From 0b6eac6750fe7af8f2b359a179d027cfeb7917df Mon Sep 17 00:00:00 2001
From: Theodore Tso
Date: Thu, 16 Jun 1994 04:16:31 +0000
Subject: Adding documentation files...
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@3831 dc483132-0cff-0310-8789-dd5450dbe970
---
 doc/old-V4-docs/README | 4 +
 doc/old-V4-docs/installation.PS | 2338 +++++++++++++++++++++++++++++++++
 doc/old-V4-docs/installation.mss | 681 ++++++++++
 doc/old-V4-docs/operation.PS | 2669 ++++++++++++++++++++++++++++++++++++++
 doc/old-V4-docs/operation.mss | 799 ++++++++++++
 5 files changed, 6491 insertions(+)
 create mode 100644 doc/old-V4-docs/README
 create mode 100644 doc/old-V4-docs/installation.PS
 create mode 100644 doc/old-V4-docs/installation.mss
 create mode 100644 doc/old-V4-docs/operation.PS
 create mode 100644 doc/old-V4-docs/operation.mss
(limited to 'doc/old-V4-docs')
diff --git a/doc/old-V4-docs/README b/doc/old-V4-docs/README
new file mode 100644
index 0000000..8858655
--- /dev/null
+++ b/doc/old-V4-docs/README
@@ -0,0 +1,4 @@
+These documentation files are old --- and refer to the Kerberos V4
+implementation. They are included because the equivalent V5 documentation
+set have not been written yet, and the concepts contained in these documents
+may be helpful.
diff --git a/doc/old-V4-docs/installation.PS b/doc/old-V4-docs/installation.PS
new file mode 100644
index 0000000..7609d4e
--- /dev/null
+++ b/doc/old-V4-docs/installation.PS
@@ -0,0 +1,2338 @@ +%!PS-Adobe-2.0 +%%Title: installation.mss +%%DocumentFonts: (atend) +%%Creator: John T Kohl,,E40-351M,31510,6176432831 and Scribe 7(1700) +%%CreationDate: 4 January 1990 11:56 +%%Pages: (atend) +%%EndComments +% PostScript Prelude for Scribe. +/BS {/SV save def 0.0 792.0 translate .01 -.01 scale} bind def +/ES {showpage SV restore} bind def +/SC {setrgbcolor} bind def +/FMTX matrix def +/RDF {WFT SLT 0.0 eq + {SSZ 0.0 0.0 SSZ neg 0.0 0.0 FMTX astore} + {SSZ 0.0 SLT neg sin SLT cos div SSZ mul SSZ neg 0.0 0.0 FMTX astore} + ifelse makefont setfont} bind def +/SLT 0.0 def +/SI { /SLT exch cvr def RDF} bind def +/WFT /Courier findfont def +/SF { /WFT exch findfont def RDF} bind def +/SSZ 1000.0 def +/SS { /SSZ exch 100.0 mul def RDF} bind def +/AF { /WFT exch findfont def /SSZ exch 100.0 mul def RDF} bind def +/MT /moveto load def +/XM {currentpoint exch pop moveto} bind def +/UL {gsave newpath moveto dup 2.0 div 0.0 exch rmoveto + setlinewidth 0.0 rlineto stroke grestore} bind def +/LH {gsave newpath moveto setlinewidth + 0.0 rlineto + gsave stroke grestore} bind def +/LV {gsave newpath moveto setlinewidth + 0.0 exch rlineto + gsave stroke grestore} bind def +/BX {gsave newpath moveto setlinewidth + exch + dup 0.0 rlineto + exch 0.0 exch neg rlineto + neg 0.0 rlineto + closepath + gsave stroke grestore} bind def +/BX1 {grestore} bind def +/BX2 {setlinewidth 1 setgray stroke grestore} bind def +/PB {/PV save def newpath translate + 100.0 -100.0 scale pop /showpage {} def} bind def +/PE {PV restore} bind def +/GB {/PV save def newpath translate rotate + div dup scale 100.0 -100.0 scale /showpage {} def} bind def +/GE {PV restore} bind def +/FB {dict dup /FontMapDict exch def begin} bind def +/FM {cvn exch cvn exch def} bind def +/FE {end /original-findfont /findfont load def /findfont + {dup FontMapDict exch known{FontMapDict exch get} if + original-findfont} def} bind def +/BC {gsave moveto dup 0 exch rlineto exch 0 rlineto neg 0 exch rlineto 
closepath clip} bind def +/EC /grestore load def +/SH /show load def +/MX {exch show 0.0 rmoveto} bind def +/W {0 32 4 -1 roll widthshow} bind def +/WX {0 32 5 -1 roll widthshow 0.0 rmoveto} bind def +/RC {100.0 -100.0 scale +612.0 0.0 translate +-90.0 rotate +.01 -.01 scale} bind def +/URC {100.0 -100.0 scale +90.0 rotate +-612.0 0.0 translate +.01 -.01 scale} bind def +/RCC {100.0 -100.0 scale +0.0 -792.0 translate 90.0 rotate +.01 -.01 scale} bind def +/URCC {100.0 -100.0 scale +-90.0 rotate 0.0 792.0 translate +.01 -.01 scale} bind def +%%EndProlog +%%Page: 0 1 +BS +0 SI +20 /Times-Bold AF +18823 13788 MT +(Kerberos Installation Notes)SH +27156 15798 MT +(DRAFT)SH +16 /Times-Roman AF +27021 23502 MT +(Bill Bryant)SH +25557 25150 MT +(Jennifer Steiner)SH +27289 26798 MT +(John Kohl)SH +23957 30444 MT +(Project Athena, MIT)SH +/Times-Bold SF +19489 36042 MT +(Initial Release, January 24, 1989)SH +/Times-Italic SF +17558 37690 MT +(\050plus later patches through patchlevel 7\051)SH +11 /Times-Roman AF +7200 45644 MT +(The release consists of three parts.)SH +7200 47942 MT +(The first part consists of the core Kerberos system, which was developed at MIT and does not require)SH +7200 49138 MT +(additional licenses for us to distribute. Included in this part are the Kerberos authentication server, the)SH +7200 50334 MT +(Kerberos library, the)SH +/Times-Italic SF +16606 XM +(ndbm)SH +/Times-Roman SF +19325 XM +(database interface library, user programs, administration programs, manual)SH +7200 51530 MT +(pages, some applications which use Kerberos for authentication, and some utilities.)SH +7200 53828 MT +(The second part is the Data Encryption Standard \050DES\051 library, which we are distributing only within the)SH +7200 55024 MT +(United States.)SH +7200 57322 MT +(The third part contains Kerberos modifications to Sun's NFS, which we distribute as ``context diffs'' to)SH +7200 58518 MT +(the Sun NFS source code. 
Its distribution is controlled to provide an accounting of who has retrieved the)SH +7200 59714 MT +(patches, so that Project Athena can comply with its agreements with Sun regarding distribution of these)SH +7200 60910 MT +(changes.)SH +ES +%%Page: 1 2 +BS +0 SI +16 /Times-Bold AF +7200 8272 MT +(1. Organization) +400 W( of the Source Directory)SH +11 /Times-Roman AF +7200 10467 MT +(The Kerberos building and installation process, as described in this document, builds the binaries and)SH +7200 11663 MT +(executables from the files contained in the Kerberos source tree, and deposits them in a separate object)SH +7200 12859 MT +(tree. This) +275 W( is intended to easily support several different build trees from a single source tree \050this is useful)SH +7200 14055 MT +(if you support several machine architectures\051. We suggest that you copy the Kerberos sources into a)SH +/Times-Italic SF +7200 15251 MT +(/mit/kerberos/src)SH +/Times-Roman SF +14991 XM +(directory, and create as well a)SH +/Times-Italic SF +28396 XM +(/mit/kerberos/obj)SH +/Times-Roman SF +36249 XM +(directory in which to hold the)SH +7200 16447 MT +(executables. In) +275 W( the rest of this document, we'll refer to the Kerberos source and object directories as)SH +7200 17643 MT +([SOURCE_DIR] and [OBJ_DIR], respectively.)SH +7200 19941 MT +(Below is a brief overview of the organization of the complete source directory. 
More detailed)SH +7200 21137 MT +(descriptions follow.)SH +/Times-Bold SF +7200 23088 MT +(admin)SH +/Times-Roman SF +18200 XM +(utilities for the Kerberos administrator)SH +/Times-Bold SF +7200 24783 MT +(appl)SH +/Times-Roman SF +18200 XM +(applications that use Kerberos)SH +/Times-Bold SF +7200 26478 MT +(appl/bsd)SH +/Times-Roman SF +18200 XM +(Berkeley's rsh/rlogin suite, using Kerberos)SH +/Times-Bold SF +7200 28173 MT +(appl/knetd)SH +/Times-Roman SF +18200 XM +(\050old\051 software for inetd-like multiplexing of a single TCP listening port)SH +/Times-Bold SF +7200 29868 MT +(appl/sample)SH +/Times-Roman SF +18200 XM +(sample application servers and clients)SH +/Times-Bold SF +7200 31563 MT +(appl/tftp)SH +/Times-Roman SF +18200 XM +(Trivial File Transfer Protocol, using Kerberos)SH +/Times-Bold SF +7200 33258 MT +(include)SH +/Times-Roman SF +18200 XM +(include files)SH +/Times-Bold SF +7200 34953 MT +(kadmin)SH +/Times-Roman SF +18200 XM +(remote administrative interface to the Kerberos master database)SH +/Times-Bold SF +7200 36648 MT +(kuser)SH +/Times-Roman SF +18200 XM +(assorted user programs)SH +/Times-Bold SF +7200 38343 MT +(lib)SH +/Times-Roman SF +18200 XM +(libraries for use with/by Kerberos)SH +/Times-Bold SF +7200 40038 MT +(lib/acl)SH +/Times-Roman SF +18200 XM +(Access Control List library)SH +/Times-Bold SF +7200 41733 MT +(lib/des)SH +/Times-Roman SF +18200 XM +(Data Encryption Standard library \050US only\051)SH +/Times-Bold SF +7200 43428 MT +(lib/kadm)SH +/Times-Roman SF +18200 XM +(administrative interface library)SH +/Times-Bold SF +7200 45123 MT +(lib/kdb)SH +/Times-Roman SF +18200 XM +(Kerberos server library interface to)SH +/Times-Italic SF +33925 XM +(ndbm)SH +/Times-Bold SF +7200 46818 MT +(lib/knet)SH +/Times-Roman SF +18200 XM +(\050old\051 library for use with)SH +/Times-Bold SF +29349 XM +(knetd)SH +7200 48513 MT +(lib/krb)SH +/Times-Roman SF +18200 XM +(Kerberos library)SH +/Times-Bold SF +7200 50208 MT +(man)SH 
+/Times-Roman SF +18200 XM +(manual pages)SH +/Times-Bold SF +7200 51903 MT +(prototypes)SH +/Times-Roman SF +18200 XM +(sample configuration files)SH +/Times-Bold SF +7200 53598 MT +(server)SH +/Times-Roman SF +18200 XM +(the authentication server)SH +/Times-Bold SF +7200 55293 MT +(slave)SH +/Times-Roman SF +18200 XM +(Kerberos slave database propagation software)SH +/Times-Bold SF +7200 56988 MT +(tools)SH +/Times-Roman SF +18200 XM +(shell scripts for maintaining the source tree)SH +/Times-Bold SF +7200 58683 MT +(util)SH +/Times-Roman SF +18200 XM +(utilities)SH +/Times-Bold SF +7200 60378 MT +(util/imake)SH +/Times-Roman SF +18200 XM +(Imakefile-to-Makefile ``compilation'' tool)SH +/Times-Bold SF +7200 62073 MT +(util/ss)SH +/Times-Roman SF +18200 XM +(Sub-system library \050for command line subsystems\051)SH +/Times-Bold SF +7200 63768 MT +(util/et)SH +/Times-Roman SF +18200 XM +(Error-table library \050for independent, unique error codes\051)SH +/Times-Bold SF +7200 65463 MT +(util/makedepend)SH +/Times-Roman SF +18200 XM +(Makefile dependency generator tool)SH +10 SS +7200 75600 MT +(MIT Project Athena)SH +30350 XM +(1)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 2 3 +BS +0 SI +14 /Times-Bold AF +7200 8167 MT +(1.1 The)350 W +/Times-BoldItalic SF +12334 XM +(admin)SH +/Times-Bold SF +16340 XM +(Directory)SH +11 /Times-Roman AF +7200 10362 MT +(This directory contains source for the Kerberos master database administration tools.)SH +/Times-Bold SF +7200 12313 MT +(kdb_init)SH +/Times-Roman SF +18200 XM +(This program creates and initializes the Kerberos master database. 
It prompts)SH +18200 13509 MT +(for a Kerberos realmname, and the Kerberos master password.)SH +/Times-Bold SF +7200 15204 MT +(kstash)SH +/Times-Roman SF +18200 XM +(This program ``stashes'' the master password in the file)SH +/Times-Italic SF +43033 XM +(/.k)SH +/Times-Roman SF +44377 XM +(so that the master)SH +18200 16400 MT +(server machine can restart the Kerberos server automatically after an unattended)SH +18200 17596 MT +(reboot. The) +275 W( hidden password is also available to administrative programs that)SH +18200 18792 MT +(have been set to run automatically.)SH +/Times-Bold SF +7200 20487 MT +(kdb_edit)SH +/Times-Roman SF +18200 XM +(This program is a low-level tool for editing the master database.)SH +/Times-Bold SF +7200 22182 MT +(kdb_destroy)SH +/Times-Roman SF +18200 XM +(This program deletes the master database.)SH +/Times-Bold SF +7200 23877 MT +(kdb_util)SH +/Times-Roman SF +18200 XM +(This program can be used to dump the master database into an ascii file, and can)SH +18200 25073 MT +(also be used to load the ascii file into the master database.)SH +/Times-Bold SF +7200 26768 MT +(ext_srvtab)SH +/Times-Roman SF +18200 XM +(This program extracts information from the master database and creates a host-)SH +18200 27964 MT +(dependent)SH +/Times-Italic SF +22995 XM +(srvtab)SH +/Times-Roman SF +26020 XM +(file. This) +275 W( file contains the Kerberos keys for the host's)SH +18200 29160 MT +(``Kerberized'' services. 
These services look up their keys in the)SH +/Times-Italic SF +46846 XM +(srvtab)SH +/Times-Roman SF +49871 XM +(file for)SH +18200 30356 MT +(use in the authentication process.)SH +14 /Times-Bold AF +7200 34203 MT +(1.2 The)350 W +/Times-BoldItalic SF +12334 XM +(kuser)SH +/Times-Bold SF +15874 XM +(Directory)SH +11 /Times-Roman AF +7200 36398 MT +(This directory contains the source code for several user-oriented programs.)SH +/Times-Bold SF +7200 38349 MT +(kinit)SH +/Times-Roman SF +18200 XM +(This program prompts users for their usernames and Kerberos passwords, then)SH +18200 39545 MT +(furnishes them with Kerberos ticket-granting tickets.)SH +/Times-Bold SF +7200 41240 MT +(kdestroy)SH +/Times-Roman SF +18200 XM +(This program destroys any active tickets. Users should use)SH +/Times-Italic SF +44563 XM +(kdestroy)SH +/Times-Roman SF +48564 XM +(before they)SH +18200 42436 MT +(log off their workstations.)SH +/Times-Bold SF +7200 44131 MT +(klist)SH +/Times-Roman SF +18200 XM +(This program lists a user's active tickets.)SH +/Times-Bold SF +7200 45826 MT +(ksrvtgt)SH +/Times-Roman SF +18200 XM +(This retrieves a ticket-granting ticket with a life time of five minutes, using a)SH +18200 47022 MT +(server's secret key in lieu of a password. It is primarily for use in shell scripts)SH +18200 48218 MT +(and other batch facilities.)SH +/Times-Bold SF +7200 49913 MT +(ksu)SH +/Times-Roman SF +18200 XM +(Substitute user id, using Kerberos to mediate attempts to change to ``root''.)SH +14 /Times-Bold AF +7200 53760 MT +(1.3 The)350 W +/Times-BoldItalic SF +12334 XM +(appl)SH +/Times-Bold SF +15173 XM +(Directory)SH +11 /Times-Roman AF +7200 55955 MT +(If your site has the appropriate BSD license, your Kerberos release provides certain Unix utilities The)SH +7200 57151 MT +(Berkeley programs that have been modified to use Kerberos authentication are found in the)SH +/Times-Italic SF +47640 XM +(appl/bsd)SH +/Times-Roman SF +7200 58347 MT +(directory. 
They) +275 W( include)SH +/Times-Italic SF +18043 XM +(login)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +20855 XM +(rlogin)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +24095 XM +(rsh)SH +/Times-Roman SF +(, and)SH +/Times-Italic SF +27914 XM +(rcp)SH +/Times-Roman SF +(, as well as the associated daemon programs)SH +/Times-Italic SF +49081 XM +(kshd)SH +/Times-Roman SF +51372 XM +(and)SH +/Times-Italic SF +7200 59543 MT +(klogind)SH +/Times-Roman SF +(. The)275 W +/Times-Italic SF +13310 XM +(login)SH +/Times-Roman SF +15847 XM +(program obtains ticket-granting tickets for users upon login; the other utilities provide)SH +7200 60739 MT +(authenticated Unix network services.)SH +7200 63037 MT +(The)SH +/Times-Italic SF +9185 XM +(appl)SH +/Times-Roman SF +11416 XM +(directory also contains samples Kerberos application client and server programs, an)SH +7200 64233 MT +(authenticated)SH +/Times-Italic SF +13339 XM +(tftp)SH +/Times-Roman SF +15082 XM +(program,)SH +/Times-Italic SF +19358 XM +(knetd)SH +/Times-Roman SF +(, an authenticated inet daemon.)SH +10 SS +7200 75600 MT +(MIT Project Athena)SH +30350 XM +(2)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 3 4 +BS +0 SI +14 /Times-Bold AF +7200 8167 MT +(1.4 The)350 W +/Times-BoldItalic SF +12334 XM +(server)SH +/Times-Bold SF +16185 XM +(Directory)SH +11 /Times-Roman AF +7200 10362 MT +(The)SH +/Times-Italic SF +9185 XM +(server)SH +/Times-Roman SF +12208 XM +(directory contains the Kerberos KDC server, called)SH +/Times-Italic SF +35052 XM +(kerberos)SH +/Times-Roman SF +(. 
This) +275 W( program manages read-)SH +7200 11558 MT +(only requests made to the master database, distributing tickets and encryption keys to clients requesting)SH +7200 12754 MT +(authentication service.)SH +14 /Times-Bold AF +7200 16601 MT +(1.5 The)350 W +/Times-BoldItalic SF +12334 XM +(kadmin)SH +/Times-Bold SF +17040 XM +(Directory)SH +11 /Times-Roman AF +7200 18796 MT +(The)SH +/Times-Italic SF +9185 XM +(kadmin)SH +/Times-Roman SF +12698 XM +(directory contains the Kerberos administration server and associated client programs. The)SH +7200 19992 MT +(server accepts network requests from the user program)SH +/Times-Italic SF +31570 XM +(kpasswd)SH +/Times-Roman SF +35573 XM +(\050used to change a user's password\051, the)SH +7200 21188 MT +(Kerberos administration program)SH +/Times-Italic SF +22137 XM +(kadmin)SH +/Times-Roman SF +(, and the srvtab utility program)SH +/Times-Italic SF +39276 XM +(ksrvutil)SH +/Times-Roman SF +(. The) +275 W( administration)SH +7200 22384 MT +(server can make modifications to the master database.)SH +14 /Times-Bold AF +7200 26231 MT +(1.6 The)350 W +/Times-BoldItalic SF +12334 XM +(include)SH +/Times-Bold SF +16962 XM +(Directory)SH +11 /Times-Roman AF +7200 28426 MT +(This directory contains the)SH +/Times-Italic SF +19236 XM +(include)SH +/Times-Roman SF +22749 XM +(files needed to build the Kerberos system.)SH +14 /Times-Bold AF +7200 32273 MT +(1.7 The)350 W +/Times-BoldItalic SF +12334 XM +(lib)SH +/Times-Bold SF +14162 XM +(Directory)SH +11 /Times-Roman AF +7200 34468 MT +(The)SH +/Times-Italic SF +9185 XM +(lib)SH +/Times-Roman SF +10622 XM +(directory has six subdirectories:)SH +/Times-Italic SF +25193 XM +(acl)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +27087 XM +(des)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +29103 XM +(kadm)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +32035 XM +(kdb)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +34173 XM +(knet)SH +/Times-Roman SF +(, and)SH +/Times-Italic SF +38418 XM 
+(krb)SH +/Times-Roman SF +(. The)275 W +/Times-Italic SF +42694 XM +(des)SH +/Times-Roman SF +44435 XM +(directory contains)SH +7200 35664 MT +(source for the DES encryption library. The)SH +/Times-Italic SF +26595 XM +(kadm)SH +/Times-Roman SF +29252 XM +(directory contains source for the Kerberos)SH +7200 36860 MT +(administration server utility library. The)SH +/Times-Italic SF +25439 XM +(kdb)SH +/Times-Roman SF +27302 XM +(directory contains source for the Kerberos database routine)SH +7200 38056 MT +(library. The)275 W +/Times-Italic SF +12942 XM +(knet)SH +/Times-Roman SF +15049 XM +(directory contains source for a library used by clients of the)SH +/Times-Italic SF +41530 XM +(knetd)SH +/Times-Roman SF +44187 XM +(server. The)275 W +/Times-Italic SF +49683 XM +(krb)SH +/Times-Roman SF +7200 39252 MT +(directory contains source for the)SH +/Times-Italic SF +21707 XM +(libkrb.a)SH +/Times-Roman SF +25435 XM +(library. This) +275 W( library contains routines that are used by the)SH +7200 40448 MT +(Kerberos server program, and by applications programs that require authentication service.)SH +14 /Times-Bold AF +7200 44295 MT +(1.8 The)350 W +/Times-BoldItalic SF +12334 XM +(man)SH +/Times-Bold SF +15251 XM +(Directory)SH +11 /Times-Roman AF +7200 46490 MT +(This directory contains manual pages for Kerberos programs and library routines.)SH +14 /Times-Bold AF +7200 50337 MT +(1.9 The)350 W +/Times-BoldItalic SF +12334 XM +(prototypes)SH +/Times-Bold SF +18596 XM +(Directory)SH +11 /Times-Roman AF +7200 52532 MT +(This directory contains prototype)SH +/Times-Italic SF +22108 XM +(/etc/services)SH +/Times-Roman SF +27819 XM +(and)SH +/Times-Italic SF +29682 XM +(/etc/krb.conf)SH +/Times-Roman SF +35486 XM +(files. 
New) +275 W( entries must be added to the)SH +/Times-Italic SF +7200 53728 MT +(/etc/services)SH +/Times-Roman SF +12911 XM +(file for the Kerberos server, and possibly for Kerberized applications \050)SH +/Times-Italic SF +(services.append)SH +/Times-Roman SF +7200 54924 MT +(contains the entries used by the Athena-provided servers & applications, and is suitable for appending to)SH +7200 56120 MT +(your existing)SH +/Times-Italic SF +13250 XM +(/etc/services)SH +/Times-Roman SF +18961 XM +(file.\051. The)275 W +/Times-Italic SF +23878 XM +(/etc/krb.conf)SH +/Times-Roman SF +29682 XM +(file defines the local Kerberos realm for its host and)SH +7200 57316 MT +(lists Kerberos servers for given realms. The)SH +/Times-Italic SF +26961 XM +(/etc/krb.realms)SH +/Times-Roman SF +33865 XM +(file defines exceptions for mapping machine)SH +7200 58512 MT +(names to Kerberos realms.)SH +14 /Times-Bold AF +7200 62359 MT +(1.10 The)350 W +/Times-BoldItalic SF +13034 XM +(tools)SH +/Times-Bold SF +16107 XM +(Directory)SH +11 /Times-Roman AF +7200 64554 MT +(This directory contains a makefile to set up a directory tree for building the software in, and a shell script)SH +7200 65750 MT +(to format code in the style we use.)SH +10 SS +7200 75600 MT +(MIT Project Athena)SH +30350 XM +(3)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 4 5 +BS +0 SI +14 /Times-Bold AF +7200 8167 MT +(1.11 The)350 W +/Times-BoldItalic SF +13034 XM +(util)SH +/Times-Bold SF +15329 XM +(Directory)SH +11 /Times-Roman AF +7200 10362 MT +(This directory contains several utility programs and libraries. 
Included are Larry Wall's)SH +/Times-Italic SF +46296 XM +(patch)SH +/Times-Roman SF +49015 XM +(program, a)SH +/Times-Italic SF +7200 11558 MT +(make)SH +/Times-Roman SF +9795 XM +(pre-processor program called)SH +/Times-Italic SF +22956 XM +(imake)SH +/Times-Roman SF +(, and a program for generating Makefile dependencies,)SH +/Times-Italic SF +7200 12754 MT +(makedepend)SH +/Times-Roman SF +(, as well as the Sub-system library and utilities \050)SH +/Times-Italic SF +(ss)SH +/Times-Roman SF +(\051, and the Error table library and utilities)SH +7200 13950 MT +(\050)SH +/Times-Italic SF +(et)SH +/Times-Roman SF +(\051.)SH +16 /Times-Bold AF +7200 18622 MT +(2. Preparing) +400 W( for Installation)SH +11 /Times-Roman AF +7200 20817 MT +(This document assumes that you will build the system on the machine on which you plan to install the)SH +7200 22013 MT +(Kerberos master server and its database. You'll need about 10 megabytes for source and executables.)SH +7200 24311 MT +(By default, there must be a)SH +/Times-Italic SF +19327 XM +(/kerberos)SH +/Times-Roman SF +23756 XM +(directory on the master server machine in which to store the)SH +7200 25507 MT +(Kerberos database files. If the master server machine does not have room on its root partition for these)SH +7200 26703 MT +(files, create a)SH +/Times-Italic SF +13306 XM +(/kerberos)SH +/Times-Roman SF +17735 XM +(symbolic link to another file system.)SH +16 /Times-Bold AF +7200 31375 MT +(3. Preparing) +400 W( for the Build)SH +11 /Times-Roman AF +7200 33570 MT +(Before you build the system, you have to choose a)SH +/Times-Bold SF +29653 XM +(realm name)SH +/Times-Roman SF +(, the name that specifies the system's)SH +7200 34766 MT +(administrative domain. Project Athena uses the internet domain name ATHENA.MIT.EDU to specify its)SH +7200 35962 MT +(Kerberos realm name. 
We recommend using a name of this form.)SH +/Times-Bold SF +36857 XM +(NOTE:)SH +/Times-Roman SF +40616 XM +(the realm-name is case)SH +7200 37158 MT +(sensitive; by convention, we suggest that you use your internet domain name, in capital letters.)SH +7200 39456 MT +(Edit the [SOURCE_DIR]/)SH +/Times-Italic SF +(include/krb.h)SH +/Times-Roman SF +24860 XM +(file and look for the following lines of code:)SH +10 SS +7200 75600 MT +(MIT Project Athena)SH +30350 XM +(4)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 5 6 +BS +0 SI +11 /Courier AF +8520 7886 MT +(/*)SH +9180 9000 MT +(* Kerberos specific definitions)SH +9180 10114 MT +(*)SH +9180 11228 MT +(* KRBLOG is the log file for the kerberos master server.)SH +9180 12342 MT +(* KRB_CONF is the configuration file where different host)SH +9180 13456 MT +(* machines running master and slave servers can be found.)SH +9180 14570 MT +(* KRB_MASTER is the name of the machine with the master)SH +9180 15684 MT +(* database. The admin_server runs on this machine, and all)SH +9180 16798 MT +(* changes to the db \050as opposed to read-only requests, which)SH +9180 17912 MT +(* can go to slaves\051 must go to it.)SH +9180 19026 MT +(* KRB_HOST is the default machine when looking for a kerberos)SH +9180 20140 MT +(* slave server. 
Other possibilities are in the KRB_CONF file.)SH +9180 21254 MT +(* KRB_REALM is the name of the realm.)SH +9180 22368 MT +(*/)SH +8520 24596 MT +(#ifdef notdef)SH +8520 25710 MT +(this is server-only, does not belong here;)SH +8520 26824 MT +(#define KRBLOG) +3960 W( "/kerberos/kerberos.log")5940 W +8520 27938 MT +(are these used anyplace '?';)SH +8520 29052 MT +(#define VX_KRB_HSTFILE) +9240 W( "/etc/krbhst")660 W +8520 30166 MT +(#define PC_KRB_HSTFILE) +9240 W( "\134\134kerberos\134\134krbhst")660 W +8520 31280 MT +(#endif)SH +8520 33508 MT +(#define KRB_CONF) +9240 W( "/etc/krb.conf")4620 W +8520 34622 MT +(#define KRB_RLM_TRANS) +9240 W( "/etc/krb.realms")1320 W +8520 35736 MT +(#define KRB_MASTER) +9240 W( "kerberos")3300 W +8520 36850 MT +(#define KRB_HOST) +9240 W( KRB_MASTER)5280 W +8520 37964 MT +(#define KRB_REALM) +9240 W( "ATHENA.MIT.EDU")3960 W +/Times-Roman SF +7200 39559 MT +(Edit the last line as follows:)SH +9400 41510 MT +(1.)SH +10500 XM +(Change the KRB_REALM definition so that it specifies the realm name you have chosen)SH +10500 42706 MT +(for your Kerberos system. 
This is a default which is usually overridden by a configuration)SH +10500 43902 MT +(file on each machine; however, if that config file is absent, many programs will use this)SH +10500 45098 MT +("built-in" realm name.)SH +14 /Times-Bold AF +7200 48945 MT +(3.1 The)350 W +/Times-BoldItalic SF +12334 XM +(/etc/krb.conf)SH +/Times-Bold SF +19956 XM +(File)SH +11 /Times-Roman AF +7200 51140 MT +(Create a)SH +/Times-Italic SF +11108 XM +(/etc/krb.conf)SH +/Times-Roman SF +16912 XM +(file using the following format:)SH +/Times-BoldItalic SF +8520 52740 MT +(realm_name)SH +8520 53854 MT +(realm_name master_server_name)1045 W +/Courier SF +25594 XM +(admin server)SH +/Times-Roman SF +7200 55449 MT +(where)SH +/Times-Italic SF +10161 XM +(realm_name)SH +/Times-Roman SF +15934 XM +(specifies the system's realm name, and)SH +/Times-Italic SF +33375 XM +(master_server_name)SH +/Times-Roman SF +42874 XM +(specifies the machine)SH +7200 56645 MT +(name on which you will run the master server. The words 'admin server' must appear next to the name of)SH +7200 57841 MT +(the server on which you intend to run the administration server \050which must be a machine with access to)SH +7200 59037 MT +(the database\051.)SH +7200 61335 MT +(For example, if your realm name is)SH +/Times-Italic SF +22962 XM +(tim.edu)SH +/Times-Roman SF +26506 XM +(and your master server's name is)SH +/Times-Italic SF +41288 XM +(kerberos.tim.edu)SH +/Times-Roman SF +(, the file)SH +7200 62531 MT +(should have these contents:)SH +/Courier SF +8520 64057 MT +(tim.edu)SH +8520 65171 MT +(tim.edu kerberos.tim.edu) +660 W( admin server)SH +/Times-Roman SF +7200 67469 MT +(See the [SOURCE_DIR]/)SH +/Times-Italic SF +(prototypes/etc.krb.conf)SH +/Times-Roman SF +28921 XM +(file for an example)SH +/Times-Italic SF +37533 XM +(/etc/krb.conf)SH +/Times-Roman SF +43337 XM +(file. 
That) +275 W( file has)SH +10 SS +7200 75600 MT +(MIT Project Athena)SH +30350 XM +(5)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 6 7 +BS +0 SI +11 /Times-Roman AF +7200 7955 MT +(examples of how to provide backup servers for a given realm \050additional lines with the same leading)SH +7200 9151 MT +(realm name\051 and how to designate servers for remote realms.)SH +14 /Times-Bold AF +7200 12998 MT +(3.2 The)350 W +/Times-BoldItalic SF +12334 XM +(/etc/krb.realms)SH +/Times-Bold SF +21280 XM +(File)SH +11 /Times-Roman AF +7200 15193 MT +(In many situations, the default realm in which a host operates will be identical to the domain portion its)SH +7200 16389 MT +(Internet domain name.)SH +7200 18687 MT +(If this is not the case, you will need to establish a translation from host name or domain name to realm)SH +7200 19883 MT +(name. This) +275 W( is accomplished with the)SH +/Times-Italic SF +23820 XM +(/etc/krb.realms)SH +/Times-Roman SF +30724 XM +(file.)SH +7200 22181 MT +(Each line of the translation file specifies either a hostname or domain name, and its associated realm:)SH +/Courier SF +8520 23707 MT +(.domain.name kerberos.realm1)SH +8520 24821 MT +(host.name kerberos.realm2)SH +/Times-Roman SF +7200 26416 MT +(For example, to map all hosts in the domain LSC.TIM.EDU to KRB.REALM1 but the host)SH +7200 27612 MT +(FILMS.LSC.TIM.EDU to KRB.REALM2 your file would read:)SH +/Courier SF +8520 29138 MT +(.LSC.TIM.EDU KRB.REALM1)SH +8520 30252 MT +(FILMS.LSC.TIM.EDU KRB.REALM2)SH +/Times-Roman SF +7200 31847 MT +(If a particular host matches both a domain and a host entry, the host entry takes precedence.)SH +16 /Times-Bold AF +7200 36519 MT +(4. Building) +400 W( the Software)SH +11 /Times-Roman AF +7200 38714 MT +(Before you build the software read the)SH +/Times-Bold SF +24395 XM +(README)SH +/Times-Roman SF +29558 XM +(file in [SOURCE_DIR]. 
What follows is a more)SH +7200 39910 MT +(detailed description of the instructions listed in README.)SH +9400 41861 MT +(1.)SH +10500 XM +(Create an [OBJ_DIR] directory to hold the tree of Kerberos object files you are about to)SH +10500 43057 MT +(build, for example,)SH +/Times-Italic SF +19145 XM +(/mit/kerberos/obj)SH +/Times-Roman SF +(.)SH +9400 44951 MT +(2.)SH +10500 XM +(Change directory to [OBJ_DIR]. The following command creates directories under)SH +10500 46147 MT +([OBJ_DIR] and installs Makefiles for the final build.)SH +/Courier SF +11820 47724 MT +(host%)SH +/Times-Bold SF +15780 XM +(make -f [SOURCE_DIR]/tools/makeconfig SRCDIR=[SOURCE_DIR])275 W +/Times-Roman SF +9400 49618 MT +(3.)SH +10500 XM +(Change directory to util/imake.includes. Read through config.Imakefile, turning on)SH +10500 50814 MT +(appropriate flags for your installation. Change SRCTOP so that it is set to the top level of)SH +10500 52010 MT +(your source directory.)SH +9400 53904 MT +(4.)SH +10500 XM +(Check that your machine type has a definition in include/osconf.h & related files in the)SH +10500 55100 MT +(source tree \050if it doesn't, then you may need to create your own; if you get successful)SH +10500 56296 MT +(results, please post to kerberos@athena.mit.edu\051)SH +9400 58190 MT +(5.)SH +10500 XM +(Change directory to [OBJ_DIR]. 
The next command generates new Makefiles based on the)SH +10500 59386 MT +(configuration you selected in config.Imakefile, then adds dependency information to the)SH +10500 60582 MT +(Makefiles, and finally builds the system:)SH +/Courier SF +11820 62159 MT +(host%)SH +/Times-Bold SF +15780 XM +(make world)275 W +/Times-Roman SF +10500 63754 MT +(This command takes a while to complete; you may wish to redirect the output onto a file)SH +10500 64950 MT +(and put the job in the background:)SH +/Courier SF +11820 66527 MT +(host%)SH +/Times-Bold SF +15780 XM +(make world) +275 W( >&WORLDLOG_891201 &)SH +/Times-Roman SF +10500 68122 MT +(If you need to rebuild the Kerberos programs and libraries after making a change, you can)SH +10 SS +7200 75600 MT +(MIT Project Athena)SH +30350 XM +(6)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 7 8 +BS +0 SI +11 /Times-Roman AF +10500 7955 MT +(usually just type:)SH +/Courier SF +11820 9532 MT +(host%)SH +/Times-Bold SF +15780 XM +(make all)275 W +/Times-Roman SF +10500 11127 MT +(However, if you changed the configuration in config.Imakefile or modified the Imakefiles)SH +10500 12323 MT +(or Makefiles, you should run)SH +/Times-Italic SF +23514 XM +(make world)SH +/Times-Roman SF +28952 XM +(to re-build all the Makefiles and dependency lists.)SH +14 /Times-Bold AF +7200 16141 MT +(4.1 Testing) +350 W( the DES Library)SH +11 /Times-Roman AF +7200 18336 MT +(Use the)SH +/Times-Italic SF +10804 XM +(verify)SH +/Times-Roman SF +13583 XM +(command to test the DES library implementation:)SH +/Courier SF +8520 19913 MT +(host%)SH +/Times-Bold SF +12480 XM +([OBJ_DIR]/lib/des/verify)SH +/Times-Roman SF +7200 21508 MT +(The command should display the following:)SH +10 SS +7200 75600 MT +(MIT Project Athena)SH +30350 XM +(7)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 8 9 +BS +0 SI +11 /Courier AF +8520 7886 MT +(Examples per FIPS publication 81, keys ivs and cipher)SH +8520 9000 MT +(in hex. 
These are the correct answers, see below for)SH +8520 10114 MT +(the actual answers.)SH +8520 12342 MT +(Examples per Davies and Price.)SH +8520 14570 MT +(EXAMPLE ECB) +SH( key) +2640 W( = 08192a3b4c5d6e7f)SH +13800 15684 MT +(clear = 0)SH +13800 16798 MT +(cipher = 25 dd ac 3e 96 17 64 67)SH +8520 17912 MT +(ACTUAL ECB)SH +13800 19026 MT +(clear "")SH +13800 20140 MT +(cipher =) +660 W( \050low to high bytes\051)SH +19080 21254 MT +(25 dd ac 3e 96 17 64 67)SH +8520 23482 MT +(EXAMPLE ECB) +SH( key) +2640 W( = 0123456789abcdef)SH +13800 24596 MT +(clear = "Now is the time for all ")SH +13800 25710 MT +(cipher = 3f a4 0e 8a 98 4d 48 15 ...)SH +8520 26824 MT +(ACTUAL ECB)SH +13800 27938 MT +(clear "Now is the time for all ")SH +13800 29052 MT +(cipher =) +660 W( \050low to high bytes\051)SH +19080 30166 MT +(3f a4 0e 8a 98 4d 48 15)SH +8520 32394 MT +(EXAMPLE CBC) +SH( key) +2640 W( = 0123456789abcdef iv = 1234567890abcdef)SH +13800 33508 MT +(clear = "Now is the time for all ")SH +13800 34622 MT +(cipher =) +SH( e5) +4620 W( c7 cd de 87 2b f2 7c)SH +24360 35736 MT +(43 e9 34 00 8c 38 9c 0f)SH +24360 36850 MT +(68 37 88 49 9a 7c 05 f6)SH +8520 37964 MT +(ACTUAL CBC)SH +13800 39078 MT +(clear "Now is the time for all ")SH +13800 40192 MT +(ciphertext = \050low to high bytes\051)SH +19080 41306 MT +(e5 c7 cd de 87 2b f2 7c)SH +19080 42420 MT +(43 e9 34 00 8c 38 9c 0f)SH +19080 43534 MT +(68 37 88 49 9a 7c 05 f6)SH +19080 44648 MT +(00 00 00 00 00 00 00 00)SH +19080 45762 MT +(00 00 00 00 00 00 00 00)SH +19080 46876 MT +(00 00 00 00 00 00 00 00)SH +19080 47990 MT +(00 00 00 00 00 00 00 00)SH +19080 49104 MT +(00 00 00 00 00 00 00 00)SH +13800 50218 MT +(decrypted clear_text = "Now is the time for all ")SH +8520 51332 MT +(EXAMPLE CBC checksum) +SH( key) +1980 W( = 0123456789abcdef iv = 1234567890abcdef)SH +13800 52446 MT +(clear =) +SH( "7654321) +5280 W( Now is the time for ")SH +13800 53560 MT +(checksum 58) +4620 W( d2 e7 7e 86 06 27 33 or some part thereof)SH +8520 
54674 MT +(ACTUAL CBC checksum)SH +19080 55788 MT +(encrypted cksum = \050low to high bytes\051)SH +19080 56902 MT +(58 d2 e7 7e 86 06 27 33)SH +/Times-Roman SF +7200 59200 MT +(If the)SH +/Times-Italic SF +9826 XM +(verify)SH +/Times-Roman SF +12605 XM +(command fails to display this information as specified above, the implementation of DES for)SH +7200 60396 MT +(your hardware needs to be adjusted. Your Kerberos system cannot work properly if your DES library)SH +7200 61592 MT +(fails this test.)SH +7200 63890 MT +(When you have finished building the software, you will find the executables in the object tree as follows:)SH +/Times-Bold SF +7200 65841 MT +([OBJ_DIR]/admin)SH +/Times-Italic SF +18200 XM +(ext_srvtab)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +23332 XM +(kdb_destroy)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +29258 XM +(kdb_edit)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +33596 XM +(kdb_init)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +37752 XM +(kdb_util)SH +/Times-Roman SF +(, and)SH +/Times-Italic SF +43771 XM +(kstash)SH +/Times-Roman SF +(.)SH +/Times-Bold SF +7200 67536 MT +([OBJ_DIR]/kuser)SH +/Times-Italic SF +18200 XM +(kdestroy)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +22476 XM +(kinit)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +24982 XM +(klist)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +27366 XM +(ksrvtgt)SH +/Times-Roman SF +(, and)SH +/Times-Italic SF +32773 XM +(ksu)SH +/Times-Roman SF +(.)SH +10 SS +7200 75600 MT +(MIT Project Athena)SH +30350 XM +(8)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 9 10 +BS +0 SI +11 /Times-Bold AF +7200 7955 MT +([OBJ_DIR]/server)SH +/Times-Italic SF +18200 XM +(kerberos)SH +/Times-Roman SF +(.)SH +/Times-Bold SF +7200 9650 MT +([OBJ_DIR]/appl/bsd)SH +/Times-Italic SF +18200 XM +(klogind)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +22050 XM +(kshd)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +24616 XM +(login.krb)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +29169 XM +(rcp)SH 
+/Times-Roman SF +(,)SH +/Times-Italic SF +31185 XM +(rlogin)SH +/Times-Roman SF +(, and)SH +/Times-Italic SF +36288 XM +(rsh)SH +/Times-Roman SF +(.)SH +/Times-Bold SF +7200 11345 MT +([OBJ_DIR]/appl/knetd)SH +/Times-Italic SF +18200 XM +(knetd)SH +/Times-Roman SF +(.)SH +/Times-Bold SF +7200 13040 MT +([OBJ_DIR]/appl/sample)SH +/Times-Italic SF +18200 14236 MT +(sample_server)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +25164 XM +(sample_client)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +31824 XM +(simple_server)SH +/Times-Roman SF +(, and)SH +/Times-Italic SF +40407 XM +(simple_client)SH +/Times-Roman SF +(.)SH +/Times-Bold SF +7200 15931 MT +([OBJ_DIR]/appl/tftp)SH +/Times-Italic SF +18200 XM +(tcom)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +20888 XM +(tftpd)SH +/Times-Roman SF +(, and)SH +/Times-Italic SF +25319 XM +(tftp)SH +/Times-Roman SF +(.)SH +/Times-Bold SF +7200 17626 MT +([OBJ_DIR]/slave)SH +/Times-Italic SF +18200 XM +(kprop)SH +/Times-Roman SF +21041 XM +(and)SH +/Times-Italic SF +22904 XM +(kpropd)SH +/Times-Roman SF +(.)SH +16 /Times-Bold AF +7200 22298 MT +(5. Installing) +400 W( the Software)SH +11 /Times-Roman AF +7200 24493 MT +(To install the software, issue the)SH +/Times-Italic SF +21711 XM +(make install)SH +/Times-Roman SF +27333 XM +(command from the [OBJ_DIR] \050you need to be a privileged)SH +7200 25689 MT +(user in order to properly install the programs\051. Programs can either be installed in default directories, or)SH +7200 26885 MT +(under a given root directory, as described below.)SH +14 /Times-Bold AF +7200 30703 MT +(5.1 The) +350 W( ``Standard'' Places)SH +11 /Times-Roman AF +7200 32898 MT +(If you use the)SH +/Times-Italic SF +13492 XM +(make)SH +/Times-Roman SF +16087 XM +(command as follows:)SH +/Courier SF +8520 34475 MT +(host#)SH +/Times-Bold SF +12480 XM +(make install)275 W +/Times-Roman SF +7200 36070 MT +(the installation process will try to install the various parts of the system in ``standard'' directories. 
This)SH +7200 37266 MT +(process creates the ``standard'' directories as needed.)SH +7200 39564 MT +(The standard installation process copies things as follows:)SH +/Symbol SF +9169 41640 MT +(\267)SH +/Times-Roman SF +9950 XM +(The)SH +/Times-Italic SF +11935 XM +(include)SH +/Times-Roman SF +15448 XM +(files)SH +/Times-Italic SF +17617 XM +(krb.h)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +20458 XM +(des.h)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +23299 XM +(mit-copyright.h)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +30662 XM +(kadm.h)SH +/Times-Roman SF +34144 XM +(and)SH +/Times-Italic SF +36007 XM +(kadm_err.h)SH +/Times-Roman SF +41383 XM +(get copied to the)SH +/Times-Italic SF +9950 42836 MT +(/usr/include)SH +/Times-Roman SF +15481 XM +(directory.)SH +/Symbol SF +9169 44730 MT +(\267)SH +/Times-Roman SF +9950 XM +(The Kerberos libraries)SH +/Times-Italic SF +20119 XM +(libdes.a)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +24122 XM +(libkrb.a)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +28125 XM +(libkdb.a)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +32250 XM +(libkadm.a)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +37169 XM +(libknet.a)SH +/Times-Roman SF +(, and)SH +/Times-Italic SF +43401 XM +(libacl.a)SH +/Times-Roman SF +47007 XM +(get)SH +9950 45926 MT +(copied to the)SH +/Times-Italic SF +15907 XM +(/usr/athena/lib)SH +/Times-Roman SF +22662 XM +(\050or wherever you pointed LIBDIR in config.Imakefile\051)SH +9950 47122 MT +(directory.)SH +/Symbol SF +9169 49016 MT +(\267)SH +/Times-Roman SF +9950 XM +(The Kerberos master database utilities)SH +/Times-Italic SF +27085 XM +(kdb_init)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +31241 XM +(kdb_destroy)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +37167 XM +(kdb_edit)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +41505 XM +(kdb_util)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +45661 XM +(kstash)SH +/Times-Roman SF +(, and)SH +/Times-Italic SF +9950 50212 MT +(ext_srvtab)SH +/Times-Roman SF 
+14807 XM +(get copied to the)SH +/Times-Italic SF +22383 XM +(/usr/etc)SH +/Times-Roman SF +25958 XM +(\050DAEMDIR\051 directory.)SH +/Symbol SF +9169 52106 MT +(\267)SH +/Times-Roman SF +9950 XM +(The Kerberos user utilities)SH +/Times-Italic SF +21924 XM +(kinit)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +24430 XM +(kdestroy)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +28706 XM +(klist)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +31090 XM +(ksrvtgt)SH +/Times-Roman SF +34359 XM +(and)SH +/Times-Italic SF +36222 XM +(ksu)SH +/Times-Roman SF +37963 XM +(get copied to the)SH +/Times-Italic SF +45539 XM +(/usr/athena)SH +/Times-Roman SF +9950 53302 MT +(\050PROGDIR\051 directory.)SH +/Symbol SF +9169 55196 MT +(\267)SH +/Times-Roman SF +9950 XM +(The modified Berkeley utilities)SH +/Times-Italic SF +24004 XM +(rsh)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +25960 XM +(rlogin)SH +/Times-Roman SF +28925 XM +(get copied to the)SH +/Times-Italic SF +36501 XM +(/usr/ucb)SH +/Times-Roman SF +40382 XM +(\050UCBDIR\051 directory;)SH +/Times-Italic SF +9950 56392 MT +(rcp)SH +/Times-Roman SF +11691 XM +(gets copied to the)SH +/Times-Italic SF +19695 XM +(/bin)SH +/Times-Roman SF +21682 XM +(\050SLASHBINDIR\051 directory; and)SH +/Times-Italic SF +36375 XM +(rlogind)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +40165 XM +(rshd)SH +/Times-Roman SF +(, and)SH +/Times-Italic SF +44534 XM +(login.krb)SH +/Times-Roman SF +48812 XM +(get)SH +9950 57588 MT +(copied to the)SH +/Times-Italic SF +15907 XM +(/usr/etc)SH +/Times-Roman SF +19482 XM +(\050DAEMDIR\051 directory. The old copies of the user programs are)SH +9950 58784 MT +(renamed)SH +/Times-Italic SF +14011 XM +(rsh.ucb)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +17830 XM +(rlogin.ucb)SH +/Times-Roman SF +22658 XM +(and)SH +/Times-Italic SF +24521 XM +(rcp.ucb)SH +/Times-Roman SF +(, respectively. 
The Kerberos versions of these)SH +9950 59980 MT +(programs are designed to fall back and execute the original versions if something prevents)SH +9950 61176 MT +(the Kerberos versions from succeeding.)SH +/Symbol SF +9169 63070 MT +(\267)SH +/Times-Roman SF +9950 XM +(The Kerberos version of)SH +/Times-Italic SF +20944 XM +(tftp)SH +/Times-Roman SF +22687 XM +(and)SH +/Times-Italic SF +24550 XM +(tcom)SH +/Times-Roman SF +26963 XM +(get copied to the)SH +/Times-Italic SF +34539 XM +(/usr/athena)SH +/Times-Roman SF +39826 XM +(\050PROGDIR\051 directory;)SH +/Times-Italic SF +9950 64266 MT +(tftpd)SH +/Times-Roman SF +12243 XM +(gets copied to the)SH +/Times-Italic SF +20247 XM +(/etc)SH +/Times-Roman SF +22110 XM +(\050ETCDIR\051 directory.)SH +/Times-Italic SF +31884 XM +(tftp)SH +/Times-Roman SF +33627 XM +(and)SH +/Times-Italic SF +35490 XM +(tftpd)SH +/Times-Roman SF +37783 XM +(are installed set-uid to an)SH +9950 65462 MT +(unprivileged user \050user id of DEF_UID\051.)SH +/Symbol SF +9169 67356 MT +(\267)SH +/Times-Roman SF +9950 XM +(The)SH +/Times-Italic SF +11935 XM +(knetd)SH +/Times-Roman SF +14592 XM +(daemon gets copied to the)SH +/Times-Italic SF +26353 XM +(/usr/etc)SH +/Times-Roman SF +29928 XM +(\050DAEMDIR\051 directory.)SH +10 SS +7200 75600 MT +(MIT Project Athena)SH +30350 XM +(9)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 10 11 +BS +0 SI +11 /Symbol AF +9169 8080 MT +(\267)SH +/Times-Roman SF +9950 XM +(The Kerberos server)SH +/Times-Italic SF +19201 XM +(kerberos)SH +/Times-Roman SF +(, the slave propagation software)SH +/Times-Italic SF +37343 XM +(kprop)SH +/Times-Roman SF +40184 XM +(and)SH +/Times-Italic SF +42047 XM +(kpropd)SH +/Times-Roman SF +(, and the)SH +9950 9276 MT +(administration server)SH +/Times-Italic SF +19542 XM +(kadmind)SH +/Times-Roman SF +23605 XM +(get copied to the)SH +/Times-Italic SF +31181 XM +(/usr/etc)SH +/Times-Roman SF +34756 XM +(\050SVRDIR, SVRDIR, and)SH +9950 10472 MT +(DAEMDIR\051 directory.)SH +/Symbol 
SF +9169 12366 MT +(\267)SH +/Times-Roman SF +9950 XM +(The remote administration tools)SH +/Times-Italic SF +24310 XM +(kpasswd)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +28588 XM +(ksrvutil)SH +/Times-Roman SF +32163 XM +(and)SH +/Times-Italic SF +34026 XM +(kadmin)SH +/Times-Roman SF +37539 XM +(get copied to the)SH +/Times-Italic SF +45115 XM +(/usr/athena)SH +/Times-Roman SF +9950 13562 MT +(\050PROGDIR\051 directory.)SH +/Symbol SF +9169 15456 MT +(\267)SH +/Times-Roman SF +9950 XM +(The Kerberos manual pages get installed in the appropriate)SH +/Times-Italic SF +36187 XM +(/usr/man)SH +/Times-Roman SF +40374 XM +(directories. Don't)275 W +9950 16652 MT +(forget to run)SH +/Times-Italic SF +15723 XM +(makewhatis)SH +/Times-Roman SF +21192 XM +(after installing the manual pages.)SH +14 /Times-Bold AF +7200 20470 MT +(5.2 ``Non-Standard'') +350 W( Installation)SH +11 /Times-Roman AF +7200 22665 MT +(If you'd rather install the software in a different location, you can use the)SH +/Times-Italic SF +39667 XM +(make)SH +/Times-Roman SF +42262 XM +(command as follows,)SH +7200 23861 MT +(where [DEST_DIR] specifies an alternate destination directory which will be used as the root for the)SH +7200 25057 MT +(installed programs, i.e. programs that would normally be installed in /usr/athena would be installed in)SH +7200 26253 MT +([DEST_DIR]/usr/athena.)SH +/Courier SF +8520 27830 MT +(host#)SH +/Times-Bold SF +12480 XM +(make install DESTDIR=[DEST_DIR])275 W +16 SS +7200 32502 MT +(6. Conclusion)400 W +11 /Times-Roman AF +7200 34697 MT +(Now that you have built and installed your Kerberos system, use the accompanying Kerberos Operation)SH +4030 50 44224 34897 UL +4398 50 48529 34897 UL +7200 35893 MT +(Notes to create a Kerberos Master database, install authenticated services, and start the Kerberos server.)SH +2566 50 7200 36093 UL +16 /Times-Bold AF +7200 40565 MT +(7. 
Acknowledgements)400 W +11 /Times-Roman AF +7200 42760 MT +(We'd like to thank Henry Mensch and Jon Rochlis for helping us debug this document.)SH +10 SS +7200 75600 MT +(MIT Project Athena)SH +30100 XM +(10)SH +47890 XM +(4 January 1990)SH +ES +%%Page: i 12 +BS +0 SI +14 /Times-Bold AF +25272 8138 MT +(Table of Contents)SH +13 SS +7200 9781 MT +(1. Organization) +325 W( of the Source Directory)SH +53350 XM +(1)SH +12 /Times-Roman AF +9000 11136 MT +(1.1 The)300 W +/Times-BoldItalic SF +13266 XM +(admin)SH +/Times-Roman SF +16701 XM +(Directory)SH +53400 XM +(2)SH +9000 12491 MT +(1.2 The)300 W +/Times-BoldItalic SF +13266 XM +(kuser)SH +/Times-Roman SF +16300 XM +(Directory)SH +53400 XM +(2)SH +9000 13846 MT +(1.3 The)300 W +/Times-BoldItalic SF +13266 XM +(appl)SH +/Times-Roman SF +15700 XM +(Directory)SH +53400 XM +(2)SH +9000 15201 MT +(1.4 The)300 W +/Times-BoldItalic SF +13266 XM +(server)SH +/Times-Roman SF +16566 XM +(Directory)SH +53400 XM +(3)SH +9000 16556 MT +(1.5 The)300 W +/Times-BoldItalic SF +13266 XM +(kadmin)SH +/Times-Roman SF +17301 XM +(Directory)SH +53400 XM +(3)SH +9000 17911 MT +(1.6 The)300 W +/Times-BoldItalic SF +13266 XM +(include)SH +/Times-Roman SF +17234 XM +(Directory)SH +53400 XM +(3)SH +9000 19266 MT +(1.7 The)300 W +/Times-BoldItalic SF +13266 XM +(lib)SH +/Times-Roman SF +14834 XM +(Directory)SH +53400 XM +(3)SH +9000 20621 MT +(1.8 The)300 W +/Times-BoldItalic SF +13266 XM +(man)SH +/Times-Roman SF +15767 XM +(Directory)SH +53400 XM +(3)SH +9000 21976 MT +(1.9 The)300 W +/Times-BoldItalic SF +13266 XM +(prototypes)SH +/Times-Roman SF +18634 XM +(Directory)SH +53400 XM +(3)SH +9000 23331 MT +(1.10 The)300 W +/Times-BoldItalic SF +13866 XM +(tools)SH +/Times-Roman SF +16501 XM +(Directory)SH +53400 XM +(3)SH +9000 24686 MT +(1.11 The)300 W +/Times-BoldItalic SF +13866 XM +(util)SH +/Times-Roman SF +15835 XM +(Directory)SH +53400 XM +(4)SH +13 /Times-Bold AF +7200 26329 MT +(2. 
Preparing) +325 W( for Installation)SH +53350 XM +(4)SH +7200 27972 MT +(3. Preparing) +325 W( for the Build)SH +53350 XM +(4)SH +12 /Times-Roman AF +9000 29327 MT +(3.1 The)300 W +/Times-BoldItalic SF +13266 XM +(/etc/krb.conf)SH +/Times-Roman SF +19801 XM +(File)SH +53400 XM +(5)SH +9000 30682 MT +(3.2 The)300 W +/Times-BoldItalic SF +13266 XM +(/etc/krb.realms)SH +/Times-Roman SF +20936 XM +(File)SH +53400 XM +(6)SH +13 /Times-Bold AF +7200 32325 MT +(4. Building) +325 W( the Software)SH +53350 XM +(6)SH +12 /Times-Roman AF +9000 33674 MT +(4.1 Testing) +300 W( the DES Library)SH +53400 XM +(7)SH +13 /Times-Bold AF +7200 35317 MT +(5. Installing) +325 W( the Software)SH +53350 XM +(9)SH +12 /Times-Roman AF +9000 36666 MT +(5.1 The) +300 W( ``Standard'' Places)SH +53400 XM +(9)SH +9000 38015 MT +(5.2 ``Non-Standard'') +300 W( Installation)SH +52800 XM +(10)SH +13 /Times-Bold AF +7200 39658 MT +(6. Conclusion)325 W +52700 XM +(10)SH +7200 41301 MT +(7. Acknowledgements)325 W +52700 XM +(10)SH +10 /Times-Roman AF +7200 75600 MT +(MIT Project Athena)SH +30461 XM +(i)SH +47890 XM +(4 January 1990)SH +ES +%%Trailer +%%Pages: 12 +%%DocumentFonts: Times-Roman Times-Bold Times-Italic Times-BoldItalic Courier Symbol diff --git a/doc/old-V4-docs/installation.mss b/doc/old-V4-docs/installation.mss new file mode 100644 index 0000000..0a2ae75 --- /dev/null +++ b/doc/old-V4-docs/installation.mss 
@@ -0,0 +1,681 @@
+@Comment[ $Source$]
+@Comment[ $Author$]
+@Comment[ $Id$]
+@Comment[]
+@device[postscript]
+@make[report]
+@comment[
+@DefineFont(HeadingFont,
+ P=,
+ B=,
+ I=,
+ R=)
+]
+@DefineFont(HeadingFont,
+ P=,
+ B=,
+ I=,
+ R=)
+@Counter(MajorPart,TitleEnv HD0,ContentsEnv tc0,Numbered [@I],
+ IncrementedBy Use,Announced)
+@Counter(Chapter,TitleEnv HD1,ContentsEnv tc1,Numbered [@1. ],
+ IncrementedBy Use,Referenced [@1],Announced)
+@Counter(Appendix,TitleEnv HD1,ContentsEnv tc1,Numbered [@A. ],
+ IncrementedBy,Referenced [@A],Announced,Alias Chapter)
+@Counter(UnNumbered,TitleEnv HD1,ContentsEnv tc1,Announced,Alias
+ Chapter)
+@Counter(Section,Within Chapter,TitleEnv HD2,ContentsEnv tc2,
+ Numbered [@#@:.@1 ],Referenced [@#@:.@1],IncrementedBy
+ Use,Announced)
+@Counter(AppendixSection,Within Appendix,TitleEnv HD2,
+ ContentsEnv tc2,
+ Numbered [@#@:.@1 ],Referenced [@#@:.@1],IncrementedBy
+ Use,Announced)
+@Counter(SubSection,Within Section,TitleEnv HD3,ContentsEnv tc3,
+ Numbered [@#@:.@1 ],IncrementedBy Use,
+ Referenced [@#@:.@1 ])
+@Counter(AppendixSubSection,Within AppendixSection,TitleEnv HD3,
+ ContentsEnv tc3,
+ Numbered [@#@:.@1 ],IncrementedBy Use,
+ Referenced [@#@:.@1 ])
+@Counter(Paragraph,Within SubSection,TitleEnv HD4,ContentsEnv tc4,
+ Numbered [@#@:.@1 ],Referenced [@#@:.@1],
+ IncrementedBy Use)
+@modify(CopyrightNotice, Fixed -1 inch, Flushright)
+@Modify(Titlebox, Fixed 3.0 inches)
+@Modify(hd1, below .2 inch, facecode B, size 16, spaces kept, pagebreak off)
+@Modify(hd2, below .2 inch, facecode B, size 14, spaces kept)
+@Modify(hd3, below .2 inch, facecode B, size 12, spaces kept)
+@Modify(Description, Leftmargin +20, Indent -20,below 1 line, above 1 line)
+@Modify(Tc1, Above .5, Facecode B)
+@Modify(Tc2, Above .25, Below .25, Facecode R)
+@Modify(Tc3,Facecode R)
+@Modify(Tc4,Facecode R)
+@Modify(Itemize,Above 1line,Below 1line)
+@Modify(Insert,LeftMargin +2, RightMargin +2)
+@libraryfile[stable]
+@comment[@Style(Font 
NewCenturySchoolBook, size 11)]
+@Style(Font TimesRoman, size 11)
+@Style(Spacing 1.1, indent 0)
+@Style(leftmargin 1.0inch)
+@Style(justification no)
+@Style(BottomMargin 1.5inch)
+@Style(ChangeBarLocation Right)
+@Style(ChangeBars=off)
+@pageheading[immediate]
+@pagefooting[immediate, left = "MIT Project Athena", center = "@value(page)",
+right = "@value(date)"]
+@set[page = 0]
+@blankspace[.5 inches]
+@begin[group, size 20]
+@begin(center)
+@b[Kerberos Installation Notes]
+@b[DRAFT]
+@end[center]
+@end(group)
+@blankspace[.5 inches]
+@begin[group, size 16]
+@begin(center)
+Bill Bryant
+Jennifer Steiner
+John Kohl
+@blankspace[1 line]
+Project Athena, MIT
+@blankspace[.5 inches]
+@b[Initial Release, January 24, 1989]
+@i[(plus later patches through patchlevel 7)]
+@end[center]
+@end(group)
+@begin[group, size 10]
+@end[group]
+@blankspace[.75 inches]
+
+
+The release consists of three parts.
+
+The first part consists of the core Kerberos system, which was developed
+at MIT and does not require additional licenses for us to distribute.
+Included in this part are the Kerberos authentication server, the
+Kerberos library, the
+@i[ndbm]
+database interface library, user programs, administration programs,
+manual pages, some applications which use Kerberos for authentication,
+and some utilities.
+
+The second part is the Data Encryption Standard (DES) library, which we
+are distributing only within the United States.
+
+The third part contains Kerberos modifications to Sun's NFS, which we
+distribute as ``context diffs'' to the Sun NFS source code. Its
+distribution is controlled to provide an accounting of who has retrieved
+the patches, so that Project Athena can comply with its agreements with
+Sun regarding distribution of these changes. 
+
+@newpage()
+@chapter[Organization of the Source Directory]
+
+The Kerberos building and installation process,
+as described in this document,
+builds the binaries and executables from the files contained in the Kerberos
+source tree, and deposits them in a separate object tree.
+This is intended to easily support several different build trees from a
+single source tree (this is useful if you support several machine
+architectures).
+We suggest that you copy the Kerberos sources into a
+@i[/mit/kerberos/src] directory,
+and create as well a @i[/mit/kerberos/obj] directory in which
+to hold the executables.
+In the rest of this document, we'll refer to the Kerberos
+source and object directories as [SOURCE_DIR]
+and [OBJ_DIR], respectively.
+
+Below is a brief overview of the organization of the complete
+source directory.
+More detailed descriptions follow.
+
+@begin[description]
+
+@b[admin]@\utilities for the Kerberos administrator
+
+@b[appl]@\applications that use Kerberos
+
+@b[appl/bsd]@\Berkeley's rsh/rlogin suite, using Kerberos
+
+@b[appl/knetd]@\(old) software for inetd-like multiplexing of a single
+TCP listening port
+
+@b[appl/sample]@\sample application servers and clients
+
+@b[appl/tftp]@\Trivial File Transfer Protocol, using Kerberos
+
+@b[include]@\include files
+
+@b[kadmin]@\remote administrative interface to the Kerberos master database
+
+@b[kuser]@\assorted user programs
+
+@b[lib]@\libraries for use with/by Kerberos
+
+@b[lib/acl]@\Access Control List library
+
+@b[lib/des]@\Data Encryption Standard library (US only)
+
+@b[lib/kadm]@\administrative interface library
+
+@b[lib/kdb]@\Kerberos server library interface to @i[ndbm]
+
+@b[lib/knet]@\(old) library for use with @b[knetd]
+
+@b[lib/krb]@\Kerberos library
+
+@b[man]@\manual pages
+
+@b[prototypes]@\sample configuration files
+
+@b[server]@\the authentication server
+
+@b[slave]@\Kerberos slave database propagation software
+
+@b[tools]@\shell scripts for maintaining the source tree 
+
+@b[util]@\utilities
+
+@b[util/imake]@\Imakefile-to-Makefile ``compilation'' tool
+
+@b[util/ss]@\Sub-system library (for command line subsystems)
+
+@b[util/et]@\Error-table library (for independent, unique error codes)
+
+@b[util/makedepend]@\Makefile dependency generator tool
+
+@end[description]
+
+@section[The @p(admin) Directory]
+
+This directory contains source for
+the Kerberos master database administration tools.
+@begin[description]
+@b[kdb_init]@\This program creates and initializes the
+Kerberos master database.
+It prompts for a Kerberos realmname, and the Kerberos master password.
+
+@b[kstash]@\This program ``stashes'' the master password in the file
+@i[/.k] so that the master server machine can restart the Kerberos
+server automatically after an unattended reboot.
+The hidden password is also available to administrative programs
+that have been set to run automatically.
+
+@b[kdb_edit]@\This program is a low-level tool for editing
+the master database.
+
+@b[kdb_destroy]@\This program deletes the master database.
+
+@b[kdb_util]@\This program can be used to dump the master database
+into an ascii file, and can also be used to load the ascii file
+into the master database.
+
+@b[ext_srvtab]@\This program extracts information from the master
+database and creates a host-dependent @i[srvtab] file.
+This file contains the Kerberos keys for the host's
+``Kerberized'' services.
+These services look up their keys in the @i[srvtab] file
+for use in the authentication process.
+@end[description]
+
+@section[The @p(kuser) Directory]
+
+This directory contains the source code for several user-oriented
+programs.
+@begin[description]
+@b[kinit]@\This program prompts users for their usernames and
+Kerberos passwords, then furnishes them with Kerberos ticket-granting
+tickets.
+
+@b[kdestroy]@\This program destroys any active tickets.
+Users should use @i[kdestroy] before they log off their workstations. 
+
+@b[klist]@\This program lists a user's active tickets.
+
+@b[ksrvtgt]@\This retrieves a ticket-granting ticket with a life time
+of five minutes, using a server's secret key in lieu of a password. It
+is primarily for use in shell scripts and other batch facilities.
+
+@b[ksu]@\Substitute user id, using Kerberos to mediate attempts to
+change to ``root''.
+@end[description]
+
+@section[The @p(appl) Directory]
+
+If your site has the appropriate BSD license,
+your Kerberos release provides certain Unix utilities
+The Berkeley programs that have been modified to use Kerberos
+authentication are found in the @i[appl/bsd] directory.
+They include @i[login], @i[rlogin], @i[rsh], and @i[rcp], as well as the
+associated daemon programs @i[kshd] and @i[klogind].
+The @i[login] program obtains ticket-granting tickets for users
+upon login; the other utilities provide authenticated
+Unix network services.
+
+The @i[appl] directory also contains samples Kerberos application
+client and server programs, an authenticated @i[tftp] program,
+@i[knetd], an authenticated inet daemon.
+
+@section[The @p(server) Directory]
+
+The @i[server] directory contains the Kerberos KDC server, called
+@i[kerberos].
+This program manages read-only requests made to the
+master database,
+distributing tickets and encryption keys to clients requesting
+authentication service.
+
+@section[The @p(kadmin) Directory]
+
+The @i[kadmin] directory contains the Kerberos administration server and
+associated client programs.
+The server accepts network requests from the
+user program @i[kpasswd] (used to change a user's password), the
+Kerberos administration program @i(kadmin), and the srvtab utility
+program @i[ksrvutil].
+The administration server can make modifications to the master database.
+
+@section[The @p(include) Directory]
+
+This directory contains the @i[include] files needed to
+build the Kerberos system. 
+
+@section[The @p(lib) Directory]
+
+The @i[lib] directory has six subdirectories:
+@i[acl], @i[des], @i[kadm], @i[kdb], @i[knet], and @i[krb].
+The @i[des] directory contains source for the DES encryption library.
+The @i[kadm] directory contains source for the Kerberos administration
+server utility library.
+The @i[kdb] directory contains source for the Kerberos database
+routine library.
+The @i[knet] directory contains source for a library used by clients of
+the @i[knetd] server.
+The @i[krb] directory contains source for the @i[libkrb.a]
+library.
+This library contains routines that are used by the Kerberos server program,
+and by applications programs that require authentication service.
+
+@section[The @p(man) Directory]
+
+This directory contains manual pages for Kerberos programs and
+library routines.
+
+@section[The @p(prototypes) Directory]
+
+This directory contains prototype
+@i[/etc/services] and @i[/etc/krb.conf] files.
+New entries must be added to the @i[/etc/services] file for
+the Kerberos server, and possibly for Kerberized applications
+(@i[services.append] contains the entries used by the Athena-provided
+servers & applications, and is suitable for appending to your existing
+@i[/etc/services] file.).
+The @i[/etc/krb.conf] file defines the local Kerberos realm
+for its host and lists Kerberos servers for given realms.
+The @i[/etc/krb.realms] file defines exceptions for mapping machine
+names to Kerberos realms.
+
+@section[The @p(tools) Directory]
+
+This directory contains
+a makefile to set up a directory tree
+for building the software in, and
+a shell script to format code in the
+style we use.
+
+
+@section[The @p(util) Directory]
+
+This directory contains several utility programs and libraries. 
+Included are Larry Wall's @i[patch] program, a @i[make] pre-processor
+program called
+@i[imake], and a program for generating Makefile dependencies,
+@i[makedepend], as well as the Sub-system library and
+utilities (@i[ss]), and the Error table library and utilities (@i[et]).
+
+@chapter[Preparing for Installation]
+
+This document assumes that you will build the system
+on the machine on which you plan to install
+the Kerberos master server and its database.
+You'll need about 10 megabytes for source and executables.
+
+By default, there must be
+a @i[/kerberos] directory on the master server machine
+in which to store the Kerberos
+database files.
+If the master server machine does not have room on its root partition
+for these files,
+create a @i[/kerberos] symbolic link to another file system.
+
+@chapter[Preparing for the Build]
+
+Before you build the system,
+you have to choose a @b[realm name],
+the name that specifies the system's administrative domain.
+Project Athena uses the internet domain name ATHENA.MIT.EDU
+to specify its Kerberos realm name.
+We recommend using a name of this form.
+@b[NOTE:] the realm-name is case sensitive; by convention, we suggest
+that you use your internet domain name, in capital letters.
+
+Edit the [SOURCE_DIR]/@i[include/krb.h] file and look for the following
+lines of code:
+@begin[example]
+/*
+ * Kerberos specific definitions
+ *
+ * KRBLOG is the log file for the kerberos master server.
+ * KRB_CONF is the configuration file where different host
+ * machines running master and slave servers can be found.
+ * KRB_MASTER is the name of the machine with the master
+ * database. The admin_server runs on this machine, and all
+ * changes to the db (as opposed to read-only requests, which
+ * can go to slaves) must go to it.
+ * KRB_HOST is the default machine when looking for a kerberos
+ * slave server. Other possibilities are in the KRB_CONF file.
+ * KRB_REALM is the name of the realm. 
+ */
+
+#ifdef notdef
+this is server-only, does not belong here;
+#define KRBLOG "/kerberos/kerberos.log"
+are these used anyplace '?';
+#define VX_KRB_HSTFILE "/etc/krbhst"
+#define PC_KRB_HSTFILE "\\kerberos\\krbhst"
+#endif
+
+#define KRB_CONF "/etc/krb.conf"
+#define KRB_RLM_TRANS "/etc/krb.realms"
+#define KRB_MASTER "kerberos"
+#define KRB_HOST KRB_MASTER
+#define KRB_REALM "ATHENA.MIT.EDU"
+@end[example]
+Edit the last line as follows:
+@begin[enumerate]
+Change the KRB_REALM definition so that it specifies the realm name
+you have chosen for your Kerberos system. This is a default which is
+usually overridden by a configuration file on each machine; however, if
+that config file is absent, many programs will use this "built-in" realm
+name.
+@end[enumerate]
+
+@section[The @p(/etc/krb.conf) File]
+
+Create a @i[/etc/krb.conf] file using the following format:
+@begin[example]
+@p[realm_name]
+@p[realm_name] @p[master_server_name] admin server
+@end[example]
+where @i[realm_name] specifies the system's realm name,
+and @i[master_server_name] specifies the machine name on
+which you will run the master server. The words 'admin server' must
+appear next to the name of the server on which you intend to run the
+administration server (which must be a machine with access to the database).
+
+For example,
+if your realm name is @i[tim.edu] and your master server's name is
+@i[kerberos.tim.edu], the file should have these contents:
+@begin[example]
+tim.edu
+tim.edu kerberos.tim.edu admin server
+@end[example]
+
+See the [SOURCE_DIR]/@i[prototypes/etc.krb.conf] file for an
+example @i[/etc/krb.conf] file. That file has examples of how to
+provide backup servers for a given realm (additional lines with the same
+leading realm name) and how to designate servers for remote realms.
+
+@section[The @p(/etc/krb.realms) File]
+
+In many situations, the default realm in which a host operates will be
+identical to the domain portion its Internet domain name. 
+
+If this is not the case, you will need to establish a translation from
+host name or domain name to realm name. This is accomplished with the
+@i(/etc/krb.realms) file.
+
+Each line of the translation file specifies either a hostname or domain
+name, and its associated realm:
+@begin[example]
+.domain.name kerberos.realm1
+host.name kerberos.realm2
+@end[example]
+For example, to map all hosts in the domain LSC.TIM.EDU to KRB.REALM1
+but the host FILMS.LSC.TIM.EDU to KRB.REALM2 your file would read:
+@begin[example]
+.LSC.TIM.EDU KRB.REALM1
+FILMS.LSC.TIM.EDU KRB.REALM2
+@end[example]
+If a particular host matches both a domain and a host entry, the host
+entry takes precedence.
+
+@chapter[Building the Software]
+
+Before you build the software
+read the @b[README] file in [SOURCE_DIR].
+What follows is a more detailed description of the instructions
+listed in README.
+@begin[enumerate]
+Create an [OBJ_DIR] directory to hold the tree of Kerberos object files you
+are about to build, for example,
+@i[/mit/kerberos/obj].
+
+Change directory to [OBJ_DIR].
+The following command creates directories under [OBJ_DIR]
+and installs Makefiles for the final build.
+@begin[example, rightmargin -7]
+host% @b(make -f [SOURCE_DIR]/tools/makeconfig SRCDIR=[SOURCE_DIR])
+@end[example]
+
+
+
+Change directory to util/imake.includes. Read through config.Imakefile,
+turning on appropriate flags for your installation. Change SRCTOP so
+that it is set to the top level of your source directory.
+
+Check that your machine type has a definition in include/osconf.h &
+related files in the source tree (if it doesn't, then you may need to
+create your own; if you get successful results, please post to
+kerberos@@athena.mit.edu)
+
+Change directory to [OBJ_DIR]. 
The next command generates new Makefiles
+based on the configuration you selected in config.Imakefile, then adds
+dependency information to the Makefiles, and finally builds the system:
+@begin[example, rightmargin -7]
+host% @b(make world)
+@end[example]
+This command takes a while to complete; you may wish to redirect the
+output onto a file and put the job in the background:
+@begin[example, rightmargin -7]
+host% @b(make world >&WORLDLOG_891201 &)
+@end[example]
+If you need to rebuild the Kerberos programs and libraries after making
+a change, you can usually just type:
+@begin[example, rightmargin -7]
+host% @b(make all)
+@end[example]
+However, if you changed the configuration in config.Imakefile or modified
+the Imakefiles or Makefiles, you should run @i[make world] to re-build
+all the Makefiles and dependency lists.
+@end(enumerate)
+
+@section[Testing the DES Library]
+
+Use the @i[verify] command to test the DES library
+implementation:
+@begin[example]
+host% @b([OBJ_DIR]/lib/des/verify)
+@end[example]
+The command should display the following:
+@begin[example, rightmargin -10]
+Examples per FIPS publication 81, keys ivs and cipher
+in hex. These are the correct answers, see below for
+the actual answers.
+
+Examples per Davies and Price.
+
+EXAMPLE ECB key = 08192a3b4c5d6e7f
+ clear = 0
+ cipher = 25 dd ac 3e 96 17 64 67
+ACTUAL ECB
+ clear ""
+ cipher = (low to high bytes)
+ 25 dd ac 3e 96 17 64 67
+
+EXAMPLE ECB key = 0123456789abcdef
+ clear = "Now is the time for all "
+ cipher = 3f a4 0e 8a 98 4d 48 15 ...
+ACTUAL ECB
+ clear "Now is the time for all "
+ cipher = (low to high bytes)
+ 3f a4 0e 8a 98 4d 48 15
+
+EXAMPLE CBC key = 0123456789abcdef iv = 1234567890abcdef
+ clear = "Now is the time for all "
+ cipher = e5 c7 cd de 87 2b f2 7c
+ 43 e9 34 00 8c 38 9c 0f
+ 68 37 88 49 9a 7c 05 f6
+ACTUAL CBC
+ clear "Now is the time for all "
+ ciphertext = (low to high bytes)
+ e5 c7 cd de 87 2b f2 7c
+ 43 e9 34 00 8c 38 9c 0f
+ 68 37 88 49 9a 7c 05 f6
+ 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00
+ decrypted clear_text = "Now is the time for all "
+EXAMPLE CBC checksum key = 0123456789abcdef iv = 1234567890abcdef
+ clear = "7654321 Now is the time for "
+ checksum 58 d2 e7 7e 86 06 27 33 or some part thereof
+ACTUAL CBC checksum
+ encrypted cksum = (low to high bytes)
+ 58 d2 e7 7e 86 06 27 33
+@end[example]
+
+If the @i[verify] command fails to display this information as specified
+above, the implementation of DES for your hardware needs to
+be adjusted.
+Your Kerberos system cannot work properly if your DES library
+fails this test.
+
+When you have finished building the software,
+you will find the executables in the object tree as follows:
+@begin[description]
+@b([OBJ_DIR]/admin)@\@i[ext_srvtab], @i[kdb_destroy],
+@i[kdb_edit], @i[kdb_init], @i[kdb_util], and @i[kstash].
+
+@b([OBJ_DIR]/kuser)@\@i[kdestroy], @i[kinit], @i[klist], @i[ksrvtgt],
+and @i[ksu].
+
+@b([OBJ_DIR]/server)@\@i[kerberos].
+
+@b([OBJ_DIR]/appl/bsd)@\@i[klogind], @i[kshd], @i[login.krb], @i[rcp],
+@i[rlogin], and @i[rsh].
+
+@b([OBJ_DIR]/appl/knetd)@\@i[knetd].
+
+@b([OBJ_DIR]/appl/sample)@\@i[sample_server], @i[sample_client],
+@i[simple_server], and @i[simple_client].
+
+@b([OBJ_DIR]/appl/tftp)@\@i[tcom], @i[tftpd], and @i[tftp].
+
+@b([OBJ_DIR]/slave)@\@i[kprop] and @i[kpropd].
+@end[description]
+
+@chapter[Installing the Software]
+
+To install the software, issue the @i[make install] command from
+the [OBJ_DIR] (you need to be a privileged user in order to
+properly install the programs).
+Programs can either be installed in default directories, or under
+a given root directory, as described below.
+
+@section[The ``Standard'' Places]
+
+If you use the @i[make] command as follows:
+@begin[example]
+host# @b(make install)
+@end[example]
+the installation process will try to install the various parts of the
+system in ``standard'' directories.
+This process creates the ``standard'' directories as needed.
+
+The standard installation process copies things as follows:
+@begin[itemize]
+The @i[include] files @i[krb.h], @i[des.h], @i[mit-copyright.h],
+@i[kadm.h] and @i[kadm_err.h] get copied to the
+@i[/usr/include] directory.
+
+The Kerberos libraries @i[libdes.a], @i[libkrb.a], @i[libkdb.a],
+@i[libkadm.a], @i[libknet.a], and @i[libacl.a] get copied
+to the @i[/usr/athena/lib] (or wherever you pointed LIBDIR in
+config.Imakefile) directory.
+
+The Kerberos master database utilities @i[kdb_init], @i[kdb_destroy],
+@i[kdb_edit], @i[kdb_util], @i[kstash], and @i[ext_srvtab] get copied to
+the @i[/usr/etc] (DAEMDIR) directory.
+
+The Kerberos user utilities @i[kinit], @i[kdestroy], @i[klist],
+@i[ksrvtgt] and @i[ksu] get copied to the @i[/usr/athena] (PROGDIR)
+directory.
+
+The modified Berkeley utilities @i[rsh], @i[rlogin] get copied to the
+@i[/usr/ucb] (UCBDIR) directory; @i[rcp] gets copied to the @i[/bin]
+(SLASHBINDIR) directory; and @i[rlogind], @i[rshd], and @i[login.krb]
+get copied to the @i[/usr/etc] (DAEMDIR) directory. The old copies of
+the user programs are renamed @i(rsh.ucb), @i(rlogin.ucb) and
+@i(rcp.ucb), respectively. The Kerberos versions of these programs are
+designed to fall back and execute the original versions if something
+prevents the Kerberos versions from succeeding.
+
+The Kerberos version of @i[tftp] and @i[tcom] get copied to the
+@i[/usr/athena] (PROGDIR) directory; @i[tftpd] gets copied to the
+@i[/etc] (ETCDIR) directory. @i[tftp] and @i[tftpd] are installed
+set-uid to an unprivileged user (user id of DEF_UID).
+
+The @i[knetd] daemon gets copied to the @i[/usr/etc] (DAEMDIR) directory.
+
+The Kerberos server @i[kerberos], the slave propagation software
+@i[kprop] and @i[kpropd], and the administration server @i[kadmind] get
+copied to the @i[/usr/etc] (SVRDIR, SVRDIR, and DAEMDIR) directory.
+
+The remote administration tools @i[kpasswd], @i[ksrvutil] and @i[kadmin]
+get copied to the @i[/usr/athena] (PROGDIR) directory.
+
+The Kerberos manual pages get installed in the appropriate
+@i[/usr/man] directories. Don't forget to run @i[makewhatis]
+after installing the manual pages.
+
+@end[itemize]
+
+@section[``Non-Standard'' Installation]
+
+If you'd rather install the software in a different location,
+you can use the @i[make] command as follows,
+where [DEST_DIR] specifies an alternate destination directory
+which will be used as the root for the installed programs, i.e. programs
+that would normally be installed in /usr/athena would be installed in
+[DEST_DIR]/usr/athena.
+@begin[example]
+host# @b(make install DESTDIR=[DEST_DIR])
+@end[example]
+
+@chapter[Conclusion]
+
+Now that you have built and installed your Kerberos system,
+use the accompanying @u[Kerberos Operation Notes]
+to create a Kerberos Master database, install authenticated services,
+and start the Kerberos server.
+
+@chapter [Acknowledgements]
+
+We'd like to thank Henry Mensch and Jon Rochlis for helping us debug
+this document.
diff --git a/doc/old-V4-docs/operation.PS b/doc/old-V4-docs/operation.PS
new file mode 100644
index 0000000..3afb8cf
--- /dev/null
+++ b/doc/old-V4-docs/operation.PS
@@ -0,0 +1,2669 @@ +%!PS-Adobe-2.0 +%%Title: operation.mss +%%DocumentFonts: (atend) +%%Creator: John T Kohl,,E40-351M,31510,6176432831 and Scribe 7(1700) +%%CreationDate: 4 January 1990 11:55 +%%Pages: (atend) +%%EndComments +% PostScript Prelude for Scribe. +/BS {/SV save def 0.0 792.0 translate .01 -.01 scale} bind def +/ES {showpage SV restore} bind def +/SC {setrgbcolor} bind def +/FMTX matrix def +/RDF {WFT SLT 0.0 eq + {SSZ 0.0 0.0 SSZ neg 0.0 0.0 FMTX astore} + {SSZ 0.0 SLT neg sin SLT cos div SSZ mul SSZ neg 0.0 0.0 FMTX astore} + ifelse makefont setfont} bind def +/SLT 0.0 def +/SI { /SLT exch cvr def RDF} bind def +/WFT /Courier findfont def +/SF { /WFT exch findfont def RDF} bind def +/SSZ 1000.0 def +/SS { /SSZ exch 100.0 mul def RDF} bind def +/AF { /WFT exch findfont def /SSZ exch 100.0 mul def RDF} bind def +/MT /moveto load def +/XM {currentpoint exch pop moveto} bind def +/UL {gsave newpath moveto dup 2.0 div 0.0 exch rmoveto + setlinewidth 0.0 rlineto stroke grestore} bind def +/LH {gsave newpath moveto setlinewidth + 0.0 rlineto + gsave stroke grestore} bind def +/LV {gsave newpath moveto setlinewidth + 0.0 exch rlineto + gsave stroke grestore} bind def +/BX {gsave newpath moveto setlinewidth + exch + dup 0.0 rlineto + exch 0.0 exch neg rlineto + neg 0.0 rlineto + closepath + gsave stroke grestore} bind def +/BX1 {grestore} bind def +/BX2 {setlinewidth 1 setgray stroke grestore} bind def +/PB {/PV save def newpath translate + 100.0 -100.0 scale pop /showpage {} def} bind def +/PE {PV restore} bind def +/GB {/PV save def newpath translate rotate + div dup scale 100.0 -100.0 scale /showpage {} def} bind def +/GE {PV restore} bind def +/FB {dict dup /FontMapDict exch def begin} bind def +/FM {cvn exch cvn exch def} bind def +/FE {end /original-findfont /findfont load def /findfont + {dup FontMapDict exch known{FontMapDict exch get} if + original-findfont} def} bind def +/BC {gsave moveto dup 0 exch rlineto exch 0 rlineto neg 0 exch rlineto 
closepath clip} bind def +/EC /grestore load def +/SH /show load def +/MX {exch show 0.0 rmoveto} bind def +/W {0 32 4 -1 roll widthshow} bind def +/WX {0 32 5 -1 roll widthshow 0.0 rmoveto} bind def +/RC {100.0 -100.0 scale +612.0 0.0 translate +-90.0 rotate +.01 -.01 scale} bind def +/URC {100.0 -100.0 scale +90.0 rotate +-612.0 0.0 translate +.01 -.01 scale} bind def +/RCC {100.0 -100.0 scale +0.0 -792.0 translate 90.0 rotate +.01 -.01 scale} bind def +/URCC {100.0 -100.0 scale +-90.0 rotate 0.0 792.0 translate +.01 -.01 scale} bind def +%%EndProlog +%%Page: 0 1 +BS +0 SI +20 /Times-Bold AF +19324 13788 MT +(Kerberos Operation Notes)SH +27156 15798 MT +(DRAFT)SH +16 /Times-Roman AF +27021 23502 MT +(Bill Bryant)SH +27289 25150 MT +(John Kohl)SH +23957 26798 MT +(Project Athena, MIT)SH +/Times-Bold SF +19489 32396 MT +(Initial Release, January 24, 1989)SH +/Times-Italic SF +17558 34044 MT +(\050plus later patches through patchlevel 7\051)SH +11 /Times-Roman AF +7200 43798 MT +(These notes assume that you have used the)SH +/Times-Italic SF +26322 XM +(Kerberos Installation Notes)SH +/Times-Roman SF +38821 XM +(to build and install your Kerberos)SH +7200 44994 MT +(system. As) +275 W( in that document, we refer to the directory that contains the built Kerberos binaries as)SH +7200 46190 MT +([OBJ_DIR].)SH +7200 48488 MT +(This document assumes that you are a Unix system manager.)SH +ES +%%Page: 1 2 +BS +0 SI +16 /Times-Bold AF +7200 8272 MT +(1. How) +400 W( Kerberos Works: A Schematic Description)SH +11 /Times-Roman AF +7200 10467 MT +(This section provides a simplified description of a general user's interaction with the Kerberos system.)SH +7200 11663 MT +(This interaction happens transparently--users don't need to know and probably don't care about what's)SH +7200 12859 MT +(going on--but Kerberos administrators might find a schematic description of the process useful. 
The)SH +7200 14055 MT +(description glosses over a lot of details; for more information, see)SH +/Times-Italic SF +36404 XM +(Kerberos: An Authentication Service)SH +7200 15251 MT +(for Open Network Systems)SH +/Times-Roman SF +(, a paper presented at Winter USENIX 1988, in Dallas, Texas.)SH +14 /Times-Bold AF +7200 19069 MT +(1.1 Network) +350 W( Services and Their Client Programs)SH +11 /Times-Roman AF +7200 21264 MT +(In an environment that provides network services, you use)SH +/Times-Italic SF +33164 XM +(client)SH +/Times-Roman SF +35883 XM +(programs to request service from)SH +/Times-Italic SF +50696 XM +(server)SH +/Times-Roman SF +7200 22460 MT +(programs that are somewhere on the network. Suppose you have logged in to a workstation and you want)SH +7200 23656 MT +(to)SH +/Times-Italic SF +8331 XM +(rlogin)SH +/Times-Roman SF +11296 XM +(to another machine. You use the local)SH +/Times-Italic SF +28493 XM +(rlogin)SH +/Times-Roman SF +31458 XM +(client program to contact the remote machine's)SH +/Times-Italic SF +7200 24852 MT +(rlogin)SH +/Times-Roman SF +10165 XM +(service daemon.)SH +14 /Times-Bold AF +7200 28670 MT +(1.2 Kerberos) +350 W( Tickets)SH +11 /Times-Roman AF +7200 30865 MT +(Under Kerberos, the)SH +/Times-Italic SF +16422 XM +(rlogin)SH +/Times-Roman SF +19387 XM +(service program allows a client to login to a remote machine if it can provide)SH +7200 32061 MT +(a Kerberos)SH +/Times-Bold SF +12268 XM +(ticket)SH +/Times-Roman SF +15169 XM +(for the request. This ticket proves the identity of the person who has used the client)SH +7200 33257 MT +(program to access the server program.)SH +14 /Times-Bold AF +7200 37075 MT +(1.3 The) +350 W( Kerberos Master Database)SH +11 /Times-Roman AF +7200 39270 MT +(Kerberos will give you tickets only if you have an entry in the Kerberos server's)SH +/Times-Bold SF +42845 XM +(master database)SH +/Times-Roman SF +(. 
Your)275 W +7200 40466 MT +(database entry includes your Kerberos username \050often referred to as your Kerberos)SH +/Times-Bold SF +44394 XM +(principal)SH +/Times-Roman SF +48949 XM +(name\051, and)SH +7200 41662 MT +(your Kerberos password. Every Kerberos user must have an entry in this database.)SH +14 /Times-Bold AF +7200 45480 MT +(1.4 The) +350 W( Ticket-Granting Ticket)SH +11 /Times-Roman AF +7200 47675 MT +(The)SH +/Times-Italic SF +9185 XM +(kinit)SH +/Times-Roman SF +11416 XM +(command prompts for your Kerberos username and password, and if you enter them)SH +7200 48871 MT +(successfully, you will obtain a Kerberos)SH +/Times-Italic SF +25131 XM +(ticket-granting ticket)SH +/Times-Roman SF +(. As) +275 W( illustrated below, client programs use)SH +7200 50067 MT +(this ticket to get other Kerberos tickets as needed.)SH +14 /Times-Bold AF +7200 53885 MT +(1.5 Network) +350 W( Services and the Master Database)SH +11 /Times-Roman AF +7200 56080 MT +(The master database also contains entries for all network services that require Kerberos authentication.)SH +7200 57276 MT +(Suppose for instance that your site has a machine)SH +/Times-Italic SF +29163 XM +(laughter)SH +/Times-Roman SF +33166 XM +(that requires Kerberos authentication from)SH +7200 58472 MT +(anyone who wants to)SH +/Times-Italic SF +16792 XM +(rlogin)SH +/Times-Roman SF +19757 XM +(to it. This service must be registered in the master database. Its entry)SH +7200 59668 MT +(includes the service's principal name, and its)SH +/Times-Bold SF +27238 XM +(instance)SH +/Times-Roman SF +(.)SH +7200 61966 MT +(The)SH +/Times-Italic SF +9185 XM +(instance)SH +/Times-Roman SF +13126 XM +(is the name of the service's machine; in this case, the service's instance is the name)SH +/Times-Italic SF +7200 63162 MT +(laughter)SH +/Times-Roman SF +(. The) +275 W( instance provides a means for Kerberos to distinguish between machines that provide the)SH +7200 64358 MT +(same service. 
Your site is likely to have more than one machine that provides)SH +/Times-Italic SF +41840 XM +(rlogin)SH +/Times-Roman SF +44805 XM +(service.)SH +10 SS +7200 75600 MT +(MIT Project Athena)SH +30350 XM +(1)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 2 3 +BS +0 SI +14 /Times-Bold AF +7200 8138 MT +(1.6 The) +350 W( User-Kerberos Interaction)SH +11 /Times-Roman AF +7200 10333 MT +(Suppose that you \050in the guise of a general user\051 walk up to a workstation intending to login to it, and)SH +7200 11529 MT +(then)SH +/Times-Italic SF +9369 XM +(rlogin)SH +/Times-Roman SF +12334 XM +(to the machine)SH +/Times-Italic SF +19085 XM +(laughter)SH +/Times-Roman SF +(. Here's) +275 W( what happens.)SH +9400 13480 MT +(1.)SH +10500 XM +(You login to the workstation and use the)SH +/Times-Italic SF +28648 XM +(kinit)SH +/Times-Roman SF +30879 XM +(command to to get a ticket-granting ticket.)SH +10500 14676 MT +(This command prompts you for your username \050your Kerberos Principal Name\051, and your)SH +10500 15872 MT +(Kerberos password [on some systems which use the new version of)SH +/Times-Italic SF +40465 XM +(/bin/login)SH +/Times-Roman SF +(, this may be)SH +10500 17068 MT +(done as part of the login process, not requiring the user to run a separate program].)SH +12762 19019 MT +(a.)SH +13800 XM +(The)SH +/Times-Italic SF +15785 XM +(kinit)SH +/Times-Roman SF +18016 XM +(command sends your request to the Kerberos master server machine. The)SH +13800 20215 MT +(server software looks for your principal name's entry in the Kerberos)SH +/Times-Bold SF +44555 XM +(master)SH +13800 21411 MT +(database)SH +/Times-Roman SF +(.)SH +12700 23305 MT +(b.)SH +13800 XM +(If this entry exists, the Kerberos server creates and returns a)SH +/Times-Italic SF +40430 XM +(ticket-granting ticket)SH +/Times-Roman SF +(,)SH +13800 24501 MT +(encrypted in your password. 
If)SH +/Times-Italic SF +27819 XM +(kinit)SH +/Times-Roman SF +30050 XM +(can decrypt the Kerberos reply using the)SH +13800 25697 MT +(password you provide, it stores this ticket in a)SH +/Times-Bold SF +34270 XM +(ticket file)SH +/Times-Roman SF +38912 XM +(on your local machine for)SH +13800 26893 MT +(later use. The ticket file to be used can be specified in the)SH +/Times-Bold SF +39609 XM +(KRBTKFILE)SH +/Times-Roman SF +13800 28089 MT +(environment variable. If this variable is not set, the name of the file will be)SH +/Times-Italic SF +13800 29285 MT +(/tmp/tkt)SH +/Times-BoldItalic SF +(uid)SH +/Times-Roman SF +(, where)SH +/Times-BoldItalic SF +22141 XM +(uid)SH +/Times-Roman SF +23884 XM +(is the UNIX user-id, represented in decimal.)SH +9400 31236 MT +(2.)SH +10500 XM +(Now you use the)SH +/Times-Italic SF +18198 XM +(rlogin)SH +/Times-Roman SF +21163 XM +(client to try to access the machine)SH +/Times-Italic SF +36344 XM +(laughter)SH +/Times-Roman SF +(.)SH +/Courier SF +11820 32813 MT +(host%)SH +/Times-Bold SF +15780 XM +(rlogin laughter)275 W +/Times-Roman SF +12762 34764 MT +(a.)SH +13800 XM +(The)SH +/Times-Italic SF +15785 XM +(rlogin)SH +/Times-Roman SF +18750 XM +(client checks your ticket file to see if you have a ticket for)SH +/Times-Italic SF +44559 XM +(laughter)SH +/Times-Roman SF +('s)SH +/Times-Italic SF +13800 35960 MT +(rcmd)SH +/Times-Roman SF +16335 XM +(service \050the rlogin program uses the)SH +/Times-Italic SF +32401 XM +(rcmd)SH +/Times-Roman SF +34936 XM +(service name, mostly for historical)SH +13800 37156 MT +(reasons\051. 
You) +275 W( don't, so)SH +/Times-Italic SF +24583 XM +(rlogin)SH +/Times-Roman SF +27548 XM +(uses the ticket file's)SH +/Times-Italic SF +36590 XM +(ticket-granting ticket)SH +/Times-Roman SF +46060 XM +(to make a)SH +13800 38352 MT +(request to the master server's ticket-granting service.)SH +12700 40246 MT +(b.)SH +13800 XM +(This ticket-granting service receives the)SH +/Times-Italic SF +31667 XM +(rcmd-laughter)SH +/Times-Roman SF +38296 XM +(request and looks in the)SH +13800 41442 MT +(master database for an)SH +/Times-Italic SF +23938 XM +(rcmd-laughter)SH +/Times-Roman SF +30567 XM +(entry. If) +275 W( that entry exists, the ticket-granting)SH +13800 42638 MT +(service issues you a ticket for that service. That ticket is also cached in your ticket)SH +13800 43834 MT +(file.)SH +12762 45728 MT +(c.)SH +13800 XM +(The)SH +/Times-Italic SF +15785 XM +(rlogin)SH +/Times-Roman SF +18750 XM +(client now uses that ticket to request service from the)SH +/Times-Italic SF +42454 XM +(laughter rlogin)SH +/Times-Roman SF +13800 46924 MT +(service program. The service program lets you)SH +/Times-Italic SF +34843 XM +(rlogin)SH +/Times-Roman SF +37808 XM +(if the ticket is valid.)SH +16 /Times-Bold AF +7200 51596 MT +(2. 
Setting) +400 W( Up and Testing the Kerberos Server)SH +11 /Times-Roman AF +7200 53791 MT +(The procedure for setting up and testing a Kerberos server is as follows:)SH +9400 55742 MT +(1.)SH +10500 XM +(Use the)SH +/Times-Italic SF +14104 XM +(kdb_init)SH +/Times-Roman SF +17985 XM +(command to create and initialize the master database.)SH +9400 57636 MT +(2.)SH +10500 XM +(Use the)SH +/Times-Italic SF +14104 XM +(kdb_edit)SH +/Times-Roman SF +18167 XM +(utility to add your username to the master database.)SH +9400 59530 MT +(3.)SH +10500 XM +(Start the Kerberos server.)SH +9400 61424 MT +(4.)SH +10500 XM +(Use the)SH +/Times-Italic SF +14104 XM +(kinit)SH +/Times-Roman SF +16335 XM +(command to obtain a Kerberos ticket-granting ticket.)SH +9400 63318 MT +(5.)SH +10500 XM +(Use the)SH +/Times-Italic SF +14104 XM +(klist)SH +/Times-Roman SF +16213 XM +(command to verify that the)SH +/Times-Italic SF +28402 XM +(kinit)SH +/Times-Roman SF +30633 XM +(command authenticated you successfully.)SH +10 SS +7200 75600 MT +(MIT Project Athena)SH +30350 XM +(2)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 3 4 +BS +0 SI +14 /Times-Bold AF +7200 8138 MT +(2.1 Creating) +350 W( and Initializing the Master Database)SH +11 /Times-Roman AF +7200 10333 MT +(Login to the Kerberos master server machine, and use the)SH +/Times-Bold SF +32825 XM +(su)SH +/Times-Roman SF +34140 XM +(command to become root. If you installed)SH +7200 11529 MT +(the Kerberos administration tools with the)SH +/Times-Italic SF +26020 XM +(make install)SH +/Times-Roman SF +31642 XM +(command and the default pathnames, they should)SH +7200 12725 MT +(be in the)SH +/Times-Italic SF +11263 XM +(/usr/etc)SH +/Times-Roman SF +14838 XM +(directory. If) +275 W( you installed the tools in a different directory, hopefully you know what it)SH +7200 13921 MT +(is. 
From) +275 W( now on, we will refer to this directory as [ADMIN_DIR].)SH +7200 16219 MT +(The)SH +/Times-Italic SF +9185 XM +(kdb_init)SH +/Times-Roman SF +13066 XM +(command creates and initializes the master database. It asks you to enter the system's realm)SH +7200 17415 MT +(name and the database's master password. Do not forget this password. If you do, the database becomes)SH +7200 18611 MT +(useless. \050Your) +275 W( realm name should be substituted for [REALMNAME] below.\051)SH +7200 20909 MT +(Use)SH +/Times-Italic SF +9185 XM +(kdb_init)SH +/Times-Roman SF +13066 XM +(as follows:)SH +/Courier SF +8520 22486 MT +(host#)SH +/Times-Bold SF +12480 XM +([ADMIN_DIR]/kdb_init)SH +/Courier SF +8520 23600 MT +(Realm name \050default XXX\051:)SH +/Times-Bold SF +25680 XM +([REALMNAME])SH +39600 XM +(<--)SH +/Times-BoldItalic SF +41619 XM +(Enter your system's realm name.)SH +/Courier SF +8520 24714 MT +(You will be prompted for the database Master Password.)SH +8520 25828 MT +(It is important that you NOT FORGET this password.)SH +8520 28056 MT +(Enter Kerberos master key:)SH +/Times-Bold SF +28800 XM +(<--)SH +/Times-BoldItalic SF +30819 XM +(Enter the master password.)SH +14 /Times-Bold AF +7200 32988 MT +(2.2 Storing) +350 W( the Master Password)SH +11 /Times-Roman AF +7200 35183 MT +(The)SH +/Times-Italic SF +9185 XM +(kstash)SH +/Times-Roman SF +12210 XM +(command ``stashes'' the master password in the file)SH +/Times-Italic SF +35424 XM +(/.k)SH +/Times-Roman SF +36768 XM +(so that the Kerberos server can be)SH +7200 36379 MT +(started automatically during an unattended reboot of the master server. Other administrative programs)SH +7200 37575 MT +(use this hidden password so that they can access the master database without someone having to manually)SH +7200 38771 MT +(provide the master password. 
This command is an optional one; if you'd rather enter the master password)SH +7200 39967 MT +(each time you start the Kerberos server, don't use)SH +/Times-Italic SF +29312 XM +(kstash)SH +/Times-Roman SF +(.)SH +7200 42265 MT +(One the one hand, if you use)SH +/Times-Italic SF +20090 XM +(kstash)SH +/Times-Roman SF +(, a copy of the master key will reside on disk which may not be)SH +7200 43461 MT +(acceptable; on the other hand, if you don't use)SH +/Times-Italic SF +27848 XM +(kstash)SH +/Times-Roman SF +(, the server cannot be started unless someone is)SH +7200 44657 MT +(around to type the password in manually.)SH +7200 46955 MT +(The command prompts you twice for the master password:)SH +/Courier SF +8520 48532 MT +(host#)SH +/Times-Bold SF +12480 XM +([ADMIN_DIR]/kstash)SH +/Courier SF +8520 50760 MT +(Enter Kerberos master key:)SH +/Times-Bold SF +28800 XM +(<--)SH +/Times-BoldItalic SF +30819 XM +(Enter the master password.)SH +/Courier SF +8520 51874 MT +(Current Kerberos master key version is 1.)SH +8520 54102 MT +(Master key entered) +SH( BEWARE!)1320 W +/Times-Roman SF +7200 56400 MT +(A note about the Kerberos database master key: if your master key is compromised and the database is)SH +7200 57596 MT +(obtained, the security of your entire authentication system is compromised. The master key must be a)SH +7200 58792 MT +(carefully kept secret. If you keep backups, you must guard all the master keys you use, in case someone)SH +7200 59988 MT +(has stolen an old backup and wants to attack users' whose passwords haven't changed since the backup)SH +7200 61184 MT +(was stolen. 
This is why we provide the option not to store it on disk.)SH +10 SS +7200 75600 MT +(MIT Project Athena)SH +30350 XM +(3)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 4 5 +BS +0 SI +14 /Times-Bold AF +7200 8167 MT +(2.3 Using)350 W +/Times-BoldItalic SF +13423 XM +(kdb_edit)SH +/Times-Bold SF +18673 XM +(to Add Users to the Master Database)SH +11 /Times-Roman AF +7200 10362 MT +(The)SH +/Times-Italic SF +9185 XM +(kdb_edit)SH +/Times-Roman SF +13248 XM +(program is used to add new users and services to the master database, and to modify)SH +7200 11558 MT +(existing database information. The program prompts you to enter a principal's)SH +/Times-Bold SF +42177 XM +(name)SH +/Times-Roman SF +45018 XM +(and)SH +/Times-Bold SF +46881 XM +(instance)SH +/Times-Roman SF +(.)SH +7200 13856 MT +(A principal name is typically a username or a service program's name. An instance further qualifies the)SH +7200 15052 MT +(principal. If) +275 W( the principal is a service, the instance is used to specify the name of the machine on which)SH +7200 16248 MT +(that service runs. If the principal is a username that has general user privileges, the instance is usually set)SH +7200 17444 MT +(to null.)SH +7200 19742 MT +(The following example shows how to use)SH +/Times-Italic SF +25805 XM +(kdb_edit)SH +/Times-Roman SF +29868 XM +(to add the user)SH +/Times-Italic SF +36588 XM +(wave)SH +/Times-Roman SF +39123 XM +(to the Kerberos database.)SH +/Courier SF +8520 21319 MT +(host#)SH +/Times-Bold SF +12480 XM +([ADMIN_DIR]/kdb_edit)SH +/Courier SF +8520 23547 MT +(Opening database...)SH +8520 25775 MT +(Enter Kerberos master key:)SH +8520 26889 MT +(Verifying, please re-enter)SH +8520 28003 MT +(Enter Kerberos master key:)SH +8520 29117 MT +(Current Kerberos master key version is 1)SH +8520 31345 MT +(Master key entered. 
BEWARE!)SH +8520 32459 MT +(Previous or default values are in [brackets] ,)SH +8520 33573 MT +(enter return to leave the same, or new value.)SH +8520 35801 MT +(Principal name:)SH +/Times-Bold SF +19080 XM +(wave)SH +28800 XM +(<--)SH +/Times-BoldItalic SF +30819 XM +(Enter the username.)SH +/Courier SF +8520 36915 MT +(Instance:)SH +/Times-BoldItalic SF +28800 XM +(<-- Enter a null instance.)SH +/Courier SF +8520 39143 MT +(, Create [y] ?)SH +/Times-Bold SF +25680 XM +(y)SH +28800 XM +(<--)SH +/Times-BoldItalic SF +30819 XM +(The user-instance does not exist.)SH +30450 40257 MT +(Enter y to create the user-instance.)SH +/Courier SF +8520 41371 MT +(Principal: wave Instance: m_key_v: 1)SH +8520 42485 MT +(New Password:)SH +/Times-BoldItalic SF +28800 XM +(<-- Enter the user-instance's password.)SH +/Courier SF +8520 43599 MT +(Verifying, please re-enter)SH +8520 44713 MT +(New Password:)SH +8520 45827 MT +(Principal's new key version = 1)SH +8520 46941 MT +(Expiration date \050enter dd-mm-yy\051 [ 12/31/99 ] ?)SH +/Times-Bold SF +39600 XM +(<--)SH +/Times-BoldItalic SF +41619 XM +(Enter newlines)SH +/Courier SF +8520 48055 MT +(Max ticket lifetime \050*5 minutes\051 [ 255 ] ?)SH +/Times-Bold SF +39600 XM +(<--)SH +/Times-BoldItalic SF +41619 XM +(to get the)SH +/Courier SF +8520 49169 MT +(Attributes [ 0 ] ?)SH +/Times-Bold SF +30120 XM +(<--)SH +/Times-BoldItalic SF +32139 XM +(default values.)SH +/Courier SF +8520 50283 MT +(Edit O.K.)SH +8520 52511 MT +(Principal name:)SH +/Times-BoldItalic SF +28800 XM +(<-- Enter a newline to exit the program.)SH +/Times-Roman SF +7200 54809 MT +(Use the)SH +/Times-Italic SF +10804 XM +(kdb_edit)SH +/Times-Roman SF +14867 XM +(utility to add your username to the master database.)SH +14 /Times-Bold AF +7200 58627 MT +(2.4 Starting) +350 W( the Kerberos Server)SH +11 /Times-Roman AF +7200 60822 MT +(Change directories to the directory in which you have installed the server program)SH +/Times-Italic SF +43701 XM +(kerberos)SH 
+/Times-Roman SF +47824 XM +(\050the default)SH +7200 62018 MT +(directory is)SH +/Times-Italic SF +12454 XM +(/usr/etc)SH +/Times-Roman SF +(\051, and start the program as a background process:)SH +/Courier SF +8520 63595 MT +(host#)SH +/Times-Bold SF +12480 XM +(./kerberos &)SH +/Times-Roman SF +7200 65190 MT +(If you have used the)SH +/Times-Italic SF +16393 XM +(kstash)SH +/Times-Roman SF +19418 XM +(command to store the master database password, the server will start)SH +7200 66386 MT +(automatically. If) +275 W( you did not use)SH +/Times-Italic SF +22048 XM +(kstash)SH +/Times-Roman SF +(, use the following command:)SH +/Courier SF +8520 67963 MT +(host#)SH +/Times-Bold SF +12480 XM +(./kerberos -m)SH +10 /Times-Roman AF +7200 75600 MT +(MIT Project Athena)SH +30350 XM +(4)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 5 6 +BS +0 SI +11 /Times-Roman AF +7200 7955 MT +(The server will prompt you to enter the master password before actually starting itself.)SH +14 /Times-Bold AF +7200 11773 MT +(2.5 Testing) +350 W( the Kerberos Server)SH +11 /Times-Roman AF +7200 13968 MT +(Exit the root account and use the)SH +/Times-Italic SF +21893 XM +(kinit)SH +/Times-Roman SF +24124 XM +(command obtain a Kerberos ticket-granting ticket. This command)SH +7200 15164 MT +(creates your ticket file and stores the ticket-granting ticket in it.)SH +7200 17462 MT +(If you used the default)SH +/Times-Italic SF +17371 XM +(make install)SH +/Times-Roman SF +22993 XM +(command and directories to install the Kerberos user utilities,)SH +/Times-Italic SF +50365 XM +(kinit)SH +/Times-Roman SF +7200 18658 MT +(will be in the)SH +/Times-Italic SF +13250 XM +(/usr/athena)SH +/Times-Roman SF +18537 XM +(directory. 
From now on, we'll refer to the Kerberos user commands directory as)SH +7200 19854 MT +([K_USER].)SH +7200 22152 MT +(Use)SH +/Times-Italic SF +9185 XM +(kinit)SH +/Times-Roman SF +11416 XM +(as follows:)SH +/Courier SF +8520 23729 MT +(host%)SH +/Times-Bold SF +12480 XM +([K_USER]/kinit)SH +/Courier SF +8520 24843 MT +(MIT Project Athena, \050ariadne\051)SH +8520 25957 MT +(Kerberos Initialization)SH +8520 27071 MT +(Kerberos name:)SH +/Times-BoldItalic SF +18420 XM +(yourusername)SH +/Times-Bold SF +28800 XM +(<--)SH +/Times-BoldItalic SF +30819 XM +(Enter your Kerberos username.)SH +/Courier SF +8520 28185 MT +(Password:)SH +/Times-Bold SF +28800 XM +(<--)SH +/Times-BoldItalic SF +30819 XM +(Enter your Kerberos password.)SH +/Times-Roman SF +7200 30483 MT +(Use the)SH +/Times-Italic SF +10804 XM +(klist)SH +/Times-Roman SF +12913 XM +(program to list the contents of your ticket file.)SH +/Courier SF +8520 32060 MT +(host%)SH +/Times-Bold SF +12480 XM +([K_USER]/klist)SH +/Times-Roman SF +7200 33655 MT +(The command should display something like the following:)SH +/Courier SF +8520 35181 MT +(Ticket file:) +SH( /tmp/tkt5555)1980 W +8520 36295 MT +(Principal: yourusername@REALMNAME)3300 W +9840 38523 MT +(Issued Expires) +6600 W( Principal)5940 W +8520 39637 MT +(May 6) +660 W( 10:15:23 May 6 18:15:23 krbtgt.REALMNAME@REALMNAME)SH +/Times-Roman SF +7200 41935 MT +(If you have any problems, you can examine the log file)SH +/Times-Italic SF +31758 XM +(/kerberos/kerberos.log)SH +/Times-Roman SF +42022 XM +(on the Kerberos server)SH +7200 43131 MT +(machine to see if there was some sort of error.)SH +16 /Times-Bold AF +7200 47803 MT +(3. 
Setting) +400 W( up and testing the Administration server)SH +11 /Times-Roman AF +7200 49998 MT +(The procedure for setting up and testing the Kerberos administration server is as follows:)SH +9400 51949 MT +(1.)SH +10500 XM +(Use the)SH +/Times-Italic SF +14104 XM +(kdb_edit)SH +/Times-Roman SF +18167 XM +(utility to add your username with an administration instance to the master)SH +10500 53145 MT +(database.)SH +9400 55039 MT +(2.)SH +10500 XM +(Edit the access control lists for the administration server)SH +9400 56933 MT +(3.)SH +10500 XM +(Start the Kerberos administration server.)SH +9400 58827 MT +(4.)SH +10500 XM +(Use the)SH +/Times-Italic SF +14104 XM +(kpasswd)SH +/Times-Roman SF +18107 XM +(command to change your password.)SH +9400 60721 MT +(5.)SH +10500 XM +(Use the)SH +/Times-Italic SF +14104 XM +(kadmin)SH +/Times-Roman SF +17617 XM +(command to add new entries to the database.)SH +9400 62615 MT +(6.)SH +10500 XM +(Use the)SH +/Times-Italic SF +14104 XM +(kinit)SH +/Times-Roman SF +16335 XM +(command to verify that the)SH +/Times-Italic SF +28524 XM +(kadmin)SH +/Times-Roman SF +32037 XM +(command correctly added new entries to)SH +10500 63811 MT +(the database.)SH +10 SS +7200 75600 MT +(MIT Project Athena)SH +30350 XM +(5)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 6 7 +BS +0 SI +14 /Times-Bold AF +7200 8138 MT +(3.1 Adding) +350 W( an administration instance for the administrator)SH +11 /Times-Roman AF +7200 10333 MT +(Login to the Kerberos master server machine, and use the)SH +/Times-Bold SF +32825 XM +(su)SH +/Times-Roman SF +34140 XM +(command to become root. 
Use the)SH +/Times-Italic SF +49780 XM +(kdb_edit)SH +/Times-Roman SF +7200 11529 MT +(program to create an entry for each administrator with the instance ``)SH +/Times-BoldItalic SF +(admin)SH +/Times-Roman SF +(''.)SH +/Courier SF +8520 13106 MT +(host#)SH +/Times-Bold SF +12480 XM +([ADMIN_DIR]/kdb_edit)SH +/Courier SF +8520 15334 MT +(Opening database...)SH +8520 17562 MT +(Enter Kerberos master key:)SH +8520 18676 MT +(Verifying, please re-enter)SH +8520 19790 MT +(Enter Kerberos master key:)SH +8520 20904 MT +(Current Kerberos master key version is 1)SH +8520 23132 MT +(Master key entered. BEWARE!)SH +8520 24246 MT +(Previous or default values are in [brackets] ,)SH +8520 25360 MT +(enter return to leave the same, or new value.)SH +8520 27588 MT +(Principal name:)SH +/Times-Bold SF +19080 XM +(wave)SH +28800 XM +(<--)SH +/Times-BoldItalic SF +30819 XM +(Enter the username.)SH +/Courier SF +8520 28702 MT +(Instance:)SH +/Times-Bold SF +(admin)SH +28800 XM +(<--)SH +/Times-BoldItalic SF +30819 XM +(Enter ``admin''.)SH +/Courier SF +8520 30930 MT +(, Create [y] ?)SH +/Times-Bold SF +25680 XM +(y)SH +28800 XM +(<--)SH +/Times-BoldItalic SF +30819 XM +(The user-instance does not exist.)SH +30450 32044 MT +(Enter y to create the user-instance.)SH +/Courier SF +8520 33158 MT +(Principal: wave Instance: admin m_key_v: 1)SH +8520 34272 MT +(New Password:)SH +/Times-BoldItalic SF +28800 XM +(<-- Enter the user-instance's password.)SH +/Courier SF +8520 35386 MT +(Verifying, please re-enter)SH +8520 36500 MT +(New Password:)SH +8520 37614 MT +(Principal's new key version = 1)SH +8520 38728 MT +(Expiration date \050enter dd-mm-yy\051 [ 12/31/99 ] ?)SH +/Times-Bold SF +39600 XM +(<--)SH +/Times-BoldItalic SF +41619 XM +(Enter newlines)SH +/Courier SF +8520 39842 MT +(Max ticket lifetime \050*5 minutes\051 [ 255 ] ?)SH +/Times-Bold SF +39600 XM +(<--)SH +/Times-BoldItalic SF +41619 XM +(to get the)SH +/Courier SF +8520 40956 MT +(Attributes [ 0 ] ?)SH +/Times-Bold SF 
+30120 XM +(<--)SH +/Times-BoldItalic SF +32139 XM +(default values.)SH +/Courier SF +8520 42070 MT +(Edit O.K.)SH +8520 44298 MT +(Principal name:)SH +/Times-BoldItalic SF +28800 XM +(<-- Enter a newline to exit the program.)SH +14 /Times-Bold AF +7200 48116 MT +(3.2 The) +350 W( Access Control Lists)SH +11 /Times-Roman AF +7200 50311 MT +(The Kerberos administration server uses three access control lists to determine who is authorized to make)SH +7200 51507 MT +(certain requests. The access control lists are stored on the master Kerberos server in the same directory as)SH +7200 52703 MT +(the principal database,)SH +/Times-Italic SF +17340 XM +(/kerberos)SH +/Times-Roman SF +(. The) +275 W( access control lists are simple ASCII text files, with each line)SH +7200 53899 MT +(specifying the name of one principal who is allowed the particular function. To allow several people to)SH +7200 55095 MT +(perform the same function, put their principal names on separate lines in the same file.)SH +7200 57393 MT +(The first list,)SH +/Times-Italic SF +13128 XM +(/kerberos/admin_acl.mod)SH +/Times-Roman SF +(, is a list of principals which are authorized to change entries in the)SH +7200 58589 MT +(database. 
To) +275 W( allow the administrator `)SH +/Times-Bold SF +(wave)SH +/Times-Roman SF +(' to modify entries in the database for the realm `)SH +/Times-Bold SF +(TIM.EDU)SH +/Times-Roman SF +(',)SH +7200 59785 MT +(you would put the following line into the file)SH +/Times-Italic SF +27275 XM +(/kerberos/admin_acl.mod)SH +/Times-Roman SF +(:)SH +/Courier SF +8520 61311 MT +(wave.admin@TIM.EDU)SH +/Times-Roman SF +7200 63609 MT +(The second list,)SH +/Times-Italic SF +14410 XM +(/kerberos/admin_acl.get)SH +/Times-Roman SF +(, is a list of principals which are authorized to retrieve entries)SH +7200 64805 MT +(from the database.)SH +7200 67103 MT +(The third list,)SH +/Times-Italic SF +13434 XM +(/kerberos/admin_acl.add)SH +/Times-Roman SF +(, is a list of principals which are authorized to add new entries to)SH +7200 68299 MT +(the database.)SH +10 SS +7200 75600 MT +(MIT Project Athena)SH +30350 XM +(6)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 7 8 +BS +0 SI +14 /Times-Bold AF +7200 8138 MT +(3.3 Starting) +350 W( the administration server)SH +11 /Times-Roman AF +7200 10333 MT +(Change directories to the directory in which you have installed the administration server program)SH +/Times-Italic SF +7200 11529 MT +(kadmind)SH +/Times-Roman SF +11263 XM +(\050the default directory is)SH +/Times-Italic SF +21831 XM +(/usr/etc)SH +/Times-Roman SF +(\051, and start the program as a background process:)SH +/Courier SF +8520 13106 MT +(host#)SH +/Times-Bold SF +12480 XM +(./kadmind -n&)SH +/Times-Roman SF +7200 14701 MT +(If you have used the)SH +/Times-Italic SF +16393 XM +(kstash)SH +/Times-Roman SF +19418 XM +(command to store the master database password, the server will start)SH +7200 15897 MT +(automatically. 
If) +275 W( you did not use)SH +/Times-Italic SF +22048 XM +(kstash)SH +/Times-Roman SF +(, use the following command:)SH +/Courier SF +8520 17474 MT +(host#)SH +/Times-Bold SF +12480 XM +(./kadmind)SH +/Times-Roman SF +7200 19069 MT +(The server will prompt you to enter the master password before actually starting itself; after it starts, you)SH +7200 20265 MT +(should suspend it and put it in the background \050usually this is done by typing control-Z and then)SH +/Times-Bold SF +49792 XM +(bg)SH +/Times-Roman SF +(\051.)SH +14 /Times-Bold AF +7200 24112 MT +(3.4 Testing)350 W +/Times-BoldItalic SF +14434 XM +(kpasswd)SH +11 /Times-Roman AF +7200 26307 MT +(To test the administration server, you should try changing your password with the)SH +/Times-Italic SF +43494 XM +(kpasswd)SH +/Times-Roman SF +47497 XM +(command, and)SH +7200 27503 MT +(you should try adding new users with the)SH +/Times-Italic SF +25592 XM +(kadmin)SH +/Times-Roman SF +29105 XM +(command \050both commands are installed into)SH +/Times-Italic SF +48963 XM +(/usr/athena)SH +/Times-Roman SF +7200 28699 MT +(by default\051.)SH +7200 30997 MT +(Before testing, you should exit the root account.)SH +7200 33295 MT +(To change your password, run the)SH +/Times-Italic SF +22441 XM +(kpasswd)SH +/Times-Roman SF +26444 XM +(command:)SH +/Courier SF +8520 34872 MT +(host%)SH +/Times-Bold SF +12480 XM +([K_USER]/kpasswd)SH +/Courier SF +8520 35986 MT +(Old password for wave@TIM.EDU:)SH +/Times-Bold SF +28800 XM +(<--)SH +/Times-BoldItalic SF +(Enter your password)SH +/Courier SF +8520 37100 MT +(New Password for wave@TIM.EDU:)SH +/Times-Bold SF +28800 XM +(<--)SH +/Times-BoldItalic SF +(Enter a new password)SH +/Courier SF +8520 38214 MT +(Verifying, please re-enter New Password for wave@TIM.EDU:)SH +/Times-Bold SF +28800 39328 MT +(<--)SH +/Times-BoldItalic SF +(Enter new password again)SH +/Courier SF +8520 40442 MT +(Password changed.)SH +/Times-Roman SF +7200 42037 MT +(Once you have changed your 
password, use the)SH +/Times-Italic SF +28365 XM +(kinit)SH +/Times-Roman SF +30596 XM +(program as shown above to verify that the password)SH +7200 43233 MT +(was properly changed.)SH +14 /Times-Bold AF +7200 47080 MT +(3.5 Testing)350 W +/Times-BoldItalic SF +14434 XM +(kadmin)SH +11 /Times-Roman AF +7200 49275 MT +(You should also test the function of the)SH +/Times-Italic SF +24798 XM +(kadmin)SH +/Times-Roman SF +28311 XM +(program, by adding a new user \050here named)SH +7200 50471 MT +(``)SH +/Courier SF +(username)SH +/Times-Roman SF +(''\051:)SH +/Courier SF +8520 52048 MT +(host%)SH +/Times-Bold SF +12480 XM +([K_USER]/kadmin)SH +/Courier SF +8520 53162 MT +(Welcome to the Kerberos Administration Program, version 2)SH +8520 54276 MT +(Type "help" if you need it.)SH +8520 55390 MT +(admin:)SH +/Times-Bold SF +13800 XM +(ank username)SH +/Times-BoldItalic SF +28800 XM +(`ank' stands for Add New Key)SH +/Courier SF +8520 56504 MT +(Admin password:)SH +/Times-Bold SF +28800 XM +(<--)SH +/Times-BoldItalic SF +(enter the password)SH +28800 57618 MT +(you chose above for wave.admin)SH +/Courier SF +8520 58732 MT +(Password for username:)SH +/Times-Bold SF +28800 XM +(<--)SH +/Times-BoldItalic SF +(Enter the user's initial password)SH +/Courier SF +8520 59846 MT +(Verifying, please re-enter Password for username:)SH +/Times-Bold SF +40920 XM +(<--)SH +/Times-BoldItalic SF +(enter it again)SH +/Courier SF +8520 60960 MT +(username added to database.)SH +8520 63188 MT +(admin: quit)660 W +8520 64302 MT +(Cleaning up and exiting.)SH +10 /Times-Roman AF +7200 75600 MT +(MIT Project Athena)SH +30350 XM +(7)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 8 9 +BS +0 SI +14 /Times-Bold AF +7200 8167 MT +(3.6 Verifying) +350 W( with)SH +/Times-BoldItalic SF +18671 XM +(kinit)SH +11 /Times-Roman AF +7200 10362 MT +(Once you've added a new user, you should test to make sure it was added properly by using)SH +/Times-Italic SF +47917 XM +(kinit)SH +/Times-Roman SF +(, and)SH 
+7200 11558 MT +(trying to get tickets for that user:)SH +/Courier SF +8520 13135 MT +(host%)SH +/Times-Bold SF +12480 XM +([K_USER]/kinit username)SH +/Courier SF +8520 14249 MT +(MIT Project Athena \050ariadne\051)SH +8520 15363 MT +(Kerberos Initialization for "username@TIM.EDU")SH +8520 16477 MT +(Password:)SH +/Times-Bold SF +15120 XM +(<--)SH +/Times-BoldItalic SF +(Enter the user's password you used above)SH +/Courier SF +8520 17591 MT +(host%)SH +/Times-Bold SF +12480 XM +([K_USER]/klist)SH +/Courier SF +8520 18705 MT +(Ticket file:) +SH( /tmp/tkt_5509_spare1)1980 W +8520 19819 MT +(Principal: username@TIM.MIT.EDU)3300 W +9840 22047 MT +(Issued Expires) +6600 W( Principal)5940 W +8520 23161 MT +(Nov 20 15:58:52 Nov 20 23:58:52 krbtgt.TIM.EDU@TIM.EDU)SH +/Times-Roman SF +7200 25459 MT +(If you have any problems, you can examine the log files)SH +/Times-Italic SF +32186 XM +(/kerberos/kerberos.log)SH +/Times-Roman SF +42450 XM +(and)SH +/Times-Italic SF +7200 26655 MT +(/kerberos/admin_server.syslog)SH +/Times-Roman SF +21008 XM +(on the Kerberos server machine to see if there was some sort of error.)SH +16 /Times-Bold AF +7200 31327 MT +(4. Setting) +400 W( up and testing slave server\050s\051)SH +11 /Times-Roman AF +7200 33522 MT +([Unfortunately, this chapter is not yet ready. Sorry. -ed])SH +16 /Times-Bold AF +7200 38194 MT +(5. A) +400 W( Sample Application)SH +11 /Times-Roman AF +7200 40389 MT +(This release of Kerberos comes with a sample application server and a corresponding client program.)SH +7200 41585 MT +(You will find this software in the [OBJ_DIR])SH +/Times-Italic SF +(/appl/sample)SH +/Times-Roman SF +33170 XM +(directory. 
The) +275 W( file)SH +/Times-Italic SF +41691 XM +(sample_client)SH +/Times-Roman SF +48076 XM +(contains the)SH +7200 42781 MT +(client program's executable code, the file)SH +/Times-Italic SF +25677 XM +(sample_server)SH +/Times-Roman SF +32366 XM +(contains the server's executable.)SH +7200 45079 MT +(The programs are rudimentary. When they have been installed \050the installation procedure is described in)SH +7200 46275 MT +(detail later\051, they work as follows:)SH +/Symbol SF +9169 48351 MT +(\267)SH +/Times-Roman SF +9950 XM +(The user starts)SH +/Times-Italic SF +16639 XM +(sample_client)SH +/Times-Roman SF +23024 XM +(and provides as arguments to the command the name of the)SH +9950 49547 MT +(server machine and a checksum. For instance:)SH +/Courier SF +11270 51147 MT +(host%)SH +/Times-Bold SF +15230 XM +(sample_client)SH +/Times-BoldItalic SF +22966 XM +(servername 43)385 W +/Symbol SF +9169 53041 MT +(\267)SH +/Times-Italic SF +9950 XM +(Sample_client)SH +/Times-Roman SF +16457 XM +(contacts the server machine and authenticates the user to)SH +/Times-Italic SF +41654 XM +(sample_server)SH +/Times-Roman SF +(.)SH +/Symbol SF +9169 54935 MT +(\267)SH +/Times-Italic SF +9950 XM +(Sample_server)SH +/Times-Roman SF +16761 XM +(authenticates itself to)SH +/Times-Italic SF +26384 XM +(sample_client)SH +/Times-Roman SF +(, then returns a message to the client)SH +9950 56131 MT +(program. 
This) +275 W( message contains diagnostic information that includes the user's username,)SH +9950 57327 MT +(the Kerberos realm, and the user's workstation address.)SH +/Symbol SF +9169 59221 MT +(\267)SH +/Times-Italic SF +9950 XM +(Sample_client)SH +/Times-Roman SF +16457 XM +(displays the server's message on the user's terminal screen.)SH +14 /Times-Bold AF +7200 63039 MT +(5.1 The) +350 W( Installation Process)SH +11 /Times-Roman AF +7200 65234 MT +(In general, you use the following procedure to install a Kerberos-authenticated server-client system.)SH +9400 67185 MT +(1.)SH +10500 XM +(Add the appropriate entry to the Kerberos database using)SH +/Times-Italic SF +35881 XM +(kdb_edit)SH +/Times-Roman SF +39944 XM +(or)SH +/Times-Italic SF +41135 XM +(kadmin)SH +/Times-Roman SF +44648 XM +(\050described)SH +10500 68381 MT +(below\051.)SH +10 SS +7200 75600 MT +(MIT Project Athena)SH +30350 XM +(8)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 9 10 +BS +0 SI +11 /Times-Roman AF +9400 7955 MT +(2.)SH +10500 XM +(Create a)SH +/Times-Italic SF +14408 XM +(/etc/srvtab)SH +/Times-Roman SF +19327 XM +(file for the server machine.)SH +9400 9849 MT +(3.)SH +10500 XM +(Install the service program and the)SH +/Times-Italic SF +26016 XM +(/etc/srvtab)SH +/Times-Roman SF +30935 XM +(file on the server machine.)SH +9400 11743 MT +(4.)SH +10500 XM +(Install the client program on the client machine.)SH +9400 13637 MT +(5.)SH +10500 XM +(Update the)SH +/Times-Italic SF +15570 XM +(/etc/services)SH +/Times-Roman SF +21281 XM +(file on the client and server machines.)SH +7200 15935 MT +(We will use the sample application as an example, although the procedure used to install)SH +/Times-Italic SF +46484 XM +(sample_server)SH +/Times-Roman SF +7200 17131 MT +(differs slightly from the general case because the)SH +/Times-Italic SF +29006 XM +(sample_server)SH +/Times-Roman SF +35695 XM +(takes requests via the)SH +/Times-Italic SF +45347 XM +(inetd)SH +/Times-Roman SF +47822 XM 
+(program.)SH +/Times-Italic SF +7200 18327 MT +(Inetd)SH +/Times-Roman SF +9735 XM +(starts)SH +/Times-Italic SF +12332 XM +(sample_server)SH +/Times-Roman SF +19021 XM +(each time a client process contacts the server machine.)SH +/Times-Italic SF +43606 XM +(Sample_server)SH +/Times-Roman SF +7200 19523 MT +(processes the request, terminiates, then is restarted when)SH +/Times-Italic SF +32368 XM +(inetd)SH +/Times-Roman SF +34843 XM +(receives another)SH +/Times-Italic SF +42293 XM +(sample_client)SH +/Times-Roman SF +48678 XM +(request.)SH +7200 20719 MT +(When you install the program on the server, you must add a)SH +/Times-Italic SF +33807 XM +(sample)SH +/Times-Roman SF +37198 XM +(entry to the server machine's)SH +/Times-Italic SF +7200 21915 MT +(/etc/inetd.conf)SH +/Times-Roman SF +13738 XM +(file.)SH +7200 24213 MT +(The following description assumes that you are installing)SH +/Times-Italic SF +32680 XM +(sample_server)SH +/Times-Roman SF +39369 XM +(on the machine)SH +/Times-Italic SF +46364 XM +(ariadne.tim.edu)SH +/Times-Roman SF +(.)SH +7200 25409 MT +(Here's the process, step by step:)SH +9400 27360 MT +(1.)SH +10500 XM +(Login as or)SH +/Times-Italic SF +15785 XM +(su)SH +/Times-Roman SF +17038 XM +(to root on the Kerberos server machine. Use the)SH +/Times-Italic SF +38631 XM +(kdb_edit)SH +/Times-Roman SF +42694 XM +(or)SH +/Times-Italic SF +43885 XM +(kadmin)SH +/Times-Roman SF +47398 XM +(program)SH +10500 28556 MT +(to create an entry for)SH +/Times-Italic SF +19935 XM +(sample)SH +/Times-Roman SF +23326 XM +(in the Kerberos database:)SH +/Courier SF +11820 30133 MT +(host#)SH +/Times-Bold SF +15780 XM +([ADMIN_DIR]/kdb_edit)SH +/Courier SF +11820 32361 MT +(Opening database...)SH +11820 34589 MT +(Enter Kerberos master key:)SH +11820 35703 MT +(Verifying, please re-enter)SH +11820 36817 MT +(master key entered. 
BEWARE!)SH +11820 37931 MT +(Previous or default values are in [brackets] ,)SH +11820 39045 MT +(enter return to leave the same, or new value.)SH +11820 41273 MT +(Principal name:)SH +/Times-Bold SF +22380 XM +(sample)SH +26220 XM +(<--)SH +/Times-BoldItalic SF +28239 XM +(Enter the principal name.)SH +/Courier SF +11820 42387 MT +(Instance:)SH +/Times-Bold SF +18420 XM +(ariadne)SH +26220 XM +(<--)SH +/Times-BoldItalic SF +28239 XM +(Instances cannot have periods in them.)SH +/Courier SF +11820 44615 MT +(, Create [y] ?)SH +/Times-Bold SF +28980 XM +(y)SH +/Courier SF +11820 46843 MT +(Principal: sample_server Instance: ariadne m_key_v: 1)SH +11820 47957 MT +(New Password:)SH +/Times-Bold SF +26220 XM +(<--)SH +/Times-BoldItalic SF +28239 XM +(Enter ``RANDOM'' to get random password.)SH +/Courier SF +11820 49071 MT +(Verifying, please re-enter)SH +11820 50185 MT +(New Password:)SH +/Times-Bold SF +26220 XM +(<--)SH +/Times-BoldItalic SF +28239 XM +(Enter ``RANDOM'' again.)SH +/Courier SF +11820 51299 MT +(Random password [y] ?)SH +/Times-Bold SF +26340 XM +(y)SH +/Courier SF +11820 53527 MT +(Principal's new key version = 1)SH +11820 54641 MT +(Expiration date \050enter dd-mm-yy\051 [ 12/31/99 ] ?)SH +11820 55755 MT +(Max ticket lifetime \050*5 minutes\051 [ 255 ] ?)SH +11820 56869 MT +(Attributes [ 0 ] ?)SH +11820 57983 MT +(Edit O.K.)SH +11820 60211 MT +(Principal name:)SH +/Times-Bold SF +26220 XM +(<--)SH +/Times-BoldItalic SF +28239 XM +(Enter newline to exit kdb_edit.)SH +/Times-Roman SF +9400 62105 MT +(2.)SH +10500 XM +(Use the)SH +/Times-Italic SF +14104 XM +(ext_srvtab)SH +/Times-Roman SF +18961 XM +(program to create a)SH +/Times-Italic SF +27755 XM +(srvtab)SH +/Times-Roman SF +30780 XM +(file for)SH +/Times-Italic SF +34078 XM +(sample_server)SH +/Times-Roman SF +('s host machine:)SH +10 SS +7200 75600 MT +(MIT Project Athena)SH +30350 XM +(9)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 10 11 +BS +0 SI +11 /Courier AF +11820 7937 MT +(host#)SH 
+/Times-Bold SF +15780 XM +([ADMIN_DIR]/ext_srvtab ariadne)275 W +/Courier SF +11820 10165 MT +(Enter Kerberos master key:)SH +11820 11279 MT +(Current Kerberos master key version is 1.)SH +11820 13507 MT +(Generating 'ariadne-new-srvtab'....)SH +/Times-Roman SF +10500 15102 MT +(Transfer the)SH +/Times-Italic SF +16118 XM +(ariadne-new-srvtab)SH +/Times-Roman SF +25069 XM +(file to)SH +/Times-Italic SF +27941 XM +(ariadne)SH +/Times-Roman SF +31638 XM +(and install it as)SH +/Times-Italic SF +38544 XM +(/etc/srvtab)SH +/Times-Roman SF +(. Note) +275 W( that this)SH +10500 16298 MT +(file is equivalent to the service's password and should be treated with care. For example, it)SH +10500 17494 MT +(could be transferred by removable media, but should not be sent over an open network in)SH +10500 18690 MT +(the clear. Once installed, this file should be readable only by root.)SH +9400 20584 MT +(3.)SH +10500 XM +(Add the following line to the)SH +/Times-Italic SF +23516 XM +(/etc/services)SH +/Times-Roman SF +29227 XM +(file on)SH +/Times-Italic SF +32343 XM +(ariadne)SH +/Times-Roman SF +(, and on all machines that will run)SH +10500 21780 MT +(the)SH +/Times-Italic SF +12119 XM +(sample_client)SH +/Times-Roman SF +18504 XM +(program:)SH +/Courier SF +11820 23306 MT +(sample 906/tcp) +2640 W( #) +3960 W( Kerberos sample app server)SH +/Times-Roman SF +9400 25200 MT +(4.)SH +10500 XM +(Add a line similar to the following line to the)SH +/Times-Italic SF +30666 XM +(/etc/inetd.conf)SH +/Times-Roman SF +37204 XM +(file on)SH +/Times-Italic SF +40320 XM +(sample_server)SH +/Times-Roman SF +('s)SH +10500 26396 MT +(machine:)SH +/Courier SF +11820 27922 MT +(sample stream tcp nowait switched root)1320 W +14460 29036 MT +([PATH]/sample_server sample_server)SH +/Times-Roman SF +10500 30631 MT +(where [PATH] should be substituted with the path to the)SH +/Times-Italic SF +35674 XM +(sample_server)SH +/Times-Roman SF +42363 XM +(program. 
\050This)275 W +/Times-Italic SF +10500 31827 MT +(inetd.conf)SH +/Times-Roman SF +15144 XM +(information should be placed on one line.\051 You should examine existing lines in)SH +/Times-Italic SF +10500 33023 MT +(/etc/inetd.conf)SH +/Times-Roman SF +17038 XM +(and use the same format used by other entries \050e.g. for telnet\051. Most systems)SH +10500 34219 MT +(do not have a column for the `switched' keyword, and some do not have a column for the)SH +10500 35415 MT +(username \050usually `root', as above\051.)SH +9400 37309 MT +(5.)SH +10500 XM +(Restart)SH +/Times-Italic SF +13891 XM +(inetd)SH +/Times-Roman SF +16366 XM +(by sending the current)SH +/Times-Italic SF +26446 XM +(inetd)SH +/Times-Roman SF +28921 XM +(process a hangup signal:)SH +/Courier SF +11820 38909 MT +(host#)SH +/Times-Bold SF +15780 XM +(kill -HUP)275 W +/Times-BoldItalic SF +21373 XM +(process_id_number)SH +/Times-Roman SF +9400 40803 MT +(6.)SH +10500 XM +(The)SH +/Times-Italic SF +12485 XM +(sample_server)SH +/Times-Roman SF +19174 XM +(is now ready to take)SH +/Times-Italic SF +28307 XM +(sample_client)SH +/Times-Roman SF +34692 XM +(requests.)SH +14 /Times-Bold AF +7200 44621 MT +(5.2 Testing) +350 W( the Sample Server)SH +11 /Times-Roman AF +7200 46816 MT +(Assume that you have installed)SH +/Times-Italic SF +21223 XM +(sample_server)SH +/Times-Roman SF +27912 XM +(on)SH +/Times-Italic SF +29287 XM +(ariadne)SH +/Times-Roman SF +(.)SH +7200 49114 MT +(Login to your workstation and use the)SH +/Times-Italic SF +24217 XM +(kinit)SH +/Times-Roman SF +26448 XM +(command to obtain a Kerberos ticket-granting ticket:)SH +/Courier SF +8520 50691 MT +(host%)SH +/Times-Bold SF +12480 XM +([K_USER]/kinit)SH +/Courier SF +8520 51805 MT +(MIT Project Athena, \050your_workstation\051)SH +8520 52919 MT +(Kerberos Initialization)SH +8520 54033 MT +(Kerberos name:)SH +/Times-BoldItalic SF +18420 XM +(yourusername)SH +/Times-Bold SF +28800 XM +(<--)SH +/Times-BoldItalic SF +30819 XM +(Enter your 
Kerberos username.)SH +/Courier SF +8520 55147 MT +(Password:)SH +/Times-Bold SF +28800 XM +(<--)SH +/Times-BoldItalic SF +30819 XM +(Enter your Kerberos password.)SH +/Times-Roman SF +7200 57445 MT +(Now use the)SH +/Times-Italic SF +12973 XM +(sample_client)SH +/Times-Roman SF +19358 XM +(program as follows:)SH +/Courier SF +8520 59022 MT +(host%)SH +/Times-Bold SF +12480 XM +([PATH]/sample_client ariadne)275 W +/Times-Roman SF +7200 60617 MT +(The command should display something like the following:)SH +/Courier SF +8520 62143 MT +(The server says:)SH +8520 63257 MT +(You are)SH +/Times-BoldItalic SF +13800 XM +(yourusername)SH +/Courier SF +(.@REALMNAME \050local name)SH +/Times-BoldItalic SF +36180 XM +(yourusername)SH +/Courier SF +(\051,)SH +9180 64371 MT +(at address)SH +/Times-BoldItalic SF +16440 XM +(yournetaddress)SH +/Courier SF +(, version VERSION9, cksum 997)SH +10 /Times-Roman AF +7200 75600 MT +(MIT Project Athena)SH +30100 XM +(10)SH +47890 XM +(4 January 1990)SH +ES +%%Page: 11 12 +BS +0 SI +16 /Times-Bold AF +7200 8272 MT +(6. Service) +400 W( names and other services)SH +14 SS +7200 12090 MT +(6.1 rlogin,) +350 W( rsh, rcp, tftp, and others)SH +11 /Times-Roman AF +7200 14285 MT +(Many services use a common principal name for authentication purposes.)SH +/Times-Italic SF +40128 XM +(rlogin)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +43368 XM +(rsh)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +45324 XM +(rcp)SH +/Times-Roman SF +(,)SH +/Times-Italic SF +47340 XM +(tftp)SH +/Times-Roman SF +49083 XM +(and others)SH +7200 15481 MT +(use the principal name ``)SH +/Courier SF +(rcmd)SH +/Times-Roman SF +(''. For) +275 W( example, to set up the machine)SH +/Times-Italic SF +38033 XM +(ariadne)SH +/Times-Roman SF +41730 XM +(to support Kerberos rlogin,)SH +7200 16677 MT +(it needs to have a service key for principal ``)SH +/Courier SF +(rcmd)SH +/Times-Roman SF +('', instance ``)SH +/Courier SF +(ariadne)SH +/Times-Roman SF +(''. 
You) +275 W( create this key in the)SH +7200 17873 MT +(same way as shown above for the sample service.)SH +7200 20171 MT +(After creating this key, you need to run the)SH +/Times-Italic SF +26382 XM +(ext_srvtab)SH +/Times-Roman SF +31239 XM +(program again to generate a new srvtab file for)SH +7200 21367 MT +(ariadne.)SH +14 /Times-Bold AF +7200 25185 MT +(6.2 NFS) +350 W( modifications)SH +11 /Times-Roman AF +7200 27380 MT +(The NFS modifications distributed separately use the service name ``)SH +/Courier SF +(rvdsrv)SH +/Times-Roman SF +('' with the instance set to)SH +7200 28576 MT +(the machine name \050as for the sample server and the rlogin, rsh, rcp and tftp services\051.)SH +14 /Times-Bold AF +7200 32394 MT +(6.3 inetd.conf) +350 W( entries)SH +11 /Times-Roman AF +7200 34589 MT +(The following are the)SH +/Times-Italic SF +16974 XM +(/etc/inetd.conf)SH +/Times-Roman SF +23512 XM +(entries necessary to support rlogin, encrypted rlogin, rsh, and rcp)SH +7200 35785 MT +(services on a server machine. As above, your)SH +/Times-Italic SF +27631 XM +(inetd.conf)SH +/Times-Roman SF +32275 XM +(may not support all the fields shown here.)SH +/Courier SF +8520 37311 MT +(eklogin stream) +660 W( tcp nowait unswitched root)1320 W +11160 38425 MT +([PATH]/klogind eklogind)1320 W +8520 39539 MT +(kshell stream tcp nowait unswitched root)1320 W +11160 40653 MT +([PATH]/kshd kshd)1320 W +8520 41767 MT +(klogin stream tcp nowait unswitched root)1320 W +11160 42881 MT +([PATH]/klogind klogind)1320 W +10 /Times-Roman AF +7200 75600 MT +(MIT Project Athena)SH +30100 XM +(11)SH +47890 XM +(4 January 1990)SH +ES +%%Page: i 13 +BS +0 SI +14 /Times-Bold AF +25272 8138 MT +(Table of Contents)SH +13 SS +7200 9781 MT +(1. 
How) +325 W( Kerberos Works: A Schematic Description)SH +53350 XM +(1)SH +12 /Times-Roman AF +9000 11130 MT +(1.1 Network) +300 W( Services and Their Client Programs)SH +53400 XM +(1)SH +9000 12479 MT +(1.2 Kerberos) +300 W( Tickets)SH +53400 XM +(1)SH +9000 13828 MT +(1.3 The) +300 W( Kerberos Master Database)SH +53400 XM +(1)SH +9000 15177 MT +(1.4 The) +300 W( Ticket-Granting Ticket)SH +53400 XM +(1)SH +9000 16526 MT +(1.5 Network) +300 W( Services and the Master Database)SH +53400 XM +(1)SH +9000 17875 MT +(1.6 The) +300 W( User-Kerberos Interaction)SH +53400 XM +(2)SH +13 /Times-Bold AF +7200 19518 MT +(2. Setting) +325 W( Up and Testing the Kerberos Server)SH +53350 XM +(2)SH +12 /Times-Roman AF +9000 20867 MT +(2.1 Creating) +300 W( and Initializing the Master Database)SH +53400 XM +(3)SH +9000 22216 MT +(2.2 Storing) +300 W( the Master Password)SH +53400 XM +(3)SH +9000 23571 MT +(2.3 Using)300 W +/Times-BoldItalic SF +14267 XM +(kdb_edit)SH +/Times-Roman SF +18768 XM +(to Add Users to the Master Database)SH +53400 XM +(4)SH +9000 24920 MT +(2.4 Starting) +300 W( the Kerberos Server)SH +53400 XM +(4)SH +9000 26269 MT +(2.5 Testing) +300 W( the Kerberos Server)SH +53400 XM +(5)SH +13 /Times-Bold AF +7200 27912 MT +(3. Setting) +325 W( up and testing the Administration server)SH +53350 XM +(5)SH +12 /Times-Roman AF +9000 29261 MT +(3.1 Adding) +300 W( an administration instance for the administrator)SH +53400 XM +(6)SH +9000 30610 MT +(3.2 The) +300 W( Access Control Lists)SH +53400 XM +(6)SH +9000 31959 MT +(3.3 Starting) +300 W( the administration server)SH +53400 XM +(7)SH +9000 33314 MT +(3.4 Testing)300 W +/Times-BoldItalic SF +15001 XM +(kpasswd)SH +/Times-Roman SF +53400 XM +(7)SH +9000 34669 MT +(3.5 Testing)300 W +/Times-BoldItalic SF +15001 XM +(kadmin)SH +/Times-Roman SF +53400 XM +(7)SH +9000 36024 MT +(3.6 Verifying) +300 W( with)SH +/Times-BoldItalic SF +18501 XM +(kinit)SH +/Times-Roman SF +53400 XM +(8)SH +13 /Times-Bold AF +7200 37667 MT +(4. 
Setting) +325 W( up and testing slave server\050s\051)SH +53350 XM +(8)SH +7200 39310 MT +(5. A) +325 W( Sample Application)SH +53350 XM +(8)SH +12 /Times-Roman AF +9000 40659 MT +(5.1 The) +300 W( Installation Process)SH +53400 XM +(8)SH +9000 42008 MT +(5.2 Testing) +300 W( the Sample Server)SH +52800 XM +(10)SH +13 /Times-Bold AF +7200 43651 MT +(6. Service) +325 W( names and other services)SH +52700 XM +(11)SH +12 /Times-Roman AF +9000 45000 MT +(6.1 rlogin,) +300 W( rsh, rcp, tftp, and others)SH +52800 XM +(11)SH +9000 46349 MT +(6.2 NFS) +300 W( modifications)SH +52800 XM +(11)SH +9000 47698 MT +(6.3 inetd.conf) +300 W( entries)SH +52800 XM +(11)SH +10 SS +7200 75600 MT +(MIT Project Athena)SH +30461 XM +(i)SH +47890 XM +(4 January 1990)SH +ES +%%Trailer +%%Pages: 13 +%%DocumentFonts: Times-Roman Times-Bold Times-Italic Times-BoldItalic Courier Symbol diff --git a/doc/old-V4-docs/operation.mss b/doc/old-V4-docs/operation.mss new file mode 100644 index 0000000..a35bb9f --- /dev/null +++ b/doc/old-V4-docs/operation.mss 
@@ -0,0 +1,799 @@ +@Comment[ $Source$] +@Comment[ $Author$] +@Comment[ $Id$] +@Comment[] +@device[postscript] +@make[report] +@comment[ +@DefineFont(HeadingFont, + P=, + B=, + I=, + R=) +] +@DefineFont(HeadingFont, + P=, + B=, + I=, + R=) +@Counter(MajorPart,TitleEnv HD0,ContentsEnv tc0,Numbered [@I], + IncrementedBy Use,Announced) +@Counter(Chapter,TitleEnv HD1,ContentsEnv tc1,Numbered [@1. ], + IncrementedBy Use,Referenced [@1],Announced) +@Counter(Appendix,TitleEnv HD1,ContentsEnv tc1,Numbered [@A. ], + IncrementedBy,Referenced [@A],Announced,Alias Chapter) +@Counter(UnNumbered,TitleEnv HD1,ContentsEnv tc1,Announced,Alias + Chapter) +@Counter(Section,Within Chapter,TitleEnv HD2,ContentsEnv tc2, + Numbered [@#@:.@1 ],Referenced [@#@:.@1],IncrementedBy + Use,Announced) +@Counter(AppendixSection,Within Appendix,TitleEnv HD2, + ContentsEnv tc2, + Numbered [@#@:.@1 ],Referenced [@#@:.@1],IncrementedBy + Use,Announced) +@Counter(SubSection,Within Section,TitleEnv HD3,ContentsEnv tc3, + Numbered [@#@:.@1 ],IncrementedBy Use, + Referenced [@#@:.@1 ]) +@Counter(AppendixSubSection,Within AppendixSection,TitleEnv HD3, + ContentsEnv tc3, + Numbered [@#@:.@1 ],IncrementedBy Use, + Referenced [@#@:.@1 ]) +@Counter(Paragraph,Within SubSection,TitleEnv HD4,ContentsEnv tc4, + Numbered [@#@:.@1 ],Referenced [@#@:.@1], + IncrementedBy Use) +@modify(CopyrightNotice, Fixed -1 inch, Flushright) +@Modify(Titlebox, Fixed 3.0 inches) +@Modify(hd1, below .2 inch, facecode B, size 16, spaces kept, pagebreak off) +@Modify(hd2, below .2 inch, facecode B, size 14, spaces kept) +@Modify(hd3, below .2 inch, facecode B, size 12, spaces kept) +@Modify(Description, Leftmargin +20, Indent -20,below 1 line, above 1 line) +@Modify(Tc1, Above .5, Facecode B) +@Modify(Tc2, Above .25, Below .25, Facecode R) +@Modify(Tc3,Facecode R) +@Modify(Tc4,Facecode R) +@Modify(Itemize,Above 1line,Below 1line) +@Modify(Insert,LeftMargin +2, RightMargin +2) +@libraryfile[stable] +@comment[@Style(Font 
NewCenturySchoolBook, size 11)] +@Style(Font TimesRoman, size 11) +@Style(Spacing 1.1, indent 0) +@Style(leftmargin 1.0inch) +@Style(justification no) +@Style(BottomMargin 1.5inch) +@Style(ChangeBarLocation Right) +@Style(ChangeBars=off) +@pageheading[immediate] +@pagefooting[immediate, left = "MIT Project Athena", center = "@value(page)", +right = "@value(date)"] +@set[page = 0] +@blankspace[.5 inches] +@begin[group, size 20] +@begin(center) +@b[Kerberos Operation Notes] +@b[DRAFT] +@end[center] +@blankspace[.5 inches] +@end(group) +@begin[group, size 16] +@begin(center) +Bill Bryant +John Kohl +Project Athena, MIT +@blankspace[.5 inches] +@b[Initial Release, January 24, 1989] +@i[(plus later patches through patchlevel 7)] +@end[center] +@end(group) +@begin[group, size 10] +@end[group] +@blankspace[1inches] + +These notes assume that you have used the +@i[Kerberos Installation Notes] to build and install your +Kerberos system. +As in that document, we refer to the directory that contains +the built Kerberos binaries as [OBJ_DIR]. + +This document assumes that you are a Unix system manager. + +@newpage() +@chapter[How Kerberos Works: A Schematic Description] + +This section provides a simplified description of +a general user's interaction with the Kerberos system. +This interaction happens transparently--users don't need to know +and probably don't care about what's going on--but Kerberos administrators +might find a schematic description of the process useful. +The description glosses over a lot of details; +for more information, see @i[Kerberos: An Authentication +Service for Open Network Systems], +a paper presented at Winter USENIX 1988, in Dallas, Texas. + +@section[Network Services and Their Client Programs] + +In an environment that provides network services, +you use @i[client] programs to request service from +@i[server] programs that are somewhere on the network. +Suppose you have logged in to a workstation +and you want to @i[rlogin] to another machine. 
+You use the local @i[rlogin] client program to +contact the remote machine's @i[rlogin] service daemon. + +@section[Kerberos Tickets] + +Under Kerberos, the @i[rlogin] service program +allows a client to login to a remote machine if it +can provide +a Kerberos @b[ticket] for the request. +This ticket proves the identity of the person who has used +the client program to access the server program. + +@section[The Kerberos Master Database] + +Kerberos will give you tickets only if you +have an entry in the Kerberos server's +@b[master database]. +Your database entry includes your Kerberos username (often referred to +as your Kerberos @b[principal] name), and your Kerberos password. +Every Kerberos user must have an entry in this database. + +@section[The Ticket-Granting Ticket] + +The @i[kinit] command prompts for your Kerberos username and password, +and if you enter them successfully, you will obtain a Kerberos +@i[ticket-granting ticket]. +As illustrated below, +client programs use this ticket to get other Kerberos tickets as +needed. + +@section[Network Services and the Master Database] + +The master database also contains entries for all network services that +require Kerberos authentication. +Suppose for instance that your site has a machine @i[laughter] +that requires Kerberos authentication from anyone who wants +to @i[rlogin] to it. +This service must be registered in the master database. +Its entry includes the service's principal name, and its @b[instance]. + +The @i[instance] is the name of the service's machine; +in this case, the service's instance is the name @i[laughter]. +The instance provides a means for Kerberos to distinguish between +machines that provide the same service. +Your site is likely to have more than one machine that +provides @i[rlogin] service. 
+ +@section[The User-Kerberos Interaction] + +Suppose that you (in the guise of a general user) walk up to a workstation +intending to login to it, and then @i[rlogin] to the machine @i[laughter]. +Here's what happens. +@begin[enumerate] +You login to the workstation and use the @i[kinit] command +to to get a ticket-granting ticket. +This command prompts you for your username (your Kerberos Principal Name), +and your Kerberos password [on some systems which use the new version of +@i{/bin/login}, this may be done as part of the login process, not +requiring the user to run a separate program]. +@begin[enumerate] +The @i[kinit] command sends your request to the Kerberos master server +machine. +The server software looks for your principal name's entry in the +Kerberos @b[master database]. + +If this entry exists, the +Kerberos server creates and returns a +@i[ticket-granting ticket], encrypted in your password. +If @i[kinit] can decrypt the Kerberos reply using the password you +provide, it stores this ticket in a @b[ticket file] on your +local machine for later use. +The ticket file to be used +can be specified in the @b[KRBTKFILE] environment +variable. If this variable is not set, the name of the file will be +@i[/tmp/tkt@p(uid)], where @p(uid) is the UNIX user-id, represented in decimal. +@end[enumerate] + +Now you use the @i[rlogin] client to try to access the machine @i[laughter]. +@begin[example] +host% @b[rlogin laughter] +@end[example] +@begin[enumerate] +The @i[rlogin] client checks your ticket file to see if you +have a ticket for @i[laughter]'s @i[rcmd] service (the rlogin program +uses the @i[rcmd] service name, mostly for historical reasons). +You don't, so @i[rlogin] uses the ticket file's @i[ticket-granting +ticket] to make a request to the master server's ticket-granting service. + +This ticket-granting service receives the @i[rcmd-laughter] request +and looks in the master database for an @i[rcmd-laughter] entry. 
+If that entry exists, the ticket-granting service issues you a ticket +for that service. +That ticket is also cached in your ticket file. + +The @i[rlogin] client now uses that ticket to request service from +the @i[laughter] @i[rlogin] service program. +The service program +lets you @i[rlogin] if the ticket is valid. +@end[enumerate] +@end[enumerate] + +@chapter[Setting Up and Testing the Kerberos Server] + +The procedure for setting up and testing a Kerberos server +is as follows: +@begin[enumerate] +Use the @i[kdb_init] command to create and initialize the master database. + +Use the @i[kdb_edit] utility to add your username to the +master database. + +Start the Kerberos server. + +Use the @i[kinit] command to obtain a Kerberos ticket-granting ticket. + +Use the @i[klist] command to verify that the @i[kinit] command +authenticated you successfully. +@end[enumerate] + +@section[Creating and Initializing the Master Database] + +Login to the Kerberos master server machine, +and use the @b[su] command to become root. +If you installed the Kerberos administration tools +with the @i[make install] command and the default pathnames, +they should be in the @i[/usr/etc] directory. +If you installed the tools in a different directory, +hopefully you know what it is. +From now on, we will refer to this directory as [ADMIN_DIR]. + +The @i[kdb_init] command creates and initializes the master database. +It asks you to enter the system's +realm name and the database's master password. +Do not forget this password. +If you do, the database becomes useless. +(Your realm name should be substituted for [REALMNAME] below.) + +Use @i[kdb_init] as follows: +@tabset[3inches, +1.5inches] +@begin[example, rightmargin -10] +host# @b([ADMIN_DIR]/kdb_init) +Realm name (default XXX): @b([REALMNAME])@\@b[<--] @p[Enter your system's realm name.] +You will be prompted for the database Master Password. +It is important that you NOT FORGET this password. 
+ +Enter Kerberos master key: @\@b[<--] @p[Enter the master password.] +@comment(this needs to be re-fixed...: +Verifying, please re-enter +Enter Kerberos master key: @\@b[<--] @p[Re-enter it.] +) +@end[example] + +@section[Storing the Master Password] + +The @i[kstash] command ``stashes'' the master password in the file @i[/.k] +so that the Kerberos server can +be started automatically during an unattended reboot of the +master server. +Other administrative programs use this hidden password so that they +can access the master database without someone having to manually +provide the master password. +This command is an optional one; +if you'd rather enter the master password each time you +start the Kerberos server, don't use @i[kstash]. + +One the one hand, if you use @i[kstash], a copy of the master +key will reside +on disk which may not be acceptable; on the other hand, if you don't +use @i[kstash], the server cannot be started unless someone is around to +type the password in manually. + +The command prompts you twice for the master password: +@begin[example] +@tabset[3inches] +host# @b([ADMIN_DIR]/kstash) + +Enter Kerberos master key:@\@b[<--] @p[Enter the master password.] +Current Kerberos master key version is 1. + +Master key entered BEWARE! +@end[example] + +A note about the Kerberos database master key: +if your master key is compromised and the database is obtained, +the security of your entire authentication system is compromised. +The master key must be a carefully kept secret. If you keep backups, +you must guard all the master keys you use, in case someone has stolen +an old backup and wants to attack users' whose passwords haven't changed +since the backup was stolen. +This is why we provide the option not to store it on disk. + +@section[Using @p(kdb_edit) to Add Users to the Master Database] + +The @i[kdb_edit] program is used to add new users and services +to the master database, and to modify existing database information. 
+The program prompts you to enter a principal's @b[name] and @b[instance]. + +A principal name is typically a username or a service program's name. +An instance further qualifies the principal. +If the principal is a service, +the instance is used to specify the name of the machine on which that +service runs. +If the principal is a username that has general user privileges, +the instance is usually set to null. + +The following example shows how to use @i[kdb_edit] to +add the user @i[wave] to the Kerberos database. +@begin[example, rightmargin -10] +@tabset[3inches, +1.5inches] +host# @b([ADMIN_DIR]/kdb_edit) + +Opening database... + +Enter Kerberos master key: +Verifying, please re-enter +Enter Kerberos master key: +Current Kerberos master key version is 1 + +Master key entered. BEWARE! +Previous or default values are in [brackets] , +enter return to leave the same, or new value. + +Principal name: @b[wave]@\@b[<--] @p[Enter the username.] +Instance:@\@p[<-- Enter a null instance.] + +, Create [y] ? @b[y]@\@b[<--] @p[The user-instance does not exist.] +@\@p[ Enter y to create the user-instance.] +Principal: wave Instance: m_key_v: 1 +New Password: @\@p[<-- Enter the user-instance's password.] +Verifying, please re-enter +New Password: +Principal's new key version = 1 +Expiration date (enter dd-mm-yy) [ 12/31/99 ] ?@\@b[<--] @p[Enter newlines] +Max ticket lifetime (*5 minutes) [ 255 ] ? @\@b[<--] @p[to get the] +Attributes [ 0 ] ? @\@\@b[<--] @p[default values.] +Edit O.K. + +Principal name:@\@p[<-- Enter a newline to exit the program.] +@end[example] + +Use the @i[kdb_edit] utility to add your username to the master database. 
+ +@section[Starting the Kerberos Server] + +Change directories to the directory in which you have installed +the server program @i[kerberos] +(the default directory is @i[/usr/etc]), +and start the program as a background process: +@begin[example] +host# @b[./kerberos &] +@end[example] +If you have used the @i[kstash] command to store the master database password, +the server will start automatically. +If you did not use @i[kstash], +use the following command: +@begin[example] +host# @b[./kerberos -m] +@end[example] +The server will prompt you to enter the master password before actually +starting itself. + +@section[Testing the Kerberos Server] + +Exit the root account and use the @i[kinit] command obtain a Kerberos +ticket-granting ticket. +This command +creates your ticket file +and stores the ticket-granting ticket in it. + +If you used the default @i[make install] command and directories to +install the Kerberos user utilities, @i[kinit] will be in the +@i[/usr/athena] directory. From now on, we'll refer to the Kerberos user +commands directory as [K_USER]. + +Use @i[kinit] as follows: +@begin[example] +@tabset[3 inches] +host% @b([K_USER]/kinit) +MIT Project Athena, (ariadne) +Kerberos Initialization +Kerberos name: @p[yourusername]@\@b[<--] @p[Enter your Kerberos username.] +Password: @\@b[<--] @p[Enter your Kerberos password.] +@end[example] + +Use the @i[klist] program to list the contents of your ticket file. +@begin[example] +host% @b([K_USER]/klist) +@end[example] +The command should display something like the following: +@begin[example] +Ticket file: /tmp/tkt5555 +Principal: yourusername@@REALMNAME + + Issued Expires Principal +May 6 10:15:23 May 6 18:15:23 krbtgt.REALMNAME@@REALMNAME +@end[example] + +If you have any problems, you can examine the log file +@i[/kerberos/kerberos.log] on the Kerberos server machine to see if +there was some sort of error. 
+ +@chapter[Setting up and testing the Administration server] + +The procedure for setting up and testing the Kerberos administration server +is as follows: +@begin[enumerate] +Use the @i[kdb_edit] utility to add your username with an administration +instance to the master database. + +Edit the access control lists for the administration server + +Start the Kerberos administration server. + +Use the @i[kpasswd] command to change your password. + +Use the @i[kadmin] command to add new entries to the database. + +Use the @i[kinit] command to verify that the @i[kadmin] command +correctly added new entries to the database. +@end(enumerate) + +@section[Adding an administration instance for the administrator] + +Login to the Kerberos master server machine, +and use the @b[su] command to become root. +Use the @i[kdb_edit] program to create an entry for each administrator +with the instance ``@p(admin)''. +@begin[example] +@tabset[3inches, +1.5inches] +host# @b([ADMIN_DIR]/kdb_edit) + +Opening database... + +Enter Kerberos master key: +Verifying, please re-enter +Enter Kerberos master key: +Current Kerberos master key version is 1 + +Master key entered. BEWARE! +Previous or default values are in [brackets] , +enter return to leave the same, or new value. + +Principal name: @b[wave]@\@b[<--] @p[Enter the username.] +Instance:@b[admin]@\@b[<--] @p[Enter ``admin''.] + +, Create [y] ? @b[y]@\@b[<--] @p[The user-instance does not exist.] +@\@p[ Enter y to create the user-instance.] +Principal: wave Instance: admin m_key_v: 1 +New Password: @\@p[<-- Enter the user-instance's password.] +Verifying, please re-enter +New Password: +Principal's new key version = 1 +Expiration date (enter dd-mm-yy) [ 12/31/99 ] ?@\@b[<--] @p[Enter newlines] +Max ticket lifetime (*5 minutes) [ 255 ] ? @\@b[<--] @p[to get the] +Attributes [ 0 ] ? @\@\@b[<--] @p[default values.] +Edit O.K. + +Principal name:@\@p[<-- Enter a newline to exit the program.] 
+@end[example] + +@section[The Access Control Lists] +The Kerberos administration server uses three access control lists to +determine who is authorized to make certain requests. The access +control lists are stored on the master Kerberos server in the same +directory as the principal database, @i(/kerberos). The access control +lists are simple ASCII text files, with each line specifying the name of +one principal who is allowed the particular function. To allow several +people to perform the same function, put their principal names on +separate lines in the same file. + +The first list, @i(/kerberos/admin_acl.mod), is a list of principals +which are authorized to change entries in the database. To allow the +administrator `@b[wave]' to modify entries in the database for the realm +`@b[TIM.EDU]', you would put the following line into the file +@i(/kerberos/admin_acl.mod): +@begin(example) +wave.admin@@TIM.EDU +@end(example) + +The second list, @i(/kerberos/admin_acl.get), is a list of principals +which are authorized to retrieve entries from the database. + +The third list, @i(/kerberos/admin_acl.add), is a list of principals +which are authorized to add new entries to the database. + +@section(Starting the administration server) +Change directories to the directory in which you have installed +the administration server program @i[kadmind] +(the default directory is @i[/usr/etc]), +and start the program as a background process: +@begin[example] +host# @b[./kadmind -n&] +@end[example] +If you have used the @i[kstash] command to store the master database password, +the server will start automatically. +If you did not use @i[kstash], +use the following command: +@begin[example] +host# @b[./kadmind] +@end[example] +The server will prompt you to enter the master password before actually +starting itself; after it starts, you should suspend it and put it in +the background (usually this is done by typing control-Z and then @b(bg)). 
+ +@section(Testing @p[kpasswd]) + +To test the administration server, you should try changing your password +with the @i[kpasswd] command, and you should try adding new users with +the @i[kadmin] command (both commands are installed into @i[/usr/athena] +by default). + +Before testing, you should exit the root account. + +To change your password, run the @i[kpasswd] command: +@begin(example) +@tabset[3inches, +1.5inches] +host% @b([K_USER]/kpasswd) +Old password for wave@@TIM.EDU:@\@b[<--]@p[Enter your password] +New Password for wave@@TIM.EDU:@\@b[<--]@p[Enter a new password] +Verifying, please re-enter New Password for wave@@TIM.EDU: +@\@b[<--]@p[Enter new password again] +Password changed. +@end(example) +Once you have changed your password, use the @i[kinit] program as shown +above to verify that the password was properly changed. + +@section(Testing @p[kadmin]) +You should also test the function of the @i[kadmin] program, by adding a +new user (here named ``@t[username]''): +@begin(example) +@tabset[3inches, +1.5inches] +host% @b([K_USER]/kadmin) +Welcome to the Kerberos Administration Program, version 2 +Type "help" if you need it. +admin: @b(ank username)@\@p[`ank' stands for Add New Key] +Admin password: @\@b[<--]@p[enter the password +@\you chose above for wave.admin] +Password for username:@\@b[<--]@p[Enter the user's initial password] +Verifying, please re-enter Password for username:@\@b[<--]@p[enter it again] +username added to database. + +admin: quit +Cleaning up and exiting. 
+@end[example] + +@section(Verifying with @p[kinit]) +Once you've added a new user, you should test to make sure it was added +properly by using @i[kinit], and trying to get tickets for that user: + +@begin[example] +@tabset[3inches, +1.5inches] +host% @b([K_USER]/kinit username) +MIT Project Athena (ariadne) +Kerberos Initialization for "username@@TIM.EDU" +Password: @b[<--]@p[Enter the user's password you used above] +host% @b([K_USER]/klist) +Ticket file: /tmp/tkt_5509_spare1 +Principal: username@@TIM.MIT.EDU + + Issued Expires Principal +Nov 20 15:58:52 Nov 20 23:58:52 krbtgt.TIM.EDU@@TIM.EDU +@end[example] + +If you have any problems, you can examine the log files +@i[/kerberos/kerberos.log] and @i[/kerberos/admin_server.syslog] on the +Kerberos server machine to see if there was some sort of error. + +@chapter[Setting up and testing slave server(s)] + +[Unfortunately, this chapter is not yet ready. Sorry. -ed] + +@chapter[A Sample Application] + +This release of Kerberos comes with a sample application +server and a corresponding client program. +You will find this software in the [OBJ_DIR]@i[/appl/sample] directory. +The file @i[sample_client] contains the client program's executable +code, the file @i[sample_server] contains the server's executable. + +The programs are rudimentary. +When they have been installed (the installation procedure is described +in detail later), they work as follows: +@begin[itemize] +The user starts @i[sample_client] and provides as arguments +to the command the name of the server machine and a checksum. +For instance: +@begin[example] +host% @b[sample_client] @p[servername] @p[43] +@end[example] + +@i[Sample_client] contacts the server machine and +authenticates the user to @i[sample_server]. + +@i[Sample_server] authenticates itself to @i[sample_client], +then returns a message to the client program. 
+This message contains diagnostic information +that includes the user's username, the Kerberos realm, +and the user's workstation address. + +@i[Sample_client] displays the server's message on the user's +terminal screen. +@end[itemize] + +@section[The Installation Process] + +In general, +you use the following procedure to install a Kerberos-authenticated +server-client system. +@begin[enumerate] +Add the appropriate entry to the Kerberos database using @i[kdb_edit] or +@i[kadmin] (described below). + +Create a @i[/etc/srvtab] file for the server machine. + +Install the service program and the @i[/etc/srvtab] +file on the server machine. + +Install the client program on the client machine. + +Update the @i[/etc/services] file on the client and server machines. +@end[enumerate] + +We will use the sample application as an example, although +the procedure used to install @i[sample_server] differs slightly +from the general case because the @i[sample_server] +takes requests via the +@i[inetd] program. +@i[Inetd] starts @i[sample_server] each time +a client process contacts the server machine. +@i[Sample_server] processes the request, +terminiates, then is restarted when @i[inetd] receives another +@i[sample_client] request. +When you install the program on the server, +you must add a @i[sample] entry to the server machine's +@i[/etc/inetd.conf] file. + +The following description assumes that you are installing +@i[sample_server] on the machine @i[ariadne.tim.edu]. +Here's the process, step by step: +@begin[enumerate] +Login as or @i[su] to root on the Kerberos server machine. +Use the @i[kdb_edit] or @i[kadmin] program to create an entry for +@i[sample] in the Kerberos database: +@begin[example, rightmargin -10] +@tabset[2.0inches, +.5inches] +host# @b([ADMIN_DIR]/kdb_edit) + +Opening database... + +Enter Kerberos master key: +Verifying, please re-enter +master key entered. BEWARE! 
+Previous or default values are in [brackets] , +enter return to leave the same, or new value. + +Principal name: @b[sample]@\@b[<--] @p[Enter the principal name.] +Instance: @b[ariadne]@\@b[<--] @p[Instances cannot have periods in them.] + +, Create [y] ? @b[y] + +Principal: sample_server Instance: ariadne m_key_v: 1 +New Password:@\@b[<--] @p[Enter ``RANDOM'' to get random password.] +Verifying, please re-enter +New Password:@\@b[<--] @p[Enter ``RANDOM'' again.] +Random password [y] ? @b[y] + +Principal's new key version = 1 +Expiration date (enter dd-mm-yy) [ 12/31/99 ] ? +Max ticket lifetime (*5 minutes) [ 255 ] ? +Attributes [ 0 ] ? +Edit O.K. + +Principal name:@\@b[<--] @p[Enter newline to exit kdb_edit.] +@end[example] + +Use the @i[ext_srvtab] program to create a @i[srvtab] file +for @i[sample_server]'s host machine: +@begin[example] +host# @b([ADMIN_DIR]/ext_srvtab ariadne) + +Enter Kerberos master key: +Current Kerberos master key version is 1. + +Generating 'ariadne-new-srvtab'.... +@end[example] +Transfer the @i[ariadne-new-srvtab] file to @i[ariadne] and install it as +@i[/etc/srvtab]. +Note that this file is equivalent to the service's password and should +be treated with care. +For example, it could be transferred by removable media, but should +not be sent over an open network in the clear. +Once installed, this file should be readable only by root. + +Add the following line to the @i[/etc/services] file on +@i[ariadne], and on all machines that +will run the @i[sample_client] program: +@begin[example] +sample 906/tcp # Kerberos sample app server +@end[example] + +Add a line similar to the following line to the @i[/etc/inetd.conf] +file on @i[sample_server]'s machine: +@begin[example] +sample stream tcp nowait switched root + [PATH]/sample_server sample_server +@end[example] +where [PATH] should be substituted with +the path to the @i[sample_server] program. +(This @i[inetd.conf] information should be placed on one line.) 
+You should examine existing lines in @i[/etc/inetd.conf] and use the +same format used by other entries (e.g. for telnet). Most systems do +not have a column for the `switched' keyword, and some do not have a +column for the username (usually `root', as above). + +Restart @i[inetd] by sending the current @i[inetd] process +a hangup signal: +@begin[example] +host# @b[kill -HUP @p(process_id_number)] +@end[example] + +The @i[sample_server] is now ready to take @i[sample_client] requests. +@end[enumerate] + +@section[Testing the Sample Server] + +Assume that you have installed @i[sample_server] on @i[ariadne]. + +Login to your workstation and use the @i[kinit] command to +obtain a Kerberos ticket-granting ticket: +@begin[example] +@tabset[3 inches] +host% @b([K_USER]/kinit) +MIT Project Athena, (your_workstation) +Kerberos Initialization +Kerberos name: @p[yourusername]@\@b[<--] @p[Enter your Kerberos username.] +Password: @\@b[<--] @p[Enter your Kerberos password.] +@end[example] + +Now use the @i[sample_client] program as follows: +@begin[example] +host% @b([PATH]/sample_client ariadne) +@end[example] +The command should display something like the following: +@begin[example] +The server says: +You are @p[yourusername].@@REALMNAME (local name @p[yourusername]), + at address @p[yournetaddress], version VERSION9, cksum 997 +@end[example] + +@chapter[Service names and other services] + +@section(rlogin, rsh, rcp, tftp, and others) + +Many services use a common principal name for authentication purposes. +@i[rlogin], @i[rsh], @i[rcp], @i[tftp] and others use the principal name +``@t[rcmd]''. For example, to set up the machine @i[ariadne] to support +Kerberos rlogin, it needs to have a service key for principal +``@t[rcmd]'', instance ``@t[ariadne]''. You create this key in the same +way as shown above for the sample service. + +After creating this key, you need to run the @i[ext_srvtab] program +again to generate a new srvtab file for ariadne. 
+ +@section(NFS modifications) + +The NFS modifications distributed separately use the service name +``@t[rvdsrv]'' with the instance set to the machine name (as for the +sample server and the rlogin, rsh, rcp and tftp services). + +@section(inetd.conf entries) +The following are the @i(/etc/inetd.conf) entries necessary to support +rlogin, encrypted rlogin, rsh, and rcp services on a server machine. As +above, your @i(inetd.conf) may not support all the fields shown here. +@begin[example] +eklogin stream tcp nowait unswitched root + [PATH]/klogind eklogind +kshell stream tcp nowait unswitched root + [PATH]/kshd kshd +klogin stream tcp nowait unswitched root + [PATH]/klogind klogind +@end[example] -- cgit v1.1