1 | \input texinfo |
---|
2 | @input texiplus |
---|
3 | @input smpklug.texi |
---|
4 | @smallbook |
---|
5 | @cropmarks |
---|
6 | @setfilename kerb-devo-man |
---|
7 | |
---|
8 | @setchapternewpage odd |
---|
9 | @settitle Cygnus Network Security |
---|
10 | @titlepage |
---|
11 | @finalout |
---|
12 | @title Cygnus Network Security |
---|
13 | @subtitle Developers Notes for CNS Version 1.0 |
---|
14 | @end titlepage |
---|
15 | @page |
---|
16 | |
---|
17 | |
---|
18 | @ifinfo |
---|
19 | @node Top, Defines, (dir), (dir) |
---|
20 | @top |
---|
21 | |
---|
22 | @menu |
---|
23 | * Defines:: where they need to be |
---|
24 | * Oddities:: little frobs |
---|
25 | * Byte order:: Use of HOST_BYTE_ORDER define |
---|
26 | * ttyent:: use of <ttyent.h> |
---|
27 | * POSIX:: |
---|
28 | * rlogind:: |
---|
29 | * ksrvutil:: |
---|
30 | * gettimeofday:: |
---|
31 | * svr4:: |
---|
32 | * gnu-tools:: |
---|
33 | * Unix:: how to configure and build for Unix |
---|
34 | * Microsoft Windows:: how to configure and build for MS-Windows |
---|
35 | * Macintosh - MPW:: how to configure and build for Macintosh (MPW) |
---|
36 | * Macintosh - Think C:: how to configure and build for Macintosh (Think) |
---|
37 | * Extensions:: Cygnus Extensions to Kerberos V4 |
---|
38 | * Kadmin internals:: Internal data structures of the kadmin protocol |
---|
39 | * Multiple Realms:: Serving multiple realms on one machine, clumsily |
---|
40 | @end menu |
---|
41 | @end ifinfo |
---|
42 | |
---|
43 | @node Defines, |
---|
44 | @chapter Defines |
---|
45 | |
---|
46 | Some defines need to go into the makefile because they are either used |
---|
47 | to decide what header files get included before any common one is, or |
---|
48 | because they're relevant in packages like ss or et that don't include |
---|
49 | kerberos headers. |
---|
50 | |
---|
51 | In May 1994, many defines have been moved out of the @file{Makefile} and |
---|
52 | @file{config/} directory |
---|
53 | into @file{include/c-*.h} files after |
---|
54 | examining |
---|
55 | and/or changing the code that uses them. More could be moved. I was |
---|
56 | trying to make the @samp{cc} command lines short enough that Microloss |
---|
57 | Windows, NMAKE, and DOS could run them. |
---|
58 | |
---|
59 | header stuff that at one pointed needed to be in the makefile (and still |
---|
60 | might): |
---|
61 | @example |
---|
62 | NOTTYENT |
---|
63 | NEED_SYS_FCNTL_H |
---|
64 | POSIX |
---|
65 | KERBEROS |
---|
66 | NCOMPAT |
---|
67 | MAXPATHLEN (since compile_et.c uses it) |
---|
68 | NEED_SYS_TIME_H |
---|
69 | NEED_TIME_H |
---|
70 | WAIT_USES_INT (list_rqs uses it.) |
---|
71 | @end example |
---|
72 | |
---|
73 | @node Oddities |
---|
74 | @chapter Oddities |
---|
75 | |
---|
76 | @samp{gethostid()} is used by @samp{des_random_key} and |
---|
77 | @samp{des_init_random_number_generator}. Apparently hpux 8 has a |
---|
78 | @samp{gethostid} that takes arguments (but it isn't in any man page.) |
---|
79 | |
---|
80 | |
---|
81 | @node POSIX |
---|
82 | @chapter Use of POSIX define |
---|
83 | |
---|
84 | For @samp{flock}: |
---|
85 | |
---|
86 | The POP server uses @samp{POSIX} only to indicate that we don't have |
---|
87 | flock and need to use @samp{emul_flock} instead. |
---|
88 | |
---|
89 | @samp{krb_dbm} uses it to select @samp{fcntl(F_SETLK)} instead of flock. |
---|
90 | |
---|
91 | @samp{tf_util} uses it to choose to define @samp{emul_flock} (based on |
---|
92 | @samp{fcntl(F_SETLK)}.) |
---|
93 | |
---|
94 | @samp{kprop}, @samp{kpropd} use it to select @samp{emul_flock}. |
---|
95 | |
---|
96 | For terminal control: |
---|
97 | |
---|
98 | @file{login.c} uses it for terminal control; rcp mis-uses it for |
---|
99 | @samp{int} vs. @samp{void}. @file{rlogind} uses it for terminal and |
---|
100 | setsid; @file{rlogin} uses it for terminal control and misuses it a |
---|
101 | little bit for wait. |
---|
102 | |
---|
103 | @file{rkinit} uses it for explicit password prompting. |
---|
104 | |
---|
105 | @file{lib/des/read_password.c} uses it for terminal control. |
---|
106 | |
---|
107 | For signal types: |
---|
108 | |
---|
109 | @file{kadm.h} (mis?) uses it for typedef sigtype (@file{int} vs. @file{void}). |
---|
110 | @file{admin_server} uses it for sigtype as well. |
---|
111 | |
---|
112 | @file{get_in_tkt} (mis?)uses it for signal types. |
---|
113 | |
---|
114 | @file{makedepend} (mis)uses it to determine signal types. |
---|
115 | |
---|
116 | |
---|
117 | @node Byte order |
---|
118 | @chapter Use of HOST_BYTE_ORDER define |
---|
119 | |
---|
120 | All of these files are in the @file{lib/krb} subdirectory. |
---|
121 | |
---|
122 | @table @file |
---|
123 | @item cr_err_repl.c |
---|
124 | @itemx cr_auth_repl.c |
---|
125 | @itemx cr_death_pkt.c |
---|
126 | @itemx krb_g_pw_in_tkt.c |
---|
127 | @itemx mk_req.c |
---|
128 | use @samp{HOST_BYTE_ORDER} (as 1 or 0): @code{*t |= HOST_BYTE_ORDER;} |
---|
129 | @item cr_tkt.c |
---|
130 | @code{flags |= HOST_BYTE_ORDER;} |
---|
131 | @item decomp_tkt.c |
---|
132 | @code{if (HOST_BYTE_ORDER != ((*flags >> K_FLAG_ORDER)& 1))} |
---|
133 | @item g_ad_tkt.c |
---|
134 | @itemx krb_g_pw_in_tkt.c |
---|
135 | @itemx kerberos.c |
---|
136 | @code{if (msg_byte_order != HOST_BYTE_ORDER)} |
---|
137 | @item mk_err.c |
---|
138 | @code{*p++ |= HOST_BYTE_ORDER;} |
---|
139 | @item mk_priv.c |
---|
140 | @code{*p++ = AUTH_MSG_PRIVATE | HOST_BYTE_ORDER;} |
---|
141 | @item mk_safe.c |
---|
142 | @code{*p++ = AUTH_MSG_SAFE | HOST_BYTE_ORDER;} |
---|
143 | @item rd_err.c |
---|
144 | @itemx rd_priv.c |
---|
145 | @itemx rd_req.c |
---|
146 | @itemx rd_safe.c |
---|
147 | @code{if ((*p++ & 1) != HOST_BYTE_ORDER)} |
---|
148 | @end table |
---|
149 | |
---|
150 | @node ttyent |
---|
151 | @chapter use of <ttyent.h> |
---|
152 | |
---|
153 | Using @samp{-DNOTTYENT} in a configuration indicates that all ttys are ``secure'' |
---|
154 | for root login. This is reasonable; but some systems have a @file{<ttyent.h>} |
---|
155 | and a @samp{getttynam()} that look in something like @file{/etc/ttytab} for flags |
---|
156 | indicating whether the tty is marked ``secure''. |
---|
157 | |
---|
158 | @node rlogind |
---|
159 | @chapter how to hack on rlogind |
---|
160 | |
---|
161 | (We had some diffs and stuff here, but they weren't set up to format |
---|
162 | properly, and were disabled from printing anyhow.) |
---|
163 | |
---|
164 | @node ksrvutil |
---|
165 | @chapter verify that ksrvutil should add krb_err_base explicitly |
---|
166 | |
---|
167 | ... |
---|
168 | @table @samp |
---|
169 | @item k_isinst(char*) |
---|
170 | checks for a valid instance, in @samp{ext_srvtab, kpasswd, kinit}. |
---|
171 | Changed June 94 by gnu@@cygnus.com to allow @samp{.} as valid char in instances. |
---|
172 | @samp{kparse_name} no longer has to quote it, but especially in a real, |
---|
173 | separated-out instance, it is already ok. |
---|
174 | |
---|
175 | @item k_isname |
---|
176 | same thing, never used unless we *know* it's only a name. |
---|
177 | |
---|
178 | @item k_isrealm |
---|
179 | kdb_init, kpasswd, kinit |
---|
180 | |
---|
181 | @item kcmd.c |
---|
182 | kcmd() calls gethostbyname [on arg?], copies the string, then calls |
---|
183 | krb_realmofhost on the copy. But later, it uses bits of hp... |
---|
184 | |
---|
185 | @item rlogin.c |
---|
186 | main() calls krb_realmofhost on host argument, then |
---|
187 | passes host to kcmd. |
---|
188 | (rcp, rsh also use it.) |
---|
189 | |
---|
190 | @item login.c |
---|
191 | do_krb_login() calls gethostbyname, then copies parts and never |
---|
192 | reuses the value. However, it calls gethostbyname on its argument, |
---|
193 | char *host... but that can only come from getopt. |
---|
194 | |
---|
195 | @item kadm_ser_wrap.c |
---|
196 | kadm_ser_init() calls gethostbyname, copies the addr into |
---|
197 | a static, and drops it |
---|
198 | |
---|
199 | @item kadm_cli_wrap.c |
---|
200 | kadm_init_link() calls gethostbyname, copies the values, |
---|
201 | and returns |
---|
202 | |
---|
203 | @item g_phost.c |
---|
204 | krb_get_phost() calls gethostbyname on argument char*alias, |
---|
205 | may call gethostbyaddr on a *copy* of the args, and returns |
---|
206 | a pointer into space returned by gethostby@{name,addr@}... |
---|
207 | |
---|
208 | @item sendauth.c |
---|
209 | krb_sendauth() calls krb_get_phost() on inst, |
---|
210 | which is a char* argument. (It then strcpy's it.) |
---|
211 | |
---|
212 | @item kcmd.c |
---|
213 | kcmd() calls krb_sendauth() on *ahost, which |
---|
214 | is from host_save... so it is safe... |
---|
215 | |
---|
216 | @item send_to_kdc.c |
---|
217 | send_to_kdc() calls gethostbyname on the value from |
---|
218 | krb_get_krbhst(), copies adress returns, calls send_recv, and |
---|
219 | loops around. |
---|
220 | |
---|
221 | |
---|
222 | |
---|
223 | @item realmofhost.c |
---|
224 | krb_realmofhost() calls krb_get_lrealm, and little else |
---|
225 | |
---|
226 | @item g_krbrlm.c |
---|
227 | krb_get_lrealm() calls stdio functions and nothing else |
---|
228 | |
---|
229 | @end table |
---|
230 | |
---|
231 | @node gettimeofday |
---|
232 | @chapter how gettimeofday differs on various platforms |
---|
233 | |
---|
234 | @table @code |
---|
235 | @item solaris |
---|
236 | @example |
---|
237 | int gettimeofday(struct timeval *tp); |
---|
238 | @end example |
---|
239 | |
---|
240 | A -1 return value indicates that an error occurred and @samp{errno} |
---|
241 | has been set. |
---|
242 | |
---|
243 | @item sunos4.1.3 |
---|
244 | |
---|
245 | @example |
---|
246 | int gettimeofday(tp, tzp) |
---|
247 | struct timeval *tp; |
---|
248 | struct timezone *tzp; |
---|
249 | @end example |
---|
250 | |
---|
251 | returns |
---|
252 | 0 on success; |
---|
253 | -1 on failure and sets @samp{errno} to indicate the error. |
---|
254 | |
---|
255 | @item SCO |
---|
256 | @example |
---|
257 | gettimeofday(tp, tzp) |
---|
258 | struct timeval *tp; |
---|
259 | struct timezone *tzp; |
---|
260 | @end example |
---|
261 | |
---|
262 | A return value of zero indicates that the call succeeded. A return value |
---|
263 | of -1 indicates that an error occurred, and in this case an error code is |
---|
264 | stored in the global variable @samp{errno}. |
---|
265 | |
---|
266 | @end table |
---|
267 | |
---|
268 | |
---|
269 | @node svr4 |
---|
270 | @chapter things that showed up in the svr4 port |
---|
271 | |
---|
272 | SVR4 csh uses TIOCLGET, which is supplied by the @samp{ttcompat} streams driver (i.e., |
---|
273 | it is a BSD-compatibility function) and @samp{ttcompat} isn't pushed on pty's by |
---|
274 | default. Under Solaris, it *is* pushed by default. The @samp{ioctl} isn't needed, |
---|
275 | as evidenced by @samp{tcsh} not using it... |
---|
276 | |
---|
277 | csh: |
---|
278 | @example |
---|
279 | ioctl(18, TCGETA, 0x08047C0A) = 0 |
---|
280 | ioctl(18, TIOCGPGRP, 0x0831EBB4) = 0 |
---|
281 | ioctl(18, TIOCGETD, 0x0831FD64) Err#22 EINVAL |
---|
282 | ioctl(17, (('t'<<8)|124), 0x08047BC0) Err#22 EINVAL |
---|
283 | write(17, " W a r n i n g : n o ".., 64) = 64 |
---|
284 | |
---|
285 | /usr/include/sys/filio.h:#define FIOSETOWN _IOW('f', 124, int) /* set owner */ |
---|
286 | /usr/include/sys/termios.h:#define TIOCLGET (tIOC|124) /* get local modes */ |
---|
287 | /usr/include/sys/ttold.h:#define TIOCLGET (tIOC|124) /* get l |
---|
288 | @end example |
---|
289 | |
---|
290 | @node gnu-tools |
---|
291 | @chapter how to build with *only* GNU tools |
---|
292 | |
---|
293 | config/ms-gnu containing: |
---|
294 | |
---|
295 | @example |
---|
296 | BISON=/usr/latest/bin/byacc |
---|
297 | FLEX=/usr/latest/bin/flex |
---|
298 | LEXLIB=/usr/latest/lib/libfl.a |
---|
299 | TARGET_CDEFS:= $(TARGET_CDEFS) -DNO_YYLINENO |
---|
300 | @end example |
---|
301 | |
---|
302 | then @samp{configure --site=gnu} should be a start. Similar work to hack |
---|
303 | dbm as well. |
---|
304 | |
---|
305 | @node Unix |
---|
306 | @chapter Building Cygnus Kerberos for Unix |
---|
307 | |
---|
308 | This info is replicated in @file{README} in the top level of the |
---|
309 | Kerberos V4 source tree. |
---|
310 | |
---|
311 | @enumerate |
---|
312 | @item |
---|
313 | Unpack the sources; the top level directory will be referred to as |
---|
314 | @samp{$(srcdir)}. |
---|
315 | |
---|
316 | @item |
---|
317 | If you have GNU make, create a build directory somewhere, and refer to it as |
---|
318 | @samp{$(builddir)}; if you don't, @samp{builddir} should be the same as |
---|
319 | @samp{srcdir}. |
---|
320 | |
---|
321 | @item |
---|
322 | Run @samp{cd $(builddir); $(srcdir)/configure}. The path to @samp{$(srcdir)} |
---|
323 | can be relative. See below for options that can be given to @samp{configure}. |
---|
324 | |
---|
325 | @item |
---|
326 | @samp{make all} |
---|
327 | |
---|
328 | @item |
---|
329 | @samp{make install DESTDIR=$(buildir)/DESTDIR} (path must be absolute) |
---|
330 | @end enumerate |
---|
331 | |
---|
332 | Now, @file{./DESTDIR} has a @file{usr/kerberos} tree. Tar it up and save |
---|
333 | it -- this is an installation kit. (@samp{tar cf krb-$(host).tar -C |
---|
334 | DESTDIR usr}) |
---|
335 | |
---|
336 | You can then use the installation instructions in @file{install.texinfo} |
---|
337 | to install it on your system. |
---|
338 | |
---|
339 | You can add options to the @code{configure} command to change the |
---|
340 | behavior of the build process or the compiled software. The currently |
---|
341 | supported options include: |
---|
342 | |
---|
343 | @table @code |
---|
344 | @item --disable-ip-address-validation |
---|
345 | This option will cause the Kerberos library to ignore IP addresses when |
---|
346 | verifying the validity of a received authenticator. (Actually, this |
---|
347 | behavior is controlled by a hidden variable, and this option changes the |
---|
348 | default value of that variable. It is still possible to change that |
---|
349 | variable and re-enable IP address checking.) |
---|
350 | |
---|
351 | This leads to a greatly increased vulnerability to replay attacks, |
---|
352 | especially if your software does not implement a replay cache. None(?) |
---|
353 | of the programs distributed with CNS use replay caches. So we don't |
---|
354 | recommend using this option. |
---|
355 | |
---|
356 | The @samp{--enable} form is available also, but it's the default, so there's no |
---|
357 | point in using it. |
---|
358 | |
---|
359 | @item --enable-xdm |
---|
360 | This option will cause a Kerberos-based version of the X11R5 @samp{xdm} program |
---|
361 | to be built and installed under @file{/usr/kerberos}. The configuration files |
---|
362 | for this version will reside under this directory; they will not be sought in |
---|
363 | @file{/usr/lib/X11}, @file{/usr/X11R5}, or anywhere else. |
---|
364 | |
---|
365 | Since the CNS source tree uses @samp{configure} rather than @samp{imake}, some |
---|
366 | work may be required to get @samp{xdm} working on various systems that the |
---|
367 | original X11R5 version we started with did work on. Currently it works on |
---|
368 | SunOS 4 and Solaris 2; the SCO port may also work. |
---|
369 | |
---|
370 | The @samp{--disable} form is available also, but it's the default, so there's |
---|
371 | no point in using it. |
---|
372 | |
---|
373 | @item --site=athena |
---|
374 | Use MIT/Athena pathnames. Use Hesiod. Don't use this if you aren't Mark |
---|
375 | Eichin or you aren't building on Solaris for MIT. It just won't work. |
---|
376 | |
---|
377 | @item --site=gdbm |
---|
378 | Use the GNU DBM library. |
---|
379 | |
---|
380 | @item --with-x11r5-include=@var{dir} |
---|
381 | @itemx --with-x11r5-lib=@var{dir} |
---|
382 | Specify where X11R5 header files and libraries should be found, if they aren't |
---|
383 | in the default search paths used by the compiler and linker. This option is |
---|
384 | only useful if you are building @samp{xdm}. |
---|
385 | |
---|
386 | @end table |
---|
387 | |
---|
388 | @node Microsoft Windows |
---|
389 | @chapter Cygnus Kerberos for Microsoft Windows |
---|
390 | |
---|
391 | This software runs on Microsoft Windows version 3.1. |
---|
392 | |
---|
393 | The procedure assumes that you have |
---|
394 | Microsoft Visual C/C++ 1.0 |
---|
395 | already installed on |
---|
396 | your PC system and available on your path. |
---|
397 | You need to have loaded the large-model libraries with it. |
---|
398 | Microsoft C 7.0, or Borland C++ x.x might also work with minor tweaks. |
---|
399 | Also, zip must be available |
---|
400 | on the UNIX system and PKUNZIP must be available on the PC system. It |
---|
401 | is also assumed that WINSOCK.DLL is available somewhere on the path. |
---|
402 | |
---|
403 | Building this software for Microsoft Windows requires a special |
---|
404 | configuration procedure at the moment. |
---|
405 | The first part of the procedure assumes that you have |
---|
406 | checked out a version of Kerberos on a UNIX system, while the |
---|
407 | second part, is intended to be performed on a DOS/Windows PC: |
---|
408 | |
---|
409 | @itemize @bullet{} |
---|
410 | @item |
---|
411 | Copy or unpack the source tree. CD to the src directory. |
---|
412 | @item |
---|
413 | @code{make -f Makefile.in kerbsrc.zip} |
---|
414 | |
---|
415 | This builds two files with "awk", then uses a pair of "zip" commands |
---|
416 | to produce a file called kerbsrc.zip |
---|
417 | @item |
---|
418 | Transport kerbsrc.zip to a Windows machine by whatever technique is |
---|
419 | convenient. Move to |
---|
420 | the Windows machine to type the rest of the commands. |
---|
421 | @item |
---|
422 | Make a directory and CD there. |
---|
423 | @item |
---|
424 | Put the kerbsrc.zip file in the new directory. |
---|
425 | @item |
---|
426 | @code{pkunzip -d kerbsrc.zip} |
---|
427 | |
---|
428 | Unpack the kerbsrc.zip file into a directory tree. |
---|
429 | @item |
---|
430 | @code{nmake -c -f makefile.in} |
---|
431 | |
---|
432 | This |
---|
433 | will build the DES library, the KRB library, the KADM library, |
---|
434 | the KSTREAM library, and KERBEROS.DLL, |
---|
435 | KWIN.EXE, and the WINTEL.EXE program in turn. |
---|
436 | Note that due to DOS/Windows |
---|
437 | limitations, any errors are likely |
---|
438 | to leave you in a directory other than the one in which you started. |
---|
439 | @end itemize |
---|
440 | |
---|
441 | NMAKE will produce some warnings about file names that are too long |
---|
442 | and which have been truncated; these can all be ignored. |
---|
443 | |
---|
444 | If you make modifications to the Kerberos source tree and wish to |
---|
445 | migrate those modifications back to UNIX, the following procedure |
---|
446 | should be followed to insure that all shortened file names are |
---|
447 | restored to their proper form. |
---|
448 | The following procedure assumes that you start CDed to the |
---|
449 | top of the KERBEROS source tree on the PC. |
---|
450 | |
---|
451 | @itemize @bullet{} |
---|
452 | @item |
---|
453 | nmake -c clean |
---|
454 | @item |
---|
455 | pkzip -P -r kerbsrc.zip *.* |
---|
456 | @end itemize |
---|
457 | |
---|
458 | Move the kerbsrc.zip file the UNIX system kerberos/src directory by |
---|
459 | whatever technique is convenient. |
---|
460 | |
---|
461 | @itemize @bullet{} |
---|
462 | @item |
---|
463 | unzip -a kerbsrc.zip |
---|
464 | @item |
---|
465 | make -f makefile.in ren2long |
---|
466 | @end itemize |
---|
467 | |
---|
468 | Note that not all Makefile targets have been implemented under |
---|
469 | Windows. In particular, @samp{all} and @samp{clean} are the only targets |
---|
470 | intended to function properly from the command line. Other targets |
---|
471 | may function correctly but have not been tested extensively. |
---|
472 | |
---|
473 | |
---|
474 | The ticket cache |
---|
475 | |
---|
476 | Kerberos for Windows maintains a single ticket cache in the Heap |
---|
477 | segment of the KERBEROS DLL. Whenever a ticket is present in the |
---|
478 | cache, the DLL is locked in memory with a call to LoadLibrary. As a |
---|
479 | result the cache will remain in memory even after the last program |
---|
480 | which uses KERBEROS.DLL has exited. Only when all tickets are |
---|
481 | deleted and all programs which called KERBEROS.DLL have exited, |
---|
482 | will the KERBEROS.DLL library be allowed to unload. |
---|
483 | |
---|
484 | Note that the KERBEROS.DLL file will remain in use while the ticket |
---|
485 | cache contains tickets, making it impossible to overwrite or delete |
---|
486 | the file. |
---|
487 | |
---|
488 | Windows specific implementation |
---|
489 | |
---|
490 | All pointers in the Windows implementation are assumed to be FAR |
---|
491 | pointers. The interface file kerberos.h casts the pointers |
---|
492 | accordingly. |
---|
493 | |
---|
494 | Note that values which are specified as int will be 16 bits under |
---|
495 | Windows. |
---|
496 | |
---|
497 | Due to the need to formally externalize calls from a DLL, a number |
---|
498 | of routines which are only used in kpasswd on UNIX need to be |
---|
499 | made visible outside the KERBEROS.DLL. The routines are used by |
---|
500 | the KWIN program on Windows. These routines reside within the |
---|
501 | kadm library and are not usually called by users. |
---|
502 | |
---|
503 | int kadm_change_pw(des_cblock key); |
---|
504 | |
---|
505 | int kadm_change_pw2(des_cblock key, char *password, |
---|
506 | unsigned char **ret_st); |
---|
507 | |
---|
508 | int kadm_init_link(char *pwserv_name, char *krb_master, |
---|
509 | char *realm); |
---|
510 | |
---|
511 | In addition an API call has been added under Windows to give an |
---|
512 | interactive application notification when the contents of the ticket |
---|
513 | cache change. The call returns the number of the unique message |
---|
514 | which will be sent to all top level windows after the ticket cache |
---|
515 | changes. The KWIN program uses this message to keep its display |
---|
516 | current. The prototype is as follows: |
---|
517 | |
---|
518 | int krb_get_notification_message(void) |
---|
519 | |
---|
520 | |
---|
521 | Time |
---|
522 | |
---|
523 | The Kerberos library operates on the assumption that time begins at |
---|
524 | 00:00 January 1, 1970. All times expected and returned are in these |
---|
525 | units independent of what the C library returns. Note that C7.0 |
---|
526 | starts time at January 1, 1900. |
---|
527 | |
---|
528 | Kerberos reads time from the hardware clock using BIOS interrupt |
---|
529 | 0x1A. This avoids problems with the software clock drifting as the |
---|
530 | system runs. |
---|
531 | |
---|
532 | |
---|
533 | Known problems |
---|
534 | |
---|
535 | WSASetBlockingHook doesn't work in FTP and NetManage WINSOCKs |
---|
536 | This results in non-cancelable calls to gethostname. Both |
---|
537 | companies are working on a fix for me. |
---|
538 | |
---|
539 | NetManage does not have a moveable heap. The NetManage implementation |
---|
540 | of WINSOCK.DLL has a relatively small heap initial heap size (1k) and |
---|
541 | a non-moveable DATA segment, presumably due to the lack of the MOVEABLE |
---|
542 | keyword in the .DEF file used to build the DLL. Windows tries to load |
---|
543 | the users environment into the heap when it initializes a DLL if the |
---|
544 | heap isn't moveable, it may not be possible to grow the heap in order |
---|
545 | to load the DLL, resulting in a load failure of WINSOCK and the program |
---|
546 | which called WINSOCK. |
---|
547 | |
---|
548 | |
---|
549 | Here is later documentation from John Rivlin on the process by which |
---|
550 | the Cygnus 95Q1 WIndows release was built: |
---|
551 | |
---|
552 | Subject: More Windoze stuff |
---|
553 | |
---|
554 | I believe it is now possible to create and distribute the various types of Windows |
---|
555 | deliverables. I tried the windoc target in the doc directory and it didnt seem |
---|
556 | to find a texi2html command. |
---|
557 | |
---|
558 | (Texi2html in /tfm/bin or available at |
---|
559 | @code{http://asis01.cern.ch/infohtml/texi2html.html}. The version we used |
---|
560 | has enhancements (--no-split) beyond the latest public release at this |
---|
561 | time (1.31).) |
---|
562 | |
---|
563 | Following is a description of how to perform the various operations necessary |
---|
564 | to build and distribute CNS for Windows: |
---|
565 | |
---|
566 | How download the source to a Windows machine: |
---|
567 | |
---|
568 | This will create a file called krbsrc.zip which can be downloaded to the PC |
---|
569 | any way you like. Note that the kerbsrc.zip file is the source deliverable |
---|
570 | which should be included on a deliverable floppy. |
---|
571 | |
---|
572 | 1) cd src |
---|
573 | |
---|
574 | 2) make -f Makefile.in kerbsrc.zip |
---|
575 | |
---|
576 | How to unpack the kerbsrc.zip file: |
---|
577 | |
---|
578 | 1) Create a directory on the PC and kerbsrc.zip file in it |
---|
579 | |
---|
580 | 2) pkunzip -d kerbsrc.zip |
---|
581 | |
---|
582 | How to build the binaries on the PC: |
---|
583 | |
---|
584 | This will compile and link all components of the CNS system. |
---|
585 | |
---|
586 | 1) nmake -f Makefile.in |
---|
587 | |
---|
588 | How to build the floppy disk binary distribution files: |
---|
589 | |
---|
590 | This procedure must be run after all compilations and links have |
---|
591 | taken place. The procedure copies all necessary binary files, the |
---|
592 | include files which will be necessary to use CNS in an application |
---|
593 | and the *.TXT and *.HTM files from the DOC directory to a |
---|
594 | directory called FLOPPY. |
---|
595 | |
---|
596 | 1) nmake install |
---|
597 | |
---|
598 | How to build a binary distribution file appropriate for network distribution. |
---|
599 | |
---|
600 | This procedure creates a file called kerbdist.zip which contains |
---|
601 | the files from the floppy directory. |
---|
602 | |
---|
603 | 1) nmake dist |
---|
604 | |
---|
605 | Uploading the sources from a PC back into the unix source tree. |
---|
606 | |
---|
607 | On the PC: |
---|
608 | |
---|
609 | 1) nmake clean |
---|
610 | |
---|
611 | 2) del kerbsrc.zip |
---|
612 | |
---|
613 | 3) pkzip -P -r kerbsrc.zip |
---|
614 | |
---|
615 | Upload the kerbsrc.zip file to the Unix system. |
---|
616 | |
---|
617 | 1) cd src |
---|
618 | |
---|
619 | 2) unzip -a -o kerbsrc.zip |
---|
620 | |
---|
621 | 3) make -f makefile.in ren2long |
---|
622 | |
---|
623 | Note that the floppy directory may be deleted. Also note that |
---|
624 | the that the contents of the doc directory should be moved to |
---|
625 | the doc directory which exists one level above the src directory and |
---|
626 | be deleted from the src directory. |
---|
627 | |
---|
628 | To create a distribution floppy, copy all the files from the FLOPPY |
---|
629 | directory to the root directory of the floppy. Then copy the |
---|
630 | kerbsrc.zip file to the root directory of the floppy. |
---|
631 | |
---|
632 | |
---|
633 | @node Macintosh - MPW |
---|
634 | @chapter Cygnus Kerberos for Macintosh with MPW |
---|
635 | |
---|
636 | This software runs on the Apple Macintosh using MacOS 7.1. |
---|
637 | Parts are known to build with MPW C version 3.2 (so far). |
---|
638 | We used Intercon's NFS implementation to share the files |
---|
639 | between Mac and Unix (rather than copying the tree to Mac after |
---|
640 | running the Unix part of the configuration below), despite its |
---|
641 | various bugs. |
---|
642 | |
---|
643 | At the moment, the driver can only be built in Think C with a |
---|
644 | little help from MPW. Please refer to the next section, which documents |
---|
645 | the Think C build process. If we could get driver data segments working |
---|
646 | in MPW, we could build the whole thing there. |
---|
647 | |
---|
648 | Building this software for Macintosh requires a special |
---|
649 | configuration procedure at the moment. Here it is: |
---|
650 | |
---|
651 | @itemize @bullet{} |
---|
652 | @item |
---|
653 | Copy or unpack the source tree. Change directories to the top-level |
---|
654 | (kerberos) directory. |
---|
655 | @item |
---|
656 | @samp{./configure m68k-apple-macos7.1} |
---|
657 | |
---|
658 | This will produce files throughout the tree called @file{MakeFile} |
---|
659 | for use with MPW. It also leaves a Makefile suitable for Unix use |
---|
660 | as @file{Makefile.uni} in each directory. |
---|
661 | @item |
---|
662 | @samp{make -f Makefile.in unixmac} |
---|
663 | |
---|
664 | This builds a few files that need Unix tools like sed and awk. |
---|
665 | Eventually this will be able to happen on the Mac. |
---|
666 | @item |
---|
667 | Now transfer the directory to the Mac, and move to |
---|
668 | there to type the rest of the commands. |
---|
669 | @item |
---|
670 | @samp{directory lib:des; make} |
---|
671 | |
---|
672 | Make the DES library for Macintosh. |
---|
673 | @item |
---|
674 | @samp{directory ::krb; make} |
---|
675 | |
---|
676 | Make the KRB library for Macintosh. |
---|
677 | @item |
---|
678 | @samp{directory :::kuser; make kinit} |
---|
679 | |
---|
680 | Build the scaffolding test for the software. This is as far as we |
---|
681 | have gotten as I type this. |
---|
682 | |
---|
683 | @end itemize |
---|
684 | |
---|
685 | Eventually a driver and a GUI and other software will be built as part |
---|
686 | of this tree. |
---|
687 | |
---|
688 | @node Macintosh - Think C |
---|
689 | @chapter Cygnus Kerberos for Macintosh with Think C |
---|
690 | |
---|
691 | This software runs on the Apple Macintosh using MacOS 7.1. |
---|
692 | It is known to build with Think C version 6.0 (assisted in spots |
---|
693 | by MPW C version 3.2 and Unix). |
---|
694 | We used Intercon's NFS implementation to share the files |
---|
695 | between Mac and Unix (rather than copying the tree to Mac after |
---|
696 | running the Unix part of the configuration below), despite its |
---|
697 | various bugs. |
---|
698 | |
---|
699 | Building this software for Macintosh requires a special |
---|
700 | configuration procedure (the legendary ``simple 15-step process'') |
---|
701 | at the moment. Here it is: |
---|
702 | |
---|
703 | @table @code |
---|
704 | @item |
---|
705 | Copy or unpack the source tree on a Unix machine. Change |
---|
706 | directories to the top-level (kerberos) directory. |
---|
707 | @item ./configure m68k-apple-macos7.1 |
---|
708 | This will produce files throughout the tree called @file{MakeFile} |
---|
709 | for use with MPW. |
---|
710 | It also leaves a Makefile suitable for Unix use as @file{Makefile.uni} |
---|
711 | in each directory. |
---|
712 | @item @samp{make -f Makefile.in unixmac} |
---|
713 | This builds a few files that need Unix tools like sed and awk. |
---|
714 | Eventually this will be able to happen on the Mac. |
---|
715 | @item |
---|
716 | Now transfer the directory to the Mac, and move to |
---|
717 | there to type the rest of the commands. |
---|
718 | @item |
---|
719 | In order for Lightspeed C to locate the kerberos include files, |
---|
720 | you will need to create aliases for the directories which |
---|
721 | contain them. |
---|
722 | @item |
---|
723 | Open the folder @samp{kerberos/src} and make a new folder there |
---|
724 | named @samp{Aliases}. Make an alias of the @samp{src/include} |
---|
725 | folder and put it into the @samp{Aliases} folder. |
---|
726 | @item |
---|
727 | Open the @samp{src/lib folder}. Hold down the option key and |
---|
728 | move a copy of the @samp{Aliases} folder from @samp{kerberos/src} |
---|
729 | into the @samp{lib/krb} folder and into @samp{the lib/des} folder. |
---|
730 | @item |
---|
731 | Still in the @samp{src/lib folder}, make an alias for the |
---|
732 | @samp{lib/des folder} and for the @samp{lib/krb} folder. Move |
---|
733 | these two aliases into the @samp{Aliases} folder in |
---|
734 | @samp{kerberos/src}. Close the @samp{src/lib} folder. |
---|
735 | @item |
---|
736 | Hold down the option key and move a copy of the @samp{Aliases} folder |
---|
737 | from @samp{kerberos/src}into the @samp{src/driver} directory. Finally |
---|
738 | move the @samp{Aliases} folder from @samp{kerberos/src}into the |
---|
739 | @samp{src/kuser} directory. |
---|
740 | |
---|
741 | |
---|
742 | @item |
---|
743 | Go to the lib/des directory. |
---|
744 | Run Think C on DesLib-project-A4, and select "Bring up to date" from the Project |
---|
745 | menu. Avoid the temptation to select "Build Library", since that doesn't work. |
---|
746 | |
---|
747 | @item |
---|
748 | Go to the lib/krb directory. |
---|
749 | Run Think C on KrbLib-project-A4, "Bring up to date". |
---|
750 | |
---|
751 | @item |
---|
752 | Build a 4-byte ANSI library for use in a driver: In the Think C |
---|
753 | libraries, make a copy of the ANSI-A4 library and rename it |
---|
754 | ANSI-A4-4byte. Open the ANSI-A4-4byte project and select "Source -> |
---|
755 | add files". Scroll down the file list to the "C sources" folder, open |
---|
756 | that folder, select alloc.c, and click the Add button followed by the |
---|
757 | done button. Next select "Edit -> options -> Think C...", click the |
---|
758 | page changer until you see "4 byte ints", select it, and press done. |
---|
759 | Select "Project -> bring up to date". |
---|
760 | |
---|
761 | |
---|
762 | @item |
---|
763 | Go to the driver directory. |
---|
764 | Run MPW in this directory. "make assembly" to build |
---|
765 | assembler language files into object files. |
---|
766 | |
---|
767 | @item |
---|
768 | Still in the driver directory. |
---|
769 | Run Think C on LoadDriver-project, "Build Code Resource" |
---|
770 | Select "Update" and "save" accepting the default file name. |
---|
771 | Run Think C on Driver-project, "Build Device Driver". Select |
---|
772 | smart link and "save" accepting the default file name for the result. |
---|
773 | |
---|
774 | @item |
---|
775 | Run MPW. Change directories to the driver directory, |
---|
776 | and run "make 'CNS Kerberos'" |
---|
777 | to put all the pieces together with rez and SetFile. |
---|
778 | Don't forget the quotes around 'CNS Kerberos'. |
---|
779 | Copy CNS Kerberos to the Extensions folder |
---|
780 | of your startup disk. Reboot. |
---|
781 | |
---|
782 | @c These next two work, but are unnecessary. |
---|
783 | @c @item |
---|
784 | @c Build a 4-byte ANSI library for use in a program: In the Think C |
---|
785 | @c libraries, make a copy of the ANSI library and rename it ANSI-4byte. |
---|
786 | @c Open the ANSI-4byte library. Select "Edit -> options -> Think C...", click the page |
---|
787 | @c changer until you see "4 byte ints", select it and press done. Select |
---|
788 | @c "Project -> bring up to date". |
---|
789 | @c |
---|
790 | @c @item |
---|
791 | @c Go to the kuser directory. |
---|
792 | @c Run Think C on @samp{kinit-stubs-project}, "Build Application". |
---|
793 | @c The resulting program will let you clumsily get initial tickets. |
---|
794 | @c in the default realm, for testing. |
---|
795 | |
---|
796 | @item |
---|
797 | To build the graphical interface to authentication and configuration, |
---|
798 | run MPW and go to the src/kconfig/kconfig directory. Type "make kconfig" and |
---|
799 | execute the resulting commands. The application file this builds, "KConfig", |
---|
800 | can be copied to any location you choose in the file system. |
---|
801 | |
---|
802 | |
---|
803 | @end table |
---|
804 | |
---|
805 | Eventually Telnet will be built as part |
---|
806 | of this tree. At the moment, a binary is checked-in in src/mactelnet. |
---|
807 | |
---|
808 | To package it up for release, on a Unix system after building the Mac, |
---|
809 | go to the top level and type @code{mkdir floppy; make -i install-mac |
---|
810 | DESTDIR=`pwd`/floppy}. Then rename the "floppy" dir to the release name, |
---|
811 | e.g. cns-95q1. You can copy it directly to a floppy, or run the directory |
---|
812 | into StuffIt (in hierarchical "folder" mode so it unpacks into a single |
---|
813 | folder). |
---|
814 | |
---|
815 | Currently we aren't building 'Kerberos Client Preferences' in the |
---|
816 | driver subdirectory; it gets built by actually running the driver and |
---|
817 | adding a realm. This is why you have to use @code{make -i install-mac} |
---|
818 | (and then manually copy Kerberos Client Preferences to the floppy |
---|
819 | directory. This is a driver bug; it should work if there is no |
---|
820 | preferences file (reading the defaults from the CNS Kerberos file's |
---|
821 | resource fork), but it doesn't. |
---|
822 | @c FIXME -- fix this in the driver. |
---|
823 | |
---|
824 | @node Extensions |
---|
825 | @chapter Cygnus Extensions to Kerberos V4 |
---|
826 | |
---|
827 | @menu |
---|
828 | * preauthentication:: Hooks to support Preauthentication in V4 |
---|
829 | @end menu |
---|
830 | |
---|
831 | @node preauthentication |
---|
832 | @section Hooks to support Preauthentication in V4 |
---|
833 | |
---|
834 | There is interest in a simple method of reducing the risk of the offline |
---|
835 | password-guessing attack described originally by Steve Bellovin. While |
---|
836 | Kerberos Version 5 has full preauthentication support, the technique |
---|
837 | described here is of more limited use. |
---|
838 | |
---|
839 | In order to maximize backwards compatibility, the entire protocol change |
---|
840 | consists of one block of data appended to the end of an initial ticket |
---|
841 | request. This preauthentication information will be ignored by a server |
---|
842 | which doesn't support it, resulting in that server providing tickets |
---|
843 | regardless. |
---|
844 | |
---|
845 | In order to provide hooks for user-defined preauthentication, two |
---|
846 | functions have been added to the library. Currently, stub |
---|
847 | implementations that pass the constant string "PREAUTH" are used; these |
---|
848 | will need to be replaced by code that implements the desired |
---|
849 | preauthentication method. |
---|
850 | |
---|
851 | @menu |
---|
852 | * krb_rd_preauth:: Parse preauthentication data. |
---|
853 | * krb_mk_preauth:: Generate preauthentication data. |
---|
854 | * krb_free_preauth:: Deallocate preauthentication data. |
---|
855 | @end menu |
---|
856 | |
---|
857 | @node krb_rd_preauth |
---|
858 | @subsection krb_rd_preauth |
---|
859 | |
---|
860 | @code{krb_rd_preauth} is used by the server to decode a block of |
---|
861 | preauthentication data. It is passed |
---|
862 | @table @samp |
---|
863 | @item pkt |
---|
864 | The original packet as received by the server (since the |
---|
865 | verifying the preauthentication response may depend on knowing what |
---|
866 | ticket is being requested). |
---|
867 | @item preauth_p |
---|
868 | A pointer to the actual preauthentication data. |
---|
869 | @item preauth_len |
---|
870 | The size of the preauthentication data (based on the number of bytes |
---|
871 | remaining in the packet.) |
---|
872 | @end table |
---|
873 | |
---|
874 | This function is only called inside the KDC itself. If it returns a |
---|
875 | non-zero value, the preauthentication is considered to have failed; for |
---|
876 | this purpose, two new protocol error values have been selected: |
---|
877 | @table @samp |
---|
878 | @item KERB_ERR_PREAUTH_SHORT |
---|
879 | The preauthentication data was truncated, based on the length supplied. |
---|
880 | @item KERB_ERR_PREAUTH_MISMATCH |
---|
881 | The preauthentication data was incorrect. |
---|
882 | @end table |
---|
883 | |
---|
884 | The KDC only calls this function if it is invoked with the @samp{-P} |
---|
885 | flag, allowing one KDC to support both preauthenticated and |
---|
886 | non-preauthenticated operation. |
---|
887 | |
---|
888 | @node krb_mk_preauth |
---|
889 | @subsection krb_mk_preauth |
---|
890 | |
---|
891 | @code{krb_mk_preauth} is used by other functions in the kerberos library |
---|
892 | to produce a preauthentication block. It is passed |
---|
893 | |
---|
894 | @table @samp |
---|
895 | @item preauth_p |
---|
896 | Pointer to preauthentication block, passed by reference, initialized |
---|
897 | (and allocated) by this function. |
---|
898 | @item preauth_len |
---|
899 | Length of preauthentication block (in bytes), passed by reference, |
---|
900 | initialized by this function. |
---|
901 | @item key_proc |
---|
902 | Function that creates the key; arguments are four strings (user, |
---|
903 | instance, realm, password) and a C_block (key) which is filled in with |
---|
904 | the actual key. |
---|
905 | @item aname |
---|
906 | Name of ticket requested. Possibly useful in generating |
---|
907 | preauthentication data. |
---|
908 | @item inst |
---|
909 | Instance of ticket requested. Possibly useful in generating |
---|
910 | preauthentication data. |
---|
911 | @item realm |
---|
912 | Realm in which ticket was requested. Possibly useful in generating |
---|
913 | preauthentication data. |
---|
914 | @item password |
---|
915 | Password string, if already supplied, or NULL. |
---|
916 | @item key |
---|
917 | Key (C_Block) if already supplied, or NULL. |
---|
918 | @end table |
---|
919 | |
---|
920 | This function is only called from @samp{krb_get_pw_in_tkt_preauth} which |
---|
921 | is used by @samp{kinit -p} and @samp{krb_get_svc_in_tkt_preauth} which |
---|
922 | is used by @samp{krb_svc_init_preauth} or directly by clients which need |
---|
923 | to generate their own tickets. |
---|
924 | |
---|
925 | @node krb_free_preauth |
---|
926 | @subsection krb_free_preauth |
---|
927 | |
---|
928 | Finally, @code{krb_free_preauth} cleans up any storage allocated by |
---|
929 | @code{krb_mk_preauth} after the preauthentication data is sent to the |
---|
930 | KDC. It is passed |
---|
931 | @table @samp |
---|
932 | @item preauth_p |
---|
933 | Pointer to preauthentication data. |
---|
934 | @item preauth_len |
---|
935 | Length of preauthentication data. |
---|
936 | @end table |
---|
937 | |
---|
938 | It is called from both places that @samp{krb_mk_preauth} is, immediately |
---|
939 | after the values are used. |
---|
940 | |
---|
941 | @node Kadmin internals |
---|
942 | @chapter Internal data structures of the kadmin protocol |
---|
943 | |
---|
944 | This information is from @file{src/kadmin/Design.txt}. |
---|
945 | |
---|
946 | This node attempts to present the internal functioning of the kerberos |
---|
947 | admin server and interface. |
---|
948 | |
---|
949 | Outer interface (programmers interface) |
---|
950 | |
---|
951 | @samp{kadm_mod_entry(vals *old_dat, vals *new_dat)} returns @samp{vals *cur_dat} |
---|
952 | |
---|
953 | Sends a command telling the server to change all entries which match |
---|
954 | old_dat to entries matching new_dat. |
---|
955 | Returns in cur_dat the actual current values of the modified records. |
---|
956 | implemented with calls to @samp{_vals_to_stream, _send_out, _take_in, and |
---|
957 | _stream_to_vals, _interpret_ret}. |
---|
958 | |
---|
959 | Inner calls: |
---|
960 | |
---|
961 | @samp{_vals_to_stream (vals *, unsigned char *)} |
---|
962 | |
---|
963 | Converts a vals structure to a byte stream for transmission over the net. |
---|
964 | |
---|
965 | @samp{_stream_to_vals (unsigned char *, vals *)} |
---|
966 | |
---|
967 | Converts a byte stream recieved into a vals structure. |
---|
968 | |
---|
969 | @node Multiple Realms |
---|
970 | @chapter Serving multiple realms from one server |
---|
971 | |
---|
972 | (This has a different emphasis than the existing documentation as it |
---|
973 | covers specifically those features which deal with serving multiple |
---|
974 | realms off of one machine. Little of this will be of interest to someone |
---|
975 | setting up a standard release in @file{/usr/kerberos}.) |
---|
976 | |
---|
977 | Choose a database pathname. This is a full pathname for a dbm database |
---|
978 | file; if you use, for example, @file{/site/db/test} then the various programs |
---|
979 | will open @file{/site/db/test.dir} and @file{/site/db/test.pag} as needed. |
---|
980 | |
---|
981 | If you'll be using @samp{kstash} in order to start the KDC and @samp{kadmind} unattended, |
---|
982 | choose a location to stash the key. By default, @file{/.k} is used, but other |
---|
983 | values may make more sense (especially when not running the server as root). |
---|
984 | |
---|
985 | Choose a port number. If you're not running the KDC or @samp{kadmind} as root, |
---|
986 | then you must choose a port number above 1023; the default, 750, requires |
---|
987 | that the server be run as root. If you are running multiple servers |
---|
988 | on the same host, keep in mind that you're reserving two numbers, the |
---|
989 | given one for the KDC, and the one immediately above it for the kadmind. |
---|
990 | (If you are setting up a slave server, the slave itself won't be running |
---|
991 | a kadmind and thus doesn't need this additional port.) |
---|
992 | |
---|
993 | Choose a location to store logs. You may have privacy needs that determine |
---|
994 | more specifically where these need to be stored. There is a seperate |
---|
995 | log file for the kdc and for the kadmind. |
---|
996 | |
---|
997 | If you're running @samp{kadmind}, choose a location to store the access control |
---|
998 | lists it uses to authorize administrators. This is a directory, which will |
---|
999 | contain the files @file{admin_acl.add}, @file{admin_acl.mod}, and @file{admin_acl.get}. |
---|
1000 | |
---|
1001 | Choose a location for the @file{krb.conf} configuration file. Normally, applications |
---|
1002 | will look for @file{/usr/kerberos/lib/krb.conf}. If you can't use that location, |
---|
1003 | set the environment variable @samp{KRB_CONF} to the pathname you chose. |
---|
1004 | [bug: support for handling the @file{krb.realms} file the same way is currently |
---|
1005 | absent.] |
---|
1006 | |
---|
1007 | Also, as in a normal setup, you'll need to choose a realm name. |
---|
1008 | |
---|
1009 | The necessary commands will follow. Note that lines beginning with @samp{#} are |
---|
1010 | not commands but comments; lines begining with @samp{%} are @samp{csh} commands, and |
---|
1011 | intervening text is usually input to those commands. |
---|
1012 | |
---|
1013 | @example |
---|
1014 | # Choices made, per above: |
---|
1015 | # database path: /site/krb/db/test |
---|
1016 | # master key stash: /site/krb/stash/test |
---|
1017 | # kadmind acl path: /site/krb/acl/test |
---|
1018 | # port number: 3882 |
---|
1019 | # log path: /site/krb/log/ |
---|
1020 | # krb.conf: /site/krb/krb.conf |
---|
1021 | # realm name: TEST.CH |
---|
1022 | # server hostname: beech |
---|
1023 | # |
---|
1024 | # First, set up krb.conf. |
---|
1025 | % setenv KRB_CONF /site/krb/krb.conf |
---|
1026 | % cat > $KRB_CONF |
---|
1027 | TEST.CH |
---|
1028 | TEST.CH beech:3882 admin server |
---|
1029 | ^D |
---|
1030 | % kdb_init TEST.CH /site/krb/db/test |
---|
1031 | % kstash -k /site/krb/stash/test -d /site/krb/db/test |
---|
1032 | % kdb_edit -n -k /site/krb/stash/test /site/krb/db/test |
---|
1033 | # If you'll be running kadmin, then simply add one user's admin instance |
---|
1034 | # here; we'll call it "ebs.admin" for now. |
---|
1035 | # If you won't be running kadmin, then add all of your keys here. |
---|
1036 | # If you'll be running kprop, be sure not to forget the rcmd entry. |
---|
1037 | # |
---|
1038 | % kerberos -P -i -k /site/krb/stash/test -l /site/krb/log/krb.log -u 3882 /site/krb/db/test & |
---|
1039 | # |
---|
1040 | # Note that -P causes the kdc to reject requests without preauthentication, |
---|
1041 | # and that -i causes it to ignore ip addresses in authenticators (this should |
---|
1042 | # only be used when you're forwarding tickets around deliberately.) |
---|
1043 | # Note also that the database is the last argument, it doesn't have a specifier. |
---|
1044 | # |
---|
1045 | % cat > /site/krb/acl/test/admin_acl.add |
---|
1046 | ebs.admin@@TEST.CH |
---|
1047 | ^D |
---|
1048 | % cp /site/krb/acl/test/admin_acl.add /site/krb/acl/test/admin_acl.mod |
---|
1049 | % cp /site/krb/acl/test/admin_acl.add /site/krb/acl/test/admin_acl.get |
---|
1050 | % kadmind -k /site/krb/stash/test -n -d /site/krb/db/test -u 3882 -a /site/krb/acl/test -f /site/krb/log/test & |
---|
1051 | # |
---|
1052 | # Note in particular that -u 3882 matches the argument given to the kdc... |
---|
1053 | # since the client has to calculate the real port number from the one given |
---|
1054 | # in the log file, we have the kadmind calculate it too. |
---|
1055 | # |
---|
1056 | % kadmin -p -u ebs |
---|
1057 | # |
---|
1058 | # Here, the -p is needed only because we started the kdc with -P. |
---|
1059 | # The -u ebs causes us to use the name "ebs.admin"; if we were using an |
---|
1060 | # account with the unix login name ebs, we could have skipped that argument. |
---|
1061 | # |
---|
1062 | ank rcmd.beech |
---|
1063 | # add_new_key tells kadmin to add a new key to the database under a given |
---|
1064 | # name. rcmd is used for rlogin, rsh, and kprop, so we add it now to cover |
---|
1065 | # kprop. |
---|
1066 | @end example |
---|
1067 | @bye |
---|