author Theodore Tso <tytso@mit.edu> 1994-06-16 04:16:31 +0000
committer Theodore Tso <tytso@mit.edu> 1994-06-16 04:16:31 +0000
commit 0b6eac6750fe7af8f2b359a179d027cfeb7917df
tree 2150a52f11af8e76cd277d51816ef6e5c3dd66c3 /doc/old-V4-docs
parent 5d6615ff744cccb9e2a1b565ff6b454b579c9eec
Adding documentation files...
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@3831 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'doc/old-V4-docs')
-rw-r--r--  doc/old-V4-docs/README            4
-rw-r--r--  doc/old-V4-docs/installation.PS   2338
-rw-r--r--  doc/old-V4-docs/installation.mss  681
-rw-r--r--  doc/old-V4-docs/operation.PS      2669
-rw-r--r--  doc/old-V4-docs/operation.mss     799
5 files changed, 6491 insertions, 0 deletions
diff --git a/doc/old-V4-docs/README b/doc/old-V4-docs/README
new file mode 100644
index 0000000..8858655
--- /dev/null
+++ b/doc/old-V4-docs/README
@@ -0,0 +1,4 @@
+These documentation files are old --- and refer to the Kerberos V4
+implementation. They are included because the equivalent V5 documentation
+set have not been written yet, and the concepts contained in these documents
+may be helpful.
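Review bot: On the second and third added lines, "the equivalent V5 documentation set have not been written yet" has a subject-verb mismatch; "set has not been written yet" would read correctly. The README could also say that the .PS files are generated output of the .mss Scribe sources added in the same commit (the PostScript header carries "%%Title: installation.mss"), and name the V4 release the documents describe, so that a reader following them on a V5 installation knows the program names, file paths and build steps are V4-specific rather than current instructions.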
diff --git a/doc/old-V4-docs/installation.PS b/doc/old-V4-docs/installation.PS
new file mode 100644
index 0000000..7609d4e
--- /dev/null
+++ b/doc/old-V4-docs/installation.PS
@@ -0,0 +1,2338 @@
+%!PS-Adobe-2.0
+%%Title: installation.mss
+%%DocumentFonts: (atend)
+%%Creator: John T Kohl,,E40-351M,31510,6176432831 and Scribe 7(1700)
+%%CreationDate: 4 January 1990 11:56
+%%Pages: (atend)
+%%EndComments
+% PostScript Prelude for Scribe.
+/BS {/SV save def 0.0 792.0 translate .01 -.01 scale} bind def
+/ES {showpage SV restore} bind def
+/SC {setrgbcolor} bind def
+/FMTX matrix def
+/RDF {WFT SLT 0.0 eq
+ {SSZ 0.0 0.0 SSZ neg 0.0 0.0 FMTX astore}
+ {SSZ 0.0 SLT neg sin SLT cos div SSZ mul SSZ neg 0.0 0.0 FMTX astore}
+ ifelse makefont setfont} bind def
+/SLT 0.0 def
+/SI { /SLT exch cvr def RDF} bind def
+/WFT /Courier findfont def
+/SF { /WFT exch findfont def RDF} bind def
+/SSZ 1000.0 def
+/SS { /SSZ exch 100.0 mul def RDF} bind def
+/AF { /WFT exch findfont def /SSZ exch 100.0 mul def RDF} bind def
+/MT /moveto load def
+/XM {currentpoint exch pop moveto} bind def
+/UL {gsave newpath moveto dup 2.0 div 0.0 exch rmoveto
+ setlinewidth 0.0 rlineto stroke grestore} bind def
+/LH {gsave newpath moveto setlinewidth
+ 0.0 rlineto
+ gsave stroke grestore} bind def
+/LV {gsave newpath moveto setlinewidth
+ 0.0 exch rlineto
+ gsave stroke grestore} bind def
+/BX {gsave newpath moveto setlinewidth
+ exch
+ dup 0.0 rlineto
+ exch 0.0 exch neg rlineto
+ neg 0.0 rlineto
+ closepath
+ gsave stroke grestore} bind def
+/BX1 {grestore} bind def
+/BX2 {setlinewidth 1 setgray stroke grestore} bind def
+/PB {/PV save def newpath translate
+ 100.0 -100.0 scale pop /showpage {} def} bind def
+/PE {PV restore} bind def
+/GB {/PV save def newpath translate rotate
+ div dup scale 100.0 -100.0 scale /showpage {} def} bind def
+/GE {PV restore} bind def
+/FB {dict dup /FontMapDict exch def begin} bind def
+/FM {cvn exch cvn exch def} bind def
+/FE {end /original-findfont /findfont load def /findfont
+ {dup FontMapDict exch known{FontMapDict exch get} if
+ original-findfont} def} bind def
+/BC {gsave moveto dup 0 exch rlineto exch 0 rlineto neg 0 exch rlineto closepath clip} bind def
+/EC /grestore load def
+/SH /show load def
+/MX {exch show 0.0 rmoveto} bind def
+/W {0 32 4 -1 roll widthshow} bind def
+/WX {0 32 5 -1 roll widthshow 0.0 rmoveto} bind def
+/RC {100.0 -100.0 scale
+612.0 0.0 translate
+-90.0 rotate
+.01 -.01 scale} bind def
+/URC {100.0 -100.0 scale
+90.0 rotate
+-612.0 0.0 translate
+.01 -.01 scale} bind def
+/RCC {100.0 -100.0 scale
+0.0 -792.0 translate 90.0 rotate
+.01 -.01 scale} bind def
+/URCC {100.0 -100.0 scale
+-90.0 rotate 0.0 792.0 translate
+.01 -.01 scale} bind def
+%%EndProlog
+%%Page: 0 1
+BS
+0 SI
+20 /Times-Bold AF
+18823 13788 MT
+(Kerberos Installation Notes)SH
+27156 15798 MT
+(DRAFT)SH
+16 /Times-Roman AF
+27021 23502 MT
+(Bill Bryant)SH
+25557 25150 MT
+(Jennifer Steiner)SH
+27289 26798 MT
+(John Kohl)SH
+23957 30444 MT
+(Project Athena, MIT)SH
+/Times-Bold SF
+19489 36042 MT
+(Initial Release, January 24, 1989)SH
+/Times-Italic SF
+17558 37690 MT
+(\050plus later patches through patchlevel 7\051)SH
+11 /Times-Roman AF
+7200 45644 MT
+(The release consists of three parts.)SH
+7200 47942 MT
+(The first part consists of the core Kerberos system, which was developed at MIT and does not require)SH
+7200 49138 MT
+(additional licenses for us to distribute. Included in this part are the Kerberos authentication server, the)SH
+7200 50334 MT
+(Kerberos library, the)SH
+/Times-Italic SF
+16606 XM
+(ndbm)SH
+/Times-Roman SF
+19325 XM
+(database interface library, user programs, administration programs, manual)SH
+7200 51530 MT
+(pages, some applications which use Kerberos for authentication, and some utilities.)SH
+7200 53828 MT
+(The second part is the Data Encryption Standard \050DES\051 library, which we are distributing only within the)SH
+7200 55024 MT
+(United States.)SH
+7200 57322 MT
+(The third part contains Kerberos modifications to Sun's NFS, which we distribute as ``context diffs'' to)SH
+7200 58518 MT
+(the Sun NFS source code. Its distribution is controlled to provide an accounting of who has retrieved the)SH
+7200 59714 MT
+(patches, so that Project Athena can comply with its agreements with Sun regarding distribution of these)SH
+7200 60910 MT
+(changes.)SH
+ES
+%%Page: 1 2
+BS
+0 SI
+16 /Times-Bold AF
+7200 8272 MT
+(1. Organization)
+400 W( of the Source Directory)SH
+11 /Times-Roman AF
+7200 10467 MT
+(The Kerberos building and installation process, as described in this document, builds the binaries and)SH
+7200 11663 MT
+(executables from the files contained in the Kerberos source tree, and deposits them in a separate object)SH
+7200 12859 MT
+(tree. This)
+275 W( is intended to easily support several different build trees from a single source tree \050this is useful)SH
+7200 14055 MT
+(if you support several machine architectures\051. We suggest that you copy the Kerberos sources into a)SH
+/Times-Italic SF
+7200 15251 MT
+(/mit/kerberos/src)SH
+/Times-Roman SF
+14991 XM
+(directory, and create as well a)SH
+/Times-Italic SF
+28396 XM
+(/mit/kerberos/obj)SH
+/Times-Roman SF
+36249 XM
+(directory in which to hold the)SH
+7200 16447 MT
+(executables. In)
+275 W( the rest of this document, we'll refer to the Kerberos source and object directories as)SH
+7200 17643 MT
+([SOURCE_DIR] and [OBJ_DIR], respectively.)SH
+7200 19941 MT
+(Below is a brief overview of the organization of the complete source directory. More detailed)SH
+7200 21137 MT
+(descriptions follow.)SH
+/Times-Bold SF
+7200 23088 MT
+(admin)SH
+/Times-Roman SF
+18200 XM
+(utilities for the Kerberos administrator)SH
+/Times-Bold SF
+7200 24783 MT
+(appl)SH
+/Times-Roman SF
+18200 XM
+(applications that use Kerberos)SH
+/Times-Bold SF
+7200 26478 MT
+(appl/bsd)SH
+/Times-Roman SF
+18200 XM
+(Berkeley's rsh/rlogin suite, using Kerberos)SH
+/Times-Bold SF
+7200 28173 MT
+(appl/knetd)SH
+/Times-Roman SF
+18200 XM
+(\050old\051 software for inetd-like multiplexing of a single TCP listening port)SH
+/Times-Bold SF
+7200 29868 MT
+(appl/sample)SH
+/Times-Roman SF
+18200 XM
+(sample application servers and clients)SH
+/Times-Bold SF
+7200 31563 MT
+(appl/tftp)SH
+/Times-Roman SF
+18200 XM
+(Trivial File Transfer Protocol, using Kerberos)SH
+/Times-Bold SF
+7200 33258 MT
+(include)SH
+/Times-Roman SF
+18200 XM
+(include files)SH
+/Times-Bold SF
+7200 34953 MT
+(kadmin)SH
+/Times-Roman SF
+18200 XM
+(remote administrative interface to the Kerberos master database)SH
+/Times-Bold SF
+7200 36648 MT
+(kuser)SH
+/Times-Roman SF
+18200 XM
+(assorted user programs)SH
+/Times-Bold SF
+7200 38343 MT
+(lib)SH
+/Times-Roman SF
+18200 XM
+(libraries for use with/by Kerberos)SH
+/Times-Bold SF
+7200 40038 MT
+(lib/acl)SH
+/Times-Roman SF
+18200 XM
+(Access Control List library)SH
+/Times-Bold SF
+7200 41733 MT
+(lib/des)SH
+/Times-Roman SF
+18200 XM
+(Data Encryption Standard library \050US only\051)SH
+/Times-Bold SF
+7200 43428 MT
+(lib/kadm)SH
+/Times-Roman SF
+18200 XM
+(administrative interface library)SH
+/Times-Bold SF
+7200 45123 MT
+(lib/kdb)SH
+/Times-Roman SF
+18200 XM
+(Kerberos server library interface to)SH
+/Times-Italic SF
+33925 XM
+(ndbm)SH
+/Times-Bold SF
+7200 46818 MT
+(lib/knet)SH
+/Times-Roman SF
+18200 XM
+(\050old\051 library for use with)SH
+/Times-Bold SF
+29349 XM
+(knetd)SH
+7200 48513 MT
+(lib/krb)SH
+/Times-Roman SF
+18200 XM
+(Kerberos library)SH
+/Times-Bold SF
+7200 50208 MT
+(man)SH
+/Times-Roman SF
+18200 XM
+(manual pages)SH
+/Times-Bold SF
+7200 51903 MT
+(prototypes)SH
+/Times-Roman SF
+18200 XM
+(sample configuration files)SH
+/Times-Bold SF
+7200 53598 MT
+(server)SH
+/Times-Roman SF
+18200 XM
+(the authentication server)SH
+/Times-Bold SF
+7200 55293 MT
+(slave)SH
+/Times-Roman SF
+18200 XM
+(Kerberos slave database propagation software)SH
+/Times-Bold SF
+7200 56988 MT
+(tools)SH
+/Times-Roman SF
+18200 XM
+(shell scripts for maintaining the source tree)SH
+/Times-Bold SF
+7200 58683 MT
+(util)SH
+/Times-Roman SF
+18200 XM
+(utilities)SH
+/Times-Bold SF
+7200 60378 MT
+(util/imake)SH
+/Times-Roman SF
+18200 XM
+(Imakefile-to-Makefile ``compilation'' tool)SH
+/Times-Bold SF
+7200 62073 MT
+(util/ss)SH
+/Times-Roman SF
+18200 XM
+(Sub-system library \050for command line subsystems\051)SH
+/Times-Bold SF
+7200 63768 MT
+(util/et)SH
+/Times-Roman SF
+18200 XM
+(Error-table library \050for independent, unique error codes\051)SH
+/Times-Bold SF
+7200 65463 MT
+(util/makedepend)SH
+/Times-Roman SF
+18200 XM
+(Makefile dependency generator tool)SH
+10 SS
+7200 75600 MT
+(MIT Project Athena)SH
+30350 XM
+(1)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 2 3
+BS
+0 SI
+14 /Times-Bold AF
+7200 8167 MT
+(1.1 The)350 W
+/Times-BoldItalic SF
+12334 XM
+(admin)SH
+/Times-Bold SF
+16340 XM
+(Directory)SH
+11 /Times-Roman AF
+7200 10362 MT
+(This directory contains source for the Kerberos master database administration tools.)SH
+/Times-Bold SF
+7200 12313 MT
+(kdb_init)SH
+/Times-Roman SF
+18200 XM
+(This program creates and initializes the Kerberos master database. It prompts)SH
+18200 13509 MT
+(for a Kerberos realmname, and the Kerberos master password.)SH
+/Times-Bold SF
+7200 15204 MT
+(kstash)SH
+/Times-Roman SF
+18200 XM
+(This program ``stashes'' the master password in the file)SH
+/Times-Italic SF
+43033 XM
+(/.k)SH
+/Times-Roman SF
+44377 XM
+(so that the master)SH
+18200 16400 MT
+(server machine can restart the Kerberos server automatically after an unattended)SH
+18200 17596 MT
+(reboot. The)
+275 W( hidden password is also available to administrative programs that)SH
+18200 18792 MT
+(have been set to run automatically.)SH
+/Times-Bold SF
+7200 20487 MT
+(kdb_edit)SH
+/Times-Roman SF
+18200 XM
+(This program is a low-level tool for editing the master database.)SH
+/Times-Bold SF
+7200 22182 MT
+(kdb_destroy)SH
+/Times-Roman SF
+18200 XM
+(This program deletes the master database.)SH
+/Times-Bold SF
+7200 23877 MT
+(kdb_util)SH
+/Times-Roman SF
+18200 XM
+(This program can be used to dump the master database into an ascii file, and can)SH
+18200 25073 MT
+(also be used to load the ascii file into the master database.)SH
+/Times-Bold SF
+7200 26768 MT
+(ext_srvtab)SH
+/Times-Roman SF
+18200 XM
+(This program extracts information from the master database and creates a host-)SH
+18200 27964 MT
+(dependent)SH
+/Times-Italic SF
+22995 XM
+(srvtab)SH
+/Times-Roman SF
+26020 XM
+(file. This)
+275 W( file contains the Kerberos keys for the host's)SH
+18200 29160 MT
+(``Kerberized'' services. These services look up their keys in the)SH
+/Times-Italic SF
+46846 XM
+(srvtab)SH
+/Times-Roman SF
+49871 XM
+(file for)SH
+18200 30356 MT
+(use in the authentication process.)SH
+14 /Times-Bold AF
+7200 34203 MT
+(1.2 The)350 W
+/Times-BoldItalic SF
+12334 XM
+(kuser)SH
+/Times-Bold SF
+15874 XM
+(Directory)SH
+11 /Times-Roman AF
+7200 36398 MT
+(This directory contains the source code for several user-oriented programs.)SH
+/Times-Bold SF
+7200 38349 MT
+(kinit)SH
+/Times-Roman SF
+18200 XM
+(This program prompts users for their usernames and Kerberos passwords, then)SH
+18200 39545 MT
+(furnishes them with Kerberos ticket-granting tickets.)SH
+/Times-Bold SF
+7200 41240 MT
+(kdestroy)SH
+/Times-Roman SF
+18200 XM
+(This program destroys any active tickets. Users should use)SH
+/Times-Italic SF
+44563 XM
+(kdestroy)SH
+/Times-Roman SF
+48564 XM
+(before they)SH
+18200 42436 MT
+(log off their workstations.)SH
+/Times-Bold SF
+7200 44131 MT
+(klist)SH
+/Times-Roman SF
+18200 XM
+(This program lists a user's active tickets.)SH
+/Times-Bold SF
+7200 45826 MT
+(ksrvtgt)SH
+/Times-Roman SF
+18200 XM
+(This retrieves a ticket-granting ticket with a life time of five minutes, using a)SH
+18200 47022 MT
+(server's secret key in lieu of a password. It is primarily for use in shell scripts)SH
+18200 48218 MT
+(and other batch facilities.)SH
+/Times-Bold SF
+7200 49913 MT
+(ksu)SH
+/Times-Roman SF
+18200 XM
+(Substitute user id, using Kerberos to mediate attempts to change to ``root''.)SH
+14 /Times-Bold AF
+7200 53760 MT
+(1.3 The)350 W
+/Times-BoldItalic SF
+12334 XM
+(appl)SH
+/Times-Bold SF
+15173 XM
+(Directory)SH
+11 /Times-Roman AF
+7200 55955 MT
+(If your site has the appropriate BSD license, your Kerberos release provides certain Unix utilities The)SH
+7200 57151 MT
+(Berkeley programs that have been modified to use Kerberos authentication are found in the)SH
+/Times-Italic SF
+47640 XM
+(appl/bsd)SH
+/Times-Roman SF
+7200 58347 MT
+(directory. They)
+275 W( include)SH
+/Times-Italic SF
+18043 XM
+(login)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+20855 XM
+(rlogin)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+24095 XM
+(rsh)SH
+/Times-Roman SF
+(, and)SH
+/Times-Italic SF
+27914 XM
+(rcp)SH
+/Times-Roman SF
+(, as well as the associated daemon programs)SH
+/Times-Italic SF
+49081 XM
+(kshd)SH
+/Times-Roman SF
+51372 XM
+(and)SH
+/Times-Italic SF
+7200 59543 MT
+(klogind)SH
+/Times-Roman SF
+(. The)275 W
+/Times-Italic SF
+13310 XM
+(login)SH
+/Times-Roman SF
+15847 XM
+(program obtains ticket-granting tickets for users upon login; the other utilities provide)SH
+7200 60739 MT
+(authenticated Unix network services.)SH
+7200 63037 MT
+(The)SH
+/Times-Italic SF
+9185 XM
+(appl)SH
+/Times-Roman SF
+11416 XM
+(directory also contains samples Kerberos application client and server programs, an)SH
+7200 64233 MT
+(authenticated)SH
+/Times-Italic SF
+13339 XM
+(tftp)SH
+/Times-Roman SF
+15082 XM
+(program,)SH
+/Times-Italic SF
+19358 XM
+(knetd)SH
+/Times-Roman SF
+(, an authenticated inet daemon.)SH
+10 SS
+7200 75600 MT
+(MIT Project Athena)SH
+30350 XM
+(2)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 3 4
+BS
+0 SI
+14 /Times-Bold AF
+7200 8167 MT
+(1.4 The)350 W
+/Times-BoldItalic SF
+12334 XM
+(server)SH
+/Times-Bold SF
+16185 XM
+(Directory)SH
+11 /Times-Roman AF
+7200 10362 MT
+(The)SH
+/Times-Italic SF
+9185 XM
+(server)SH
+/Times-Roman SF
+12208 XM
+(directory contains the Kerberos KDC server, called)SH
+/Times-Italic SF
+35052 XM
+(kerberos)SH
+/Times-Roman SF
+(. This)
+275 W( program manages read-)SH
+7200 11558 MT
+(only requests made to the master database, distributing tickets and encryption keys to clients requesting)SH
+7200 12754 MT
+(authentication service.)SH
+14 /Times-Bold AF
+7200 16601 MT
+(1.5 The)350 W
+/Times-BoldItalic SF
+12334 XM
+(kadmin)SH
+/Times-Bold SF
+17040 XM
+(Directory)SH
+11 /Times-Roman AF
+7200 18796 MT
+(The)SH
+/Times-Italic SF
+9185 XM
+(kadmin)SH
+/Times-Roman SF
+12698 XM
+(directory contains the Kerberos administration server and associated client programs. The)SH
+7200 19992 MT
+(server accepts network requests from the user program)SH
+/Times-Italic SF
+31570 XM
+(kpasswd)SH
+/Times-Roman SF
+35573 XM
+(\050used to change a user's password\051, the)SH
+7200 21188 MT
+(Kerberos administration program)SH
+/Times-Italic SF
+22137 XM
+(kadmin)SH
+/Times-Roman SF
+(, and the srvtab utility program)SH
+/Times-Italic SF
+39276 XM
+(ksrvutil)SH
+/Times-Roman SF
+(. The)
+275 W( administration)SH
+7200 22384 MT
+(server can make modifications to the master database.)SH
+14 /Times-Bold AF
+7200 26231 MT
+(1.6 The)350 W
+/Times-BoldItalic SF
+12334 XM
+(include)SH
+/Times-Bold SF
+16962 XM
+(Directory)SH
+11 /Times-Roman AF
+7200 28426 MT
+(This directory contains the)SH
+/Times-Italic SF
+19236 XM
+(include)SH
+/Times-Roman SF
+22749 XM
+(files needed to build the Kerberos system.)SH
+14 /Times-Bold AF
+7200 32273 MT
+(1.7 The)350 W
+/Times-BoldItalic SF
+12334 XM
+(lib)SH
+/Times-Bold SF
+14162 XM
+(Directory)SH
+11 /Times-Roman AF
+7200 34468 MT
+(The)SH
+/Times-Italic SF
+9185 XM
+(lib)SH
+/Times-Roman SF
+10622 XM
+(directory has six subdirectories:)SH
+/Times-Italic SF
+25193 XM
+(acl)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+27087 XM
+(des)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+29103 XM
+(kadm)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+32035 XM
+(kdb)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+34173 XM
+(knet)SH
+/Times-Roman SF
+(, and)SH
+/Times-Italic SF
+38418 XM
+(krb)SH
+/Times-Roman SF
+(. The)275 W
+/Times-Italic SF
+42694 XM
+(des)SH
+/Times-Roman SF
+44435 XM
+(directory contains)SH
+7200 35664 MT
+(source for the DES encryption library. The)SH
+/Times-Italic SF
+26595 XM
+(kadm)SH
+/Times-Roman SF
+29252 XM
+(directory contains source for the Kerberos)SH
+7200 36860 MT
+(administration server utility library. The)SH
+/Times-Italic SF
+25439 XM
+(kdb)SH
+/Times-Roman SF
+27302 XM
+(directory contains source for the Kerberos database routine)SH
+7200 38056 MT
+(library. The)275 W
+/Times-Italic SF
+12942 XM
+(knet)SH
+/Times-Roman SF
+15049 XM
+(directory contains source for a library used by clients of the)SH
+/Times-Italic SF
+41530 XM
+(knetd)SH
+/Times-Roman SF
+44187 XM
+(server. The)275 W
+/Times-Italic SF
+49683 XM
+(krb)SH
+/Times-Roman SF
+7200 39252 MT
+(directory contains source for the)SH
+/Times-Italic SF
+21707 XM
+(libkrb.a)SH
+/Times-Roman SF
+25435 XM
+(library. This)
+275 W( library contains routines that are used by the)SH
+7200 40448 MT
+(Kerberos server program, and by applications programs that require authentication service.)SH
+14 /Times-Bold AF
+7200 44295 MT
+(1.8 The)350 W
+/Times-BoldItalic SF
+12334 XM
+(man)SH
+/Times-Bold SF
+15251 XM
+(Directory)SH
+11 /Times-Roman AF
+7200 46490 MT
+(This directory contains manual pages for Kerberos programs and library routines.)SH
+14 /Times-Bold AF
+7200 50337 MT
+(1.9 The)350 W
+/Times-BoldItalic SF
+12334 XM
+(prototypes)SH
+/Times-Bold SF
+18596 XM
+(Directory)SH
+11 /Times-Roman AF
+7200 52532 MT
+(This directory contains prototype)SH
+/Times-Italic SF
+22108 XM
+(/etc/services)SH
+/Times-Roman SF
+27819 XM
+(and)SH
+/Times-Italic SF
+29682 XM
+(/etc/krb.conf)SH
+/Times-Roman SF
+35486 XM
+(files. New)
+275 W( entries must be added to the)SH
+/Times-Italic SF
+7200 53728 MT
+(/etc/services)SH
+/Times-Roman SF
+12911 XM
+(file for the Kerberos server, and possibly for Kerberized applications \050)SH
+/Times-Italic SF
+(services.append)SH
+/Times-Roman SF
+7200 54924 MT
+(contains the entries used by the Athena-provided servers & applications, and is suitable for appending to)SH
+7200 56120 MT
+(your existing)SH
+/Times-Italic SF
+13250 XM
+(/etc/services)SH
+/Times-Roman SF
+18961 XM
+(file.\051. The)275 W
+/Times-Italic SF
+23878 XM
+(/etc/krb.conf)SH
+/Times-Roman SF
+29682 XM
+(file defines the local Kerberos realm for its host and)SH
+7200 57316 MT
+(lists Kerberos servers for given realms. The)SH
+/Times-Italic SF
+26961 XM
+(/etc/krb.realms)SH
+/Times-Roman SF
+33865 XM
+(file defines exceptions for mapping machine)SH
+7200 58512 MT
+(names to Kerberos realms.)SH
+14 /Times-Bold AF
+7200 62359 MT
+(1.10 The)350 W
+/Times-BoldItalic SF
+13034 XM
+(tools)SH
+/Times-Bold SF
+16107 XM
+(Directory)SH
+11 /Times-Roman AF
+7200 64554 MT
+(This directory contains a makefile to set up a directory tree for building the software in, and a shell script)SH
+7200 65750 MT
+(to format code in the style we use.)SH
+10 SS
+7200 75600 MT
+(MIT Project Athena)SH
+30350 XM
+(3)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 4 5
+BS
+0 SI
+14 /Times-Bold AF
+7200 8167 MT
+(1.11 The)350 W
+/Times-BoldItalic SF
+13034 XM
+(util)SH
+/Times-Bold SF
+15329 XM
+(Directory)SH
+11 /Times-Roman AF
+7200 10362 MT
+(This directory contains several utility programs and libraries. Included are Larry Wall's)SH
+/Times-Italic SF
+46296 XM
+(patch)SH
+/Times-Roman SF
+49015 XM
+(program, a)SH
+/Times-Italic SF
+7200 11558 MT
+(make)SH
+/Times-Roman SF
+9795 XM
+(pre-processor program called)SH
+/Times-Italic SF
+22956 XM
+(imake)SH
+/Times-Roman SF
+(, and a program for generating Makefile dependencies,)SH
+/Times-Italic SF
+7200 12754 MT
+(makedepend)SH
+/Times-Roman SF
+(, as well as the Sub-system library and utilities \050)SH
+/Times-Italic SF
+(ss)SH
+/Times-Roman SF
+(\051, and the Error table library and utilities)SH
+7200 13950 MT
+(\050)SH
+/Times-Italic SF
+(et)SH
+/Times-Roman SF
+(\051.)SH
+16 /Times-Bold AF
+7200 18622 MT
+(2. Preparing)
+400 W( for Installation)SH
+11 /Times-Roman AF
+7200 20817 MT
+(This document assumes that you will build the system on the machine on which you plan to install the)SH
+7200 22013 MT
+(Kerberos master server and its database. You'll need about 10 megabytes for source and executables.)SH
+7200 24311 MT
+(By default, there must be a)SH
+/Times-Italic SF
+19327 XM
+(/kerberos)SH
+/Times-Roman SF
+23756 XM
+(directory on the master server machine in which to store the)SH
+7200 25507 MT
+(Kerberos database files. If the master server machine does not have room on its root partition for these)SH
+7200 26703 MT
+(files, create a)SH
+/Times-Italic SF
+13306 XM
+(/kerberos)SH
+/Times-Roman SF
+17735 XM
+(symbolic link to another file system.)SH
+16 /Times-Bold AF
+7200 31375 MT
+(3. Preparing)
+400 W( for the Build)SH
+11 /Times-Roman AF
+7200 33570 MT
+(Before you build the system, you have to choose a)SH
+/Times-Bold SF
+29653 XM
+(realm name)SH
+/Times-Roman SF
+(, the name that specifies the system's)SH
+7200 34766 MT
+(administrative domain. Project Athena uses the internet domain name ATHENA.MIT.EDU to specify its)SH
+7200 35962 MT
+(Kerberos realm name. We recommend using a name of this form.)SH
+/Times-Bold SF
+36857 XM
+(NOTE:)SH
+/Times-Roman SF
+40616 XM
+(the realm-name is case)SH
+7200 37158 MT
+(sensitive; by convention, we suggest that you use your internet domain name, in capital letters.)SH
+7200 39456 MT
+(Edit the [SOURCE_DIR]/)SH
+/Times-Italic SF
+(include/krb.h)SH
+/Times-Roman SF
+24860 XM
+(file and look for the following lines of code:)SH
+10 SS
+7200 75600 MT
+(MIT Project Athena)SH
+30350 XM
+(4)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 5 6
+BS
+0 SI
+11 /Courier AF
+8520 7886 MT
+(/*)SH
+9180 9000 MT
+(* Kerberos specific definitions)SH
+9180 10114 MT
+(*)SH
+9180 11228 MT
+(* KRBLOG is the log file for the kerberos master server.)SH
+9180 12342 MT
+(* KRB_CONF is the configuration file where different host)SH
+9180 13456 MT
+(* machines running master and slave servers can be found.)SH
+9180 14570 MT
+(* KRB_MASTER is the name of the machine with the master)SH
+9180 15684 MT
+(* database. The admin_server runs on this machine, and all)SH
+9180 16798 MT
+(* changes to the db \050as opposed to read-only requests, which)SH
+9180 17912 MT
+(* can go to slaves\051 must go to it.)SH
+9180 19026 MT
+(* KRB_HOST is the default machine when looking for a kerberos)SH
+9180 20140 MT
+(* slave server. Other possibilities are in the KRB_CONF file.)SH
+9180 21254 MT
+(* KRB_REALM is the name of the realm.)SH
+9180 22368 MT
+(*/)SH
+8520 24596 MT
+(#ifdef notdef)SH
+8520 25710 MT
+(this is server-only, does not belong here;)SH
+8520 26824 MT
+(#define KRBLOG)
+3960 W( "/kerberos/kerberos.log")5940 W
+8520 27938 MT
+(are these used anyplace '?';)SH
+8520 29052 MT
+(#define VX_KRB_HSTFILE)
+9240 W( "/etc/krbhst")660 W
+8520 30166 MT
+(#define PC_KRB_HSTFILE)
+9240 W( "\134\134kerberos\134\134krbhst")660 W
+8520 31280 MT
+(#endif)SH
+8520 33508 MT
+(#define KRB_CONF)
+9240 W( "/etc/krb.conf")4620 W
+8520 34622 MT
+(#define KRB_RLM_TRANS)
+9240 W( "/etc/krb.realms")1320 W
+8520 35736 MT
+(#define KRB_MASTER)
+9240 W( "kerberos")3300 W
+8520 36850 MT
+(#define KRB_HOST)
+9240 W( KRB_MASTER)5280 W
+8520 37964 MT
+(#define KRB_REALM)
+9240 W( "ATHENA.MIT.EDU")3960 W
+/Times-Roman SF
+7200 39559 MT
+(Edit the last line as follows:)SH
+9400 41510 MT
+(1.)SH
+10500 XM
+(Change the KRB_REALM definition so that it specifies the realm name you have chosen)SH
+10500 42706 MT
+(for your Kerberos system. This is a default which is usually overridden by a configuration)SH
+10500 43902 MT
+(file on each machine; however, if that config file is absent, many programs will use this)SH
+10500 45098 MT
+("built-in" realm name.)SH
+14 /Times-Bold AF
+7200 48945 MT
+(3.1 The)350 W
+/Times-BoldItalic SF
+12334 XM
+(/etc/krb.conf)SH
+/Times-Bold SF
+19956 XM
+(File)SH
+11 /Times-Roman AF
+7200 51140 MT
+(Create a)SH
+/Times-Italic SF
+11108 XM
+(/etc/krb.conf)SH
+/Times-Roman SF
+16912 XM
+(file using the following format:)SH
+/Times-BoldItalic SF
+8520 52740 MT
+(realm_name)SH
+8520 53854 MT
+(realm_name master_server_name)1045 W
+/Courier SF
+25594 XM
+(admin server)SH
+/Times-Roman SF
+7200 55449 MT
+(where)SH
+/Times-Italic SF
+10161 XM
+(realm_name)SH
+/Times-Roman SF
+15934 XM
+(specifies the system's realm name, and)SH
+/Times-Italic SF
+33375 XM
+(master_server_name)SH
+/Times-Roman SF
+42874 XM
+(specifies the machine)SH
+7200 56645 MT
+(name on which you will run the master server. The words 'admin server' must appear next to the name of)SH
+7200 57841 MT
+(the server on which you intend to run the administration server \050which must be a machine with access to)SH
+7200 59037 MT
+(the database\051.)SH
+7200 61335 MT
+(For example, if your realm name is)SH
+/Times-Italic SF
+22962 XM
+(tim.edu)SH
+/Times-Roman SF
+26506 XM
+(and your master server's name is)SH
+/Times-Italic SF
+41288 XM
+(kerberos.tim.edu)SH
+/Times-Roman SF
+(, the file)SH
+7200 62531 MT
+(should have these contents:)SH
+/Courier SF
+8520 64057 MT
+(tim.edu)SH
+8520 65171 MT
+(tim.edu kerberos.tim.edu)
+660 W( admin server)SH
+/Times-Roman SF
+7200 67469 MT
+(See the [SOURCE_DIR]/)SH
+/Times-Italic SF
+(prototypes/etc.krb.conf)SH
+/Times-Roman SF
+28921 XM
+(file for an example)SH
+/Times-Italic SF
+37533 XM
+(/etc/krb.conf)SH
+/Times-Roman SF
+43337 XM
+(file. That)
+275 W( file has)SH
+10 SS
+7200 75600 MT
+(MIT Project Athena)SH
+30350 XM
+(5)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 6 7
+BS
+0 SI
+11 /Times-Roman AF
+7200 7955 MT
+(examples of how to provide backup servers for a given realm \050additional lines with the same leading)SH
+7200 9151 MT
+(realm name\051 and how to designate servers for remote realms.)SH
+14 /Times-Bold AF
+7200 12998 MT
+(3.2 The)350 W
+/Times-BoldItalic SF
+12334 XM
+(/etc/krb.realms)SH
+/Times-Bold SF
+21280 XM
+(File)SH
+11 /Times-Roman AF
+7200 15193 MT
+(In many situations, the default realm in which a host operates will be identical to the domain portion its)SH
+7200 16389 MT
+(Internet domain name.)SH
+7200 18687 MT
+(If this is not the case, you will need to establish a translation from host name or domain name to realm)SH
+7200 19883 MT
+(name. This)
+275 W( is accomplished with the)SH
+/Times-Italic SF
+23820 XM
+(/etc/krb.realms)SH
+/Times-Roman SF
+30724 XM
+(file.)SH
+7200 22181 MT
+(Each line of the translation file specifies either a hostname or domain name, and its associated realm:)SH
+/Courier SF
+8520 23707 MT
+(.domain.name kerberos.realm1)SH
+8520 24821 MT
+(host.name kerberos.realm2)SH
+/Times-Roman SF
+7200 26416 MT
+(For example, to map all hosts in the domain LSC.TIM.EDU to KRB.REALM1 but the host)SH
+7200 27612 MT
+(FILMS.LSC.TIM.EDU to KRB.REALM2 your file would read:)SH
+/Courier SF
+8520 29138 MT
+(.LSC.TIM.EDU KRB.REALM1)SH
+8520 30252 MT
+(FILMS.LSC.TIM.EDU KRB.REALM2)SH
+/Times-Roman SF
+7200 31847 MT
+(If a particular host matches both a domain and a host entry, the host entry takes precedence.)SH
+16 /Times-Bold AF
+7200 36519 MT
+(4. Building)
+400 W( the Software)SH
+11 /Times-Roman AF
+7200 38714 MT
+(Before you build the software read the)SH
+/Times-Bold SF
+24395 XM
+(README)SH
+/Times-Roman SF
+29558 XM
+(file in [SOURCE_DIR]. What follows is a more)SH
+7200 39910 MT
+(detailed description of the instructions listed in README.)SH
+9400 41861 MT
+(1.)SH
+10500 XM
+(Create an [OBJ_DIR] directory to hold the tree of Kerberos object files you are about to)SH
+10500 43057 MT
+(build, for example,)SH
+/Times-Italic SF
+19145 XM
+(/mit/kerberos/obj)SH
+/Times-Roman SF
+(.)SH
+9400 44951 MT
+(2.)SH
+10500 XM
+(Change directory to [OBJ_DIR]. The following command creates directories under)SH
+10500 46147 MT
+([OBJ_DIR] and installs Makefiles for the final build.)SH
+/Courier SF
+11820 47724 MT
+(host%)SH
+/Times-Bold SF
+15780 XM
+(make -f [SOURCE_DIR]/tools/makeconfig SRCDIR=[SOURCE_DIR])275 W
+/Times-Roman SF
+9400 49618 MT
+(3.)SH
+10500 XM
+(Change directory to util/imake.includes. Read through config.Imakefile, turning on)SH
+10500 50814 MT
+(appropriate flags for your installation. Change SRCTOP so that it is set to the top level of)SH
+10500 52010 MT
+(your source directory.)SH
+9400 53904 MT
+(4.)SH
+10500 XM
+(Check that your machine type has a definition in include/osconf.h & related files in the)SH
+10500 55100 MT
+(source tree \050if it doesn't, then you may need to create your own; if you get successful)SH
+10500 56296 MT
+(results, please post to kerberos@athena.mit.edu\051)SH
+9400 58190 MT
+(5.)SH
+10500 XM
+(Change directory to [OBJ_DIR]. The next command generates new Makefiles based on the)SH
+10500 59386 MT
+(configuration you selected in config.Imakefile, then adds dependency information to the)SH
+10500 60582 MT
+(Makefiles, and finally builds the system:)SH
+/Courier SF
+11820 62159 MT
+(host%)SH
+/Times-Bold SF
+15780 XM
+(make world)275 W
+/Times-Roman SF
+10500 63754 MT
+(This command takes a while to complete; you may wish to redirect the output onto a file)SH
+10500 64950 MT
+(and put the job in the background:)SH
+/Courier SF
+11820 66527 MT
+(host%)SH
+/Times-Bold SF
+15780 XM
+(make world)
+275 W( >&WORLDLOG_891201 &)SH
+/Times-Roman SF
+10500 68122 MT
+(If you need to rebuild the Kerberos programs and libraries after making a change, you can)SH
+10 SS
+7200 75600 MT
+(MIT Project Athena)SH
+30350 XM
+(6)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 7 8
+BS
+0 SI
+11 /Times-Roman AF
+10500 7955 MT
+(usually just type:)SH
+/Courier SF
+11820 9532 MT
+(host%)SH
+/Times-Bold SF
+15780 XM
+(make all)275 W
+/Times-Roman SF
+10500 11127 MT
+(However, if you changed the configuration in config.Imakefile or modified the Imakefiles)SH
+10500 12323 MT
+(or Makefiles, you should run)SH
+/Times-Italic SF
+23514 XM
+(make world)SH
+/Times-Roman SF
+28952 XM
+(to re-build all the Makefiles and dependency lists.)SH
+14 /Times-Bold AF
+7200 16141 MT
+(4.1 Testing)
+350 W( the DES Library)SH
+11 /Times-Roman AF
+7200 18336 MT
+(Use the)SH
+/Times-Italic SF
+10804 XM
+(verify)SH
+/Times-Roman SF
+13583 XM
+(command to test the DES library implementation:)SH
+/Courier SF
+8520 19913 MT
+(host%)SH
+/Times-Bold SF
+12480 XM
+([OBJ_DIR]/lib/des/verify)SH
+/Times-Roman SF
+7200 21508 MT
+(The command should display the following:)SH
+10 SS
+7200 75600 MT
+(MIT Project Athena)SH
+30350 XM
+(7)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 8 9
+BS
+0 SI
+11 /Courier AF
+8520 7886 MT
+(Examples per FIPS publication 81, keys ivs and cipher)SH
+8520 9000 MT
+(in hex. These are the correct answers, see below for)SH
+8520 10114 MT
+(the actual answers.)SH
+8520 12342 MT
+(Examples per Davies and Price.)SH
+8520 14570 MT
+(EXAMPLE ECB)
+SH( key)
+2640 W( = 08192a3b4c5d6e7f)SH
+13800 15684 MT
+(clear = 0)SH
+13800 16798 MT
+(cipher = 25 dd ac 3e 96 17 64 67)SH
+8520 17912 MT
+(ACTUAL ECB)SH
+13800 19026 MT
+(clear "")SH
+13800 20140 MT
+(cipher =)
+660 W( \050low to high bytes\051)SH
+19080 21254 MT
+(25 dd ac 3e 96 17 64 67)SH
+8520 23482 MT
+(EXAMPLE ECB)
+SH( key)
+2640 W( = 0123456789abcdef)SH
+13800 24596 MT
+(clear = "Now is the time for all ")SH
+13800 25710 MT
+(cipher = 3f a4 0e 8a 98 4d 48 15 ...)SH
+8520 26824 MT
+(ACTUAL ECB)SH
+13800 27938 MT
+(clear "Now is the time for all ")SH
+13800 29052 MT
+(cipher =)
+660 W( \050low to high bytes\051)SH
+19080 30166 MT
+(3f a4 0e 8a 98 4d 48 15)SH
+8520 32394 MT
+(EXAMPLE CBC)
+SH( key)
+2640 W( = 0123456789abcdef iv = 1234567890abcdef)SH
+13800 33508 MT
+(clear = "Now is the time for all ")SH
+13800 34622 MT
+(cipher =)
+SH( e5)
+4620 W( c7 cd de 87 2b f2 7c)SH
+24360 35736 MT
+(43 e9 34 00 8c 38 9c 0f)SH
+24360 36850 MT
+(68 37 88 49 9a 7c 05 f6)SH
+8520 37964 MT
+(ACTUAL CBC)SH
+13800 39078 MT
+(clear "Now is the time for all ")SH
+13800 40192 MT
+(ciphertext = \050low to high bytes\051)SH
+19080 41306 MT
+(e5 c7 cd de 87 2b f2 7c)SH
+19080 42420 MT
+(43 e9 34 00 8c 38 9c 0f)SH
+19080 43534 MT
+(68 37 88 49 9a 7c 05 f6)SH
+19080 44648 MT
+(00 00 00 00 00 00 00 00)SH
+19080 45762 MT
+(00 00 00 00 00 00 00 00)SH
+19080 46876 MT
+(00 00 00 00 00 00 00 00)SH
+19080 47990 MT
+(00 00 00 00 00 00 00 00)SH
+19080 49104 MT
+(00 00 00 00 00 00 00 00)SH
+13800 50218 MT
+(decrypted clear_text = "Now is the time for all ")SH
+8520 51332 MT
+(EXAMPLE CBC checksum)
+SH( key)
+1980 W( = 0123456789abcdef iv = 1234567890abcdef)SH
+13800 52446 MT
+(clear =)
+SH( "7654321)
+5280 W( Now is the time for ")SH
+13800 53560 MT
+(checksum 58)
+4620 W( d2 e7 7e 86 06 27 33 or some part thereof)SH
+8520 54674 MT
+(ACTUAL CBC checksum)SH
+19080 55788 MT
+(encrypted cksum = \050low to high bytes\051)SH
+19080 56902 MT
+(58 d2 e7 7e 86 06 27 33)SH
+/Times-Roman SF
+7200 59200 MT
+(If the)SH
+/Times-Italic SF
+9826 XM
+(verify)SH
+/Times-Roman SF
+12605 XM
+(command fails to display this information as specified above, the implementation of DES for)SH
+7200 60396 MT
+(your hardware needs to be adjusted. Your Kerberos system cannot work properly if your DES library)SH
+7200 61592 MT
+(fails this test.)SH
+7200 63890 MT
+(When you have finished building the software, you will find the executables in the object tree as follows:)SH
+/Times-Bold SF
+7200 65841 MT
+([OBJ_DIR]/admin)SH
+/Times-Italic SF
+18200 XM
+(ext_srvtab)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+23332 XM
+(kdb_destroy)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+29258 XM
+(kdb_edit)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+33596 XM
+(kdb_init)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+37752 XM
+(kdb_util)SH
+/Times-Roman SF
+(, and)SH
+/Times-Italic SF
+43771 XM
+(kstash)SH
+/Times-Roman SF
+(.)SH
+/Times-Bold SF
+7200 67536 MT
+([OBJ_DIR]/kuser)SH
+/Times-Italic SF
+18200 XM
+(kdestroy)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+22476 XM
+(kinit)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+24982 XM
+(klist)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+27366 XM
+(ksrvtgt)SH
+/Times-Roman SF
+(, and)SH
+/Times-Italic SF
+32773 XM
+(ksu)SH
+/Times-Roman SF
+(.)SH
+10 SS
+7200 75600 MT
+(MIT Project Athena)SH
+30350 XM
+(8)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 9 10
+BS
+0 SI
+11 /Times-Bold AF
+7200 7955 MT
+([OBJ_DIR]/server)SH
+/Times-Italic SF
+18200 XM
+(kerberos)SH
+/Times-Roman SF
+(.)SH
+/Times-Bold SF
+7200 9650 MT
+([OBJ_DIR]/appl/bsd)SH
+/Times-Italic SF
+18200 XM
+(klogind)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+22050 XM
+(kshd)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+24616 XM
+(login.krb)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+29169 XM
+(rcp)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+31185 XM
+(rlogin)SH
+/Times-Roman SF
+(, and)SH
+/Times-Italic SF
+36288 XM
+(rsh)SH
+/Times-Roman SF
+(.)SH
+/Times-Bold SF
+7200 11345 MT
+([OBJ_DIR]/appl/knetd)SH
+/Times-Italic SF
+18200 XM
+(knetd)SH
+/Times-Roman SF
+(.)SH
+/Times-Bold SF
+7200 13040 MT
+([OBJ_DIR]/appl/sample)SH
+/Times-Italic SF
+18200 14236 MT
+(sample_server)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+25164 XM
+(sample_client)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+31824 XM
+(simple_server)SH
+/Times-Roman SF
+(, and)SH
+/Times-Italic SF
+40407 XM
+(simple_client)SH
+/Times-Roman SF
+(.)SH
+/Times-Bold SF
+7200 15931 MT
+([OBJ_DIR]/appl/tftp)SH
+/Times-Italic SF
+18200 XM
+(tcom)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+20888 XM
+(tftpd)SH
+/Times-Roman SF
+(, and)SH
+/Times-Italic SF
+25319 XM
+(tftp)SH
+/Times-Roman SF
+(.)SH
+/Times-Bold SF
+7200 17626 MT
+([OBJ_DIR]/slave)SH
+/Times-Italic SF
+18200 XM
+(kprop)SH
+/Times-Roman SF
+21041 XM
+(and)SH
+/Times-Italic SF
+22904 XM
+(kpropd)SH
+/Times-Roman SF
+(.)SH
+16 /Times-Bold AF
+7200 22298 MT
+(5. Installing)
+400 W( the Software)SH
+11 /Times-Roman AF
+7200 24493 MT
+(To install the software, issue the)SH
+/Times-Italic SF
+21711 XM
+(make install)SH
+/Times-Roman SF
+27333 XM
+(command from the [OBJ_DIR] \050you need to be a privileged)SH
+7200 25689 MT
+(user in order to properly install the programs\051. Programs can either be installed in default directories, or)SH
+7200 26885 MT
+(under a given root directory, as described below.)SH
+14 /Times-Bold AF
+7200 30703 MT
+(5.1 The)
+350 W( ``Standard'' Places)SH
+11 /Times-Roman AF
+7200 32898 MT
+(If you use the)SH
+/Times-Italic SF
+13492 XM
+(make)SH
+/Times-Roman SF
+16087 XM
+(command as follows:)SH
+/Courier SF
+8520 34475 MT
+(host#)SH
+/Times-Bold SF
+12480 XM
+(make install)275 W
+/Times-Roman SF
+7200 36070 MT
+(the installation process will try to install the various parts of the system in ``standard'' directories. This)SH
+7200 37266 MT
+(process creates the ``standard'' directories as needed.)SH
+7200 39564 MT
+(The standard installation process copies things as follows:)SH
+/Symbol SF
+9169 41640 MT
+(\267)SH
+/Times-Roman SF
+9950 XM
+(The)SH
+/Times-Italic SF
+11935 XM
+(include)SH
+/Times-Roman SF
+15448 XM
+(files)SH
+/Times-Italic SF
+17617 XM
+(krb.h)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+20458 XM
+(des.h)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+23299 XM
+(mit-copyright.h)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+30662 XM
+(kadm.h)SH
+/Times-Roman SF
+34144 XM
+(and)SH
+/Times-Italic SF
+36007 XM
+(kadm_err.h)SH
+/Times-Roman SF
+41383 XM
+(get copied to the)SH
+/Times-Italic SF
+9950 42836 MT
+(/usr/include)SH
+/Times-Roman SF
+15481 XM
+(directory.)SH
+/Symbol SF
+9169 44730 MT
+(\267)SH
+/Times-Roman SF
+9950 XM
+(The Kerberos libraries)SH
+/Times-Italic SF
+20119 XM
+(libdes.a)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+24122 XM
+(libkrb.a)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+28125 XM
+(libkdb.a)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+32250 XM
+(libkadm.a)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+37169 XM
+(libknet.a)SH
+/Times-Roman SF
+(, and)SH
+/Times-Italic SF
+43401 XM
+(libacl.a)SH
+/Times-Roman SF
+47007 XM
+(get)SH
+9950 45926 MT
+(copied to the)SH
+/Times-Italic SF
+15907 XM
+(/usr/athena/lib)SH
+/Times-Roman SF
+22662 XM
+(\050or wherever you pointed LIBDIR in config.Imakefile\051)SH
+9950 47122 MT
+(directory.)SH
+/Symbol SF
+9169 49016 MT
+(\267)SH
+/Times-Roman SF
+9950 XM
+(The Kerberos master database utilities)SH
+/Times-Italic SF
+27085 XM
+(kdb_init)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+31241 XM
+(kdb_destroy)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+37167 XM
+(kdb_edit)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+41505 XM
+(kdb_util)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+45661 XM
+(kstash)SH
+/Times-Roman SF
+(, and)SH
+/Times-Italic SF
+9950 50212 MT
+(ext_srvtab)SH
+/Times-Roman SF
+14807 XM
+(get copied to the)SH
+/Times-Italic SF
+22383 XM
+(/usr/etc)SH
+/Times-Roman SF
+25958 XM
+(\050DAEMDIR\051 directory.)SH
+/Symbol SF
+9169 52106 MT
+(\267)SH
+/Times-Roman SF
+9950 XM
+(The Kerberos user utilities)SH
+/Times-Italic SF
+21924 XM
+(kinit)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+24430 XM
+(kdestroy)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+28706 XM
+(klist)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+31090 XM
+(ksrvtgt)SH
+/Times-Roman SF
+34359 XM
+(and)SH
+/Times-Italic SF
+36222 XM
+(ksu)SH
+/Times-Roman SF
+37963 XM
+(get copied to the)SH
+/Times-Italic SF
+45539 XM
+(/usr/athena)SH
+/Times-Roman SF
+9950 53302 MT
+(\050PROGDIR\051 directory.)SH
+/Symbol SF
+9169 55196 MT
+(\267)SH
+/Times-Roman SF
+9950 XM
+(The modified Berkeley utilities)SH
+/Times-Italic SF
+24004 XM
+(rsh)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+25960 XM
+(rlogin)SH
+/Times-Roman SF
+28925 XM
+(get copied to the)SH
+/Times-Italic SF
+36501 XM
+(/usr/ucb)SH
+/Times-Roman SF
+40382 XM
+(\050UCBDIR\051 directory;)SH
+/Times-Italic SF
+9950 56392 MT
+(rcp)SH
+/Times-Roman SF
+11691 XM
+(gets copied to the)SH
+/Times-Italic SF
+19695 XM
+(/bin)SH
+/Times-Roman SF
+21682 XM
+(\050SLASHBINDIR\051 directory; and)SH
+/Times-Italic SF
+36375 XM
+(rlogind)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+40165 XM
+(rshd)SH
+/Times-Roman SF
+(, and)SH
+/Times-Italic SF
+44534 XM
+(login.krb)SH
+/Times-Roman SF
+48812 XM
+(get)SH
+9950 57588 MT
+(copied to the)SH
+/Times-Italic SF
+15907 XM
+(/usr/etc)SH
+/Times-Roman SF
+19482 XM
+(\050DAEMDIR\051 directory. The old copies of the user programs are)SH
+9950 58784 MT
+(renamed)SH
+/Times-Italic SF
+14011 XM
+(rsh.ucb)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+17830 XM
+(rlogin.ucb)SH
+/Times-Roman SF
+22658 XM
+(and)SH
+/Times-Italic SF
+24521 XM
+(rcp.ucb)SH
+/Times-Roman SF
+(, respectively. The Kerberos versions of these)SH
+9950 59980 MT
+(programs are designed to fall back and execute the original versions if something prevents)SH
+9950 61176 MT
+(the Kerberos versions from succeeding.)SH
+/Symbol SF
+9169 63070 MT
+(\267)SH
+/Times-Roman SF
+9950 XM
+(The Kerberos version of)SH
+/Times-Italic SF
+20944 XM
+(tftp)SH
+/Times-Roman SF
+22687 XM
+(and)SH
+/Times-Italic SF
+24550 XM
+(tcom)SH
+/Times-Roman SF
+26963 XM
+(get copied to the)SH
+/Times-Italic SF
+34539 XM
+(/usr/athena)SH
+/Times-Roman SF
+39826 XM
+(\050PROGDIR\051 directory;)SH
+/Times-Italic SF
+9950 64266 MT
+(tftpd)SH
+/Times-Roman SF
+12243 XM
+(gets copied to the)SH
+/Times-Italic SF
+20247 XM
+(/etc)SH
+/Times-Roman SF
+22110 XM
+(\050ETCDIR\051 directory.)SH
+/Times-Italic SF
+31884 XM
+(tftp)SH
+/Times-Roman SF
+33627 XM
+(and)SH
+/Times-Italic SF
+35490 XM
+(tftpd)SH
+/Times-Roman SF
+37783 XM
+(are installed set-uid to an)SH
+9950 65462 MT
+(unprivileged user \050user id of DEF_UID\051.)SH
+/Symbol SF
+9169 67356 MT
+(\267)SH
+/Times-Roman SF
+9950 XM
+(The)SH
+/Times-Italic SF
+11935 XM
+(knetd)SH
+/Times-Roman SF
+14592 XM
+(daemon gets copied to the)SH
+/Times-Italic SF
+26353 XM
+(/usr/etc)SH
+/Times-Roman SF
+29928 XM
+(\050DAEMDIR\051 directory.)SH
+10 SS
+7200 75600 MT
+(MIT Project Athena)SH
+30350 XM
+(9)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 10 11
+BS
+0 SI
+11 /Symbol AF
+9169 8080 MT
+(\267)SH
+/Times-Roman SF
+9950 XM
+(The Kerberos server)SH
+/Times-Italic SF
+19201 XM
+(kerberos)SH
+/Times-Roman SF
+(, the slave propagation software)SH
+/Times-Italic SF
+37343 XM
+(kprop)SH
+/Times-Roman SF
+40184 XM
+(and)SH
+/Times-Italic SF
+42047 XM
+(kpropd)SH
+/Times-Roman SF
+(, and the)SH
+9950 9276 MT
+(administration server)SH
+/Times-Italic SF
+19542 XM
+(kadmind)SH
+/Times-Roman SF
+23605 XM
+(get copied to the)SH
+/Times-Italic SF
+31181 XM
+(/usr/etc)SH
+/Times-Roman SF
+34756 XM
+(\050SVRDIR, SVRDIR, and)SH
+9950 10472 MT
+(DAEMDIR\051 directory.)SH
+/Symbol SF
+9169 12366 MT
+(\267)SH
+/Times-Roman SF
+9950 XM
+(The remote administration tools)SH
+/Times-Italic SF
+24310 XM
+(kpasswd)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+28588 XM
+(ksrvutil)SH
+/Times-Roman SF
+32163 XM
+(and)SH
+/Times-Italic SF
+34026 XM
+(kadmin)SH
+/Times-Roman SF
+37539 XM
+(get copied to the)SH
+/Times-Italic SF
+45115 XM
+(/usr/athena)SH
+/Times-Roman SF
+9950 13562 MT
+(\050PROGDIR\051 directory.)SH
+/Symbol SF
+9169 15456 MT
+(\267)SH
+/Times-Roman SF
+9950 XM
+(The Kerberos manual pages get installed in the appropriate)SH
+/Times-Italic SF
+36187 XM
+(/usr/man)SH
+/Times-Roman SF
+40374 XM
+(directories. Don't)275 W
+9950 16652 MT
+(forget to run)SH
+/Times-Italic SF
+15723 XM
+(makewhatis)SH
+/Times-Roman SF
+21192 XM
+(after installing the manual pages.)SH
+14 /Times-Bold AF
+7200 20470 MT
+(5.2 ``Non-Standard'')
+350 W( Installation)SH
+11 /Times-Roman AF
+7200 22665 MT
+(If you'd rather install the software in a different location, you can use the)SH
+/Times-Italic SF
+39667 XM
+(make)SH
+/Times-Roman SF
+42262 XM
+(command as follows,)SH
+7200 23861 MT
+(where [DEST_DIR] specifies an alternate destination directory which will be used as the root for the)SH
+7200 25057 MT
+(installed programs, i.e. programs that would normally be installed in /usr/athena would be installed in)SH
+7200 26253 MT
+([DEST_DIR]/usr/athena.)SH
+/Courier SF
+8520 27830 MT
+(host#)SH
+/Times-Bold SF
+12480 XM
+(make install DESTDIR=[DEST_DIR])275 W
+16 SS
+7200 32502 MT
+(6. Conclusion)400 W
+11 /Times-Roman AF
+7200 34697 MT
+(Now that you have built and installed your Kerberos system, use the accompanying Kerberos Operation)SH
+4030 50 44224 34897 UL
+4398 50 48529 34897 UL
+7200 35893 MT
+(Notes to create a Kerberos Master database, install authenticated services, and start the Kerberos server.)SH
+2566 50 7200 36093 UL
+16 /Times-Bold AF
+7200 40565 MT
+(7. Acknowledgements)400 W
+11 /Times-Roman AF
+7200 42760 MT
+(We'd like to thank Henry Mensch and Jon Rochlis for helping us debug this document.)SH
+10 SS
+7200 75600 MT
+(MIT Project Athena)SH
+30100 XM
+(10)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: i 12
+BS
+0 SI
+14 /Times-Bold AF
+25272 8138 MT
+(Table of Contents)SH
+13 SS
+7200 9781 MT
+(1. Organization)
+325 W( of the Source Directory)SH
+53350 XM
+(1)SH
+12 /Times-Roman AF
+9000 11136 MT
+(1.1 The)300 W
+/Times-BoldItalic SF
+13266 XM
+(admin)SH
+/Times-Roman SF
+16701 XM
+(Directory)SH
+53400 XM
+(2)SH
+9000 12491 MT
+(1.2 The)300 W
+/Times-BoldItalic SF
+13266 XM
+(kuser)SH
+/Times-Roman SF
+16300 XM
+(Directory)SH
+53400 XM
+(2)SH
+9000 13846 MT
+(1.3 The)300 W
+/Times-BoldItalic SF
+13266 XM
+(appl)SH
+/Times-Roman SF
+15700 XM
+(Directory)SH
+53400 XM
+(2)SH
+9000 15201 MT
+(1.4 The)300 W
+/Times-BoldItalic SF
+13266 XM
+(server)SH
+/Times-Roman SF
+16566 XM
+(Directory)SH
+53400 XM
+(3)SH
+9000 16556 MT
+(1.5 The)300 W
+/Times-BoldItalic SF
+13266 XM
+(kadmin)SH
+/Times-Roman SF
+17301 XM
+(Directory)SH
+53400 XM
+(3)SH
+9000 17911 MT
+(1.6 The)300 W
+/Times-BoldItalic SF
+13266 XM
+(include)SH
+/Times-Roman SF
+17234 XM
+(Directory)SH
+53400 XM
+(3)SH
+9000 19266 MT
+(1.7 The)300 W
+/Times-BoldItalic SF
+13266 XM
+(lib)SH
+/Times-Roman SF
+14834 XM
+(Directory)SH
+53400 XM
+(3)SH
+9000 20621 MT
+(1.8 The)300 W
+/Times-BoldItalic SF
+13266 XM
+(man)SH
+/Times-Roman SF
+15767 XM
+(Directory)SH
+53400 XM
+(3)SH
+9000 21976 MT
+(1.9 The)300 W
+/Times-BoldItalic SF
+13266 XM
+(prototypes)SH
+/Times-Roman SF
+18634 XM
+(Directory)SH
+53400 XM
+(3)SH
+9000 23331 MT
+(1.10 The)300 W
+/Times-BoldItalic SF
+13866 XM
+(tools)SH
+/Times-Roman SF
+16501 XM
+(Directory)SH
+53400 XM
+(3)SH
+9000 24686 MT
+(1.11 The)300 W
+/Times-BoldItalic SF
+13866 XM
+(util)SH
+/Times-Roman SF
+15835 XM
+(Directory)SH
+53400 XM
+(4)SH
+13 /Times-Bold AF
+7200 26329 MT
+(2. Preparing)
+325 W( for Installation)SH
+53350 XM
+(4)SH
+7200 27972 MT
+(3. Preparing)
+325 W( for the Build)SH
+53350 XM
+(4)SH
+12 /Times-Roman AF
+9000 29327 MT
+(3.1 The)300 W
+/Times-BoldItalic SF
+13266 XM
+(/etc/krb.conf)SH
+/Times-Roman SF
+19801 XM
+(File)SH
+53400 XM
+(5)SH
+9000 30682 MT
+(3.2 The)300 W
+/Times-BoldItalic SF
+13266 XM
+(/etc/krb.realms)SH
+/Times-Roman SF
+20936 XM
+(File)SH
+53400 XM
+(6)SH
+13 /Times-Bold AF
+7200 32325 MT
+(4. Building)
+325 W( the Software)SH
+53350 XM
+(6)SH
+12 /Times-Roman AF
+9000 33674 MT
+(4.1 Testing)
+300 W( the DES Library)SH
+53400 XM
+(7)SH
+13 /Times-Bold AF
+7200 35317 MT
+(5. Installing)
+325 W( the Software)SH
+53350 XM
+(9)SH
+12 /Times-Roman AF
+9000 36666 MT
+(5.1 The)
+300 W( ``Standard'' Places)SH
+53400 XM
+(9)SH
+9000 38015 MT
+(5.2 ``Non-Standard'')
+300 W( Installation)SH
+52800 XM
+(10)SH
+13 /Times-Bold AF
+7200 39658 MT
+(6. Conclusion)325 W
+52700 XM
+(10)SH
+7200 41301 MT
+(7. Acknowledgements)325 W
+52700 XM
+(10)SH
+10 /Times-Roman AF
+7200 75600 MT
+(MIT Project Athena)SH
+30461 XM
+(i)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Trailer
+%%Pages: 12
+%%DocumentFonts: Times-Roman Times-Bold Times-Italic Times-BoldItalic Courier Symbol
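Review bot: Section 5.1 says rlogind and rshd are copied to /usr/etc, but the list of built executables under [OBJ_DIR]/appl/bsd calls the daemons klogind and kshd; use one set of names so an administrator can tell which binaries are actually installed. The same section gives the destination for kerberos, kprop, kpropd and kadmind as "(SVRDIR, SVRDIR, and DAEMDIR)", which repeats SVRDIR and does not say which variable applies to which program. The install list also mentions kadmind, kpasswd, ksrvutil and kadmin, yet the list of built executables has no [OBJ_DIR] entry for them. The paragraph on rsh.ucb, rlogin.ucb and rcp.ucb should state that the fallback runs the original, non-Kerberos program, so a reader knows a session that "worked" may not have been Kerberos-authenticated. In section 4.1 the verify check depends on comparing the EXAMPLE and ACTUAL lines by eye; it would help to say whether the command also signals a mismatch. These corrections belong in installation.mss, added in the same commit, with this file regenerated from it.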
diff --git a/doc/old-V4-docs/installation.mss b/doc/old-V4-docs/installation.mss
new file mode 100644
index 0000000..0a2ae75
--- /dev/null
+++ b/doc/old-V4-docs/installation.mss
@@ -0,0 +1,681 @@
+@Comment[ $Source$]
+@Comment[ $Author$]
+@Comment[ $Id$]
+@Comment[]
+@device[postscript]
+@make[report]
+@comment[
+@DefineFont(HeadingFont,
+ P=<RawFont "NewCenturySchlbkBoldItalic">,
+ B=<RawFont "NewCenturySchlbkBold">,
+ I=<RawFont "NewCenturySchlbkBoldItalic">,
+ R=<RawFont "NewCenturySchlbkRoman">)
+]
+@DefineFont(HeadingFont,
+ P=<RawFont "TimesBoldItalic">,
+ B=<RawFont "TimesBold">,
+ I=<RawFont "TimesItalic">,
+ R=<RawFont "TimesRoman">)
+@Counter(MajorPart,TitleEnv HD0,ContentsEnv tc0,Numbered [@I],
+ IncrementedBy Use,Announced)
+@Counter(Chapter,TitleEnv HD1,ContentsEnv tc1,Numbered [@1. ],
+ IncrementedBy Use,Referenced [@1],Announced)
+@Counter(Appendix,TitleEnv HD1,ContentsEnv tc1,Numbered [@A. ],
+ IncrementedBy,Referenced [@A],Announced,Alias Chapter)
+@Counter(UnNumbered,TitleEnv HD1,ContentsEnv tc1,Announced,Alias
+ Chapter)
+@Counter(Section,Within Chapter,TitleEnv HD2,ContentsEnv tc2,
+ Numbered [@#@:.@1 ],Referenced [@#@:.@1],IncrementedBy
+ Use,Announced)
+@Counter(AppendixSection,Within Appendix,TitleEnv HD2,
+ ContentsEnv tc2,
+ Numbered [@#@:.@1 ],Referenced [@#@:.@1],IncrementedBy
+ Use,Announced)
+@Counter(SubSection,Within Section,TitleEnv HD3,ContentsEnv tc3,
+ Numbered [@#@:.@1 ],IncrementedBy Use,
+ Referenced [@#@:.@1 ])
+@Counter(AppendixSubSection,Within AppendixSection,TitleEnv HD3,
+ ContentsEnv tc3,
+ Numbered [@#@:.@1 ],IncrementedBy Use,
+ Referenced [@#@:.@1 ])
+@Counter(Paragraph,Within SubSection,TitleEnv HD4,ContentsEnv tc4,
+ Numbered [@#@:.@1 ],Referenced [@#@:.@1],
+ IncrementedBy Use)
+@modify(CopyrightNotice, Fixed -1 inch, Flushright)
+@Modify(Titlebox, Fixed 3.0 inches)
+@Modify(hd1, below .2 inch, facecode B, size 16, spaces kept, pagebreak off)
+@Modify(hd2, below .2 inch, facecode B, size 14, spaces kept)
+@Modify(hd3, below .2 inch, facecode B, size 12, spaces kept)
+@Modify(Description, Leftmargin +20, Indent -20,below 1 line, above 1 line)
+@Modify(Tc1, Above .5, Facecode B)
+@Modify(Tc2, Above .25, Below .25, Facecode R)
+@Modify(Tc3,Facecode R)
+@Modify(Tc4,Facecode R)
+@Modify(Itemize,Above 1line,Below 1line)
+@Modify(Insert,LeftMargin +2, RightMargin +2)
+@libraryfile[stable]
+@comment[@Style(Font NewCenturySchoolBook, size 11)]
+@Style(Font TimesRoman, size 11)
+@Style(Spacing 1.1, indent 0)
+@Style(leftmargin 1.0inch)
+@Style(justification no)
+@Style(BottomMargin 1.5inch)
+@Style(ChangeBarLocation Right)
+@Style(ChangeBars=off)
+@pageheading[immediate]
+@pagefooting[immediate, left = "MIT Project Athena", center = "@value(page)",
+right = "@value(date)"]
+@set[page = 0]
+@blankspace[.5 inches]
+@begin[group, size 20]
+@begin(center)
+@b[Kerberos Installation Notes]
+@b[DRAFT]
+@end[center]
+@end(group)
+@blankspace[.5 inches]
+@begin[group, size 16]
+@begin(center)
+Bill Bryant
+Jennifer Steiner
+John Kohl
+@blankspace[1 line]
+Project Athena, MIT
+@blankspace[.5 inches]
+@b[Initial Release, January 24, 1989]
+@i[(plus later patches through patchlevel 7)]
+@end[center]
+@end(group)
+@begin[group, size 10]
+@end[group]
+@blankspace[.75 inches]
+
+
+The release consists of three parts.
+
+The first part consists of the core Kerberos system, which was developed
+at MIT and does not require additional licenses for us to distribute.
+Included in this part are the Kerberos authentication server, the
+Kerberos library, the
+@i[ndbm]
+database interface library, user programs, administration programs,
+manual pages, some applications which use Kerberos for authentication,
+and some utilities.
+
+The second part is the Data Encryption Standard (DES) library, which we
+are distributing only within the United States.
+
+The third part contains Kerberos modifications to Sun's NFS, which we
+distribute as ``context diffs'' to the Sun NFS source code. Its
+distribution is controlled to provide an accounting of who has retrieved
+the patches, so that Project Athena can comply with its agreements with
+Sun regarding distribution of these changes.
+
+@newpage()
+@chapter[Organization of the Source Directory]
+
+The Kerberos building and installation process,
+as described in this document,
+builds the binaries and executables from the files contained in the Kerberos
+source tree, and deposits them in a separate object tree.
+This is intended to easily support several different build trees from a
+single source tree (this is useful if you support several machine
+architectures).
+We suggest that you copy the Kerberos sources into a
+@i[/mit/kerberos/src] directory,
+and create as well a @i[/mit/kerberos/obj] directory in which
+to hold the executables.
+In the rest of this document, we'll refer to the Kerberos
+source and object directories as [SOURCE_DIR]
+and [OBJ_DIR], respectively.
+
+Below is a brief overview of the organization of the complete
+source directory.
+More detailed descriptions follow.
+
+@begin[description]
+
+@b[admin]@\utilities for the Kerberos administrator
+
+@b[appl]@\applications that use Kerberos
+
+@b[appl/bsd]@\Berkeley's rsh/rlogin suite, using Kerberos
+
+@b[appl/knetd]@\(old) software for inetd-like multiplexing of a single
+TCP listening port
+
+@b[appl/sample]@\sample application servers and clients
+
+@b[appl/tftp]@\Trivial File Transfer Protocol, using Kerberos
+
+@b[include]@\include files
+
+@b[kadmin]@\remote administrative interface to the Kerberos master database
+
+@b[kuser]@\assorted user programs
+
+@b[lib]@\libraries for use with/by Kerberos
+
+@b[lib/acl]@\Access Control List library
+
+@b[lib/des]@\Data Encryption Standard library (US only)
+
+@b[lib/kadm]@\administrative interface library
+
+@b[lib/kdb]@\Kerberos server library interface to @i[ndbm]
+
+@b[lib/knet]@\(old) library for use with @b[knetd]
+
+@b[lib/krb]@\Kerberos library
+
+@b[man]@\manual pages
+
+@b[prototypes]@\sample configuration files
+
+@b[server]@\the authentication server
+
+@b[slave]@\Kerberos slave database propagation software
+
+@b[tools]@\shell scripts for maintaining the source tree
+
+@b[util]@\utilities
+
+@b[util/imake]@\Imakefile-to-Makefile ``compilation'' tool
+
+@b[util/ss]@\Sub-system library (for command line subsystems)
+
+@b[util/et]@\Error-table library (for independent, unique error codes)
+
+@b[util/makedepend]@\Makefile dependency generator tool
+
+@end[description]
+
+@section[The @p(admin) Directory]
+
+This directory contains source for
+the Kerberos master database administration tools.
+@begin[description]
+@b[kdb_init]@\This program creates and initializes the
+Kerberos master database.
+It prompts for a Kerberos realmname, and the Kerberos master password.
+
+@b[kstash]@\This program ``stashes'' the master password in the file
+@i[/.k] so that the master server machine can restart the Kerberos
+server automatically after an unattended reboot.
+The hidden password is also available to administrative programs
+that have been set to run automatically.
+
+@b[kdb_edit]@\This program is a low-level tool for editing
+the master database.
+
+@b[kdb_destroy]@\This program deletes the master database.
+
+@b[kdb_util]@\This program can be used to dump the master database
+into an ascii file, and can also be used to load the ascii file
+into the master database.
+
+@b[ext_srvtab]@\This program extracts information from the master
+database and creates a host-dependent @i[srvtab] file.
+This file contains the Kerberos keys for the host's
+``Kerberized'' services.
+These services look up their keys in the @i[srvtab] file
+for use in the authentication process.
+@end[description]
+
+@section[The @p(kuser) Directory]
+
+This directory contains the source code for several user-oriented
+programs.
+@begin[description]
+@b[kinit]@\This program prompts users for their usernames and
+Kerberos passwords, then furnishes them with Kerberos ticket-granting
+tickets.
+
+@b[kdestroy]@\This program destroys any active tickets.
+Users should use @i[kdestroy] before they log off their workstations.
+
+@b[klist]@\This program lists a user's active tickets.
+
+@b[ksrvtgt]@\This retrieves a ticket-granting ticket with a life time
+of five minutes, using a server's secret key in lieu of a password. It
+is primarily for use in shell scripts and other batch facilities.
+
+@b[ksu]@\Substitute user id, using Kerberos to mediate attempts to
+change to ``root''.
+@end[description]
+
+@section[The @p(appl) Directory]
+
+If your site has the appropriate BSD license,
+your Kerberos release provides certain Unix utilities
+The Berkeley programs that have been modified to use Kerberos
+authentication are found in the @i[appl/bsd] directory.
+They include @i[login], @i[rlogin], @i[rsh], and @i[rcp], as well as the
+associated daemon programs @i[kshd] and @i[klogind].
+The @i[login] program obtains ticket-granting tickets for users
+upon login; the other utilities provide authenticated
+Unix network services.
+
+The @i[appl] directory also contains samples Kerberos application
+client and server programs, an authenticated @i[tftp] program,
+@i[knetd], an authenticated inet daemon.
+
+@section[The @p(server) Directory]
+
+The @i[server] directory contains the Kerberos KDC server, called
+@i[kerberos].
+This program manages read-only requests made to the
+master database,
+distributing tickets and encryption keys to clients requesting
+authentication service.
+
+@section[The @p(kadmin) Directory]
+
+The @i[kadmin] directory contains the Kerberos administration server and
+associated client programs.
+The server accepts network requests from the
+user program @i[kpasswd] (used to change a user's password), the
+Kerberos administration program @i(kadmin), and the srvtab utility
+program @i[ksrvutil].
+The administration server can make modifications to the master database.
+
+@section[The @p(include) Directory]
+
+This directory contains the @i[include] files needed to
+build the Kerberos system.
+
+@section[The @p(lib) Directory]
+
+The @i[lib] directory has six subdirectories:
+@i[acl], @i[des], @i[kadm], @i[kdb], @i[knet], and @i[krb].
+The @i[des] directory contains source for the DES encryption library.
+The @i[kadm] directory contains source for the Kerberos administration
+server utility library.
+The @i[kdb] directory contains source for the Kerberos database
+routine library.
+The @i[knet] directory contains source for a library used by clients of
+the @i[knetd] server.
+The @i[krb] directory contains source for the @i[libkrb.a]
+library.
+This library contains routines that are used by the Kerberos server program,
+and by applications programs that require authentication service.
+
+@section[The @p(man) Directory]
+
+This directory contains manual pages for Kerberos programs and
+library routines.
+
+@section[The @p(prototypes) Directory]
+
+This directory contains prototype
+@i[/etc/services] and @i[/etc/krb.conf] files.
+New entries must be added to the @i[/etc/services] file for
+the Kerberos server, and possibly for Kerberized applications
+(@i[services.append] contains the entries used by the Athena-provided
+servers & applications, and is suitable for appending to your existing
+@i[/etc/services] file.).
+The @i[/etc/krb.conf] file defines the local Kerberos realm
+for its host and lists Kerberos servers for given realms.
+The @i[/etc/krb.realms] file defines exceptions for mapping machine
+names to Kerberos realms.
+
+@section[The @p(tools) Directory]
+
+This directory contains
+a makefile to set up a directory tree
+for building the software in, and
+a shell script to format code in the
+style we use.
+
+
+@section[The @p(util) Directory]
+
+This directory contains several utility programs and libraries.
+Included are Larry Wall's @i[patch] program, a @i[make] pre-processor
+program called
+@i[imake], and a program for generating Makefile dependencies,
+@i[makedepend], as well as the Sub-system library and
+utilities (@i[ss]), and the Error table library and utilities (@i[et]).
+
+@chapter[Preparing for Installation]
+
+This document assumes that you will build the system
+on the machine on which you plan to install
+the Kerberos master server and its database.
+You'll need about 10 megabytes for source and executables.
+
+By default, there must be
+a @i[/kerberos] directory on the master server machine
+in which to store the Kerberos
+database files.
+If the master server machine does not have room on its root partition
+for these files,
+create a @i[/kerberos] symbolic link to another file system.
+
+@chapter[Preparing for the Build]
+
+Before you build the system,
+you have to choose a @b[realm name],
+the name that specifies the system's administrative domain.
+Project Athena uses the internet domain name ATHENA.MIT.EDU
+to specify its Kerberos realm name.
+We recommend using a name of this form.
+@b[NOTE:] the realm-name is case sensitive; by convention, we suggest
+that you use your internet domain name, in capital letters.
+
+Edit the [SOURCE_DIR]/@i[include/krb.h] file and look for the following
+lines of code:
+@begin[example]
+/*
+ * Kerberos specific definitions
+ *
+ * KRBLOG is the log file for the kerberos master server.
+ * KRB_CONF is the configuration file where different host
+ * machines running master and slave servers can be found.
+ * KRB_MASTER is the name of the machine with the master
+ * database. The admin_server runs on this machine, and all
+ * changes to the db (as opposed to read-only requests, which
+ * can go to slaves) must go to it.
+ * KRB_HOST is the default machine when looking for a kerberos
+ * slave server. Other possibilities are in the KRB_CONF file.
+ * KRB_REALM is the name of the realm.
+ */
+
+#ifdef notdef
+this is server-only, does not belong here;
+#define KRBLOG "/kerberos/kerberos.log"
+are these used anyplace '?';
+#define VX_KRB_HSTFILE "/etc/krbhst"
+#define PC_KRB_HSTFILE "\\kerberos\\krbhst"
+#endif
+
+#define KRB_CONF "/etc/krb.conf"
+#define KRB_RLM_TRANS "/etc/krb.realms"
+#define KRB_MASTER "kerberos"
+#define KRB_HOST KRB_MASTER
+#define KRB_REALM "ATHENA.MIT.EDU"
+@end[example]
+Edit the last line as follows:
+@begin[enumerate]
+Change the KRB_REALM definition so that it specifies the realm name
+you have chosen for your Kerberos system. This is a default which is
+usually overridden by a configuration file on each machine; however, if
+that config file is absent, many programs will use this "built-in" realm
+name.
+@end[enumerate]
+
+@section[The @p(/etc/krb.conf) File]
+
+Create a @i[/etc/krb.conf] file using the following format:
+@begin[example]
+@p[realm_name]
+@p[realm_name] @p[master_server_name] admin server
+@end[example]
+where @i[realm_name] specifies the system's realm name,
+and @i[master_server_name] specifies the machine name on
+which you will run the master server. The words 'admin server' must
+appear next to the name of the server on which you intend to run the
+administration server (which must be a machine with access to the database).
+
+For example,
+if your realm name is @i[tim.edu] and your master server's name is
+@i[kerberos.tim.edu], the file should have these contents:
+@begin[example]
+tim.edu
+tim.edu kerberos.tim.edu admin server
+@end[example]
+
+See the [SOURCE_DIR]/@i[prototypes/etc.krb.conf] file for an
+example @i[/etc/krb.conf] file. That file has examples of how to
+provide backup servers for a given realm (additional lines with the same
+leading realm name) and how to designate servers for remote realms.
+
+@section[The @p(/etc/krb.realms) File]
+
+In many situations, the default realm in which a host operates will be
+identical to the domain portion its Internet domain name.
+
+If this is not the case, you will need to establish a translation from
+host name or domain name to realm name. This is accomplished with the
+@i(/etc/krb.realms) file.
+
+Each line of the translation file specifies either a hostname or domain
+name, and its associated realm:
+@begin[example]
+.domain.name kerberos.realm1
+host.name kerberos.realm2
+@end[example]
+For example, to map all hosts in the domain LSC.TIM.EDU to KRB.REALM1
+but the host FILMS.LSC.TIM.EDU to KRB.REALM2 your file would read:
+@begin[example]
+.LSC.TIM.EDU KRB.REALM1
+FILMS.LSC.TIM.EDU KRB.REALM2
+@end[example]
+If a particular host matches both a domain and a host entry, the host
+entry takes precedence.
+
+@chapter[Building the Software]
+
+Before you build the software
+read the @b[README] file in [SOURCE_DIR].
+What follows is a more detailed description of the instructions
+listed in README.
+@begin[enumerate]
+Create an [OBJ_DIR] directory to hold the tree of Kerberos object files you
+are about to build, for example,
+@i[/mit/kerberos/obj].
+
+Change directory to [OBJ_DIR].
+The following command creates directories under [OBJ_DIR]
+and installs Makefiles for the final build.
+@begin[example, rightmargin -7]
+host% @b(make -f [SOURCE_DIR]/tools/makeconfig SRCDIR=[SOURCE_DIR])
+@end[example]
+
+
+
+Change directory to util/imake.includes. Read through config.Imakefile,
+turning on appropriate flags for your installation. Change SRCTOP so
+that it is set to the top level of your source directory.
+
+Check that your machine type has a definition in include/osconf.h &
+related files in the source tree (if it doesn't, then you may need to
+create your own; if you get successful results, please post to
+kerberos@@athena.mit.edu)
+
+Change directory to [OBJ_DIR]. The next command generates new Makefiles
+based on the configuration you selected in config.Imakefile, then adds
+dependency information to the Makefiles, and finally builds the system:
+@begin[example, rightmargin -7]
+host% @b(make world)
+@end[example]
+This command takes a while to complete; you may wish to redirect the
+output onto a file and put the job in the background:
+@begin[example, rightmargin -7]
+host% @b(make world >&WORLDLOG_891201 &)
+@end[example]
+If you need to rebuild the Kerberos programs and libraries after making
+a change, you can usually just type:
+@begin[example, rightmargin -7]
+host% @b(make all)
+@end[example]
+However, if you changed the configuration in config.Imakefile or modified
+the Imakefiles or Makefiles, you should run @i[make world] to re-build
+all the Makefiles and dependency lists.
+@end(enumerate)
+
+@section[Testing the DES Library]
+
+Use the @i[verify] command to test the DES library
+implementation:
+@begin[example]
+host% @b([OBJ_DIR]/lib/des/verify)
+@end[example]
+The command should display the following:
+@begin[example, rightmargin -10]
+Examples per FIPS publication 81, keys ivs and cipher
+in hex. These are the correct answers, see below for
+the actual answers.
+
+Examples per Davies and Price.
+
+EXAMPLE ECB key = 08192a3b4c5d6e7f
+ clear = 0
+ cipher = 25 dd ac 3e 96 17 64 67
+ACTUAL ECB
+ clear ""
+ cipher = (low to high bytes)
+ 25 dd ac 3e 96 17 64 67
+
+EXAMPLE ECB key = 0123456789abcdef
+ clear = "Now is the time for all "
+ cipher = 3f a4 0e 8a 98 4d 48 15 ...
+ACTUAL ECB
+ clear "Now is the time for all "
+ cipher = (low to high bytes)
+ 3f a4 0e 8a 98 4d 48 15
+
+EXAMPLE CBC key = 0123456789abcdef iv = 1234567890abcdef
+ clear = "Now is the time for all "
+ cipher = e5 c7 cd de 87 2b f2 7c
+ 43 e9 34 00 8c 38 9c 0f
+ 68 37 88 49 9a 7c 05 f6
+ACTUAL CBC
+ clear "Now is the time for all "
+ ciphertext = (low to high bytes)
+ e5 c7 cd de 87 2b f2 7c
+ 43 e9 34 00 8c 38 9c 0f
+ 68 37 88 49 9a 7c 05 f6
+ 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00
+ decrypted clear_text = "Now is the time for all "
+EXAMPLE CBC checksum key = 0123456789abcdef iv = 1234567890abcdef
+ clear = "7654321 Now is the time for "
+ checksum 58 d2 e7 7e 86 06 27 33 or some part thereof
+ACTUAL CBC checksum
+ encrypted cksum = (low to high bytes)
+ 58 d2 e7 7e 86 06 27 33
+@end[example]
+
+If the @i[verify] command fails to display this information as specified
+above, the implementation of DES for your hardware needs to
+be adjusted.
+Your Kerberos system cannot work properly if your DES library
+fails this test.
+
+When you have finished building the software,
+you will find the executables in the object tree as follows:
+@begin[description]
+@b([OBJ_DIR]/admin)@\@i[ext_srvtab], @i[kdb_destroy],
+@i[kdb_edit], @i[kdb_init], @i[kdb_util], and @i[kstash].
+
+@b([OBJ_DIR]/kuser)@\@i[kdestroy], @i[kinit], @i[klist], @i[ksrvtgt],
+and @i[ksu].
+
+@b([OBJ_DIR]/server)@\@i[kerberos].
+
+@b([OBJ_DIR]/appl/bsd)@\@i[klogind], @i[kshd], @i[login.krb], @i[rcp],
+@i[rlogin], and @i[rsh].
+
+@b([OBJ_DIR]/appl/knetd)@\@i[knetd].
+
+@b([OBJ_DIR]/appl/sample)@\@i[sample_server], @i[sample_client],
+@i[simple_server], and @i[simple_client].
+
+@b([OBJ_DIR]/appl/tftp)@\@i[tcom], @i[tftpd], and @i[tftp].
+
+@b([OBJ_DIR]/slave)@\@i[kprop] and @i[kpropd].
+@end[description]
+
+@chapter[Installing the Software]
+
+To install the software, issue the @i[make install] command from
+the [OBJ_DIR] (you need to be a privileged user in order to
+properly install the programs).
+Programs can either be installed in default directories, or under
+a given root directory, as described below.
+
+@section[The ``Standard'' Places]
+
+If you use the @i[make] command as follows:
+@begin[example]
+host# @b(make install)
+@end[example]
+the installation process will try to install the various parts of the
+system in ``standard'' directories.
+This process creates the ``standard'' directories as needed.
+
+The standard installation process copies things as follows:
+@begin[itemize]
+The @i[include] files @i[krb.h], @i[des.h], @i[mit-copyright.h],
+@i[kadm.h] and @i[kadm_err.h] get copied to the
+@i[/usr/include] directory.
+
+The Kerberos libraries @i[libdes.a], @i[libkrb.a], @i[libkdb.a],
+@i[libkadm.a], @i[libknet.a], and @i[libacl.a] get copied
+to the @i[/usr/athena/lib] (or wherever you pointed LIBDIR in
+config.Imakefile) directory.
+
+The Kerberos master database utilities @i[kdb_init], @i[kdb_destroy],
+@i[kdb_edit], @i[kdb_util], @i[kstash], and @i[ext_srvtab] get copied to
+the @i[/usr/etc] (DAEMDIR) directory.
+
+The Kerberos user utilities @i[kinit], @i[kdestroy], @i[klist],
+@i[ksrvtgt] and @i[ksu] get copied to the @i[/usr/athena] (PROGDIR)
+directory.
+
+The modified Berkeley utilities @i[rsh], @i[rlogin] get copied to the
+@i[/usr/ucb] (UCBDIR) directory; @i[rcp] gets copied to the @i[/bin]
+(SLASHBINDIR) directory; and @i[rlogind], @i[rshd], and @i[login.krb]
+get copied to the @i[/usr/etc] (DAEMDIR) directory. The old copies of
+the user programs are renamed @i(rsh.ucb), @i(rlogin.ucb) and
+@i(rcp.ucb), respectively. The Kerberos versions of these programs are
+designed to fall back and execute the original versions if something
+prevents the Kerberos versions from succeeding.
+
+The Kerberos version of @i[tftp] and @i[tcom] get copied to the
+@i[/usr/athena] (PROGDIR) directory; @i[tftpd] gets copied to the
+@i[/etc] (ETCDIR) directory. @i[tftp] and @i[tftpd] are installed
+set-uid to an unprivileged user (user id of DEF_UID).
+
+The @i[knetd] daemon gets copied to the @i[/usr/etc] (DAEMDIR) directory.
+
+The Kerberos server @i[kerberos], the slave propagation software
+@i[kprop] and @i[kpropd], and the administration server @i[kadmind] get
+copied to the @i[/usr/etc] (SVRDIR, SVRDIR, and DAEMDIR) directory.
+
+The remote administration tools @i[kpasswd], @i[ksrvutil] and @i[kadmin]
+get copied to the @i[/usr/athena] (PROGDIR) directory.
+
+The Kerberos manual pages get installed in the appropriate
+@i[/usr/man] directories. Don't forget to run @i[makewhatis]
+after installing the manual pages.
+
+@end[itemize]
+
+@section[``Non-Standard'' Installation]
+
+If you'd rather install the software in a different location,
+you can use the @i[make] command as follows,
+where [DEST_DIR] specifies an alternate destination directory
+which will be used as the root for the installed programs, i.e. programs
+that would normally be installed in /usr/athena would be installed in
+[DEST_DIR]/usr/athena.
+@begin[example]
+host# @b(make install DESTDIR=[DEST_DIR])
+@end[example]
+
+@chapter[Conclusion]
+
+Now that you have built and installed your Kerberos system,
+use the accompanying @u[Kerberos Operation Notes]
+to create a Kerberos Master database, install authenticated services,
+and start the Kerberos server.
+
+@chapter [Acknowledgements]
+
+We'd like to thank Henry Mensch and Jon Rochlis for helping us debug
+this document.
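Review bot: The "Standard" Places install list says rlogind and rshd get copied to /usr/etc, but the built-executables list earlier in this hunk shows [OBJ_DIR]/appl/bsd producing klogind and kshd. An administrator following this text would look for daemons under names the build does not produce, so the two lists should agree. The install list also names kadmind, kpasswd, ksrvutil and kadmin, none of which appear in the built-executables list. Either extend that list or say where these come from. Two smaller points. The krb.conf example uses the lowercase realm tim.edu, although the text just above recommends the Internet domain name in capital letters and the krb.realms examples are upper case. The sentence about the Kerberos rsh, rlogin and rcp falling back to the renamed .ucb originals should state that the fallback runs the unmodified Berkeley programs, so that sites expecting Kerberos-authenticated access know to account for it.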
diff --git a/doc/old-V4-docs/operation.PS b/doc/old-V4-docs/operation.PS
new file mode 100644
index 0000000..3afb8cf
--- /dev/null
+++ b/doc/old-V4-docs/operation.PS
@@ -0,0 +1,2669 @@
+%!PS-Adobe-2.0
+%%Title: operation.mss
+%%DocumentFonts: (atend)
+%%Creator: John T Kohl,,E40-351M,31510,6176432831 and Scribe 7(1700)
+%%CreationDate: 4 January 1990 11:55
+%%Pages: (atend)
+%%EndComments
+% PostScript Prelude for Scribe.
+/BS {/SV save def 0.0 792.0 translate .01 -.01 scale} bind def
+/ES {showpage SV restore} bind def
+/SC {setrgbcolor} bind def
+/FMTX matrix def
+/RDF {WFT SLT 0.0 eq
+ {SSZ 0.0 0.0 SSZ neg 0.0 0.0 FMTX astore}
+ {SSZ 0.0 SLT neg sin SLT cos div SSZ mul SSZ neg 0.0 0.0 FMTX astore}
+ ifelse makefont setfont} bind def
+/SLT 0.0 def
+/SI { /SLT exch cvr def RDF} bind def
+/WFT /Courier findfont def
+/SF { /WFT exch findfont def RDF} bind def
+/SSZ 1000.0 def
+/SS { /SSZ exch 100.0 mul def RDF} bind def
+/AF { /WFT exch findfont def /SSZ exch 100.0 mul def RDF} bind def
+/MT /moveto load def
+/XM {currentpoint exch pop moveto} bind def
+/UL {gsave newpath moveto dup 2.0 div 0.0 exch rmoveto
+ setlinewidth 0.0 rlineto stroke grestore} bind def
+/LH {gsave newpath moveto setlinewidth
+ 0.0 rlineto
+ gsave stroke grestore} bind def
+/LV {gsave newpath moveto setlinewidth
+ 0.0 exch rlineto
+ gsave stroke grestore} bind def
+/BX {gsave newpath moveto setlinewidth
+ exch
+ dup 0.0 rlineto
+ exch 0.0 exch neg rlineto
+ neg 0.0 rlineto
+ closepath
+ gsave stroke grestore} bind def
+/BX1 {grestore} bind def
+/BX2 {setlinewidth 1 setgray stroke grestore} bind def
+/PB {/PV save def newpath translate
+ 100.0 -100.0 scale pop /showpage {} def} bind def
+/PE {PV restore} bind def
+/GB {/PV save def newpath translate rotate
+ div dup scale 100.0 -100.0 scale /showpage {} def} bind def
+/GE {PV restore} bind def
+/FB {dict dup /FontMapDict exch def begin} bind def
+/FM {cvn exch cvn exch def} bind def
+/FE {end /original-findfont /findfont load def /findfont
+ {dup FontMapDict exch known{FontMapDict exch get} if
+ original-findfont} def} bind def
+/BC {gsave moveto dup 0 exch rlineto exch 0 rlineto neg 0 exch rlineto closepath clip} bind def
+/EC /grestore load def
+/SH /show load def
+/MX {exch show 0.0 rmoveto} bind def
+/W {0 32 4 -1 roll widthshow} bind def
+/WX {0 32 5 -1 roll widthshow 0.0 rmoveto} bind def
+/RC {100.0 -100.0 scale
+612.0 0.0 translate
+-90.0 rotate
+.01 -.01 scale} bind def
+/URC {100.0 -100.0 scale
+90.0 rotate
+-612.0 0.0 translate
+.01 -.01 scale} bind def
+/RCC {100.0 -100.0 scale
+0.0 -792.0 translate 90.0 rotate
+.01 -.01 scale} bind def
+/URCC {100.0 -100.0 scale
+-90.0 rotate 0.0 792.0 translate
+.01 -.01 scale} bind def
+%%EndProlog
+%%Page: 0 1
+BS
+0 SI
+20 /Times-Bold AF
+19324 13788 MT
+(Kerberos Operation Notes)SH
+27156 15798 MT
+(DRAFT)SH
+16 /Times-Roman AF
+27021 23502 MT
+(Bill Bryant)SH
+27289 25150 MT
+(John Kohl)SH
+23957 26798 MT
+(Project Athena, MIT)SH
+/Times-Bold SF
+19489 32396 MT
+(Initial Release, January 24, 1989)SH
+/Times-Italic SF
+17558 34044 MT
+(\050plus later patches through patchlevel 7\051)SH
+11 /Times-Roman AF
+7200 43798 MT
+(These notes assume that you have used the)SH
+/Times-Italic SF
+26322 XM
+(Kerberos Installation Notes)SH
+/Times-Roman SF
+38821 XM
+(to build and install your Kerberos)SH
+7200 44994 MT
+(system. As)
+275 W( in that document, we refer to the directory that contains the built Kerberos binaries as)SH
+7200 46190 MT
+([OBJ_DIR].)SH
+7200 48488 MT
+(This document assumes that you are a Unix system manager.)SH
+ES
+%%Page: 1 2
+BS
+0 SI
+16 /Times-Bold AF
+7200 8272 MT
+(1. How)
+400 W( Kerberos Works: A Schematic Description)SH
+11 /Times-Roman AF
+7200 10467 MT
+(This section provides a simplified description of a general user's interaction with the Kerberos system.)SH
+7200 11663 MT
+(This interaction happens transparently--users don't need to know and probably don't care about what's)SH
+7200 12859 MT
+(going on--but Kerberos administrators might find a schematic description of the process useful. The)SH
+7200 14055 MT
+(description glosses over a lot of details; for more information, see)SH
+/Times-Italic SF
+36404 XM
+(Kerberos: An Authentication Service)SH
+7200 15251 MT
+(for Open Network Systems)SH
+/Times-Roman SF
+(, a paper presented at Winter USENIX 1988, in Dallas, Texas.)SH
+14 /Times-Bold AF
+7200 19069 MT
+(1.1 Network)
+350 W( Services and Their Client Programs)SH
+11 /Times-Roman AF
+7200 21264 MT
+(In an environment that provides network services, you use)SH
+/Times-Italic SF
+33164 XM
+(client)SH
+/Times-Roman SF
+35883 XM
+(programs to request service from)SH
+/Times-Italic SF
+50696 XM
+(server)SH
+/Times-Roman SF
+7200 22460 MT
+(programs that are somewhere on the network. Suppose you have logged in to a workstation and you want)SH
+7200 23656 MT
+(to)SH
+/Times-Italic SF
+8331 XM
+(rlogin)SH
+/Times-Roman SF
+11296 XM
+(to another machine. You use the local)SH
+/Times-Italic SF
+28493 XM
+(rlogin)SH
+/Times-Roman SF
+31458 XM
+(client program to contact the remote machine's)SH
+/Times-Italic SF
+7200 24852 MT
+(rlogin)SH
+/Times-Roman SF
+10165 XM
+(service daemon.)SH
+14 /Times-Bold AF
+7200 28670 MT
+(1.2 Kerberos)
+350 W( Tickets)SH
+11 /Times-Roman AF
+7200 30865 MT
+(Under Kerberos, the)SH
+/Times-Italic SF
+16422 XM
+(rlogin)SH
+/Times-Roman SF
+19387 XM
+(service program allows a client to login to a remote machine if it can provide)SH
+7200 32061 MT
+(a Kerberos)SH
+/Times-Bold SF
+12268 XM
+(ticket)SH
+/Times-Roman SF
+15169 XM
+(for the request. This ticket proves the identity of the person who has used the client)SH
+7200 33257 MT
+(program to access the server program.)SH
+14 /Times-Bold AF
+7200 37075 MT
+(1.3 The)
+350 W( Kerberos Master Database)SH
+11 /Times-Roman AF
+7200 39270 MT
+(Kerberos will give you tickets only if you have an entry in the Kerberos server's)SH
+/Times-Bold SF
+42845 XM
+(master database)SH
+/Times-Roman SF
+(. Your)275 W
+7200 40466 MT
+(database entry includes your Kerberos username \050often referred to as your Kerberos)SH
+/Times-Bold SF
+44394 XM
+(principal)SH
+/Times-Roman SF
+48949 XM
+(name\051, and)SH
+7200 41662 MT
+(your Kerberos password. Every Kerberos user must have an entry in this database.)SH
+14 /Times-Bold AF
+7200 45480 MT
+(1.4 The)
+350 W( Ticket-Granting Ticket)SH
+11 /Times-Roman AF
+7200 47675 MT
+(The)SH
+/Times-Italic SF
+9185 XM
+(kinit)SH
+/Times-Roman SF
+11416 XM
+(command prompts for your Kerberos username and password, and if you enter them)SH
+7200 48871 MT
+(successfully, you will obtain a Kerberos)SH
+/Times-Italic SF
+25131 XM
+(ticket-granting ticket)SH
+/Times-Roman SF
+(. As)
+275 W( illustrated below, client programs use)SH
+7200 50067 MT
+(this ticket to get other Kerberos tickets as needed.)SH
+14 /Times-Bold AF
+7200 53885 MT
+(1.5 Network)
+350 W( Services and the Master Database)SH
+11 /Times-Roman AF
+7200 56080 MT
+(The master database also contains entries for all network services that require Kerberos authentication.)SH
+7200 57276 MT
+(Suppose for instance that your site has a machine)SH
+/Times-Italic SF
+29163 XM
+(laughter)SH
+/Times-Roman SF
+33166 XM
+(that requires Kerberos authentication from)SH
+7200 58472 MT
+(anyone who wants to)SH
+/Times-Italic SF
+16792 XM
+(rlogin)SH
+/Times-Roman SF
+19757 XM
+(to it. This service must be registered in the master database. Its entry)SH
+7200 59668 MT
+(includes the service's principal name, and its)SH
+/Times-Bold SF
+27238 XM
+(instance)SH
+/Times-Roman SF
+(.)SH
+7200 61966 MT
+(The)SH
+/Times-Italic SF
+9185 XM
+(instance)SH
+/Times-Roman SF
+13126 XM
+(is the name of the service's machine; in this case, the service's instance is the name)SH
+/Times-Italic SF
+7200 63162 MT
+(laughter)SH
+/Times-Roman SF
+(. The)
+275 W( instance provides a means for Kerberos to distinguish between machines that provide the)SH
+7200 64358 MT
+(same service. Your site is likely to have more than one machine that provides)SH
+/Times-Italic SF
+41840 XM
+(rlogin)SH
+/Times-Roman SF
+44805 XM
+(service.)SH
+10 SS
+7200 75600 MT
+(MIT Project Athena)SH
+30350 XM
+(1)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 2 3
+BS
+0 SI
+14 /Times-Bold AF
+7200 8138 MT
+(1.6 The)
+350 W( User-Kerberos Interaction)SH
+11 /Times-Roman AF
+7200 10333 MT
+(Suppose that you \050in the guise of a general user\051 walk up to a workstation intending to login to it, and)SH
+7200 11529 MT
+(then)SH
+/Times-Italic SF
+9369 XM
+(rlogin)SH
+/Times-Roman SF
+12334 XM
+(to the machine)SH
+/Times-Italic SF
+19085 XM
+(laughter)SH
+/Times-Roman SF
+(. Here's)
+275 W( what happens.)SH
+9400 13480 MT
+(1.)SH
+10500 XM
+(You login to the workstation and use the)SH
+/Times-Italic SF
+28648 XM
+(kinit)SH
+/Times-Roman SF
+30879 XM
+(command to to get a ticket-granting ticket.)SH
+10500 14676 MT
+(This command prompts you for your username \050your Kerberos Principal Name\051, and your)SH
+10500 15872 MT
+(Kerberos password [on some systems which use the new version of)SH
+/Times-Italic SF
+40465 XM
+(/bin/login)SH
+/Times-Roman SF
+(, this may be)SH
+10500 17068 MT
+(done as part of the login process, not requiring the user to run a separate program].)SH
+12762 19019 MT
+(a.)SH
+13800 XM
+(The)SH
+/Times-Italic SF
+15785 XM
+(kinit)SH
+/Times-Roman SF
+18016 XM
+(command sends your request to the Kerberos master server machine. The)SH
+13800 20215 MT
+(server software looks for your principal name's entry in the Kerberos)SH
+/Times-Bold SF
+44555 XM
+(master)SH
+13800 21411 MT
+(database)SH
+/Times-Roman SF
+(.)SH
+12700 23305 MT
+(b.)SH
+13800 XM
+(If this entry exists, the Kerberos server creates and returns a)SH
+/Times-Italic SF
+40430 XM
+(ticket-granting ticket)SH
+/Times-Roman SF
+(,)SH
+13800 24501 MT
+(encrypted in your password. If)SH
+/Times-Italic SF
+27819 XM
+(kinit)SH
+/Times-Roman SF
+30050 XM
+(can decrypt the Kerberos reply using the)SH
+13800 25697 MT
+(password you provide, it stores this ticket in a)SH
+/Times-Bold SF
+34270 XM
+(ticket file)SH
+/Times-Roman SF
+38912 XM
+(on your local machine for)SH
+13800 26893 MT
+(later use. The ticket file to be used can be specified in the)SH
+/Times-Bold SF
+39609 XM
+(KRBTKFILE)SH
+/Times-Roman SF
+13800 28089 MT
+(environment variable. If this variable is not set, the name of the file will be)SH
+/Times-Italic SF
+13800 29285 MT
+(/tmp/tkt)SH
+/Times-BoldItalic SF
+(uid)SH
+/Times-Roman SF
+(, where)SH
+/Times-BoldItalic SF
+22141 XM
+(uid)SH
+/Times-Roman SF
+23884 XM
+(is the UNIX user-id, represented in decimal.)SH
+9400 31236 MT
+(2.)SH
+10500 XM
+(Now you use the)SH
+/Times-Italic SF
+18198 XM
+(rlogin)SH
+/Times-Roman SF
+21163 XM
+(client to try to access the machine)SH
+/Times-Italic SF
+36344 XM
+(laughter)SH
+/Times-Roman SF
+(.)SH
+/Courier SF
+11820 32813 MT
+(host%)SH
+/Times-Bold SF
+15780 XM
+(rlogin laughter)275 W
+/Times-Roman SF
+12762 34764 MT
+(a.)SH
+13800 XM
+(The)SH
+/Times-Italic SF
+15785 XM
+(rlogin)SH
+/Times-Roman SF
+18750 XM
+(client checks your ticket file to see if you have a ticket for)SH
+/Times-Italic SF
+44559 XM
+(laughter)SH
+/Times-Roman SF
+('s)SH
+/Times-Italic SF
+13800 35960 MT
+(rcmd)SH
+/Times-Roman SF
+16335 XM
+(service \050the rlogin program uses the)SH
+/Times-Italic SF
+32401 XM
+(rcmd)SH
+/Times-Roman SF
+34936 XM
+(service name, mostly for historical)SH
+13800 37156 MT
+(reasons\051. You)
+275 W( don't, so)SH
+/Times-Italic SF
+24583 XM
+(rlogin)SH
+/Times-Roman SF
+27548 XM
+(uses the ticket file's)SH
+/Times-Italic SF
+36590 XM
+(ticket-granting ticket)SH
+/Times-Roman SF
+46060 XM
+(to make a)SH
+13800 38352 MT
+(request to the master server's ticket-granting service.)SH
+12700 40246 MT
+(b.)SH
+13800 XM
+(This ticket-granting service receives the)SH
+/Times-Italic SF
+31667 XM
+(rcmd-laughter)SH
+/Times-Roman SF
+38296 XM
+(request and looks in the)SH
+13800 41442 MT
+(master database for an)SH
+/Times-Italic SF
+23938 XM
+(rcmd-laughter)SH
+/Times-Roman SF
+30567 XM
+(entry. If)
+275 W( that entry exists, the ticket-granting)SH
+13800 42638 MT
+(service issues you a ticket for that service. That ticket is also cached in your ticket)SH
+13800 43834 MT
+(file.)SH
+12762 45728 MT
+(c.)SH
+13800 XM
+(The)SH
+/Times-Italic SF
+15785 XM
+(rlogin)SH
+/Times-Roman SF
+18750 XM
+(client now uses that ticket to request service from the)SH
+/Times-Italic SF
+42454 XM
+(laughter rlogin)SH
+/Times-Roman SF
+13800 46924 MT
+(service program. The service program lets you)SH
+/Times-Italic SF
+34843 XM
+(rlogin)SH
+/Times-Roman SF
+37808 XM
+(if the ticket is valid.)SH
+16 /Times-Bold AF
+7200 51596 MT
+(2. Setting)
+400 W( Up and Testing the Kerberos Server)SH
+11 /Times-Roman AF
+7200 53791 MT
+(The procedure for setting up and testing a Kerberos server is as follows:)SH
+9400 55742 MT
+(1.)SH
+10500 XM
+(Use the)SH
+/Times-Italic SF
+14104 XM
+(kdb_init)SH
+/Times-Roman SF
+17985 XM
+(command to create and initialize the master database.)SH
+9400 57636 MT
+(2.)SH
+10500 XM
+(Use the)SH
+/Times-Italic SF
+14104 XM
+(kdb_edit)SH
+/Times-Roman SF
+18167 XM
+(utility to add your username to the master database.)SH
+9400 59530 MT
+(3.)SH
+10500 XM
+(Start the Kerberos server.)SH
+9400 61424 MT
+(4.)SH
+10500 XM
+(Use the)SH
+/Times-Italic SF
+14104 XM
+(kinit)SH
+/Times-Roman SF
+16335 XM
+(command to obtain a Kerberos ticket-granting ticket.)SH
+9400 63318 MT
+(5.)SH
+10500 XM
+(Use the)SH
+/Times-Italic SF
+14104 XM
+(klist)SH
+/Times-Roman SF
+16213 XM
+(command to verify that the)SH
+/Times-Italic SF
+28402 XM
+(kinit)SH
+/Times-Roman SF
+30633 XM
+(command authenticated you successfully.)SH
+10 SS
+7200 75600 MT
+(MIT Project Athena)SH
+30350 XM
+(2)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 3 4
+BS
+0 SI
+14 /Times-Bold AF
+7200 8138 MT
+(2.1 Creating)
+350 W( and Initializing the Master Database)SH
+11 /Times-Roman AF
+7200 10333 MT
+(Login to the Kerberos master server machine, and use the)SH
+/Times-Bold SF
+32825 XM
+(su)SH
+/Times-Roman SF
+34140 XM
+(command to become root. If you installed)SH
+7200 11529 MT
+(the Kerberos administration tools with the)SH
+/Times-Italic SF
+26020 XM
+(make install)SH
+/Times-Roman SF
+31642 XM
+(command and the default pathnames, they should)SH
+7200 12725 MT
+(be in the)SH
+/Times-Italic SF
+11263 XM
+(/usr/etc)SH
+/Times-Roman SF
+14838 XM
+(directory. If)
+275 W( you installed the tools in a different directory, hopefully you know what it)SH
+7200 13921 MT
+(is. From)
+275 W( now on, we will refer to this directory as [ADMIN_DIR].)SH
+7200 16219 MT
+(The)SH
+/Times-Italic SF
+9185 XM
+(kdb_init)SH
+/Times-Roman SF
+13066 XM
+(command creates and initializes the master database. It asks you to enter the system's realm)SH
+7200 17415 MT
+(name and the database's master password. Do not forget this password. If you do, the database becomes)SH
+7200 18611 MT
+(useless. \050Your)
+275 W( realm name should be substituted for [REALMNAME] below.\051)SH
+7200 20909 MT
+(Use)SH
+/Times-Italic SF
+9185 XM
+(kdb_init)SH
+/Times-Roman SF
+13066 XM
+(as follows:)SH
+/Courier SF
+8520 22486 MT
+(host#)SH
+/Times-Bold SF
+12480 XM
+([ADMIN_DIR]/kdb_init)SH
+/Courier SF
+8520 23600 MT
+(Realm name \050default XXX\051:)SH
+/Times-Bold SF
+25680 XM
+([REALMNAME])SH
+39600 XM
+(<--)SH
+/Times-BoldItalic SF
+41619 XM
+(Enter your system's realm name.)SH
+/Courier SF
+8520 24714 MT
+(You will be prompted for the database Master Password.)SH
+8520 25828 MT
+(It is important that you NOT FORGET this password.)SH
+8520 28056 MT
+(Enter Kerberos master key:)SH
+/Times-Bold SF
+28800 XM
+(<--)SH
+/Times-BoldItalic SF
+30819 XM
+(Enter the master password.)SH
+14 /Times-Bold AF
+7200 32988 MT
+(2.2 Storing)
+350 W( the Master Password)SH
+11 /Times-Roman AF
+7200 35183 MT
+(The)SH
+/Times-Italic SF
+9185 XM
+(kstash)SH
+/Times-Roman SF
+12210 XM
+(command ``stashes'' the master password in the file)SH
+/Times-Italic SF
+35424 XM
+(/.k)SH
+/Times-Roman SF
+36768 XM
+(so that the Kerberos server can be)SH
+7200 36379 MT
+(started automatically during an unattended reboot of the master server. Other administrative programs)SH
+7200 37575 MT
+(use this hidden password so that they can access the master database without someone having to manually)SH
+7200 38771 MT
+(provide the master password. This command is an optional one; if you'd rather enter the master password)SH
+7200 39967 MT
+(each time you start the Kerberos server, don't use)SH
+/Times-Italic SF
+29312 XM
+(kstash)SH
+/Times-Roman SF
+(.)SH
+7200 42265 MT
+(One the one hand, if you use)SH
+/Times-Italic SF
+20090 XM
+(kstash)SH
+/Times-Roman SF
+(, a copy of the master key will reside on disk which may not be)SH
+7200 43461 MT
+(acceptable; on the other hand, if you don't use)SH
+/Times-Italic SF
+27848 XM
+(kstash)SH
+/Times-Roman SF
+(, the server cannot be started unless someone is)SH
+7200 44657 MT
+(around to type the password in manually.)SH
+7200 46955 MT
+(The command prompts you twice for the master password:)SH
+/Courier SF
+8520 48532 MT
+(host#)SH
+/Times-Bold SF
+12480 XM
+([ADMIN_DIR]/kstash)SH
+/Courier SF
+8520 50760 MT
+(Enter Kerberos master key:)SH
+/Times-Bold SF
+28800 XM
+(<--)SH
+/Times-BoldItalic SF
+30819 XM
+(Enter the master password.)SH
+/Courier SF
+8520 51874 MT
+(Current Kerberos master key version is 1.)SH
+8520 54102 MT
+(Master key entered)
+SH( BEWARE!)1320 W
+/Times-Roman SF
+7200 56400 MT
+(A note about the Kerberos database master key: if your master key is compromised and the database is)SH
+7200 57596 MT
+(obtained, the security of your entire authentication system is compromised. The master key must be a)SH
+7200 58792 MT
+(carefully kept secret. If you keep backups, you must guard all the master keys you use, in case someone)SH
+7200 59988 MT
+(has stolen an old backup and wants to attack users' whose passwords haven't changed since the backup)SH
+7200 61184 MT
+(was stolen. This is why we provide the option not to store it on disk.)SH
+10 SS
+7200 75600 MT
+(MIT Project Athena)SH
+30350 XM
+(3)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 4 5
+BS
+0 SI
+14 /Times-Bold AF
+7200 8167 MT
+(2.3 Using)350 W
+/Times-BoldItalic SF
+13423 XM
+(kdb_edit)SH
+/Times-Bold SF
+18673 XM
+(to Add Users to the Master Database)SH
+11 /Times-Roman AF
+7200 10362 MT
+(The)SH
+/Times-Italic SF
+9185 XM
+(kdb_edit)SH
+/Times-Roman SF
+13248 XM
+(program is used to add new users and services to the master database, and to modify)SH
+7200 11558 MT
+(existing database information. The program prompts you to enter a principal's)SH
+/Times-Bold SF
+42177 XM
+(name)SH
+/Times-Roman SF
+45018 XM
+(and)SH
+/Times-Bold SF
+46881 XM
+(instance)SH
+/Times-Roman SF
+(.)SH
+7200 13856 MT
+(A principal name is typically a username or a service program's name. An instance further qualifies the)SH
+7200 15052 MT
+(principal. If)
+275 W( the principal is a service, the instance is used to specify the name of the machine on which)SH
+7200 16248 MT
+(that service runs. If the principal is a username that has general user privileges, the instance is usually set)SH
+7200 17444 MT
+(to null.)SH
+7200 19742 MT
+(The following example shows how to use)SH
+/Times-Italic SF
+25805 XM
+(kdb_edit)SH
+/Times-Roman SF
+29868 XM
+(to add the user)SH
+/Times-Italic SF
+36588 XM
+(wave)SH
+/Times-Roman SF
+39123 XM
+(to the Kerberos database.)SH
+/Courier SF
+8520 21319 MT
+(host#)SH
+/Times-Bold SF
+12480 XM
+([ADMIN_DIR]/kdb_edit)SH
+/Courier SF
+8520 23547 MT
+(Opening database...)SH
+8520 25775 MT
+(Enter Kerberos master key:)SH
+8520 26889 MT
+(Verifying, please re-enter)SH
+8520 28003 MT
+(Enter Kerberos master key:)SH
+8520 29117 MT
+(Current Kerberos master key version is 1)SH
+8520 31345 MT
+(Master key entered. BEWARE!)SH
+8520 32459 MT
+(Previous or default values are in [brackets] ,)SH
+8520 33573 MT
+(enter return to leave the same, or new value.)SH
+8520 35801 MT
+(Principal name:)SH
+/Times-Bold SF
+19080 XM
+(wave)SH
+28800 XM
+(<--)SH
+/Times-BoldItalic SF
+30819 XM
+(Enter the username.)SH
+/Courier SF
+8520 36915 MT
+(Instance:)SH
+/Times-BoldItalic SF
+28800 XM
+(<-- Enter a null instance.)SH
+/Courier SF
+8520 39143 MT
+(<Not found>, Create [y] ?)SH
+/Times-Bold SF
+25680 XM
+(y)SH
+28800 XM
+(<--)SH
+/Times-BoldItalic SF
+30819 XM
+(The user-instance does not exist.)SH
+30450 40257 MT
+(Enter y to create the user-instance.)SH
+/Courier SF
+8520 41371 MT
+(Principal: wave Instance: m_key_v: 1)SH
+8520 42485 MT
+(New Password:)SH
+/Times-BoldItalic SF
+28800 XM
+(<-- Enter the user-instance's password.)SH
+/Courier SF
+8520 43599 MT
+(Verifying, please re-enter)SH
+8520 44713 MT
+(New Password:)SH
+8520 45827 MT
+(Principal's new key version = 1)SH
+8520 46941 MT
+(Expiration date \050enter dd-mm-yy\051 [ 12/31/99 ] ?)SH
+/Times-Bold SF
+39600 XM
+(<--)SH
+/Times-BoldItalic SF
+41619 XM
+(Enter newlines)SH
+/Courier SF
+8520 48055 MT
+(Max ticket lifetime \050*5 minutes\051 [ 255 ] ?)SH
+/Times-Bold SF
+39600 XM
+(<--)SH
+/Times-BoldItalic SF
+41619 XM
+(to get the)SH
+/Courier SF
+8520 49169 MT
+(Attributes [ 0 ] ?)SH
+/Times-Bold SF
+30120 XM
+(<--)SH
+/Times-BoldItalic SF
+32139 XM
+(default values.)SH
+/Courier SF
+8520 50283 MT
+(Edit O.K.)SH
+8520 52511 MT
+(Principal name:)SH
+/Times-BoldItalic SF
+28800 XM
+(<-- Enter a newline to exit the program.)SH
+/Times-Roman SF
+7200 54809 MT
+(Use the)SH
+/Times-Italic SF
+10804 XM
+(kdb_edit)SH
+/Times-Roman SF
+14867 XM
+(utility to add your username to the master database.)SH
+14 /Times-Bold AF
+7200 58627 MT
+(2.4 Starting)
+350 W( the Kerberos Server)SH
+11 /Times-Roman AF
+7200 60822 MT
+(Change directories to the directory in which you have installed the server program)SH
+/Times-Italic SF
+43701 XM
+(kerberos)SH
+/Times-Roman SF
+47824 XM
+(\050the default)SH
+7200 62018 MT
+(directory is)SH
+/Times-Italic SF
+12454 XM
+(/usr/etc)SH
+/Times-Roman SF
+(\051, and start the program as a background process:)SH
+/Courier SF
+8520 63595 MT
+(host#)SH
+/Times-Bold SF
+12480 XM
+(./kerberos &)SH
+/Times-Roman SF
+7200 65190 MT
+(If you have used the)SH
+/Times-Italic SF
+16393 XM
+(kstash)SH
+/Times-Roman SF
+19418 XM
+(command to store the master database password, the server will start)SH
+7200 66386 MT
+(automatically. If)
+275 W( you did not use)SH
+/Times-Italic SF
+22048 XM
+(kstash)SH
+/Times-Roman SF
+(, use the following command:)SH
+/Courier SF
+8520 67963 MT
+(host#)SH
+/Times-Bold SF
+12480 XM
+(./kerberos -m)SH
+10 /Times-Roman AF
+7200 75600 MT
+(MIT Project Athena)SH
+30350 XM
+(4)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 5 6
+BS
+0 SI
+11 /Times-Roman AF
+7200 7955 MT
+(The server will prompt you to enter the master password before actually starting itself.)SH
+14 /Times-Bold AF
+7200 11773 MT
+(2.5 Testing)
+350 W( the Kerberos Server)SH
+11 /Times-Roman AF
+7200 13968 MT
+(Exit the root account and use the)SH
+/Times-Italic SF
+21893 XM
+(kinit)SH
+/Times-Roman SF
+24124 XM
+(command obtain a Kerberos ticket-granting ticket. This command)SH
+7200 15164 MT
+(creates your ticket file and stores the ticket-granting ticket in it.)SH
+7200 17462 MT
+(If you used the default)SH
+/Times-Italic SF
+17371 XM
+(make install)SH
+/Times-Roman SF
+22993 XM
+(command and directories to install the Kerberos user utilities,)SH
+/Times-Italic SF
+50365 XM
+(kinit)SH
+/Times-Roman SF
+7200 18658 MT
+(will be in the)SH
+/Times-Italic SF
+13250 XM
+(/usr/athena)SH
+/Times-Roman SF
+18537 XM
+(directory. From now on, we'll refer to the Kerberos user commands directory as)SH
+7200 19854 MT
+([K_USER].)SH
+7200 22152 MT
+(Use)SH
+/Times-Italic SF
+9185 XM
+(kinit)SH
+/Times-Roman SF
+11416 XM
+(as follows:)SH
+/Courier SF
+8520 23729 MT
+(host%)SH
+/Times-Bold SF
+12480 XM
+([K_USER]/kinit)SH
+/Courier SF
+8520 24843 MT
+(MIT Project Athena, \050ariadne\051)SH
+8520 25957 MT
+(Kerberos Initialization)SH
+8520 27071 MT
+(Kerberos name:)SH
+/Times-BoldItalic SF
+18420 XM
+(yourusername)SH
+/Times-Bold SF
+28800 XM
+(<--)SH
+/Times-BoldItalic SF
+30819 XM
+(Enter your Kerberos username.)SH
+/Courier SF
+8520 28185 MT
+(Password:)SH
+/Times-Bold SF
+28800 XM
+(<--)SH
+/Times-BoldItalic SF
+30819 XM
+(Enter your Kerberos password.)SH
+/Times-Roman SF
+7200 30483 MT
+(Use the)SH
+/Times-Italic SF
+10804 XM
+(klist)SH
+/Times-Roman SF
+12913 XM
+(program to list the contents of your ticket file.)SH
+/Courier SF
+8520 32060 MT
+(host%)SH
+/Times-Bold SF
+12480 XM
+([K_USER]/klist)SH
+/Times-Roman SF
+7200 33655 MT
+(The command should display something like the following:)SH
+/Courier SF
+8520 35181 MT
+(Ticket file:)
+SH( /tmp/tkt5555)1980 W
+8520 36295 MT
+(Principal: yourusername@REALMNAME)3300 W
+9840 38523 MT
+(Issued Expires)
+6600 W( Principal)5940 W
+8520 39637 MT
+(May 6)
+660 W( 10:15:23 May 6 18:15:23 krbtgt.REALMNAME@REALMNAME)SH
+/Times-Roman SF
+7200 41935 MT
+(If you have any problems, you can examine the log file)SH
+/Times-Italic SF
+31758 XM
+(/kerberos/kerberos.log)SH
+/Times-Roman SF
+42022 XM
+(on the Kerberos server)SH
+7200 43131 MT
+(machine to see if there was some sort of error.)SH
+16 /Times-Bold AF
+7200 47803 MT
+(3. Setting)
+400 W( up and testing the Administration server)SH
+11 /Times-Roman AF
+7200 49998 MT
+(The procedure for setting up and testing the Kerberos administration server is as follows:)SH
+9400 51949 MT
+(1.)SH
+10500 XM
+(Use the)SH
+/Times-Italic SF
+14104 XM
+(kdb_edit)SH
+/Times-Roman SF
+18167 XM
+(utility to add your username with an administration instance to the master)SH
+10500 53145 MT
+(database.)SH
+9400 55039 MT
+(2.)SH
+10500 XM
+(Edit the access control lists for the administration server)SH
+9400 56933 MT
+(3.)SH
+10500 XM
+(Start the Kerberos administration server.)SH
+9400 58827 MT
+(4.)SH
+10500 XM
+(Use the)SH
+/Times-Italic SF
+14104 XM
+(kpasswd)SH
+/Times-Roman SF
+18107 XM
+(command to change your password.)SH
+9400 60721 MT
+(5.)SH
+10500 XM
+(Use the)SH
+/Times-Italic SF
+14104 XM
+(kadmin)SH
+/Times-Roman SF
+17617 XM
+(command to add new entries to the database.)SH
+9400 62615 MT
+(6.)SH
+10500 XM
+(Use the)SH
+/Times-Italic SF
+14104 XM
+(kinit)SH
+/Times-Roman SF
+16335 XM
+(command to verify that the)SH
+/Times-Italic SF
+28524 XM
+(kadmin)SH
+/Times-Roman SF
+32037 XM
+(command correctly added new entries to)SH
+10500 63811 MT
+(the database.)SH
+10 SS
+7200 75600 MT
+(MIT Project Athena)SH
+30350 XM
+(5)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 6 7
+BS
+0 SI
+14 /Times-Bold AF
+7200 8138 MT
+(3.1 Adding)
+350 W( an administration instance for the administrator)SH
+11 /Times-Roman AF
+7200 10333 MT
+(Login to the Kerberos master server machine, and use the)SH
+/Times-Bold SF
+32825 XM
+(su)SH
+/Times-Roman SF
+34140 XM
+(command to become root. Use the)SH
+/Times-Italic SF
+49780 XM
+(kdb_edit)SH
+/Times-Roman SF
+7200 11529 MT
+(program to create an entry for each administrator with the instance ``)SH
+/Times-BoldItalic SF
+(admin)SH
+/Times-Roman SF
+(''.)SH
+/Courier SF
+8520 13106 MT
+(host#)SH
+/Times-Bold SF
+12480 XM
+([ADMIN_DIR]/kdb_edit)SH
+/Courier SF
+8520 15334 MT
+(Opening database...)SH
+8520 17562 MT
+(Enter Kerberos master key:)SH
+8520 18676 MT
+(Verifying, please re-enter)SH
+8520 19790 MT
+(Enter Kerberos master key:)SH
+8520 20904 MT
+(Current Kerberos master key version is 1)SH
+8520 23132 MT
+(Master key entered. BEWARE!)SH
+8520 24246 MT
+(Previous or default values are in [brackets] ,)SH
+8520 25360 MT
+(enter return to leave the same, or new value.)SH
+8520 27588 MT
+(Principal name:)SH
+/Times-Bold SF
+19080 XM
+(wave)SH
+28800 XM
+(<--)SH
+/Times-BoldItalic SF
+30819 XM
+(Enter the username.)SH
+/Courier SF
+8520 28702 MT
+(Instance:)SH
+/Times-Bold SF
+(admin)SH
+28800 XM
+(<--)SH
+/Times-BoldItalic SF
+30819 XM
+(Enter ``admin''.)SH
+/Courier SF
+8520 30930 MT
+(<Not found>, Create [y] ?)SH
+/Times-Bold SF
+25680 XM
+(y)SH
+28800 XM
+(<--)SH
+/Times-BoldItalic SF
+30819 XM
+(The user-instance does not exist.)SH
+30450 32044 MT
+(Enter y to create the user-instance.)SH
+/Courier SF
+8520 33158 MT
+(Principal: wave Instance: admin m_key_v: 1)SH
+8520 34272 MT
+(New Password:)SH
+/Times-BoldItalic SF
+28800 XM
+(<-- Enter the user-instance's password.)SH
+/Courier SF
+8520 35386 MT
+(Verifying, please re-enter)SH
+8520 36500 MT
+(New Password:)SH
+8520 37614 MT
+(Principal's new key version = 1)SH
+8520 38728 MT
+(Expiration date \050enter dd-mm-yy\051 [ 12/31/99 ] ?)SH
+/Times-Bold SF
+39600 XM
+(<--)SH
+/Times-BoldItalic SF
+41619 XM
+(Enter newlines)SH
+/Courier SF
+8520 39842 MT
+(Max ticket lifetime \050*5 minutes\051 [ 255 ] ?)SH
+/Times-Bold SF
+39600 XM
+(<--)SH
+/Times-BoldItalic SF
+41619 XM
+(to get the)SH
+/Courier SF
+8520 40956 MT
+(Attributes [ 0 ] ?)SH
+/Times-Bold SF
+30120 XM
+(<--)SH
+/Times-BoldItalic SF
+32139 XM
+(default values.)SH
+/Courier SF
+8520 42070 MT
+(Edit O.K.)SH
+8520 44298 MT
+(Principal name:)SH
+/Times-BoldItalic SF
+28800 XM
+(<-- Enter a newline to exit the program.)SH
+14 /Times-Bold AF
+7200 48116 MT
+(3.2 The)
+350 W( Access Control Lists)SH
+11 /Times-Roman AF
+7200 50311 MT
+(The Kerberos administration server uses three access control lists to determine who is authorized to make)SH
+7200 51507 MT
+(certain requests. The access control lists are stored on the master Kerberos server in the same directory as)SH
+7200 52703 MT
+(the principal database,)SH
+/Times-Italic SF
+17340 XM
+(/kerberos)SH
+/Times-Roman SF
+(. The)
+275 W( access control lists are simple ASCII text files, with each line)SH
+7200 53899 MT
+(specifying the name of one principal who is allowed the particular function. To allow several people to)SH
+7200 55095 MT
+(perform the same function, put their principal names on separate lines in the same file.)SH
+7200 57393 MT
+(The first list,)SH
+/Times-Italic SF
+13128 XM
+(/kerberos/admin_acl.mod)SH
+/Times-Roman SF
+(, is a list of principals which are authorized to change entries in the)SH
+7200 58589 MT
+(database. To)
+275 W( allow the administrator `)SH
+/Times-Bold SF
+(wave)SH
+/Times-Roman SF
+(' to modify entries in the database for the realm `)SH
+/Times-Bold SF
+(TIM.EDU)SH
+/Times-Roman SF
+(',)SH
+7200 59785 MT
+(you would put the following line into the file)SH
+/Times-Italic SF
+27275 XM
+(/kerberos/admin_acl.mod)SH
+/Times-Roman SF
+(:)SH
+/Courier SF
+8520 61311 MT
+(wave.admin@TIM.EDU)SH
+/Times-Roman SF
+7200 63609 MT
+(The second list,)SH
+/Times-Italic SF
+14410 XM
+(/kerberos/admin_acl.get)SH
+/Times-Roman SF
+(, is a list of principals which are authorized to retrieve entries)SH
+7200 64805 MT
+(from the database.)SH
+7200 67103 MT
+(The third list,)SH
+/Times-Italic SF
+13434 XM
+(/kerberos/admin_acl.add)SH
+/Times-Roman SF
+(, is a list of principals which are authorized to add new entries to)SH
+7200 68299 MT
+(the database.)SH
+10 SS
+7200 75600 MT
+(MIT Project Athena)SH
+30350 XM
+(6)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 7 8
+BS
+0 SI
+14 /Times-Bold AF
+7200 8138 MT
+(3.3 Starting)
+350 W( the administration server)SH
+11 /Times-Roman AF
+7200 10333 MT
+(Change directories to the directory in which you have installed the administration server program)SH
+/Times-Italic SF
+7200 11529 MT
+(kadmind)SH
+/Times-Roman SF
+11263 XM
+(\050the default directory is)SH
+/Times-Italic SF
+21831 XM
+(/usr/etc)SH
+/Times-Roman SF
+(\051, and start the program as a background process:)SH
+/Courier SF
+8520 13106 MT
+(host#)SH
+/Times-Bold SF
+12480 XM
+(./kadmind -n&)SH
+/Times-Roman SF
+7200 14701 MT
+(If you have used the)SH
+/Times-Italic SF
+16393 XM
+(kstash)SH
+/Times-Roman SF
+19418 XM
+(command to store the master database password, the server will start)SH
+7200 15897 MT
+(automatically. If)
+275 W( you did not use)SH
+/Times-Italic SF
+22048 XM
+(kstash)SH
+/Times-Roman SF
+(, use the following command:)SH
+/Courier SF
+8520 17474 MT
+(host#)SH
+/Times-Bold SF
+12480 XM
+(./kadmind)SH
+/Times-Roman SF
+7200 19069 MT
+(The server will prompt you to enter the master password before actually starting itself; after it starts, you)SH
+7200 20265 MT
+(should suspend it and put it in the background \050usually this is done by typing control-Z and then)SH
+/Times-Bold SF
+49792 XM
+(bg)SH
+/Times-Roman SF
+(\051.)SH
+14 /Times-Bold AF
+7200 24112 MT
+(3.4 Testing)350 W
+/Times-BoldItalic SF
+14434 XM
+(kpasswd)SH
+11 /Times-Roman AF
+7200 26307 MT
+(To test the administration server, you should try changing your password with the)SH
+/Times-Italic SF
+43494 XM
+(kpasswd)SH
+/Times-Roman SF
+47497 XM
+(command, and)SH
+7200 27503 MT
+(you should try adding new users with the)SH
+/Times-Italic SF
+25592 XM
+(kadmin)SH
+/Times-Roman SF
+29105 XM
+(command \050both commands are installed into)SH
+/Times-Italic SF
+48963 XM
+(/usr/athena)SH
+/Times-Roman SF
+7200 28699 MT
+(by default\051.)SH
+7200 30997 MT
+(Before testing, you should exit the root account.)SH
+7200 33295 MT
+(To change your password, run the)SH
+/Times-Italic SF
+22441 XM
+(kpasswd)SH
+/Times-Roman SF
+26444 XM
+(command:)SH
+/Courier SF
+8520 34872 MT
+(host%)SH
+/Times-Bold SF
+12480 XM
+([K_USER]/kpasswd)SH
+/Courier SF
+8520 35986 MT
+(Old password for wave@TIM.EDU:)SH
+/Times-Bold SF
+28800 XM
+(<--)SH
+/Times-BoldItalic SF
+(Enter your password)SH
+/Courier SF
+8520 37100 MT
+(New Password for wave@TIM.EDU:)SH
+/Times-Bold SF
+28800 XM
+(<--)SH
+/Times-BoldItalic SF
+(Enter a new password)SH
+/Courier SF
+8520 38214 MT
+(Verifying, please re-enter New Password for wave@TIM.EDU:)SH
+/Times-Bold SF
+28800 39328 MT
+(<--)SH
+/Times-BoldItalic SF
+(Enter new password again)SH
+/Courier SF
+8520 40442 MT
+(Password changed.)SH
+/Times-Roman SF
+7200 42037 MT
+(Once you have changed your password, use the)SH
+/Times-Italic SF
+28365 XM
+(kinit)SH
+/Times-Roman SF
+30596 XM
+(program as shown above to verify that the password)SH
+7200 43233 MT
+(was properly changed.)SH
+14 /Times-Bold AF
+7200 47080 MT
+(3.5 Testing)350 W
+/Times-BoldItalic SF
+14434 XM
+(kadmin)SH
+11 /Times-Roman AF
+7200 49275 MT
+(You should also test the function of the)SH
+/Times-Italic SF
+24798 XM
+(kadmin)SH
+/Times-Roman SF
+28311 XM
+(program, by adding a new user \050here named)SH
+7200 50471 MT
+(``)SH
+/Courier SF
+(username)SH
+/Times-Roman SF
+(''\051:)SH
+/Courier SF
+8520 52048 MT
+(host%)SH
+/Times-Bold SF
+12480 XM
+([K_USER]/kadmin)SH
+/Courier SF
+8520 53162 MT
+(Welcome to the Kerberos Administration Program, version 2)SH
+8520 54276 MT
+(Type "help" if you need it.)SH
+8520 55390 MT
+(admin:)SH
+/Times-Bold SF
+13800 XM
+(ank username)SH
+/Times-BoldItalic SF
+28800 XM
+(`ank' stands for Add New Key)SH
+/Courier SF
+8520 56504 MT
+(Admin password:)SH
+/Times-Bold SF
+28800 XM
+(<--)SH
+/Times-BoldItalic SF
+(enter the password)SH
+28800 57618 MT
+(you chose above for wave.admin)SH
+/Courier SF
+8520 58732 MT
+(Password for username:)SH
+/Times-Bold SF
+28800 XM
+(<--)SH
+/Times-BoldItalic SF
+(Enter the user's initial password)SH
+/Courier SF
+8520 59846 MT
+(Verifying, please re-enter Password for username:)SH
+/Times-Bold SF
+40920 XM
+(<--)SH
+/Times-BoldItalic SF
+(enter it again)SH
+/Courier SF
+8520 60960 MT
+(username added to database.)SH
+8520 63188 MT
+(admin: quit)660 W
+8520 64302 MT
+(Cleaning up and exiting.)SH
+10 /Times-Roman AF
+7200 75600 MT
+(MIT Project Athena)SH
+30350 XM
+(7)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 8 9
+BS
+0 SI
+14 /Times-Bold AF
+7200 8167 MT
+(3.6 Verifying)
+350 W( with)SH
+/Times-BoldItalic SF
+18671 XM
+(kinit)SH
+11 /Times-Roman AF
+7200 10362 MT
+(Once you've added a new user, you should test to make sure it was added properly by using)SH
+/Times-Italic SF
+47917 XM
+(kinit)SH
+/Times-Roman SF
+(, and)SH
+7200 11558 MT
+(trying to get tickets for that user:)SH
+/Courier SF
+8520 13135 MT
+(host%)SH
+/Times-Bold SF
+12480 XM
+([K_USER]/kinit username)SH
+/Courier SF
+8520 14249 MT
+(MIT Project Athena \050ariadne\051)SH
+8520 15363 MT
+(Kerberos Initialization for "username@TIM.EDU")SH
+8520 16477 MT
+(Password:)SH
+/Times-Bold SF
+15120 XM
+(<--)SH
+/Times-BoldItalic SF
+(Enter the user's password you used above)SH
+/Courier SF
+8520 17591 MT
+(host%)SH
+/Times-Bold SF
+12480 XM
+([K_USER]/klist)SH
+/Courier SF
+8520 18705 MT
+(Ticket file:)
+SH( /tmp/tkt_5509_spare1)1980 W
+8520 19819 MT
+(Principal: username@TIM.MIT.EDU)3300 W
+9840 22047 MT
+(Issued Expires)
+6600 W( Principal)5940 W
+8520 23161 MT
+(Nov 20 15:58:52 Nov 20 23:58:52 krbtgt.TIM.EDU@TIM.EDU)SH
+/Times-Roman SF
+7200 25459 MT
+(If you have any problems, you can examine the log files)SH
+/Times-Italic SF
+32186 XM
+(/kerberos/kerberos.log)SH
+/Times-Roman SF
+42450 XM
+(and)SH
+/Times-Italic SF
+7200 26655 MT
+(/kerberos/admin_server.syslog)SH
+/Times-Roman SF
+21008 XM
+(on the Kerberos server machine to see if there was some sort of error.)SH
+16 /Times-Bold AF
+7200 31327 MT
+(4. Setting)
+400 W( up and testing slave server\050s\051)SH
+11 /Times-Roman AF
+7200 33522 MT
+([Unfortunately, this chapter is not yet ready. Sorry. -ed])SH
+16 /Times-Bold AF
+7200 38194 MT
+(5. A)
+400 W( Sample Application)SH
+11 /Times-Roman AF
+7200 40389 MT
+(This release of Kerberos comes with a sample application server and a corresponding client program.)SH
+7200 41585 MT
+(You will find this software in the [OBJ_DIR])SH
+/Times-Italic SF
+(/appl/sample)SH
+/Times-Roman SF
+33170 XM
+(directory. The)
+275 W( file)SH
+/Times-Italic SF
+41691 XM
+(sample_client)SH
+/Times-Roman SF
+48076 XM
+(contains the)SH
+7200 42781 MT
+(client program's executable code, the file)SH
+/Times-Italic SF
+25677 XM
+(sample_server)SH
+/Times-Roman SF
+32366 XM
+(contains the server's executable.)SH
+7200 45079 MT
+(The programs are rudimentary. When they have been installed \050the installation procedure is described in)SH
+7200 46275 MT
+(detail later\051, they work as follows:)SH
+/Symbol SF
+9169 48351 MT
+(\267)SH
+/Times-Roman SF
+9950 XM
+(The user starts)SH
+/Times-Italic SF
+16639 XM
+(sample_client)SH
+/Times-Roman SF
+23024 XM
+(and provides as arguments to the command the name of the)SH
+9950 49547 MT
+(server machine and a checksum. For instance:)SH
+/Courier SF
+11270 51147 MT
+(host%)SH
+/Times-Bold SF
+15230 XM
+(sample_client)SH
+/Times-BoldItalic SF
+22966 XM
+(servername 43)385 W
+/Symbol SF
+9169 53041 MT
+(\267)SH
+/Times-Italic SF
+9950 XM
+(Sample_client)SH
+/Times-Roman SF
+16457 XM
+(contacts the server machine and authenticates the user to)SH
+/Times-Italic SF
+41654 XM
+(sample_server)SH
+/Times-Roman SF
+(.)SH
+/Symbol SF
+9169 54935 MT
+(\267)SH
+/Times-Italic SF
+9950 XM
+(Sample_server)SH
+/Times-Roman SF
+16761 XM
+(authenticates itself to)SH
+/Times-Italic SF
+26384 XM
+(sample_client)SH
+/Times-Roman SF
+(, then returns a message to the client)SH
+9950 56131 MT
+(program. This)
+275 W( message contains diagnostic information that includes the user's username,)SH
+9950 57327 MT
+(the Kerberos realm, and the user's workstation address.)SH
+/Symbol SF
+9169 59221 MT
+(\267)SH
+/Times-Italic SF
+9950 XM
+(Sample_client)SH
+/Times-Roman SF
+16457 XM
+(displays the server's message on the user's terminal screen.)SH
+14 /Times-Bold AF
+7200 63039 MT
+(5.1 The)
+350 W( Installation Process)SH
+11 /Times-Roman AF
+7200 65234 MT
+(In general, you use the following procedure to install a Kerberos-authenticated server-client system.)SH
+9400 67185 MT
+(1.)SH
+10500 XM
+(Add the appropriate entry to the Kerberos database using)SH
+/Times-Italic SF
+35881 XM
+(kdb_edit)SH
+/Times-Roman SF
+39944 XM
+(or)SH
+/Times-Italic SF
+41135 XM
+(kadmin)SH
+/Times-Roman SF
+44648 XM
+(\050described)SH
+10500 68381 MT
+(below\051.)SH
+10 SS
+7200 75600 MT
+(MIT Project Athena)SH
+30350 XM
+(8)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 9 10
+BS
+0 SI
+11 /Times-Roman AF
+9400 7955 MT
+(2.)SH
+10500 XM
+(Create a)SH
+/Times-Italic SF
+14408 XM
+(/etc/srvtab)SH
+/Times-Roman SF
+19327 XM
+(file for the server machine.)SH
+9400 9849 MT
+(3.)SH
+10500 XM
+(Install the service program and the)SH
+/Times-Italic SF
+26016 XM
+(/etc/srvtab)SH
+/Times-Roman SF
+30935 XM
+(file on the server machine.)SH
+9400 11743 MT
+(4.)SH
+10500 XM
+(Install the client program on the client machine.)SH
+9400 13637 MT
+(5.)SH
+10500 XM
+(Update the)SH
+/Times-Italic SF
+15570 XM
+(/etc/services)SH
+/Times-Roman SF
+21281 XM
+(file on the client and server machines.)SH
+7200 15935 MT
+(We will use the sample application as an example, although the procedure used to install)SH
+/Times-Italic SF
+46484 XM
+(sample_server)SH
+/Times-Roman SF
+7200 17131 MT
+(differs slightly from the general case because the)SH
+/Times-Italic SF
+29006 XM
+(sample_server)SH
+/Times-Roman SF
+35695 XM
+(takes requests via the)SH
+/Times-Italic SF
+45347 XM
+(inetd)SH
+/Times-Roman SF
+47822 XM
+(program.)SH
+/Times-Italic SF
+7200 18327 MT
+(Inetd)SH
+/Times-Roman SF
+9735 XM
+(starts)SH
+/Times-Italic SF
+12332 XM
+(sample_server)SH
+/Times-Roman SF
+19021 XM
+(each time a client process contacts the server machine.)SH
+/Times-Italic SF
+43606 XM
+(Sample_server)SH
+/Times-Roman SF
+7200 19523 MT
+(processes the request, terminiates, then is restarted when)SH
+/Times-Italic SF
+32368 XM
+(inetd)SH
+/Times-Roman SF
+34843 XM
+(receives another)SH
+/Times-Italic SF
+42293 XM
+(sample_client)SH
+/Times-Roman SF
+48678 XM
+(request.)SH
+7200 20719 MT
+(When you install the program on the server, you must add a)SH
+/Times-Italic SF
+33807 XM
+(sample)SH
+/Times-Roman SF
+37198 XM
+(entry to the server machine's)SH
+/Times-Italic SF
+7200 21915 MT
+(/etc/inetd.conf)SH
+/Times-Roman SF
+13738 XM
+(file.)SH
+7200 24213 MT
+(The following description assumes that you are installing)SH
+/Times-Italic SF
+32680 XM
+(sample_server)SH
+/Times-Roman SF
+39369 XM
+(on the machine)SH
+/Times-Italic SF
+46364 XM
+(ariadne.tim.edu)SH
+/Times-Roman SF
+(.)SH
+7200 25409 MT
+(Here's the process, step by step:)SH
+9400 27360 MT
+(1.)SH
+10500 XM
+(Login as or)SH
+/Times-Italic SF
+15785 XM
+(su)SH
+/Times-Roman SF
+17038 XM
+(to root on the Kerberos server machine. Use the)SH
+/Times-Italic SF
+38631 XM
+(kdb_edit)SH
+/Times-Roman SF
+42694 XM
+(or)SH
+/Times-Italic SF
+43885 XM
+(kadmin)SH
+/Times-Roman SF
+47398 XM
+(program)SH
+10500 28556 MT
+(to create an entry for)SH
+/Times-Italic SF
+19935 XM
+(sample)SH
+/Times-Roman SF
+23326 XM
+(in the Kerberos database:)SH
+/Courier SF
+11820 30133 MT
+(host#)SH
+/Times-Bold SF
+15780 XM
+([ADMIN_DIR]/kdb_edit)SH
+/Courier SF
+11820 32361 MT
+(Opening database...)SH
+11820 34589 MT
+(Enter Kerberos master key:)SH
+11820 35703 MT
+(Verifying, please re-enter)SH
+11820 36817 MT
+(master key entered. BEWARE!)SH
+11820 37931 MT
+(Previous or default values are in [brackets] ,)SH
+11820 39045 MT
+(enter return to leave the same, or new value.)SH
+11820 41273 MT
+(Principal name:)SH
+/Times-Bold SF
+22380 XM
+(sample)SH
+26220 XM
+(<--)SH
+/Times-BoldItalic SF
+28239 XM
+(Enter the principal name.)SH
+/Courier SF
+11820 42387 MT
+(Instance:)SH
+/Times-Bold SF
+18420 XM
+(ariadne)SH
+26220 XM
+(<--)SH
+/Times-BoldItalic SF
+28239 XM
+(Instances cannot have periods in them.)SH
+/Courier SF
+11820 44615 MT
+(<Not found>, Create [y] ?)SH
+/Times-Bold SF
+28980 XM
+(y)SH
+/Courier SF
+11820 46843 MT
+(Principal: sample_server Instance: ariadne m_key_v: 1)SH
+11820 47957 MT
+(New Password:)SH
+/Times-Bold SF
+26220 XM
+(<--)SH
+/Times-BoldItalic SF
+28239 XM
+(Enter ``RANDOM'' to get random password.)SH
+/Courier SF
+11820 49071 MT
+(Verifying, please re-enter)SH
+11820 50185 MT
+(New Password:)SH
+/Times-Bold SF
+26220 XM
+(<--)SH
+/Times-BoldItalic SF
+28239 XM
+(Enter ``RANDOM'' again.)SH
+/Courier SF
+11820 51299 MT
+(Random password [y] ?)SH
+/Times-Bold SF
+26340 XM
+(y)SH
+/Courier SF
+11820 53527 MT
+(Principal's new key version = 1)SH
+11820 54641 MT
+(Expiration date \050enter dd-mm-yy\051 [ 12/31/99 ] ?)SH
+11820 55755 MT
+(Max ticket lifetime \050*5 minutes\051 [ 255 ] ?)SH
+11820 56869 MT
+(Attributes [ 0 ] ?)SH
+11820 57983 MT
+(Edit O.K.)SH
+11820 60211 MT
+(Principal name:)SH
+/Times-Bold SF
+26220 XM
+(<--)SH
+/Times-BoldItalic SF
+28239 XM
+(Enter newline to exit kdb_edit.)SH
+/Times-Roman SF
+9400 62105 MT
+(2.)SH
+10500 XM
+(Use the)SH
+/Times-Italic SF
+14104 XM
+(ext_srvtab)SH
+/Times-Roman SF
+18961 XM
+(program to create a)SH
+/Times-Italic SF
+27755 XM
+(srvtab)SH
+/Times-Roman SF
+30780 XM
+(file for)SH
+/Times-Italic SF
+34078 XM
+(sample_server)SH
+/Times-Roman SF
+('s host machine:)SH
+10 SS
+7200 75600 MT
+(MIT Project Athena)SH
+30350 XM
+(9)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 10 11
+BS
+0 SI
+11 /Courier AF
+11820 7937 MT
+(host#)SH
+/Times-Bold SF
+15780 XM
+([ADMIN_DIR]/ext_srvtab ariadne)275 W
+/Courier SF
+11820 10165 MT
+(Enter Kerberos master key:)SH
+11820 11279 MT
+(Current Kerberos master key version is 1.)SH
+11820 13507 MT
+(Generating 'ariadne-new-srvtab'....)SH
+/Times-Roman SF
+10500 15102 MT
+(Transfer the)SH
+/Times-Italic SF
+16118 XM
+(ariadne-new-srvtab)SH
+/Times-Roman SF
+25069 XM
+(file to)SH
+/Times-Italic SF
+27941 XM
+(ariadne)SH
+/Times-Roman SF
+31638 XM
+(and install it as)SH
+/Times-Italic SF
+38544 XM
+(/etc/srvtab)SH
+/Times-Roman SF
+(. Note)
+275 W( that this)SH
+10500 16298 MT
+(file is equivalent to the service's password and should be treated with care. For example, it)SH
+10500 17494 MT
+(could be transferred by removable media, but should not be sent over an open network in)SH
+10500 18690 MT
+(the clear. Once installed, this file should be readable only by root.)SH
+9400 20584 MT
+(3.)SH
+10500 XM
+(Add the following line to the)SH
+/Times-Italic SF
+23516 XM
+(/etc/services)SH
+/Times-Roman SF
+29227 XM
+(file on)SH
+/Times-Italic SF
+32343 XM
+(ariadne)SH
+/Times-Roman SF
+(, and on all machines that will run)SH
+10500 21780 MT
+(the)SH
+/Times-Italic SF
+12119 XM
+(sample_client)SH
+/Times-Roman SF
+18504 XM
+(program:)SH
+/Courier SF
+11820 23306 MT
+(sample 906/tcp)
+2640 W( #)
+3960 W( Kerberos sample app server)SH
+/Times-Roman SF
+9400 25200 MT
+(4.)SH
+10500 XM
+(Add a line similar to the following line to the)SH
+/Times-Italic SF
+30666 XM
+(/etc/inetd.conf)SH
+/Times-Roman SF
+37204 XM
+(file on)SH
+/Times-Italic SF
+40320 XM
+(sample_server)SH
+/Times-Roman SF
+('s)SH
+10500 26396 MT
+(machine:)SH
+/Courier SF
+11820 27922 MT
+(sample stream tcp nowait switched root)1320 W
+14460 29036 MT
+([PATH]/sample_server sample_server)SH
+/Times-Roman SF
+10500 30631 MT
+(where [PATH] should be substituted with the path to the)SH
+/Times-Italic SF
+35674 XM
+(sample_server)SH
+/Times-Roman SF
+42363 XM
+(program. \050This)275 W
+/Times-Italic SF
+10500 31827 MT
+(inetd.conf)SH
+/Times-Roman SF
+15144 XM
+(information should be placed on one line.\051 You should examine existing lines in)SH
+/Times-Italic SF
+10500 33023 MT
+(/etc/inetd.conf)SH
+/Times-Roman SF
+17038 XM
+(and use the same format used by other entries \050e.g. for telnet\051. Most systems)SH
+10500 34219 MT
+(do not have a column for the `switched' keyword, and some do not have a column for the)SH
+10500 35415 MT
+(username \050usually `root', as above\051.)SH
+9400 37309 MT
+(5.)SH
+10500 XM
+(Restart)SH
+/Times-Italic SF
+13891 XM
+(inetd)SH
+/Times-Roman SF
+16366 XM
+(by sending the current)SH
+/Times-Italic SF
+26446 XM
+(inetd)SH
+/Times-Roman SF
+28921 XM
+(process a hangup signal:)SH
+/Courier SF
+11820 38909 MT
+(host#)SH
+/Times-Bold SF
+15780 XM
+(kill -HUP)275 W
+/Times-BoldItalic SF
+21373 XM
+(process_id_number)SH
+/Times-Roman SF
+9400 40803 MT
+(6.)SH
+10500 XM
+(The)SH
+/Times-Italic SF
+12485 XM
+(sample_server)SH
+/Times-Roman SF
+19174 XM
+(is now ready to take)SH
+/Times-Italic SF
+28307 XM
+(sample_client)SH
+/Times-Roman SF
+34692 XM
+(requests.)SH
+14 /Times-Bold AF
+7200 44621 MT
+(5.2 Testing)
+350 W( the Sample Server)SH
+11 /Times-Roman AF
+7200 46816 MT
+(Assume that you have installed)SH
+/Times-Italic SF
+21223 XM
+(sample_server)SH
+/Times-Roman SF
+27912 XM
+(on)SH
+/Times-Italic SF
+29287 XM
+(ariadne)SH
+/Times-Roman SF
+(.)SH
+7200 49114 MT
+(Login to your workstation and use the)SH
+/Times-Italic SF
+24217 XM
+(kinit)SH
+/Times-Roman SF
+26448 XM
+(command to obtain a Kerberos ticket-granting ticket:)SH
+/Courier SF
+8520 50691 MT
+(host%)SH
+/Times-Bold SF
+12480 XM
+([K_USER]/kinit)SH
+/Courier SF
+8520 51805 MT
+(MIT Project Athena, \050your_workstation\051)SH
+8520 52919 MT
+(Kerberos Initialization)SH
+8520 54033 MT
+(Kerberos name:)SH
+/Times-BoldItalic SF
+18420 XM
+(yourusername)SH
+/Times-Bold SF
+28800 XM
+(<--)SH
+/Times-BoldItalic SF
+30819 XM
+(Enter your Kerberos username.)SH
+/Courier SF
+8520 55147 MT
+(Password:)SH
+/Times-Bold SF
+28800 XM
+(<--)SH
+/Times-BoldItalic SF
+30819 XM
+(Enter your Kerberos password.)SH
+/Times-Roman SF
+7200 57445 MT
+(Now use the)SH
+/Times-Italic SF
+12973 XM
+(sample_client)SH
+/Times-Roman SF
+19358 XM
+(program as follows:)SH
+/Courier SF
+8520 59022 MT
+(host%)SH
+/Times-Bold SF
+12480 XM
+([PATH]/sample_client ariadne)275 W
+/Times-Roman SF
+7200 60617 MT
+(The command should display something like the following:)SH
+/Courier SF
+8520 62143 MT
+(The server says:)SH
+8520 63257 MT
+(You are)SH
+/Times-BoldItalic SF
+13800 XM
+(yourusername)SH
+/Courier SF
+(.@REALMNAME \050local name)SH
+/Times-BoldItalic SF
+36180 XM
+(yourusername)SH
+/Courier SF
+(\051,)SH
+9180 64371 MT
+(at address)SH
+/Times-BoldItalic SF
+16440 XM
+(yournetaddress)SH
+/Courier SF
+(, version VERSION9, cksum 997)SH
+10 /Times-Roman AF
+7200 75600 MT
+(MIT Project Athena)SH
+30100 XM
+(10)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: 11 12
+BS
+0 SI
+16 /Times-Bold AF
+7200 8272 MT
+(6. Service)
+400 W( names and other services)SH
+14 SS
+7200 12090 MT
+(6.1 rlogin,)
+350 W( rsh, rcp, tftp, and others)SH
+11 /Times-Roman AF
+7200 14285 MT
+(Many services use a common principal name for authentication purposes.)SH
+/Times-Italic SF
+40128 XM
+(rlogin)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+43368 XM
+(rsh)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+45324 XM
+(rcp)SH
+/Times-Roman SF
+(,)SH
+/Times-Italic SF
+47340 XM
+(tftp)SH
+/Times-Roman SF
+49083 XM
+(and others)SH
+7200 15481 MT
+(use the principal name ``)SH
+/Courier SF
+(rcmd)SH
+/Times-Roman SF
+(''. For)
+275 W( example, to set up the machine)SH
+/Times-Italic SF
+38033 XM
+(ariadne)SH
+/Times-Roman SF
+41730 XM
+(to support Kerberos rlogin,)SH
+7200 16677 MT
+(it needs to have a service key for principal ``)SH
+/Courier SF
+(rcmd)SH
+/Times-Roman SF
+('', instance ``)SH
+/Courier SF
+(ariadne)SH
+/Times-Roman SF
+(''. You)
+275 W( create this key in the)SH
+7200 17873 MT
+(same way as shown above for the sample service.)SH
+7200 20171 MT
+(After creating this key, you need to run the)SH
+/Times-Italic SF
+26382 XM
+(ext_srvtab)SH
+/Times-Roman SF
+31239 XM
+(program again to generate a new srvtab file for)SH
+7200 21367 MT
+(ariadne.)SH
+14 /Times-Bold AF
+7200 25185 MT
+(6.2 NFS)
+350 W( modifications)SH
+11 /Times-Roman AF
+7200 27380 MT
+(The NFS modifications distributed separately use the service name ``)SH
+/Courier SF
+(rvdsrv)SH
+/Times-Roman SF
+('' with the instance set to)SH
+7200 28576 MT
+(the machine name \050as for the sample server and the rlogin, rsh, rcp and tftp services\051.)SH
+14 /Times-Bold AF
+7200 32394 MT
+(6.3 inetd.conf)
+350 W( entries)SH
+11 /Times-Roman AF
+7200 34589 MT
+(The following are the)SH
+/Times-Italic SF
+16974 XM
+(/etc/inetd.conf)SH
+/Times-Roman SF
+23512 XM
+(entries necessary to support rlogin, encrypted rlogin, rsh, and rcp)SH
+7200 35785 MT
+(services on a server machine. As above, your)SH
+/Times-Italic SF
+27631 XM
+(inetd.conf)SH
+/Times-Roman SF
+32275 XM
+(may not support all the fields shown here.)SH
+/Courier SF
+8520 37311 MT
+(eklogin stream)
+660 W( tcp nowait unswitched root)1320 W
+11160 38425 MT
+([PATH]/klogind eklogind)1320 W
+8520 39539 MT
+(kshell stream tcp nowait unswitched root)1320 W
+11160 40653 MT
+([PATH]/kshd kshd)1320 W
+8520 41767 MT
+(klogin stream tcp nowait unswitched root)1320 W
+11160 42881 MT
+([PATH]/klogind klogind)1320 W
+10 /Times-Roman AF
+7200 75600 MT
+(MIT Project Athena)SH
+30100 XM
+(11)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Page: i 13
+BS
+0 SI
+14 /Times-Bold AF
+25272 8138 MT
+(Table of Contents)SH
+13 SS
+7200 9781 MT
+(1. How)
+325 W( Kerberos Works: A Schematic Description)SH
+53350 XM
+(1)SH
+12 /Times-Roman AF
+9000 11130 MT
+(1.1 Network)
+300 W( Services and Their Client Programs)SH
+53400 XM
+(1)SH
+9000 12479 MT
+(1.2 Kerberos)
+300 W( Tickets)SH
+53400 XM
+(1)SH
+9000 13828 MT
+(1.3 The)
+300 W( Kerberos Master Database)SH
+53400 XM
+(1)SH
+9000 15177 MT
+(1.4 The)
+300 W( Ticket-Granting Ticket)SH
+53400 XM
+(1)SH
+9000 16526 MT
+(1.5 Network)
+300 W( Services and the Master Database)SH
+53400 XM
+(1)SH
+9000 17875 MT
+(1.6 The)
+300 W( User-Kerberos Interaction)SH
+53400 XM
+(2)SH
+13 /Times-Bold AF
+7200 19518 MT
+(2. Setting)
+325 W( Up and Testing the Kerberos Server)SH
+53350 XM
+(2)SH
+12 /Times-Roman AF
+9000 20867 MT
+(2.1 Creating)
+300 W( and Initializing the Master Database)SH
+53400 XM
+(3)SH
+9000 22216 MT
+(2.2 Storing)
+300 W( the Master Password)SH
+53400 XM
+(3)SH
+9000 23571 MT
+(2.3 Using)300 W
+/Times-BoldItalic SF
+14267 XM
+(kdb_edit)SH
+/Times-Roman SF
+18768 XM
+(to Add Users to the Master Database)SH
+53400 XM
+(4)SH
+9000 24920 MT
+(2.4 Starting)
+300 W( the Kerberos Server)SH
+53400 XM
+(4)SH
+9000 26269 MT
+(2.5 Testing)
+300 W( the Kerberos Server)SH
+53400 XM
+(5)SH
+13 /Times-Bold AF
+7200 27912 MT
+(3. Setting)
+325 W( up and testing the Administration server)SH
+53350 XM
+(5)SH
+12 /Times-Roman AF
+9000 29261 MT
+(3.1 Adding)
+300 W( an administration instance for the administrator)SH
+53400 XM
+(6)SH
+9000 30610 MT
+(3.2 The)
+300 W( Access Control Lists)SH
+53400 XM
+(6)SH
+9000 31959 MT
+(3.3 Starting)
+300 W( the administration server)SH
+53400 XM
+(7)SH
+9000 33314 MT
+(3.4 Testing)300 W
+/Times-BoldItalic SF
+15001 XM
+(kpasswd)SH
+/Times-Roman SF
+53400 XM
+(7)SH
+9000 34669 MT
+(3.5 Testing)300 W
+/Times-BoldItalic SF
+15001 XM
+(kadmin)SH
+/Times-Roman SF
+53400 XM
+(7)SH
+9000 36024 MT
+(3.6 Verifying)
+300 W( with)SH
+/Times-BoldItalic SF
+18501 XM
+(kinit)SH
+/Times-Roman SF
+53400 XM
+(8)SH
+13 /Times-Bold AF
+7200 37667 MT
+(4. Setting)
+325 W( up and testing slave server\050s\051)SH
+53350 XM
+(8)SH
+7200 39310 MT
+(5. A)
+325 W( Sample Application)SH
+53350 XM
+(8)SH
+12 /Times-Roman AF
+9000 40659 MT
+(5.1 The)
+300 W( Installation Process)SH
+53400 XM
+(8)SH
+9000 42008 MT
+(5.2 Testing)
+300 W( the Sample Server)SH
+52800 XM
+(10)SH
+13 /Times-Bold AF
+7200 43651 MT
+(6. Service)
+325 W( names and other services)SH
+52700 XM
+(11)SH
+12 /Times-Roman AF
+9000 45000 MT
+(6.1 rlogin,)
+300 W( rsh, rcp, tftp, and others)SH
+52800 XM
+(11)SH
+9000 46349 MT
+(6.2 NFS)
+300 W( modifications)SH
+52800 XM
+(11)SH
+9000 47698 MT
+(6.3 inetd.conf)
+300 W( entries)SH
+52800 XM
+(11)SH
+10 SS
+7200 75600 MT
+(MIT Project Athena)SH
+30461 XM
+(i)SH
+47890 XM
+(4 January 1990)SH
+ES
+%%Trailer
+%%Pages: 13
+%%DocumentFonts: Times-Roman Times-Bold Times-Italic Times-BoldItalic Courier Symbol
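Review bot: The contents page that closes installation.PS (the entries from "1.1 Network Services and Their Client Programs" through "6.3 inetd.conf entries", ahead of `%%Pages: 13`) carries the same chapter and section titles as operation.mss, which is added later in this patch, including "2.3 Using kdb_edit to Add Users to the Master Database", "3.4 Testing kpasswd" and "5.2 Testing the Sample Server". Please confirm that this PostScript was rendered from the installation source and not from the operation notes before it lands under this name. Since the .PS files are generated output, a short note beside them recording which .mss each one was built from, and on what date (the footer here reads "4 January 1990"), would let a reader tell whether the rendered copy and its source have drifted apart.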
diff --git a/doc/old-V4-docs/operation.mss b/doc/old-V4-docs/operation.mss
new file mode 100644
index 0000000..a35bb9f
--- /dev/null
+++ b/doc/old-V4-docs/operation.mss
@@ -0,0 +1,799 @@
+@Comment[ $Source$]
+@Comment[ $Author$]
+@Comment[ $Id$]
+@Comment[]
+@device[postscript]
+@make[report]
+@comment[
+@DefineFont(HeadingFont,
+ P=<RawFont "NewCenturySchlbkBoldItalic">,
+ B=<RawFont "NewCenturySchlbkBold">,
+ I=<RawFont "NewCenturySchlbkBoldItalic">,
+ R=<RawFont "NewCenturySchlbkRoman">)
+]
+@DefineFont(HeadingFont,
+ P=<RawFont "TimesBoldItalic">,
+ B=<RawFont "TimesBold">,
+ I=<RawFont "TimesItalic">,
+ R=<RawFont "TimesRoman">)
+@Counter(MajorPart,TitleEnv HD0,ContentsEnv tc0,Numbered [@I],
+ IncrementedBy Use,Announced)
+@Counter(Chapter,TitleEnv HD1,ContentsEnv tc1,Numbered [@1. ],
+ IncrementedBy Use,Referenced [@1],Announced)
+@Counter(Appendix,TitleEnv HD1,ContentsEnv tc1,Numbered [@A. ],
+ IncrementedBy,Referenced [@A],Announced,Alias Chapter)
+@Counter(UnNumbered,TitleEnv HD1,ContentsEnv tc1,Announced,Alias
+ Chapter)
+@Counter(Section,Within Chapter,TitleEnv HD2,ContentsEnv tc2,
+ Numbered [@#@:.@1 ],Referenced [@#@:.@1],IncrementedBy
+ Use,Announced)
+@Counter(AppendixSection,Within Appendix,TitleEnv HD2,
+ ContentsEnv tc2,
+ Numbered [@#@:.@1 ],Referenced [@#@:.@1],IncrementedBy
+ Use,Announced)
+@Counter(SubSection,Within Section,TitleEnv HD3,ContentsEnv tc3,
+ Numbered [@#@:.@1 ],IncrementedBy Use,
+ Referenced [@#@:.@1 ])
+@Counter(AppendixSubSection,Within AppendixSection,TitleEnv HD3,
+ ContentsEnv tc3,
+ Numbered [@#@:.@1 ],IncrementedBy Use,
+ Referenced [@#@:.@1 ])
+@Counter(Paragraph,Within SubSection,TitleEnv HD4,ContentsEnv tc4,
+ Numbered [@#@:.@1 ],Referenced [@#@:.@1],
+ IncrementedBy Use)
+@modify(CopyrightNotice, Fixed -1 inch, Flushright)
+@Modify(Titlebox, Fixed 3.0 inches)
+@Modify(hd1, below .2 inch, facecode B, size 16, spaces kept, pagebreak off)
+@Modify(hd2, below .2 inch, facecode B, size 14, spaces kept)
+@Modify(hd3, below .2 inch, facecode B, size 12, spaces kept)
+@Modify(Description, Leftmargin +20, Indent -20,below 1 line, above 1 line)
+@Modify(Tc1, Above .5, Facecode B)
+@Modify(Tc2, Above .25, Below .25, Facecode R)
+@Modify(Tc3,Facecode R)
+@Modify(Tc4,Facecode R)
+@Modify(Itemize,Above 1line,Below 1line)
+@Modify(Insert,LeftMargin +2, RightMargin +2)
+@libraryfile[stable]
+@comment[@Style(Font NewCenturySchoolBook, size 11)]
+@Style(Font TimesRoman, size 11)
+@Style(Spacing 1.1, indent 0)
+@Style(leftmargin 1.0inch)
+@Style(justification no)
+@Style(BottomMargin 1.5inch)
+@Style(ChangeBarLocation Right)
+@Style(ChangeBars=off)
+@pageheading[immediate]
+@pagefooting[immediate, left = "MIT Project Athena", center = "@value(page)",
+right = "@value(date)"]
+@set[page = 0]
+@blankspace[.5 inches]
+@begin[group, size 20]
+@begin(center)
+@b[Kerberos Operation Notes]
+@b[DRAFT]
+@end[center]
+@blankspace[.5 inches]
+@end(group)
+@begin[group, size 16]
+@begin(center)
+Bill Bryant
+John Kohl
+Project Athena, MIT
+@blankspace[.5 inches]
+@b[Initial Release, January 24, 1989]
+@i[(plus later patches through patchlevel 7)]
+@end[center]
+@end(group)
+@begin[group, size 10]
+@end[group]
+@blankspace[1inches]
+
+These notes assume that you have used the
+@i[Kerberos Installation Notes] to build and install your
+Kerberos system.
+As in that document, we refer to the directory that contains
+the built Kerberos binaries as [OBJ_DIR].
+
+This document assumes that you are a Unix system manager.
+
+@newpage()
+@chapter[How Kerberos Works: A Schematic Description]
+
+This section provides a simplified description of
+a general user's interaction with the Kerberos system.
+This interaction happens transparently--users don't need to know
+and probably don't care about what's going on--but Kerberos administrators
+might find a schematic description of the process useful.
+The description glosses over a lot of details;
+for more information, see @i[Kerberos: An Authentication
+Service for Open Network Systems],
+a paper presented at Winter USENIX 1988, in Dallas, Texas.
+
+@section[Network Services and Their Client Programs]
+
+In an environment that provides network services,
+you use @i[client] programs to request service from
+@i[server] programs that are somewhere on the network.
+Suppose you have logged in to a workstation
+and you want to @i[rlogin] to another machine.
+You use the local @i[rlogin] client program to
+contact the remote machine's @i[rlogin] service daemon.
+
+@section[Kerberos Tickets]
+
+Under Kerberos, the @i[rlogin] service program
+allows a client to login to a remote machine if it
+can provide
+a Kerberos @b[ticket] for the request.
+This ticket proves the identity of the person who has used
+the client program to access the server program.
+
+@section[The Kerberos Master Database]
+
+Kerberos will give you tickets only if you
+have an entry in the Kerberos server's
+@b[master database].
+Your database entry includes your Kerberos username (often referred to
+as your Kerberos @b[principal] name), and your Kerberos password.
+Every Kerberos user must have an entry in this database.
+
+@section[The Ticket-Granting Ticket]
+
+The @i[kinit] command prompts for your Kerberos username and password,
+and if you enter them successfully, you will obtain a Kerberos
+@i[ticket-granting ticket].
+As illustrated below,
+client programs use this ticket to get other Kerberos tickets as
+needed.
+
+@section[Network Services and the Master Database]
+
+The master database also contains entries for all network services that
+require Kerberos authentication.
+Suppose for instance that your site has a machine @i[laughter]
+that requires Kerberos authentication from anyone who wants
+to @i[rlogin] to it.
+This service must be registered in the master database.
+Its entry includes the service's principal name, and its @b[instance].
+
+The @i[instance] is the name of the service's machine;
+in this case, the service's instance is the name @i[laughter].
+The instance provides a means for Kerberos to distinguish between
+machines that provide the same service.
+Your site is likely to have more than one machine that
+provides @i[rlogin] service.
+
+@section[The User-Kerberos Interaction]
+
+Suppose that you (in the guise of a general user) walk up to a workstation
+intending to login to it, and then @i[rlogin] to the machine @i[laughter].
+Here's what happens.
+@begin[enumerate]
+You login to the workstation and use the @i[kinit] command
+to to get a ticket-granting ticket.
+This command prompts you for your username (your Kerberos Principal Name),
+and your Kerberos password [on some systems which use the new version of
+@i{/bin/login}, this may be done as part of the login process, not
+requiring the user to run a separate program].
+@begin[enumerate]
+The @i[kinit] command sends your request to the Kerberos master server
+machine.
+The server software looks for your principal name's entry in the
+Kerberos @b[master database].
+
+If this entry exists, the
+Kerberos server creates and returns a
+@i[ticket-granting ticket], encrypted in your password.
+If @i[kinit] can decrypt the Kerberos reply using the password you
+provide, it stores this ticket in a @b[ticket file] on your
+local machine for later use.
+The ticket file to be used
+can be specified in the @b[KRBTKFILE] environment
+variable. If this variable is not set, the name of the file will be
+@i[/tmp/tkt@p(uid)], where @p(uid) is the UNIX user-id, represented in decimal.
+@end[enumerate]
+
+Now you use the @i[rlogin] client to try to access the machine @i[laughter].
+@begin[example]
+host% @b[rlogin laughter]
+@end[example]
+@begin[enumerate]
+The @i[rlogin] client checks your ticket file to see if you
+have a ticket for @i[laughter]'s @i[rcmd] service (the rlogin program
+uses the @i[rcmd] service name, mostly for historical reasons).
+You don't, so @i[rlogin] uses the ticket file's @i[ticket-granting
+ticket] to make a request to the master server's ticket-granting service.
+
+This ticket-granting service receives the @i[rcmd-laughter] request
+and looks in the master database for an @i[rcmd-laughter] entry.
+If that entry exists, the ticket-granting service issues you a ticket
+for that service.
+That ticket is also cached in your ticket file.
+
+The @i[rlogin] client now uses that ticket to request service from
+the @i[laughter] @i[rlogin] service program.
+The service program
+lets you @i[rlogin] if the ticket is valid.
+@end[enumerate]
+@end[enumerate]
+
+@chapter[Setting Up and Testing the Kerberos Server]
+
+The procedure for setting up and testing a Kerberos server
+is as follows:
+@begin[enumerate]
+Use the @i[kdb_init] command to create and initialize the master database.
+
+Use the @i[kdb_edit] utility to add your username to the
+master database.
+
+Start the Kerberos server.
+
+Use the @i[kinit] command to obtain a Kerberos ticket-granting ticket.
+
+Use the @i[klist] command to verify that the @i[kinit] command
+authenticated you successfully.
+@end[enumerate]
+
+@section[Creating and Initializing the Master Database]
+
+Login to the Kerberos master server machine,
+and use the @b[su] command to become root.
+If you installed the Kerberos administration tools
+with the @i[make install] command and the default pathnames,
+they should be in the @i[/usr/etc] directory.
+If you installed the tools in a different directory,
+hopefully you know what it is.
+From now on, we will refer to this directory as [ADMIN_DIR].
+
+The @i[kdb_init] command creates and initializes the master database.
+It asks you to enter the system's
+realm name and the database's master password.
+Do not forget this password.
+If you do, the database becomes useless.
+(Your realm name should be substituted for [REALMNAME] below.)
+
+Use @i[kdb_init] as follows:
+@tabset[3inches, +1.5inches]
+@begin[example, rightmargin -10]
+host# @b([ADMIN_DIR]/kdb_init)
+Realm name (default XXX): @b([REALMNAME])@\@b[<--] @p[Enter your system's realm name.]
+You will be prompted for the database Master Password.
+It is important that you NOT FORGET this password.
+
+Enter Kerberos master key: @\@b[<--] @p[Enter the master password.]
+@comment(this needs to be re-fixed...:
+Verifying, please re-enter
+Enter Kerberos master key: @\@b[<--] @p[Re-enter it.]
+)
+@end[example]
+
+@section[Storing the Master Password]
+
+The @i[kstash] command ``stashes'' the master password in the file @i[/.k]
+so that the Kerberos server can
+be started automatically during an unattended reboot of the
+master server.
+Other administrative programs use this hidden password so that they
+can access the master database without someone having to manually
+provide the master password.
+This command is an optional one;
+if you'd rather enter the master password each time you
+start the Kerberos server, don't use @i[kstash].
+
+One the one hand, if you use @i[kstash], a copy of the master
+key will reside
+on disk which may not be acceptable; on the other hand, if you don't
+use @i[kstash], the server cannot be started unless someone is around to
+type the password in manually.
+
+The command prompts you twice for the master password:
+@begin[example]
+@tabset[3inches]
+host# @b([ADMIN_DIR]/kstash)
+
+Enter Kerberos master key:@\@b[<--] @p[Enter the master password.]
+Current Kerberos master key version is 1.
+
+Master key entered BEWARE!
+@end[example]
+
+A note about the Kerberos database master key:
+if your master key is compromised and the database is obtained,
+the security of your entire authentication system is compromised.
+The master key must be a carefully kept secret. If you keep backups,
+you must guard all the master keys you use, in case someone has stolen
+an old backup and wants to attack users' whose passwords haven't changed
+since the backup was stolen.
+This is why we provide the option not to store it on disk.
+
+@section[Using @p(kdb_edit) to Add Users to the Master Database]
+
+The @i[kdb_edit] program is used to add new users and services
+to the master database, and to modify existing database information.
+The program prompts you to enter a principal's @b[name] and @b[instance].
+
+A principal name is typically a username or a service program's name.
+An instance further qualifies the principal.
+If the principal is a service,
+the instance is used to specify the name of the machine on which that
+service runs.
+If the principal is a username that has general user privileges,
+the instance is usually set to null.
+
+The following example shows how to use @i[kdb_edit] to
+add the user @i[wave] to the Kerberos database.
+@begin[example, rightmargin -10]
+@tabset[3inches, +1.5inches]
+host# @b([ADMIN_DIR]/kdb_edit)
+
+Opening database...
+
+Enter Kerberos master key:
+Verifying, please re-enter
+Enter Kerberos master key:
+Current Kerberos master key version is 1
+
+Master key entered. BEWARE!
+Previous or default values are in [brackets] ,
+enter return to leave the same, or new value.
+
+Principal name: @b[wave]@\@b[<--] @p[Enter the username.]
+Instance:@\@p[<-- Enter a null instance.]
+
+<Not found>, Create [y] ? @b[y]@\@b[<--] @p[The user-instance does not exist.]
+@\@p[ Enter y to create the user-instance.]
+Principal: wave Instance: m_key_v: 1
+New Password: @\@p[<-- Enter the user-instance's password.]
+Verifying, please re-enter
+New Password:
+Principal's new key version = 1
+Expiration date (enter dd-mm-yy) [ 12/31/99 ] ?@\@b[<--] @p[Enter newlines]
+Max ticket lifetime (*5 minutes) [ 255 ] ? @\@b[<--] @p[to get the]
+Attributes [ 0 ] ? @\@\@b[<--] @p[default values.]
+Edit O.K.
+
+Principal name:@\@p[<-- Enter a newline to exit the program.]
+@end[example]
+
+Use the @i[kdb_edit] utility to add your username to the master database.
+
+@section[Starting the Kerberos Server]
+
+Change directories to the directory in which you have installed
+the server program @i[kerberos]
+(the default directory is @i[/usr/etc]),
+and start the program as a background process:
+@begin[example]
+host# @b[./kerberos &]
+@end[example]
+If you have used the @i[kstash] command to store the master database password,
+the server will start automatically.
+If you did not use @i[kstash],
+use the following command:
+@begin[example]
+host# @b[./kerberos -m]
+@end[example]
+The server will prompt you to enter the master password before actually
+starting itself.
+
+@section[Testing the Kerberos Server]
+
+Exit the root account and use the @i[kinit] command obtain a Kerberos
+ticket-granting ticket.
+This command
+creates your ticket file
+and stores the ticket-granting ticket in it.
+
+If you used the default @i[make install] command and directories to
+install the Kerberos user utilities, @i[kinit] will be in the
+@i[/usr/athena] directory. From now on, we'll refer to the Kerberos user
+commands directory as [K_USER].
+
+Use @i[kinit] as follows:
+@begin[example]
+@tabset[3 inches]
+host% @b([K_USER]/kinit)
+MIT Project Athena, (ariadne)
+Kerberos Initialization
+Kerberos name: @p[yourusername]@\@b[<--] @p[Enter your Kerberos username.]
+Password: @\@b[<--] @p[Enter your Kerberos password.]
+@end[example]
+
+Use the @i[klist] program to list the contents of your ticket file.
+@begin[example]
+host% @b([K_USER]/klist)
+@end[example]
+The command should display something like the following:
+@begin[example]
+Ticket file: /tmp/tkt5555
+Principal: yourusername@@REALMNAME
+
+ Issued Expires Principal
+May 6 10:15:23 May 6 18:15:23 krbtgt.REALMNAME@@REALMNAME
+@end[example]
+
+If you have any problems, you can examine the log file
+@i[/kerberos/kerberos.log] on the Kerberos server machine to see if
+there was some sort of error.
+
+@chapter[Setting up and testing the Administration server]
+
+The procedure for setting up and testing the Kerberos administration server
+is as follows:
+@begin[enumerate]
+Use the @i[kdb_edit] utility to add your username with an administration
+instance to the master database.
+
+Edit the access control lists for the administration server
+
+Start the Kerberos administration server.
+
+Use the @i[kpasswd] command to change your password.
+
+Use the @i[kadmin] command to add new entries to the database.
+
+Use the @i[kinit] command to verify that the @i[kadmin] command
+correctly added new entries to the database.
+@end(enumerate)
+
+@section[Adding an administration instance for the administrator]
+
+Login to the Kerberos master server machine,
+and use the @b[su] command to become root.
+Use the @i[kdb_edit] program to create an entry for each administrator
+with the instance ``@p(admin)''.
+@begin[example]
+@tabset[3inches, +1.5inches]
+host# @b([ADMIN_DIR]/kdb_edit)
+
+Opening database...
+
+Enter Kerberos master key:
+Verifying, please re-enter
+Enter Kerberos master key:
+Current Kerberos master key version is 1
+
+Master key entered. BEWARE!
+Previous or default values are in [brackets] ,
+enter return to leave the same, or new value.
+
+Principal name: @b[wave]@\@b[<--] @p[Enter the username.]
+Instance:@b[admin]@\@b[<--] @p[Enter ``admin''.]
+
+<Not found>, Create [y] ? @b[y]@\@b[<--] @p[The user-instance does not exist.]
+@\@p[ Enter y to create the user-instance.]
+Principal: wave Instance: admin m_key_v: 1
+New Password: @\@p[<-- Enter the user-instance's password.]
+Verifying, please re-enter
+New Password:
+Principal's new key version = 1
+Expiration date (enter dd-mm-yy) [ 12/31/99 ] ?@\@b[<--] @p[Enter newlines]
+Max ticket lifetime (*5 minutes) [ 255 ] ? @\@b[<--] @p[to get the]
+Attributes [ 0 ] ? @\@\@b[<--] @p[default values.]
+Edit O.K.
+
+Principal name:@\@p[<-- Enter a newline to exit the program.]
+@end[example]
+
+@section[The Access Control Lists]
+The Kerberos administration server uses three access control lists to
+determine who is authorized to make certain requests. The access
+control lists are stored on the master Kerberos server in the same
+directory as the principal database, @i(/kerberos). The access control
+lists are simple ASCII text files, with each line specifying the name of
+one principal who is allowed the particular function. To allow several
+people to perform the same function, put their principal names on
+separate lines in the same file.
+
+The first list, @i(/kerberos/admin_acl.mod), is a list of principals
+which are authorized to change entries in the database. To allow the
+administrator `@b[wave]' to modify entries in the database for the realm
+`@b[TIM.EDU]', you would put the following line into the file
+@i(/kerberos/admin_acl.mod):
+@begin(example)
+wave.admin@@TIM.EDU
+@end(example)
+
+The second list, @i(/kerberos/admin_acl.get), is a list of principals
+which are authorized to retrieve entries from the database.
+
+The third list, @i(/kerberos/admin_acl.add), is a list of principals
+which are authorized to add new entries to the database.
+
+@section(Starting the administration server)
+Change directories to the directory in which you have installed
+the administration server program @i[kadmind]
+(the default directory is @i[/usr/etc]),
+and start the program as a background process:
+@begin[example]
+host# @b[./kadmind -n&]
+@end[example]
+If you have used the @i[kstash] command to store the master database password,
+the server will start automatically.
+If you did not use @i[kstash],
+use the following command:
+@begin[example]
+host# @b[./kadmind]
+@end[example]
+The server will prompt you to enter the master password before actually
+starting itself; after it starts, you should suspend it and put it in
+the background (usually this is done by typing control-Z and then @b(bg)).
+
+@section(Testing @p[kpasswd])
+
+To test the administration server, you should try changing your password
+with the @i[kpasswd] command, and you should try adding new users with
+the @i[kadmin] command (both commands are installed into @i[/usr/athena]
+by default).
+
+Before testing, you should exit the root account.
+
+To change your password, run the @i[kpasswd] command:
+@begin(example)
+@tabset[3inches, +1.5inches]
+host% @b([K_USER]/kpasswd)
+Old password for wave@@TIM.EDU:@\@b[<--]@p[Enter your password]
+New Password for wave@@TIM.EDU:@\@b[<--]@p[Enter a new password]
+Verifying, please re-enter New Password for wave@@TIM.EDU:
+@\@b[<--]@p[Enter new password again]
+Password changed.
+@end(example)
+Once you have changed your password, use the @i[kinit] program as shown
+above to verify that the password was properly changed.
+
+@section(Testing @p[kadmin])
+You should also test the function of the @i[kadmin] program, by adding a
+new user (here named ``@t[username]''):
+@begin(example)
+@tabset[3inches, +1.5inches]
+host% @b([K_USER]/kadmin)
+Welcome to the Kerberos Administration Program, version 2
+Type "help" if you need it.
+admin: @b(ank username)@\@p[`ank' stands for Add New Key]
+Admin password: @\@b[<--]@p[enter the password
+@\you chose above for wave.admin]
+Password for username:@\@b[<--]@p[Enter the user's initial password]
+Verifying, please re-enter Password for username:@\@b[<--]@p[enter it again]
+username added to database.
+
+admin: quit
+Cleaning up and exiting.
+@end[example]
+
+@section(Verifying with @p[kinit])
+Once you've added a new user, you should test to make sure it was added
+properly by using @i[kinit], and trying to get tickets for that user:
+
+@begin[example]
+@tabset[3inches, +1.5inches]
+host% @b([K_USER]/kinit username)
+MIT Project Athena (ariadne)
+Kerberos Initialization for "username@@TIM.EDU"
+Password: @b[<--]@p[Enter the user's password you used above]
+host% @b([K_USER]/klist)
+Ticket file: /tmp/tkt_5509_spare1
+Principal: username@@TIM.MIT.EDU
+
+ Issued Expires Principal
+Nov 20 15:58:52 Nov 20 23:58:52 krbtgt.TIM.EDU@@TIM.EDU
+@end[example]
+
+If you have any problems, you can examine the log files
+@i[/kerberos/kerberos.log] and @i[/kerberos/admin_server.syslog] on the
+Kerberos server machine to see if there was some sort of error.
+
+@chapter[Setting up and testing slave server(s)]
+
+[Unfortunately, this chapter is not yet ready. Sorry. -ed]
+
+@chapter[A Sample Application]
+
+This release of Kerberos comes with a sample application
+server and a corresponding client program.
+You will find this software in the [OBJ_DIR]@i[/appl/sample] directory.
+The file @i[sample_client] contains the client program's executable
+code, the file @i[sample_server] contains the server's executable.
+
+The programs are rudimentary.
+When they have been installed (the installation procedure is described
+in detail later), they work as follows:
+@begin[itemize]
+The user starts @i[sample_client] and provides as arguments
+to the command the name of the server machine and a checksum.
+For instance:
+@begin[example]
+host% @b[sample_client] @p[servername] @p[43]
+@end[example]
+
+@i[Sample_client] contacts the server machine and
+authenticates the user to @i[sample_server].
+
+@i[Sample_server] authenticates itself to @i[sample_client],
+then returns a message to the client program.
+This message contains diagnostic information
+that includes the user's username, the Kerberos realm,
+and the user's workstation address.
+
+@i[Sample_client] displays the server's message on the user's
+terminal screen.
+@end[itemize]
+
+@section[The Installation Process]
+
+In general,
+you use the following procedure to install a Kerberos-authenticated
+server-client system.
+@begin[enumerate]
+Add the appropriate entry to the Kerberos database using @i[kdb_edit] or
+@i[kadmin] (described below).
+
+Create a @i[/etc/srvtab] file for the server machine.
+
+Install the service program and the @i[/etc/srvtab]
+file on the server machine.
+
+Install the client program on the client machine.
+
+Update the @i[/etc/services] file on the client and server machines.
+@end[enumerate]
+
+We will use the sample application as an example, although
+the procedure used to install @i[sample_server] differs slightly
+from the general case because the @i[sample_server]
+takes requests via the
+@i[inetd] program.
+@i[Inetd] starts @i[sample_server] each time
+a client process contacts the server machine.
+@i[Sample_server] processes the request,
+terminiates, then is restarted when @i[inetd] receives another
+@i[sample_client] request.
+When you install the program on the server,
+you must add a @i[sample] entry to the server machine's
+@i[/etc/inetd.conf] file.
+
+The following description assumes that you are installing
+@i[sample_server] on the machine @i[ariadne.tim.edu].
+Here's the process, step by step:
+@begin[enumerate]
+Login as or @i[su] to root on the Kerberos server machine.
+Use the @i[kdb_edit] or @i[kadmin] program to create an entry for
+@i[sample] in the Kerberos database:
+@begin[example, rightmargin -10]
+@tabset[2.0inches, +.5inches]
+host# @b([ADMIN_DIR]/kdb_edit)
+
+Opening database...
+
+Enter Kerberos master key:
+Verifying, please re-enter
+master key entered. BEWARE!
+Previous or default values are in [brackets] ,
+enter return to leave the same, or new value.
+
+Principal name: @b[sample]@\@b[<--] @p[Enter the principal name.]
+Instance: @b[ariadne]@\@b[<--] @p[Instances cannot have periods in them.]
+
+<Not found>, Create [y] ? @b[y]
+
+Principal: sample_server Instance: ariadne m_key_v: 1
+New Password:@\@b[<--] @p[Enter ``RANDOM'' to get random password.]
+Verifying, please re-enter
+New Password:@\@b[<--] @p[Enter ``RANDOM'' again.]
+Random password [y] ? @b[y]
+
+Principal's new key version = 1
+Expiration date (enter dd-mm-yy) [ 12/31/99 ] ?
+Max ticket lifetime (*5 minutes) [ 255 ] ?
+Attributes [ 0 ] ?
+Edit O.K.
+
+Principal name:@\@b[<--] @p[Enter newline to exit kdb_edit.]
+@end[example]
+
+Use the @i[ext_srvtab] program to create a @i[srvtab] file
+for @i[sample_server]'s host machine:
+@begin[example]
+host# @b([ADMIN_DIR]/ext_srvtab ariadne)
+
+Enter Kerberos master key:
+Current Kerberos master key version is 1.
+
+Generating 'ariadne-new-srvtab'....
+@end[example]
+Transfer the @i[ariadne-new-srvtab] file to @i[ariadne] and install it as
+@i[/etc/srvtab].
+Note that this file is equivalent to the service's password and should
+be treated with care.
+For example, it could be transferred by removable media, but should
+not be sent over an open network in the clear.
+Once installed, this file should be readable only by root.
+
+Add the following line to the @i[/etc/services] file on
+@i[ariadne], and on all machines that
+will run the @i[sample_client] program:
+@begin[example]
+sample 906/tcp # Kerberos sample app server
+@end[example]
+
+Add a line similar to the following line to the @i[/etc/inetd.conf]
+file on @i[sample_server]'s machine:
+@begin[example]
+sample stream tcp nowait switched root
+ [PATH]/sample_server sample_server
+@end[example]
+where [PATH] should be substituted with
+the path to the @i[sample_server] program.
+(This @i[inetd.conf] information should be placed on one line.)
+You should examine existing lines in @i[/etc/inetd.conf] and use the
+same format used by other entries (e.g. for telnet). Most systems do
+not have a column for the `switched' keyword, and some do not have a
+column for the username (usually `root', as above).
+
+Restart @i[inetd] by sending the current @i[inetd] process
+a hangup signal:
+@begin[example]
+host# @b[kill -HUP @p(process_id_number)]
+@end[example]
+
+The @i[sample_server] is now ready to take @i[sample_client] requests.
+@end[enumerate]
+
+@section[Testing the Sample Server]
+
+Assume that you have installed @i[sample_server] on @i[ariadne].
+
+Login to your workstation and use the @i[kinit] command to
+obtain a Kerberos ticket-granting ticket:
+@begin[example]
+@tabset[3 inches]
+host% @b([K_USER]/kinit)
+MIT Project Athena, (your_workstation)
+Kerberos Initialization
+Kerberos name: @p[yourusername]@\@b[<--] @p[Enter your Kerberos username.]
+Password: @\@b[<--] @p[Enter your Kerberos password.]
+@end[example]
+
+Now use the @i[sample_client] program as follows:
+@begin[example]
+host% @b([PATH]/sample_client ariadne)
+@end[example]
+The command should display something like the following:
+@begin[example]
+The server says:
+You are @p[yourusername].@@REALMNAME (local name @p[yourusername]),
+ at address @p[yournetaddress], version VERSION9, cksum 997
+@end[example]
+
+@chapter[Service names and other services]
+
+@section(rlogin, rsh, rcp, tftp, and others)
+
+Many services use a common principal name for authentication purposes.
+@i[rlogin], @i[rsh], @i[rcp], @i[tftp] and others use the principal name
+``@t[rcmd]''. For example, to set up the machine @i[ariadne] to support
+Kerberos rlogin, it needs to have a service key for principal
+``@t[rcmd]'', instance ``@t[ariadne]''. You create this key in the same
+way as shown above for the sample service.
+
+After creating this key, you need to run the @i[ext_srvtab] program
+again to generate a new srvtab file for ariadne.
+
+@section(NFS modifications)
+
+The NFS modifications distributed separately use the service name
+``@t[rvdsrv]'' with the instance set to the machine name (as for the
+sample server and the rlogin, rsh, rcp and tftp services).
+
+@section(inetd.conf entries)
+The following are the @i(/etc/inetd.conf) entries necessary to support
+rlogin, encrypted rlogin, rsh, and rcp services on a server machine. As
+above, your @i(inetd.conf) may not support all the fields shown here.
+@begin[example]
+eklogin stream tcp nowait unswitched root
+ [PATH]/klogind eklogind
+kshell stream tcp nowait unswitched root
+ [PATH]/kshd kshd
+klogin stream tcp nowait unswitched root
+ [PATH]/klogind klogind
+@end[example]
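Review bot: The "Storing the Master Password" section says kstash writes the master key to /.k and warns that a compromised key compromises the whole realm, but it never says what ownership and mode that file should have; the same gap applies to the three ACL files under /kerberos in "The Access Control Lists". The srvtab step already sets the right precedent with "Once installed, this file should be readable only by root", so I would add an equivalent sentence for /.k and for admin_acl.mod, admin_acl.get and admin_acl.add, since anyone who can write those ACL files can grant themselves administrative rights. A few transcript inconsistencies are also worth fixing while this is open. The kstash text says "The command prompts you twice for the master password" but the example shows a single prompt. The klist output in "Verifying with kinit" shows `Principal: username@@TIM.MIT.EDU` while every other line uses TIM.EDU. In the sample-service kdb_edit session the operator enters `sample` as the principal name but the echoed line reads `Principal: sample_server Instance: ariadne`, which leaves it unclear which name the srvtab entry must carry. The sample_client usage passes a checksum argument (`43`) in the overview but omits it in "Testing the Sample Server", where the output nonetheless reports `cksum 997`. Typos spotted: "to to get", "One the one hand", "users' whose passwords", "use the kinit command obtain", "terminiates".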