~ubuntu-branches/ubuntu/utopic/krb5/utopic
» Revision
53
: .pc/texinfo-doc-fix.diff/doc/user-guide.texinfo
« back to all changes in this revision
Viewing changes to .pc/texinfo-doc-fix.diff/doc/user-guide.texinfo
- browse files at revision 53
- compare with another revision
- download diff
- download tarball
- view history from revision 53
- Committer: Package Import Robot
- Author(s): Laurent Bigonville
- Date: 2013-07-05 20:55:14 UTC
- Revision ID: package-import@ubuntu.com-20130705205514-of8obgp8tapfkiig
Tags: 1.10.1+dfsg-6.1
* Non-maintainer upload.
* debian/patches/texinfo-doc-fix.diff: Fix FTBFS due to texinfo changes,
thanks to Gianluigi Tiesi <sherpya@netfarm.it> (Closes: #708711)
* debian/patches/texinfo-doc-fix.diff: Fix FTBFS due to texinfo changes,
thanks to Gianluigi Tiesi <sherpya@netfarm.it> (Closes: #708711)
- files added:
- .pc/texinfo-doc-fix.diff
- .pc/texinfo-doc-fix.diff/doc
- files modified:
- .pc/applied-patches
added
removed
.pc/texinfo-doc-fix.diff/doc/user-guide.texinfo
1
\input texinfo @c -*-texinfo-*-
2
@c %**start of header
3
@c guide
4
@setfilename krb5-user.info
5
@settitle Kerberos V5 UNIX User's Guide
6
@setchapternewpage odd @c chapter begins on next odd page
7
@c @setchapternewpage on @c chapter begins on next page
8
@c @smallbook @c Format for 7" X 9.25" paper
9
@documentencoding UTF-8
10
@c %**end of header
11
@copying
12
Copyright @copyright{} 1985-2010 by the Massachusetts Institute of Technology.
13
@end copying
14
15
@paragraphindent 0
16
@iftex
17
@parskip 6pt plus 6pt
18
@end iftex
19
20
@dircategory Kerberos
21
@direntry
22
* krb5-user: (krb5-user). Kerberos V5 UNIX User's Guide
23
@end direntry
24
25
@include definitions.texinfo
26
@set EDITION 1.0
27
28
@finalout @c don't print black warning boxes
29
30
@titlepage
31
@title @value{PRODUCT} UNIX User's Guide
32
@subtitle Release: @value{RELEASE}
33
@subtitle Document Edition: @value{EDITION}
34
@subtitle Last updated: @value{UPDATED}
35
@author @value{COMPANY}
36
37
@page
38
@vskip 0pt plus 1filll
39
@insertcopying
40
@end titlepage
41
42
@comment node-name, next, previous, up
43
@node Top, Introduction, (dir), (dir)
44
45
@ifinfo
46
This file describes how to use the @value{PRODUCT} client programs.
47
48
@insertcopying
49
@end ifinfo
50
51
@c The master menu is updated using emacs19's M-x texinfo-all-menus-update
52
@c function. Don't forget to run M-x texinfo-every-node-update after
53
@c you add a new section or subsection, or after you've rearranged the
54
@c comand before each @section or @subsection! All you need to enter
55
@c is:
56
@c
57
@c @section New Section Name
58
@c
59
@c M-x texinfo-every-node-update will take care of calculating the
60
@c node's forward and back pointers.
61
@c
62
@c ---------------------------------------------------------------------
63
64
@menu
65
* Introduction::
66
* Kerberos V5 Tutorial::
67
* Kerberos V5 Reference::
68
* Kerberos Glossary::
69
* Copyright::
70
@end menu
71
72
@node Introduction, Kerberos V5 Tutorial, Top, Top
73
@chapter Introduction
74
75
@ifset CYGNUS
76
@value{PRODUCT} is based on the Kerberos V5 authentication system
77
developed at MIT.
78
@end ifset
79
@ifset MIT
80
Kerberos V5 is an authentication system developed at MIT.
81
@end ifset
82
Kerberos is named for the three-headed watchdog from Greek mythology,
83
who guarded the entrance to the underworld.
84
85
Under Kerberos, a client (generally either a user or a service) sends a
86
request for a ticket to the @i{Key Distribution Center} (KDC). The KDC
87
creates a @dfn{ticket-granting ticket} (TGT) for the client, encrypts it
88
using the client's password as the key, and sends the encrypted TGT back
89
to the client. The client then attempts to decrypt the TGT, using its
90
password. If the client successfully decrypts the TGT (@i{i.e.}, if the
91
client gave the correct password), it keeps the decrypted TGT, which
92
indicates proof of the client's identity.
93
94
The TGT, which expires at a specified time, permits the client to obtain
95
additional tickets, which give permission for specific services. The
96
requesting and granting of these additional tickets is user-transparent.
97
98
Since Kerberos negotiates authenticated, and optionally encrypted,
99
communications between two points anywhere on the internet, it provides
100
a layer of security that is not dependent on which side of a firewall
101
either client is on. Since studies have shown that half of the computer
102
security breaches in industry happen from @i{inside} firewalls,
103
@value{COMPANY}'s @value{PRODUCT} plays a vital role in maintaining your
104
network security.
105
106
The @value{PRODUCT} package is designed to be easy to use. Most of the
107
commands are nearly identical to UNIX network programs you already
108
use. @value{PRODUCT} is a @dfn{single-sign-on} system, which means
109
that you have to type your password only once per session, and Kerberos
110
does the authenticating and encrypting transparently.
111
112
@menu
113
* What is a Ticket?::
114
* What is a Kerberos Principal?::
115
@end menu
116
117
@node What is a Ticket?, What is a Kerberos Principal?, Introduction, Introduction
118
@section What is a Ticket?
119
120
Your Kerberos @dfn{credentials}, or ``@dfn{tickets}'', are a set of
121
electronic information that can be used to verify your identity. Your
122
Kerberos tickets may be stored in a file, or they may exist only in
123
memory.
124
125
The first ticket you obtain is a @dfn{ticket-granting ticket}, which
126
permits you to obtain additional tickets. These additional tickets give
127
you permission for specific services. The requesting and granting of
128
these additional tickets happens transparently.
129
130
A good analogy for the ticket-granting ticket is a three-day ski pass
131
that is good at four different resorts. You show the pass at whichever
132
resort you decide to go to (until it expires), and you receive a lift
133
ticket for that resort. Once you have the lift ticket, you can ski all
134
you want at that resort. If you go to another resort the next day, you
135
once again show your pass, and you get an additional lift ticket for the
136
new resort. The difference is that the @value{PRODUCT} programs notice
137
that you have the weekend ski pass, and get the lift ticket for you, so
138
you don't have to perform the transactions yourself.
139
140
@node What is a Kerberos Principal?, , What is a Ticket?, Introduction
141
@section What is a Kerberos Principal?
142
143
A Kerberos @dfn{principal} is a unique identity to which Kerberos can
144
assign tickets. Principals can have an arbitrary number of
145
components. Each component is separated by a component separator,
146
generally `/'. The last component is the realm, separated from the
147
rest of the principal by the realm separator, generally `@@'. If there
148
is no realm component in the principal, then it will be assumed that
149
the principal is in the default realm for the context in which it is
150
being used.
151
152
Traditionally, a principal is divided into three parts: the
153
@dfn{primary}, the @dfn{instance}, and the @dfn{realm}. The format of
154
a typical Kerberos V5 principal is @code{primary/instance@@REALM}.
155
156
@itemize @bullet
157
@item The @dfn{primary} is the first part of the principal. In the case
158
of a user, it's the same as your username. For a host, the primary is
159
the word @code{host}.
160
161
@item The @dfn{instance} is an optional string that qualifies the
162
primary. The instance is separated from the primary by a slash
163
(@code{/}). In the case of a user, the instance is usually null, but a
164
user might also have an additional principal, with an instance called
165
@samp{admin}, which he/she uses to administrate a database. The
166
principal @code{@value{RANDOMUSER1}@@@value{PRIMARYREALM}} is completely
167
separate from the principal
168
@code{@value{RANDOMUSER1}/admin@@@value{PRIMARYREALM}}, with a separate
169
password, and separate permissions. In the case of a host, the instance
170
is the fully qualified hostname, e.g.,
171
@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}.
172
173
@item The @dfn{realm} is your Kerberos realm. In most cases, your
174
Kerberos realm is your domain name, in upper-case letters. For example,
175
the machine @code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}} would be in
176
the realm @code{@value{SECONDREALM}}.
177
@end itemize
178
179
@node Kerberos V5 Tutorial, Kerberos V5 Reference, Introduction, Top
180
@chapter Kerberos V5 Tutorial
181
182
This tutorial is intended to familiarize you with the @value{PRODUCT}
183
client programs. We will represent your prompt as ``@code{shell%}''.
184
So an instruction to type the ``@kbd{ls}'' command would be represented as
185
follows:
186
187
@need 600
188
@smallexample
189
@group
190
@b{shell%} ls
191
@end group
192
@end smallexample
193
194
In these examples, we will use sample usernames, such as
195
@code{@value{RANDOMUSER1}} and @code{@value{RANDOMUSER2}}, sample
196
hostnames, such as @code{@value{RANDOMHOST1}} and
197
@code{@value{RANDOMHOST2}}, and sample domain names, such as
198
@code{@value{PRIMARYDOMAIN}} and @code{@value{SECONDDOMAIN}}. When you
199
see one of these, substitute your username, hostname, or domain name
200
accordingly.
201
202
@menu
203
* Setting Up to Use Kerberos V5::
204
* Ticket Management::
205
* Password Management::
206
* Kerberos V5 Applications::
207
@end menu
208
209
@node Setting Up to Use Kerberos V5, Ticket Management, Kerberos V5 Tutorial, Kerberos V5 Tutorial
210
@section Setting Up to Use @value{PRODUCT}
211
212
Your system administrator will have installed the @value{PRODUCT}
213
programs in whichever directory makes the most sense for your system.
214
We will use @code{@value{ROOTDIR}} throughout this guide to refer to the
215
top-level directory @value{PRODUCT} directory. We will therefor use
216
@code{@value{BINDIR}} to denote the location of the @value{PRODUCT} user
217
programs. In your installation, the directory name may be different,
218
but whatever the directory name is, you should make sure it is included
219
in your path. You will probably want to put it @i{ahead of} the
220
directories @code{/bin} and @code{/usr/bin} so you will get the
221
@value{PRODUCT} network programs, rather than the standard UNIX
222
versions, when you type their command names.
223
224
@node Ticket Management, Password Management, Setting Up to Use Kerberos V5, Kerberos V5 Tutorial
225
@section Ticket Management
226
227
On many systems, Kerberos is built into the login program, and you get
228
tickets automatically when you log in. Other programs, such as
229
@code{rsh}, @code{rcp}, @code{telnet}, and @code{rlogin}, can forward
230
copies of your tickets to the remote host. Most of these programs also
231
automatically destroy your tickets when they exit. However,
232
@value{COMPANY} recommends that you explicitly destroy your Kerberos
233
tickets when you are through with them, just to be sure. One way to
234
help ensure that this happens is to add the @code{kdestroy} command to
235
your @code{.logout} file. Additionally, if you are going to be away
236
from your machine and are concerned about an intruder using your
237
permissions, it is safest to either destroy all copies of your tickets,
238
or use a screensaver that locks the screen.
239
240
@need 2000
241
@menu
242
* Kerberos Ticket Properties::
243
* Obtaining Tickets with kinit::
244
* Viewing Your Tickets with klist::
245
* Destroying Your Tickets with kdestroy::
246
@end menu
247
248
@node Kerberos Ticket Properties, Obtaining Tickets with kinit, Ticket Management, Ticket Management
249
@subsection Kerberos Ticket Properties
250
251
@noindent
252
There are various properties that Kerberos tickets can have:
253
254
If a ticket is @dfn{forwardable}, then the KDC can issue a new ticket with
255
a different network address based on the forwardable ticket. This
256
allows for authentication forwarding without requiring a password to be
257
typed in again. For example, if a user with a forwardable TGT logs
258
into a remote system, the KDC could issue a new TGT for that user with
259
the network address of the remote system, allowing authentication on
260
that host to work as though the user were logged in locally.
261
262
When the KDC creates a new ticket based on a forwardable ticket, it
263
sets the @dfn{forwarded} flag on that new ticket. Any tickets that are
264
created based on a ticket with the forwarded flag set will also have
265
their forwarded flags set.
266
267
A @dfn{proxiable} ticket is similar to a forwardable ticket in that it
268
allows a service to take on the identity of the client. Unlike a
269
forwardable ticket, however, a proxiable ticket is only issued for
270
specific services. In other words, a ticket-granting ticket cannot be
271
issued based on a ticket that is proxiable but not forwardable.
272
273
A @dfn{proxy} ticket is one that was issued based on a proxiable ticket.
274
275
A @dfn{postdated} ticket is issued with the @i{invalid} flag set.
276
After the starting time listed on the ticket, it can be presented to
277
the KDC to obtain valid tickets.
278
279
Tickets with the @dfn{postdateable} flag set can be used to issue postdated
280
tickets.
281
282
@dfn{Renewable} tickets can be used to obtain new session keys without
283
the user entering their password again. A renewable ticket has two
284
expiration times. The first is the time at which this particular
285
ticket expires. The second is the latest possible expiration time for
286
any ticket issued based on this renewable ticket.
287
288
A ticket with the @dfn{initial} flag set was issued based on the
289
authentication protocol, and not on a ticket-granting ticket. Clients
290
that wish to ensure that the user's key has been recently presented for
291
verification could specify that this flag must be set to accept the
292
ticket.
293
294
An @dfn{invalid} ticket must be rejected by application servers. Postdated
295
tickets are usually issued with this flag set, and must be validated by
296
the KDC before they can be used.
297
298
A @dfn{preauthenticated} ticket is one that was only issued after the
299
client requesting the ticket had authenticated itself to the KDC.
300
301
The @dfn{hardware authentication} flag is set on a ticket which
302
required the use of hardware for authentication. The hardware is
303
expected to be possessed only by the client which requested the
304
tickets.
305
306
If a ticket has the @dfn{transit policy checked} flag set, then the KDC that
307
issued this ticket implements the transited-realm check policy and
308
checked the transited-realms list on the ticket. The transited-realms
309
list contains a list of all intermediate realms between the realm of the
310
KDC that issued the first ticket and that of the one that issued the
311
current ticket. If this flag is not set, then the application server
312
must check the transited realms itself or else reject the ticket.
313
314
The @dfn{okay as delegate} flag indicates that the server specified in
315
the ticket is suitable as a delegate as determined by the policy of
316
that realm. A server that is acting as a delegate has been granted a
317
proxy or a forwarded TGT. This flag is a new addition to the
318
@value{PRODUCT} protocol and is not yet implemented on MIT servers.
319
320
An @dfn{anonymous} ticket is one in which the named principal is a generic
321
principal for that realm; it does not actually specify the individual
322
that will be using the ticket. This ticket is meant only to securely
323
distribute a session key. This is a new addition to the @value{PRODUCT}
324
protocol and is not yet implemented on MIT servers.
325
326
@node Obtaining Tickets with kinit, Viewing Your Tickets with klist, Kerberos Ticket Properties, Ticket Management
327
@subsection Obtaining Tickets with kinit
328
329
If your site is using the @value{PRODUCT} login program, you will get
330
Kerberos tickets automatically when you log in. If your site uses a
331
different login program, you may need to explicitly obtain your Kerberos
332
tickets, using the @code{kinit} program. Similarly, if your Kerberos
333
tickets expire, use the @code{kinit} program to obtain new ones.
334
335
@need 1500
336
To use the @code{kinit} program, simply type @kbd{kinit} and then type
337
your password at the prompt. For example, Jennifer (whose username is
338
@code{@value{RANDOMUSER1}}) works for Bleep, Inc. (a fictitious company
339
with the domain name @code{@value{PRIMARYDOMAIN}} and the Kerberos realm
340
@code{@value{PRIMARYREALM}}). She would type:
341
342
@smallexample
343
@group
344
@b{shell%} kinit
345
@b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type @value{RANDOMUSER1}'s password here.]}
346
@b{shell%}
347
@end group
348
@end smallexample
349
350
@need 1000
351
If you type your password incorrectly, kinit will give you the following
352
error message:
353
354
@smallexample
355
@group
356
@b{shell%} kinit
357
@b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type the wrong password here.]}
358
@b{kinit: Password incorrect}
359
@b{shell%}
360
@end group
361
@end smallexample
362
363
@noindent and you won't get Kerberos tickets.
364
365
@noindent Notice that @code{kinit} assumes you want tickets for your own
366
username in your default realm.
367
@need 1500
368
Suppose Jennifer's friend David is visiting, and he wants to borrow a
369
window to check his mail. David needs to get tickets for himself in his
370
own realm, @value{SECONDREALM}.@footnote{Note: the realm
371
@value{SECONDREALM} must be listed in your computer's Kerberos
372
configuration file, @code{/etc/krb5.conf}.} He would type:
373
374
@smallexample
375
@group
376
@b{shell%} kinit @value{RANDOMUSER2}@@@value{SECONDREALM}
377
@b{Password for @value{RANDOMUSER2}@@@value{SECONDREALM}:} @i{<-- [Type @value{RANDOMUSER2}'s password here.]}
378
@b{shell%}
379
@end group
380
@end smallexample
381
382
@noindent David would then have tickets which he could use to log onto
383
his own machine. Note that he typed his password locally on Jennifer's
384
machine, but it never went over the network. Kerberos on the local host
385
performed the authentication to the KDC in the other realm.
386
387
@need 1000
388
If you want to be able to forward your tickets to another host, you need
389
to request @dfn{forwardable} tickets. You do this by specifying the
390
@kbd{-f} option:
391
392
@smallexample
393
@group
394
@b{shell%} kinit -f
395
@b{Password for @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{<-- [Type your password here.]}
396
@b{shell%}
397
@end group
398
@end smallexample
399
400
@noindent
401
Note that @code{kinit} does not tell you that it obtained forwardable
402
tickets; you can verify this using the @code{klist} command
403
(@pxref{Viewing Your Tickets with klist}).
404
405
Normally, your tickets are good for your system's default ticket
406
lifetime, which is ten hours on many systems. You can specify a
407
different ticket lifetime with the @samp{-l} option. Add the letter
408
@samp{s} to the value for seconds, @samp{m} for minutes, @samp{h} for
409
hours, or @samp{d} for days.
410
@need 1500
411
For example, to obtain forwardable tickets for
412
@code{@value{RANDOMUSER2}@@@value{SECONDREALM}} that would be good for
413
three hours, you would type:
414
415
@smallexample
416
@group
417
@b{shell%} kinit -f -l 3h @value{RANDOMUSER2}@@@value{SECONDREALM}
418
@b{Password for @value{RANDOMUSER2}@@@value{SECONDREALM}:} @i{<-- [Type @value{RANDOMUSER2}'s password here.]}
419
@b{shell%}
420
@end group
421
@end smallexample
422
423
@noindent
424
You cannot mix units; specifying a lifetime of @samp{3h30m} would result
425
in an error. Note also that most systems specify a maximum ticket
426
lifetime. If you request a longer ticket lifetime, it will be
427
automatically truncated to the maximum lifetime.
428
429
@node Viewing Your Tickets with klist, Destroying Your Tickets with kdestroy, Obtaining Tickets with kinit, Ticket Management
430
@subsection Viewing Your Tickets with klist
431
432
The @code{klist} command shows your tickets. When you first obtain
433
tickets, you will have only the ticket-granting ticket. (@xref{What is
434
a Ticket?}.) The listing would look like this:
435
436
@smallexample
437
@group
438
@b{shell%} klist
439
Ticket cache: /tmp/krb5cc_ttypa
440
Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
441
442
Valid starting Expires Service principal
443
06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
444
@b{shell%}
445
@end group
446
@end smallexample
447
448
@noindent
449
The ticket cache is the location of your ticket file. In the above
450
example, this file is named @code{/tmp/krb5cc_ttypa}. The default
451
principal is your kerberos @dfn{principal}. (@pxref{What is a Kerberos
452
Principal?})
453
454
The ``valid starting'' and ``expires'' fields describe the period of
455
time during which the ticket is valid. The @dfn{service principal}
456
describes each ticket. The ticket-granting ticket has the primary
457
@code{krbtgt}, and the instance is the realm name.
458
459
@need 2000
460
Now, if @value{RANDOMUSER1} connected to the machine
461
@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, and then typed
462
@kbd{klist} again, she would have gotten the following result:
463
464
@smallexample
465
@group
466
@b{shell%} klist
467
Ticket cache: /tmp/krb5cc_ttypa
468
Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
469
470
Valid starting Expires Service principal
471
06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
472
06/07/04 20:22:30 06/08/04 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
473
@b{shell%}
474
@end group
475
@end smallexample
476
477
@noindent
478
Here's what happened: when @value{RANDOMUSER1} used telnet to connect
479
to the host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, the telnet
480
program presented her ticket-granting ticket to the KDC and requested a
481
host ticket for the host
482
@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}. The KDC sent the host
483
ticket, which telnet then presented to the host
484
@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, and she was allowed to
485
log in without typing her password.
486
487
@need 3000
488
Suppose your Kerberos tickets allow you to log into a host in another
489
domain, such as @code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}, which
490
is also in another Kerberos realm, @code{@value{SECONDREALM}}. If you
491
telnet to this host, you will receive a ticket-granting ticket for the
492
realm @code{@value{SECONDREALM}}, plus the new @code{host} ticket for
493
@code{@value{RANDOMHOST2}.@value{SECONDDOMAIN}}. @kbd{klist} will now
494
show:
495
496
@smallexample
497
@group
498
@b{shell%} klist
499
Ticket cache: /tmp/krb5cc_ttypa
500
Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
501
502
Valid starting Expires Service principal
503
06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
504
06/07/04 20:22:30 06/08/04 05:49:19 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
505
06/07/04 20:24:18 06/08/04 05:49:19 krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}
506
06/07/04 20:24:18 06/08/04 05:49:19 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{SECONDREALM}
507
@b{shell%}
508
@end group
509
@end smallexample
510
511
You can use the @code{-f} option to view the @dfn{flags} that apply to
512
your tickets. The flags are:
513
514
@table @b
515
@itemx F
516
@b{F}orwardable
517
@itemx f
518
@b{f}orwarded
519
@itemx P
520
@b{P}roxiable
521
@itemx p
522
@b{p}roxy
523
@itemx D
524
post@b{D}ateable
525
@itemx d
526
post@b{d}ated
527
@itemx R
528
@b{R}enewable
529
@itemx I
530
@b{I}nitial
531
@itemx i
532
@b{i}nvalid
533
@itemx H
534
@b{H}ardware authenticated
535
@itemx A
536
pre@b{A}uthenticated
537
@itemx T
538
@b{T}ransit policy checked
539
@itemx O
540
@b{O}kay as delegate
541
@itemx a
542
@b{a}nonymous
543
@end table
544
545
@need 1500
546
Here is a sample listing. In this example, the user @value{RANDOMUSER1}
547
obtained her initial tickets (@samp{I}), which are forwardable
548
(@samp{F}) and postdated (@samp{d}) but not yet validated (@samp{i}).
549
(@xref{kinit Reference}, for more information about postdated tickets.)
550
551
@smallexample
552
@group
553
@b{shell%} klist -f
554
@b{Ticket cache: /tmp/krb5cc_320
555
Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
556
557
Valid starting Expires Service principal
558
31/07/05 19:06:25 31/07/05 19:16:25 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
559
Flags: FdiI
560
shell%}
561
@end group
562
@end smallexample
563
564
@need 1500
565
In the following example, the user @value{RANDOMUSER2}'s tickets were
566
forwarded (@samp{f}) to this host from another host. The tickets are
567
reforwardable (@samp{F}).
568
569
@smallexample
570
@group
571
@b{shell%} klist -f
572
@b{Ticket cache: /tmp/krb5cc_p11795
573
Default principal: @value{RANDOMUSER2}@@@value{SECONDREALM}
574
575
Valid starting Expires Service principal
576
07/31/05 11:52:29 07/31/05 21:11:23 krbtgt/@value{SECONDREALM}@@@value{SECONDREALM}
577
Flags: Ff
578
07/31/05 12:03:48 07/31/05 21:11:23 host/@value{RANDOMHOST2}.@value{SECONDDOMAIN}@@@value{SECONDREALM}
579
Flags: Ff
580
shell%}
581
@end group
582
@end smallexample
583
584
@node Destroying Your Tickets with kdestroy, , Viewing Your Tickets with klist, Ticket Management
585
@subsection Destroying Your Tickets with kdestroy
586
587
Your Kerberos tickets are proof that you are indeed yourself, and
588
tickets can be stolen. If this happens, the person who has them can
589
masquerade as you until they expire. For this reason, you should
590
destroy your Kerberos tickets when you are away from your computer.
591
592
@need 1000
593
Destroying your tickets is easy. Simply type @kbd{kdestroy}.
594
595
@smallexample
596
@group
597
@b{shell%} kdestroy
598
@b{shell%}
599
@end group
600
@end smallexample
601
602
@need 1500
603
If @code{kdestroy} fails to destroy your tickets, it will beep and give
604
an error message. For example, if @code{kdestroy} can't find any
605
tickets to destroy, it will give the following message:
606
607
@smallexample
608
@group
609
@b{shell%} kdestroy
610
@b{kdestroy: No credentials cache file found while destroying cache
611
shell%}
612
@end group
613
@end smallexample
614
615
@node Password Management, Kerberos V5 Applications, Ticket Management, Kerberos V5 Tutorial
616
@section Password Management
617
618
Your password is the only way Kerberos has of verifying your identity.
619
If someone finds out your password, that person can masquerade as
620
you---send email that comes from you, read, edit, or delete your files,
621
or log into other hosts as you---and no one will be able to tell the
622
difference. For this reason, it is important that you choose a good
623
password (@pxref{Password Advice}), and keep it secret. If you need to
624
give access to your account to someone else, you can do so through
625
Kerberos. (@xref{Granting Access to Your Account}.) You should
626
@i{never} tell your password to anyone, including your system
627
administrator, for any reason. You should change your password
628
frequently, particularly any time you think someone may have found out
629
what it is.
630
631
@menu
632
* Changing Your Password::
633
* Password Advice::
634
* Granting Access to Your Account::
635
@end menu
636
637
@node Changing Your Password, Password Advice, Password Management, Password Management
638
@subsection Changing Your Password
639
640
@need 2500
641
To change your Kerberos password, use the @code{kpasswd} command. It
642
will ask you for your old password (to prevent someone else from walking
643
up to your computer when you're not there and changing your password),
644
and then prompt you for the new one twice. (The reason you have to type
645
it twice is to make sure you have typed it correctly.) For example,
646
user @code{@value{RANDOMUSER2}} would do the following:
647
648
@smallexample
649
@group
650
@b{shell%} kpasswd
651
@b{Password for @value{RANDOMUSER2}:} @i{<- Type your old password.}
652
@b{Enter new password:} @i{<- Type your new password.}
653
@b{Enter it again:} @i{<- Type the new password again.}
654
@b{Password changed.}
655
@b{shell%}
656
@end group
657
@end smallexample
658
659
@need 1800
660
If @value{RANDOMUSER2} typed the incorrect old password, he would get
661
the following message:
662
663
@smallexample
664
@group
665
@b{shell%} kpasswd
666
@b{Password for @value{RANDOMUSER2}:} @i{<- Type the incorrect old password.}
667
@b{kpasswd: Password incorrect while getting initial ticket
668
shell%}
669
@end group
670
@end smallexample
671
672
@need 2500
673
If you make a mistake and don't type the new password the same way
674
twice, @code{kpasswd} will ask you to try again:
675
676
@smallexample
677
@group
678
@b{shell%} kpasswd
679
@b{Password for @value{RANDOMUSER2}:} @i{<- Type the old password.}
680
@b{Enter new password:} @i{<- Type the new password.}
681
@b{Enter it again:} @i{<- Type a different new password.}
682
@b{kpasswd: Password mismatch while reading password
683
shell%}
684
@end group
685
@end smallexample
686
687
Once you change your password, it takes some time for the change to
688
propagate through the system. Depending on how your system is set up,
689
this might be anywhere from a few minutes to an hour or more. If you
690
need to get new Kerberos tickets shortly after changing your password,
691
try the new password. If the new password doesn't work, try again using
692
the old one.
693
694
@node Password Advice, Granting Access to Your Account, Changing Your Password, Password Management
695
@subsection Password Advice
696
697
Your password can include almost any character you can type (except
698
control keys and the ``enter'' key). A good password is one you can
699
remember, but that no one else can easily guess. Examples of @i{bad}
700
passwords are words that can be found in a dictionary, any common or
701
popular name, especially a famous person (or cartoon character), your
702
name or username in any form (@i{e.g.}, forward, backward, repeated
703
twice, @i{etc.}), your spouse's, child's, or pet's name, your birth
704
date, your social security number, and any sample password that appears
705
in this (or any other) manual.
706
707
@need 2200
708
@value{COMPANY} recommends that your password be at least 6 characters
709
long, and contain UPPER- and lower-case letters, numbers, and/or
710
punctuation marks. Some passwords that would be good if they weren't
711
listed in this manual include:
712
713
@itemize @bullet
714
@item some initials, like ``GykoR-66.'' for ``Get your kicks on Route
715
66.''
716
717
@item an easy-to-pronounce nonsense word, like ``slaRooBey'' or
718
``krang-its''
719
720
@item a misspelled phrase, like ``2HotPeetzas!'' or ``ItzAGurl!!!''
721
@end itemize
722
723
@noindent Note: don't actually use any of the above passwords. They're
724
only meant to show you how to make up a good password. Passwords that
725
appear in a manual are the first ones intruders will try.
726
727
@need 3800
728
@value{PRODUCT} allows your system administrators to automatically
729
reject bad passwords, based on certain criteria, such as a password
730
dictionary or a minimum length. For example, if the user
731
@code{@value{RANDOMUSER1}}, who had a policy "strict" that required a
732
minimum of 8 characaters, chose a password that was less than 8
733
characters, Kerberos would give an error message like the following:
734
735
@smallexample
736
@group
737
@b{shell%} kpasswd
738
@b{Password for @value{RANDOMUSER1}:} @i{<- Type your old password here.}
739
740
@value{RANDOMUSER1}'s password is controlled by the policy strict, which
741
requires a minimum of 8 characters from at least 3 classes (the five classes
742
are lowercase, uppercase, numbers, punctuation, and all other characters).
743
744
@b{Enter new password:} @i{<- Type an insecure new password.}
745
@b{Enter it again:} @i{<- Type it again.}
746
747
kpasswd: Password is too short while attempting to change password.
748
Please choose another password.
749
750
@b{Enter new password:} @i{<- Type a good password here.}
751
@b{Enter it again:} @i{<- Type it again.}
752
@b{Password changed.
753
shell%}
754
@end group
755
@end smallexample
756
757
@noindent Your system administrators can choose the message that is
758
displayed if you choose a bad password, so the message you see may be
759
different from the above example.
760
761
@node Granting Access to Your Account, , Password Advice, Password Management
762
@subsection Granting Access to Your Account
763
764
@need 1800
765
If you need to give someone access to log into your account, you can do
766
so through Kerberos, without telling the person your password. Simply
767
create a file called @code{.k5login} in your home directory. This file
768
should contain the Kerberos principal (@xref{What is a Kerberos
769
Principal?}.) of each person to whom you wish to give access. Each
770
principal must be on a separate line. Here is a sample @code{.k5login}
771
file:
772
773
@smallexample
774
@group
775
@value{RANDOMUSER1}@@@value{PRIMARYREALM}
776
@value{RANDOMUSER2}@@@value{SECONDREALM}
777
@end group
778
@end smallexample
779
780
@noindent This file would allow the users @code{@value{RANDOMUSER1}} and
781
@code{@value{RANDOMUSER2}} to use your user ID, provided that they had
782
Kerberos tickets in their respective realms. If you will be logging
783
into other hosts across a network, you will want to include your own
784
Kerberos principal in your @code{.k5login} file on each of these hosts.
785
786
@need 1000
787
Using a @code{.k5login} file is much safer than giving out your
788
password, because:
789
790
@itemize @bullet
791
@item You can take access away any time simply by removing the principal
792
from your @code{.k5login} file.
793
794
@item Although the user has full access to your account on one
795
particular host (or set of hosts if your @code{.k5login} file is shared,
796
@i{e.g.}, over NFS), that user does not inherit your network privileges.
797
798
@item Kerberos keeps a log of who obtains tickets, so a system
799
administrator could find out, if necessary, who was capable of using
800
your user ID at a particular time.
801
@end itemize
802
803
One common application is to have a @code{.k5login} file in
804
@code{root}'s home directory, giving root access to that machine to the
805
Kerberos principals listed. This allows system administrators to allow
806
users to become root locally, or to log in remotely as @code{root},
807
without their having to give out the root password, and without anyone
808
having to type the root password over the network.
809
810
@node Kerberos V5 Applications, , Password Management, Kerberos V5 Tutorial
811
@section Kerberos V5 Applications
812
813
@value{PRODUCT} is a @dfn{single-sign-on} system. This means that you
814
only have to type your password once, and the @value{PRODUCT} programs
815
do the authenticating (and optionally encrypting) for you. The way this
816
works is that Kerberos has been built into each of a suite of network
817
programs. For example, when you use a @value{PRODUCT} program to
818
connect to a remote host, the program, the KDC, and the remote host
819
perform a set of rapid negotiations. When these negotiations are
820
completed, your program has proven your identity on your behalf to the
821
remote host, and the remote host has granted you access, all in the
822
space of a few seconds.
823
824
The @value{PRODUCT} applications are versions of existing UNIX network
825
programs with the Kerberos features added.
826
827
@menu
828
* Overview of Additional Features::
829
* telnet::
830
* rlogin::
831
* FTP::
832
* rsh::
833
* rcp::
834
* ksu::
835
@end menu
836
837
@node Overview of Additional Features, telnet, Kerberos V5 Applications, Kerberos V5 Applications
838
@subsection Overview of Additional Features
839
840
The @value{PRODUCT} @dfn{network programs} are those programs that
841
connect to another host somewhere on the internet. These programs
842
include @code{rlogin}, @code{telnet}, @code{ftp}, @code{rsh},
843
@code{rcp}, and @code{ksu}. These programs have all of the original
844
features of the corresponding non-Kerberos @code{rlogin}, @code{telnet},
845
@code{ftp}, @code{rsh}, @code{rcp}, and @code{su} programs, plus
846
additional features that transparently use your Kerberos tickets for
847
negotiating authentication and optional encryption with the remote host.
848
In most cases, all you'll notice is that you no longer have to type your
849
password, because Kerberos has already proven your identity.
850
851
The @value{PRODUCT} network programs allow you the options of forwarding
852
your tickets to the remote host (if you obtained forwardable tickets
853
with the @code{kinit} program; @pxref{Obtaining Tickets with kinit}), and
854
encrypting data transmitted between you and the remote host.
855
856
This section of the tutorial assumes you are familiar with the
857
non-Kerberos versions of these programs, and highlights the Kerberos
858
functions added in the @value{PRODUCT} package.
859
860
@node telnet, rlogin, Overview of Additional Features, Kerberos V5 Applications
861
@subsection telnet
862
863
The @value{PRODUCT} @code{telnet} command works exactly like the
864
standard UNIX telnet program, with the following Kerberos options added:
865
866
@table @kbd
867
@itemx -f
868
forwards a copy of your tickets to the remote host.
869
870
@itemx -F
871
forwards a copy of your tickets to the remote host, and marks them
872
re-forwardable from the remote host.
873
874
@itemx -k @i{realm}
875
requests tickets for the remote host in the specified realm, instead of
876
determining the realm itself.
877
878
@itemx -K
879
uses your tickets to authenticate to the remote host, but does not log
880
you in.
881
882
@itemx -a
883
attempt automatic login using your tickets. @code{telnet} will assume
884
the same username unless you explicitly specify another.
885
886
@itemx -x
887
turns on encryption.
888
889
@end table
890
891
@need 4000
892
For example, if @code{@value{RANDOMUSER2}} wanted to use the standard
893
UNIX telnet to connect to the machine
894
@code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}, he would type:
895
896
@smallexample
897
@group
898
@b{shell%} telnet @value{RANDOMHOST1}.@value{SECONDDOMAIN}
899
@b{Trying 128.0.0.5 ...
900
Connected to @value{RANDOMHOST1}.@value{SECONDDOMAIN}.
901
Escape character is '^]'.
902
903
NetBSD/i386 (daffodil) (ttyp3)
904
905
login:} @value{RANDOMUSER2}
906
@b{Password:} @i{<- @value{RANDOMUSER2} types his password here}
907
@b{Last login: Fri Jun 21 17:13:11 from @value{RANDOMHOST2}.@value{PRIMARYDOMAIN}
908
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
909
The Regents of the University of California. All rights reserved.
910
911
NetBSD 1.1: Tue May 21 00:31:42 EDT 1996
912
913
Welcome to NetBSD!
914
shell%}
915
@end group
916
@end smallexample
917
918
@noindent Note that the machine
919
@code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}} asked for
920
@code{@value{RANDOMUSER2}}'s password. When he typed it, his password
921
was sent over the network unencrypted. If an intruder were watching
922
network traffic at the time, that intruder would know
923
@code{@value{RANDOMUSER2}}'s password.
924
925
@need 4000
926
If, on the other hand, @code{@value{RANDOMUSER1}} wanted to use the
927
@value{PRODUCT} telnet to connect to the machine
928
@code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}}, she could forward a
929
copy of her tickets, request an encrypted session, and log on as herself
930
as follows:
931
932
@smallexample
933
@group
934
@b{shell%} telnet -a -f -x @value{RANDOMHOST2}.@value{PRIMARYDOMAIN}
935
@b{Trying 128.0.0.5...
936
Connected to @value{RANDOMHOST2}.@value{PRIMARYDOMAIN}.
937
Escape character is '^]'.
938
[ Kerberos V5 accepts you as ``@value{RANDOMUSER1}@@@value{PRIMARYDOMAIN}'' ]
939
[ Kerberos V5 accepted forwarded credentials ]
940
What you type is protected by encryption.
941
Last login: Tue Jul 30 18:47:44 from @value{RANDOMHOST1}.@value{SECONDDOMAIN}
942
Athena Server (sun4) Version 9.1.11 Tue Jul 30 14:40:08 EDT 2002
943
944
shell%}
945
@end group
946
@end smallexample
947
948
@noindent Note that @code{@value{RANDOMUSER1}}'s machine used Kerberos
949
to authenticate her to @code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}},
950
and logged her in automatically as herself. She had an encrypted
951
session, a copy of her tickets already waiting for her, and she never
952
typed her password.
953
954
If you forwarded your Kerberos tickets, @code{telnet} automatically
955
destroys them when it exits. The full set of options to @value{PRODUCT}
956
@code{telnet} are discussed in the Reference section of this manual.
957
(@pxref{telnet Reference})
958
959
@need 2000
960
@node rlogin, FTP, telnet, Kerberos V5 Applications
961
@subsection rlogin
962
963
@need 1000
964
The @value{PRODUCT} @code{rlogin} command works exactly like the
965
standard UNIX rlogin program, with the following Kerberos options added:
966
967
@table @kbd
968
@itemx -f
969
forwards a copy of your tickets to the remote host.
970
971
@itemx -F
972
forwards a copy of your tickets to the remote host, and marks them
973
re-forwardable from the remote host.
974
975
@itemx -k @i{realm}
976
requests tickets for the remote host in the specified realm, instead of
977
determining the realm itself.
978
979
@itemx -x
980
encrypts the input and output data streams (the username is sent unencrypted)
981
982
@end table
983
984
@need 3000
985
For example, if @code{@value{RANDOMUSER2}} wanted to use the standard
986
UNIX rlogin to connect to the machine
987
@code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}}, he would type:
988
989
@smallexample
990
@group
991
@b{shell%} rlogin @value{RANDOMHOST1}.@value{SECONDDOMAIN} -l @value{RANDOMUSER2}
992
@b{Password:} @i{<- @value{RANDOMUSER2} types his password here}
993
@b{Last login: Fri Jun 21 10:36:32 from :0.0
994
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
995
The Regents of the University of California. All rights reserved.
996
997
NetBSD 1.1: Tue May 21 00:31:42 EDT 1996
998
999
Welcome to NetBSD!
1000
shell%}
1001
@end group
1002
@end smallexample
1003
1004
@noindent Note that the machine
1005
@code{@value{RANDOMHOST1}.@value{SECONDDOMAIN}} asked for
1006
@code{@value{RANDOMUSER2}}'s password. When he typed it, his password
1007
was sent over the network unencrypted. If an intruder were watching
1008
network traffic at the time, that intruder would know
1009
@code{@value{RANDOMUSER2}}'s password.
1010
1011
@need 4000
1012
If, on the other hand, @code{@value{RANDOMUSER1}} wanted to use
1013
@value{PRODUCT} rlogin to connect to the machine
1014
@code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}}, she could forward a
1015
copy of her tickets, mark them as not forwardable from the remote host,
1016
and request an encrypted session as follows:
1017
1018
@smallexample
1019
@group
1020
@b{shell%} rlogin @value{RANDOMHOST2}.@value{PRIMARYDOMAIN} -f -x
1021
@b{This rlogin session is using DES encryption for all data transmissions.
1022
Last login: Thu Jun 20 16:20:50 from @value{RANDOMHOST1}
1023
Athena Server (sun4) Version 9.1.11 Tue Jul 30 14:40:08 EDT 2002
1024
shell%}
1025
@end group
1026
@end smallexample
1027
1028
@noindent Note that @code{@value{RANDOMUSER1}}'s machine used Kerberos
1029
to authenticate her to @code{@value{RANDOMHOST2}.@value{PRIMARYDOMAIN}},
1030
and logged her in automatically as herself. She had an encrypted
1031
session, a copy of her tickets were waiting for her, and she never typed
1032
her password.
1033
1034
If you forwarded your Kerberos tickets, @code{rlogin} automatically
1035
destroys them when it exits. The full set of options to @value{PRODUCT}
1036
@code{rlogin} are discussed in the Reference section of this manual.
1037
(@pxref{rlogin Reference})
1038
1039
@node FTP, rsh, rlogin, Kerberos V5 Applications
1040
@subsection FTP
1041
1042
@need 1000
1043
The @value{PRODUCT} @code{FTP} program works exactly like the standard
1044
UNIX FTP program, with the following Kerberos features added:
1045
1046
@table @kbd
1047
@itemx -k @i{realm}
1048
requests tickets for the remote host in the specified realm, instead of
1049
determining the realm itself.
1050
1051
@itemx -f
1052
requests that your tickets be forwarded to the remote host. The
1053
@kbd{-f} argument must be the last argument on the command line.
1054
1055
@itemx protect @i{level}
1056
(issued at the @code{ftp>} prompt) sets the protection level. ``Clear''
1057
is no protection; ``safe'' ensures data integrity by verifying the
1058
checksum, and ``private'' encrypts the data. Encryption also ensures
1059
data integrity.
1060
@end table
1061
1062
@need 5000
1063
For example, suppose @code{@value{RANDOMUSER1}} wants to get her
1064
@code{RMAIL} file from the directory @code{~@value{RANDOMUSER1}/Mail},
1065
on the host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}}. She wants
1066
to encrypt the file transfer. The exchange would look like the
1067
following:
1068
1069
@smallexample
1070
@group
1071
@b{shell%} ftp @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}
1072
Connected to @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}.
1073
220 @value{RANDOMHOST1}.@value{PRIMARYDOMAIN} FTP server (Version 5.60) ready.
1074
334 Using authentication type GSSAPI; ADAT must follow
1075
GSSAPI accepted as authentication type
1076
GSSAPI authentication succeeded
1077
200 Data channel protection level set to private.
1078
Name (@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}:@value{RANDOMUSER1}):
1079
232 GSSAPI user @value{RANDOMUSER1}@@@value{PRIMARYREALM} is authorized as @value{RANDOMUSER1}
1080
230 User @value{RANDOMUSER1} logged in.
1081
Remote system type is UNIX.
1082
Using binary mode to transfer files.
1083
ftp> protect private
1084
200 Protection level set to Private.
1085
ftp> cd ~@value{RANDOMUSER1}/MAIL
1086
250 CWD command successful.
1087
ftp> get RMAIL
1088
227 Entering Passive Mode (128,0,0,5,16,49)
1089
150 Opening BINARY mode data connection for RMAIL (361662 bytes).
1090
226 Transfer complete.
1091
361662 bytes received in 2.5 seconds (1.4e+02 Kbytes/s)
1092
ftp> quit
1093
@b{shell%}
1094
@end group
1095
@end smallexample
1096
1097
The full set of options to @value{PRODUCT} @code{FTP} are discussed
1098
in the Reference section of this manual. (@pxref{FTP Reference})
1099
1100
@node rsh, rcp, FTP, Kerberos V5 Applications
1101
@subsection rsh
1102
1103
The @value{PRODUCT} @code{rsh} program works exactly like the standard
1104
UNIX rlogin program, with the following Kerberos features added:
1105
1106
@table @kbd
1107
@itemx -f
1108
forwards a copy of your tickets to the remote host.
1109
1110
@itemx -F
1111
forwards a copy of your tickets to the remote host, and marks them
1112
re-forwardable from the remote host.
1113
1114
@itemx -k @i{realm}
1115
requests tickets for the remote host in the specified realm, instead of
1116
determining the realm itself.
1117
1118
@itemx -x
1119
encrypts the input and output data streams (the command line is not encrypted)
1120
1121
@end table
1122
1123
@need 1800
1124
For example, if your Kerberos tickets allowed you to run programs on the
1125
host @* @code{@value{RANDOMHOST2}@@@value{SECONDDOMAIN}} as root, you could
1126
run the @samp{date} program as follows:
1127
1128
@smallexample
1129
@group
1130
@b{shell%} rsh @value{RANDOMHOST2}.@value{SECONDDOMAIN} -l root -x date
1131
@b{This rsh session is using DES encryption for all data transmissions.
1132
Tue Jul 30 19:34:21 EDT 2002
1133
shell%}
1134
@end group
1135
@end smallexample
1136
1137
If you forwarded your Kerberos tickets, @code{rsh} automatically
1138
destroys them when it exits. The full set of options to @value{PRODUCT}
1139
@code{rsh} are discussed in the Reference section of this manual.
1140
(@pxref{rsh Reference})
1141
1142
@node rcp, ksu, rsh, Kerberos V5 Applications
1143
@subsection rcp
1144
1145
@need 1000
1146
The @value{PRODUCT} @code{rcp} program works exactly like the standard
1147
UNIX rcp program, with the following Kerberos features added:
1148
1149
@table @kbd
1150
@itemx -k @i{realm}
1151
requests tickets for the remote host in the specified realm, instead of
1152
determining the realm itself.
1153
1154
@itemx -x
1155
turns on encryption.
1156
@end table
1157
1158
1159
@need 1500
1160
For example, if you wanted to copy the file @code{/etc/motd} from the
1161
host @code{@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}} into the current
1162
directory, via an encrypted connection, you would simply type:
1163
1164
@smallexample
1165
@b{shell%} rcp -x @value{RANDOMHOST1}.@value{PRIMARYDOMAIN}:/etc/motd .
1166
@end smallexample
1167
1168
The @kbd{rcp} program negotiates authentication and encryption
1169
transparently. The full set of options to @value{PRODUCT} @code{rcp}
1170
are discussed in the Reference section of this manual. (@pxref{rcp
1171
Reference})
1172
1173
@node ksu, , rcp, Kerberos V5 Applications
1174
@subsection ksu
1175
1176
The @value{PRODUCT} @code{ksu} program replaces the standard UNIX su
1177
program. @code{ksu} first authenticates you to Kerberos. Depending on
1178
the configuration of your system, @code{ksu} may ask for your Kerberos
1179
password if authentication fails. @emph{Note that you should never type
1180
your password if you are remotely logged in using an unencrypted
1181
connection.}
1182
1183
Once @code{ksu} has authenticated you, if your Kerberos principal
1184
appears in the target's @code{.k5login} file (@pxref{Granting Access to
1185
Your Account}) or in the target's @code{.k5users} file (see below), it
1186
switches your user ID to the target user ID.
1187
1188
@need 2000
1189
For example, @code{@value{RANDOMUSER2}} has put
1190
@code{@value{RANDOMUSER1}}'s Kerberos principal in his @code{.k5login}
1191
file. If @code{@value{RANDOMUSER1}} uses @code{ksu} to become
1192
@code{@value{RANDOMUSER2}}, the exchange would look like this. (To
1193
differentiate between the two shells, @code{@value{RANDOMUSER1}}'s
1194
prompt is represented as @code{@value{RANDOMUSER1}%} and
1195
@code{@value{RANDOMUSER2}}'s prompt is represented as
1196
@code{@value{RANDOMUSER2}%}.)
1197
1198
@smallexample
1199
@group
1200
@b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2}
1201
@b{Account @value{RANDOMUSER2}: authorization for @value{RANDOMUSER1}@@@value{PRIMARYREALM} successful
1202
Changing uid to @value{RANDOMUSER2} (3382)
1203
@value{RANDOMUSER2}%}
1204
@end group
1205
@end smallexample
1206
1207
@noindent
1208
Note that the new shell has a copy of @code{@value{RANDOMUSER1}}'s
1209
tickets. The ticket filename contains @code{@value{RANDOMUSER2}}'s UID
1210
with @samp{.1} appended to it:
1211
1212
@smallexample
1213
@group
1214
@b{@value{RANDOMUSER2}%} klist
1215
@b{Ticket cache: /tmp/krb5cc_3382.1
1216
Default principal: @value{RANDOMUSER1}@@@value{PRIMARYREALM}
1217
1218
Valid starting Expires Service principal
1219
07/31/04 21:53:01 08/01/04 07:52:53 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
1220
07/31/04 21:53:39 08/01/04 07:52:53 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
1221
@value{RANDOMUSER2}%}
1222
@end group
1223
@end smallexample
1224
1225
@need 2500
1226
If @code{@value{RANDOMUSER1}} had not appeared in
1227
@code{@value{RANDOMUSER2}}'s @code{.k5login} file (and the system was
1228
configured to ask for a password), the exchange would have looked like
1229
this (assuming @code{@value{RANDOMUSER2}} has taken appropriate
1230
precautions in protecting his password):
1231
1232
@smallexample
1233
@group
1234
@b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2}
1235
@b{WARNING: Your password may be exposed if you enter it here and are logged
1236
in remotely using an unsecure (non-encrypted) channel.
1237
Kerberos password for @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{<- @code{@value{RANDOMUSER1}} types the wrong password here.}
1238
@b{ksu: Password incorrect
1239
Authentication failed.
1240
@value{RANDOMUSER1}%}
1241
@end group
1242
@end smallexample
1243
1244
Now, suppose @code{@value{RANDOMUSER2}} did not want to give
1245
@code{@value{RANDOMUSER1}} full access to his account, but wanted to
1246
give her permission to list his files and use the "more" command to view
1247
them. He could create a @code{.k5users} file giving her permission to
1248
run only those specific commands.
1249
1250
@need 3500
1251
The @code{.k5users} file is like the @code{.k5login} file, except that
1252
each principal is optionally followed by a list of commands. @code{ksu}
1253
will let those principals execute only the commands listed, using the
1254
@kbd{-e} option. @code{@value{RANDOMUSER2}}'s @code{.k5users} file
1255
might look like the following:
1256
1257
@smallexample
1258
@group
1259
@value{RANDOMUSER1}@@@value{PRIMARYREALM} /bin/ls /usr/bin/more
1260
@value{ADMINUSER}@@@value{PRIMARYREALM} /bin/ls
1261
@value{ADMINUSER}/admin@@@value{PRIMARYREALM} *
1262
@value{RANDOMUSER2}@@@value{SECONDREALM}
1263
@end group
1264
@end smallexample
1265
1266
@noindent The above @code{.k5users} file would let
1267
@code{@value{RANDOMUSER1}} run only the commands @code{/bin/ls} and
1268
@code{/usr/bin/more}. It would let @code{@value{ADMINUSER}} run only
1269
the command @code{/bin/ls} if he had regular tickets, but if he had
1270
tickets for his @code{admin} instance,
1271
@code{@value{ADMINUSER}/admin@@@value{PRIMARYREALM}}, he would be able
1272
to execute any command. The last line gives @code{@value{RANDOMUSER2}}
1273
in the realm @value{SECONDREALM} permission to execute any command.
1274
(@i{I.e.}, having only a Kerberos principal on a line is equivalent to
1275
giving that principal permission to execute @code{*}.) This is so that
1276
@value{RANDOMUSER2} can allow himself to execute commands when he logs
1277
in, using Kerberos, from a machine in the realm @value{SECONDREALM}.
1278
1279
@need 2500
1280
Then, when @code{@value{RANDOMUSER1}} wanted to list his home directory,
1281
she would type:
1282
1283
@smallexample
1284
@group
1285
@b{@value{RANDOMUSER1}%} ksu @value{RANDOMUSER2} -e ls ~@value{RANDOMUSER2}
1286
@b{Authenticated @value{RANDOMUSER1}@@@value{PRIMARYREALM}
1287
Account @value{RANDOMUSER2}: authorization for @value{RANDOMUSER1}@@@value{PRIMARYREALM} for execution of
1288
/bin/ls successful
1289
Changing uid to @value{RANDOMUSER2} (3382)
1290
Mail News Personal misc bin
1291
@value{RANDOMUSER1}%}
1292
@end group
1293
@end smallexample
1294
1295
@noindent If @code{@value{RANDOMUSER1}} had tried to give a different
1296
command to @code{ksu}, it would have prompted for a password as with the
1297
previous example.
1298
1299
Note that unless the @code{.k5users} file gives the target permission to
1300
run any command, the user must use @code{ksu} with the @kbd{-e}
1301
@i{command} option.
1302
1303
@need 1000
1304
The @code{ksu} options you are most likely to use are:
1305
1306
@table @kbd
1307
@itemx -n @i{principal}
1308
specifies which Kerberos principal you want to use for @code{ksu}.
1309
(@i{e.g.}, the user @code{@value{ADMINUSER}} might want to use his
1310
@code{admin} instance. @xref{What is a Ticket?}.)
1311
1312
@itemx -c
1313
specifies the location of your Kerberos credentials cache (ticket file).
1314
1315
@itemx -k
1316
tells @code{ksu} not to destroy your Kerberos tickets when @code{ksu} is
1317
finished.
1318
1319
@itemx -f
1320
requests forwardable tickets. (@xref{Obtaining Tickets with kinit}.) This
1321
is only applicable if @code{ksu} needs to obtain tickets.
1322
1323
@itemx -l @i{lifetime}
1324
sets the ticket lifetime. (@xref{Obtaining Tickets with kinit}.) This is
1325
only applicable if @code{ksu} needs to obtain tickets.
1326
1327
@itemx -z
1328
tells @code{ksu} to copy your Kerberos tickets only if the UID you are
1329
switching is the same as the Kerberos primary (either yours or the one
1330
specified by the @kbd{-n} option).
1331
1332
@itemx -Z
1333
tells @code{ksu} not to copy any Kerberos tickets to the new UID.
1334
1335
@itemx -e @i{command}
1336
tells @code{ksu} to execute @i{command} and then exit. See the
1337
description of the @code{.k5users} file above.
1338
1339
@itemx -a @i{text}
1340
(at the end of the command line) tells @code{ksu} to pass everything
1341
after @samp{-a} to the target shell.
1342
@end table
1343
1344
The full set of options to @value{PRODUCT} @code{ksu} are discussed
1345
in the Reference section of this manual. (@pxref{ksu Reference})
1346
1347
@node Kerberos V5 Reference, Kerberos Glossary, Kerberos V5 Tutorial, Top
1348
@chapter Kerberos V5 Reference
1349
1350
This section will include copies of the manual pages for the
1351
@value{PRODUCT} client programs. You can read the manual entry for any
1352
command by typing @code{man} @i{command}, where @i{command} is the name
1353
of the command for which you want to read the manual entry. For
1354
example, to read the @code{kinit} manual entry, you would type:
1355
1356
@smallexample
1357
@b{shell%} man kinit
1358
@end smallexample
1359
1360
Note: To be able to view the @value{PRODUCT} manual pages on line, you
1361
may need to add the directory @code{@value{ROOTDIR}/man} to your MANPATH
1362
environment variable. (Remember to replace @code{@value{ROOTDIR}} with
1363
the top-level directory in which @value{PRODUCT} is installed.) For
1364
example, if you had the the following line in your @code{.login}
1365
file@footnote{The MANPATH variable may be specified in a different
1366
initialization file, depending on your operating system. Some of the
1367
files in which you might specify environment variables include
1368
@code{.login}, @code{.profile}, or @code{.cshrc}.}:
1369
1370
@smallexample
1371
setenv MANPATH /usr/local/man:/usr/man
1372
@end smallexample
1373
1374
@noindent
1375
and the @value{PRODUCT} man pages were in the directory
1376
@code{/usr/@value{LCPRODUCT}/man}, you would change the line to the following:
1377
1378
@smallexample
1379
setenv MANPATH /usr/@value{LCPRODUCT}/man:/usr/local/man:/usr/man
1380
@end smallexample
1381
1382
@ifinfo
1383
Note to info users: the manual pages are not available within this info
1384
tree. You can read them from emacs with the command:
1385
1386
@smallexample
1387
M-x manual-entry @emph{command}
1388
@end smallexample
1389
@end ifinfo
1390
1391
@page
1392
1393
@menu
1394
* kinit Reference::
1395
* klist Reference::
1396
* ksu Reference::
1397
* kdestroy Reference::
1398
* kpasswd Reference::
1399
* telnet Reference::
1400
* FTP Reference::
1401
* rlogin Reference::
1402
* rsh Reference::
1403
* rcp Reference::
1404
@end menu
1405
1406
@node kinit Reference, klist Reference, Kerberos V5 Reference, Kerberos V5 Reference
1407
@section kinit Reference
1408
1409
@iftex
1410
@special{psfile=kinit1.ps voffset=-700 hoffset=-40}
1411
@centerline{Reference Manual for @code{kinit}}
1412
@page
1413
1414
@special{psfile=kinit2.ps voffset=-700 hoffset=-40}
1415
@centerline{Reference Manual for @code{kinit}}
1416
@page
1417
@end iftex
1418
1419
@ifinfo
1420
Type @kbd{M-x manual-entry kinit} to read this manual page.
1421
@end ifinfo
1422
1423
@ifhtml
1424
@html
1425
<a href="kinit.html"> kinit manpage</a>
1426
@end html
1427
@end ifhtml
1428
1429
@node klist Reference, ksu Reference, kinit Reference, Kerberos V5 Reference
1430
@section klist Reference
1431
1432
@iftex
1433
@special{psfile=klist1.ps voffset=-700 hoffset=-40}
1434
@centerline{Reference Manual for @code{klist}}
1435
@page
1436
@end iftex
1437
1438
@iftex
1439
@special{psfile=klist2.ps voffset=-700 hoffset=-40}
1440
@centerline{Reference Manual for @code{klist}}
1441
@page
1442
@end iftex
1443
1444
@ifinfo
1445
Type @kbd{M-x manual-entry klist} to read this manual page.
1446
@end ifinfo
1447
1448
@ifhtml
1449
@html
1450
<a href="klist.html"> klist manpage</a>
1451
@end html
1452
@end ifhtml
1453
1454
@node ksu Reference, kdestroy Reference, klist Reference, Kerberos V5 Reference
1455
@section ksu Reference
1456
1457
@iftex
1458
@special{psfile=ksu1.ps voffset=-700 hoffset=-40}
1459
@centerline{Reference Manual for @code{ksu}}
1460
@page
1461
1462
@special{psfile=ksu2.ps voffset=-700 hoffset=-40}
1463
@centerline{Reference Manual for @code{ksu}}
1464
@page
1465
1466
@special{psfile=ksu3.ps voffset=-700 hoffset=-40}
1467
@centerline{Reference Manual for @code{ksu}}
1468
@page
1469
1470
@special{psfile=ksu4.ps voffset=-700 hoffset=-40}
1471
@centerline{Reference Manual for @code{ksu}}
1472
@page
1473
1474
@special{psfile=ksu5.ps voffset=-700 hoffset=-40}
1475
@centerline{Reference Manual for @code{ksu}}
1476
@page
1477
@end iftex
1478
1479
@ifinfo
1480
Type @kbd{M-x manual-entry ksu} to read this manual page.
1481
@end ifinfo
1482
1483
@ifhtml
1484
@html
1485
<a href="ksu.html"> ksu manpage</a>
1486
@end html
1487
@end ifhtml
1488
1489
@node kdestroy Reference, kpasswd Reference, ksu Reference, Kerberos V5 Reference
1490
@section kdestroy Reference
1491
1492
@iftex
1493
@special{psfile=kdestroy1.ps voffset=-700 hoffset=-60}
1494
@centerline{Reference Manual for @code{kdestroy}}
1495
@page
1496
@end iftex
1497
1498
@ifinfo
1499
Type @kbd{M-x manual-entry kdestroy} to read this manual page.
1500
@end ifinfo
1501
1502
@ifhtml
1503
@html
1504
<a href="kdestroy.html"> kdestroy manpage</a>
1505
@end html
1506
@end ifhtml
1507
1508
@node kpasswd Reference, telnet Reference, kdestroy Reference, Kerberos V5 Reference
1509
@section kpasswd Reference
1510
1511
@iftex
1512
@special{psfile=kpasswd1.ps voffset=-700 hoffset=-40}
1513
@centerline{Reference Manual for @code{kpasswd}}
1514
@page
1515
@end iftex
1516
1517
@ifinfo
1518
Type @kbd{M-x manual-entry kpasswd} to read this manual page.
1519
@end ifinfo
1520
1521
@ifhtml
1522
@html
1523
<a href="kpasswd.html"> kpasswd manpage</a>
1524
@end html
1525
@end ifhtml
1526
1527
@node telnet Reference, FTP Reference, kpasswd Reference, Kerberos V5 Reference
1528
@section telnet Reference
1529
1530
@iftex
1531
@special{psfile=telnet1.ps voffset=-700 hoffset=-40}
1532
@centerline{Reference Manual for @code{telnet}}
1533
@page
1534
1535
@special{psfile=telnet2.ps voffset=-700 hoffset=-40}
1536
@centerline{Reference Manual for @code{telnet}}
1537
@page
1538
1539
@special{psfile=telnet3.ps voffset=-700 hoffset=-40}
1540
@centerline{Reference Manual for @code{telnet}}
1541
@page
1542
1543
@special{psfile=telnet4.ps voffset=-700 hoffset=-40}
1544
@centerline{Reference Manual for @code{telnet}}
1545
@page
1546
1547
@special{psfile=telnet5.ps voffset=-700 hoffset=-40}
1548
@centerline{Reference Manual for @code{telnet}}
1549
@page
1550
1551
@special{psfile=telnet6.ps voffset=-700 hoffset=-40}
1552
@centerline{Reference Manual for @code{telnet}}
1553
@page
1554
1555
@special{psfile=telnet7.ps voffset=-700 hoffset=-40}
1556
@centerline{Reference Manual for @code{telnet}}
1557
@page
1558
1559
@special{psfile=telnet8.ps voffset=-700 hoffset=-40}
1560
@centerline{Reference Manual for @code{telnet}}
1561
@page
1562
1563
@special{psfile=telnet9.ps voffset=-700 hoffset=-40}
1564
@centerline{Reference Manual for @code{telnet}}
1565
@page
1566
@end iftex
1567
1568
@ifinfo
1569
Type @kbd{M-x manual-entry telnet} to read this manual page.
1570
@end ifinfo
1571
1572
@ifhtml
1573
@html
1574
<a href="telnet.html"> telnet manpage</a>
1575
@end html
1576
@end ifhtml
1577
1578
@node FTP Reference, rlogin Reference, telnet Reference, Kerberos V5 Reference
1579
@section FTP Reference
1580
1581
@iftex
1582
@special{psfile=ftp1.ps voffset=-700 hoffset=-40}
1583
@centerline{Reference Manual for @code{FTP}}
1584
@page
1585
1586
@special{psfile=ftp2.ps voffset=-700 hoffset=-40}
1587
@centerline{Reference Manual for @code{FTP}}
1588
@page
1589
1590
@special{psfile=ftp3.ps voffset=-700 hoffset=-40}
1591
@centerline{Reference Manual for @code{FTP}}
1592
@page
1593
1594
@special{psfile=ftp4.ps voffset=-700 hoffset=-40}
1595
@centerline{Reference Manual for @code{FTP}}
1596
@page
1597
1598
@special{psfile=ftp5.ps voffset=-700 hoffset=-40}
1599
@centerline{Reference Manual for @code{FTP}}
1600
@page
1601
1602
@special{psfile=ftp6.ps voffset=-700 hoffset=-40}
1603
@centerline{Reference Manual for @code{FTP}}
1604
@page
1605
1606
@special{psfile=ftp7.ps voffset=-700 hoffset=-40}
1607
@centerline{Reference Manual for @code{FTP}}
1608
@page
1609
1610
@special{psfile=ftp8.ps voffset=-700 hoffset=-40}
1611
@centerline{Reference Manual for @code{FTP}}
1612
@page
1613
1614
@special{psfile=ftp9.ps voffset=-700 hoffset=-40}
1615
@centerline{Reference Manual for @code{FTP}}
1616
@page
1617
@end iftex
1618
1619
@ifinfo
1620
Type @kbd{M-x manual-entry FTP} to read this manual page.
1621
@end ifinfo
1622
1623
@ifhtml
1624
@html
1625
<a href="ftp.html"> ftp manpage</a>
1626
@end html
1627
@end ifhtml
1628
1629
@node rlogin Reference, rsh Reference, FTP Reference, Kerberos V5 Reference
1630
@section rlogin Reference
1631
1632
@iftex
1633
@special{psfile=rlogin1.ps voffset=-700 hoffset=-40}
1634
@centerline{Reference Manual for @code{rlogin}}
1635
@page
1636
1637
@special{psfile=rlogin2.ps voffset=-700 hoffset=-40}
1638
@centerline{Reference Manual for @code{rlogin}}
1639
@page
1640
@end iftex
1641
1642
@ifinfo
1643
Type @kbd{M-x manual-entry rlogin} to read this manual page.
1644
@end ifinfo
1645
1646
@ifhtml
1647
@html
1648
<a href="rlogin.html"> rlogin manpage</a>
1649
@end html
1650
@end ifhtml
1651
1652
@node rsh Reference, rcp Reference, rlogin Reference, Kerberos V5 Reference
1653
@section rsh Reference
1654
1655
@iftex
1656
@special{psfile=rsh1.ps voffset=-700 hoffset=-40}
1657
@centerline{Reference Manual for @code{rsh}}
1658
@page
1659
1660
@special{psfile=rsh2.ps voffset=-700 hoffset=-40}
1661
@centerline{Reference Manual for @code{rsh}}
1662
@page
1663
@end iftex
1664
1665
@ifinfo
1666
Type @kbd{M-x manual-entry rsh} to read this manual page.
1667
@end ifinfo
1668
1669
@ifhtml
1670
@html
1671
<a href="rsh.html"> rsh manpage</a>
1672
@end html
1673
@end ifhtml
1674
1675
@node rcp Reference, , rsh Reference, Kerberos V5 Reference
1676
@section rcp Reference
1677
1678
@iftex
1679
@special{psfile=rcp1.ps voffset=-700 hoffset=-40}
1680
@centerline{Reference Manual for @code{rcp}}
1681
@page
1682
@end iftex
1683
1684
@iftex
1685
@special{psfile=rcp2.ps voffset=-700 hoffset=-40}
1686
@centerline{Reference Manual for @code{rcp}}
1687
@page
1688
@end iftex
1689
1690
@ifinfo
1691
Type @kbd{M-x manual-entry rcp} to read this manual page.
1692
@end ifinfo
1693
1694
@ifhtml
1695
@html
1696
<a href="rcp.html"> rcp manpage</a>
1697
@end html
1698
@end ifhtml
1699
1700
@node Kerberos Glossary, Copyright, Kerberos V5 Reference, Top
1701
@appendix Kerberos Glossary
1702
1703
@include glossary.texinfo
1704
1705
@node Copyright, , Kerberos Glossary, Top
1706
@appendix Copyright
1707
1708
@include copyright.texinfo
1709
1710
@contents
1711
@bye
Loggerhead is a web-based interface for Breezy
Version: 2.0.1