source: archive/heimdal.xml@ e3167158

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts krejzi/svn lazarus lxqt nosym perl-modules plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition systemd-11177 systemd-13485 trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal
Last change on this file since e3167158 was 556a307a, checked in by Bruce Dubbs <bdubbs@…>, 12 years ago

Move files to archive

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@10188 af4574ff-66df-0310-9fd7-8a98e5e911e0
  • Property mode set to 100644
File size: 44.1 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY heimdal-download-http "http://www.h5l.org/dist/src/heimdal-&heimdal-version;.tar.gz">
8 <!ENTITY heimdal-download-ftp "ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-&heimdal-version;.tar.gz">
9 <!ENTITY heimdal-md5sum "31d08bbf47a77827fe97ef3f52b4c9c4">
10 <!ENTITY heimdal-size "6.0 MB">
11 <!ENTITY heimdal-buildsize "205 MB">
12 <!ENTITY heimdal-time "3.9 SBU (additional 2.3 SBU to run the test suite)">
13]>
14
15<sect1 id="heimdal" xreflabel="Heimdal-&heimdal-version;">
16 <?dbhtml filename="heimdal.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Heimdal-&heimdal-version;</title>
24
25 <indexterm zone="heimdal">
26 <primary sortas="a-Heimdal">Heimdal</primary>
27 </indexterm>
28
29 <sect2 role="package">
30 <title>Introduction to Heimdal</title>
31
32 <para><application>Heimdal</application> is a free implementation
33 of Kerberos 5 that aims to be compatible with MIT Kerberos 5 and is
34 backward compatible with Kerberos 4. Kerberos is a network authentication
35 protocol. Basically it preserves the integrity of passwords in any
36 untrusted network (like the Internet). Kerberized applications work
37 hand-in-hand with sites that support Kerberos to ensure that passwords
38 cannot be stolen or compromised. A Kerberos installation will make changes
39 to the authentication mechanisms on your network and will overwrite several
40 programs and daemons from the <application>Shadow</application>,
41 <application>Inetutils</application> and
42 <application>Qpopper</application> packages. See
43 <ulink url="&files-anduin;/heimdal-overwrites"/> for a complete list of
44 all the files and commands to rename each of them.</para>
45
46 <para>&lfssvn_checked;20101029&lfssvn_checked2;</para>
47
48 <bridgehead renderas="sect3">Package Information</bridgehead>
49 <itemizedlist spacing="compact">
50 <listitem>
51 <para>Download (HTTP): <ulink url="&heimdal-download-http;"/></para>
52 </listitem>
53 <listitem>
54 <para>Download (FTP): <ulink url="&heimdal-download-ftp;"/></para>
55 </listitem>
56 <listitem>
57 <para>Download MD5 sum: &heimdal-md5sum;</para>
58 </listitem>
59 <listitem>
60 <para>Download size: &heimdal-size;</para>
61 </listitem>
62 <listitem>
63 <para>Estimated disk space required: &heimdal-buildsize;</para>
64 </listitem>
65 <listitem>
66 <para>Estimated build time: &heimdal-time;</para>
67 </listitem>
68 </itemizedlist>
69
70 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
71 <itemizedlist spacing='compact'>
72 <listitem>
73 <para>Required Patch: <ulink
74 url="&patch-root;/heimdal-&heimdal-version;-otp_fixes-1.patch"/></para>
75 </listitem>
76 <!-- <listitem>
77 <para>Required Patch: <ulink
78 url="&patch-root;/heimdal-&heimdal-version;-libss-1.patch"/></para>
79 </listitem> -->
80 </itemizedlist>
81
82 <bridgehead renderas="sect3">Heimdal Dependencies</bridgehead>
83
84 <bridgehead renderas="sect4">Required to Build the Server-Side Tools</bridgehead>
85 <para role="required"><xref linkend="db"/></para>
86
87 <bridgehead renderas="sect4">Recommended</bridgehead>
88 <para role="recommended"><xref linkend="openssl"/></para>
89
90 <bridgehead renderas="sect4">Optional</bridgehead>
91 <para role="optional"><xref linkend="openldap"/>,
92 <xref linkend="sqlite"/>,
93 <xref linkend="x-window-system"/>,
94 <xref linkend="libcap2"/>, and
95 <ulink url="http://people.redhat.com/sgrubb/libcap-ng/">libcap-ng</ulink> (with this
96 <ulink url="&patch-root;/libcap-ng-0.6.4-2.6.36_kernel_fix-1.patch">patch</ulink>
97 if the Linux kernel version is &gt;=2.6.36)</para>
98
99 <note>
100 <para>Some sort of time synchronization facility on your system
101 (like <xref linkend="ntp"/>) is required since Kerberos won't
102 authenticate if the time differential between a kerberized client
103 and the KDC server is more than 5 minutes.</para>
104 </note>
105
106 <para condition="html" role="usernotes">User Notes:
107 <ulink url="&blfs-wiki;/heimdal"/></para>
108
109 </sect2>
110
111 <sect2 role="installation">
112 <title>Installation of Heimdal</title>
113
114 <warning>
115 <para>Ensure you really need a Kerberos installation before you decide
116 to install this package. Failure to install and configure the package
117 correctly can alter your system so that users cannot log in.</para>
118 </warning>
119
120 <para>Install <application>Heimdal</application> by running the following
121 commands:</para>
122
123<screen><userinput>patch -Np1 -i ../heimdal-&heimdal-version;-otp_fixes-1.patch &amp;&amp;
124sed -i 's|/var/heimdal|/var/lib/heimdal|' \
125 `grep -lr "/var/heimdal" doc kadmin kdc lib` &amp;&amp;
126
127./configure --prefix=/usr \
128 --sysconfdir=/etc/heimdal \
129 --libexecdir=/usr/sbin \
130 --localstatedir=/var/lib/heimdal \
131 --datadir=/var/lib/heimdal \
132 --with-hdbdir=/var/lib/heimdal \
133 --with-readline=/usr \
134 --enable-kcm &amp;&amp;
135make &amp;&amp;
136
137install -v -m755 -d doc/html &amp;&amp;
138make -C doc html &amp;&amp;
139mv -v doc/heimdal.html doc/html/heimdal &amp;&amp;
140mv -v doc/hx509.html doc/html/hx509 &amp;&amp;
141makeinfo --html --no-split -o doc/heimdal.html doc/heimdal.texi &amp;&amp;
142makeinfo --html --no-split -o doc/hx509.html doc/hx509.texi &amp;&amp;
143makeinfo --plaintext -o doc/heimdal.txt doc/heimdal.texi &amp;&amp;
144makeinfo --plaintext -o doc/hx509.txt doc/hx509.texi</userinput></screen>
145
146 <para>If you have <!--<xref linkend="tetex"/> or--> <xref linkend="texlive"/>
147 installed and wish to create PDF and Postscript forms of the documentation,
148 change into the <filename class='directory'>doc</filename> directory and
149 issue any or all of the following commands:</para>
150
151<screen><userinput>pushd doc &amp;&amp;
152texi2pdf heimdal.texi &amp;&amp;
153texi2dvi heimdal.texi &amp;&amp;
154dvips -o heimdal.ps heimdal.dvi &amp;&amp;
155texi2pdf hx509.texi &amp;&amp;
156texi2dvi hx509.texi &amp;&amp;
157dvips -o hx509.ps hx509.dvi &amp;&amp;
158popd</userinput></screen>
159
160 <para>To test the results, issue: <command>make -k check</command>. The
161 <command>check-iprop</command> test is known to fail but all others should
162 pass.</para>
163
164 <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
165
166<screen role="root"><userinput>make install &amp;&amp;
167
168install -v -m755 -d /usr/share/doc/heimdal-&heimdal-version; &amp;&amp;
169install -v -m644 doc/{heimdal,hx509}.{html,txt} \
170 doc/{init-creds,layman.asc} \
171 /usr/share/doc/heimdal-&heimdal-version; &amp;&amp;
172cp -v -R doc/html \
173 destdir/usr/share/doc/heimdal-&heimdal-version; &amp;&amp;
174
175mv -v /bin/login /bin/login.SHADOW &amp;&amp;
176mv -v /bin/su /bin/su.SHADOW &amp;&amp;
177mv -v /usr/bin/{login,su} /bin &amp;&amp;
178ln -v -sf ../../bin/login /usr/bin &amp;&amp;
179
180for LINK in \
181 lib{otp,kafs,krb5,hx509,sqlite3,asn1,roken,crypto,wind}; do
182 mv -v /usr/lib/${LINK}.so.* /lib &amp;&amp;
183 ln -v -sf ../../lib/$(readlink /usr/lib/${LINK}.so) \
184 /usr/lib/${LINK}.so
185done &amp;&amp;
186
187mv -v /usr/lib/$(readlink /usr/lib/libdb.so) \
188 /usr/lib/libdb-?.so \
189 /lib &amp;&amp;
190ln -v -sf ../../lib/$(readlink /usr/lib/libdb.so) \
191 /usr/lib/libdb.so &amp;&amp;
192
193ldconfig</userinput></screen>
194
195 <para>If you built any of the additional forms of documentation, install it
196 using the following commands as the
197 <systemitem class="username">root</systemitem> user:</para>
198
199<screen role="root"><userinput>install -v -m644 doc/{heimdal,hx509}.{dvi,ps,pdf} \
200 /usr/share/doc/heimdal-&heimdal-version;</userinput></screen>
201
202 <para>If you wish to use the <xref linkend="cracklib"/> library to enforce
203 strong passwords in the KDC database, issue the following commands as the
204 <systemitem class="username">root</systemitem> user:</para>
205
206<screen role="root"><userinput>sed -e 's|/usr/pkg|/usr|' \
207 -e 's|/usr/lib/cracklib_dict|/lib/cracklib/pw_dict|' \
208 -e 's|/var/heimdal|/var/lib/heimdal|' \
209 lib/kadm5/check-cracklib.pl \
210 > /bin/krb5-check-cracklib.pl &amp;&amp;
211
212chmod -v 755 /bin/krb5-check-cracklib.pl</userinput></screen>
213
214 </sect2>
215
216 <sect2 role="commands">
217 <title>Command Explanations</title>
218
219 <para><command>sed -i ... `grep -lr "/var/heimdal"
220 doc kadmin kdc lib`</command>: This command is used to change the
221 hard-coded references in the documentation files from
222 <filename class='directory'>/var/heimdal</filename> to the FHS compliant
223 <filename class='directory'>/var/lib/heimdal</filename> directory
224 name.</para>
225
226 <para><parameter>--libexecdir=/usr/sbin</parameter>: This switch causes
227 the daemon programs to be installed into
228 <filename class="directory">/usr/sbin</filename>.</para>
229
230 <tip>
231 <para>If you want to preserve all your existing
232 <application>Inetutils</application> package daemons, install the
233 <application>Heimdal</application> daemons into
234 <filename class="directory">/usr/sbin/heimdal</filename> (or wherever
235 you want). Since these programs will be called from
236 <command>(x)inetd</command> or <filename>rc</filename> scripts, it
237 really doesn't matter where they are installed, as long as they are
238 correctly specified in the <filename>/etc/(x)inetd.conf</filename> file
239 and <filename>rc</filename> scripts. If you choose something other than
240 <filename class="directory">/usr/sbin</filename>, you may want to move
241 some of the user programs (such as <command>kadmin</command>) to
242 <filename class="directory">/usr/sbin</filename> manually so they'll be
243 in the privileged user's default <envar>PATH</envar>.</para>
244 </tip>
245
246 <para><parameter>--localstatedir=/var/lib/heimdal</parameter>,
247 <parameter>--datadir=/var/lib/heimdal</parameter> and
248 <parameter>--with-hdbdir=/var/lib/heimdal</parameter>: These parameters
249 are used so that the KDC database and associated files will all reside
250 in <filename class='directory'>/var/lib/heimdal</filename>.</para>
251
252 <para><parameter>--with-readline=/usr</parameter>: This parameter must be
253 used so that the <command>configure</command> script properly locates the
254 installed <application>Readline</application> package.</para>
255
256 <para><parameter>--enable-kcm</parameter>: This parameter enables building
257 the Kerberos Credentials Manager.</para>
258
259 <para><option>--with-sqlite3=/usr</option>: This parameter must be
260 used so that the <command>configure</command> script properly locates the
261 installed <application>Sqlite3</application> package.</para>
262
263 <para><option>--with-openldap=/usr</option> and
264 <option>--enable-hdb-openldap-module</option>: These parameters must be
265 used so that the <command>configure</command> script properly locates the
266 installed <application>OpenLDAP</application> package in order to build the
267 module allowing an LDAP backend database.</para>
268
269 <para><command>mv ... ...SHADOW</command>, <command>mv ... /bin</command>
270 and <command> ln ... /usr/bin</command>: The <command>login</command>
271 and <command>su</command> programs installed by
272 <application>Heimdal</application> belong in the
273 <filename class="directory">/bin</filename> directory. The
274 <command>login</command> program is symlinked because
275 <application>Heimdal</application> is expecting to find it in
276 <filename class="directory">/usr/bin</filename>. The old executables from
277 the <application>Shadow</application> package are preserved before the move
278 so that they can be restored if you experience problems logging into the
279 system after the <application>Heimdal</application> package is installed
280 and configured.</para>
281
282 <para><command>for LINK in ...; do ...; done</command>,
283 <command>mv ... /lib</command> and
284 <command>ln ... /usr/lib/libdb.so</command>: The <command>login</command>
285 and <command>su</command> programs previously moved into the
286 <filename class='directory'>/lib</filename> directory link against
287 <application>Heimdal</application> libraries as well as libraries provided
288 by the <application>OpenSSL</application> and
289 <application>Berkeley DB</application> packages. These
290 libraries are also moved to <filename class="directory">/lib</filename>
291 so they are FHS compliant and also in case
292 <filename class="directory">/usr</filename> is located on a separate
293 partition which may not always be mounted.</para>
294
295 </sect2>
296
297 <sect2 role="configuration">
298 <title>Configuring Heimdal</title>
299
300 <sect3 id="heimdal-config">
301 <title>Config Files</title>
302
303 <para><filename>/etc/heimdal/*</filename></para>
304
305 <indexterm zone="heimdal heimdal-config">
306 <primary sortas="e-etc-heimdal">/etc/heimdal/*</primary>
307 </indexterm>
308
309 </sect3>
310
311 <sect3>
312 <title>Configuration Information</title>
313
314 <note>
315 <para>All the configuration steps shown below must be accomplished
316 by the <systemitem class='username'>root</systemitem> user unless
317 otherwise noted.</para>
318 </note>
319
320 <sect4>
321 <title>Master KDC Server Configuration</title>
322
323 <para>Many of the commands below use
324 <replaceable>&lt;replaceable&gt;</replaceable> tags to identify places
325 where you need to substitute information specific to your network.
326 Ensure you replace everything in these tags (there will be no angle
327 brackets when you are done) with your site-specific information.</para>
328
329 <para>Create the Kerberos configuration file with the following
330 commands:</para>
331
332<screen role="root"><userinput>install -v -m755 -d /etc/heimdal &amp;&amp;
333cat &gt; /etc/heimdal/krb5.conf &lt;&lt; "EOF" &amp;&amp;
334<literal># Begin /etc/heimdal/krb5.conf
335
336[libdefaults]
337 default_realm = <replaceable>&lt;EXAMPLE.COM&gt;</replaceable>
338 encrypt = true
339
340[realms]
341 <replaceable>&lt;EXAMPLE.COM&gt;</replaceable> = {
342 kdc = <replaceable>&lt;hostname.example.com&gt;</replaceable>
343 admin_server = <replaceable>&lt;hostname.example.com&gt;</replaceable>
344 kpasswd_server = <replaceable>&lt;hostname.example.com&gt;</replaceable>
345 }
346
347[domain_realm]
348 .<replaceable>&lt;example.com&gt;</replaceable> = <replaceable>&lt;EXAMPLE.COM&gt;</replaceable>
349
350[logging]
351 kdc = FILE:/var/log/kdc.log
352 admin_server = FILE:/var/log/kadmin.log
353 default = FILE:/var/log/krb.log
354
355# End /etc/heimdal/krb5.conf</literal>
356EOF
357chmod -v 644 /etc/heimdal/krb5.conf</userinput></screen>
358
359 <para>You will need to substitute your domain and proper hostname
360 for the occurrences of the <replaceable>&lt;hostname&gt;</replaceable>
361 and <replaceable>&lt;EXAMPLE.COM&gt;</replaceable> names.</para>
362
363 <para><option>default_realm</option> should be the name of your
364 domain changed to ALL CAPS. This isn't required, but both
365 <application>Heimdal</application> and <application>MIT
366 Kerberos</application> recommend it.</para>
367
368 <para><option>encrypt = true</option> provides encryption of all
369 traffic between kerberized clients and servers. It's not necessary
370 and can be left off. If you leave it off, you can encrypt all traffic
371 from the client to the server using a switch on the client program
372 instead. The <option>[realms]</option> parameters tell the client
373 programs where to look for the KDC authentication services. The
374 <option>[domain_realm]</option> section maps a domain
375 to a realm.</para>
376
377 <para>Store the master password in a key file using the following
378 commands:</para>
379
380<screen role="root"><userinput>install -v -m755 -d /var/lib/heimdal &amp;&amp;
381kstash</userinput></screen>
382
383 <para>Create the KDC database:</para>
384
385<screen role="root"><userinput>kadmin -l</userinput></screen>
386
387 <para>The commands below will prompt you for information about the
388 principles. Choose the defaults for now unless you know what you are
389 doing and need to specify different values. You can go in later and
390 change the defaults, should you feel the need. You may use the up and
391 down arrow keys to use the history feature of <command>kadmin</command>
392 in a similar manner as the <command>bash</command> history
393 feature.</para>
394
395 <para>At the <prompt>kadmin&gt;</prompt> prompt, issue the following
396 statement:</para>
397
398<screen role="root"><userinput>init <replaceable>&lt;EXAMPLE.COM&gt;</replaceable></userinput></screen>
399
400 <para>The database must now be populated with at least one principle
401 (user). For now, just use your regular login name or root. You may
402 create as few, or as many principles as you wish using the following
403 statement:</para>
404
405<screen role="root"><userinput>add <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>
406
407 <para>The KDC server and any machine running kerberized
408 server daemons must have a host key installed:</para>
409
410<screen role="root"><userinput>add --random-key host/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>
411
412 <para>After choosing the defaults when prompted, you will have to
413 export the data to a keytab file:</para>
414
415<screen role="root"><userinput>ext host/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>
416
417 <para>This should have created a file in
418 <filename class="directory">/etc/heimdal</filename> named
419 <filename>krb5.keytab</filename>. This file should have 600
420 (root rw only) permissions. Keeping the keytab file from public access
421 is crucial to the overall security of the Kerberos installation.</para>
422
423 <para>Eventually, you'll want to add server daemon principles to the
424 database and extract them to the keytab file. You do this in the same
425 way you created the host principles. Below is an example:</para>
426
427<screen role="root"><userinput>add --random-key ftp/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>
428
429 <para>(choose the defaults)</para>
430
431<screen role="root"><userinput>ext ftp/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>
432
433 <para>Exit the <command>kadmin</command> program (use
434 <command>quit</command> or <command>exit</command>) and return back
435 to the shell prompt. Start the KDC daemon manually, just to test out
436 the installation:</para>
437
438<screen role="root"><userinput>/usr/sbin/kdc &amp;</userinput></screen>
439
440 <para>Attempt to get a TGT (ticket granting ticket) with
441 the following command:</para>
442
443<screen><userinput>kinit <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>
444
445 <para>You will be prompted for the password you created. After you get
446 your ticket, you should list it with the following command:</para>
447
448<screen><userinput>klist</userinput></screen>
449
450 <para>Information about the ticket should be displayed on
451 the screen.</para>
452
453 <para>To test the functionality of the <filename>keytab</filename> file,
454 issue the following command:</para>
455
456<screen><userinput>ktutil list</userinput></screen>
457
458 <para>This should dump a list of the host principals, along with the
459 encryption methods used to access the principals.</para>
460
461 <para>At this point, if everything has been successful so far, you
462 can feel fairly confident in the installation, setup and configuration
463 of your new <application>Heimdal</application> Kerberos 5
464 installation.</para>
465
466 <para>If you wish to use the <xref linkend="cracklib"/> library to
467 enforce strong passwords in the KDC database, you must do two things.
468 First, add the following lines to the
469 <filename>/etc/heimdal/krb5.conf</filename> configuration file:</para>
470
471<screen><literal>[password_quality]
472 policies = builtin:external-check
473 external_program = /bin/krb5-check-cracklib.pl</literal></screen>
474
475 <para>Next you must install the
476 <application>Crypt::Cracklib</application>
477 <application>Perl</application> module. Download it from the CPAN
478 site. The URL at the time of this writing is <ulink
479 url="http://www.cpan.org/authors/id/D/DA/DANIEL/Crypt-Cracklib-1.5.tar.gz"/>.
480 After unpacking the tarball and changing into the newly created
481 directory, issue the following command to add the BLFS
482 <application>Cracklib</application> dictionary location to one of the
483 source files:</para>
484
485<screen><userinput>sed -i 's|pw_dict|&amp;\n\t\t/lib/cracklib/pw_dict|' Cracklib.pm</userinput></screen>
486
487 <para>Then use the standard <command>perl Makefile.PL</command>;
488 <command>make</command>; <command>make test</command>;
489 <command>make install</command> commands.</para>
490
491 <para id="heimdal-init">Install the
492 <filename>/etc/rc.d/init.d/heimdal</filename> init script included
493 in the <xref linkend="bootscripts"/> package:</para>
494
495 <indexterm zone="heimdal heimdal-init">
496 <primary sortas="f-heimdal">heimdal</primary>
497 </indexterm>
498
499<screen role="root"><userinput>make install-heimdal</userinput></screen>
500
501 </sect4>
502
503 <sect4>
504 <title>Using Kerberized Client Programs</title>
505
506 <para>To use the kerberized client programs (<command>telnet</command>,
507 <command>ftp</command>, <command>rsh</command>,
508 <command>rxterm</command>, <command>rxtelnet</command>,
509 <command>rcp</command>, <command>xnlock</command>), you first must get
510 a TGT. Use the <command>kinit</command> program to get the ticket.
511 After you've acquired the ticket, you can use the kerberized programs
512 to connect to any kerberized server on the network. You will not be
513 prompted for authentication until your ticket expires (default is one
514 day), unless you specify a different user as a command line argument
515 to the program.</para>
516
517 <para>The kerberized programs will connect to non-kerberized daemons,
518 warning you that authentication is not encrypted.</para>
519
520 <para>In order to use the <application>Heimdal</application>
521 <application>X</application> programs, you'll need to add a service
522 port entry to the <filename>/etc/services</filename> file for the
523 <command>kxd</command> server. There is no 'standardized port number'
524 for the 'kx' service in the IANA database, so you'll have to pick an
525 unused port number. Add an entry to the <filename>services</filename>
526 file similar to the entry below (substitute your chosen port number
527 for <replaceable>&lt;49150&gt;</replaceable>):</para>
528
529<screen><literal>kx <replaceable>&lt;49150&gt;</replaceable>/tcp # Heimdal kerberos X
530kx <replaceable>&lt;49150&gt;</replaceable>/udp # Heimdal kerberos X</literal></screen>
531
532 <para>For additional information consult <ulink
533 url="&hints-root;/downloads/files/heimdal.txt">the
534 Heimdal hint</ulink> on which the above instructions are based.</para>
535
536 </sect4>
537
538 </sect3>
539
540 </sect2>
541
542 <sect2 role="content">
543 <title>Contents</title>
544
545 <segmentedlist>
546 <segtitle>Installed Programs</segtitle>
547 <segtitle>Installed Libraries</segtitle>
548 <segtitle>Installed Directories</segtitle>
549
550 <seglistitem>
551 <seg>afslog, ftp, ftpd, gss, hprop, hpropd, hxtool, iprop-log,
552 ipropd-master, ipropd-slave, kadmin, kadmind, kauth, kcm, kdc,
553 kdestroy, kdigest, kf, kfd, kgetcred, kimpersonate, kinit, klist,
554 kpasswd, kpasswdd, krb5-check-cracklib.pl, krb5-config, kstash,
555 ktutil, kx, kxd, login, mk_cmds-krb5, otp, otpprint, pagsh, pfrom,
556 popper, push, rcp, rsh, rshd, rxtelnet, rxterm, string2key, su,
557 telnet, telnetd, tenletxr, verify_krb5_conf and xnlock</seg>
558
559 <seg>hdb_ldap.{so,a}, libasn1.{so,a},
560 libgssapi.{so,a}, libhdb.{so,a}, libheimntlm.{so,a}, libhx509.{so,a},
561 libkadm5clnt.{so,a}, libkadm5srv.{so,a}, libkafs.{so,a},
562 libkdc.{so,a}, libkrb5.{so,a}, libotp.{so,a}, libroken.{so,a},
563 libsl.{so,a}, libss-krb5.{so,a} and wind.{so,a}</seg>
564
565 <seg>/etc/heimdal, /usr/include/gssapi, /usr/include/kadm5,
566 /usr/include/krb5, /usr/include/roken,
567 /usr/share/doc/heimdal-&heimdal-version; and /var/lib/heimdal</seg>
568 </seglistitem>
569 </segmentedlist>
570
571 <variablelist>
572 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
573 <?dbfo list-presentation="list"?>
574 <?dbhtml list-presentation="table"?>
575
576 <varlistentry id="afslog">
577 <term><command>afslog</command></term>
578 <listitem>
579 <para>obtains AFS tokens for a number of cells.</para>
580 <indexterm zone="heimdal afslog">
581 <primary sortas="b-afslog">afslog</primary>
582 </indexterm>
583 </listitem>
584 </varlistentry>
585
586 <varlistentry id="ftp">
587 <term><command>ftp</command></term>
588 <listitem>
589 <para>is a kerberized FTP client.</para>
590 <indexterm zone="heimdal ftp">
591 <primary sortas="b-ftp">ftp</primary>
592 </indexterm>
593 </listitem>
594 </varlistentry>
595
596 <varlistentry id="ftpd">
597 <term><command>ftpd</command></term>
598 <listitem>
599 <para>is a kerberized FTP daemon.</para>
600 <indexterm zone="heimdal ftpd">
601 <primary sortas="b-ftpd">ftpd</primary>
602 </indexterm>
603 </listitem>
604 </varlistentry>
605
606 <varlistentry id="hprop">
607 <term><command>hprop</command></term>
608 <listitem>
609 <para> takes a principal database in a specified format and converts
610 it into a stream of <application>Heimdal</application> database
611 records.</para>
612 <indexterm zone="heimdal hprop">
613 <primary sortas="b-hprop">hprop</primary>
614 </indexterm>
615 </listitem>
616 </varlistentry>
617
618 <varlistentry id="hpropd">
619 <term><command>hpropd</command></term>
620 <listitem>
621 <para>is a server that receives a database sent by
622 <command>hprop</command> and writes it as a local database.</para>
623 <indexterm zone="heimdal hpropd">
624 <primary sortas="b-hpropd">hpropd</primary>
625 </indexterm>
626 </listitem>
627 </varlistentry>
628
629 <varlistentry id="iprop-log">
630 <term><command>iprop-log</command></term>
631 <listitem>
632 <para>is used to maintain the iprop log file.</para>
633 <indexterm zone="heimdal iprop-log">
634 <primary sortas="b-iprop-log">iprop-log</primary>
635 </indexterm>
636 </listitem>
637 </varlistentry>
638
639 <varlistentry id="ipropd-master">
640 <term><command>ipropd-master</command></term>
641 <listitem>
642 <para>is a daemon which runs on the master KDC
643 server which incrementally propagates changes to the KDC
644 database to the slave KDC servers.</para>
645 <indexterm zone="heimdal ipropd-master">
646 <primary sortas="b-ipropd-master">ipropd-master</primary>
647 </indexterm>
648 </listitem>
649 </varlistentry>
650
651 <varlistentry id="ipropd-slave">
652 <term><command>ipropd-slave</command></term>
653 <listitem>
654 <para>is a daemon which runs on the slave KDC
655 servers which incrementally propagates changes to the KDC
656 database from the master KDC server.</para>
657 <indexterm zone="heimdal ipropd-slave">
658 <primary sortas="b-ipropd-slave">ipropd-slave</primary>
659 </indexterm>
660 </listitem>
661 </varlistentry>
662
663 <varlistentry id="kadmin">
664 <term><command>kadmin</command></term>
665 <listitem>
666 <para>is a utility used to make modifications to the Kerberos
667 database.</para>
668 <indexterm zone="heimdal kadmin">
669 <primary sortas="b-kadmin">kadmin</primary>
670 </indexterm>
671 </listitem>
672 </varlistentry>
673
674 <varlistentry id="kadmind">
675 <term><command>kadmind</command></term>
676 <listitem>
677 <para>is a server for administrative access to the Kerberos
678 database.</para>
679 <indexterm zone="heimdal kadmind">
680 <primary sortas="b-kadmind">kadmind</primary>
681 </indexterm>
682 </listitem>
683 </varlistentry>
684
685 <varlistentry id="kauth">
686 <term><command>kauth</command></term>
687 <listitem>
688 <para>is a symbolic link to the <command>kinit</command>
689 program.</para>
690 <indexterm zone="heimdal kauth">
691 <primary sortas="g-kauth">kauth</primary>
692 </indexterm>
693 </listitem>
694 </varlistentry>
695
696 <varlistentry id="kcm">
697 <term><command>kcm</command></term>
698 <listitem>
699 <para>is a process based credential cache for Kerberos
700 tickets.</para>
701 <indexterm zone="heimdal kcm">
702 <primary sortas="b-kcm">kcm</primary>
703 </indexterm>
704 </listitem>
705 </varlistentry>
706
707 <varlistentry id="kdc">
708 <term><command>kdc</command></term>
709 <listitem>
710 <para>is a Kerberos 5 server.</para>
711 <indexterm zone="heimdal kdc">
712 <primary sortas="b-kdc">kdc</primary>
713 </indexterm>
714 </listitem>
715 </varlistentry>
716
717 <varlistentry id="kdestroy">
718 <term><command>kdestroy</command></term>
719 <listitem>
720 <para>removes a principle's current set of tickets.</para>
721 <indexterm zone="heimdal kdestroy">
722 <primary sortas="b-kdestroy">kdestroy</primary>
723 </indexterm>
724 </listitem>
725 </varlistentry>
726
727 <varlistentry id="kf">
728 <term><command>kf</command></term>
729 <listitem>
730 <para>is a program which forwards tickets to a remote host through
731 an authenticated and encrypted stream.</para>
732 <indexterm zone="heimdal kf">
733 <primary sortas="b-kf">kf</primary>
734 </indexterm>
735 </listitem>
736 </varlistentry>
737
738 <varlistentry id="kfd">
739 <term><command>kfd</command></term>
740 <listitem>
741 <para>is a server used to receive forwarded tickets.</para>
742 <indexterm zone="heimdal kfd">
743 <primary sortas="b-kfd">kfd</primary>
744 </indexterm>
745 </listitem>
746 </varlistentry>
747
748 <varlistentry id="kgetcred">
749 <term><command>kgetcred</command></term>
750 <listitem>
751 <para>obtains a ticket for a service.</para>
752 <indexterm zone="heimdal kgetcred">
753 <primary sortas="b-kgetcred">kgetcred</primary>
754 </indexterm>
755 </listitem>
756 </varlistentry>
757
758 <varlistentry id="kinit">
759 <term><command>kinit</command></term>
760 <listitem>
761 <para>is used to authenticate to the Kerberos server as a principal
762 and acquire a ticket granting ticket that can later be used to obtain
763 tickets for other services.</para>
764 <indexterm zone="heimdal kinit">
765 <primary sortas="b-kinit">kinit</primary>
766 </indexterm>
767 </listitem>
768 </varlistentry>
769
770 <varlistentry id="klist">
771 <term><command>klist</command></term>
772 <listitem>
773 <para>reads and displays the current tickets in the credential
774 cache.</para>
775 <indexterm zone="heimdal klist">
776 <primary sortas="b-klist">klist</primary>
777 </indexterm>
778 </listitem>
779 </varlistentry>
780
781 <varlistentry id="kpasswd">
782 <term><command>kpasswd</command></term>
783 <listitem>
784 <para>is a program for changing Kerberos 5 passwords.</para>
785 <indexterm zone="heimdal kpasswd">
786 <primary sortas="b-kpasswd">kpasswd</primary>
787 </indexterm>
788 </listitem>
789 </varlistentry>
790
791 <varlistentry id="kpasswdd">
792 <term><command>kpasswdd</command></term>
793 <listitem>
794 <para>is a Kerberos 5 password changing server.</para>
795 <indexterm zone="heimdal kpasswdd">
796 <primary sortas="b-kpasswdd">kpasswdd</primary>
797 </indexterm>
798 </listitem>
799 </varlistentry>
800
801 <varlistentry id="krb5-config-prog">
802 <term><command>krb5-config</command></term>
803 <listitem>
804 <para>gives information on how to link programs against
805 <application>Heimdal</application> libraries.</para>
806 <indexterm zone="heimdal krb5-config-prog">
807 <primary sortas="b-krb5-config">krb5-config</primary>
808 </indexterm>
809 </listitem>
810 </varlistentry>
811
812 <varlistentry id="kstash">
813 <term><command>kstash</command></term>
814 <listitem>
815 <para>stores the KDC master password in a file.</para>
816 <indexterm zone="heimdal kstash">
817 <primary sortas="b-kstash">kstash</primary>
818 </indexterm>
819 </listitem>
820 </varlistentry>
821
822 <varlistentry id="ktutil">
823 <term><command>ktutil</command></term>
824 <listitem>
825 <para>is a program for managing Kerberos keytabs.</para>
826 <indexterm zone="heimdal ktutil">
827 <primary sortas="b-ktutil">ktutil</primary>
828 </indexterm>
829 </listitem>
830 </varlistentry>
831
832 <varlistentry id="kx">
833 <term><command>kx</command></term>
834 <listitem>
835 <para>is a program which securely forwards
836 <application>X</application> connections.</para>
837 <indexterm zone="heimdal kx">
838 <primary sortas="b-kx">kx</primary>
839 </indexterm>
840 </listitem>
841 </varlistentry>
842
843 <varlistentry id="kxd">
844 <term><command>kxd</command></term>
845 <listitem>
846 <para>is the daemon for <command>kx</command>.</para>
847 <indexterm zone="heimdal kxd">
848 <primary sortas="b-kxd">kxd</primary>
849 </indexterm>
850 </listitem>
851 </varlistentry>
852
853 <varlistentry id="login">
854 <term><command>login</command></term>
855 <listitem>
856 <para>is a kerberized login program.</para>
857 <indexterm zone="heimdal login">
858 <primary sortas="b-login">login</primary>
859 </indexterm>
860 </listitem>
861 </varlistentry>
862
863 <varlistentry id="otp">
864 <term><command>otp</command></term>
865 <listitem>
866 <para>manages one-time passwords.</para>
867 <indexterm zone="heimdal otp">
868 <primary sortas="b-otp">otp</primary>
869 </indexterm>
870 </listitem>
871 </varlistentry>
872
873 <varlistentry id="otpprint">
874 <term><command>otpprint</command></term>
875 <listitem>
876 <para>prints lists of one-time passwords.</para>
877 <indexterm zone="heimdal otpprint">
878 <primary sortas="b-otpprint">otpprint</primary>
879 </indexterm>
880 </listitem>
881 </varlistentry>
882
883 <varlistentry id="pfrom">
884 <term><command>pfrom</command></term>
885 <listitem>
886 <para>is a script that runs <command>push --from</command>.</para>
887 <indexterm zone="heimdal pfrom">
888 <primary sortas="b-pfrom">pfrom</primary>
889 </indexterm>
890 </listitem>
891 </varlistentry>
892
893 <varlistentry id="popper">
894 <term><command>popper</command></term>
895 <listitem>
896 <para>is a kerberized POP-3 server.</para>
897 <indexterm zone="heimdal popper">
898 <primary sortas="b-popper">popper</primary>
899 </indexterm>
900 </listitem>
901 </varlistentry>
902
903 <varlistentry id="push">
904 <term><command>push</command></term>
905 <listitem>
906 <para>is a kerberized POP mail retrieval client.</para>
907 <indexterm zone="heimdal push">
908 <primary sortas="b-push">push</primary>
909 </indexterm>
910 </listitem>
911 </varlistentry>
912
913 <varlistentry id="rcp">
914 <term><command>rcp</command></term>
915 <listitem>
916 <para>is a kerberized rcp client program.</para>
917 <indexterm zone="heimdal rcp">
918 <primary sortas="b-rcp">rcp</primary>
919 </indexterm>
920 </listitem>
921 </varlistentry>
922
923 <varlistentry id="rsh">
924 <term><command>rsh</command></term>
925 <listitem>
926 <para>is a kerberized rsh client program.</para>
927 <indexterm zone="heimdal rsh">
928 <primary sortas="b-rsh">rsh</primary>
929 </indexterm>
930 </listitem>
931 </varlistentry>
932
933 <varlistentry id="rshd">
934 <term><command>rshd</command></term>
935 <listitem>
936 <para>is a kerberized rsh server.</para>
937 <indexterm zone="heimdal rshd">
938 <primary sortas="b-rshd">rshd</primary>
939 </indexterm>
940 </listitem>
941 </varlistentry>
942
943 <varlistentry id="rxtelnet">
944 <term><command>rxtelnet</command></term>
945 <listitem>
946 <para>starts a secure <command>xterm</command> window with a
947 <command>telnet</command> to a given host and forwards
948 <application>X</application> connections.</para>
949 <indexterm zone="heimdal rxtelnet">
950 <primary sortas="b-rxtelnet">rxtelnet</primary>
951 </indexterm>
952 </listitem>
953 </varlistentry>
954
955 <varlistentry id="rxterm">
956 <term><command>rxterm</command></term>
957 <listitem>
958 <para>starts a secure remote <command>xterm</command>.</para>
959 <indexterm zone="heimdal rxterm">
960 <primary sortas="b-rxterm">rxterm</primary>
961 </indexterm>
962 </listitem>
963 </varlistentry>
964
965 <varlistentry id="string2key">
966 <term><command>string2key</command></term>
967 <listitem>
968 <para>maps a password into a key.</para>
969 <indexterm zone="heimdal string2key">
970 <primary sortas="b-string2key">string2key</primary>
971 </indexterm>
972 </listitem>
973 </varlistentry>
974
975 <varlistentry id="su">
976 <term><command>su</command></term>
977 <listitem>
978 <para>is a kerberized su client program.</para>
979 <indexterm zone="heimdal su">
980 <primary sortas="b-su">su</primary>
981 </indexterm>
982 </listitem>
983 </varlistentry>
984
985 <varlistentry id="telnet">
986 <term><command>telnet</command></term>
987 <listitem>
988 <para>is a kerberized telnet client program.</para>
989 <indexterm zone="heimdal telnet">
990 <primary sortas="b-telnet">telnet</primary>
991 </indexterm>
992 </listitem>
993 </varlistentry>
994
995 <varlistentry id="telnetd">
996 <term><command>telnetd</command></term>
997 <listitem>
998 <para>is a kerberized telnet server.</para>
999 <indexterm zone="heimdal telnetd">
1000 <primary sortas="b-telnetd">telnetd</primary>
1001 </indexterm>
1002 </listitem>
1003 </varlistentry>
1004
1005 <varlistentry id="tenletxr">
1006 <term><command>tenletxr</command></term>
1007 <listitem>
1008 <para>forwards <application>X</application> connections
1009 backwards.</para>
1010 <indexterm zone="heimdal tenletxr">
1011 <primary sortas="b-tenletxr">tenletxr</primary>
1012 </indexterm>
1013 </listitem>
1014 </varlistentry>
1015
1016 <varlistentry id="verify_krb5_conf">
1017 <term><command>verify_krb5_conf</command></term>
1018 <listitem>
1019 <para>checks <filename>krb5.conf</filename> file for obvious
1020 errors.</para>
1021 <indexterm zone="heimdal verify_krb5_conf">
1022 <primary sortas="b-verify_krb5_conf">verify_krb5_conf</primary>
1023 </indexterm>
1024 </listitem>
1025 </varlistentry>
1026
1027 <varlistentry id="xnlock">
1028 <term><command>xnlock</command></term>
1029 <listitem>
1030 <para>is a program that acts as a secure screen saver for
1031 workstations running <application>X</application>.</para>
1032 <indexterm zone="heimdal xnlock">
1033 <primary sortas="b-xnlock">xnlock</primary>
1034 </indexterm>
1035 </listitem>
1036 </varlistentry>
1037
1038 <varlistentry id="libasn1">
1039 <term><filename class='libraryfile'>libasn1.{so,a}</filename></term>
1040 <listitem>
1041 <para>provides the ASN.1 and DER functions to encode and decode
1042 the Kerberos TGTs.</para>
1043 <indexterm zone="heimdal libasn1">
1044 <primary sortas="c-libasn1">libasn1.{so,a}</primary>
1045 </indexterm>
1046 </listitem>
1047 </varlistentry>
1048
1049 <varlistentry id="libgssapi">
1050 <term><filename class='libraryfile'>libgssapi.{so,a}</filename></term>
1051 <listitem>
1052 <para>contain the Generic Security Service Application Programming
1053 Interface (GSSAPI) functions which provides security
1054 services to callers in a generic fashion, supportable with a range of
1055 underlying mechanisms and technologies and hence allowing source-level
1056 portability of applications to different environments.</para>
1057 <indexterm zone="heimdal libgssapi">
1058 <primary sortas="c-libgssapi">libgssapi.{so,a}</primary>
1059 </indexterm>
1060 </listitem>
1061 </varlistentry>
1062
1063 <varlistentry id="libhdb">
1064 <term><filename class='libraryfile'>libhdb.{so,a}</filename></term>
1065 <listitem>
1066 <para>is a <application>Heimdal</application> Kerberos 5
1067 authentication/authorization database access library.</para>
1068 <indexterm zone="heimdal libhdb">
1069 <primary sortas="c-libhdb">libhdb.{so,a}</primary>
1070 </indexterm>
1071 </listitem>
1072 </varlistentry>
1073
1074 <varlistentry id="libkadm5clnt">
1075 <term><filename class='libraryfile'>libkadm5clnt.{so,a}</filename></term>
1076 <listitem>
1077 <para>contains the administrative authentication and password
1078 checking functions required by Kerberos 5 client-side programs.</para>
1079 <indexterm zone="heimdal libkadm5clnt">
1080 <primary sortas="c-libkadm5clnt">libkadm5clnt.{so,a}</primary>
1081 </indexterm>
1082 </listitem>
1083 </varlistentry>
1084
1085 <varlistentry id="libkadm5srv">
1086 <term><filename class='libraryfile'>libkadm5srv.{so,a}</filename></term>
1087 <listitem>
1088 <para>contain the administrative authentication and password
1089 checking functions required by Kerberos 5 servers.</para>
1090 <indexterm zone="heimdal libkadm5srv">
1091 <primary sortas="c-libkadm5srv">libkadm5srv.{so,a}</primary>
1092 </indexterm>
1093 </listitem>
1094 </varlistentry>
1095
1096 <varlistentry id="libkafs">
1097 <term><filename class='libraryfile'>libkafs.{so,a}</filename></term>
1098 <listitem>
1099 <para>contains the functions required to authenticated to AFS.</para>
1100 <indexterm zone="heimdal libkafs">
1101 <primary sortas="c-libkafs">libkafs.{so,a}</primary>
1102 </indexterm>
1103 </listitem>
1104 </varlistentry>
1105
1106 <varlistentry id="libkrb5">
1107 <term><filename class='libraryfile'>libkrb5.{so,a}</filename></term>
1108 <listitem>
1109 <para>is an all-purpose Kerberos 5 library.</para>
1110 <indexterm zone="heimdal libkrb5">
1111 <primary sortas="c-libkrb5">libkrb5.{so,a}</primary>
1112 </indexterm>
1113 </listitem>
1114 </varlistentry>
1115
1116 <varlistentry id="libotp">
1117 <term><filename class='libraryfile'>libotp.{so,a}</filename></term>
1118 <listitem>
1119 <para>contains the functions required to handle authenticating
1120 one time passwords.</para>
1121 <indexterm zone="heimdal libotp">
1122 <primary sortas="c-libotp">libotp.{so,a}</primary>
1123 </indexterm>
1124 </listitem>
1125 </varlistentry>
1126
1127 <varlistentry id="libroken">
1128 <term><filename class='libraryfile'>libroken.{so,a}</filename></term>
1129 <listitem>
1130 <para>is a library containing Kerberos 5 compatibility
1131 functions.</para>
1132 <indexterm zone="heimdal libroken">
1133 <primary sortas="c-libroken">libroken.{so,a}</primary>
1134 </indexterm>
1135 </listitem>
1136 </varlistentry>
1137
1138 </variablelist>
1139
1140 </sect2>
1141
1142</sect1>
Note: See TracBrowser for help on using the repository browser.