Diffstat (limited to 'doc')
-rw-r--r--  doc/ChangeLog               94
-rw-r--r--  doc/admin.texinfo           75
-rw-r--r--  doc/api/ChangeLog            4
-rw-r--r--  doc/api/krb5.tex            31
-rw-r--r--  doc/build.texinfo           92
-rw-r--r--  doc/definitions.texinfo     18
-rw-r--r--  doc/dnssrv.texinfo           4
-rw-r--r--  doc/install.texinfo         29
-rw-r--r--  doc/krb4-xrealm.txt        143
-rw-r--r--  doc/krb425.texinfo          20
-rw-r--r--  doc/support-enc.texinfo      6
11 files changed, 451 insertions, 65 deletions
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 709c559..cafd2a4 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,97 @@
+2004-02-13 Tom Yu <tlyu@mit.edu>
+
+ * build.texinfo (Solaris 9): Add section describing workaround for
+ Solaris 9 pty-close kernel bug.
+
+2003-07-25 Ken Raeburn <raeburn@mit.edu>
+
+ * admin.texinfo (realms (krb5.conf)): Add description of
+ master_kdc tag.
+ (Sample krb5.conf File): Add it to the example.
+
+2003-07-24 Sam Hartman <hartmans@mit.edu>
+
+ * admin.texinfo (realms (kdc.conf)): Remove references to kdc_supported_enctypes
+ (Sample kdc.conf File): Remove kdc_supported_enctypes here too
+
+2003-06-20 Tom Yu <tlyu@mit.edu>
+
+ * build.texinfo (Installing the Binaries): New node; describe
+ basic "make install", along with "DESTDIR=...".
+
+2003-06-19 Tom Yu <tlyu@mit.edu>
+
+ * build.texinfo (HPUX): Fix typo.
+ (Options to Configure): Note that --with-system-db is unsupported,
+ concerning possible lossage with loading dumpfiles.
+
+2003-06-18 Tom Yu <tlyu@mit.edu>
+
+ * dnssrv.texinfo: Add note about _kerberos-iv._udp SRV records.
+
+2003-05-30 Ken Raeburn <raeburn@mit.edu>
+
+ * definitions.texinfo (DefaultCcacheType, DefaultKDCTimesync,
+ DefaultMasterKeyType, DefaultTktLifetime): Updated for code
+ changes.
+ (DefaultCcacheTypeMac, DefaultKDCTimesyncMac): Deleted.
+
+ * admin.texinfo (libdefaults): Update kdc_timesync and ccache_type
+ descriptions to not separate Mac case.
+
+2003-05-30 Sam Hartman <hartmans@mit.edu>
+
+ * admin.texinfo (Supported Encryption Types): Document AES interop issues.
+
+ * support-enc.texinfo: Add AES enctypes
+
+2003-05-27 Tom Yu <tlyu@mit.edu>
+
+ * admin.texinfo (realms (kdc.conf)): Update to reflect that
+ kadm5.keytab is only used by legacy admin daemons.
+
+ * install.texinfo (Create a kadmind Keytab (optional)): Update to
+ reflect that kadm5.keytab is only used by legacy admin daemons.
+
+ * build.texinfo (HPUX): Make HPUX compiler flags simpler.
+
+2003-05-23 Ken Raeburn <raeburn@mit.edu>
+
+ * build.texinfo (HPUX, Solaris 2.X, Ultrix 4.2/3 [notdef]):
+ Replace descriptions of old --with- options with VAR=.
+ (Solaris 2.X): Suggest that defining _XOPEN_SOURCE and
+ __EXTENSIONS__ might help for 64-bit mode.
+
+2003-05-23 Tom Yu <tlyu@mit.edu>
+
+ * admin.texinfo (appdefaults): Clarify afs_krb5 slightly.
+
+2003-05-22 Sam Hartman <hartmans@mit.edu>
+
+ * admin.texinfo (appdefaults): Describe afs_krb5
+
+ * krb425.texinfo (AFS and the Appdefaults Section): Note about AFS and 2b tokens
+
+2003-05-13 Ken Raeburn <raeburn@mit.edu>
+
+ * definitions.texinfo: Updated DefaultSupportedEnctypes.
+
+2003-05-12 Sam Hartman <hartmans@mit.edu>
+
+ * definitions.texinfo: Default v4 mode is now none
+
+2003-04-18 Ken Raeburn <raeburn@mit.edu>
+
+ * definitions.texinfo (DefaultETypeList,
+ DefaultSupportedEnctypes): Update for AES.
+ * install.texinfo (Client Machine Configuration Files): Fix typo
+ in variable reference.
+
+2003-04-08 Tom Yu <tlyu@mit.edu>
+
+ * krb4-xrealm.txt: New file. Describe the krb4 cross-realm
+ patchkit. Copied from 2003-004-krb4_patchkit.
+
2003-02-04 Sam Hartman <hartmans@mit.edu>
* krb425.texinfo (Upgrading KDCs): Note that -4 needs to be specified
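Review bot: Several of the new entries end without a period ("Add AES enctypes", "Describe afs_krb5", "Note about AFS and 2b tokens", "Default v4 mode is now none"), unlike the surrounding entries; terminate them consistently so the ChangeLog reads uniformly.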
diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index a58cf56..ec50002 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -350,6 +350,25 @@ types can be set to some combination of the following strings.
@include support-enc.texinfo
+While aes128-cts and aes256-cts are supported for all Kerberos
+operations, they are not supported by the GSSAPI. AES GSSAPI support
+will be added after the necessary standardization work is
+completed.
+
+By default, AES is enabled on clients and application servers.
+Because of the lack of support for GSSAPI, AES is disabled in the
+default KDC supported_enctypes @ref{kdc.conf}. Sites wishing to use
+AES encryption types on their KDCs need to be careful not to give
+GSSAPI services AES keys. If GSSAPI services are given AES keys, then
+services will start to fail in the future when clients supporting AES
+for GSSAPI are deployed before updated servers that support AES for
+GSSAPI. Sites may wish to use AES for user keys and for the ticket
+granting ticket key, although doing so requires specifying what
+encryption types are used as each principal is created. Alternatively
+sites can use the default configuration which will make AES support
+available in clients and servers but not actually use this support
+until a future version of Kerberos adds support to GSSAPI.
+
@node Salts, krb5.conf, Supported Encryption Types, Configuration Files
@section Salts
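Review bot: The cross-reference in "AES is disabled in the default KDC supported_enctypes @ref{kdc.conf}" is dropped into the sentence with no connecting words, so it renders as a dangling reference; write it as "in the default KDC @code{supported_enctypes} (see @ref{kdc.conf})". The advice "need to be careful not to give GSSAPI services AES keys" would be more actionable if it said how: the same paragraph already notes that this "requires specifying what encryption types are used as each principal is created", so point the reader at that mechanism in the sentence about GSSAPI services. Minor: "Alternatively sites can use" needs a comma after "Alternatively".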
@@ -425,9 +444,7 @@ If this is set to 1 (for true), then client machines will compute the
difference between their time and the time returned by the KDC in the
timestamps in the tickets and use this value to correct for an
inaccurate system clock. This corrective factor is only used by the
-Kerberos library. The default is @value{DefaultKDCTimesyncMac} for
-Macintosh computers and @value{DefaultKDCTimesync} for all other
-platforms.
+Kerberos library. The default is @value{DefaultKDCTimesync}.
@itemx kdc_req_checksum_type
@itemx ap_req_checksum_type
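Review bot: The new default @value{DefaultKDCTimesync} expands to 1 in the definitions.texinfo hunk of this same patch, where the accompanying comment says "actually, that's not implemented"; if the library does not currently apply the correction, this paragraph should say so rather than documenting a default of 1 that implies the behaviour is active.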
@@ -466,9 +483,7 @@ type of cache to be created by kinit, or when forwarded tickets are
received. DCE and Kerberos can share the cache, but some versions of
DCE do not support the default cache as created by this version of
Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on
-DCE 1.1 systems. The default value is @value{DefaultCcacheTypeMac}
-for Macintosh computers and @value{DefaultCcacheType} for other
-platforms.
+DCE 1.1 systems. The default value is @value{DefaultCcacheType}.
@ignore
@itemx tkt_lifetime
@@ -610,6 +625,33 @@ The list of specifiable options for each application may be found in
that application's man pages. The application defaults specified here
are overridden by those specified in the [realms] section.
+A special application name (afs_krb5) is used by the krb524 service to
+know whether new format AFS tokens based on Kerberos 5 can be used
+rather than the older format which used a converted Kerberos 4 ticket.
+The new format allows for cross-realm authentication without
+introducing a security hole. It is used by default. Older AFS
+servers (before OpenAFS 1.2.8) will not support the new format. If
+servers in your cell do not support the new format, you will need to
+add an @code{afs_krb5} relation to the @code{appdefaults} section.
+The following config file shows how to disable new format AFS tickets
+for the @code{afs.example.com} cell in the @code{EXAMPLE.COM} realm.
+
+@smallexample
+@group
+[appdefaults]
+ afs_krb5 = @{
+ EXAMPLE.COM = @{
+ afs/afs.example.com = false
+ @}
+ @}
+
+@end group
+@end smallexample
+
+
+
+
+
@node login, realms (krb5.conf), appdefaults, krb5.conf
@subsection [login]
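Review bot: The version boundary here ("Older AFS servers (before OpenAFS 1.2.8) will not support the new format") contradicts the krb425.texinfo hunk in this patch, which says "OpenAFS > 1.2.8" supports the 2b tokens; one of the two excludes 1.2.8 and the other includes it, so settle on a single statement and use it in both places. The example would also benefit from one sentence explaining the key format (@code{afs/afs.example.com} is the AFS service principal name for the cell), since that is what an administrator has to get right. Finally, the five blank lines added after @end smallexample are surplus; one is enough before the next @node.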
@@ -666,6 +708,15 @@ this tag must be given a value in each realm subsection in the
configuration file, or there must be DNS SRV records specifying the
KDCs (see @ref{Using DNS}).
+@itemx master_kdc
+Identifies the master KDC(s). Currently, this tag is used in only one
+case: If an attempt to get credentials fails because of an invalid
+password, the client software will attempt to contact the master KDC,
+in case the user's password has just been changed, and the updated
+database has not been propagated to the slave servers yet. (We don't
+currently check whether the KDC from which the initial response came
+is on the master KDC list. That may be fixed in the future.)
+
@itemx admin_server
Identifies the host where the administration server is running.
Typically, this is the master Kerberos server. This tag must be given
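Review bot: The description says what happens when master_kdc is set but not what happens when it is absent from a realm subsection; since the tag is optional (unlike kdc, which the surrounding text says must be given or found via DNS SRV), state the fallback explicitly, e.g. whether the invalid-password retry is simply skipped. The parenthetical about not checking whether the initial response came from a master is an implementation caveat that belongs in the text, but the phrase "That may be fixed in the future" is better written as a plain statement of current behaviour, since the document has no way to track when it changes.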
@@ -995,6 +1046,7 @@ Here is an example of a generic @code{krb5.conf} file:
kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}
kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}:750
admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN}
+ master_kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN}
default_domain = @value{PRIMARYDOMAIN}
@}
@value{SECONDREALM} = @{
@@ -1089,9 +1141,9 @@ uses to determine which principals are allowed which permissions on the
database. The default is @code{@value{DefaultAclFile}}.
@itemx admin_keytab
-(String.) Location of the keytab file that kadmin uses to authenticate
-to the database. The default is
-@code{@value{DefaultAdminKeytab}}.
+(String.) Location of the keytab file that the legacy administration
+daemons @code{kadmind4} and @code{v5passwdd} use to authenticate to
+the database. The default is @code{@value{DefaultAdminKeytab}}.
@itemx database_name
(String.) Location of the Kerberos database for this realm. The
@@ -1222,10 +1274,6 @@ will have keys of these types. The default value for this tag is
@value{DefaultSupportedEnctypes}. For lists of possible values, see
@ref{Supported Encryption Types} and @ref{Salts}.
-@itemx kdc_supported_enctypes
-Specifies the permitted key/salt combinations of principals for this
-realm. The format is the same as @code{supported_enctypes}.
-
@itemx reject_bad_transit
A boolean value (@code{true}, @code{false}). If set to @code{true}, the
KDC will check the list of transited realms for cross-realm tickets
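Review bot: Removing the kdc_supported_enctypes description silently leaves existing kdc.conf files that still contain the tag undocumented; if the tag is now ignored, a one-line note under supported_enctypes saying that kdc_supported_enctypes is no longer used would save administrators from wondering why their setting has no effect.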
@@ -1277,7 +1325,6 @@ Here's an example of a @code{kdc.conf} file:
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
- kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
@}
[logging]
diff --git a/doc/api/ChangeLog b/doc/api/ChangeLog
index 3728895..4446ccf 100644
--- a/doc/api/ChangeLog
+++ b/doc/api/ChangeLog
@@ -1,3 +1,7 @@
+2003-05-09 Tom Yu <tlyu@mit.edu>
+
+ * krb5.tex: Update subkey-related information to match code.
+
2002-01-15 Sam Hartman <hartmans@mit.edu>
* krb5.tex (subsubsection{Principal access functions}): krb5_princ_realm returns a pointer.
diff --git a/doc/api/krb5.tex b/doc/api/krb5.tex
index 1574f16..d70910e 100644
--- a/doc/api/krb5.tex
+++ b/doc/api/krb5.tex
@@ -183,28 +183,45 @@ Retrieves the keyblock stored in \funcparam{auth_context}. The memory
allocated in this function should be freed with a call to
\funcname{krb5_free_keyblock}.
-\begin{funcdecl}{krb5_auth_con_getlocalsubkey}{krb5_error_code}{\funcinout}
+\begin{funcdecl}{krb5_auth_con_getrecvsubkey}{krb5_error_code}{\funcinout}
\funcarg{krb5_context}{context}
\funcarg{krb5_auth_context}{auth_context}
\funcout
\funcarg{krb5_keyblock **}{keyblock}
\end{funcdecl}
-Retrieves the local_subkey keyblock stored in
+Retrieves the recv\_subkey keyblock stored in
\funcparam{auth_context}. The memory allocated in this function should
be freed with a call to \funcname{krb5_free_keyblock}.
-\begin{funcdecl}{krb5_auth_con_getremotesubkey}{krb5_error_code}{\funcinout}
+\begin{funcdecl}{krb5_auth_con_getsendsubkey}{krb5_error_code}{\funcinout}
\funcarg{krb5_context}{context}
\funcarg{krb5_auth_context}{auth_context}
\funcout
\funcarg{krb5_keyblock **}{keyblock}
\end{funcdecl}
-Retrieves the remote_subkey keyblock stored in
+Retrieves the send\_subkey keyblock stored in
\funcparam{auth_context}. The memory allocated in this function should
be freed with a call to \funcname{krb5_free_keyblock}.
+\begin{funcdecl}{krb5_auth_con_setrecvsubkey}{krb5_error_code}{\funcinout}
+\funcarg{krb5_context}{context}
+\funcarg{krb5_auth_context}{auth_context}
+\funcout
+\funcarg{krb5_keyblock *}{keyblock}
+\end{funcdecl}
+
+Sets the recv\_subkey keyblock stored in \funcparam{auth_context}.
+
+\begin{funcdecl}{krb5_auth_con_setsendsubkey}{krb5_error_code}{\funcinout}
+\funcarg{krb5_context}{context}
+\funcarg{krb5_auth_context}{auth_context}
+\funcout
+\funcarg{krb5_keyblock *}{keyblock}
+\end{funcdecl}
+
+Sets the send\_subkey keyblock stored in \funcparam{auth_context}.
\begin{funcdecl}{krb5_auth_setcksumtype}{krb5_error_code}{\funcinout}
\funcarg{krb5_context}{context}
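Review bot: In the two new setter declarations, krb5_auth_con_setrecvsubkey and krb5_auth_con_setsendsubkey, the keyblock argument is declared after \funcout even though it is typed \funcarg{krb5_keyblock *}{keyblock} and is the value being set, i.e. an input; the \funcout marker was copied from the getters (where the argument is krb5_keyblock **) and should be dropped or replaced with the input marker so the rendered signature does not describe the key as an output. The old names krb5_auth_con_getlocalsubkey and krb5_auth_con_getremotesubkey are removed outright; if they remain callable for compatibility, keep a line noting they are deprecated aliases of the recv/send variants, since the KRB_SAFE hunk below drops local_subkey/remote_subkey from the key-selection order as well.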
@@ -1508,9 +1525,9 @@ Parses a KRB_SAFE message from \funcparam{inbuf}, placing the
data in \funcparam{*outbuf} after verifying its integrity.
The keyblock used for verifying the integrity of the message is taken
-from the \funcparam{auth_context} local_subkey, remote_subkey, or
-keyblock. The keyblock is chosen in the above order by the first one
-which is not NULL.
+from the \funcparam{auth_context} recv\_subkey or keyblock. The
+keyblock is chosen in the above order by the first one which is not
+NULL.
The remote_addr and localaddr portions of the \funcparam{*auth_context}
specify the full addresses (host and port) of the sender and receiver,
diff --git a/doc/build.texinfo b/doc/build.texinfo
index 1f0ef96..14f284d 100644
--- a/doc/build.texinfo
+++ b/doc/build.texinfo
@@ -9,6 +9,7 @@ required in porting Kerberos V5 to a new platform.
build Kerberos.
* Unpacking the Sources:: Preparing the source tree.
* Doing the Build:: Compiling Kerberos.
+* Installing the Binaries:: Installing the compiled binaries.
* Testing the Build:: Making sure Kerberos built correctly.
* Options to Configure:: Command-line options to Configure
* osconf.h:: Header file-specific configurations
@@ -57,15 +58,15 @@ source code for building @value{PRODUCT} on Windows (see windows/README)
@menu
* The appl Directory::
-* The clients Directory::
-* The gen-manpages Directory::
-* The include Directory::
+* The clients Directory::
+* The gen-manpages Directory::
+* The include Directory::
* The kadmin Directory::
* The kdc Directory::
* The krb524 Directory::
-* The lib Directory::
-* The prototype Directory::
-* The slave Directory::
+* The lib Directory::
+* The prototype Directory::
+* The slave Directory::
* The util Directory::
@end menu
@@ -248,7 +249,7 @@ your current directory is @file{/u1} when you unpack the tarfiles, you
will get @file{/u1/krb5-@value{RELEASE}/src}, etc.)
-@node Doing the Build, Testing the Build, Unpacking the Sources, Building Kerberos V5
+@node Doing the Build, Installing the Binaries, Unpacking the Sources, Building Kerberos V5
@section Doing the Build
You have a number of different options in how to build Kerberos. If you
@@ -335,7 +336,33 @@ makes it fail for relative pathnames. Note that this version differs
from the latest version as distributed and installed by the XConsortium
with X11R6. Either version should be acceptable.
-@node Testing the Build, Options to Configure, Doing the Build, Building Kerberos V5
+@node Installing the Binaries, Testing the Build, Doing the Build, Building Kerberos V5
+@section Installing the Binaries
+
+Once you have built Kerberos, you should install the binaries. You
+can do this by running:
+
+@example
+% make install
+@end example
+
+If you want to install the binaries into a destination directory that
+is not their final destination, which may be convenient if you want to
+build a binary distribution to be deployed on multiple hosts, you may
+use:
+
+@example
+% make install DESTDIR=/path/to/destdir
+@end example
+
+This will install the binaries under @code{DESTDIR/PREFIX}, e.g., the
+user programs will install into @code{DESTDIR/PREFIX/bin}, the
+libraries into @code{DESTDIR/PREFIX/lib}, etc.
+
+Note that if you want to test the build (see @ref{Testing the Build}),
+you usually do not need to do a @code{make install} first.
+
+@node Testing the Build, Options to Configure, Installing the Binaries, Building Kerberos V5
@section Testing the Build
The Kerberos V5 distribution comes with built-in regression tests. To
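Review bot: "DESTDIR/PREFIX" uses PREFIX without defining it in this section; say that PREFIX is the installation prefix given to configure (the default or the --prefix value), otherwise the example paths @code{DESTDIR/PREFIX/bin} and @code{DESTDIR/PREFIX/lib} are unclear to a first-time builder. It is also worth stating that DESTDIR should be an absolute path, since the recursive make invocations run from subdirectories and a relative DESTDIR would resolve differently in each.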
@@ -569,7 +596,10 @@ This option is ignored if @samp{--with-system-ss} is not specified.
@item --with-system-db
Use an installed version of the Berkeley DB package, which must
-provide an API compatible with version 1.85.
+provide an API compatible with version 1.85. This option is
+@emph{unsupported} and untested. In particular, we do not know if the
+database-rename code used in the dumpfile load operation will behave
+properly.
If this option is not given, a version supplied with the Kerberos
sources will be built and installed. (We are not updating this
@@ -720,6 +750,7 @@ Thanks!
* HPUX::
* Solaris versions 2.0 through 2.3::
* Solaris 2.X::
+* Solaris 9::
* SGI Irix 5.X::
* Ultrix 4.2/3::
@end menu
@@ -769,11 +800,12 @@ NetBSD and FreeBSD.)
@node HPUX, Solaris versions 2.0 through 2.3, BSDI, OS Incompatibilities
@subsection HPUX
-The native (bundled) compiler for HPUX currently will not work, because
-it is not a full ANSI C compiler. The optional compiler (c89) should
-work as long as you give it the @samp{-D_HPUX_SOURCE} flag
-(i.e. @samp{./configure --with-cc='c89 -D_HPUX_SOURCE'}). This has only
-been tested recently for HPUX 10.20.
+The native (bundled) compiler for HPUX currently will not work,
+because it is not a full ANSI C compiler. The optional ANSI C
+compiler should work as long as you give it the @samp{-Ae} flag
+(i.e. @samp{./configure CC='cc -Ae'}). This is equivalent to
+@samp{./configure CC='c89 -D_HPUX_SOURCE'}, which was the previous
+recommendation. This has only been tested recently for HPUX 10.20.
@node Solaris versions 2.0 through 2.3, Solaris 2.X, HPUX, OS Incompatibilities
@subsection Solaris versions 2.0 through 2.3
@@ -816,16 +848,38 @@ environment to break or behave differently.
@end enumerate
-@node Solaris 2.X, SGI Irix 5.X, Solaris versions 2.0 through 2.3, OS Incompatibilities
+@node Solaris 2.X, Solaris 9, Solaris versions 2.0 through 2.3, OS Incompatibilities
@subsection Solaris 2.X
You @b{must} compile Kerberos V5 without the UCB compatibility
libraries. This means that @file{/usr/ucblib} must not be in the
LD_LIBRARY_PATH environment variable when you compile it. Alternatively
you can use the @code{-i} option to @samp{cc}, by using the specifying
-@code{--with-ccopts=-i} option to @samp{configure}.
+@code{CFLAGS=-i} option to @samp{configure}.
+
+If you are compiling for a 64-bit execution environment, you may need
+to configure with the option @code{CFLAGS="-D_XOPEN_SOURCE=500
+-D__EXTENSIONS__"}. This is not well tested; at MIT we work primarily
+with the 32-bit execution environment.
+
+@node Solaris 9, SGI Irix 5.X, Solaris 2.X, OS Incompatibilities
+@subsection Solaris 9
+
+Solaris 9 has a kernel race condition which causes the final output
+written to the slave side of a pty to be lost upon the final close()
+of the slave device. This causes the dejagnu-based tests to fail
+intermittently. A workaround exists, but requires some help from the
+scheduler, and the ``make check'' must be executed from a shell with
+elevated priority limits.
+
+Run something like
+
+@code{priocntl -s -c FX -m 30 -p 30 -i pid nnnn}
+
+as root, where @code{nnnn} is the pid of the shell whose priority
+limit you wish to raise.
-@node SGI Irix 5.X, Ultrix 4.2/3, Solaris 2.X, OS Incompatibilities
+@node SGI Irix 5.X, Ultrix 4.2/3, Solaris 9, OS Incompatibilities
@subsection SGI Irix 5.X
If you are building in a tree separate from the source tree, the vendors
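Review bot: The priocntl invocation is shown with @code inside a paragraph, whereas the rest of this chapter puts commands in @example blocks; use @example here so the line is not reflowed. The wording "Run something like" leaves it unclear whether the specific class and priority values (FX, -m 30, -p 30) matter; state that these are the values that were found to work and that the raised limit is inherited by the children of that shell, which is why "make check" must be started from it. While touching the Solaris 2.X paragraph, the pre-existing typo "by using the specifying @code{CFLAGS=-i} option" (two verbs) should be corrected to "by specifying the @code{CFLAGS=-i} option".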
@@ -852,8 +906,8 @@ GCC instead.
On the DEC MIPS platform, using the native compiler, @file{md4.c} and
@file{md5.c} can not be compiled with the optimizer set at level 1.
-That is, you must specify either @samp{--with-ccopts=-O} and
-@samp{--with-ccopts=-g} to configure. If you don't specify either, the
+That is, you must specify either @samp{CFLAGS=-O} and
+@samp{CFLAGS=-g} to configure. If you don't specify either, the
compile will never complete.
The optimizer isn't hung; it just takes an exponentially long time.
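Review bot: "you must specify either @samp{CFLAGS=-O} and @samp{CFLAGS=-g}" should read "either ... or"; the mismatch was already in the old text, but since the line is being rewritten for the VAR= form, fix the conjunction at the same time.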
diff --git a/doc/definitions.texinfo b/doc/definitions.texinfo
index 1acf0f4..1c5ed88 100644
--- a/doc/definitions.texinfo
+++ b/doc/definitions.texinfo
@@ -43,7 +43,7 @@ default was set.
the following should be consistent with the variables set in
krb5/src/lib/krb5/krb/init_ctx.c
@end ignore
-@set DefaultETypeList des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4
+@set DefaultETypeList aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4
@comment DEFAULT_ETYPE_LIST
@set DefaultDefaultTgsEnctypes @value{DefaultETypeList}
@set DefaultDefaultTktEnctypes @value{DefaultETypeList}
@@ -52,14 +52,14 @@ krb5/src/lib/krb5/krb/init_ctx.c
@comment libdefaults, clockskew
@set DefaultChecksumType RSA MD5
@comment libdefaults, kdc_req_checksum_type, ap_req_checksum_type, safe_checksum_type
-@set DefaultCcacheType 3
+@set DefaultCcacheType 4
@comment DEFAULT_CCACHE_TYPE
-@set DefaultCcacheTypeMac 4
-@comment DEFAULT_CCACHE_TYPE
-@set DefaultTktLifetime 10 hours
+@set DefaultTktLifetime 1 day
@comment libdefaults, tkt_lifetime
-@set DefaultKDCTimesyncMac 1
-@set DefaultKDCTimesync 0
+@comment -- actually, that's not implemented; see
+@comment lib/krb5/krb/get_in_tkt.c, and clients/kinit/kinit.c for krb4
+@comment fallback
+@set DefaultKDCTimesync 1
@comment DEFAULT_KDC_TIMESYNC
@set DefaultKDCDefaultOptions KDC_OPT_RENEWABLE_OK
@comment line 194
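Review bot: The new "@comment -- actually, that's not implemented" sits between the DefaultTktLifetime setting and the DefaultKDCTimesync setting, so it is ambiguous which default it qualifies; name the setting in the comment (it appears to refer to DefaultKDCTimesync, given the pointer to get_in_tkt.c), and if the kdc_timesync behaviour really is unimplemented, the admin.texinfo text updated in this same patch should not present 1 as an effective default.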
@@ -68,7 +68,7 @@ krb5/src/lib/krb5/krb/init_ctx.c
the following defaults should be consistent with default variables set
in krb5/src/include/krb5/stock/osconf.h
@end ignore
-@set DefaultMasterKeyType des-cbc-crc
+@set DefaultMasterKeyType des3-cbc-sha1
@comment DEFAULT_KDC_ENCTYPE
@set DefaultKadmindPort 749
@comment DEFAULT_KADM5_PORT
@@ -146,7 +146,7 @@ krb5/src/appl/bsd/login.c
the following defaults should be consistent with the values set in
krb5/src/kdc/kerberos_v4
@end ignore
-@set DefaultV4Mode nopreauth
+@set DefaultV4Mode none
@comment KDC_V4_DEFAULT_MODE
@ignore
diff --git a/doc/dnssrv.texinfo b/doc/dnssrv.texinfo
index 1a401ac..c969fb2 100644
--- a/doc/dnssrv.texinfo
+++ b/doc/dnssrv.texinfo
@@ -59,6 +59,10 @@ will also need the @code{admin_server} entry in @code{krb5.conf}.
This should list port @value{DefaultKpasswdPort} on your master KDC.
It is used when a user changes her password.
+@item _kerberos-iv._udp
+This should refer to your KDCs that serve Kerberos version 4 requests,
+if you have Kerberos v4 enabled.
+
@end table
Be aware, however, that the DNS SRV specification requires that the
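Review bot: The other entries in this table say which port the record should list (e.g. "This should list port @value{DefaultKpasswdPort}" just above); the new _kerberos-iv._udp entry should do the same for the Kerberos 4 KDC port, using the corresponding @value definition if one exists in definitions.texinfo.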
diff --git a/doc/install.texinfo b/doc/install.texinfo
index b105435..f406fdc 100644
--- a/doc/install.texinfo
+++ b/doc/install.texinfo
@@ -374,7 +374,7 @@ first few steps must be done on the master KDC.
* Create the Database::
* Add Administrators to the Acl File::
* Add Administrators to the Kerberos Database::
-* Create a kadmind Keytab::
+* Create a kadmind Keytab (optional)::
* Start the Kerberos Daemons::
@end menu
@@ -516,7 +516,7 @@ filename should match the value you have set for ``acl_file'' in your
@include kadm5acl.texinfo
-@node Add Administrators to the Kerberos Database, Create a kadmind Keytab, Add Administrators to the Acl File, Install the Master KDC
+@node Add Administrators to the Kerberos Database, Create a kadmind Keytab (optional), Add Administrators to the Acl File, Install the Master KDC
@subsubsection Add Administrators to the Kerberos Database
Next you need to add administrative principals to the Kerberos database.
@@ -551,17 +551,18 @@ kadmin.local:}
-@node Create a kadmind Keytab, Start the Kerberos Daemons, Add Administrators to the Kerberos Database, Install the Master KDC
-@subsubsection Create a kadmind Keytab
+@node Create a kadmind Keytab (optional), Start the Kerberos Daemons, Add Administrators to the Kerberos Database, Install the Master KDC
+@subsubsection Create a kadmind Keytab (optional)
-The kadmind keytab is the key that kadmind will use to decrypt
-administrators' Kerberos tickets to determine whether or not it should
-give them access to the database. You need to create the kadmin keytab
-with entries for the principals @code{kadmin/admin} and
+The kadmind keytab is the key that the legacy admininstration daemons
+@code{kadmind4} and @code{v5passwdd} will use to decrypt
+administrators' or clients' Kerberos tickets to determine whether or
+not they should have access to the database. You need to create the
+kadmin keytab with entries for the principals @code{kadmin/admin} and
@code{kadmin/changepw}. (These principals are placed in the Kerberos
database automatically when you create it.) To create the kadmin
-keytab, run @code{kadmin.local} and use the @code{ktadd} command, as in
-the following example. (The line beginning with @result{} is a
+keytab, run @code{kadmin.local} and use the @code{ktadd} command, as
+in the following example. (The line beginning with @result{} is a
continuation of the previous line.):
@smallexample
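Review bot: Typo in the new text: "admininstration" should be "administration". Since the section is now marked optional, the opening sentence should also say when it can be skipped, i.e. that sites not running the legacy @code{kadmind4} or @code{v5passwdd} daemons do not need this keytab; otherwise the "(optional)" in the title is the only hint.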
@@ -593,7 +594,7 @@ The filename you use must be the one specified in your @code{kdc.conf}
file.
@need 2000
-@node Start the Kerberos Daemons, , Create a kadmind Keytab, Install the Master KDC
+@node Start the Kerberos Daemons, , Create a kadmind Keytab (optional), Install the Master KDC
@subsubsection Start the Kerberos Daemons on the Master KDC
At this point, you are ready to start the Kerberos daemons on the Master
@@ -973,7 +974,7 @@ On the @emph{new} master KDC:
@enumerate
@item
-Create a database keytab. (@xref{Create a kadmind Keytab}.)
+Create a database keytab. (@xref{Create a kadmind Keytab (optional)}.)
@item
Start the @code{kadmind} daemon. (@xref{Start the Kerberos Daemons}.)
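Review bot: This enumerated step on the new master KDC still says "Create a database keytab" unconditionally while the section it points to is now titled "(optional)" and, per the install.texinfo hunk above, only applies to the legacy daemons; mark the step itself as optional under the same condition so the two places agree.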
@@ -1059,8 +1060,8 @@ kerberos @value{DefaultPort}/udp kdc # Kerberos V5 KDC
kerberos @value{DefaultPort}/tcp kdc # Kerberos V5 KDC
klogin @value{DefaultKloginPort}/tcp # Kerberos authenticated rlogin
kshell @value{DefaultKshellPort}/tcp cmd # and remote shell
-kerberos-adm @value{DefaultKamdindPort}/tcp # Kerberos 5 admin/changepw
-kerberos-adm @value{DefaultKamdindPort}/udp # Kerberos 5 admin/changepw
+kerberos-adm @value{DefaultKadmindPort}/tcp # Kerberos 5 admin/changepw
+kerberos-adm @value{DefaultKadmindPort}/udp # Kerberos 5 admin/changepw
krb5_prop @value{DefaultKrbPropPort}/tcp # Kerberos slave propagation
@c kpop 1109/tcp # Pop with Kerberos
eklogin @value{DefaultEkloginPort}/tcp # Kerberos auth. & encrypted rlogin
diff --git a/doc/krb4-xrealm.txt b/doc/krb4-xrealm.txt
new file mode 100644
index 0000000..f8c4566
--- /dev/null
+++ b/doc/krb4-xrealm.txt
@@ -0,0 +1,143 @@
+The following text was taken from the patchkit disabling cross-realm
+authentication and triple-DES in krb4.
+
+PATCH KIT DESCRIPTION
+=====================
+
+** FLAG DAY REQUIRED **
+
+One of the things we decided to do (and must do for security reasons)
+was drop support for the 3DES krb4 TGTs. Unfortunately the current
+code will only accept 3DES TGTs if it issues 3DES TGTs. Since the new
+code issues only DES TGTs, the old code will not understand its v4
+TGTs if the site has a 3DES key available for the krbtgt principal.
+The new code will understand and accept both DES and 3DES v4 TGTs.
+
+So, the easiest upgrade option is to deploy the code on all KDCs at
+once, being sure to deploy it on the master KDC last. Under this
+scenario, a brief window exists where slaves may be able to issue
+tickets that the master will not understand. However, the slaves will
+understand tickets issued by the master throughout the upgrade.
+
+An alternate and more annoying upgrade strategy exists. At least one
+max TGT life time before the upgrade, the TGT key can be changed to be
+a single-des key. Since we support adding a new TGT key while
+preserving the old one, this does not create an interruption in
+service. Since no 3DES key is available then both the old and new
+code will issue and accept DES v4 TGTs. After the upgrade, the TGT
+key can again be rekeyed to add 3DES keys. This does require two TGT
+key changes and creates a window where DES is used for the v5 TGT, but
+creates no window in which slaves will issue TGTs the master cannot
+accept.
+
+* What the patch does
+=====================
+
+1) Kerberos 4 cross-realm authentication is disabled by default. A
+ "-X" switch is added to both krb524d and krb5kdc to enable v4
+ cross-realm. This switch logs a note that a security hole has been
+ opened in the KDC log. We said while designing the patch, that we
+ were going to try to allow per-realm configuration; because of a
+ design problem in the kadm5 library, we could not do this without
+ bumping the ABI version of that library. We are unwilling to bump
+ an ABI version in a security patch release to get that feature, so
+ the configuration of v4 cross-realm is a global switch.
+
+2) Code responsible for v5 TGTs has been changed to require that the
+ enctype of the ticket service key be the same as the enctype that
+ would currently be issued for that kvno. This means that even if a
+ service has multiple keys, you cannot use a weak key to fake the
+ KDC into accepting tickets for that service. If you have a non-DES
+ TGT key, this separates keys used for v4 and v5. We actually relax
+ this requirement for cross-realm TGT keys (which in the new code
+ are only used for v5) because we cannot guarantee other Kerberos
+ implementations will choose keys the same way.
+
+3) We no longer issue 3DES v4 tickets either in the KDC or krb524d.
+ We add code to accept either DES or 3DES tickets for v4. None of
+ the attacks discovered so far can be implemented given a KDC that
+ accepts but does not issue 3DES tickets, so we believe that leaving
+ this functionality in as compatibility for a version or two is
+ reasonable. Note however that the attacks described do allow
+ successful attackers to print future tickets, so sites probably
+ want to rekey important keys after installing this update. Note
+ also that even if issuance of 3DES v4 tickets has been disabled,
+ outstanding tickets may be used to perform the 3DES cut-and-paste
+ attack.
+
+* Test Cases
+============
+
+This code is difficult to test for two reasons. First, you need a
+cross-realm relationship between two KDCs. Secondly, you need a KDC
+that will issue 3DES v4 tickets even though the code with the patch
+applied can no longer do this.
+
+I propose to meet these requirements by setting up a cross-realm 3DES
+key between a realm I control and the test environment. In order to
+provide concrete examples of what I plan to test with the automated
+tests, I assume a shared key between a realm PREPATCH.KRBTEST.COM and the
+test realm PATCH.
+
+In all of the following tests I assume the following configuration.
+A principal v4test@PREPATCH.KRBTEST.COM exists with known password and
+without requiring preauthentication. The PREPATCH.KRBTEST.COM KDC will
+issue v4 tickets for this principal. A principal test@PATCH exists
+with known password and without requiring preauthentication. A
+principal service@PATCH exists. The TGT for the PATCH realm has a
+3des and des key. The shared TGT keys between PATCH and
+PREPATCH.KRBTEST.COM are identical in both directions (required for v4) and
+support both 3DES and DES keys.
+
+1) Run krb524d and krb5kdc for PATCH with no special options using a
+ krb5.conf without permitted_enctypes (fully permissive).
+
+
+A) Get v4 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that kvno -4
+service@PATCH fails with an unknown principal error and logs an error
+about cross-realm being denied to the PATCH KDC log. This confirms
+that v4 cross-realm is not accepted.
+
+B) Get v5 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that krb524init
+-p service@PATCH fails with a prohibited by policy error, but that
+klist -5 includes a ticket for service@PATCH. This confirms that v5
+cross-realm works but the krb524d denies converting such a ticket into
+a cross-realm ticket. Note that the krb524init currently in the
+mainline source tree will not be useful for this test because the
+client denies cross-realm for the simple reason that the v4 ticket
+file format is not flexible enough to support it. The krb524init in
+the 1.2.x release is useful for this test.
+
+
+2) Restart the krb5kdc and krb524d for PATCH with the -X option
+ enabling v4 cross-realm.
+
+A) Confirm that the security warning is written to kdc.log.
+
+B) Get v4 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that kvno -4
+service@PATCH works and leaves a service@PATCH ticket in the cache.
+This confirms that v4 cross-realm works in the KDC. It also confirms
+that the KDC can accept 3DES v4 TGTs. The code path for decrypting a
+TGT is the same for the local realm and for foreign realms, so I don't
+see a need to test local 3DES TGTs in an automated manner although I
+did test it manually.
+
+C) Get v5 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that krb524init
+-p service@PATCH works. This confirms that krb524d will issue
+cross-realm tickets. They're completely useless because the v4 ticket
+file can't represent them, but that's not our problem today.
+
+3) Start the kdc and krb524d with a krb5.conf that includes
+ permitted_enctypes only listing des-cbc-crc. Get tickets as
+ test@PATCH. Restart the KDC and confirm that kvno service fails
+ logging an error about permitted enctypes. This confirms that if
+ you manage to obtain a ticket of the wrong enctype it will not be
+ accepted later.
+
+These tests do not check to make sure that 3DES tickets are not
+issued by the v4 code. I'm fairly certain that is true as I've
+physically remove the calls to the routine that generates 3DES tickets
+from the code in both the KDC and krb524d. These tests also do not
+check to make sure that cross-realm TGTs are not required to follow
+the strict enctype policy. I've tested that manually but don't know
+how to test that without significantly complicating the test setup.
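Review bot: The text repeatedly refers to "the attacks discovered so far" and "the attacks described" without describing them; since this file is copied from the 2003-004 krb4 patchkit (per the ChangeLog), add a sentence at the top pointing the reader at that advisory for the description of the cut-and-paste attack and the ticket-forgery issue. Typo in the last paragraph: "I've physically remove the calls" should be "removed". Minor: the underline under "* What the patch does" and "* Test Cases" does not match the heading length, unlike "PATCH KIT DESCRIPTION".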
diff --git a/doc/krb425.texinfo b/doc/krb425.texinfo
index c239b2f..7a7a808 100644
--- a/doc/krb425.texinfo
+++ b/doc/krb425.texinfo
@@ -17,7 +17,7 @@
@include definitions.texinfo
@set EDITION 1.0
-@set UPDATED October 8, 1996
+@set UPDATED May 22, 2003
@finalout @c don't print black warning boxes
@@ -101,6 +101,7 @@ nonstandard installations.
@menu
* libdefaults::
* realms (krb5.conf)::
+* AFS and the Appdefaults Section::
@end menu
@node libdefaults, realms (krb5.conf), krb5.conf, krb5.conf
@@ -122,7 +123,7 @@ Specifies the location of the Kerberos V4 domain/realm translation
file. Default is @value{DefaultKrb4Realms}.
@end table
-@node realms (krb5.conf), , libdefaults, krb5.conf
+@node realms (krb5.conf), AFS and the Appdefaults Section, libdefaults, krb5.conf
@subsection [realms]
In the [realms] section, the following Kerberos V4 tags may be used:
@@ -148,6 +149,21 @@ between the realms.
@end table
+@node AFS and the Appdefaults Section, , realms (krb5.conf), krb5.conf
+@subsection AFS and the Appdefaults Section
+
+Many Kerberos 4 sites also run the Andrew File System (AFS).
+
+Modern AFS servers (OpenAFS > 1.2.8) support the AFS 2b token format.
+This allows AFS to use Kerberos 5 tickets rather than version 4
+tickets, enabling cross-realm authentication. By default, the
+@file{krb524d} service will issue the new AFS 2b tokens. If you are
+using old AFS servers, you will need to disable these new tokens.
+Please see the documentation of the @code{appdefaults} section of
+@file{krb5.conf} in the Kerberos Administration guide.
+
+
+
@node kdc.conf, , krb5.conf, Configuration Files
@section kdc.conf
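Review bot: "Modern AFS servers (OpenAFS > 1.2.8)" conflicts with the admin.texinfo hunk in this patch, which says servers "before OpenAFS 1.2.8" lack the new format; pick one boundary and use it in both documents. The service name is marked @file{krb524d} here but @code elsewhere in the patch; use @code for consistency. The three blank lines added before the kdc.conf @node are surplus.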
diff --git a/doc/support-enc.texinfo b/doc/support-enc.texinfo
index 3f030ba..ca4e8fa 100644
--- a/doc/support-enc.texinfo
+++ b/doc/support-enc.texinfo
@@ -16,6 +16,12 @@ DES cbc mode with RSA-MD5
triple DES cbc mode with HMAC/sha1
@item des-hmac-sha1
DES with HMAC/sha1
+@item aes256-cts-hmac-sha1-96
+@itemx aes256-cts
+AES-256 CTS mode with 96-bit SHA-1 HMAC
+@item aes128-cts-hmac-sha1-96
+@itemx aes128-cts
+AES-128 CTS mode with 96-bit SHA-1 HMAC
@item arcfour-hmac
@itemx rc4-hmac
@itemx arcfour-hmac-md5