the server send
+its current option status.
+.ne 1i
+.It Ic ip
+Sends the
+.Dv TELNET IP
+(Interrupt Process) sequence, which should cause the remote
+system to abort the currently running process.
+.It Ic nop
+Sends the
+.Dv TELNET NOP
+(No OPeration)
+sequence.
+.It Ic susp
+Sends the
+.Dv TELNET SUSP
+(SUSPend process)
+sequence.
+.It Ic synch
+Sends the
+.Dv TELNET SYNCH
+sequence.
+This sequence causes the remote system to discard all previously typed
+(but not yet read) input.
+This sequence is sent as
+.Tn TCP
+urgent
+data (and may not work if the remote system is a
+.Bx 4.2
+system -- if
+it doesn't work, a lower case \*(Lqr\*(Rq may be echoed on the terminal).
+.It Ic do Ar cmd
+.It Ic dont Ar cmd
+.It Ic will Ar cmd
+.It Ic wont Ar cmd
+Sends the
+.Dv TELNET DO
+.Ar cmd
+sequence.
+.Ar Cmd
+can be either a decimal number between 0 and 255,
+or a symbolic name for a specific
+.Dv TELNET
+command.
+.Ar Cmd
+can also be either
+.Ic help
+or
+.Ic \&?
+to print out help information, including
+a list of known symbolic names.
+.It Ic \&?
+Prints out help information for the
+.Ic send
+command.
+.El
+.It Ic set Ar argument value
+.It Ic unset Ar argument value
+The
+.Ic set
+command will set any one of a number of
+.Nm telnet
+variables to a specific value or to
+.Dv TRUE .
+The special value
+.Ic off
+turns off the function associated with
+the variable, this is equivalent to using the
+.Ic unset
+command.
+The
+.Ic unset
+command will disable or set to
+.Dv FALSE
+any of the specified functions.
+The values of variables may be interrogated with the
+.Ic display
+command.
+The variables which may be set or unset, but not toggled, are
+listed here. In addition, any of the variables for the
+.Ic toggle
+command may be explicitly set or unset using
+the
+.Ic set
+and
+.Ic unset
+commands.
+.Bl -tag -width escape
+.It Ic ayt
+If
+.Tn TELNET
+is in localchars mode, or
+.Dv LINEMODE
+is enabled, and the status character is typed, a
+.Dv TELNET AYT
+sequence (see
+.Ic send ayt
+preceding) is sent to the
+remote host. The initial value for the "Are You There"
+character is the terminal's status character.
+.It Ic echo
+This is the value (initially \*(Lq^E\*(Rq) which, when in
+\*(Lqline by line\*(Rq mode, toggles between doing local echoing
+of entered characters (for normal processing), and suppressing
+echoing of entered characters (for entering, say, a password).
+.It Ic eof
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Rq mode, entering this character
+as the first character on a line will cause this character to be
+sent to the remote system.
+The initial value of the eof character is taken to be the terminal's
+.Ic eof
+character.
+.It Ic erase
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below),
+.Sy and
+if
+.Nm telnet
+is operating in \*(Lqcharacter at a time\*(Rq mode, then when this
+character is typed, a
+.Dv TELNET EC
+sequence (see
+.Ic send
+.Ic ec
+above)
+is sent to the remote system.
+The initial value for the erase character is taken to be
+the terminal's
+.Ic erase
+character.
+.It Ic escape
+This is the
+.Nm telnet
+escape character (initially \*(Lq^[\*(Rq) which causes entry
+into
+.Nm telnet
+command mode (when connected to a remote system).
+.It Ic flushoutput
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic flushoutput
+character is typed, a
+.Dv TELNET AO
+sequence (see
+.Ic send
+.Ic ao
+above)
+is sent to the remote host.
+The initial value for the flush character is taken to be
+the terminal's
+.Ic flush
+character.
+.It Ic forw1
+.It Ic forw2
+If
+.Tn TELNET
+is operating in
+.Dv LINEMODE ,
+these are the
+characters that, when typed, cause partial lines to be
+forwarded to the remote system. The initial value for
+the forwarding characters are taken from the terminal's
+eol and eol2 characters.
+.It Ic interrupt
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic interrupt
+character is typed, a
+.Dv TELNET IP
+sequence (see
+.Ic send
+.Ic ip
+above)
+is sent to the remote host.
+The initial value for the interrupt character is taken to be
+the terminal's
+.Ic intr
+character.
+.It Ic kill
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below),
+.Ic and
+if
+.Nm telnet
+is operating in \*(Lqcharacter at a time\*(Rq mode, then when this
+character is typed, a
+.Dv TELNET EL
+sequence (see
+.Ic send
+.Ic el
+above)
+is sent to the remote system.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic kill
+character.
+.It Ic lnext
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic lnext
+character.
+The initial value for the lnext character is taken to be
+the terminal's
+.Ic lnext
+character.
+.It Ic quit
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic quit
+character is typed, a
+.Dv TELNET BRK
+sequence (see
+.Ic send
+.Ic brk
+above)
+is sent to the remote host.
+The initial value for the quit character is taken to be
+the terminal's
+.Ic quit
+character.
+.It Ic reprint
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic reprint
+character.
+The initial value for the reprint character is taken to be
+the terminal's
+.Ic reprint
+character.
+.It Ic rlogin
+This is the rlogin escape character.
+If set, the normal
+.Tn TELNET
+escape character is ignored unless it is
+preceded by this character at the beginning of a line.
+This character, at the beginning of a line followed by
+a "." closes the connection; when followed by a ^Z it
+suspends the telnet command. The initial state is to
+disable the rlogin escape character.
+.It Ic start
+If the
+.Dv TELNET TOGGLE-FLOW-CONTROL
+option has been enabled,
+then this character is taken to
+be the terminal's
+.Ic start
+character.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic start
+character.
+.It Ic stop
+If the
+.Dv TELNET TOGGLE-FLOW-CONTROL
+option has been enabled,
+then this character is taken to
+be the terminal's
+.Ic stop
+character.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic stop
+character.
+.It Ic susp
+If
+.Nm telnet
+is in
+.Ic localchars
+mode, or
+.Dv LINEMODE
+is enabled, and the
+.Ic suspend
+character is typed, a
+.Dv TELNET SUSP
+sequence (see
+.Ic send
+.Ic susp
+above)
+is sent to the remote host.
+The initial value for the suspend character is taken to be
+the terminal's
+.Ic suspend
+character.
+.ne 1i
+.It Ic tracefile
+This is the file to which the output, caused by
+.Ic netdata
+or
+.Ic option
+tracing being
+.Dv TRUE ,
+will be written. If it is set to
+.Dq Fl ,
+then tracing information will be written to standard output (the default).
+.It Ic worderase
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic worderase
+character.
+The initial value for the worderase character is taken to be
+the terminal's
+.Ic worderase
+character.
+.It Ic \&?
+Displays the legal
+.Ic set
+.Pq Ic unset
+commands.
+.El
+.It Ic slc Ar state
+The
+.Ic slc
+command (Set Local Characters) is used to set
+or change the state of the the special
+characters when the
+.Dv TELNET LINEMODE
+option has
+been enabled. Special characters are characters that get
+mapped to
+.Tn TELNET
+commands sequences (like
+.Ic ip
+or
+.Ic quit )
+or line editing characters (like
+.Ic erase
+and
+.Ic kill ) .
+By default, the local special characters are exported.
+.Bl -tag -width Fl
+.It Ic check
+Verify the current settings for the current special characters.
+The remote side is requested to send all the current special
+character settings, and if there are any discrepancies with
+the local side, the local side will switch to the remote value.
+.It Ic export
+Switch to the local defaults for the special characters. The
+local default characters are those of the local terminal at
+the time when
+.Nm telnet
+was started.
+.It Ic import
+Switch to the remote defaults for the special characters.
+The remote default characters are those of the remote system
+at the time when the
+.Tn TELNET
+connection was established.
+.It Ic \&?
+Prints out help information for the
+.Ic slc
+command.
+.El
+.It Ic status
+Show the current status of
+.Nm telnet .
+This includes the peer one is connected to, as well
+as the current mode.
+.It Ic toggle Ar arguments ...
+Toggle (between
+.Dv TRUE
+and
+.Dv FALSE )
+various flags that control how
+.Nm telnet
+responds to events.
+These flags may be set explicitly to
+.Dv TRUE
+or
+.Dv FALSE
+using the
+.Ic set
+and
+.Ic unset
+commands listed above.
+More than one argument may be specified.
+The state of these flags may be interrogated with the
+.Ic display
+command.
+Valid arguments are:
+.Bl -tag -width Ar
+.It Ic authdebug
+Turns on debugging information for the authentication code.
+.It Ic autoflush
+If
+.Ic autoflush
+and
+.Ic localchars
+are both
+.Dv TRUE ,
+then when the
+.Ic ao ,
+or
+.Ic quit
+characters are recognized (and transformed into
+.Tn TELNET
+sequences; see
+.Ic set
+above for details),
+.Nm telnet
+refuses to display any data on the user's terminal
+until the remote system acknowledges (via a
+.Dv TELNET TIMING MARK
+option)
+that it has processed those
+.Tn TELNET
+sequences.
+The initial value for this toggle is
+.Dv TRUE
+if the terminal user had not
+done an "stty noflsh", otherwise
+.Dv FALSE
+(see
+.Xr stty 1 ) .
+.It Ic autodecrypt
+When the
+.Dv TELNET ENCRYPT
+option is negotiated, by
+default the actual encryption (decryption) of the data
+stream does not start automatically. The autoencrypt
+(autodecrypt) command states that encryption of the
+output (input) stream should be enabled as soon as
+possible.
+.sp
+.Pp
+Note: Because of export controls, the
+.Dv TELNET ENCRYPT
+option is not supported outside the United States and Canada.
+.It Ic autologin
+If the remote side supports the
+.Dv TELNET AUTHENTICATION
+option
+.Tn TELNET
+attempts to use it to perform automatic authentication. If the
+.Dv AUTHENTICATION
+option is not supported, the user's login
+name are propagated through the
+.Dv TELNET ENVIRON
+option.
+This command is the same as specifying
+.Ar a
+option on the
+.Ic open
+command.
+.It Ic autosynch
+If
+.Ic autosynch
+and
+.Ic localchars
+are both
+.Dv TRUE ,
+then when either the
+.Ic intr
+or
+.Ic quit
+characters is typed (see
+.Ic set
+above for descriptions of the
+.Ic intr
+and
+.Ic quit
+characters), the resulting
+.Tn TELNET
+sequence sent is followed by the
+.Dv TELNET SYNCH
+sequence.
+This procedure
+.Ic should
+cause the remote system to begin throwing away all previously
+typed input until both of the
+.Tn TELNET
+sequences have been read and acted upon.
+The initial value of this toggle is
+.Dv FALSE .
+.It Ic binary
+Enable or disable the
+.Dv TELNET BINARY
+option on both input and output.
+.It Ic inbinary
+Enable or disable the
+.Dv TELNET BINARY
+option on input.
+.It Ic outbinary
+Enable or disable the
+.Dv TELNET BINARY
+option on output.
+.It Ic crlf
+If this is
+.Dv TRUE ,
+then carriage returns will be sent as
+.Li <CR><LF> .
+If this is
+.Dv FALSE ,
+then carriage returns will be send as
+.Li <CR><NUL> .
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic crmod
+Toggle carriage return mode.
+When this mode is enabled, most carriage return characters received from
+the remote host will be mapped into a carriage return followed by
+a line feed.
+This mode does not affect those characters typed by the user, only
+those received from the remote host.
+This mode is not very useful unless the remote host
+only sends carriage return, but never line feed.
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic debug
+Toggles socket level debugging (useful only to the
+.Ic super user ) .
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic encdebug
+Turns on debugging information for the encryption code.
+.It Ic localchars
+If this is
+.Dv TRUE ,
+then the
+.Ic flush ,
+.Ic interrupt ,
+.Ic quit ,
+.Ic erase ,
+and
+.Ic kill
+characters (see
+.Ic set
+above) are recognized locally, and transformed into (hopefully) appropriate
+.Tn TELNET
+control sequences
+(respectively
+.Ic ao ,
+.Ic ip ,
+.Ic brk ,
+.Ic ec ,
+and
+.Ic el ;
+see
+.Ic send
+above).
+The initial value for this toggle is
+.Dv TRUE
+in \*(Lqold line by line\*(Rq mode,
+and
+.Dv FALSE
+in \*(Lqcharacter at a time\*(Rq mode.
+When the
+.Dv LINEMODE
+option is enabled, the value of
+.Ic localchars
+is ignored, and assumed to always be
+.Dv TRUE .
+If
+.Dv LINEMODE
+has ever been enabled, then
+.Ic quit
+is sent as
+.Ic abort ,
+and
+.Ic eof and
+.B suspend
+are sent as
+.Ic eof and
+.Ic susp ,
+see
+.Ic send
+above).
+.It Ic netdata
+Toggles the display of all network data (in hexadecimal format).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic options
+Toggles the display of some internal
+.Nm telnet
+protocol processing (having to do with
+.Tn TELNET
+options).
+The initial value for this toggle is
+.Dv FALSE .
+.ne 1i
+.It Ic prettydump
+When the
+.Ic netdata
+toggle is enabled, if
+.Ic prettydump
+is enabled the output from the
+.Ic netdata
+command will be formatted in a more user readable format.
+Spaces are put between each character in the output, and the
+beginning of any
+.Tn TELNET
+escape sequence is preceded by a '*' to aid in locating them.
+.It Ic skiprc
+When the skiprc toggle is
+.Dv TRUE ,
+.Tn TELNET
+skips the reading of the
+.Pa \&.telnetrc
+file in the users home
+directory when connections are opened. The initial
+value for this toggle is
+.Dv FALSE.
+.It Ic termdata
+Toggles the display of all terminal data (in hexadecimal format).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic verbose_encrypt
+When the
+.Ic verbose_encrypt
+toggle is
+.Dv TRUE ,
+.Tn TELNET
+prints out a message each time encryption is enabled or
+disabled. The initial value for this toggle is
+.Dv FALSE.
+Note: Because of export controls, data encryption
+is not supported outside of the United States and Canada.
+.It Ic \&?
+Displays the legal
+.Ic toggle
+commands.
+.El
+.It Ic z
+Suspend
+.Nm telnet .
+This command only works when the user is using the
+.Xr csh 1 .
+.It Ic \&! Op Ar command
+Execute a single command in a subshell on the local
+system. If
+.Ic command
+is omitted, then an interactive
+subshell is invoked.
+.It Ic \&? Op Ar command
+Get help. With no arguments,
+.Nm telnet
+prints a help summary.
+If a command is specified,
+.Nm telnet
+will print the help information for just that command.
+.El
+.Sh ENVIRONMENT
+.Nm Telnet
+uses at least the
+.Ev HOME ,
+.Ev SHELL ,
+.Ev DISPLAY ,
+and
+.Ev TERM
+environment variables.
+Other environment variables may be propagated
+to the other side via the
+.Dv TELNET ENVIRON
+option.
+.Sh FILES
+.Bl -tag -width ~/.telnetrc -compact
+.It Pa ~/.telnetrc
+user customized telnet startup values
+.El
+.Sh HISTORY
+The
+.Nm Telnet
+command appeared in
+.Bx 4.2 .
+.Sh NOTES
+.Pp
+On some remote systems, echo has to be turned off manually when in
+\*(Lqold line by line\*(Rq mode.
+.Pp
+In \*(Lqold line by line\*(Rq mode or
+.Dv LINEMODE
+the terminal's
+.Ic eof
+character is only recognized (and sent to the remote system)
+when it is the first character on a line.
diff --git a/crypto/kerberosIV/man/telnetd.8 b/crypto/kerberosIV/man/telnetd.8
new file mode 100644
index 0000000..b26d8dd
--- /dev/null
+++ b/crypto/kerberosIV/man/telnetd.8
@@ -0,0 +1,527 @@
+.\" Copyright (c) 1983, 1993
+.\" The Regents of the University of California. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by the University of
+.\" California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" @(#)telnetd.8 8.4 (Berkeley) 6/1/94
+.\"
+.Dd June 1, 1994
+.Dt TELNETD 8
+.Os BSD 4.2
+.Sh NAME
+.Nm telnetd
+.Nd DARPA
+.Tn TELNET
+protocol server
+.Sh SYNOPSIS
+.Nm telnetd
+.Op Fl BUhkln
+.Op Fl D Ar debugmode
+.Op Fl S Ar tos
+.Op Fl X Ar authtype
+.Op Fl a Ar authmode
+.Op Fl r Ns Ar lowpty-highpty
+.Op Fl u Ar len
+.Op Fl debug
+.Op Fl L Ar /bin/login
+.Op Ar port
+.Sh DESCRIPTION
+The
+.Nm telnetd
+command is a server which supports the
+.Tn DARPA
+standard
+.Tn TELNET
+virtual terminal protocol.
+.Nm Telnetd
+is normally invoked by the internet server (see
+.Xr inetd 8 )
+for requests to connect to the
+.Tn TELNET
+port as indicated by the
+.Pa /etc/services
+file (see
+.Xr services 5 ) .
+The
+.Fl debug
+option may be used to start up
+.Nm telnetd
+manually, instead of through
+.Xr inetd 8 .
+If started up this way,
+.Ar port
+may be specified to run
+.Nm telnetd
+on an alternate
+.Tn TCP
+port number.
+.Pp
+The
+.Nm telnetd
+command accepts the following options:
+.Bl -tag -width "-a authmode"
+.It Fl a Ar authmode
+This option may be used for specifying what mode should
+be used for authentication.
+Note that this option is only useful if
+.Nm telnetd
+has been compiled with support for the
+.Dv AUTHENTICATION
+option.
+There are several valid values for
+.Ar authmode:
+.Bl -tag -width debug
+.It debug
+Turns on authentication debugging code.
+.It user
+Only allow connections when the remote user
+can provide valid authentication information
+to identify the remote user,
+and is allowed access to the specified account
+without providing a password.
+.It valid
+Only allow connections when the remote user
+can provide valid authentication information
+to identify the remote user.
+The
+.Xr login 1
+command will provide any additional user verification
+needed if the remote user is not allowed automatic
+access to the specified account.
+.It other
+Only allow connections that supply some authentication information.
+This option is currently not supported
+by any of the existing authentication mechanisms,
+and is thus the same as specifying
+.Fl a
+.Cm valid .
+.It otp
+Only allow authenticated connections (as with
+.Fl a
+.Cm user )
+and also logins with one-time passwords (OTPs). This option will call
+login with an option so that only OTPs are accepted. The user can of
+course still type secret information at the prompt.
+.It none
+This is the default state.
+Authentication information is not required.
+If no or insufficient authentication information
+is provided, then the
+.Xr login 1
+program will provide the necessary user
+verification.
+.It off
+This disables the authentication code.
+All user verification will happen through the
+.Xr login 1
+program.
+.El
+.It Fl B
+Ignored.
+.It Fl D Ar debugmode
+This option may be used for debugging purposes.
+This allows
+.Nm telnetd
+to print out debugging information
+to the connection, allowing the user to see what
+.Nm telnetd
+is doing.
+There are several possible values for
+.Ar debugmode:
+.Bl -tag -width exercise
+.It Cm options
+Prints information about the negotiation of
+.Tn TELNET
+options.
+.It Cm report
+Prints the
+.Cm options
+information, plus some additional information
+about what processing is going on.
+.It Cm netdata
+Displays the data stream received by
+.Nm telnetd.
+.It Cm ptydata
+Displays data written to the pty.
+.It Cm exercise
+Has not been implemented yet.
+.El
+.It Fl h
+Disables the printing of host-specific information before
+login has been completed.
+.It Fl k
+.It Fl l
+Ignored.
+.It Fl n
+Disable
+.Dv TCP
+keep-alives. Normally
+.Nm telnetd
+enables the
+.Tn TCP
+keep-alive mechanism to probe connections that
+have been idle for some period of time to determine
+if the client is still there, so that idle connections
+from machines that have crashed or can no longer
+be reached may be cleaned up.
+.It Fl r Ar lowpty-highpty
+This option is only enabled when
+.Nm telnetd
+is compiled for
+.Dv UNICOS.
+It specifies an inclusive range of pseudo-terminal devices to
+use. If the system has sysconf variable
+.Dv _SC_CRAY_NPTY
+configured, the default pty search range is 0 to
+.Dv _SC_CRAY_NPTY;
+otherwise, the default range is 0 to 128. Either
+.Ar lowpty
+or
+.Ar highpty
+may be omitted to allow changing
+either end of the search range. If
+.Ar lowpty
+is omitted, the - character is still required so that
+.Nm telnetd
+can differentiate
+.Ar highpty
+from
+.Ar lowpty .
+.It Fl S Ar tos
+.It Fl u Ar len
+This option is used to specify the size of the field
+in the
+.Dv utmp
+structure that holds the remote host name.
+If the resolved host name is longer than
+.Ar len ,
+the dotted decimal value will be used instead.
+This allows hosts with very long host names that
+overflow this field to still be uniquely identified.
+Specifying
+.Fl u0
+indicates that only dotted decimal addresses
+should be put into the
+.Pa utmp
+file.
+.ne 1i
+.It Fl U
+This option causes
+.Nm telnetd
+to refuse connections from addresses that
+cannot be mapped back into a symbolic name
+via the
+.Xr gethostbyaddr 3
+routine.
+.It Fl X Ar authtype
+This option is only valid if
+.Nm telnetd
+has been built with support for the authentication option.
+It disables the use of
+.Ar authtype
+authentication, and
+can be used to temporarily disable
+a specific authentication type without having to recompile
+.Nm telnetd .
+.It Fl L pathname
+Specify pathname to an alternative login program.
+.El
+.Pp
+.Nm Telnetd
+operates by allocating a pseudo-terminal device (see
+.Xr pty 4 )
+for a client, then creating a login process which has
+the slave side of the pseudo-terminal as
+.Dv stdin ,
+.Dv stdout
+and
+.Dv stderr .
+.Nm Telnetd
+manipulates the master side of the pseudo-terminal,
+implementing the
+.Tn TELNET
+protocol and passing characters
+between the remote client and the login process.
+.Pp
+When a
+.Tn TELNET
+session is started up,
+.Nm telnetd
+sends
+.Tn TELNET
+options to the client side indicating
+a willingness to do the
+following
+.Tn TELNET
+options, which are described in more detail below:
+.Bd -literal -offset indent
+DO AUTHENTICATION
+WILL ENCRYPT
+DO TERMINAL TYPE
+DO TSPEED
+DO XDISPLOC
+DO NEW-ENVIRON
+DO ENVIRON
+WILL SUPPRESS GO AHEAD
+DO ECHO
+DO LINEMODE
+DO NAWS
+WILL STATUS
+DO LFLOW
+DO TIMING-MARK
+.Ed
+.Pp
+The pseudo-terminal allocated to the client is configured
+to operate in \*(lqcooked\*(rq mode, and with
+.Dv XTABS and
+.Dv CRMOD
+enabled (see
+.Xr tty 4 ) .
+.Pp
+.Nm Telnetd
+has support for enabling locally the following
+.Tn TELNET
+options:
+.Bl -tag -width "DO AUTHENTICATION"
+.It "WILL ECHO"
+When the
+.Dv LINEMODE
+option is enabled, a
+.Dv WILL ECHO
+or
+.Dv WONT ECHO
+will be sent to the client to indicate the
+current state of terminal echoing.
+When terminal echo is not desired, a
+.Dv WILL ECHO
+is sent to indicate that
+.Tn telnetd
+will take care of echoing any data that needs to be
+echoed to the terminal, and then nothing is echoed.
+When terminal echo is desired, a
+.Dv WONT ECHO
+is sent to indicate that
+.Tn telnetd
+will not be doing any terminal echoing, so the
+client should do any terminal echoing that is needed.
+.It "WILL BINARY"
+Indicates that the client is willing to send a
+8 bits of data, rather than the normal 7 bits
+of the Network Virtual Terminal.
+.It "WILL SGA"
+Indicates that it will not be sending
+.Dv IAC GA,
+go ahead, commands.
+.It "WILL STATUS"
+Indicates a willingness to send the client, upon
+request, of the current status of all
+.Tn TELNET
+options.
+.It "WILL TIMING-MARK"
+Whenever a
+.Dv DO TIMING-MARK
+command is received, it is always responded
+to with a
+.Dv WILL TIMING-MARK
+.ne 1i
+.It "WILL LOGOUT"
+When a
+.Dv DO LOGOUT
+is received, a
+.Dv WILL LOGOUT
+is sent in response, and the
+.Tn TELNET
+session is shut down.
+.It "WILL ENCRYPT"
+Only sent if
+.Nm telnetd
+is compiled with support for data encryption, and
+indicates a willingness to decrypt
+the data stream.
+.El
+.Pp
+.Nm Telnetd
+has support for enabling remotely the following
+.Tn TELNET
+options:
+.Bl -tag -width "DO AUTHENTICATION"
+.It "DO BINARY"
+Sent to indicate that
+.Tn telnetd
+is willing to receive an 8 bit data stream.
+.It "DO LFLOW"
+Requests that the client handle flow control
+characters remotely.
+.It "DO ECHO"
+This is not really supported, but is sent to identify a 4.2BSD
+.Xr telnet 1
+client, which will improperly respond with
+.Dv WILL ECHO.
+If a
+.Dv WILL ECHO
+is received, a
+.Dv DONT ECHO
+will be sent in response.
+.It "DO TERMINAL-TYPE"
+Indicates a desire to be able to request the
+name of the type of terminal that is attached
+to the client side of the connection.
+.It "DO SGA"
+Indicates that it does not need to receive
+.Dv IAC GA,
+the go ahead command.
+.It "DO NAWS"
+Requests that the client inform the server when
+the window (display) size changes.
+.It "DO TERMINAL-SPEED"
+Indicates a desire to be able to request information
+about the speed of the serial line to which
+the client is attached.
+.It "DO XDISPLOC"
+Indicates a desire to be able to request the name
+of the X windows display that is associated with
+the telnet client.
+.It "DO NEW-ENVIRON"
+Indicates a desire to be able to request environment
+variable information, as described in RFC 1572.
+.It "DO ENVIRON"
+Indicates a desire to be able to request environment
+variable information, as described in RFC 1408.
+.It "DO LINEMODE"
+Only sent if
+.Nm telnetd
+is compiled with support for linemode, and
+requests that the client do line by line processing.
+.It "DO TIMING-MARK"
+Only sent if
+.Nm telnetd
+is compiled with support for both linemode and
+kludge linemode, and the client responded with
+.Dv WONT LINEMODE.
+If the client responds with
+.Dv WILL TM,
+the it is assumed that the client supports
+kludge linemode.
+Note that the
+.Op Fl k
+option can be used to disable this.
+.It "DO AUTHENTICATION"
+Only sent if
+.Nm telnetd
+is compiled with support for authentication, and
+indicates a willingness to receive authentication
+information for automatic login.
+.It "DO ENCRYPT"
+Only sent if
+.Nm telnetd
+is compiled with support for data encryption, and
+indicates a willingness to decrypt
+the data stream.
+.Sh ENVIRONMENT
+.Sh FILES
+.Pa /etc/services
+.br
+.Pa /etc/inittab
+(UNICOS systems only)
+.br
+.Pa /etc/iptos
+(if supported)
+.br
+.Sh "SEE ALSO"
+.Xr telnet 1 ,
+.Xr login 1
+.Sh STANDARDS
+.Bl -tag -compact -width RFC-1572
+.It Cm RFC-854
+.Tn TELNET
+PROTOCOL SPECIFICATION
+.It Cm RFC-855
+TELNET OPTION SPECIFICATIONS
+.It Cm RFC-856
+TELNET BINARY TRANSMISSION
+.It Cm RFC-857
+TELNET ECHO OPTION
+.It Cm RFC-858
+TELNET SUPPRESS GO AHEAD OPTION
+.It Cm RFC-859
+TELNET STATUS OPTION
+.It Cm RFC-860
+TELNET TIMING MARK OPTION
+.It Cm RFC-861
+TELNET EXTENDED OPTIONS - LIST OPTION
+.It Cm RFC-885
+TELNET END OF RECORD OPTION
+.It Cm RFC-1073
+Telnet Window Size Option
+.It Cm RFC-1079
+Telnet Terminal Speed Option
+.It Cm RFC-1091
+Telnet Terminal-Type Option
+.It Cm RFC-1096
+Telnet X Display Location Option
+.It Cm RFC-1123
+Requirements for Internet Hosts -- Application and Support
+.It Cm RFC-1184
+Telnet Linemode Option
+.It Cm RFC-1372
+Telnet Remote Flow Control Option
+.It Cm RFC-1416
+Telnet Authentication Option
+.It Cm RFC-1411
+Telnet Authentication: Kerberos Version 4
+.It Cm RFC-1412
+Telnet Authentication: SPX
+.It Cm RFC-1571
+Telnet Environment Option Interoperability Issues
+.It Cm RFC-1572
+Telnet Environment Option
+.Sh BUGS
+Some
+.Tn TELNET
+commands are only partially implemented.
+.Pp
+Because of bugs in the original 4.2 BSD
+.Xr telnet 1 ,
+.Nm telnetd
+performs some dubious protocol exchanges to try to discover if the remote
+client is, in fact, a 4.2 BSD
+.Xr telnet 1 .
+.Pp
+Binary mode
+has no common interpretation except between similar operating systems
+(Unix in this case).
+.Pp
+The terminal type name received from the remote client is converted to
+lower case.
+.Pp
+.Nm Telnetd
+never sends
+.Tn TELNET
+.Dv IAC GA
+(go ahead) commands. |