1 | \input texinfo |
---|
2 | |
---|
3 | @finalout |
---|
4 | @setfilename kerb-man |
---|
5 | |
---|
6 | @ifinfo |
---|
7 | |
---|
8 | @emph{Cygnus Network Security |
---|
9 | ---User and Administrator Documentation for CNS Version 1,} |
---|
10 | by Cygnus Support. |
---|
11 | |
---|
12 | CNS includes man pages and software developed at the Massachusetts |
---|
13 | Institute of Technology, which includes this copyright information: |
---|
14 | |
---|
15 | Copyright @copyright{} 1989 by the Massachusetts Institute of Technology |
---|
16 | |
---|
17 | @quotation |
---|
18 | Export of software employing encryption from the United States of |
---|
19 | America is assumed to require a specific license from the United |
---|
20 | States Government. It is the responsibility of any person or |
---|
21 | organization contemplating export to obtain such a license before |
---|
22 | exporting. |
---|
23 | @end quotation |
---|
24 | |
---|
25 | WITHIN THAT CONSTRAINT, permission to use, copy, modify, and |
---|
26 | distribute this software and its documentation for any purpose and |
---|
27 | without fee is hereby granted, provided that the above copyright |
---|
28 | notice appear in all copies and that both that copyright notice and |
---|
29 | this permission notice appear in supporting documentation, and that |
---|
30 | the name of M.I.T. not be used in advertising or publicity pertaining |
---|
31 | to distribution of the software without specific, written prior |
---|
32 | permission. M.I.T. makes no representations about the suitability of |
---|
33 | this software for any purpose. It is provided ``as is'' without express |
---|
34 | or implied warranty. |
---|
35 | |
---|
36 | Copyright @copyright{} 1991, 1992, 1994, 1995 Cygnus Support |
---|
37 | |
---|
38 | Permission is granted to make and distribute verbatim copies of |
---|
39 | this manual provided the copyright notice and this permission |
---|
40 | notice are preserved on all copies. |
---|
41 | |
---|
42 | @ignore |
---|
43 | Permission is granted to process this file through TeX and print the |
---|
44 | results, provided the printed document carries a copying permission |
---|
45 | notice identical to this one except for the removal of this paragraph |
---|
46 | (this paragraph not being relevant to the printed manual). |
---|
47 | |
---|
48 | @end ignore |
---|
49 | |
---|
50 | |
---|
51 | Permission is granted to copy and distribute modified versions of this |
---|
52 | manual under the conditions for verbatim copying, provided also that |
---|
53 | the entire resulting derived work is distributed under the terms of a |
---|
54 | permission notice identical to this one. |
---|
55 | |
---|
56 | Permission is granted to copy and distribute translations of this manual |
---|
57 | into another language, under the above conditions for modified versions. |
---|
58 | @end ifinfo |
---|
59 | |
---|
60 | @setchapternewpage odd |
---|
61 | @settitle Cygnus Network Security |
---|
62 | @titlepage |
---|
63 | @finalout |
---|
64 | @title Cygnus Network Security |
---|
65 | @subtitle User and Administrator Documentation for CNS Version 1 |
---|
66 | @sp 2 |
---|
67 | @subtitle January 1995 |
---|
68 | @vfill |
---|
69 | @author Mark Eichin |
---|
70 | @author Pat McGregor |
---|
71 | @author Cygnus Support |
---|
72 | |
---|
73 | @page |
---|
74 | |
---|
75 | @vskip 0pt plus 1filll |
---|
76 | |
---|
77 | @emph{Cygnus Network Security |
---|
78 | ---User and Administrator Documentation for CNS Version 1,} |
---|
79 | by Cygnus Support. |
---|
80 | |
---|
81 | CNS includes man pages and software developed at the Massachusetts |
---|
82 | Institute of Technology, which includes this copyright information: |
---|
83 | |
---|
84 | Copyright @copyright{} 1989 by the Massachusetts Institute of Technology |
---|
85 | |
---|
86 | @quotation |
---|
87 | Export of software employing encryption from the United States of |
---|
88 | America is assumed to require a specific license from the United |
---|
89 | States Government. It is the responsibility of any person or |
---|
90 | organization contemplating export to obtain such a license before |
---|
91 | exporting. |
---|
92 | @end quotation |
---|
93 | |
---|
94 | WITHIN THAT CONSTRAINT, permission to use, copy, modify, and |
---|
95 | distribute this software and its documentation for any purpose and |
---|
96 | without fee is hereby granted, provided that the above copyright |
---|
97 | notice appear in all copies and that both that copyright notice and |
---|
98 | this permission notice appear in supporting documentation, and that |
---|
99 | the name of M.I.T. not be used in advertising or publicity pertaining |
---|
100 | to distribution of the software without specific, written prior |
---|
101 | permission. M.I.T. makes no representations about the suitability of |
---|
102 | this software for any purpose. It is provided ``as is'' without express |
---|
103 | or implied warranty. |
---|
104 | |
---|
105 | Copyright @copyright{} 1992, 1994, 1995 Cygnus Support. |
---|
106 | |
---|
107 | Permission is granted to make and distribute verbatim copies of |
---|
108 | this manual provided the copyright notice and this permission notice |
---|
109 | are preserved on all copies. |
---|
110 | |
---|
111 | Permission is granted to copy and distribute modified versions of this |
---|
112 | manual under the conditions for verbatim copying, provided also that |
---|
113 | the entire resulting derived work is distributed under the terms of a |
---|
114 | permission notice identical to this one. |
---|
115 | |
---|
116 | Permission is granted to copy and distribute translations of this manual |
---|
117 | into another language, under the above conditions for modified versions. |
---|
118 | @end titlepage |
---|
119 | |
---|
120 | @ifinfo |
---|
121 | @node Top |
---|
122 | @top Cygnus Network Security |
---|
123 | |
---|
124 | @menu |
---|
125 | * Introduction:: A brief introduction to CNS |
---|
126 | * User Programs:: General user applications |
---|
127 | * Config Decisions:: Finding current realm and other realms |
---|
128 | * Administration Tools:: Managing a realm |
---|
129 | * Daemons:: Providing Kerberos-based services |
---|
130 | * Glossary:: A brief description of Kerberos terms |
---|
131 | * Authors:: authors and contributors |
---|
132 | * Appendix:: SecureNet Key Authentication Device |
---|
133 | @end menu |
---|
134 | @end ifinfo |
---|
135 | |
---|
136 | @node Introduction |
---|
137 | @chapter Introduction |
---|
138 | |
---|
139 | @menu |
---|
140 | * CNS Description:: How does CNS work? |
---|
141 | * Bibliography:: Where to get more information |
---|
142 | @end menu |
---|
143 | |
---|
144 | @quotation |
---|
145 | @emph{@strong{Kerberos} The three-headed dog @dots{} guards the entrance |
---|
146 | to Hades. He kept the living from entering the infernal regions@dots{}} |
---|
147 | @end quotation |
---|
148 | |
---|
149 | @emph{---Dictionary of Classical Mythology--Zimmerman} |
---|
150 | |
---|
151 | Today more than ever, system administrators must balance the ease and |
---|
152 | convenience of Internet access, against the need for system security and |
---|
153 | confidentiality. There are many tools that can be used to reach and |
---|
154 | manipulate information at remote sites. Unscrupulous users can pervert |
---|
155 | these tools to gain unauthorized access to connected systems. It is |
---|
156 | relatively easy, for example, to steal login IDs and unencrypted |
---|
157 | passwords passing over the network during remote logins by legitimate |
---|
158 | users. |
---|
159 | |
---|
160 | Popular networking programs such as @code{rlogin}, @code{rsh}, and |
---|
161 | @code{rcp}, were developed when there were few machines on the network, |
---|
162 | and those were owned and managed by central organizations rather than |
---|
163 | individuals. At that time, the Internet was primarily a research |
---|
164 | network, and it was reasonable to trust a machine's indication that it |
---|
165 | was being used by a particular person. |
---|
166 | |
---|
167 | This is no longer the case. There are now millions of inexpensive, |
---|
168 | individually owned, machines on the network. In the current Internet |
---|
169 | environment, it is no longer prudent to trust individual machines over |
---|
170 | the network. There is no assurance that such machines have adequately |
---|
171 | verified their users, nor even that the machine is not being |
---|
172 | impersonated by another. |
---|
173 | |
---|
174 | Cygnus Support developed Cygnus Network Security (CNS) to provide strong |
---|
175 | system access security, with minimal impact on users' ease of access. |
---|
176 | Using Kerberos Version 4 encryption and client-server technology, CNS |
---|
177 | assures that user identities can be checked securely without |
---|
178 | transmitting passwords in clear over the network. |
---|
179 | |
---|
180 | @node CNS Description |
---|
181 | @section How does CNS work? |
---|
182 | |
---|
183 | CNS is based on Kerberos. Kerberos uses a single trusted server, which |
---|
184 | other systems access over the network. The Kerberos server |
---|
185 | @dfn{authenticates} users and application servers. It guarantees that |
---|
186 | authorized users are who they say they are. Kerberos sends this |
---|
187 | information is sent across the network encrypted. Each user and |
---|
188 | application server has a unique secret encryption key it shares with the |
---|
189 | Kerberos server. These secret keys are based on the password of the |
---|
190 | user or application server. Kerberos never sends passwords across the |
---|
191 | network in the clear (unencrypted). Even if an attacker could examine |
---|
192 | all data sent across the network, the attacker would not be able to |
---|
193 | learn these passwords.@footnote{Kerberos authentication assumes the |
---|
194 | Kerberos server is secure. If an attacker gains superuser access to the |
---|
195 | machine, the attacker may be able to masquerade as an authorized user.} |
---|
196 | |
---|
197 | Kerberos provides users with @samp{tickets} they can use to identify |
---|
198 | themselves to application servers. A ticket is a sequence of several |
---|
199 | hundred bytes encrypted for a particular user and application. Kerberos |
---|
200 | tickets can be embedded in most network protocol.@footnote{Practically |
---|
201 | speaking, Kerberos is mostly used in application-level protocols [ISO |
---|
202 | model level 7], such as TELNET or FTP, to provide user to host security. |
---|
203 | It is also used as the implicit authentication system of data stream |
---|
204 | [such as SOCK_STREAM] or RPC mechanisms [ISO model level 6]. It could |
---|
205 | also be used at a lower level for host to host security, in protocols |
---|
206 | like IP, UDP, or TCP [ISO model levels 3 and 4]. Such implementations |
---|
207 | are rare, if they exist at all.} Users must decrypt the tickets, using |
---|
208 | their correct passwords, before the tickets can be used.@footnote{All |
---|
209 | cryptographic manipulations are done by programs; all the CNS user has |
---|
210 | to do is enter a password.} The tickets also contain temporary secret |
---|
211 | cryptographic keys (session keys) that permit secure communications |
---|
212 | during individual transactions in addition to secure authentication. |
---|
213 | This is important if you must type a password on the remote machine. |
---|
214 | Using encryption ensures that an attacker watching the network does not |
---|
215 | know what you type. Encryption is optional because it is |
---|
216 | computationally intensive, and thus slower. |
---|
217 | |
---|
218 | Generally, the first ticket you get from the server is a |
---|
219 | @dfn{ticket-granting ticket}. It provides authentication to the |
---|
220 | Kerberos server and permits users to get more tickets without having to |
---|
221 | enter their passwords repeatedly. (Kerberos keeps user passwords in |
---|
222 | memory only long enough to obtain ticket-granting tickets.) After the |
---|
223 | ticket-granting ticket, subsequent tickets are issued automatically by |
---|
224 | the Kerberos server at the request of CNS applications. For example, if |
---|
225 | you run the CNS @code{rlogin} program, which starts a login shell on a |
---|
226 | remote machine, you automatically get a ticket for the @code{rlogin} |
---|
227 | service on the remote machine. The @code{klogind} daemon running on the |
---|
228 | remote machine accepts the ticket as proof of identify and permits the |
---|
229 | login (if CNS has been installed on the remote |
---|
230 | machine).@footnote{Neither users nor application servers know each |
---|
231 | others' cryptographic keys.} |
---|
232 | |
---|
233 | There are Kerberos versions of other familiar network utilities such as |
---|
234 | @code{rlogin}, @code{rcp} and @code{rsh}. The @code{klogind} daemon is |
---|
235 | an example of an @dfn{application server}. Each application server has |
---|
236 | a cryptographic keys with which to authenticate itself to the Kerberos |
---|
237 | server.@footnote{Cryptographic keys are kept in a file (normally |
---|
238 | @file{/etc/krb-srvtab}) on each machine which hosts application servers. |
---|
239 | If an attacker becomes a superuser on a remote machine, the attacker can |
---|
240 | replace the CNS daemon programs with programs that, for example, record |
---|
241 | everything the user types. This can only be done for application |
---|
242 | servers which do not perform mutual authentication. In general, the CNS |
---|
243 | suite of programs perform mutual authentication when using encryption, |
---|
244 | but not otherwise.} |
---|
245 | |
---|
246 | Currently, CNS does not support authentication forwarding. In other |
---|
247 | words, if users use @code{rlogin} to login to a remote host, they cannot |
---|
248 | use Kerberos services from that host unless they are authenticated on it |
---|
249 | (for instance with @code{kinit}). The user can obtain Kerberos tickets |
---|
250 | on the remote host by running CNS programs there in the usual fashion, |
---|
251 | but this requires typing a password. Since this password is transmitted |
---|
252 | over the network, this should only be done when using an encrypted |
---|
253 | connection. |
---|
254 | |
---|
255 | NOTE: Because CNS software contains DES encryption technology and |
---|
256 | provides it as a user-callable facility, it may not be exported from the |
---|
257 | US without a special license from the US Department of Commerce. |
---|
258 | |
---|
259 | @node Bibliography |
---|
260 | @section Bibliography |
---|
261 | |
---|
262 | The papers listed below have good background information on the Kerberos |
---|
263 | protocol and its use in a network environment. The Internet archive |
---|
264 | information, when known, is listed at the end of the citation. This is |
---|
265 | by no means an exhaustive list of information about Kerberos. Interested |
---|
266 | systems administrators should consider reading the Usenet group |
---|
267 | @emph{comp.protocols.kerberos}. |
---|
268 | |
---|
269 | @noindent |
---|
270 | Jennifer G. Steiner, Clifford Neuman, Jeffrey I. Schiller. |
---|
271 | ``Kerberos: An Authentication Service for Open Network Systems,'' |
---|
272 | @cite{USENIX Mar 1988}. @file{athena-dist.mit.edu:pub/kerberos/doc/usenix.PS} |
---|
273 | |
---|
274 | @noindent |
---|
275 | S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. Saltzer, |
---|
276 | ``Kerberos Authentication and Authorization System,'' 12/21/87. |
---|
277 | |
---|
278 | @noindent |
---|
279 | R. M. Needham and M. D. Schroeder, ``Using Encryption for |
---|
280 | Authentication in Large Networks of Computers,'' @cite{Communications of the |
---|
281 | ACM}, Vol. 21(12), pp. 993-999 (December, 1978). |
---|
282 | |
---|
283 | @noindent |
---|
284 | V. L. Voydock and S. T. Kent, ``Security Mechanisms in High-Level |
---|
285 | Network Protocols,'' @cite{Computing Surveys}, Vol. 15(2), ACM (June 1983). |
---|
286 | |
---|
287 | @noindent |
---|
288 | Li Gong, ``A Security Risk of Depending on Synchronized Clocks,'' |
---|
289 | @cite{Operating Systems Review}, Vol 26, #1, pp 49--53. |
---|
290 | |
---|
291 | @noindent |
---|
292 | S.M. Bellovin and M. Merritt, ``Limitations of the Kerberos |
---|
293 | Authentication System,'' @cite{USENIX Jan 1991}. @* |
---|
294 | @file{research.att.com: dist/internet_security/kerblimit.usenix.ps} |
---|
295 | |
---|
296 | @noindent |
---|
297 | Refik Molva, Gene Tsudik, Els Van Herreweghen, and Stefano |
---|
298 | Zatti, ``KryptoKnight Authentication and Key Distribution System.'' |
---|
299 | @file{jerico.usc.edu: pub/gene/kryptoknight.ps.Z} |
---|
300 | |
---|
301 | @noindent |
---|
302 | C. Neumann and J. Kohl, ``The Kerberos(tm) Network |
---|
303 | Authentication Service (V5),'' September 1993. RFC1510. |
---|
304 | |
---|
305 | @noindent |
---|
306 | Barry Jaspan, @code{<bjaspan@@security.ov.com>}, compiler. @cite{Kerberos |
---|
307 | Users' Frequently Asked Questions}, January 18, 1994. |
---|
308 | |
---|
309 | |
---|
310 | @c @subsubheading RESTRICTIONS |
---|
311 | @c COPYRIGHT 1985,1986 Massachusetts Institute of Technology |
---|
312 | |
---|
313 | @node User Programs |
---|
314 | @chapter User Programs |
---|
315 | |
---|
316 | @menu |
---|
317 | * CNS Intro:: Why do you need CNS? |
---|
318 | * Initial Steps:: Getting registered in CNS |
---|
319 | * CNS for the User:: CNS for the User |
---|
320 | * Replacements:: replacements for familiar network utilities |
---|
321 | * Ticket Management Commands:: Kerberos-specific ticket management tools |
---|
322 | @end menu |
---|
323 | |
---|
324 | @node CNS Intro |
---|
325 | @section Why do you need CNS? |
---|
326 | |
---|
327 | As a network user accessing data on a remote machine, you want to be |
---|
328 | certain that your password can only be used by you. If you are hooked |
---|
329 | into a remote machine with a direct connection, or a modem on a single |
---|
330 | phone line linked into your remote machine, you can be relatively |
---|
331 | confident that your password is secure. However, if you use an |
---|
332 | Ethernet-linked network, or use the Internet to access a remote host, |
---|
333 | your password is at risk. As we said in the introduction, one of the |
---|
334 | easiest ways for your security to be compromised is by the theft of your |
---|
335 | password and login ID. Passwords and IDs can be stolen fairly easily by |
---|
336 | using monitoring equipment on a network link. |
---|
337 | |
---|
338 | CNS Kerberos technology allows you to be validated locally, rather than |
---|
339 | having to send your passwords and login IDs over the network. You |
---|
340 | authenticate yourself locally to a Kerberos server, which vouches for |
---|
341 | your authenticity with the remote host. The remote host then lets you |
---|
342 | use Kerberos versions of familiar remote login programs such as |
---|
343 | @code{rlogin}. |
---|
344 | |
---|
345 | @node Initial Steps |
---|
346 | @section Initial Steps |
---|
347 | |
---|
348 | Before you can use CNS, you must be registered in the Kerberos database. |
---|
349 | If you are not sure if you are registered in the database, you may use |
---|
350 | the @code{kinit} (@pxref{kinit}) command to find out. This command |
---|
351 | tries to get you a Kerberos `ticket-granting ticket' |
---|
352 | (@pxref{Tickets,,Kerberos Tickets}). @code{kinit} prompts you for a |
---|
353 | principal name and password (for more information about Kerberos |
---|
354 | principal names, @pxref{Principal names,,Your Kerberos principal name}). |
---|
355 | If the Kerberos server issues you a ticket-granting ticket, you have |
---|
356 | already been registered. |
---|
357 | |
---|
358 | If you enter your username and @code{kinit} responds with this message: |
---|
359 | @smallexample |
---|
360 | Principal unknown (kerberos) |
---|
361 | @end smallexample |
---|
362 | @noindent |
---|
363 | you have not been registered as a Kerberos user. See your system |
---|
364 | administrator. |
---|
365 | |
---|
366 | When your system administrator registers you in the CNS database, you |
---|
367 | get a Kerberos username and password. Many people use a different |
---|
368 | password for Kerberos authentication than for their general system |
---|
369 | login. This is done to increase security. |
---|
370 | |
---|
371 | @node CNS for the User |
---|
372 | @section CNS for the User |
---|
373 | |
---|
374 | @menu |
---|
375 | * Tickets:: What are Kerberos tickets? |
---|
376 | * Ticket management:: Using the commands `kinit' and `kdestroy' |
---|
377 | * Passwords:: Kerberos password changing |
---|
378 | * Principal names:: Your Kerberos principal name |
---|
379 | * Remote access:: Remote login, shell, copy (secured by Kerberos) |
---|
380 | @end menu |
---|
381 | |
---|
382 | @node Tickets |
---|
383 | @subsection Kerberos Tickets |
---|
384 | |
---|
385 | When you authenticate yourself with Kerberos through the @code{kinit} |
---|
386 | command, Kerberos gives you a special ticket called a `ticket-granting |
---|
387 | ticket.' (Kerberos tickets are encrypted protocol messages that provide |
---|
388 | authentication.) This special ticket allows you to get tickets for |
---|
389 | application servers without having to enter your password again. The |
---|
390 | ticket-granting ticket can be used to get tickets for network utilities |
---|
391 | such as @code{rlogin} and @code{rcp}. The ticket transactions are done |
---|
392 | transparently, so you do not have to worry about their management. |
---|
393 | |
---|
394 | For security reasons, tickets expire. This protects against users |
---|
395 | accidentally leaving ticket files around on unattended |
---|
396 | machines@footnote{Privileged tickets, such as @samp{root instance} |
---|
397 | tickets, expire in a few minutes, while tickets that carry more ordinary |
---|
398 | privileges may be good for several hours or a day, depending on the |
---|
399 | installation's policy.}. If your login session extends beyond the time |
---|
400 | limit of your ticket-granting ticket, you have to re-authenticate |
---|
401 | yourself to Kerberos to get a new one. Use the @code{kinit} command to |
---|
402 | re-authenticate yourself. |
---|
403 | |
---|
404 | If you use the @code{kinit} command to get your tickets, make sure you |
---|
405 | use the @code{kdestroy} command to destroy your tickets before you end |
---|
406 | your login session. You should probably put the @code{kdestroy} command |
---|
407 | in your @file{.logout} file so that your tickets is destroyed |
---|
408 | automatically when you logout. For more information about the |
---|
409 | @code{kinit} and @code{kdestroy} commands, see @ref{kinit} and |
---|
410 | @ref{kdestroy}. |
---|
411 | |
---|
412 | @node Ticket management |
---|
413 | @subsection Command specifics: @code{kinit}, @code{kdestroy}, @code{klist} |
---|
414 | |
---|
415 | @code{kinit} (@pxref{kinit,,@code{kinit}---Kerberos login utility}) |
---|
416 | requests an initial ticket-granting ticket from Kerberos, then prompts |
---|
417 | for your password and uses it to decrypt the ticket. By default, this |
---|
418 | ticket is valid for ten hours (to cover a typical eight hour workday). |
---|
419 | The ticket is stored in a file in @file{/tmp/tkt@var{uid}} (where |
---|
420 | @var{uid} specifies your identification number) on the local machine. |
---|
421 | |
---|
422 | @code{kdestroy} (@pxref{kdestroy,,@code{kdestroy}---destroy Kerberos |
---|
423 | ticket}) purges the contents of your ticket file and then deletes the |
---|
424 | file itself, to prevent any later users from using the tickets to access |
---|
425 | services. |
---|
426 | |
---|
427 | @code{klist} (@pxref{klist,,@code{klist}---list currently held tickets}) |
---|
428 | shows what tickets you currently have and when they are due to expire. |
---|
429 | This is most useful for determining if you even have tickets, and for |
---|
430 | various debugging purposes. |
---|
431 | |
---|
432 | @node Passwords |
---|
433 | @subsection Changing your password |
---|
434 | |
---|
435 | All the general rules for passwords apply to your CNS authentication |
---|
436 | password. Obviously, they should not be words found in standard |
---|
437 | dictionaries, names of people related to you or with whom you have a |
---|
438 | relationship, numbers like your phone number or social security number. |
---|
439 | Gibberish or nonsense syllables that you can easily remember make good |
---|
440 | passwords. In general, you should choose a password that is easy for |
---|
441 | you to remember, yet difficult for others to guess. (For more |
---|
442 | information on choosing a good password, see your system administrator.) |
---|
443 | No matter how well constructed, passwords should be changed once in |
---|
444 | awhile to provide greater security. |
---|
445 | |
---|
446 | @code{kpasswd} (@pxref{kpasswd,,@code{kpasswd}---changing Kerberos |
---|
447 | passwords}) allows you to change your Kerberos authentication password, |
---|
448 | which may be different from the one you use to log in to your local |
---|
449 | machine. |
---|
450 | |
---|
451 | @node Principal names |
---|
452 | @subsection Your Kerberos principal name |
---|
453 | |
---|
454 | Every Kerberos user and application server has a Kerberos principal |
---|
455 | name. Principal names are of the form @samp{principal.instance@@realm}. |
---|
456 | The following are all valid Kerberos principal names. |
---|
457 | |
---|
458 | @example |
---|
459 | harry |
---|
460 | tina.root |
---|
461 | lmb@@barryar.navy.mil |
---|
462 | rlogin.miles@@barryar.navy.mil |
---|
463 | @end example |
---|
464 | |
---|
465 | @noindent The @var{primary} name is the name of the user on the |
---|
466 | service. Other names may use the same user's ID on another system, or |
---|
467 | trusted users on the same or other systems. The @var{instance} is |
---|
468 | used to distinguish among variations on the principal name. For |
---|
469 | users, the instance is usually null, but if used may indicate special |
---|
470 | privileges, such as ``root'' privileges. In many environments, the |
---|
471 | instance is usually the name of the machine on which the server runs. |
---|
472 | @var{realm} is usually the business or institution at which the |
---|
473 | machine is located. If no realm is given, the local realm is assumed. |
---|
474 | In the example above, @var{rlogin.miles,} is the @code{rlogin} server |
---|
475 | on the machine @samp{miles}. In the example @var{harry}, the |
---|
476 | principal is the local realm where the server is running. |
---|
477 | |
---|
478 | @node Remote access |
---|
479 | @subsection Remote access to hosts (secured by Kerberos) |
---|
480 | |
---|
481 | CNS provides enhanced versions of the Berkeley r-programs. If you are |
---|
482 | familiar with the Berkeley programs, it will be easy for you to use the |
---|
483 | CNS versions. (If you are not familiar with these programs, they are |
---|
484 | described in @ref{Replacements}). |
---|
485 | |
---|
486 | The Berkeley @code{rlogin} program has been enhanced to use Kerberos to |
---|
487 | secure the connection. Kerberos' @code{rlogin} looks the same as a |
---|
488 | standard or system @code{rlogin} session, except that it trusts your |
---|
489 | tickets rather than the host you are on. Your @file{.rhosts} file no |
---|
490 | longer is used; instead, the system automatically trusts you, and |
---|
491 | optionally anyone whose Kerberos name you include in your @file{.klogin} |
---|
492 | file. |
---|
493 | |
---|
494 | For more information on the @code{klogin} file, see @ref{rlogin,.klogin |
---|
495 | files}. |
---|
496 | |
---|
497 | The @code{-x} option may be used with @code{rlogin} to encrypt the |
---|
498 | current session, so that it can not be monitored by anyone with access |
---|
499 | to the network. (Though session encryption is recommended for security |
---|
500 | reasons, this is an option, not the default. You must specify @code{-x} |
---|
501 | if you want your session to be encrypted.) |
---|
502 | |
---|
503 | @code{rsh} has been enhanced in the same way that @code{rlogin} has, |
---|
504 | except that the @code{-x} option is not supported. |
---|
505 | |
---|
506 | @code{rcp} has been enhanced in the same way @code{rlogin} has. The |
---|
507 | @samp{-x} option may be used to encrypt the file copy. For example, |
---|
508 | |
---|
509 | @smallexample |
---|
510 | rcp -x @var{datafile remotehost:remotedatafile} |
---|
511 | @end smallexample |
---|
512 | |
---|
513 | @noindent |
---|
514 | securely copies @var{datafile} to @var{remotehost}, without exposing the |
---|
515 | data on the network. (If either file is not on a local disk, if, for |
---|
516 | example, it is on a Network File System (NFS) file system, then it could |
---|
517 | be exposed to the network during NFS access). |
---|
518 | |
---|
519 | @node Replacements |
---|
520 | @section Replacements for Familiar Network Facilities |
---|
521 | @menu |
---|
522 | * rlogin:: Kerberos remote login |
---|
523 | * rsh:: Kerberos remote shell |
---|
524 | * rcp:: Kerberos remote copy |
---|
525 | * pfrom:: Post Office `from' |
---|
526 | * tftp:: trivial file transfer program |
---|
527 | @end menu |
---|
528 | |
---|
529 | Many standard system facilities have CNS/Kerberos counterparts. Once |
---|
530 | you have set up a Kerberized session, you should set up your path names |
---|
531 | to use Kerberos facilities instead of the ordinary system facilities. |
---|
532 | Some users create macros such as @code{krlogin} and @code{krcp} to use |
---|
533 | the correct Kerberos versions. If you do not know how to set up macros |
---|
534 | or how to set up your pathnames so that the correct Kerberos facilities |
---|
535 | are used, see your system administrator. |
---|
536 | |
---|
537 | @node rlogin |
---|
538 | @subsection @code{rlogin}---Kerberos remote login |
---|
539 | |
---|
540 | @code{rlogin} connects your terminal on the current local host system |
---|
541 | @var{lhost} to the remote host system @var{rhost}. |
---|
542 | |
---|
543 | @subsubheading SYNOPSIS |
---|
544 | @smallexample |
---|
545 | rlogin @var{rhost} [-ec] [-8] [-c] [-C] [-a] [-t @var{termtype}] |
---|
546 | [-n] [-7] [-d] [-k @var{realm}] [-x] [-noflow] |
---|
547 | [-flow] [-L] [-l @var{username}] |
---|
548 | @var{rhost} [-ec] [-8] [-c] [-C] [-a] [-t @var{termtype}] |
---|
549 | [-n] [-7] [-d] [-k @var{realm}] [-x] [-noflow] [-flow] |
---|
550 | [-L] [-l @var{username}] |
---|
551 | @end smallexample |
---|
552 | |
---|
553 | @c @subsubheading DESCRIPTION |
---|
554 | |
---|
555 | The version built to use Kerberos authentication is very similar to the |
---|
556 | standard Berkeley @code{rlogin}(1), except that instead of the |
---|
557 | @file{rhosts} mechanism, it uses Kerberos authentication to determine |
---|
558 | whether a user is authorized to use the remote account. |
---|
559 | |
---|
560 | Each user may have a private authorization list in a file @file{.klogin} |
---|
561 | in his login directory. This file functions much like the |
---|
562 | @file{.rhosts} file; it allows non-local users to access the Kerberos |
---|
563 | service on the machine where the @file{.klogin} file exists. For |
---|
564 | example, user @samp{joe@@EAT.COM} would normally not be permitted to log |
---|
565 | in to machines in the @samp{MUSSELS.COM} realm. However, Joe's friend |
---|
566 | @samp{bertha@@MUSSELS.COM} can create a @file{.klogin} file in her home |
---|
567 | directory, that contains the line @samp{joe@@EAT.COM}. This allows Joe |
---|
568 | to log in as Bertha to Bertha's machine, even though does not have a |
---|
569 | ticket identifying him as Bertha. |
---|
570 | |
---|
571 | Each line in this file should contain a Kerberos principal name of the |
---|
572 | form @samp{principal.instance@@realm}. The following are all valid |
---|
573 | Kerberos principal names. |
---|
574 | |
---|
575 | @example |
---|
576 | harry |
---|
577 | tina.root |
---|
578 | lmb@@barryar.navy.mil |
---|
579 | rlogin.miles@@barryar.navy.mil |
---|
580 | @end example |
---|
581 | |
---|
582 | For more information about Kerberos principal names, see @ref{Principal |
---|
583 | names,,Your Kerberos principal name}. |
---|
584 | |
---|
585 | If the originating user is authenticated to one of the principals named |
---|
586 | in @file{.klogin}, access is granted to the account. The principal |
---|
587 | @samp{@var{accountname}@@@var{localrealm}} is granted access if there is |
---|
588 | no @file{.klogin} file. Otherwise, a login and password is prompted for |
---|
589 | on the remote machine as in @code{login}(1). To avoid security |
---|
590 | problems, the @file{.klogin} file must be owned by the remote user. |
---|
591 | |
---|
592 | If there is some problem in gathering the Kerberos authentication |
---|
593 | information, an error message is printed and the standard UCB |
---|
594 | @code{rlogin} is executed in place of the Kerberos @code{rlogin}. This |
---|
595 | permits the use of the same @code{rlogin} command to connect to hosts |
---|
596 | that do not use CNS, as well as to host which do. |
---|
597 | |
---|
598 | A line of the form `@kbd{~.}' disconnects from the remote host, where |
---|
599 | `@kbd{~}' is the escape character. Similarly, the line `@kbd{~^Z}' |
---|
600 | (where `@kbd{^Z}', `@kbd{Control-Z}', is the suspend character) suspends |
---|
601 | the @code{rlogin} session. Substitution of the delayed suspend |
---|
602 | character (normally `@kbd{^Y})' for the suspend character suspends the |
---|
603 | send portion of the @code{rlogin}, but allows output from the remote |
---|
604 | system. |
---|
605 | |
---|
606 | The remote terminal type is the same as your local terminal type (as |
---|
607 | given in your environment @samp{TERM} variable), unless the @samp{-t} |
---|
608 | option is specified (see below). The terminal or window size is also |
---|
609 | copied to the remote system if the server supports the option, and |
---|
610 | changes in size are reflected as well. |
---|
611 | |
---|
612 | All echoing takes place at the remote site, so that the @code{rlogin} is |
---|
613 | transparent (except for delays). Flow control via `@kbd{^S}' and |
---|
614 | `@kbd{^Q}' and flushing of input and output on interrupts are handled |
---|
615 | properly. |
---|
616 | |
---|
617 | The @samp{-8} option allows an eight-bit input data path at all times; |
---|
618 | otherwise parity bits are stripped except when the remote site's stop |
---|
619 | and start characters are other than `@kbd{^S}'/`@kbd{^Q}'. Eight-bit |
---|
620 | mode is the default. |
---|
621 | |
---|
622 | The @samp{-L} option allows the @code{rlogin} session to be run in |
---|
623 | @samp{litout} mode (see @samp{man stty}). |
---|
624 | |
---|
625 | The @samp{-e} option allows specification of an escape character other |
---|
626 | than @kbd{~}. There is no space separating this option flag and the new |
---|
627 | escape character. If the @samp{-e} option is used without specifying a |
---|
628 | character, then there is no escape character. |
---|
629 | |
---|
630 | The @samp{-c} option requires confirmation before disconnecting via |
---|
631 | `@kbd{~.}'. Normally, `@kbd{~.}' causes @code{rlogin} to exit |
---|
632 | immediately. |
---|
633 | |
---|
634 | The @samp{-a} option forces the remote machine to ask for a password by |
---|
635 | sending a null local username. This option has no effect unless the |
---|
636 | standard UCB @code{rlogin} is executed in place of the Kerberos |
---|
637 | @code{rlogin} (see above). |
---|
638 | |
---|
639 | The @samp{-t} option replaces the terminal type passed to the remote |
---|
640 | host with @var{termtype}. |
---|
641 | |
---|
642 | The @samp{-n} option prevents suspension of rlogin via `@kbd{~^Z}' or |
---|
643 | `@kbd{~^Y}'. |
---|
644 | |
---|
645 | The @samp{-7} option forces seven-bit transmissions. |
---|
646 | |
---|
647 | The @samp{-d} option turns on socket debugging (via |
---|
648 | @samp{setsockopt}(2)) on the TCP sockets used for communication with the |
---|
649 | remote host. |
---|
650 | |
---|
651 | The @samp{-noflow} option forces transmission of flow control characters |
---|
652 | (`@kbd{^S}'/`@kbd{^Q}') to the remote system. This is now the default; |
---|
653 | @samp{-flow} enables local handling of `@kbd{^S}'/`@kbd{^Q}'. |
---|
654 | |
---|
655 | The @samp{-k} option requests @code{rlogin} to obtain tickets for the |
---|
656 | remote host in realm @var{realm} instead of the remote host's realm as |
---|
657 | determined by @code{krb_realmofhost}. |
---|
658 | |
---|
659 | The @samp{-x} option turns on DES encryption for all data passed via the |
---|
660 | @code{rlogin} session. This significantly reduces response time and |
---|
661 | significantly increases CPU utilization. |
---|
662 | |
---|
663 | @ignore |
---|
664 | @subsubheading SEE ALSO |
---|
665 | @table @ref |
---|
666 | @item rsh |
---|
667 | @item Kerberos |
---|
668 | @item krb_sendauth |
---|
669 | @item krb_realmofhost |
---|
670 | @end table |
---|
671 | @code{rlogin}(1) [UCB version] |
---|
672 | |
---|
673 | @subsubheading FILES |
---|
674 | @table @file |
---|
675 | @item /usr/hosts/* |
---|
676 | for rhost version of the command |
---|
677 | @end table |
---|
678 | |
---|
679 | @subsubheading BUGS |
---|
680 | |
---|
681 | More of the environment should be propagated. |
---|
682 | |
---|
683 | @end ignore |
---|
684 | |
---|
685 | |
---|
686 | @node rsh |
---|
687 | @subsection @code{rsh}---Kerberos remote shell |
---|
688 | |
---|
689 | @code{rsh} connects to the specified host, and executes the specified |
---|
690 | @var{command}. |
---|
691 | |
---|
692 | @c @subsubheading SYNOPSIS |
---|
693 | @smallexample |
---|
694 | rsh @var{host} [-l @var{username}] [-n] [-d] [-k @var{realm}] [-p @var{port}] |
---|
695 | @var{command} |
---|
696 | @var{host} [-l @var{username}] [-n] [-d] [-k @var{realm}] [-p @var{port}] |
---|
697 | @var{command} |
---|
698 | @end smallexample |
---|
699 | @c @subsubheading DESCRIPTION |
---|
700 | |
---|
701 | @code{rsh} copies its standard input to the remote command, the standard |
---|
702 | output of the remote command to its standard output, and the standard |
---|
703 | error of the remote command to its standard error. @samp{Interrupt}, |
---|
704 | @samp{quit} and @samp{terminate} signals are propagated to the remote |
---|
705 | command; @code{rsh} normally terminates when the remote command does. |
---|
706 | |
---|
707 | The remote @var{username} used is the same as your local username, |
---|
708 | unless you specify a different remote name with the @samp{-l} option. |
---|
709 | Kerberos authentication is used, and authorization is determined as in |
---|
710 | @ref{rlogin}. |
---|
711 | |
---|
712 | The @samp{-k} @var{realm} option causes @code{rsh} to obtain tickets for |
---|
713 | the remote host in @var{realm} instead of the remote host's realm as |
---|
714 | determined by @code{krb_realmofhost}. |
---|
715 | |
---|
716 | The @samp{-d} option turns on socket debugging (via |
---|
717 | @samp{setsockopt}(2)) on the TCP sockets used for communication with the |
---|
718 | remote host. |
---|
719 | |
---|
720 | The @samp{-n} option redirects input from the special device |
---|
721 | @file{/dev/null}. |
---|
722 | |
---|
723 | If you are using @code{csh}(1) and put a @code{rsh}(1) in the background |
---|
724 | without redirecting its input away from the terminal, it blocks even if |
---|
725 | no reads are posted by the remote command. Use this option if no input |
---|
726 | is desired. |
---|
727 | |
---|
728 | The @samp{-p} @var{port} option sets the TCP port number to use. This |
---|
729 | option is not normally used, but can be helpful when testing. |
---|
730 | |
---|
731 | If you omit @var{command}, then instead of executing a single command, |
---|
732 | you are logged in on the remote host using @code{rlogin}. |
---|
733 | |
---|
734 | Shell meta-characters which are not in quotes are interpreted on local |
---|
735 | machine, while meta-characters in quotes are interpreted on the remote |
---|
736 | machine. Thus the command |
---|
737 | @smallexample |
---|
738 | rsh @var{otherhost} cat @var{remotefile} >> @var{localfile} |
---|
739 | @end smallexample |
---|
740 | @noindent |
---|
741 | appends the remote file @var{remotefile} to the local file @var{localfile}, |
---|
742 | while |
---|
743 | @smallexample |
---|
744 | rsh @var{otherhost} cat @var{remotefile} ``>>'' @var{otherremotefile} |
---|
745 | @end smallexample |
---|
746 | |
---|
747 | @noindent |
---|
748 | appends @var{remotefile} (on the other host) to @var{otherremotefile} |
---|
749 | (also on the other host). |
---|
750 | |
---|
751 | On some systems, the host names for local machines are also commands in |
---|
752 | the directory @file{/usr/hosts}; if you put this directory in your |
---|
753 | search path then the @code{rsh} on the command line can be |
---|
754 | omitted. While it is impractical to maintain such a collection, it may |
---|
755 | be useful to make yourself a directory, add it to your path, and put |
---|
756 | symbolic links into it that point to @file{/usr/kerberos/bin/rsh}. |
---|
757 | |
---|
758 | @ignore |
---|
759 | |
---|
760 | @subsubheading FILES |
---|
761 | @table @file |
---|
762 | @item /etc/hosts |
---|
763 | @item /usr/hosts/* |
---|
764 | @end table |
---|
765 | |
---|
766 | @subsubheading SEE ALSO |
---|
767 | @table @ref |
---|
768 | @item rlogin |
---|
769 | @item Kerberos |
---|
770 | @item krb_sendauth |
---|
771 | @item krb_realmofhost |
---|
772 | @end table |
---|
773 | |
---|
774 | @subsubheading BUGS |
---|
775 | |
---|
776 | You cannot run an interactive command (like @samp{rogue}(6) or |
---|
777 | @samp{vi}(1)); use @ref{rlogin}. |
---|
778 | |
---|
779 | Stop signals stop the local @code{rsh} process only; this is arguably |
---|
780 | wrong, but currently hard to fix for reasons too complicated to explain |
---|
781 | here. |
---|
782 | @end ignore |
---|
783 | |
---|
784 | @node rcp |
---|
785 | @subsection @code{rcp}---Kerberos remote file copy |
---|
786 | |
---|
787 | @var{rcp} copies files between machines. |
---|
788 | |
---|
789 | @c @subsubheading SYNOPSIS |
---|
790 | @smallexample |
---|
791 | rcp [-p] [-x] [-k @var{realm}] [-N] [-P @var{port}] @var{file1} @var{file2} |
---|
792 | rcp [-p] [-x] [-k @var{realm}] [-r] [-N] [-P @var{port}] |
---|
793 | @var{file} @dots{} @var{directory} |
---|
794 | @end smallexample |
---|
795 | |
---|
796 | @c @subsubheading DESCRIPTION |
---|
797 | Each file or directory argument is either a remote file name of the form |
---|
798 | @var{rhost}@samp{:}@var{path}, or a local file name (containing no |
---|
799 | @samp{:} characters, or a @samp{/} before any @samp{:}s). |
---|
800 | |
---|
801 | If the @samp{-r} option is specified and any of the source files are |
---|
802 | directories, @code{rcp} copies each subtree rooted at that name; in this |
---|
803 | case the destination must be a directory. |
---|
804 | |
---|
805 | By default, the mode and owner of @var{file2} are preserved if it |
---|
806 | already existed; otherwise the mode of the source file modified by the |
---|
807 | @code{umask}(2) on the destination host is used. The @samp{-p} option |
---|
808 | causes @code{rcp} to attempt to preserve (duplicate) in its copies the |
---|
809 | modification times and modes of the source files, ignoring the umask. |
---|
810 | |
---|
811 | If path is not a full path name, it is interpreted relative to your |
---|
812 | login directory on @code{rhost}. A path on a remote host may be quoted |
---|
813 | (using @samp{\}, @samp{"}, or @samp{'}) so that the meta-characters are |
---|
814 | interpreted remotely. |
---|
815 | |
---|
816 | @code{rcp} does not prompt for passwords; it uses Kerberos |
---|
817 | authentication when connecting to @var{rhost}. Authorization is as |
---|
818 | described in @ref{rlogin}. |
---|
819 | |
---|
820 | The @samp{-x} option selects encryption of all information transferred |
---|
821 | between hosts. The @samp{-k} @var{realm} option causes @code{rcp} to |
---|
822 | obtain tickets for the remote host in @var{realm} instead of the remote |
---|
823 | host's realm as determined by @code{krb_realmofhost}. |
---|
824 | |
---|
825 | @code{rcp} handles third party copies, where neither source nor target |
---|
826 | files are on the current machine. Note that Kerberos is only used for |
---|
827 | the first connection of a third party copy; the second connection uses |
---|
828 | the standard Berkeley @code{rcp} protocol. This is due to a limitation |
---|
829 | of the version 4 protocol. |
---|
830 | |
---|
831 | Hostnames may also take the form |
---|
832 | @var{rname}@@@var{rhost}' to use @var{rname} rather than the current |
---|
833 | user name on the remote host. |
---|
834 | |
---|
835 | There are two options to @code{rcp} which are not normally used, but |
---|
836 | can be helpful when testing. The @samp{-N} option forces @code{rcp} |
---|
837 | to use a network connection, even when copying files which are on the |
---|
838 | local host. The @samp{-P} @var{port} option sets the TCP port number |
---|
839 | to use. |
---|
840 | |
---|
841 | @ignore |
---|
842 | @subsubheading SEE ALSO |
---|
843 | @table @ref |
---|
844 | @item rsh |
---|
845 | @item rlogin |
---|
846 | @item Kerberos |
---|
847 | @item krb_realmofhost,,krb_get_lrealm |
---|
848 | @end table |
---|
849 | See also @code{cp}(1), @code{ftp}(1), @code{rcp}(1) [UCB version]. |
---|
850 | |
---|
851 | @subsubheading BUGS |
---|
852 | |
---|
853 | Does not detect all cases where the target of a copy might be a file in |
---|
854 | cases where only a directory should be legal. |
---|
855 | |
---|
856 | Is confused by any output generated by commands in a @file{.login}, |
---|
857 | @file{.profile}, or @file{.cshrc} file on the remote host. |
---|
858 | |
---|
859 | The destination user and hostname may have to be specified as |
---|
860 | @var{rhost}@samp{.}@var{rname} when the destination machine is |
---|
861 | running |
---|
862 | the 4.2BSD version of @code{rcp}. |
---|
863 | |
---|
864 | @end ignore |
---|
865 | |
---|
866 | @node pfrom |
---|
867 | @subsection @code{pfrom}---Who sent me mail? |
---|
868 | |
---|
869 | @c @subsubheading SYNOPSIS |
---|
870 | @smallexample |
---|
871 | pfrom [-s @var{sender}] [-h @var{host}] [-v] [-d] |
---|
872 | @end smallexample |
---|
873 | |
---|
874 | @c @subsubheading DESCRIPTION |
---|
875 | If you are using the `POP' mail system (@pxref{popper}) the @code{pfrom} |
---|
876 | program prints out the mail header lines in your incoming mail to show |
---|
877 | you who your mail is from. It does this without retrieving the mail |
---|
878 | from the post office. If the @samp{-s} option is given, then only |
---|
879 | headers for mail sent by sender are printed. If the @samp{-h} option is |
---|
880 | given, then @var{host} is consulted instead of your default post office. |
---|
881 | The @samp{-v} option puts @code{pfrom} into verbose mode, and the |
---|
882 | @samp{-d} option puts @code{pfrom} into debug mode. |
---|
883 | |
---|
884 | @code{pfrom} is equivalent to the @code{from} command used on |
---|
885 | traditional |
---|
886 | local mail systems. |
---|
887 | |
---|
888 | @ignore |
---|
889 | @subsubheading SEE ALSO |
---|
890 | Post Office Protocol (revised) (aka RFC-819 with revisions) |
---|
891 | @end ignore |
---|
892 | |
---|
893 | @node tftp |
---|
894 | @subsection @code{tftp}---trivial file transfer protocol |
---|
895 | |
---|
896 | @c @subsubheading SYNOPSIS |
---|
897 | @smallexample |
---|
898 | tftp -@var{action} @var{localname} @var{host} @var{foreignname} |
---|
899 | [@var{mode}] |
---|
900 | @end smallexample |
---|
901 | @c @subsubheading DESCRIPTION |
---|
902 | If action is @samp{w}, @samp{p}, or @samp{ap}, @code{tftp} writes the |
---|
903 | local file, called @var{localname}, onto the foreign host's file system |
---|
904 | as @var{foreignname}. If action is @samp{ap}, Kerberos authentication |
---|
905 | is used. Note that @var{foreignname} must be in quotes if it contains |
---|
906 | shell special characters. If action is @samp{r}, @samp{g}, or |
---|
907 | @samp{ag}, @code{tftp} reads foreign host's file @var{foreignname} into |
---|
908 | the local file, @var{localname}. If action is @samp{ag}, Kerberos |
---|
909 | authentication is used. @code{tftp} does not supersede or overwrite |
---|
910 | existing local files, however; to do so, use action @samp{o}. |
---|
911 | |
---|
912 | Mode may be @samp{netascii}, or @samp{image}. @samp{netascii}, the |
---|
913 | default mode, transfers the file as standard ASCII characters. |
---|
914 | @samp{image} mode transfers the file in binary, with no character |
---|
915 | conversion. |
---|
916 | |
---|
917 | If Kerberos authentication is not used with @code{tftp}, access is |
---|
918 | denied unless the remote and local host are on the same local-area |
---|
919 | network. |
---|
920 | |
---|
921 | @ignore |
---|
922 | @subsubheading SEE ALSO |
---|
923 | @xref{Kerberos Intro}, Internet Protocol Handbook |
---|
924 | @end ignore |
---|
925 | |
---|
926 | @node Ticket Management Commands |
---|
927 | @section Ticket Management Commands |
---|
928 | @menu |
---|
929 | * kinit:: get initial tickets |
---|
930 | * klist:: list tickets |
---|
931 | * kdestroy:: erase tickets |
---|
932 | * kpasswd:: change Kerberos password |
---|
933 | * ksu:: switch local user based on Kerberos access list |
---|
934 | @end menu |
---|
935 | |
---|
936 | |
---|
937 | @node kinit |
---|
938 | @subsection @code{kinit}---Kerberos login utility |
---|
939 | |
---|
940 | @c @subsubheading SYNOPSIS |
---|
941 | @c kinit [-irvl] [@var{user}] |
---|
942 | @smallexample |
---|
943 | kinit [-ivl] |
---|
944 | @end smallexample |
---|
945 | @c @subsubheading DESCRIPTION |
---|
946 | The @code{kinit} command is used to login to the Kerberos authentication |
---|
947 | and authorization system. Note that only registered Kerberos users can |
---|
948 | use the Kerberos system. For information about registering as a |
---|
949 | Kerberos user, see the @xref{Initial Steps} of the manual, or talk to |
---|
950 | your system administrator. |
---|
951 | |
---|
952 | @ignore |
---|
953 | If you are logged in to a workstation that is running the @samp{toehold} |
---|
954 | service, you do not have to use @code{kinit}. The @samp{toehold} login |
---|
955 | procedure logs you into Kerberos automatically. You need to use |
---|
956 | @code{kinit} only in those situations in which your original tickets |
---|
957 | have expired. (Tickets expire in ten hours, enough to cover a typical |
---|
958 | workday.) Note as well that @samp{toehold} automatically destroys your |
---|
959 | tickets when you logout from the workstation. . .. UPDATE THAT ... |
---|
960 | @end ignore |
---|
961 | |
---|
962 | When you use @code{kinit} without options, the utility prompts for your |
---|
963 | username and Kerberos password, and tries to authenticate that name |
---|
964 | with the local Kerberos server. |
---|
965 | |
---|
966 | If Kerberos authenticates the login attempt, @code{kinit} retrieves your |
---|
967 | ticket-granting ticket and puts it in the ticket file specified by your |
---|
968 | @samp{KRBTKFILE} environment variable. If this variable is undefined, |
---|
969 | your ticket is stored in the @file{/tmp} directory, in the file |
---|
970 | @file{tkt@var{uid}}, where @samp{uid} specifies your user ID number from |
---|
971 | the password file. |
---|
972 | |
---|
973 | Make sure you use the @code{kdestroy} command to destroy any active |
---|
974 | tickets before you end your login session. You may want to put the |
---|
975 | @code{kdestroy} command in your @file{.logout} file so that your |
---|
976 | tickets are destroyed automatically when you logout. |
---|
977 | |
---|
978 | The options to @code{kinit} are as follows: |
---|
979 | |
---|
980 | @table @code |
---|
981 | @item -i |
---|
982 | @code{kinit} prompts you for a Kerberos instance. |
---|
983 | |
---|
984 | @item -r |
---|
985 | @code{kinit} prompts you for a Kerberos realm. This option lets you |
---|
986 | authenticate yourself with a remote Kerberos server. |
---|
987 | |
---|
988 | @item -v |
---|
989 | Verbose mode. @code{kinit} prints the name of the ticket file used, and |
---|
990 | a status message indicating the success or failure of your login |
---|
991 | attempt. |
---|
992 | |
---|
993 | @item -l |
---|
994 | @code{kinit} prompts you for a ticket lifetime in minutes. Due to |
---|
995 | protocol restrictions in Kerberos Version 4, this value must be between |
---|
996 | 5 and 1275 minutes. |
---|
997 | |
---|
998 | @item -s |
---|
999 | @code{kinit} prompts you for a username. It then challenges you with a |
---|
1000 | six digit number which you enter into the SNK4. The SNK4 produces an |
---|
1001 | eight-digit response which you enter into the system to confirm your |
---|
1002 | identity. (See, @ref{Appendix,,SecureNet Key Authentication Device}.) |
---|
1003 | @end table |
---|
1004 | |
---|
1005 | @ignore |
---|
1006 | @subsubheading SEE ALSO |
---|
1007 | @table @ref |
---|
1008 | @item Kerberos Intro |
---|
1009 | @item kdestroy |
---|
1010 | @item klist |
---|
1011 | @end table |
---|
1012 | See also toehold(1). |
---|
1013 | |
---|
1014 | @subsubheading BUGS |
---|
1015 | |
---|
1016 | The @samp{-r} option has not been fully implemented. |
---|
1017 | |
---|
1018 | @end ignore |
---|
1019 | |
---|
1020 | @node klist |
---|
1021 | @subsection @code{klist}---list currently held tickets |
---|
1022 | |
---|
1023 | @c @subsubheading SYNOPSIS |
---|
1024 | @smallexample |
---|
1025 | klist [-s|-t] [-file @var{name}] [-srvtab] |
---|
1026 | @end smallexample |
---|
1027 | @c @subsubheading DESCRIPTION |
---|
1028 | |
---|
1029 | @code{klist} prints the name of the ticket file and the identity of the |
---|
1030 | principal the tickets are for (as listed in the ticket file), and lists |
---|
1031 | the principal names of all Kerberos tickets currently held by the user, |
---|
1032 | along with the issue and expire time for each authenticator. Principal |
---|
1033 | names are listed in the form |
---|
1034 | @samp{@var{name}.@var{instance}@@@var{realm}}, with the |
---|
1035 | @samp{.} |
---|
1036 | omitted if the instance is null, and the @samp{@@} omitted if the realm |
---|
1037 | is null. |
---|
1038 | |
---|
1039 | If given the @samp{-s} option, @code{klist} does not print the issue and |
---|
1040 | expire times, the name of the ticket file, or the identity of the |
---|
1041 | principal. |
---|
1042 | |
---|
1043 | If given the @samp{-t} option, @code{klist} checks for the existence of |
---|
1044 | a non-expired ticket-granting ticket in the ticket file. If one is |
---|
1045 | present, it exits with status 0, otherwise, it exits with status 1. No |
---|
1046 | output is generated when this option is specified. |
---|
1047 | |
---|
1048 | If given the @samp{-file} option, the following argument is used as the |
---|
1049 | ticket file. Otherwise, if the @code{KRBTKFILE} environment variable is |
---|
1050 | set, it is used. If this environment variable is not set, the file |
---|
1051 | @file{/tmp/tkt@var{uid}} is used, where @var{uid} is the current user-ID |
---|
1052 | of the user. |
---|
1053 | |
---|
1054 | If given the @samp{-srvtab} option, the file is treated as a service key |
---|
1055 | file, and the names of the keys contained therein are printed. If no |
---|
1056 | file is specified with a @samp{-file} option, the default is |
---|
1057 | @file{/etc/krb-srvtab}. See, @ref{Application server entries,,keys for |
---|
1058 | application servers}. |
---|
1059 | |
---|
1060 | @ignore |
---|
1061 | |
---|
1062 | @subsubheading FILES |
---|
1063 | @table @file |
---|
1064 | @item /usr/kerberos/lib/krb.conf |
---|
1065 | to get the name of the local realm |
---|
1066 | @item /tmp/tkt@var{uid} |
---|
1067 | as the default ticket file (@var{uid} is the decimal UID of the user). |
---|
1068 | Note that on the IBM RS/6000, there is an additional file |
---|
1069 | @file{/tmp/tkt@var{uid}.shm}, due to the shared-memory implementation of |
---|
1070 | the Kerberos tickets. |
---|
1071 | @item /etc/krb-srvtab |
---|
1072 | as the default service key file |
---|
1073 | @end table |
---|
1074 | |
---|
1075 | @subsubheading SEE ALSO |
---|
1076 | @table @ref |
---|
1077 | @item Kerberos Intro |
---|
1078 | @item kinit |
---|
1079 | @item kdestroy |
---|
1080 | @end table |
---|
1081 | |
---|
1082 | @subsubheading BUGS |
---|
1083 | |
---|
1084 | When reading a file as a service key file, very little sanity or error |
---|
1085 | checking is performed. |
---|
1086 | |
---|
1087 | @end ignore |
---|
1088 | |
---|
1089 | |
---|
1090 | @node kdestroy |
---|
1091 | @subsection @code{kdestroy}---destroy Kerberos tickets |
---|
1092 | |
---|
1093 | @c @subsubheading SYNOPSIS |
---|
1094 | @smallexample |
---|
1095 | kdestroy [-f] [-q] |
---|
1096 | @end smallexample |
---|
1097 | @c @subsubheading DESCRIPTION |
---|
1098 | |
---|
1099 | The @code{kdestroy} utility destroys the user's active Kerberos |
---|
1100 | authorization tickets by writing zeros to the file that contains them. |
---|
1101 | If the ticket file does not exist, @code{kdestroy} displays a message to |
---|
1102 | that effect. |
---|
1103 | |
---|
1104 | After overwriting the file, @code{kdestroy} removes the file from the |
---|
1105 | system. The utility displays a message indicating the success or |
---|
1106 | failure of the operation. If @code{kdestroy} is unable to destroy the |
---|
1107 | ticket file, the utility warns you by making your terminal beep. |
---|
1108 | |
---|
1109 | You should place the @code{kdestroy} command in your @file{.logout} file |
---|
1110 | so that your tickets are destroyed automatically when you logout. |
---|
1111 | |
---|
1112 | The options to @code{kdestroy} are as follows: |
---|
1113 | |
---|
1114 | @table @code |
---|
1115 | @item -f |
---|
1116 | @code{kdestroy} runs without displaying the status message. |
---|
1117 | |
---|
1118 | @item -q |
---|
1119 | @code{kdestroy} does not make your terminal beep if it fails to destroy |
---|
1120 | the tickets. |
---|
1121 | @end table |
---|
1122 | |
---|
1123 | @ignore |
---|
1124 | @subsubheading FILES |
---|
1125 | @itemize @bullet |
---|
1126 | @item @code{KRBTKFILE} environment variable if set, otherwise |
---|
1127 | @item @file{/tmp/tkt@var{uid}} |
---|
1128 | @end itemize |
---|
1129 | |
---|
1130 | @subsubheading SEE ALSO |
---|
1131 | @table @ref |
---|
1132 | @item Kerberos Intro |
---|
1133 | @item kinit |
---|
1134 | @item klist |
---|
1135 | @end table |
---|
1136 | |
---|
1137 | @subsubheading BUGS |
---|
1138 | |
---|
1139 | Note that only the tickets in the user's current ticket file are |
---|
1140 | destroyed. Unfortunately, separate ticket files are used to hold root |
---|
1141 | instance and password changing tickets. |
---|
1142 | @end ignore |
---|
1143 | |
---|
1144 | @node kpasswd |
---|
1145 | @subsection @code{kpasswd}---changing Kerberos passwords |
---|
1146 | |
---|
1147 | @c @subsubheading SYNOPSIS |
---|
1148 | @smallexample |
---|
1149 | kpasswd [-h] [-n @var{name}] [-i @var{instance}] [-r @var{realm}] |
---|
1150 | [-u @var{username}[.@var{instance}][@@@var{realm}]] |
---|
1151 | @end smallexample |
---|
1152 | @c @subsubheading DESCRIPTION |
---|
1153 | The @code{kpasswd} command is used to change a Kerberos principal's |
---|
1154 | password. |
---|
1155 | |
---|
1156 | If the @samp{-h} option is specified, a brief summary of the options is |
---|
1157 | printed, and @code{kpasswd} then exits. |
---|
1158 | |
---|
1159 | If the @samp{-n} option is specified, @var{name} is used as the |
---|
1160 | principal name rather than the username of the user running |
---|
1161 | @code{kpasswd}. (This is determined from the ticket file if it exists; |
---|
1162 | otherwise, it is determined from the Unix user ID.) |
---|
1163 | |
---|
1164 | If the @samp{-i} option is specified, @var{instance} is used as the |
---|
1165 | instance rather than a null instance. |
---|
1166 | |
---|
1167 | If the @samp{-r} option is specified, @var{realm} is used as the realm |
---|
1168 | rather than the local realm. |
---|
1169 | |
---|
1170 | If the @samp{-u} option is specified, a fully qualified Kerberos |
---|
1171 | principal can be given. |
---|
1172 | |
---|
1173 | The utility prompts for the current Kerberos password (printing the name |
---|
1174 | of the principal for which it intends to change the password), which is |
---|
1175 | verified by the Kerberos server. If the old password is correct, the |
---|
1176 | user is prompted twice for the new password. A message is printed |
---|
1177 | indicating the success or failure of the password changing operation. |
---|
1178 | |
---|
1179 | |
---|
1180 | @ignore |
---|
1181 | @subsubheading BUGS |
---|
1182 | |
---|
1183 | @code{kpasswd} does not handle names, instances, or realms with |
---|
1184 | special |
---|
1185 | characters in them when the @samp{-n}, @samp{-i}, or @samp{-r} |
---|
1186 | options |
---|
1187 | are used. Any valid fullname is accepted, however, if the @samp{-u} |
---|
1188 | option is used. |
---|
1189 | |
---|
1190 | If the principal whose password you are trying to change does not exist, |
---|
1191 | you are not be told until after you have entered the old password. |
---|
1192 | |
---|
1193 | @subsubheading SEE ALSO |
---|
1194 | @table @ref |
---|
1195 | @item Kerberos Intro |
---|
1196 | @item kinit |
---|
1197 | @item kpasswd |
---|
1198 | @item kadmin |
---|
1199 | @end table |
---|
1200 | @end ignore |
---|
1201 | |
---|
1202 | @node ksu |
---|
1203 | @subsection @code{ksu}---Kerberized substitute user ID |
---|
1204 | |
---|
1205 | @code{ksu} requests the Kerberos password for login (or for @samp{root}, |
---|
1206 | if no login is provided), and switches to that user and group ID. A |
---|
1207 | shell is then invoked. |
---|
1208 | |
---|
1209 | @c @subsubheading SYNOPSIS |
---|
1210 | @smallexample |
---|
1211 | ksu [-flm] [@var{login}] |
---|
1212 | @end smallexample |
---|
1213 | |
---|
1214 | @c @subsubheading DESCRIPTION |
---|
1215 | By default, your environment is |
---|
1216 | unmodified with the exception of @samp{USER}, @samp{HOME}, and |
---|
1217 | @samp{SHELL}. @samp{HOME} and @samp{SHELL} are set to the target |
---|
1218 | login's @file{/etc/passwd} values. @samp{USER} is set to the target |
---|
1219 | login, unless the target login has a user ID of zero, in which case it is |
---|
1220 | unmodified. The invoked shell is that of the target login. |
---|
1221 | |
---|
1222 | The @samp{-l} option simulates a full login. The environment is |
---|
1223 | discarded except for @samp{HOME}, @samp{SHELL}, @samp{PATH}, |
---|
1224 | @samp{TERM}, and @samp{USER}. @samp{HOME} and @samp{SHELL} are modified |
---|
1225 | as above. @samp{USER} is set to the target login. @samp{PATH} is set |
---|
1226 | to @samp{/usr/ucb:/bin:/usr/bin}. @samp{TERM} is imported from your |
---|
1227 | current environment. The invoked shell is that of the target login, and |
---|
1228 | @code{ksu} changes directory to the target login's home directory. |
---|
1229 | |
---|
1230 | The @samp{-m} option causes the environment to remain unmodified, and |
---|
1231 | the invoked shell to be your login shell. No directory changes are |
---|
1232 | made. As a security precaution, if the @samp{-m} option is specified, |
---|
1233 | the target user's shell is a nonstandard shell (as defined by |
---|
1234 | @samp{getusershell}(3)) and the caller's real user ID is non-zero, |
---|
1235 | @code{ksu} fails. |
---|
1236 | |
---|
1237 | If the invoked shell is @code{csh}, the @samp{-f} option prevents it |
---|
1238 | from reading the @file{.cshrc} file. Otherwise, this option is ignored. |
---|
1239 | |
---|
1240 | Only users with root instances listed in @file{~root/.klogin} may @code{ksu} |
---|
1241 | to @samp{root} (The format of this file is described by @ref{rlogin}.). |
---|
1242 | When attempting root access, @code{ksu} attempts to fetch a |
---|
1243 | ticket-granting ticket for @samp{@var{username}.root@@@var{localrealm}}, |
---|
1244 | where @var{username} is the username of the process. If possible, the |
---|
1245 | tickets are used to obtain, use, and verify tickets for the service |
---|
1246 | @samp{rcmd.@var{host}@@@var{localrealm}} where @var{host} is the |
---|
1247 | canonical host name of the machine (as determined by |
---|
1248 | @code{krb_get_phost}). If this verification fails, the @code{ksu} is |
---|
1249 | disallowed. (If the service @samp{rcmd.@var{host}@@@var{localrealm}} is |
---|
1250 | not registered, the @code{ksu} is allowed.) |
---|
1251 | |
---|
1252 | By default (unless the prompt is reset by a startup file) the super-user |
---|
1253 | prompt is set to @samp{#} to remind one of its power. |
---|
1254 | |
---|
1255 | When not attempting to switch to the @samp{root} user, @code{ksu} |
---|
1256 | behaves exactly like @code{su}(1). |
---|
1257 | |
---|
1258 | @ignore |
---|
1259 | @subsubheading SEE ALSO |
---|
1260 | @table @ref |
---|
1261 | @item rlogin |
---|
1262 | @item krb_realmofhost,,krb_get_phost |
---|
1263 | @end table |
---|
1264 | See also @code{su}(1), @code{csh}(1), @code{login}(1), |
---|
1265 | @code{sh}(1), |
---|
1266 | @code{passwd}(5), @code{group}(5), @code{environ}(7). |
---|
1267 | @end ignore |
---|
1268 | |
---|
1269 | |
---|
1270 | @node Config Decisions |
---|
1271 | @chapter The Kerberos Administrator: Configuration Decisions |
---|
1272 | |
---|
1273 | @c list server configs here too. |
---|
1274 | @menu |
---|
1275 | * Options:: naming realms, storage locations, etc. |
---|
1276 | * General Configuration:: other changes needed |
---|
1277 | * CNS Configuration:: configuring CNS |
---|
1278 | @end menu |
---|
1279 | |
---|
1280 | To make administration of a Kerberos realm simpler, some important |
---|
1281 | decisions should be made before installation. Carefully consider the |
---|
1282 | following options. |
---|
1283 | |
---|
1284 | @node Options |
---|
1285 | @section Options for your Kerberos Service |
---|
1286 | |
---|
1287 | @menu |
---|
1288 | * Site Configuration:: choice of names and storage |
---|
1289 | * Client Installation:: what to put on a client |
---|
1290 | * Host Installation:: what to put on a network service host |
---|
1291 | * Server Installation:: what to put on the Key Distribution Center |
---|
1292 | * Slave Server Installation:: adding backup Key Distribution Centers |
---|
1293 | @end menu |
---|
1294 | |
---|
1295 | |
---|
1296 | @node Site Configuration |
---|
1297 | @subsection Choice of Names and Storage |
---|
1298 | |
---|
1299 | @itemize @bullet |
---|
1300 | @item @strong{Resources:} |
---|
1301 | Kerberos does not require much disk space. Any client that is already |
---|
1302 | getting system software via Network File System (NFS) can get Kerberos |
---|
1303 | software the same way, unless you wish to guard against someone spoofing |
---|
1304 | the NFS server. Any application server can do the same, though we |
---|
1305 | expect most application servers to have system software stored locally; |
---|
1306 | there must be a small amount of local space for the server private key |
---|
1307 | (in the @file{krb-srvtab} file). |
---|
1308 | |
---|
1309 | The Kerberos master server itself needs enough disk space to hold the |
---|
1310 | key database, and for reliability reasons should have the |
---|
1311 | @samp{kerberos} and @samp{kadmin} servers locally. |
---|
1312 | |
---|
1313 | @item @strong{Naming:} |
---|
1314 | If you are already using the Domain Name Service, which we recommend, |
---|
1315 | and you are only setting up one Kerberos Realm (i.e., one administrative |
---|
1316 | authority---size is not an issue) then we suggest |
---|
1317 | |
---|
1318 | @itemize @bullet |
---|
1319 | @item @strong{Realm name:} |
---|
1320 | DNS domain name. |
---|
1321 | |
---|
1322 | @item @strong{Kerberos server names:} |
---|
1323 | @samp{kerberos} (for a single server) and @samp{kerberos-@var{n}} |
---|
1324 | (kerberos-1,2... etc.) for slaves. |
---|
1325 | @end itemize |
---|
1326 | |
---|
1327 | If you have multiple administrative areas that may need to work |
---|
1328 | together, you still want to divide things in a similar manner to how you |
---|
1329 | have already divided your namespace. If the namespace is not divided, |
---|
1330 | you either need to explicitly list members of one domain in the |
---|
1331 | @file{krb.realms} file or you need to have users specify the @samp{-k} |
---|
1332 | argument for most commands. |
---|
1333 | @end itemize |
---|
1334 | |
---|
1335 | @node Client Installation |
---|
1336 | @subsection What to put on a client |
---|
1337 | |
---|
1338 | Everything in this installation can be installed in a common location. |
---|
1339 | Applications provided are: |
---|
1340 | @table @code |
---|
1341 | @item kinit |
---|
1342 | @item klist |
---|
1343 | @item kdestroy |
---|
1344 | @item rlogin |
---|
1345 | @item rcp |
---|
1346 | @item rsh |
---|
1347 | @item telnet |
---|
1348 | @item ksu |
---|
1349 | @item kadmin |
---|
1350 | @item movemail |
---|
1351 | @item pfrom |
---|
1352 | @item ftp |
---|
1353 | @item kpasswd |
---|
1354 | @end table |
---|
1355 | |
---|
1356 | A pair of configuration files (@file{krb.conf} and @file{krb.realms}) |
---|
1357 | are needed to identify the realms within which the host needs to |
---|
1358 | authenticate (see, respectively, |
---|
1359 | @ref{krb.conf,,@code{krb.conf}---Kerberos configuration file}, and |
---|
1360 | @pxref{krb.realms,,@code{krb.realms}---host to Kerberos realm |
---|
1361 | translation file}). These files are stored in @file{/usr/kerberos/lib}. |
---|
1362 | |
---|
1363 | @enumerate |
---|
1364 | @item |
---|
1365 | Either install the release directly in @file{/usr/kerberos}, or set up |
---|
1366 | symbolic links or NFS mounts as your configuration warrants. |
---|
1367 | |
---|
1368 | @item |
---|
1369 | Generate @file{krb.conf} and @file{krb.realms} files with your |
---|
1370 | local configuration parameters. See @xref{krb.realms} for details. |
---|
1371 | |
---|
1372 | @item |
---|
1373 | Update the @file{/etc/services} file. |
---|
1374 | @end enumerate |
---|
1375 | |
---|
1376 | @node Host Installation |
---|
1377 | @subsection What to put on a network service host |
---|
1378 | |
---|
1379 | Executables should be installed reliably (they may be shared between |
---|
1380 | machines, but this is not usually a good idea.) Daemons provided |
---|
1381 | are: |
---|
1382 | @table @code |
---|
1383 | @item klogind |
---|
1384 | @item telnetd |
---|
1385 | @item kshd |
---|
1386 | @item popper |
---|
1387 | @item ksrvutil |
---|
1388 | @item ftpd |
---|
1389 | @item login.krb |
---|
1390 | @item tftpd |
---|
1391 | @end table |
---|
1392 | |
---|
1393 | Along with the configuration files used in the client install, you need |
---|
1394 | to create a @file{krb-srvtab}. If the @file{krb-srvtab} is compromised, |
---|
1395 | it is possible to impersonate users and obtain access to the services on |
---|
1396 | this particular server. |
---|
1397 | |
---|
1398 | Kerberos-enhanced network services can be installed simply by adding |
---|
1399 | entries for them to @file{/etc/inetd.conf} on Berkeley Standard |
---|
1400 | Distribution (BSD) derived systems. On some systems there is a limit on |
---|
1401 | the number of services which @code{inetd} can support. If this is the |
---|
1402 | case on your system, a simple workaround is to run a second instance of |
---|
1403 | @code{inetd}, the Internet service daemon, with a configuration file |
---|
1404 | containing the Kerberos-enhanced services. On BSD derived systems, this |
---|
1405 | @code{inetd} should be started in @file{/etc/rc.local} using whatever |
---|
1406 | idiom was used for the normal @code{inetd}. |
---|
1407 | |
---|
1408 | @node Server Installation |
---|
1409 | @subsection What to put on the Key Distribution Center |
---|
1410 | |
---|
1411 | Executables should be installed very reliably (preferably locally.) |
---|
1412 | Local disk space is also needed for the Key Database. The programs are: |
---|
1413 | @table @code |
---|
1414 | @item Kerberos |
---|
1415 | @item kadmind |
---|
1416 | @item kstash |
---|
1417 | @item kdb_util |
---|
1418 | @item kdb_edit |
---|
1419 | @item kdb_init |
---|
1420 | @item kdb_destroy |
---|
1421 | @item kprop |
---|
1422 | @item kpropd |
---|
1423 | @item ext_srvtab |
---|
1424 | @end table |
---|
1425 | |
---|
1426 | Access to the memory or core dumps from this machine could compromise |
---|
1427 | security for the entire realm. If there is a human operator always |
---|
1428 | available, the Kerberos master key can be manually entered at every |
---|
1429 | reboot, and not otherwise recorded on disk; if so, normal backups can be |
---|
1430 | made of the database. For convenience, @code{kstash} can be used to |
---|
1431 | store the master key on local disk; care should be taken not to make |
---|
1432 | this file accessible or to make backups of it. (@xref{kstash}.) |
---|
1433 | |
---|
1434 | @node Slave Server Installation |
---|
1435 | @subsection Adding a Slave Server |
---|
1436 | |
---|
1437 | The use of slave servers provides continued service in case the master |
---|
1438 | KDC server is down, unreachable, or overloaded. Periodically, the |
---|
1439 | master sends out copies of its entire database to all of it's slave |
---|
1440 | servers. When clients cannot reach the master for ticket requests, they |
---|
1441 | try the slaves. |
---|
1442 | |
---|
1443 | Note that there is no continued @code{kadmin/kpasswd} service---the |
---|
1444 | master database is the only one that gets modified, and is defined as |
---|
1445 | the one on which @code{kadmind} is running. |
---|
1446 | |
---|
1447 | Follow these steps to set up slave servers. |
---|
1448 | |
---|
1449 | @itemize @bullet |
---|
1450 | @item The master server and all slave servers must also be set up as |
---|
1451 | application servers, with srvtab files containing an @samp{rcmd} key. |
---|
1452 | @xref{Application server configuration,,Configuring an Application |
---|
1453 | Server,install,Cygnus Network Security Installation Notes}. |
---|
1454 | |
---|
1455 | @item Each slave server uses the @code{kpropd} daemon to receive copies |
---|
1456 | of the Kerberos database from the master server. Add a line like the |
---|
1457 | following to @file{/etc/inetd.conf} to make @code{inetd} invoke the |
---|
1458 | @code{kpropd} daemon when it receives an incoming connection: |
---|
1459 | |
---|
1460 | @iftex |
---|
1461 | @let@nonarrowing=@comment |
---|
1462 | @end iftex |
---|
1463 | @smallexample |
---|
1464 | krb_prop stream tcp nowait root /usr/kerberos/etc/in.kpropd in.kpropd |
---|
1465 | @end smallexample |
---|
1466 | @iftex |
---|
1467 | @let@nonarrowing=@relax |
---|
1468 | @end iftex |
---|
1469 | |
---|
1470 | @code{in.kpropd} is a simple shell script which invokes @code{kpropd} |
---|
1471 | with the correct arguments. |
---|
1472 | |
---|
1473 | @item The master server uses the @code{kprop} program to send copies of |
---|
1474 | the Kerberos database to the slave servers. This is most easily done |
---|
1475 | using the @code{push-kprop} shell script. Enter the hostname of each |
---|
1476 | slave server into the file @file{/usr/kerberos/database/slavelist}. |
---|
1477 | This should be a simple text file, with each hostname on a separate |
---|
1478 | line. |
---|
1479 | |
---|
1480 | @item Run the @code{push-kprop} script on the master to send the master |
---|
1481 | database over to all the slaves. You should arrange for |
---|
1482 | @code{push-kprop} to be invoked regularly on the master, using |
---|
1483 | @code{cron}. The frequency of the update depends upon how urgently you |
---|
1484 | need the slave servers to know about database changes, such as changed |
---|
1485 | passwords or new Kerberos principals. Once an hour is usually adequate. |
---|
1486 | |
---|
1487 | @item Once the slaves have received their own copy of the database, you |
---|
1488 | can start the @code{kerberos} server on the slave. Start it with the |
---|
1489 | @samp{-s} option. You should arrange for each slave server to start the |
---|
1490 | @code{kerberos} server at boot time, just as on the master server, |
---|
1491 | except that on the slaves @code{kerberos} should be invoked with |
---|
1492 | @samp{-s}. |
---|
1493 | |
---|
1494 | @item Add the slave hostnames to the @file{/usr/kerberos/lib/krb.conf} |
---|
1495 | file on any machine which should be able to get Kerberos tickets from |
---|
1496 | the slave servers. The CNS client programs queries servers in the order |
---|
1497 | they are listed in @file{krb.conf}, so you can, for example, arrange for |
---|
1498 | client programs to contact a local slave server before trying the master |
---|
1499 | server. |
---|
1500 | |
---|
1501 | @item To add a new slave server, just arrange for @code{kpropd} to be |
---|
1502 | invoked via @code{inetd} on the slave, add the new slave hostname to |
---|
1503 | @file{slavelist} on the master server, run @code{push-kprop} on the |
---|
1504 | master server, and start @code{kerberos -s} on the new slave. |
---|
1505 | @end itemize |
---|
1506 | |
---|
1507 | For detailed information on @code{kprop}, see @ref{kprop and |
---|
1508 | push-kprop}. For detailed information on @code{kpropd}, see @ref{Slave |
---|
1509 | Servers,kpropd}. |
---|
1510 | |
---|
1511 | @node General Configuration |
---|
1512 | @section General Configuration |
---|
1513 | |
---|
1514 | A few existing configuration files may be modified for the use of |
---|
1515 | Kerberos. |
---|
1516 | @table @file |
---|
1517 | @item /etc/services |
---|
1518 | Kerberos Enhanced services use different ports than their traditional |
---|
1519 | counterparts. These need to be added to @file{/etc/services} on any |
---|
1520 | client machine. |
---|
1521 | @item /etc/inetd.conf |
---|
1522 | If a machine is hosting any Kerberos Enhanced services, such as |
---|
1523 | @code{popper} (see @xref{popper}), @code{rlogind} (see @xref{klogind}) |
---|
1524 | or @code{rshd} (see @xref{kshd}), these should be added to |
---|
1525 | @code{inetd.conf} along with the other services the machine provides. |
---|
1526 | It is also possible to run a second @code{inetd} with only the Kerberos |
---|
1527 | services rather than changing the existing list. |
---|
1528 | |
---|
1529 | Note that if you wish to allow access @strong{only} when |
---|
1530 | Kerberos-mediated, than you must remove services like @code{rlogin} from |
---|
1531 | @file{/etc/inetd.conf}, leaving only the versions from Cygnus. For |
---|
1532 | further protection, you may allow access to @code{eklogind}, the server |
---|
1533 | only for encrypted remote logins. |
---|
1534 | |
---|
1535 | @item /etc/rc |
---|
1536 | Since the Kerberos Key Distribution Center (and any slave servers) |
---|
1537 | should be running all the time, the Kerberos server is often started out |
---|
1538 | of the system @file{/etc/rc} file, or the equivalent on your system. |
---|
1539 | @xref{Configuring the KDC,,Configuring the KDC,install,Cygnus Network |
---|
1540 | Security Installation Notes}. |
---|
1541 | |
---|
1542 | @end table |
---|
1543 | |
---|
1544 | @node CNS Configuration |
---|
1545 | @section CNS Configuration |
---|
1546 | |
---|
1547 | @menu |
---|
1548 | * krb.conf:: Realm to Server mapping |
---|
1549 | * krb.realms:: Host to Realm exceptions |
---|
1550 | @end menu |
---|
1551 | |
---|
1552 | @node krb.conf |
---|
1553 | @subsection @code{krb.conf}---Kerberos configuration file |
---|
1554 | |
---|
1555 | @c @subsubheading DESCRIPTION |
---|
1556 | @file{krb.conf} contains configuration information describing the |
---|
1557 | Kerberos realm and the Kerberos key distribution center (KDC) servers |
---|
1558 | for known realms. |
---|
1559 | |
---|
1560 | @file{krb.conf} contains the name of the local realm in the first line, |
---|
1561 | followed by lines indicating realm/host entries. The first token is a |
---|
1562 | realm name, and the second is the hostname of a host running a KDC for |
---|
1563 | that realm. The words @samp{admin server} following the hostname |
---|
1564 | indicate that the host also provides an administrative database server, |
---|
1565 | that is, it is the master Kerberos server for this realm, where requests |
---|
1566 | to change passwords, add users, etc, are sent. |
---|
1567 | |
---|
1568 | For example: |
---|
1569 | @smallexample |
---|
1570 | CYGNUS.COM |
---|
1571 | CYGNUS.COM kerberos-1.cygnus.com admin server |
---|
1572 | CYGNUS.COM kerberos-2.cygnus.com |
---|
1573 | ANOTHER.CYGNUS.COM kerberos.another.cygnus.com admin server |
---|
1574 | @end smallexample |
---|
1575 | @ignore |
---|
1576 | @subsubheading SEE ALSO |
---|
1577 | @table @ref |
---|
1578 | @item krb.realms |
---|
1579 | @item krb_realmofhost,,krb_get_krbhst |
---|
1580 | @item krb_realmofhost,,krb_get_lrealm |
---|
1581 | @end table |
---|
1582 | @end ignore |
---|
1583 | |
---|
1584 | |
---|
1585 | |
---|
1586 | @node krb.realms |
---|
1587 | @subsection @code{krb.realms}---host to Kerberos realm translation file |
---|
1588 | |
---|
1589 | @c @subsubheading DESCRIPTION |
---|
1590 | @file{krb.realms} provides a translation from a hostname to the Kerberos |
---|
1591 | realm name for the services provided by that host. |
---|
1592 | |
---|
1593 | Each line of the translation file is in one of the following forms |
---|
1594 | (@var{domain_name} should be of the form @samp{.XXX.YYY}, e.g. |
---|
1595 | @samp{.CYGNUS.COM}): |
---|
1596 | @smallexample |
---|
1597 | @var{host_name} @var{kerberos_realm} |
---|
1598 | @var{domain_name} @var{kerberos_realm} |
---|
1599 | @end smallexample |
---|
1600 | If a hostname exactly matches the @var{host_name} field in a line of the |
---|
1601 | first form, the corresponding realm is the realm of the host. If a |
---|
1602 | hostname does not match any @var{host_name} in the file, but its domain |
---|
1603 | exactly matches the @var{domain_name} field in a line of the second |
---|
1604 | form, the corresponding realm is the realm of the host. |
---|
1605 | |
---|
1606 | If no translation entry applies, the host's realm is considered to be |
---|
1607 | the the domain portion of the hostname converted to upper case. |
---|
1608 | |
---|
1609 | @ignore |
---|
1610 | @subsubheading SEE ALSO |
---|
1611 | @xref{krb_realmofhost} |
---|
1612 | @end ignore |
---|
1613 | |
---|
1614 | @node Administration Tools |
---|
1615 | @chapter Administration Tools |
---|
1616 | |
---|
1617 | @menu |
---|
1618 | * General Administration:: How to administer a Kerberos Realm |
---|
1619 | * Administrative Tools:: kadmin, kstash, ksrvutil, ksrvtgt |
---|
1620 | * Raw Database Manipulation:: kdb_edit, others |
---|
1621 | @end menu |
---|
1622 | |
---|
1623 | @node General Administration |
---|
1624 | @section How to administer a Kerberos Realm |
---|
1625 | |
---|
1626 | @menu |
---|
1627 | * User entries:: Keys for users |
---|
1628 | * Application server entries:: Keys for application servers |
---|
1629 | * Admin Tools:: kadmin and other tools |
---|
1630 | @end menu |
---|
1631 | |
---|
1632 | @node User entries |
---|
1633 | @subsection Keys for users |
---|
1634 | |
---|
1635 | Users are @dfn{principals} in the database. Each principal has a secret |
---|
1636 | key; this key is known only to the user and to the Kerberos server. The |
---|
1637 | user actually knows only a password which is a string that is converted |
---|
1638 | to an encryption key; the server stores only the key, not the password. |
---|
1639 | |
---|
1640 | You may set and administer initial user names and passwords with |
---|
1641 | @code{kadmin}. You should not give users their passwords via email (too |
---|
1642 | insecure). You should speak to them directly. Likewise, you can change |
---|
1643 | a password, but should only do so when they are certain that the person |
---|
1644 | requesting the change is really the user in question. |
---|
1645 | |
---|
1646 | @node Application server entries |
---|
1647 | @subsection Keys for application servers |
---|
1648 | |
---|
1649 | Application servers are also principals. Typically, an application |
---|
1650 | server uses an application name as the principal name and the name of |
---|
1651 | the host supporting the application server as the instance. The key for |
---|
1652 | this entry is stored in the Kerberos database and in the |
---|
1653 | @file{krb-srvtab} file on the host supporting the application server. |
---|
1654 | |
---|
1655 | You must keep the @file{krb-srvtab} file secure, since it is the basis |
---|
1656 | for all authentication to the application servers on that host. This |
---|
1657 | means that you must either generate it locally or transfer it in a |
---|
1658 | secure manner (either on a physical medium or via an encrypted network.) |
---|
1659 | |
---|
1660 | One secure way of generating a @file{krb-srvtab} is for a database |
---|
1661 | administrator to use @code{kadmin} to create the application server key |
---|
1662 | with a known password. Then this key must be given to the sysadmin of |
---|
1663 | the destination system in a secure manner (in person, not via email.) |
---|
1664 | The sysadmin can then run @code{ksrvutil} on the host (from a directly |
---|
1665 | connected terminal, such as the system console, not over the network) |
---|
1666 | and specify the password. This creates an initial @file{krb-srvtab} |
---|
1667 | with known password. It is best to immediately perform a @code{ksrvutil |
---|
1668 | change} which uses the current key to securely change the key to a new |
---|
1669 | (randomly generated) value. (Randomly chosen passwords are more secure |
---|
1670 | than human chosen ones.) |
---|
1671 | |
---|
1672 | A short cut in this process (if for example the machine's system |
---|
1673 | administrator is also a Kerberos database administrator) would be to run |
---|
1674 | @code{kadmin} directly from the host for which the key is desired, and |
---|
1675 | then use @code{ksrvutil} change, immediately. This avoids the need for |
---|
1676 | any communication of the key. |
---|
1677 | |
---|
1678 | An alternative approach is to have the administrator use @code{kadmin} |
---|
1679 | to enter the keys and then use @code{ext_srvtab} to create the new |
---|
1680 | @file{krb-srvtab} file. Then that file would be put on a tape and |
---|
1681 | securely transported to the host site and loaded. This technique might |
---|
1682 | be useful for machines which are being installed offline but need to be |
---|
1683 | immediately accessible from the network at a later time. |
---|
1684 | |
---|
1685 | @node Admin Tools |
---|
1686 | @subsection kadmin and other utilities |
---|
1687 | |
---|
1688 | While @code{kdb_util} and @code{kdb_edit} can be used directly on the |
---|
1689 | server to change the database, it is more convenient to simply add |
---|
1690 | administrators to access control lists. An administrator needs to have |
---|
1691 | an @samp{admin} instance. You need to use @code{kdb_edit} to add an |
---|
1692 | @samp{admin} instance for at least one user. Once you have an |
---|
1693 | @code{admin} instance, you can use the simpler @code{kadmin} program to |
---|
1694 | handle most types of changes to the database. |
---|
1695 | |
---|
1696 | (For more information about @code{kdb_util}, see @ref{kdb_util}. For |
---|
1697 | more information about @code{kdb_edit}, see @ref{kdb_edit}. For an |
---|
1698 | example of using them to create an initial @samp{admin} instance, see |
---|
1699 | @pxref{Configuring the KDC,,Configuring the KDC,install,Cygnus Network |
---|
1700 | Security Installation Notes}). |
---|
1701 | |
---|
1702 | A database administrator either adds new entries or changes existing |
---|
1703 | ones. New users are added with the @code{ank} (add new key) command to |
---|
1704 | @samp{kadmin}. Ideally the users identifies themselves to the |
---|
1705 | administrator, who then creates the entry and lets the users type their |
---|
1706 | initial password. (The users should still change the password at their |
---|
1707 | earliest convenience.) An administrator must be listed in the |
---|
1708 | @file{admin_acl.add} file to do this. (For information about ACL files, |
---|
1709 | see @pxref{kadmind,ACL files}). |
---|
1710 | |
---|
1711 | Occasionally users forget their passwords, or accidentally type them |
---|
1712 | over the network in cleartext thus compromising the passwords' security. |
---|
1713 | Anything the user sends over the network after that (including a |
---|
1714 | @code{kpasswd} command) could be read by an attacker. The only way to |
---|
1715 | re-establish a secure password is to have a new one set by a system |
---|
1716 | administrator. The @samp{kadmin} @code{cpw} request lets an |
---|
1717 | administrator change the password of any user. An administrator must be |
---|
1718 | listed in the @file{admin_acl.mod} file to do this. |
---|
1719 | |
---|
1720 | One way to disable an account is to change the password to a value |
---|
1721 | unknown to the user; this is useful if the password has been exposed or |
---|
1722 | discovered. The Kerberos administrative server does not provide any |
---|
1723 | easy way to delete names, since any name that `expires' may remain on |
---|
1724 | access control lists, such as @file{.klogin} files or @file{admin_acl.*} |
---|
1725 | files, long afterwards; reusing the name would provide a new person the |
---|
1726 | access of a previous one. (Names can be deleted by dumping and |
---|
1727 | reloading the database. This should only be done after access lists are |
---|
1728 | searched for the old names.) |
---|
1729 | |
---|
1730 | Database administrators may also create principal names for new |
---|
1731 | instances of an application servers on their machines. If a machine is |
---|
1732 | providing a new authenticated service, it needs a key for that service |
---|
1733 | (unless it is using an existing one---for example, @code{rlogin} and |
---|
1734 | @code{rsh} use the same @code{rcmd} principal.) |
---|
1735 | |
---|
1736 | |
---|
1737 | @node Administrative Tools |
---|
1738 | @section Administrative Tools |
---|
1739 | |
---|
1740 | @menu |
---|
1741 | * kadmin:: Database Administration |
---|
1742 | * kstash:: Master Key Storage |
---|
1743 | * ksrvutil:: Host Key Management |
---|
1744 | * ksrvtgt:: Application Authentication |
---|
1745 | * kprop and push-kprop:: Send Database to a Slave Server |
---|
1746 | @end menu |
---|
1747 | |
---|
1748 | @node kadmin |
---|
1749 | @subsection @code{kadmin}---network utility for CNS database administration |
---|
1750 | |
---|
1751 | @c @subsubheading SYNOPSIS |
---|
1752 | @smallexample |
---|
1753 | kadmin [-u @var{user}] [-r @var{default_realm}] [-m] |
---|
1754 | @end smallexample |
---|
1755 | @c @subsubheading DESCRIPTION |
---|
1756 | |
---|
1757 | This utility provides a unified administration interface to the Kerberos |
---|
1758 | master database. Kerberos administrators use @code{kadmin} to register |
---|
1759 | new users and application servers to the master database, and to change |
---|
1760 | information about existing database entries. For instance, an |
---|
1761 | administrator can use @code{kadmin} to change a user's Kerberos |
---|
1762 | password. A Kerberos administrator is a user with an @samp{admin} |
---|
1763 | instance whose name appears on one of the Kerberos administration access |
---|
1764 | control lists. If the @samp{-u} option is used, @var{user} is used as |
---|
1765 | the administrator instead of the local user. If the @samp{-r} option is |
---|
1766 | used, @var{default_realm} is used as the default realm for transactions. |
---|
1767 | Otherwise, the local realm is used by default. If the @samp{-m} option |
---|
1768 | is used, multiple requests are permitted on only one entry of the admin |
---|
1769 | password. Some sites do not support this option. |
---|
1770 | |
---|
1771 | The @code{kadmin} program communicates over the network with the |
---|
1772 | @code{kadmind} program, which runs on the machine housing the Kerberos |
---|
1773 | master database. The @code{kadmind} creates new entries and makes |
---|
1774 | modifications to the database. |
---|
1775 | |
---|
1776 | When you enter the @code{kadmin} command, the program displays a message |
---|
1777 | that welcomes you and explains how to ask for help. Then @code{kadmin} |
---|
1778 | waits for you to enter commands (which are described below). It then |
---|
1779 | asks you for your admin password before accessing the database. |
---|
1780 | |
---|
1781 | Use the @code{add_new_key} (or @code{ank} for short) command to register |
---|
1782 | a new principal with the master database. The command requires one |
---|
1783 | argument, the principal's name. The name given can be fully qualified |
---|
1784 | using the standard @var{name.instance@@realm} convention (see, |
---|
1785 | @pxref{Principal names,,Your Kerberos principal name}). You are asked |
---|
1786 | to enter your admin password, then prompted twice to enter the |
---|
1787 | principal's new password. If no realm is specified, the local realm is |
---|
1788 | used unless another was given on the command line with the @samp{-r} |
---|
1789 | flag. If no instance is specified, a null instance is used. If a realm |
---|
1790 | other than the default realm is specified, you need to supply your admin |
---|
1791 | password for the other realm. |
---|
1792 | |
---|
1793 | Use the @code{change_password} (@code{cpw}) command to change a |
---|
1794 | principal's Kerberos password. The command requires one argument, the |
---|
1795 | principal's name. You are asked to enter your admin password, then |
---|
1796 | prompted twice to enter the principal's new password. The name given |
---|
1797 | can be fully qualified using the standard @var{name.instance@@realm} |
---|
1798 | convention. |
---|
1799 | |
---|
1800 | Use the @code{change_admin_password} (@code{cap}) command to change your |
---|
1801 | admin instance password. This command requires no arguments. It |
---|
1802 | prompts you for your old admin password, then prompts you twice to enter |
---|
1803 | the new admin password. If this is your first command, the default |
---|
1804 | realm is used. Otherwise, the realm used in the last command is used. |
---|
1805 | |
---|
1806 | Use the @code{get_entry} (@code{get}) command to get information about a |
---|
1807 | principal. The command requires one argument, the principal's name. |
---|
1808 | You are prompted to enter your admin password. |
---|
1809 | |
---|
1810 | Use the @code{delete_principal} (@code{del}) command to delete a |
---|
1811 | principal. This command should be used with care. When you delete an |
---|
1812 | entry, be sure to take it off any access control lists |
---|
1813 | (@file{admin_acl.*} files (@pxref{kadmind, ACL files}) and |
---|
1814 | @file{.klogin} files (@pxref{rlogin, .klogin files})). If you do not, |
---|
1815 | then, if the principal name is reused for somebody else, that person |
---|
1816 | obtains unauthorized access. |
---|
1817 | |
---|
1818 | Use the @code{destroy_tickets} (@code{dest}) command to destroy your |
---|
1819 | admin tickets explicitly. |
---|
1820 | |
---|
1821 | Use the @code{list_requests} (@code{lr}) command to get a list of |
---|
1822 | possible commands. |
---|
1823 | |
---|
1824 | Use the @code{help} command to display @code{kadmin}'s various help |
---|
1825 | messages. If entered without an argument, help displays a general help |
---|
1826 | message. You can get detailed information on specific @code{kadmin} |
---|
1827 | commands by entering @code{help command_name}. |
---|
1828 | |
---|
1829 | Use the @code{add_snk_key} or @code{snk} to generate and display random |
---|
1830 | keys for use initializing or reinitializing SNK4 devices. (See, |
---|
1831 | @ref{Appendix,,SecureNet Key Authentication Device}.) |
---|
1832 | |
---|
1833 | To quit the program, type @code{quit}. |
---|
1834 | |
---|
1835 | |
---|
1836 | @ignore |
---|
1837 | @subsubheading BUGS |
---|
1838 | |
---|
1839 | The user interface is primitive, and the command names could be better. |
---|
1840 | |
---|
1841 | |
---|
1842 | @subsubheading SEE ALSO |
---|
1843 | @table @ref |
---|
1844 | @item Kerberos Intro |
---|
1845 | @item kadmind |
---|
1846 | @item kpasswd |
---|
1847 | @item ksrvutil |
---|
1848 | @end table |
---|
1849 | |
---|
1850 | `A Subsystem Utilities Package for UNIX' by Ken Raeburn |
---|
1851 | @end ignore |
---|
1852 | |
---|
1853 | |
---|
1854 | |
---|
1855 | @node kstash |
---|
1856 | @subsection @code{kstash}---stash CNS Key Database master key |
---|
1857 | |
---|
1858 | @code{kstash} saves the Kerberos key distribution center (KDC) database |
---|
1859 | master key in the master key cache file, @file{/.k}. This is normally |
---|
1860 | done so that the @code{kerberos} daemon can read the master key from the |
---|
1861 | file when it starts up at boot time. If the key is not saved using |
---|
1862 | @code{kstash}, somebody must enter the master key manually each time the |
---|
1863 | system is rebooted. |
---|
1864 | |
---|
1865 | The master key cache file, @file{/.k}, should not be saved on backup |
---|
1866 | tapes. If it is, the backup tapes must be guarded with the same level |
---|
1867 | of security used to protect the master Key Distribution Center machine |
---|
1868 | itself. If somebody is able to learn the master key, the contents of |
---|
1869 | the entire database, including all passwords, are vulnerable. |
---|
1870 | |
---|
1871 | When @code{kstash} is run, it prompts the user to enter the master key, |
---|
1872 | to verify the authenticity of the key and the authorization to store the |
---|
1873 | key in the file. |
---|
1874 | |
---|
1875 | @subsubheading DIAGNOSTICS |
---|
1876 | @table @code |
---|
1877 | @item verify_master_key: Invalid master key, does not match database. |
---|
1878 | The master key string entered was incorrect. |
---|
1879 | @item kstash: Unable to open master key file |
---|
1880 | The attempt to open the cache file for writing failed (probably due to |
---|
1881 | a system or access permission error). |
---|
1882 | @item kstash: Write I/O error on master key file |
---|
1883 | The @code{write}(2) system call returned an error while @code{kstash} |
---|
1884 | was attempting to write the key to the file. |
---|
1885 | @end table |
---|
1886 | @subsubheading FILES |
---|
1887 | @table @file |
---|
1888 | @item /usr/kerberos/database/principal.pag |
---|
1889 | @itemx /usr/kerberos/database/principal.dir |
---|
1890 | DBM files containing database |
---|
1891 | @item /.k |
---|
1892 | Master key cache file. |
---|
1893 | @end table |
---|
1894 | |
---|
1895 | @node ksrvutil |
---|
1896 | @subsection @code{ksrvutil}---host CNS srvtab manipulation utility |
---|
1897 | |
---|
1898 | @c @subsubheading SYNOPSIS |
---|
1899 | @smallexample |
---|
1900 | ksrvutil @var{operation} [-k] [-i] [-f @var{filename}] |
---|
1901 | @end smallexample |
---|
1902 | @c @subsubheading DESCRIPTION |
---|
1903 | @code{ksrvutil} allows a system manager to list or change keys currently |
---|
1904 | in his srvtab or to add new keys to the srvtab. |
---|
1905 | |
---|
1906 | Operation must be one of the following: |
---|
1907 | |
---|
1908 | @table @code |
---|
1909 | @item list |
---|
1910 | lists the keys in a srvtab showing version number and principal name. |
---|
1911 | If the @samp{-k} option is given, keys are also shown. |
---|
1912 | |
---|
1913 | @item change |
---|
1914 | changes all the keys in the Kerberos database and in the @samp{srvtab} |
---|
1915 | by using the regular admin protocol. If the @samp{-i} flag is given, |
---|
1916 | @code{ksrvutil} prompts for `yes' or `no' before changing each key. If |
---|
1917 | the @samp{-k} option is used, the old and new keys are displayed. |
---|
1918 | |
---|
1919 | @item add |
---|
1920 | allows the user to add a key. @code{add} prompts for name, instance, |
---|
1921 | realm, and key version number, asks for confirmation, and then asks for |
---|
1922 | a password. @code{ksrvutil} then converts the password to a key and |
---|
1923 | appends the srvtab with the new information. If the @samp{-k} option |
---|
1924 | is used, the key is displayed. |
---|
1925 | |
---|
1926 | @item delete |
---|
1927 | deletes particular keys in the srvtab, interactively prompting for |
---|
1928 | each key. |
---|
1929 | @end table |
---|
1930 | |
---|
1931 | In all cases, the default file used is @file{/etc/krb-srvtab} as defined in |
---|
1932 | @file{krb.h} unless this is overridden by the @samp{-f} option. |
---|
1933 | |
---|
1934 | |
---|
1935 | @code{ksrvutil} is used to add keys to a key file. A system manager |
---|
1936 | asks a Kerberos administrator to create a new service key with |
---|
1937 | @ref{kadmin} and supplies an initial password. The manager then uses |
---|
1938 | @code{ksrvutil} to add the key to the srvtab. Finally, the manager |
---|
1939 | changes the key so that it is random and, therefore, unknown to either |
---|
1940 | the system manager or the Kerberos administrator. |
---|
1941 | |
---|
1942 | @code{ksrvutil} always makes a backup copy of the srvtab before making |
---|
1943 | any changes. |
---|
1944 | |
---|
1945 | @c @subsubheading DIAGNOSTICS |
---|
1946 | If @code{ksrvutil} should exit on an error condition at any time during |
---|
1947 | a change or add, a copy of the original srvtab can be found in |
---|
1948 | @file{@var{filename}.old} where @file{filename} is the name of the |
---|
1949 | srvtab. A copy of the file with all new keys, changed or added so far, |
---|
1950 | can be found in @file{@var{filename}.work}. The original srvtab is |
---|
1951 | left unmodified until the program exits. At that point, it is removed |
---|
1952 | and replaced it with the workfile. Appending the workfile to the backup |
---|
1953 | copy and replacing the srvtab with the result should always give a |
---|
1954 | usable srvtab. The resulting srvtab, however, may have some out of |
---|
1955 | date keys. |
---|
1956 | |
---|
1957 | |
---|
1958 | @ignore |
---|
1959 | @subsubheading SEE ALSO |
---|
1960 | @table @ref |
---|
1961 | @item kadmin |
---|
1962 | @item ksrvtgt |
---|
1963 | @end table |
---|
1964 | @end ignore |
---|
1965 | |
---|
1966 | @node ksrvtgt |
---|
1967 | @subsection @code{ksrvtgt}---fetch and store CNS ticket-granting-ticket using a service key |
---|
1968 | |
---|
1969 | @c @subsubheading SYNOPSIS |
---|
1970 | @smallexample |
---|
1971 | ksrvtgt @var{name} @var{instance} [[@var{realm}] @var{srvtab}] |
---|
1972 | @end smallexample |
---|
1973 | @c @subsubheading DESCRIPTION |
---|
1974 | @code{ksrvtgt} retrieves a ticket-granting ticket with a lifetime of 5 |
---|
1975 | minutes for the principal @var{name}.@var{instance}@@@var{realm} (or |
---|
1976 | @var{name}.@var{instance}@@@var{localrealm} if realm is not supplied on |
---|
1977 | the command line), decrypts the response using the service key found in |
---|
1978 | @var{srvtab} (or in @file{/etc/krb-srvtab} if @var{srvtab} is not |
---|
1979 | specified on the command line), and stores the ticket in the standard |
---|
1980 | ticket cache. |
---|
1981 | |
---|
1982 | This command is intended primarily for use in shell scripts and other |
---|
1983 | batch-type facilities. For example, suppose you have one machine with a |
---|
1984 | tape drive (we'll call it @samp{tapehost}), and you want to be able to |
---|
1985 | back up all machines on the local network on to that drive, and you want |
---|
1986 | the backup script to run unattended. |
---|
1987 | |
---|
1988 | @itemize @bullet |
---|
1989 | @item Make sure that @file{/etc/krb-srvtab} on @samp{tapehost} |
---|
1990 | drive has an entry for the @code{rcmd} service. This is already the |
---|
1991 | case if @samp{tapehost} is a CNS application server. |
---|
1992 | |
---|
1993 | @item Add @code{rcmd.tapehost} to the @file{~root/.klogin} file on each |
---|
1994 | client machine. This gives anybody with an @code{rcmd.tapehost} ticket |
---|
1995 | root access to those machines. (If the backup process on the client |
---|
1996 | machines need not be run as root, some other user can be used instead). |
---|
1997 | |
---|
1998 | @item The backup script on @samp{tapehost} can then look something like |
---|
1999 | this: |
---|
2000 | @smallexample |
---|
2001 | for m in @var{clients}; do |
---|
2002 | ksrvtgt rcmd @samp{tapehost} |
---|
2003 | rsh $m dump | dd of=@var{tapedevice} |
---|
2004 | done |
---|
2005 | @end smallexample |
---|
2006 | The @code{ksrvtgt} command gets a ticket for the principal |
---|
2007 | @code{rcmd.tapehost} and store it in root's ticket file. Since |
---|
2008 | @code{rcmd.tapehost} is in @file{~root/.klogin} on the client machines, |
---|
2009 | the @code{rsh} is permitted. |
---|
2010 | |
---|
2011 | @item @code{ksrvtgt} is invoked before each @code{rsh} |
---|
2012 | command. This is because the ticket obtained by @code{ksrvtgt} is |
---|
2013 | short-lived: it is only valid for five minutes. |
---|
2014 | |
---|
2015 | @item The script must be run by root. @code{ksrvtgt} must be |
---|
2016 | able to read the @file{/etc/krb-srvtab} file, which should only be |
---|
2017 | readable by root. |
---|
2018 | |
---|
2019 | @item This approach means that if somebody is able to become |
---|
2020 | root on @samp{tapehost}, they are able to become root on any of the |
---|
2021 | client machines. This may introduce a weak point in security, which |
---|
2022 | should be considered before adding @code{rcmd.tapehost} to the |
---|
2023 | @file{~root/.klogin} files on the client machines. |
---|
2024 | @end itemize |
---|
2025 | |
---|
2026 | @ignore |
---|
2027 | @subsubheading DIAGNOSTICS |
---|
2028 | |
---|
2029 | @samp{Generic Kerberos failure (kfailure)} can indicate a whole range of |
---|
2030 | problems, the most common of which is the inability to read the service |
---|
2031 | key file. |
---|
2032 | |
---|
2033 | @subsubheading FILES |
---|
2034 | @table @file |
---|
2035 | @item /usr/kerberos/lib/krb.conf |
---|
2036 | to get the name of the local realm. |
---|
2037 | @item /tmp/tkt@var{uid} |
---|
2038 | The default ticket file. |
---|
2039 | @item /etc/krb-srvtab |
---|
2040 | The default service key file. |
---|
2041 | @end table |
---|
2042 | |
---|
2043 | @subsubheading SEE ALSO |
---|
2044 | @table @ref |
---|
2045 | @item Kerberos Intro |
---|
2046 | @item kinit |
---|
2047 | @item kdestroy |
---|
2048 | @end table |
---|
2049 | @end ignore |
---|
2050 | |
---|
2051 | @node kprop and push-kprop |
---|
2052 | @subsection kprop and push-kprop |
---|
2053 | |
---|
2054 | @smallexample |
---|
2055 | kprop [-p] [-force] [-realm @var{realm}] [-private] [-s @var{srvtab}] |
---|
2056 | @var{data_file} @var{slaves_file} |
---|
2057 | @end smallexample |
---|
2058 | |
---|
2059 | The @code{kprop} program is used to copy the Kerberos database from the |
---|
2060 | Kerberos master server to a slave server. Any slave server may serve as |
---|
2061 | a Key Distribution Center just as the master server does, permitting |
---|
2062 | people to use CNS client programs even if the master server is |
---|
2063 | inaccessible. |
---|
2064 | |
---|
2065 | @xref{Slave Server Installation} for a description of how to use |
---|
2066 | @code{kprop} and @code{kpropd} to set up slave servers. |
---|
2067 | |
---|
2068 | The @code{kprop} program communicates with the @code{kpropd} daemon, |
---|
2069 | which runs on the slave server (@pxref{Slave Servers,kpropd}). |
---|
2070 | |
---|
2071 | The @var{data_file} argument is a file created by @code{kdb_util} with |
---|
2072 | the @code{slave_dump} option (@pxref{kdb_util}). |
---|
2073 | |
---|
2074 | The @var{slaves_file} argument is a text file containing a list of the |
---|
2075 | hostnames of the slave servers. It should contain one hostname per |
---|
2076 | line. Each hostname may optionally be followed by the port number to |
---|
2077 | contact, separated by a colon (e.g. host.domain:2754). The default port |
---|
2078 | number is found by using @code{getservbyname} to look up the |
---|
2079 | @samp{krb_prop} service. If that is not defined, @code{kprop} uses |
---|
2080 | @samp{754}. |
---|
2081 | |
---|
2082 | The @code{kprop} program and the @code{kdb_util} program communicate |
---|
2083 | using a semaphore file. The name of the file is the @var{data_file} |
---|
2084 | argument with @file{.dump_ok} appended. The file is automatically |
---|
2085 | created by @code{kdb_util} when the @code{slave_dump} option is used. |
---|
2086 | |
---|
2087 | The @code{push_kprop} shell script may be used to invoke @code{kprop}. |
---|
2088 | It assumes that the list of slaves is in the file |
---|
2089 | @file{/usr/kerberos/database/slavelist}. |
---|
2090 | |
---|
2091 | Normally the Kerberos database is propagated from the server to the |
---|
2092 | slaves by invoking @code{push_kprop} on a regular basis using |
---|
2093 | @code{cron}. |
---|
2094 | |
---|
2095 | The @code{kprop} program requires a srvtab file with an entry for |
---|
2096 | @samp{rcmd}.@var{HOSTNAME}@@@var{REALM}. This is the same type of |
---|
2097 | srvtab file required to run the @code{klogind} or @code{kshd} servers. |
---|
2098 | Srvtab files can be created using the @code{ksrvutil} program |
---|
2099 | (@pxref{ksrvutil}). The default srvtab file is @file{/etc/krb-srvtab}. |
---|
2100 | This default may be overridden with the @samp{-s} option. |
---|
2101 | |
---|
2102 | The @samp{-p} option means to use preauthentication when retrieving |
---|
2103 | tickets. |
---|
2104 | |
---|
2105 | The @samp{-force} option means to transfer the database even if the |
---|
2106 | semaphore file generated by @code{kdb_util} indicates that the dump is |
---|
2107 | not up to date. |
---|
2108 | |
---|
2109 | The @samp{-realm} @var{realm} option sets the Kerberos realm name. The |
---|
2110 | default realm name is obtained using @code{krb_get_lrealm}. |
---|
2111 | |
---|
2112 | The @samp{-private} option means to encrypt the data being sent to the |
---|
2113 | slave server. This is the default. |
---|
2114 | |
---|
2115 | The @samp{-s} @var{srvtab} sets the name of the srvtab file to use when |
---|
2116 | retrieving tickets. The default is @file{/etc/krb-srvtab}. |
---|
2117 | |
---|
2118 | @node Raw Database Manipulation |
---|
2119 | @section Raw Database Management |
---|
2120 | Directly manipulate key database on key distribution center. |
---|
2121 | |
---|
2122 | @menu |
---|
2123 | * kdb_edit:: Edit Raw Database |
---|
2124 | * kdb_init:: Create New Database |
---|
2125 | * kdb_destroy:: Erase Database |
---|
2126 | * kdb_util:: Other Manipulation |
---|
2127 | @end menu |
---|
2128 | |
---|
2129 | @node kdb_edit |
---|
2130 | @subsection @code{kdb_edit}---CNS Key Database editing utility |
---|
2131 | |
---|
2132 | @c @subsubheading SYNOPSIS |
---|
2133 | @smallexample |
---|
2134 | kdb_edit [-n] [-k mkeyfile] |
---|
2135 | @end smallexample |
---|
2136 | |
---|
2137 | @c @subsubheading DESCRIPTION |
---|
2138 | @code{kdb_edit} is used to create or change principals stored in the |
---|
2139 | Kerberos key distribution center (KDC) database. |
---|
2140 | |
---|
2141 | When executed, @code{kdb_edit} prompts for the master key string and |
---|
2142 | verifies that it matches the master key stored in the database. If the |
---|
2143 | @samp{-n} or @samp{-k} options are specified, the master key is instead |
---|
2144 | fetched from a master key cache file (as created by @code{kstash}). The |
---|
2145 | @samp{-n} option reads the default master key cache file, @file{/.k}. |
---|
2146 | The @samp{-k} option may be used to name a different key cache file. |
---|
2147 | |
---|
2148 | Once the master key has been verified, @code{kdb_edit} prompts the user |
---|
2149 | for the principal and instance to be modified. If the entry is not |
---|
2150 | found the user may create it. Once an entry is found or created, the |
---|
2151 | user may set the password, expiration date, maximum ticket lifetime, and |
---|
2152 | attributes. Default expiration dates, maximum ticket lifetimes, and |
---|
2153 | attributes are presented in brackets; if the user presses return the |
---|
2154 | default is selected. There is no default password. The password |
---|
2155 | @samp{RANDOM} is interpreted specially, and if entered the user may have |
---|
2156 | the program select a random key for the principal. |
---|
2157 | |
---|
2158 | Upon successfully creating or changing the entry, @samp{Edit O.K.} is |
---|
2159 | printed. |
---|
2160 | |
---|
2161 | @ignore |
---|
2162 | @subsubheading DIAGNOSTICS |
---|
2163 | |
---|
2164 | @table @code |
---|
2165 | @item verify_master_key: Invalid master key, does not match database. |
---|
2166 | The master key string entered was incorrect. |
---|
2167 | @end table |
---|
2168 | |
---|
2169 | @subsubheading FILES |
---|
2170 | @table @file |
---|
2171 | @item /usr/kerberos/database/principal.pag |
---|
2172 | @itemx /usr/kerberos/database/principal.dir |
---|
2173 | DBM files containing database |
---|
2174 | @item /.k |
---|
2175 | Master key cache file. |
---|
2176 | @end table |
---|
2177 | @end ignore |
---|
2178 | |
---|
2179 | @node kdb_init |
---|
2180 | @subsection @code{kdb_init}---Initialize Kerberos Key Database |
---|
2181 | |
---|
2182 | @c @subsubheading SYNOPSIS |
---|
2183 | @smallexample |
---|
2184 | kdb_init [@var{realm}] |
---|
2185 | @end smallexample |
---|
2186 | @c @subsubheading DESCRIPTION |
---|
2187 | @code{kdb_init} initializes a Kerberos key distribution center database, |
---|
2188 | creating the necessary principals. |
---|
2189 | |
---|
2190 | If the optional @var{realm} argument is not present, @code{kdb_init} |
---|
2191 | prompts for a realm name (or default to the pre-defined value in |
---|
2192 | @file{/usr/kerberos/include/krb.h}). After determining the realm to be |
---|
2193 | created, it prompts for a master key password. The master key password |
---|
2194 | is used to encrypt every encryption key stored in the database. IF THE |
---|
2195 | MASTER KEY PASSWORD IS LOST, THERE IS NO WAY TO RECOVER ENCRYPTION KEYS |
---|
2196 | STORED IN THE DATABASE. |
---|
2197 | |
---|
2198 | @ignore |
---|
2199 | @subsubheading DIAGNOSTICS |
---|
2200 | |
---|
2201 | @table @code |
---|
2202 | @item /usr/kerberos/database/principal: File exists |
---|
2203 | An attempt was made to create a database on a machine which already |
---|
2204 | had |
---|
2205 | an existing database. |
---|
2206 | @end table |
---|
2207 | |
---|
2208 | @subsubheading FILES |
---|
2209 | @table @file |
---|
2210 | @item /usr/kerberos/database/principal.pag |
---|
2211 | @itemx /usr/kerberos/database/principal.dir |
---|
2212 | DBM files containing database |
---|
2213 | @item /usr/kerberos/include/krb.h |
---|
2214 | Include file defining default realm |
---|
2215 | @end table |
---|
2216 | |
---|
2217 | @subsubheading SEE ALSO |
---|
2218 | @xref{kdb_destroy}. |
---|
2219 | @end ignore |
---|
2220 | |
---|
2221 | @node kdb_destroy |
---|
2222 | @subsection @code{kdb_destroy}---destroy Kerberos Key Database |
---|
2223 | |
---|
2224 | @c @subsubheading SYNOPSIS |
---|
2225 | @smallexample |
---|
2226 | kdb_destroy |
---|
2227 | @end smallexample |
---|
2228 | @c @subsubheading DESCRIPTION |
---|
2229 | @code{kdb_destroy} deletes a Kerberos key distribution center |
---|
2230 | database. |
---|
2231 | |
---|
2232 | The user is prompted to verify that the database should be destroyed. A |
---|
2233 | response beginning with @samp{y} or @samp{Y} confirms deletion. Any |
---|
2234 | other response aborts deletion. Extreme caution should be exercised in |
---|
2235 | the use of this command. |
---|
2236 | |
---|
2237 | @ignore |
---|
2238 | @subsubheading DIAGNOSTICS |
---|
2239 | |
---|
2240 | @table @code |
---|
2241 | @item Database cannot be deleted at /usr/kerberos/database/principal |
---|
2242 | The attempt to delete the database failed (probably due to a system or |
---|
2243 | access permission error). |
---|
2244 | @item Database not deleted. |
---|
2245 | The user aborted the deletion. |
---|
2246 | @end table |
---|
2247 | |
---|
2248 | @subsubheading FILES |
---|
2249 | @table @file |
---|
2250 | @item /usr/kerberos/database/principal.pag |
---|
2251 | @itemx /usr/kerberos/database/principal.dir |
---|
2252 | DBM files containing database |
---|
2253 | @end table |
---|
2254 | |
---|
2255 | @subsubheading SEE ALSO |
---|
2256 | @xref{kdb_init} |
---|
2257 | @end ignore |
---|
2258 | |
---|
2259 | @node kdb_util |
---|
2260 | @subsection @code{kdb_util}---Kerberos Key Database utility |
---|
2261 | |
---|
2262 | @c @subsubheading SYNOPSIS |
---|
2263 | @smallexample |
---|
2264 | kdb_util @var{operation} @var{filename} |
---|
2265 | @end smallexample |
---|
2266 | @c @subsubheading DESCRIPTION |
---|
2267 | @code{kdb_util} allows the Kerberos key distribution center (KDC) |
---|
2268 | database administrator to perform utility functions on the database. |
---|
2269 | |
---|
2270 | @var{operation} must be one of the following: |
---|
2271 | |
---|
2272 | @table @code |
---|
2273 | @item load |
---|
2274 | Initializes the KDC database with the records described by the text |
---|
2275 | contained in the file @var{filename}. Any existing database is |
---|
2276 | overwritten. |
---|
2277 | @item dump |
---|
2278 | dumps the KDC database into a text representation in the file |
---|
2279 | @var{filename}. |
---|
2280 | @item slave_dump |
---|
2281 | performs a database dump like the dump operation, and additionally |
---|
2282 | creates a semaphore file signaling the propagation software that an |
---|
2283 | update is available for distribution to slave KDC databases. |
---|
2284 | @item new_master_key |
---|
2285 | prompts for the old and new master key strings, and then dumps the KDC |
---|
2286 | database into a text representation in the file @var{filename}. The |
---|
2287 | keys in the text representation are encrypted in the new master key. |
---|
2288 | @item convert_old_db |
---|
2289 | prompts for the master key string, and then dumps the KDC database into |
---|
2290 | a text representation in the file @var{filename}. The existing database |
---|
2291 | is encrypted using the old key string (encrypted by the key schedule of |
---|
2292 | the master key); the dumped database is encrypted using the new key |
---|
2293 | string (encrypted directly with master key). |
---|
2294 | @end table |
---|
2295 | |
---|
2296 | @ignore |
---|
2297 | @subsubheading DIAGNOSTICS |
---|
2298 | @table @code |
---|
2299 | @item verify_master_key: Invalid master key, does not match database. |
---|
2300 | The master key string entered was incorrect. |
---|
2301 | @end table |
---|
2302 | |
---|
2303 | @subsubheading FILES |
---|
2304 | @table @file |
---|
2305 | @item /usr/kerberos/database/principal.pag |
---|
2306 | @itemx /usr/kerberos/database/principal.dir |
---|
2307 | DBM files containing database |
---|
2308 | @item filename.ok |
---|
2309 | semaphore file created by slave_dump. |
---|
2310 | @end table |
---|
2311 | @end ignore |
---|
2312 | |
---|
2313 | @node Daemons |
---|
2314 | @chapter Daemons |
---|
2315 | @menu |
---|
2316 | * Admin Services:: kadmind |
---|
2317 | * Interactive Command:: klogind, kshd |
---|
2318 | * File Transfer:: tftp, tcom |
---|
2319 | * Slave Servers:: kpropd, in.propd |
---|
2320 | @end menu |
---|
2321 | |
---|
2322 | @node Admin Services |
---|
2323 | @section Admin Services |
---|
2324 | @menu |
---|
2325 | * kadmind:: Admin Server |
---|
2326 | @end menu |
---|
2327 | |
---|
2328 | @node kadmind |
---|
2329 | @subsection @code{kadmind}---network daemon for Kerberos database administration |
---|
2330 | |
---|
2331 | @c @subsubheading SYNOPSIS |
---|
2332 | @smallexample |
---|
2333 | kadmind [-n] [-h] [-r @var{realm}] [-f @var{filename}] |
---|
2334 | [-d @var{dbname}] [-a @var{acldir}] |
---|
2335 | @end smallexample |
---|
2336 | @c @subsubheading DESCRIPTION |
---|
2337 | @samp{kadmind} is the network database server for the Kerberos |
---|
2338 | password-changing and administration tools. |
---|
2339 | |
---|
2340 | Upon execution, it prompts the user to enter the master key string for |
---|
2341 | the database. |
---|
2342 | |
---|
2343 | If the @samp{-n} option is specified, the master key is instead fetched |
---|
2344 | from the master key cache file. |
---|
2345 | |
---|
2346 | If the @samp{-r} @var{realm} option is specified, the admin server |
---|
2347 | pretends that its local realm is @var{realm} instead of the actual local |
---|
2348 | realm of the host it is running on. This makes it possible to run a |
---|
2349 | server for a foreign Kerberos realm. |
---|
2350 | |
---|
2351 | If the @samp{-f} @var{filename} option is specified, that file is |
---|
2352 | used to hold the log information instead of the default. |
---|
2353 | |
---|
2354 | If the @samp{-d} @var{dbname} option is specified, that file is |
---|
2355 | used as the database name instead of the default. |
---|
2356 | |
---|
2357 | If the @samp{-a} @var{acldir} option is specified, the directory |
---|
2358 | @var{acldir} is searched for access control lists. The default is |
---|
2359 | @file{/usr/kerberos/database}. |
---|
2360 | |
---|
2361 | If the @samp{-h} option is specified, @code{kadmind} prints out a short |
---|
2362 | summary of the permissible control arguments, and then exits. |
---|
2363 | |
---|
2364 | When performing requests on behalf of clients, @code{kadmind} checks |
---|
2365 | access control lists (ACLs) to determine if the client is authorized to |
---|
2366 | perform the requested action. The ACL files are normally kept in |
---|
2367 | @file{/usr/kerberos/database}; this may be overridden by the @samp{-a} |
---|
2368 | option. Each ACL file is named with a prefix of @file{admin_acl}, and a |
---|
2369 | suffix indicating the type. ACL files are simple text files with lists |
---|
2370 | of principal names, with each principal name on a separate line (i.e., |
---|
2371 | the same format as a @file{.klogin} file; @pxref{rlogin, .klogin |
---|
2372 | files}). |
---|
2373 | |
---|
2374 | Currently three distinct access types are supported: |
---|
2375 | |
---|
2376 | @itemize @bullet |
---|
2377 | @item Addition (@file{.add} ACL file). If a principal is on this list, |
---|
2378 | the principal may add new principals to the database. |
---|
2379 | @item Retrieval (@file{.get} ACL file). If a principal is on this list, |
---|
2380 | the principal may retrieve database entries. NOTE: A principal's |
---|
2381 | private key is never returned by the get functions. |
---|
2382 | @item Modification (@file{.mod} ACL file). If a principal is on this |
---|
2383 | list, the principal may modify entries in the database. |
---|
2384 | @end itemize |
---|
2385 | |
---|
2386 | A principal is always granted authorization to change its own password. |
---|
2387 | |
---|
2388 | @subsubheading FILES |
---|
2389 | @table @file |
---|
2390 | @item /usr/kerberos/database/admin_server.syslog |
---|
2391 | Default log file. |
---|
2392 | @item /usr/kerberos/database |
---|
2393 | Default access control list directory. |
---|
2394 | @item admin_acl.add |
---|
2395 | @itemx admin_acl.get |
---|
2396 | @itemx admin_acl.mod |
---|
2397 | Access control list files (within the directory) |
---|
2398 | @item /usr/kerberos/database/principal.pag |
---|
2399 | @itemx /usr/kerberos/database/principal.dir |
---|
2400 | Default DBM files containing database |
---|
2401 | @item /.k |
---|
2402 | Master key cache file. |
---|
2403 | @end table |
---|
2404 | |
---|
2405 | @ignore |
---|
2406 | @subsubheading SEE ALSO |
---|
2407 | @table @ref |
---|
2408 | @item Kerberos Intro |
---|
2409 | @item kpasswd |
---|
2410 | @item kadmin |
---|
2411 | @item acl_check |
---|
2412 | @end table |
---|
2413 | @end ignore |
---|
2414 | |
---|
2415 | @node Interactive Command |
---|
2416 | @section Interactive Command |
---|
2417 | @menu |
---|
2418 | * popper:: Post Office Server |
---|
2419 | * klogind:: Kerberized rlogin |
---|
2420 | * kshd:: Kerberized rsh |
---|
2421 | @end menu |
---|
2422 | @node popper |
---|
2423 | @subsection @code{popper}---pop 3 server |
---|
2424 | |
---|
2425 | @c @subsubheading SYNOPSIS |
---|
2426 | @smallexample |
---|
2427 | /usr/etc/popper [-d] [-t @var{trace-file}] |
---|
2428 | @end smallexample |
---|
2429 | @c @subsubheading DESCRIPTION |
---|
2430 | @code{popper} is an implementation of the Post Office Protocol server |
---|
2431 | that runs on a variety of Unix computers to manage electronic mail for |
---|
2432 | Macintosh and MS-DOS computers. POP allows one host to be a secure mail |
---|
2433 | server, and allows users on other machines to reliably pick up their |
---|
2434 | mail from the mail server, without having to log in or worry about NFS |
---|
2435 | collisions (as could be the case were @var{/var/spool/mail} exported). |
---|
2436 | |
---|
2437 | The server was developed at the |
---|
2438 | University of California at Berkeley and conforms fully to the |
---|
2439 | specifications in RFC 1081 and RFC 1082. The Berkeley server also has |
---|
2440 | extensions to send electronic mail on behalf of a client. |
---|
2441 | |
---|
2442 | @ignore |
---|
2443 | @subsubheading THE POP TRANSACTION CYCLE |
---|
2444 | The Berkeley POP server is a single program (called @code{popper}) that |
---|
2445 | is launched by @code{inetd} when it gets a service request on the POP |
---|
2446 | TCP port. (The official port number specified in RFC 1081 for POP |
---|
2447 | version 3 is port 110. However, some POP3 clients attempt to contact |
---|
2448 | the server at port 109, the POP version 2 port. Unless you are running |
---|
2449 | both POP2 and POP3 servers, you can simply define both ports for use by |
---|
2450 | the POP3 server. This is explained in the installation instructions |
---|
2451 | later on.) The @code{popper} program initializes and verifies that the |
---|
2452 | peer IP address is registered in the local domain, logging a warning |
---|
2453 | message when a connection is made to a client whose IP address does not |
---|
2454 | have a canonical name. For systems using BSD 4.3 bind, it also checks to |
---|
2455 | see if a canonical name lookup for the client returns the same peer IP |
---|
2456 | address, logging a warning message if it does not. The the server |
---|
2457 | enters the authorization state, during which the client must correctly |
---|
2458 | identify itself by providing a valid Unix userid and password on the |
---|
2459 | server's host machine. No other exchanges are allowed during this state |
---|
2460 | (other than a request to quit.) If authentication fails, a warning |
---|
2461 | message is logged and the session ends. Once the user is identified, |
---|
2462 | @code{popper} changes its user and group IDs to match that of the user |
---|
2463 | and enters the transaction state. The server makes a temporary copy of |
---|
2464 | the user's maildrop (ordinarily in @file{/usr/spool/mail}) which is used |
---|
2465 | for all subsequent transactions. These the bulk of POP commands to |
---|
2466 | retrieve mail, delete mail, undelete mail, and so forth. A Berkeley |
---|
2467 | extension also allows the user to submit a mail parcel to the server who |
---|
2468 | mails it using the @code{sendmail} program (this extension is supported |
---|
2469 | in the HyperMail client distributed with the server). When the client |
---|
2470 | quits, the server enters the final update state during which the network |
---|
2471 | connection is terminated and the user's maildrop is updated with the |
---|
2472 | (possibly) modified temporary maildrop. |
---|
2473 | |
---|
2474 | @subsubheading LOGGING |
---|
2475 | @end ignore |
---|
2476 | |
---|
2477 | The POP server uses @code{syslog} to keep a record of its activities. |
---|
2478 | On systems with BSD 4.3 syslogging, the server logs (by default) to the |
---|
2479 | @samp{local0} facility at priority @samp{notice} for all messages except |
---|
2480 | debugging which is logged at priority @samp{debug}. The default log |
---|
2481 | file is @file{/usr/spool/mqueue/POPlog}. These can be changed, if |
---|
2482 | desired. On systems with 4.2 syslogging all messages are logged to the |
---|
2483 | local log file, usually @file{/usr/spool/mqueue/syslog}. |
---|
2484 | |
---|
2485 | @subsubheading DEBUGGING |
---|
2486 | |
---|
2487 | The @code{popper} program logs debugging information when the @samp{-d} |
---|
2488 | parameter is specified after its invocation in the @file{inetd.conf} |
---|
2489 | file. The @samp{-d} flag sets the socket to debugging and turns on |
---|
2490 | debugging. All debugging information is saved using @code{syslog}(8). |
---|
2491 | Care should be exercised in using this option since it generates |
---|
2492 | considerable output in the syslog file. Alternatively, the @samp{-t |
---|
2493 | @var{file-name}} option places debugging information into file |
---|
2494 | @var{`file-name'} using @code{fprintf} instead of @code{syslog}. |
---|
2495 | |
---|
2496 | You can confirm that the POP server is running on Unix by |
---|
2497 | @code{telnet}ing to port 110 (or 109 if you set it up that way). For |
---|
2498 | example: |
---|
2499 | |
---|
2500 | @smallexample |
---|
2501 | %telnet @var{myhost} 110 |
---|
2502 | Trying... |
---|
2503 | Connected to @var{myhost}.berkeley.edu. |
---|
2504 | Escape character is '^]'. |
---|
2505 | +OK UCB Pop server (version 1.6) at @var{myhost} starting. |
---|
2506 | quit |
---|
2507 | Connection closed by foreign host. |
---|
2508 | @end smallexample |
---|
2509 | |
---|
2510 | @subsubheading FILES |
---|
2511 | @table @file |
---|
2512 | @item /usr/spool/mail |
---|
2513 | mail files |
---|
2514 | @item /etc/inetd.conf |
---|
2515 | pop program invocation |
---|
2516 | @item /etc/syslog.conf |
---|
2517 | logging specifications |
---|
2518 | @end table |
---|
2519 | |
---|
2520 | @ignore |
---|
2521 | @subsubheading SEE ALSO |
---|
2522 | @code{inetd}(8), RFC1081, RFC1082. |
---|
2523 | @end ignore |
---|
2524 | |
---|
2525 | |
---|
2526 | |
---|
2527 | @node klogind |
---|
2528 | @subsection @code{klogind}---Kerberos remote login server |
---|
2529 | |
---|
2530 | @c @subsubheading SYNOPSIS |
---|
2531 | @smallexample |
---|
2532 | /usr/kerberos/etc/klogind |
---|
2533 | /usr/kerberos/etc/Klogind |
---|
2534 | /usr/kerberos/etc/eklogind |
---|
2535 | @end smallexample |
---|
2536 | @c @subsubheading DESCRIPTION |
---|
2537 | @code{klogind} is the server for the Kerberos version of the |
---|
2538 | @ref{rlogin} program. The server provides a remote login facility with |
---|
2539 | authentication provided by Kerberos. |
---|
2540 | |
---|
2541 | @code{klogind} listens for service requests at the port indicated in the |
---|
2542 | @code{klogin} or @code{eklogin} service specification; see |
---|
2543 | @samp{services}(5). |
---|
2544 | |
---|
2545 | In the past, invocation as @code{klogind} was used for normal hosts to |
---|
2546 | which password access was granted if Kerberos authentication failed, |
---|
2547 | whereas invocation as @code{Klogind} required Kerberos authentication. |
---|
2548 | However, this distinction has been removed, because @code{klogind} does |
---|
2549 | not behave identically to the traditional @code{rlogind} server, and |
---|
2550 | because the password fallback does not work with encryption. Invocation |
---|
2551 | as @code{klogind} is now identical to invocation as @code{Klogind}. It |
---|
2552 | is still possible to run the system provided @code{rlogind} server to |
---|
2553 | permit access with a password. |
---|
2554 | |
---|
2555 | Invocation as @code{eklogind} provides an encrypted communications |
---|
2556 | channel. |
---|
2557 | |
---|
2558 | When a service request is received, the server checks the client's |
---|
2559 | source address and requests the corresponding host name (see |
---|
2560 | @code{gethostbyaddr}(3N), @samp{hosts}(5) and @samp{named}(8)). If the |
---|
2561 | hostname cannot be determined, the dot-notation representation of the |
---|
2562 | host address is used. |
---|
2563 | |
---|
2564 | Once the source address has been checked, @code{klogind} allocates a |
---|
2565 | pseudo terminal (see @samp{pty}(4)), and manipulates file descriptors so |
---|
2566 | that the slave half of the pseudo terminal becomes the @code{stdin}, |
---|
2567 | @code{stdout}, and @code{stderr} for a login process. The login process |
---|
2568 | is an instance of the @code{login}(1) program, invoked with the |
---|
2569 | @samp{-k}, @samp{-K}, or @samp{-e} option, depending on whether the |
---|
2570 | @code{klogind} was started as @code{klogind}, @code{Klogind} or |
---|
2571 | @code{eklogind}, respectively. The login process then proceeds with the |
---|
2572 | authentication process as described in @ref{kshd}, but if automatic |
---|
2573 | authentication fails, the user is re-prompted to login as one would on a |
---|
2574 | standard terminal line. |
---|
2575 | |
---|
2576 | The parent of the login process manipulates the master side of the |
---|
2577 | pseudo terminal, operating as an intermediary between the login process |
---|
2578 | and the client instance of the @code{rlogin} program. If @code{klogind} |
---|
2579 | is invoked as @code{eklogind}, all data passed over the network are |
---|
2580 | encrypted. In normal operation, the packet protocol described in |
---|
2581 | @samp{pty}(4) is invoked to provide @kbd{^S}/@kbd{^Q} type facilities |
---|
2582 | and propagate interrupt signals to the remote programs. The login |
---|
2583 | process propagates the client terminal's baud rate and terminal type, as |
---|
2584 | found in the environment variable, @samp{TERM}; see @samp{environ}(7). |
---|
2585 | The screen or window size of the terminal is requested from the client, |
---|
2586 | and window size changes from the client are propagated to the pseudo |
---|
2587 | terminal. |
---|
2588 | |
---|
2589 | @code{Klogind} |
---|
2590 | accepts three options which may be used for testing purposes. |
---|
2591 | |
---|
2592 | The @samp{-l} @var{login_program} option sets the login program to |
---|
2593 | run. The default value is normally |
---|
2594 | @file{/usr/kerberos/etc/login.krb}. |
---|
2595 | |
---|
2596 | The @samp{-r} @var{realm_file} option sets the name of the |
---|
2597 | @file{krb.realms} file to use. The default value is normally |
---|
2598 | @file{/usr/kerberos/lib/krb.realms}. @xref{krb.realms}. |
---|
2599 | |
---|
2600 | The @samp{-s} @var{srvtab_file} option sets the name of the srvtab |
---|
2601 | file to use. The default value is normally @file{/etc/krb-srvtab}. |
---|
2602 | |
---|
2603 | @ignore |
---|
2604 | @subsubheading DIAGNOSTICS |
---|
2605 | |
---|
2606 | All diagnostic messages are returned on the connection associated with |
---|
2607 | the stderr, after which any network connections are closed. An error is |
---|
2608 | indicated by a leading byte with a value of 1. |
---|
2609 | @table @code |
---|
2610 | @item Try again. |
---|
2611 | A @code{fork} by the server failed. |
---|
2612 | @item /bin/sh: @dots{} |
---|
2613 | The user's login shell could not be started. |
---|
2614 | @end table |
---|
2615 | @ignore |
---|
2616 | @subsubheading SEE ALSO |
---|
2617 | @xref{kerberos}. |
---|
2618 | |
---|
2619 | @subsubheading BUGS |
---|
2620 | |
---|
2621 | A more extensible protocol should be used. |
---|
2622 | @end ignore |
---|
2623 | |
---|
2624 | @node kshd |
---|
2625 | @subsection @code{kshd}---Kerberos remote shell server |
---|
2626 | |
---|
2627 | @c @subsubheading SYNOPSIS |
---|
2628 | @smallexample |
---|
2629 | /usr/kerberos/etc/kshd |
---|
2630 | @end smallexample |
---|
2631 | |
---|
2632 | @c @subsubheading DESCRIPTION |
---|
2633 | @code{kshd} is the server for the @code{kcmd} routine and, |
---|
2634 | consequently, |
---|
2635 | for the @ref{rsh} program. The server provides remote execution |
---|
2636 | facilities with authentication based on Kerberos. |
---|
2637 | |
---|
2638 | @code{kshd} listens for service requests at the port indicated in the |
---|
2639 | @samp{kshell} service specification; see @samp{services}(5). When a |
---|
2640 | service request is received the following protocol is initiated: |
---|
2641 | |
---|
2642 | @enumerate |
---|
2643 | @item |
---|
2644 | The server reads characters from the socket up to a null (\0) byte. |
---|
2645 | The resultant string is interpreted as an ASCII number, base 10. |
---|
2646 | @item |
---|
2647 | If the number received in step 1 is non-zero, it is interpreted as the |
---|
2648 | port number of a secondary stream to be used for the @code{stderr}. A |
---|
2649 | second connection is then created to the specified port on the client's |
---|
2650 | machine. |
---|
2651 | @item |
---|
2652 | The server checks the client's source address and requests the |
---|
2653 | corresponding host name (see @code{gethostbyaddr}(3N), |
---|
2654 | @samp{hosts}(5) |
---|
2655 | and @samp{named}(8)). If the hostname cannot be determined, the |
---|
2656 | dot-notation representation of the host address is used. |
---|
2657 | @item |
---|
2658 | A Kerberos ticket/authenticator pair are retrieved on the initial |
---|
2659 | socket. |
---|
2660 | @item |
---|
2661 | A null terminated user name of at most 16 characters is retrieved on |
---|
2662 | the initial socket. This user name is interpreted as a user identity to |
---|
2663 | use on the server's machine. |
---|
2664 | @item |
---|
2665 | A null terminated command to be passed to a shell is retrieved |
---|
2666 | on the initial socket. The length of the command is limited by the |
---|
2667 | upper bound on the size of the system's argument list. |
---|
2668 | @item |
---|
2669 | @code{kshd} then validates the user according to the following steps. |
---|
2670 | The local (server-end) user name is looked up in the password file and a |
---|
2671 | @code{chdir} is performed to the user's home directory. If either the |
---|
2672 | lookup or @code{chdir} fail, the connection is terminated. The |
---|
2673 | @file{.klogin} file in the home directory is used to mediate access to |
---|
2674 | the account (via @samp{kuserok}) by the Kerberos principal named in the |
---|
2675 | ticket/authenticator. If this authorization check fails, the connection |
---|
2676 | is terminated. |
---|
2677 | @item |
---|
2678 | A null byte is returned on the initial socket and the command line is |
---|
2679 | passed to the normal login shell of the user. The shell inherits the |
---|
2680 | network connections established by @code{kshd}. |
---|
2681 | @end enumerate |
---|
2682 | |
---|
2683 | @code{kshd} |
---|
2684 | accepts three options which may be used for testing purposes. |
---|
2685 | |
---|
2686 | The @samp{-p} @var{directory} option sets the directory where Kerberos |
---|
2687 | programs are found. This directory is put at the start of @samp{PATH} |
---|
2688 | before the command is executed. The default value is normally |
---|
2689 | @file{/usr/kerberos/bin}. (For correct operation of Kerberos |
---|
2690 | @code{rcp}, the Kerberos @code{rcp} program must be in @samp{PATH} |
---|
2691 | before any other @code{rcp} program. @xref{rcp}). |
---|
2692 | |
---|
2693 | The @samp{-r} @var{realm_file} option sets the name of the |
---|
2694 | @file{krb.realms} file to use. The default value is normally |
---|
2695 | @file{/usr/kerberos/lib/krb.realms}. @xref{krb.realms}. |
---|
2696 | |
---|
2697 | The @samp{-s} @var{srvtab_file} option sets the name of the srvtab |
---|
2698 | file to use. The default value is normally @file{/etc/krb-srvtab}. |
---|
2699 | |
---|
2700 | @subsubheading DIAGNOSTICS |
---|
2701 | |
---|
2702 | Except for the last one listed below, all diagnostic messages are |
---|
2703 | returned on the initial socket, after which any network connections are |
---|
2704 | closed. An error is indicated by a leading byte with a value of `1' |
---|
2705 | (zero is returned in step 8 above upon successful completion of all the |
---|
2706 | steps prior to the execution of the login shell). |
---|
2707 | @table @code |
---|
2708 | @item remuser too long |
---|
2709 | The name of the user on the remote machine is longer than 16 |
---|
2710 | characters. |
---|
2711 | @item command too long |
---|
2712 | The command line passed exceeds the size of the argument list (as |
---|
2713 | configured into the system). |
---|
2714 | @item Login incorrect. |
---|
2715 | No password file entry for the user name existed. |
---|
2716 | @item No remote directory. |
---|
2717 | The @code{chdir} command to the home directory failed. |
---|
2718 | @item Permission denied. |
---|
2719 | The authorization procedure described above failed. |
---|
2720 | @item Can not make pipe. |
---|
2721 | The pipe needed for the @code{stderr}, was not created. |
---|
2722 | @item Try again. |
---|
2723 | A @code{fork} by the server failed. |
---|
2724 | @item @var{shellname}: @dots{} |
---|
2725 | The user's login shell could not be started. This message is returned on |
---|
2726 | the connection associated with the @code{stderr}, and is not preceded by |
---|
2727 | a flag byte. |
---|
2728 | @end table |
---|
2729 | |
---|
2730 | @ignore |
---|
2731 | @subsubheading SEE ALSO |
---|
2732 | @table @ref |
---|
2733 | @item rsh |
---|
2734 | @item Kerberos |
---|
2735 | @item kuserok |
---|
2736 | @end table |
---|
2737 | @end ignore |
---|
2738 | |
---|
2739 | @ignore |
---|
2740 | @subsubheading BUGS |
---|
2741 | |
---|
2742 | A facility to allow all data exchanges to be encrypted should be |
---|
2743 | present. |
---|
2744 | |
---|
2745 | A more extensible protocol should be used. |
---|
2746 | @end ignore |
---|
2747 | |
---|
2748 | @node File Transfer |
---|
2749 | @section File Transfer |
---|
2750 | @menu |
---|
2751 | * tftpd:: TFTP |
---|
2752 | * tcom:: TCOM |
---|
2753 | @end menu |
---|
2754 | @node tftpd |
---|
2755 | @subsection @code{tftpd}---server tftp daemon |
---|
2756 | |
---|
2757 | @c @subsubheading SYNOPSIS |
---|
2758 | @smallexample |
---|
2759 | /etc/tftpd |
---|
2760 | @end smallexample |
---|
2761 | @c @subsubheading DESCRIPTION |
---|
2762 | @code{tftpd} is a daemon which runs the trivial file transfer protocol |
---|
2763 | server. It listens for incoming connections, and forks a child to |
---|
2764 | perform each requested transfer. It uses the directory @file{/tftpd}; |
---|
2765 | the file @file{lock} in that directory is used to prevent two daemons from |
---|
2766 | becoming active simultaneously; it also contains the daemon's process |
---|
2767 | ID, which is used by the @code{tftp} command program @ref{tcom} to |
---|
2768 | control the daemon's operation. |
---|
2769 | |
---|
2770 | |
---|
2771 | @subsubheading FILES |
---|
2772 | @table @file |
---|
2773 | @item /tftpd/lock |
---|
2774 | interlock, PID storage |
---|
2775 | @item /dev/net |
---|
2776 | the network device |
---|
2777 | @end table |
---|
2778 | |
---|
2779 | @ignore |
---|
2780 | @subsubheading SEE ALSO |
---|
2781 | @table @ref |
---|
2782 | @item tftp |
---|
2783 | @item tcom |
---|
2784 | @item Internet Protocol Handbook |
---|
2785 | @end table |
---|
2786 | @end ignore |
---|
2787 | |
---|
2788 | @node tcom |
---|
2789 | @subsection @code{tcom}---control operation of server tftp daemon |
---|
2790 | |
---|
2791 | @c @subsubheading SYNOPSIS |
---|
2792 | @smallexample |
---|
2793 | tcom |
---|
2794 | @end smallexample |
---|
2795 | @c @subsubheading DESCRIPTION |
---|
2796 | @code{tcom} is a program to control the execution of the server trivial |
---|
2797 | file transfer daemon. It sends user commands to the daemon by writing |
---|
2798 | them into a shared file and signaling the daemon; it watches the |
---|
2799 | daemon's log to obtain the results of the commands. The following |
---|
2800 | commands are supported: |
---|
2801 | @table @code |
---|
2802 | @item help |
---|
2803 | display a list of commands |
---|
2804 | @item input trace on|off |
---|
2805 | turn tracing of input packets on or off |
---|
2806 | @item output trace on|off |
---|
2807 | turn tracing of output packets on or off |
---|
2808 | @item trace on|off |
---|
2809 | turn all packet tracing on or off |
---|
2810 | @item times |
---|
2811 | display server parent and children process times |
---|
2812 | @item uptime |
---|
2813 | display daemon up time |
---|
2814 | @item exit |
---|
2815 | force daemon to shut down and exit |
---|
2816 | @end table |
---|
2817 | @subsubheading FILES |
---|
2818 | @table @file |
---|
2819 | @item /tftpd/lock |
---|
2820 | lock file containing daemon's PID |
---|
2821 | @item /tftpd/command |
---|
2822 | command file to daemon |
---|
2823 | @item /tftpd/slog |
---|
2824 | daemon's log file |
---|
2825 | @end table |
---|
2826 | |
---|
2827 | Note that two @code{tcom}s running at the same time result in chaos. Be |
---|
2828 | aware that watching the daemon's log file uses a lot of CPU time. |
---|
2829 | |
---|
2830 | @node Slave Servers |
---|
2831 | @section Slave Servers |
---|
2832 | |
---|
2833 | @smallexample |
---|
2834 | kpropd [-r @var{realm}] [-s @var{srvtab}] [-d @var{database}] |
---|
2835 | [-u @var{port}] [-l @var{logfile}] [-i] [-c @var{command}] |
---|
2836 | [-C @var{arg}] @var{filename} |
---|
2837 | @end smallexample |
---|
2838 | |
---|
2839 | The @code{kpropd} daemon runs on a Kerberos slave server. A Kerberos |
---|
2840 | slave server holds a copy of the master Kerberos database. Any slave |
---|
2841 | server may serve as a Key Distribution Center just as the master server |
---|
2842 | does, permitting people to use Kerberos programs even if the master |
---|
2843 | server is inaccessible. |
---|
2844 | |
---|
2845 | @xref{Slave Server Installation} for a description of how to use |
---|
2846 | @code{kprop} and @code{kpropd} to set up slave servers. |
---|
2847 | |
---|
2848 | The @code{kprop} program running on the master server contacts the |
---|
2849 | @code{kpropd} daemon running on the slave server in order to copy over |
---|
2850 | the Kerberos database (@pxref{kprop and push-kprop}). |
---|
2851 | |
---|
2852 | The |
---|
2853 | @code{kpropd} |
---|
2854 | daemon is normally started by arranging for |
---|
2855 | @code{inetd} |
---|
2856 | to run the |
---|
2857 | @code{in.kpropd} |
---|
2858 | shell script. Normally, a line like this would be added to the |
---|
2859 | @file{/etc/inetd.conf} |
---|
2860 | file: |
---|
2861 | |
---|
2862 | @smallexample |
---|
2863 | krb_prop stream tcp nowait root /usr/kerberos/etc/in.kpropd in.kpropd |
---|
2864 | @end smallexample |
---|
2865 | |
---|
2866 | The @code{kpropd} daemon may also be run directly as a server. |
---|
2867 | |
---|
2868 | The @code{kpropd} daemon has a single required argument, which is the |
---|
2869 | name of a file in which to store the database received from @code{kprop} |
---|
2870 | running on the master server (the @code{in.kpropd} script passes |
---|
2871 | @file{/usr/kerberos/database/slavedb}). After @code{kpropd} receives |
---|
2872 | the database information, it runs @code{kdb_util} to load it into the |
---|
2873 | local Kerberos database (@pxref{kdb_util}). |
---|
2874 | |
---|
2875 | The @code{kpropd} daemon only accepts data from machines which are |
---|
2876 | listed in @file{krb.conf} as an admin server (@pxref{krb.conf}). |
---|
2877 | |
---|
2878 | The @samp{-r} @var{realm} option sets the Kerberos realm name. The |
---|
2879 | default realm is obtained using @code{krb_get_lrealm}. |
---|
2880 | |
---|
2881 | The @samp{-s} @var{srvtab} option sets the name of the srvtab file to |
---|
2882 | use when authenticating the ticket received from @code{kprop}. The |
---|
2883 | default is @file{/etc/krb-srvtab}. |
---|
2884 | |
---|
2885 | The @samp{-d} @var{database} option sets the name of the Kerberos |
---|
2886 | database. This is a prefix used to name three files. The default is |
---|
2887 | @file{/usr/kerberos/database/principal}. |
---|
2888 | |
---|
2889 | The @samp{-u} @var{port} option sets the port to accept connections on. |
---|
2890 | This is only meaningful if the @samp{-i} option is not used. The |
---|
2891 | default is to use @code{getservbyname} to look up the @samp{krb_prop} |
---|
2892 | service. If that is not defined, @code{kpropd} uses @samp{754}. |
---|
2893 | |
---|
2894 | The @samp{-l} @var{logfile} option sets the name of the log file. The |
---|
2895 | default is @file{/usr/kerberos/database/kpropd.log}. |
---|
2896 | |
---|
2897 | The @samp{-i} option causes @code{kpropd} to assume that it was run from |
---|
2898 | @code{inetd}. The default is for @code{kpropd} to open a socket and to |
---|
2899 | loop accepting connections. |
---|
2900 | |
---|
2901 | The @samp{-c} @var{command} option sets the path of the @code{kdb_util} |
---|
2902 | command which @code{kpropd} should run after receiving the database. |
---|
2903 | The default is to just run @code{kdb_util}, assuming it is on |
---|
2904 | @samp{PATH}. |
---|
2905 | |
---|
2906 | The @samp{-C} @var{arg} option sets the argument to pass to |
---|
2907 | @code{kdb_util}. The default argument is @code{load}. |
---|
2908 | |
---|
2909 | @node Glossary |
---|
2910 | @chapter A Glossary of Kerberos Terms |
---|
2911 | |
---|
2912 | @itemize @bullet |
---|
2913 | @item @strong{Kerberos (Cerberus):} A figure out of Greek and Roman |
---|
2914 | mythology, the three-headed dog who guards the entrance to the |
---|
2915 | underworld. Kerberos would howl at the presence of the living among the |
---|
2916 | dead. |
---|
2917 | |
---|
2918 | @item @strong{ACL:} Access Control List. |
---|
2919 | An access control list determines who has access to do particular |
---|
2920 | operations. In Kerberos V4, access control lists are only used to |
---|
2921 | control access to administrative operations (such as adding users or |
---|
2922 | changing passwords), and are kept as ordinary ASCII files in |
---|
2923 | @file{/usr/kerberos/database/admin_acl.*}. The three lists there control |
---|
2924 | who can add, get information about, and modify information about |
---|
2925 | principals in the Kerberos database. |
---|
2926 | |
---|
2927 | @item @strong{application server:} A program that provides a service, |
---|
2928 | typically to multiple people at the same time. For example, file |
---|
2929 | transfers on the Internet are handled by FTP servers and NFS servers. |
---|
2930 | You can log in to other machines by using a @code{telnet} server or an |
---|
2931 | rlogin server. Application servers often run as ``daemons,'' which are |
---|
2932 | programs that run quietly in the background inside a machine, invisible |
---|
2933 | to the person at the console. (See, `principal'.) |
---|
2934 | |
---|
2935 | @item @strong{authentication:} The process of proving that you are |
---|
2936 | who you claim to be. It usually involves validating a user's identity |
---|
2937 | by means of a multiple-step transaction. Automated teller machines do |
---|
2938 | authentication by making you provide a token (your ATM card) and then |
---|
2939 | type in a PIN or other secret number to prove you are using the card |
---|
2940 | legitimately. Kerberos provides authentication across a computer |
---|
2941 | network, without revealing the authentication information to |
---|
2942 | wiretappers. Once you are authenticated to a host, either Kerberos or |
---|
2943 | some other process @emph{authorizes} you to perform certain functions. |
---|
2944 | |
---|
2945 | @item @strong{authorization:} A process whereby you get permission to |
---|
2946 | perform actions. In the example of the bank machine above, you are |
---|
2947 | @emph{authenticated} to the bank machine by using your card and PIN |
---|
2948 | number; then the bank's computer @emph{authorizes} you to receive money |
---|
2949 | if it determines you have enough in your account. Kerberos provides |
---|
2950 | simple authorization service via the ACL system; other authorization |
---|
2951 | services can be built on top of Kerberos if the system administrator |
---|
2952 | wishes. |
---|
2953 | |
---|
2954 | @item @strong{client:} A partner in a client-server relationship. The |
---|
2955 | client acts as the users' interface to the services offered by the |
---|
2956 | application server. (See, `principal'.) |
---|
2957 | |
---|
2958 | @item @strong{domain:} As in feudal days, a @emph{domain} is an area over |
---|
2959 | which one administrator exercises control. |
---|
2960 | |
---|
2961 | @item @strong{Domain Name Service:} |
---|
2962 | A service which translates Internet host names to and from numeric |
---|
2963 | IP addresses. DNS (as it is usually known) also provides additional |
---|
2964 | services (e.g., managing email delivery). |
---|
2965 | |
---|
2966 | @item @strong{instance:} An instance refers to a particular |
---|
2967 | @emph{role} of a user. For example, Kerberos administrators have two |
---|
2968 | roles: that of an ordinary user (with an empty instance); and that of |
---|
2969 | an administrator (with an instance of @emph{admin}). Instances are |
---|
2970 | normally written after the principal name, separated by a dot, as in |
---|
2971 | @samp{person.admin}. Some programs (@code{kinit} and @code{kdb_edit}) |
---|
2972 | prompt separately for a principal name and an instance name. |
---|
2973 | Instances are also used with keys for programs, to indicate on which |
---|
2974 | hostname the program runs. For example, @samp{rcmd.host1@@your-realm} |
---|
2975 | is the principal name for the @code{rcmd} service (the name used by |
---|
2976 | @code{rlogin, rcp}, and @code{rsh}) for @samp{host1} in your realm. |
---|
2977 | (See, `principal'.) |
---|
2978 | |
---|
2979 | @item @strong{key:} The encryption secret used to encrypt and decrypt |
---|
2980 | network @code{rlogin} sessions and other transactions. Each session has |
---|
2981 | a temporary key associated with it for exchanging authentication |
---|
2982 | information (and possibly encrypting other data as well), and each user |
---|
2983 | and application server has a key of its own. Users' keys are generated |
---|
2984 | from their passwords. The application server's key is generally stored |
---|
2985 | in a file. |
---|
2986 | |
---|
2987 | @item @strong{principal:} A Kerberos principal can be a user, |
---|
2988 | a host, a service, a client, or an application server. The term |
---|
2989 | @emph{principal} is a generic name used to describe actors in the |
---|
2990 | Kerberos function. The principal name is usually a user's or |
---|
2991 | application server's name. Sometimes the entire string |
---|
2992 | @samp{principal.instance@@realm} is called the principal name. |
---|
2993 | |
---|
2994 | @item @strong{realm:} An administrative domain which operates a |
---|
2995 | Kerberos authentication service. Each user in the realm is identified |
---|
2996 | in the same way to all machines in the realm. Realm names are in |
---|
2997 | capital letters by convention. For one-host sites, the realm name is |
---|
2998 | the same as the host name (in capital letters). At larger sites, the |
---|
2999 | realm name is usually the capitalized name of the main Internet domain |
---|
3000 | (e.g., CYGNUS.COM or EFF.ORG). At large sites, there may be several |
---|
3001 | realms (e.g., ENG.SUN.COM and MKTG.SUN.COM). |
---|
3002 | |
---|
3003 | @item @strong{server:} See `application server'. |
---|
3004 | |
---|
3005 | @item @strong{ticket:} A software token used to securely pass the |
---|
3006 | identity of a user from the one Kerberos host to another. Tickets |
---|
3007 | contain the name of the server, the name of the client, the Internet |
---|
3008 | address of the client, a time-stamp, a lifetime (or expiration time) |
---|
3009 | of the ticket, and a random session key. The contents of the |
---|
3010 | so-called @emph{ticket file,} where the Kerberos client looks to find |
---|
3011 | authentication information, is sometimes incorrectly referred to as a |
---|
3012 | ticket, as well. |
---|
3013 | @end itemize |
---|
3014 | |
---|
3015 | @node Authors |
---|
3016 | @chapter Authors and Contributors |
---|
3017 | |
---|
3018 | The following people helped out on various aspects of the |
---|
3019 | system: |
---|
3020 | |
---|
3021 | Jeff Schiller designed and wrote the administration server and its |
---|
3022 | user interface, kadmin. He also wrote the DBM version of the database |
---|
3023 | management system. |
---|
3024 | |
---|
3025 | Mark Colan developed the Kerberos versions of rlogin, rsh, and rcp, as |
---|
3026 | well as contributing work on the servers. |
---|
3027 | |
---|
3028 | John Ostlund developed the Kerberos versions of passwd and |
---|
3029 | userreg. |
---|
3030 | |
---|
3031 | Stan Zanarotti pioneered Kerberos in a foreign realm (LCS), |
---|
3032 | and made many contributions based on that experience. |
---|
3033 | |
---|
3034 | Many other people contributed code and/or useful ideas, including: |
---|
3035 | |
---|
3036 | @itemize @bullet |
---|
3037 | @item Bill Bryant, MIT Project Athena |
---|
3038 | @item Bill Sommerfeld, MIT Project Athena |
---|
3039 | @item Bob Baldwin |
---|
3040 | @item Bob McKie, MIT Project Athena |
---|
3041 | @item Brian Murphy, MIT Project Athena |
---|
3042 | @item Chris Reed, MIT Project Athena |
---|
3043 | @item Clifford Neuman, MIT Project Athena |
---|
3044 | @item Dan Geer, MIT Project Athena |
---|
3045 | @item David Jedlinsky, MIT Project Athena |
---|
3046 | @item Douglas A. Church, MIT Project Athena |
---|
3047 | @item Emanuel Jay Berkenbilt, MIT Project Athena |
---|
3048 | @item Jeffrey I. Schiller, MIT Project Athena |
---|
3049 | @item Jennifer Steiner, MIT Project Athena |
---|
3050 | @item Jim Aspnes, MIT Project Athena |
---|
3051 | @item Jim Bloom |
---|
3052 | @item John Barba |
---|
3053 | @item John T. Kohl, Project Athena/Digital Equipment Corporation |
---|
3054 | @item John Kubiatowicz, MIT Project Athena |
---|
3055 | @item Jon Rochlis, MIT Project Athena |
---|
3056 | @item Ken Raeburn, MIT Project Athena (Now at Cygnus Support) |
---|
3057 | @item Mark Eichin, Cygnus Support |
---|
3058 | @item Mike Shanzer, MIT Project Athena |
---|
3059 | @item Richard Basch, MIT Project Athena |
---|
3060 | @item Rob French, MIT Project Athena |
---|
3061 | @item Steve Miller, MIT Project Athena/Digital Equipment Corporation |
---|
3062 | @item Ted Ts'o, MIT Project Athena |
---|
3063 | @item Win Treese, MIT Project Athena/Digital Equipment Corporation |
---|
3064 | @end itemize |
---|
3065 | |
---|
3066 | The POP Mail server was the work of: |
---|
3067 | |
---|
3068 | Bob Campbell, Edward Moy, Austin Shelton, Marshall T. Rose, and cast of |
---|
3069 | thousands at Rand, UDel, UCI, and elsewhere. Kerberos authentication |
---|
3070 | added by Tom Coppeto---MIT Network Services. |
---|
3071 | |
---|
3072 | Documentation credits include: |
---|
3073 | @itemize @bullet |
---|
3074 | @item Massachusetts Institute of Technology, for the @strong{man} pages which |
---|
3075 | formed the basis of some sections of this documentation. |
---|
3076 | @item John Gilmore, Mark Eichin and Ken Raeburn of Cygnus Support. |
---|
3077 | @item Kerberos Users' Frequently Asked Questions Guide, compiled by: |
---|
3078 | Barry Jaspan, <bjaspan@@security.ov.com>, OpenVision Technologies. |
---|
3079 | @end itemize |
---|
3080 | |
---|
3081 | @node Appendix |
---|
3082 | @appendix SecureNet Key Authentication Device |
---|
3083 | |
---|
3084 | @menu |
---|
3085 | * Intro:: A brief introduction |
---|
3086 | * SecureNet Key Device:: Describes the hardware device |
---|
3087 | * Example of Use:: How it looks to the user |
---|
3088 | * Protocol Design:: The cryptographic protocol we use |
---|
3089 | * Cryptographic Design:: Analysis of the protocol's strength |
---|
3090 | * Implementation:: How we implemented it in Kerberos V4 |
---|
3091 | @end menu |
---|
3092 | |
---|
3093 | @node Intro |
---|
3094 | @section Kerberos SecureNet Extension |
---|
3095 | |
---|
3096 | We at Cygnus Support have designed a simple extension to the Kerberos IV |
---|
3097 | protocol to support the use of a particular challenge-response |
---|
3098 | authenticator device, the SecureNet Key. The device uses DES to encrypt |
---|
3099 | a randomly generated challenge, producing an 8 decimal digit response. |
---|
3100 | |
---|
3101 | @node SecureNet Key Device |
---|
3102 | @section The SecureNet Key Devise |
---|
3103 | |
---|
3104 | The SecureNet Key device (SNK4) is a product of Digital Pathways. The |
---|
3105 | function of the device is simple. |
---|
3106 | |
---|
3107 | @table @emph |
---|
3108 | @item Initialization |
---|
3109 | At first application of power, it is loaded with a DES key, and then a |
---|
3110 | PIN. The PIN can be changed later, the DES key can only be changed by |
---|
3111 | removing the batteries from the device. |
---|
3112 | |
---|
3113 | @item Use |
---|
3114 | The device holder is then given a ``challenge,'' consisting of a |
---|
3115 | randomly generated six digit value. They power on the device, enter the |
---|
3116 | PIN, and then enter the challenge. An eight digit response is |
---|
3117 | displayed, which the device holder enters into the system, confirming |
---|
3118 | their identity. |
---|
3119 | |
---|
3120 | @item Theory |
---|
3121 | The challenge is interpreted as six ASCII characters. Two zero bytes |
---|
3122 | are added to the end of this string, producing an eight character |
---|
3123 | plaintext block. This block is fed to the DES ECB encryption function, |
---|
3124 | using the device key to encrypt it. The first four bytes of the |
---|
3125 | resulting block are displayed as the response, as eight hexadecimal |
---|
3126 | digits. |
---|
3127 | |
---|
3128 | The display itself is not complete---when the digits @samp{A}, @samp{B}, |
---|
3129 | or @samp{C} appear, they are replaced by the digit @samp{2}; likewise |
---|
3130 | @samp{D}, @samp{E}, and @samp{F} are replaced by @samp{3}. This permits |
---|
3131 | the response to be entered in using only a numeric keypad, and avoids |
---|
3132 | confusing a user who might not be familiar with non-decimal number |
---|
3133 | systems. |
---|
3134 | |
---|
3135 | @end table |
---|
3136 | |
---|
3137 | @node Example of Use |
---|
3138 | @section Example of SecureNet Key use |
---|
3139 | |
---|
3140 | To use an SNK4 device for Kerberos authentication: |
---|
3141 | |
---|
3142 | @display |
---|
3143 | % kinit -s username |
---|
3144 | Challenge: 123456 |
---|
3145 | Response:12345678 |
---|
3146 | % klist |
---|
3147 | Ticket file: /tmp/tkt86 |
---|
3148 | Principal: username.+SNK4@@REALM.ORG |
---|
3149 | |
---|
3150 | Issued Expires Principal |
---|
3151 | Dec 31 18:35:30 Dec 32 04:35:30 krbtgt.REALM.ORG@@REALM.ORG |
---|
3152 | @end display |
---|
3153 | |
---|
3154 | or |
---|
3155 | |
---|
3156 | @display |
---|
3157 | % kinit -s username |
---|
3158 | Challenge #1: 123456 |
---|
3159 | Response #1:12345678 |
---|
3160 | Challenge #2: 789012 |
---|
3161 | Response #2:78901234 |
---|
3162 | % |
---|
3163 | @end display |
---|
3164 | |
---|
3165 | @node Protocol Design |
---|
3166 | @section Protocol Design for using the SecureNet Key |
---|
3167 | |
---|
3168 | Because of the requirement for replicated Key Distribution Centers, it |
---|
3169 | is impractical to add persistent state about the challenge and response. |
---|
3170 | (It would at first seem an obvious approach---use existing |
---|
3171 | pre-authentication support to get the response from the user---except |
---|
3172 | that if the challenge is not generated by the server, it is vulnerable |
---|
3173 | to replay.) |
---|
3174 | |
---|
3175 | Thus, we use the response directly as a shared secret, as the key for |
---|
3176 | the TGT itself. We have designed two modes, one which uses a single |
---|
3177 | challenge, one which uses two independent challenges. The single |
---|
3178 | challenge is convenient, but is cryptographically weak enough that it |
---|
3179 | should only be used for short-lived TGTs, and perhaps should not even be |
---|
3180 | used there, as it can expose information about challenge-response pairs |
---|
3181 | that can be used to attack the stronger two-challenge system. (Note |
---|
3182 | that the two-challenge version does not cause additional traffic---the |
---|
3183 | TGT is returned with both challenges as part of the package.) |
---|
3184 | |
---|
3185 | @node Cryptographic Design |
---|
3186 | @section Cryptographic Analysis of Protocol Design |
---|
3187 | |
---|
3188 | For this analysis, we assume that the attacker can perform |
---|
3189 | known-plaintext attacks on the ticket-granting ticket at a rate of |
---|
3190 | roughly 25K tries per second. The first block is random (the session |
---|
3191 | key) so the attacker needs to chain to the second block, which has the |
---|
3192 | service principal name, which is known. (In this case, it is the string |
---|
3193 | @samp{krbtgt} followed by a zero byte---the eighth byte of the block is |
---|
3194 | the first character of the realm name, also known.) |
---|
3195 | |
---|
3196 | The SNK4 device takes basically 20 bits of input and produces 26+ bits |
---|
3197 | of output; the input bits are public and shared between the KDC and the |
---|
3198 | user, the output bits are a secret and shared between the KDC and the |
---|
3199 | user (as the original DES key itself is secret.) |
---|
3200 | |
---|
3201 | Simply using the response (padded with zero bits) as a key means that |
---|
3202 | the TGT can be brute forced in roughly an hour, leaving plenty of time |
---|
3203 | to actually use it. Also, a lookup table (for a given user/device) that |
---|
3204 | is indexed by challenge only needs a million 56 bit entries, and would |
---|
3205 | probably provide enough savings over time to be worth keeping. |
---|
3206 | |
---|
3207 | Using additional common information (such as the challenge itself or a |
---|
3208 | common timestamp) for the padding bits would eliminate the advantage of |
---|
3209 | the lookup table, but would not help against the brute force attack |
---|
3210 | itself. |
---|
3211 | |
---|
3212 | Requiring that the user take @emph{two} independent challenges and enter |
---|
3213 | both responses would double the amount of shared secret material, |
---|
3214 | squaring the expense of the brute force attack. This would drive it up |
---|
3215 | closer to twelve thousand years, keeping the original assumptions---54 |
---|
3216 | bits is nearly as good as a single DES key itself. (Put another way, a |
---|
3217 | double challenge takes only one-eighth as long a time to crack as the |
---|
3218 | internal key itself would.) |
---|
3219 | |
---|
3220 | @node Implementation |
---|
3221 | @section Implementation of SecureNet Key in Kerberos V4 |
---|
3222 | |
---|
3223 | There are four parts to this extension: |
---|
3224 | |
---|
3225 | @table @samp |
---|
3226 | @item @code{krb_get_in_tkt} |
---|
3227 | The library function @code{krb_get_in_tkt} already has hooks for a |
---|
3228 | callback function to do the necessary work. Callbacks do not work in |
---|
3229 | Mac drivers, though, so we have split the function around the callback |
---|
3230 | into @code{krb_mk_in_tkt} and @code{krb_parse_in_tkt} to allow the |
---|
3231 | client to do the challenge and response locally, without the callback. |
---|
3232 | @item @code{kinit -s} |
---|
3233 | An alternate mode of use of of @code{kinit} is provided which prompts as |
---|
3234 | before but adds +SNK4 to the instance, allowing the KDC to identify and |
---|
3235 | generate a different response. |
---|
3236 | @item Kerberos (KDC) |
---|
3237 | A modification of the normal KDC which recognizes the @samp{+SNK4} |
---|
3238 | string at the end of an instance and uses the key in the database as the |
---|
3239 | device key instead of the user's key, and then generates a pair of |
---|
3240 | challenges, works out the responses, and uses them for the TGT key |
---|
3241 | instead of the user's key. |
---|
3242 | @item @code{kadmin snk} |
---|
3243 | A new query to the @code{kadmin} program, @code{add_snk_key} or |
---|
3244 | @code{snk} which generates and displays random keys for use initializing |
---|
3245 | or reinitializing SNK4 devices. Includes key verification check. |
---|
3246 | @end table |
---|
3247 | |
---|
3248 | Since the user is authenticated as |
---|
3249 | @var{user}@strong{.+SNK4@@}@var{realm} instead of simply |
---|
3250 | @var{user}@strong{@@}@var{realm} access control can be done using the |
---|
3251 | standard ACL files---@file{~root/.klogin} for example. |
---|
3252 | |
---|
3253 | The protocol changes are simple. |
---|
3254 | @table @emph |
---|
3255 | @item Request |
---|
3256 | The request is unchanged, except for the addition of @samp{+SNK4} to the |
---|
3257 | instance. |
---|
3258 | @item Reply |
---|
3259 | The reply is distinctly different, but should not matter as only |
---|
3260 | @code{kinit -s} ever sees one. |
---|
3261 | |
---|
3262 | The structure is: |
---|
3263 | @table @samp |
---|
3264 | @item version |
---|
3265 | The eight characters @samp{cnssnk01} |
---|
3266 | @item challenge 1 |
---|
3267 | Also eight characters, six digits and two zero bytes. |
---|
3268 | @item challenge 2 |
---|
3269 | Same format as challenge 1. If this is the same string, the user is only |
---|
3270 | issued one challenge. |
---|
3271 | @item encrypted ticket |
---|
3272 | Same as the original protocol raw ticket. |
---|
3273 | @end table |
---|
3274 | @end table |
---|
3275 | |
---|
3276 | Challenge 1 and challenge 2 are encrypted and the first four bytes of |
---|
3277 | each (with the conversion to digits mentioned elsewhere) are used as key |
---|
3278 | material. In order to mix the bits effectively, the two resulting |
---|
3279 | strings are concatenated, producing eight bytes, which we will call key |
---|
3280 | 1. Key 1 is used to encrypt key 1, producing key 2. This avoids losing |
---|
3281 | particular bits of the response when we fix up the parity. |
---|
3282 | |
---|
3283 | If we put this data at the end, a normal @code{kinit} could still |
---|
3284 | decrypt the ticket if it had the right key---but it could not, so we do |
---|
3285 | not do that. |
---|
3286 | |
---|
3287 | @contents |
---|
3288 | @c end of texinfo file |
---|
3289 | @bye |
---|
3290 | |
---|
3291 | |
---|
3292 | @c (modify-syntax-entry ?_ "w" para-mode-syntax-table) |
---|
3293 | @c (modify-syntax-entry ?- "w" para-mode-syntax-table) |
---|
3294 | @c (modify-syntax-entry ?/ "w" para-mode-syntax-table) |
---|