1 | \input texinfo @c -*- texinfo -*- |
---|
2 | @setfilename kerb-mac.info |
---|
3 | |
---|
4 | @ifinfo |
---|
5 | |
---|
6 | @emph{Cygnus Network Security |
---|
7 | Apple Macintosh Client User's Guide} |
---|
8 | January 1995 |
---|
9 | |
---|
10 | Author John Gilmore |
---|
11 | |
---|
12 | |
---|
13 | CNS includes documentation and software developed at the Massachusetts |
---|
14 | Institute of Technology, which includes this copyright information: |
---|
15 | |
---|
16 | Copyright @copyright{} 1989 by the Massachusetts Institute of Technology. |
---|
17 | |
---|
18 | @quotation |
---|
19 | Export of software employing encryption from the United States of |
---|
20 | America is assumed to require a specific license from the United States |
---|
21 | Government. It is the responsibility of any person or organization |
---|
22 | contemplating export to obtain such a license before exporting. |
---|
23 | @end quotation |
---|
24 | |
---|
25 | WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute |
---|
26 | this software and its documentation for any purpose and without fee is |
---|
27 | hereby granted, provided that the above copyright notice appear in all |
---|
28 | copies and that both that copyright notice and this permission notice |
---|
29 | appear in supporting documentation, and that the name of M.I.T. not be |
---|
30 | used in advertising or publicity pertaining to distribution of the |
---|
31 | software without specific, written prior permission. M.I.T. makes no |
---|
32 | representations about the suitability of this software for any purpose. |
---|
33 | It is provided ``as is'' without express or implied warranty. |
---|
34 | |
---|
35 | Copyright @copyright{} 1991, 1992, 1994, 1995 Cygnus Support |
---|
36 | |
---|
37 | Permission is granted to make and distribute verbatim copies of this |
---|
38 | manual provided the copyright notice and this permission notice are |
---|
39 | preserved on all copies. |
---|
40 | |
---|
41 | @ignore |
---|
42 | Permission is granted to process this file through TeX and print the |
---|
43 | results, provided the printed document carries a copying permission |
---|
44 | notice identical to this one except for the removal of this paragraph |
---|
45 | (this paragraph not being relevant to the printed manual). |
---|
46 | @end ignore |
---|
47 | |
---|
48 | Permission is granted to copy and distribute modified versions of this |
---|
49 | manual under the conditions for verbatim copying, provided also that the |
---|
50 | entire resulting derived work is distributed under the terms of a |
---|
51 | permission notice identical to this one. |
---|
52 | |
---|
53 | Permission is granted to copy and distribute translations of this manual |
---|
54 | into another language, under the above conditions for modified versions. |
---|
55 | @end ifinfo |
---|
56 | |
---|
57 | @setchapternewpage odd |
---|
58 | @settitle Cygnus Network Security |
---|
59 | @titlepage |
---|
60 | @finalout |
---|
61 | @title Cygnus Network Security |
---|
62 | @subtitle Apple Macintosh Client User's Guide |
---|
63 | @sp 2 |
---|
64 | @subtitle January 1995 |
---|
65 | @vfill |
---|
66 | @author John Gilmore |
---|
67 | |
---|
68 | @page |
---|
69 | |
---|
70 | @vskip 0pt plus 1filll |
---|
71 | |
---|
72 | Copyright @copyright{} 1989 by the Massachusetts Institute of Technology. |
---|
73 | |
---|
74 | @quotation |
---|
75 | Export of software employing encryption from the United States of |
---|
76 | America is assumed to require a specific license from the United States |
---|
77 | Government. It is the responsibility of any person or organization |
---|
78 | contemplating export to obtain such a license before exporting. |
---|
79 | @end quotation |
---|
80 | |
---|
81 | WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute |
---|
82 | this software and its documentation for any purpose and without fee is |
---|
83 | hereby granted, provided that the above copyright notice appear in all |
---|
84 | copies and that both that copyright notice and this permission notice |
---|
85 | appear in supporting documentation, and that the name of M.I.T. not be |
---|
86 | used in advertising or publicity pertaining to distribution of the |
---|
87 | software without specific, written prior permission. M.I.T. makes no |
---|
88 | representations about the suitability of this software for any purpose. |
---|
89 | It is provided ``as is'' without express or implied warranty. |
---|
90 | |
---|
91 | Copyright @copyright{} 1991, 1992, 1994, 1995 Cygnus Support |
---|
92 | |
---|
93 | Permission is granted to make and distribute verbatim copies of this |
---|
94 | manual provided the copyright notice and this permission notice are |
---|
95 | preserved on all copies. |
---|
96 | |
---|
97 | Permission is granted to copy and distribute modified versions of this |
---|
98 | manual under the conditions for verbatim copying, provided also that the |
---|
99 | entire resulting derived work is distributed under the terms of a |
---|
100 | permission notice identical to this one. |
---|
101 | |
---|
102 | Permission is granted to copy and distribute translations of this manual |
---|
103 | into another language, under the above conditions for modified versions. |
---|
104 | |
---|
105 | @end titlepage |
---|
106 | |
---|
107 | @ifinfo |
---|
108 | @node Top |
---|
109 | @top Cygnus Network Security |
---|
110 | |
---|
111 | @menu |
---|
112 | * Introduction:: Introduction to Mac CNS |
---|
113 | * Using CNS on the Macintosh:: Installing and Starting CNS |
---|
114 | * Reading the Online Documentation:: Online doc for Mac CNS |
---|
115 | * Programming Mac CNS:: Building your own applications |
---|
116 | @end menu |
---|
117 | @end ifinfo |
---|
118 | |
---|
119 | @node Introduction |
---|
120 | @chapter Introduction |
---|
121 | |
---|
122 | This is the user's guide to Cygnus Network Security for the |
---|
123 | Apple Macintosh. It runs on Apple 68K and PowerPC Macintoshes |
---|
124 | using MacOS 7.1 and MacTCP. |
---|
125 | |
---|
126 | Cygnus Support developed Cygnus Network Security (CNS) to provide strong |
---|
127 | system access security, with minimal impact on users' ease of access. |
---|
128 | Using Kerberos Version 4 encryption and client-server technology, CNS |
---|
129 | assures that user identities can be checked securely without |
---|
130 | transmitting passwords in clear over the network. |
---|
131 | |
---|
132 | This guide is intended as a companion volume to the main CNS |
---|
133 | documentation. It does not contain a complete introduction to CNS nor |
---|
134 | the Kerberos protocol suite used by CNS. If you want more information |
---|
135 | about CNS, please see those documents, available from your network |
---|
136 | administrator. |
---|
137 | |
---|
138 | CNS is intended to provide a handy desktop accessory for Mac users who |
---|
139 | need to securely access network resources and services. It provides |
---|
140 | authentication across local-area and wide-area networks and |
---|
141 | uses cryptography (the Data Encryption Standard, DES) to prevent third |
---|
142 | parties from impersonating a user. |
---|
143 | |
---|
144 | This guide, like CNS itself, is in development. We welcome helpful |
---|
145 | comments and critiques of this guide as well as of the user interface |
---|
146 | and other aspects of CNS. If you would like to give us comments on this |
---|
147 | program, please contact us at: @strong{support@@cygnus.com} |
---|
148 | |
---|
149 | @node Using CNS on the Macintosh |
---|
150 | @chapter Using CNS on the Macintosh |
---|
151 | |
---|
152 | To use Cygnus Network Security for Macintosh, you must have a Kerberos |
---|
153 | server on your network, and you personally must have a Kerberos |
---|
154 | `principal' (user name) on the server. Your network administrator can |
---|
155 | tell you if these are in place. To use @code{Telnet} to authenticate |
---|
156 | yourself for remote logins, you also need a login account (that matches |
---|
157 | your principal name) on the remote login machine. That machine must run |
---|
158 | a Kerberized @code{Telnet} server which is included in the Unix version |
---|
159 | of this Cygnus Network Security release. |
---|
160 | |
---|
161 | CNS for the Macintosh is intended to be compatible with Mac applications |
---|
162 | written for the @code{KClient} driver interface. It also provides an |
---|
163 | easier-to-use traditional subroutine call interface as well. |
---|
164 | |
---|
165 | @menu |
---|
166 | * Installing CNS:: |
---|
167 | * Configuring CNS:: |
---|
168 | * Logging in to Kerberos:: |
---|
169 | * Logging in to other machines:: |
---|
170 | * Miscellaneous notes:: |
---|
171 | @end menu |
---|
172 | |
---|
173 | @node Installing CNS |
---|
174 | @section Installing CNS |
---|
175 | |
---|
176 | CNS for the Macintosh is distributed either on floppy disks, or in a |
---|
177 | StuffIt archive. If you receive it in a StuffIt archive, unstuff it |
---|
178 | into a new folder first, then follow the instructions below. |
---|
179 | |
---|
180 | @enumerate |
---|
181 | @item Place @file{CNS Kerberos} (an @code{INIT} which loads the Kerberos |
---|
182 | client driver into the system heap) in the Extensions folder, inside the |
---|
183 | System folder. |
---|
184 | |
---|
185 | @item Place the @file{Kerberos Client Preferences} file in the Preferences |
---|
186 | folder, inside the System folder. The Kerberos client driver then loads |
---|
187 | at boot time, and an icon, shaped like a key inside a jigsaw puzzle |
---|
188 | piece, is displayed. |
---|
189 | |
---|
190 | @item Place @code{CNS Telnet} and @code{CNS Config} in a convenient location, |
---|
191 | where you can run them as required. |
---|
192 | |
---|
193 | @item The rest of the files in the release are either documentation |
---|
194 | (@samp{.txt} in ASCII, or @samp{.html} in a form that can be easily read |
---|
195 | in a Web browser with the @samp{Open} menu item); or C include files and |
---|
196 | source files that can be used to build applications that call Kerberos; |
---|
197 | or source code (identical to the Unix source release, since the build |
---|
198 | process requires a Unix system anyway). Move copies of the ones you are |
---|
199 | interested in, onto your hard disk. |
---|
200 | |
---|
201 | @item Reboot to make the installation effective. You should see the |
---|
202 | Kerberos `key' icon appear during startup. If you hold down |
---|
203 | @kbd{option} while booting, the same icon displays during startup with a |
---|
204 | red slash through it, and the CNS @code{INIT} does not load the driver. |
---|
205 | @end enumerate |
---|
206 | |
---|
207 | @node Configuring CNS |
---|
208 | @section Configuring CNS |
---|
209 | |
---|
210 | @code{CNS Config} is the graphical interface for end users. It does not |
---|
211 | need to be installed in any particular place. If you want it to run at |
---|
212 | startup time to remind the user to authenticate, put it in the `Startup |
---|
213 | items' folder in the System folder. |
---|
214 | |
---|
215 | To configure CNS for your environment: |
---|
216 | |
---|
217 | @enumerate |
---|
218 | @item Click on the CNS icon. The `CNS Configuration' opens. |
---|
219 | |
---|
220 | @item Look at the bottom panel that lists `Server IP Address' and |
---|
221 | `Realm Name' information. This panel maps realm names to the names of |
---|
222 | their Kerberos servers. This is the equivalent of the @file{krb.conf} |
---|
223 | file on Unix. If no existing realm names appear in the window, make |
---|
224 | sure that you installed the @file{Kerberos Client Preferences} file into |
---|
225 | the Preferences folder (not the main System Folder), and close and |
---|
226 | reopen the `CNS Config' window; a realm name should appear. |
---|
227 | |
---|
228 | @item Click the bottom `New' button to add your own realm to |
---|
229 | the panel. Type in the `Host IP address' and `Realm name' for |
---|
230 | your local realm. The `Host IP address' is simply the domain name |
---|
231 | of the host (e.g. @samp{kerberos.cygnus.com}); you need not enter a |
---|
232 | numeric IP address. The realm name is case sensitive, and must be in |
---|
233 | all capital letters (e.g., @samp{CYGNUS.COM}). Click the `Admin server' |
---|
234 | box to indicate that this server is the master Kerberos server for your |
---|
235 | realm, and click `OK'. |
---|
236 | |
---|
237 | @item Now, make a table that maps from domain names of hosts |
---|
238 | into which realm that host is in. This is the equivalent of the |
---|
239 | Unix @file{krb.realms} file. Click on the top `New' button. |
---|
240 | |
---|
241 | @item Type in a period and the domain name your realm uses. For |
---|
242 | example, in the CYGNUS.COM realm, this would be @code{.cygnus.com} and |
---|
243 | the realm field would be @samp{CYGNUS.COM}. This says that any hostname |
---|
244 | that ends in @samp{.cygnus.com} is in the @samp{CYGNUS.COM} realm. |
---|
245 | |
---|
246 | @item Select your local realm from the menu at the top of the window. |
---|
247 | @end enumerate |
---|
248 | |
---|
249 | @node Logging in to Kerberos |
---|
250 | @section Logging in to Kerberos |
---|
251 | |
---|
252 | Once you have configured your local realm's information with CNS Config, |
---|
253 | you can use the `Login' or `Change password' buttons. The |
---|
254 | @kbd{command-L} key or the `List credentials' File-menu item may be used |
---|
255 | to show your tickets after you log in. The `Logout' button destroys any |
---|
256 | credentials you have from previous logins. |
---|
257 | |
---|
258 | Click on the `Login' button in |
---|
259 | @code{CNS Config}. Enter a correct Kerberos principal name, |
---|
260 | and the matching password. Click `OK'. |
---|
261 | If the dialog box disappears and you don't get an error message dialog, |
---|
262 | you were successful at getting an initial Kerberos ticket. |
---|
263 | |
---|
264 | If you instead get an error message, here are some possible cures: |
---|
265 | |
---|
266 | @table @emph |
---|
267 | @item Time is out of bounds |
---|
268 | This means that the clock in your Macintosh is not set to within five |
---|
269 | minutes of the clock on your Kerberos server machine. Kerberos requires |
---|
270 | that all machines in your realm know the time to within five minutes of |
---|
271 | each other. Check or adjust time on your local Mac by opening the |
---|
272 | `Date and Time' control panel. |
---|
273 | |
---|
274 | Alternatively, you could be getting this error because your Mac's time |
---|
275 | zone is set wrong. Kerberos uses Greenwich Mean Time for moving |
---|
276 | timestamps across the network, since you may be in a different time zone |
---|
277 | than your Kerberos server machine. Open the `Map' control panel and |
---|
278 | verify that the correct offset from Greenwich time is in effect. For |
---|
279 | example, in the Eastern United States, this value is `5' during Standard |
---|
280 | Time (Eastern Standard Time), or `4' during Daylight Time. |
---|
281 | |
---|
282 | After altering the time or time zone, you can retry by clicking on |
---|
283 | `Login'. |
---|
284 | |
---|
285 | @item Principal unknown |
---|
286 | This means that the user name you entered was mistyped, or that |
---|
287 | your realm name was mistyped, or that your Kerberos administrator |
---|
288 | has never entered you into the Kerberos database. Check particularly |
---|
289 | that there are no extraneous characters in your realm name, such |
---|
290 | as extra periods or spaces. It should be an uppercase name |
---|
291 | like @code{CYGNUS.COM} with no other punctuation. |
---|
292 | |
---|
293 | @item Password incorrect |
---|
294 | Your user name and realm name are okay, but your password was not |
---|
295 | entered properly. Try again, or have your Kerberos administrator |
---|
296 | set your password to a known value. |
---|
297 | @end table |
---|
298 | |
---|
299 | You can list your new ticket with the @kbd{Command-L} key, or the `List |
---|
300 | credentials' item in the File menu. |
---|
301 | |
---|
302 | |
---|
303 | @node Logging in to other machines |
---|
304 | @section Logging in to other machines |
---|
305 | |
---|
306 | We have included a preliminary version of NCSA @code{Telnet} that |
---|
307 | supports Kerberos for authentication. This means you do not have to |
---|
308 | type your password across the net when logging in to remote machines. |
---|
309 | To log in: |
---|
310 | |
---|
311 | @enumerate |
---|
312 | @item Log in to Kerberos, getting an initial ticket, as explained above. |
---|
313 | |
---|
314 | @item Run the @code{CNS Telnet} program. |
---|
315 | |
---|
316 | @item Click on `Open Connection' from the file menu, or press @kbd{Command-O} |
---|
317 | (the `apple' key plus the @emph{letter} `O'). |
---|
318 | |
---|
319 | @item Click on the `authenticate' checkbox. @code{Telnet} negotiates to use |
---|
320 | Kerberos Version 4 authentication with the @code{Telnet} server on the |
---|
321 | machine into which are logging. (The encrypt checkbox does not work in |
---|
322 | this version of @code{Telnet}, though the lower level encryption |
---|
323 | routines in CNS Kerberos are fully functional.) |
---|
324 | |
---|
325 | @item Enter a host name to connect to. (You need not enter a window |
---|
326 | name.) |
---|
327 | |
---|
328 | @item Click `Connect' or press @kbd{Return}. A window appears, |
---|
329 | and initial messages from the remote system are displayed in it. If |
---|
330 | your authentication is successful, you do not get a `login' prompt or |
---|
331 | have to type a password; instead, you see initial system messages and |
---|
332 | then immediately be logged-in, ready to type commands to the remote |
---|
333 | system. |
---|
334 | |
---|
335 | @end enumerate |
---|
336 | |
---|
337 | @strong{WARNING}: @code{Telnet} does not give any error message if the |
---|
338 | remote machine does not support Kerberos. You may log in anyway, but |
---|
339 | you will be typing your password across the network, unencrypted. If |
---|
340 | the remote machine prompts you to `login', or for a user name or |
---|
341 | password in the @code{Telnet} window, do not do it! Be sure that you |
---|
342 | have a current ticket (list your tickets by running @code{CNS Config} |
---|
343 | and keying @kbd{Command-L}). If you have a valid ticket, and you |
---|
344 | checked the Authenticate box when opening the connection, but you still |
---|
345 | get prompted for a login or password, your network administrator has not |
---|
346 | installed a @code{telnet} server that supports Kerberos. Install the |
---|
347 | CNS Kerberos release on the remote machine; it includes the Kerberized |
---|
348 | @code{telnet} server. |
---|
349 | |
---|
350 | @node Miscellaneous notes |
---|
351 | @section Miscellaneous notes |
---|
352 | |
---|
353 | Both @code{CNS Config} and @code{CNS Kerberos} create preferences |
---|
354 | files in the Preferences folder inside the System folder from which |
---|
355 | the Macintosh boots. These are called @file{CNS Config Preferences} and |
---|
356 | @file{Kerberos Client Preferences}, respectively. |
---|
357 | |
---|
358 | If you have technical questions about this release, send them to |
---|
359 | @strong{network-security@@cygnus.com}. |
---|
360 | |
---|
361 | KNOWN BUGS |
---|
362 | |
---|
363 | In this release, @code{CNS Config} has some known bugs. The first time |
---|
364 | it runs, it does not show the realm maps. Simply close it and run it |
---|
365 | again. |
---|
366 | |
---|
367 | If you select the `Change password' button or menu item in @code{CNS |
---|
368 | Config} the first modal dialog that appears is correct. However, when |
---|
369 | you dismiss this dialog a second dialog appears. To circumvent the bug, |
---|
370 | fill in the second dialog as well (using your old password). Changing |
---|
371 | your password also clears your current tickets. |
---|
372 | |
---|
373 | @node Reading the Online Documentation |
---|
374 | @chapter Reading the Online Documentation |
---|
375 | |
---|
376 | Online documentation is provided in both ASCII text files, and in |
---|
377 | HTML files that can be displayed interactively by any Web browser. |
---|
378 | The supplied manuals are: |
---|
379 | |
---|
380 | @table @code |
---|
381 | @item mac.txt, mac.html |
---|
382 | This documentation, which is for end-users and system administrators |
---|
383 | of Macintosh machines. |
---|
384 | @item kerbman.txt, kerbman.html |
---|
385 | The main CNS Kerberos manual for Unix users. |
---|
386 | @item kerbapi.txt, kerbapi.html |
---|
387 | The Application Programmer Interface to Kerberos, for all platforms. |
---|
388 | @item developer-notes.txt, developer-notes.html |
---|
389 | Rough notes for people who are rebuilding CNS Kerberos from source code, |
---|
390 | or fixing bugs or adding features to CNS Kerberos. |
---|
391 | @end table |
---|
392 | |
---|
393 | To read the text files, double-click them; TeachText or SimpleText |
---|
394 | should be able to display them, unless they are too large, in which case |
---|
395 | you must use MPW or a word processor. |
---|
396 | |
---|
397 | To read the HTML files, run a web browser such as NCSA Mosaic or |
---|
398 | Netscape, and select `Open' from the File menu. Specify one of these |
---|
399 | files to the file dialog that comes up. This should give you the table |
---|
400 | of contents of a manual. You can navigate around in the manual by |
---|
401 | clicking on the highlighted areas, or by scrolling or searching the |
---|
402 | document. |
---|
403 | |
---|
404 | @node Programming Mac CNS |
---|
405 | @chapter Programming Mac CNS |
---|
406 | |
---|
407 | Enough files should be provided in this binary release so that you |
---|
408 | can build your own Mac applications that use CNS Kerberos. |
---|
409 | |
---|
410 | The release includes a directory called @file{include} with a set of |
---|
411 | potential include files, and a C source module called |
---|
412 | @file{mac_stubs.c}. Full instructions are provided in the Kerberos API |
---|
413 | manual. |
---|
414 | |
---|
415 | @contents |
---|
416 | @c end of texinfo file |
---|
417 | @bye |
---|