source: postlfs/security/heimdal.xml@ 2e3e271

Last change on this file since 2e3e271 was 2e3e271, checked in by Randy McMurchy <randy@…>, 16 years ago

Updated to Heimdal-1.1; removed the Heimdal-Cracklib patches from both packages as Heimdal has been converted to use Cracklib differently; created a patch to change the names of some installed files so they don't conflict with the E2fsprogs package

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@7295 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 44.8 KB
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY heimdal-download-http "http://www.h5l.org/dist/src/heimdal-&heimdal-version;.tar.gz">
8 <!ENTITY heimdal-download-ftp "ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-&heimdal-version;.tar.gz">
9 <!ENTITY heimdal-md5sum "7892e97b346534cc9afeeee461fe3bab">
10 <!ENTITY heimdal-size "3.6 MB">
11 <!ENTITY heimdal-buildsize "136 MB">
12 <!ENTITY heimdal-time "4.0 SBU (additional 1.5 SBU to run the test suite)">
13]>
14
15<sect1 id="heimdal" xreflabel="Heimdal-&heimdal-version;">
16 <?dbhtml filename="heimdal.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Heimdal-&heimdal-version;</title>
24
25 <indexterm zone="heimdal">
26 <primary sortas="a-Heimdal">Heimdal</primary>
27 </indexterm>
28
29 <sect2 role="package">
30 <title>Introduction to Heimdal</title>
31
32 <para><application>Heimdal</application> is a free implementation
33 of Kerberos 5 that aims to be compatible with MIT Kerberos 5 and is
34 backward compatible with Kerberos 4. Kerberos is a network authentication
35 protocol. Basically it preserves the integrity of passwords in any
36 untrusted network (like the Internet). Kerberized applications work
37 hand-in-hand with sites that support Kerberos to ensure that passwords
38 cannot be stolen or compromised. A Kerberos installation will make changes
39 to the authentication mechanisms on your network and will overwrite several
40 programs and daemons from the <application>Shadow</application>,
41 <application>Inetutils</application> and
42 <application>Qpopper</application> packages. See
43 <ulink url="&files-anduin;/heimdal-overwrites"/> for a complete list of
44 all the files and commands to rename each of them.</para>
45
46 <bridgehead renderas="sect3">Package Information</bridgehead>
47 <itemizedlist spacing="compact">
48 <listitem>
49 <para>Download (HTTP): <ulink url="&heimdal-download-http;"/></para>
50 </listitem>
51 <listitem>
52 <para>Download (FTP): <ulink url="&heimdal-download-ftp;"/></para>
53 </listitem>
54 <listitem>
55 <para>Download MD5 sum: &heimdal-md5sum;</para>
56 </listitem>
57 <listitem>
58 <para>Download size: &heimdal-size;</para>
59 </listitem>
60 <listitem>
61 <para>Estimated disk space required: &heimdal-buildsize;</para>
62 </listitem>
63 <listitem>
64 <para>Estimated build time: &heimdal-time;</para>
65 </listitem>
66 </itemizedlist>
67
68 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
69 <itemizedlist spacing='compact'>
70 <listitem>
71 <para>Required Patch: <ulink
72 url="&patch-root;/heimdal-&heimdal-version;-blfs_docs-1.patch"/></para>
73 </listitem>
74 <listitem>
75 <para>Required Patch: <ulink
76 url="&patch-root;/heimdal-&heimdal-version;-libss-1.patch"/></para>
77 </listitem>
78 </itemizedlist>
79
80 <bridgehead renderas="sect3">Heimdal Dependencies</bridgehead>
81
82 <bridgehead renderas="sect4">Required to Build the Server-Side Tools</bridgehead>
83 <para role="required">
84 <!-- <xref linkend="db"/> -->
85 <xref linkend="db"/> is recommended (installed in LFS)
86 or <xref linkend="gdbm"/></para>
87
88 <bridgehead renderas="sect4">Recommended</bridgehead>
89 <para role="recommended"><xref linkend="openssl"/></para>
90
91 <bridgehead renderas="sect4">Optional</bridgehead>
92 <para role="optional"><xref linkend="linux-pam"/>,
93 <xref linkend="openldap"/>,
94 <xref linkend="x-window-system"/>, and
95 <ulink url="http://packages.debian.org/stable/source/libcap">libcap</ulink></para>
96
97 <note>
98 <para>Some sort of time synchronization facility on your system
99 (like <xref linkend="ntp"/>) is required since Kerberos won't
100 authenticate if the time differential between a kerberized client
101 and the KDC server is more than 5 minutes.</para>
102 </note>
103
104 <para condition="html" role="usernotes">User Notes:
105 <ulink url="&blfs-wiki;/heimdal"/></para>
106
107 </sect2>
108
109 <sect2 role="installation">
110 <title>Installation of Heimdal</title>
111
112 <warning>
113 <para>Ensure you really need a Kerberos installation before you decide
114 to install this package. Failure to install and configure the package
115 correctly can alter your system so that users cannot log in.</para>
116 </warning>
117
118 <para>Install <application>Heimdal</application> by running the following
119 commands:</para>
120
121<screen><userinput>./configure --prefix=/usr \
122 --sysconfdir=/etc/heimdal \
123 --libexecdir=/usr/sbin \
124 --localstatedir=/var/lib/heimdal \
125 --datadir=/var/lib/heimdal \
126 --with-hdbdir=/var/lib/heimdal \
127 --with-readline=/usr \
128 --enable-kcm &amp;&amp;
129make</userinput></screen>
130
131 <para>If you have <xref linkend="tetex"/> installed and wish to create
132 alternate forms of the documentation, change into the
133 <filename class='directory'>doc</filename> directory and issue any or all
134 of the following commands:</para>
135
136<screen><userinput>pushd doc &amp;&amp;
137
138make html &amp;&amp;
139
140texi2pdf heimdal.texi &amp;&amp;
141texi2dvi heimdal.texi &amp;&amp;
142dvips -o heimdal.ps heimdal.dvi &amp;&amp;
143makeinfo --plaintext -o heimdal.txt heimdal.texi &amp;&amp;
144
145texi2pdf hx509.texi &amp;&amp;
146texi2dvi hx509.texi &amp;&amp;
147dvips -o hx509.ps hx509.dvi &amp;&amp;
148makeinfo --plaintext -o hx509.txt hx509.texi &amp;&amp;
149
150popd</userinput></screen>
151
152 <para>To test the results, issue: <command>make -k check</command>. The
153 <command>ipropd</command> test is known to fail but all others should
154 pass.</para>
155
156 <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
157
158<!-- <screen role="root"><?dbfo keep-together="auto"?><userinput>mv -v /usr/include/ss/ss.h /usr/include/ss/ss.h.e2fsprogs &amp;&amp;
159mv -v /usr/lib/libss.a /usr/lib/libss.a.e2fsprogs &amp;&amp;
160mv -v /usr/lib/libss.so /usr/lib/libss.so.e2fsprogs &amp;&amp;
161mv -v /usr/bin/mk_cmds /usr/bin/mk_cmds.e2fsprogs &amp;&amp;
162-->
163
164<screen role="root"><userinput>make install &amp;&amp;
165
166install -v -m755 -d /usr/share/doc/heimdal-&heimdal-version; &amp;&amp;
167install -v -m644 doc/{init-creds,layman.asc} \
168 /usr/share/doc/heimdal-&heimdal-version; &amp;&amp;
169
170ln -sfv mech.5 /usr/share/man/man5/qop.5 &amp;&amp;
171ln -sfv ../man5/mech.5 /usr/share/man/cat5/qop.5 &amp;&amp;
172ln -sfv ../man5/mech.5 /usr/share/man/cat5 &amp;&amp;
173
174mv -v /bin/login /bin/login.SHADOW &amp;&amp;
175mv -v /bin/su /bin/su.SHADOW &amp;&amp;
176mv -v /usr/bin/{login,su} /bin &amp;&amp;
177ln -v -sf ../../bin/login /usr/bin &amp;&amp;
178
179for LINK in lib{otp,kafs,krb5,hx509,asn1,roken,crypto}; do
180 mv -v /usr/lib/${LINK}.so.* /lib &amp;&amp;
181 ln -v -sf ../../lib/$(readlink /usr/lib/${LINK}.so) \
182 /usr/lib/${LINK}.so
183done &amp;&amp;
184
185mv -v /usr/lib/$(readlink /usr/lib/libdb.so) \
186 /usr/lib/libdb-?.so \
187 /lib &amp;&amp;
188ln -v -sf ../../lib/$(readlink /usr/lib/libdb.so) \
189 /usr/lib/libdb.so &amp;&amp;
190
191ldconfig</userinput></screen>
192
193<!-- mv -v /usr/include/ss/ss.h /usr/include/ss/ss.h.heimdal &amp;&amp;
194mv -v /usr/include/ss/ss.h.e2fsprogs /usr/include/ss/ss.h &amp;&amp;
195mv -v /usr/lib/libss.a /usr/lib/libss.a.heimdal &amp;&amp;
196mv -v /usr/lib/libss.a.e2fsprogs /usr/lib/libss.a &amp;&amp;
197mv -v /usr/lib/libss.so /usr/lib/libss.so.heimdal &amp;&amp;
198mv -v /usr/lib/libss.so.e2fsprogs /usr/lib/libss.so &amp;&amp;
199mv -v /usr/lib/libss.la /usr/lib/libss.la.heimdal &amp;&amp;
200mv -v /usr/bin/mk_cmds /usr/bin/mk_cmds.heimdal &amp;&amp;
201mv -v /usr/bin/mk_cmds.e2fsprogs /usr/bin/mk_cmds &amp;&amp; -->
202
203 <para>If you built any of the alternate forms of documentation, install it
204 using the following commands as the
205 <systemitem class="username">root</systemitem> user:</para>
206
207<screen role="root"><userinput>install -v -m644 doc/{heimdal,hx509}.{dvi,ps,pdf,html,txt} \
208 /usr/share/doc/heimdal-&heimdal-version;</userinput></screen>
209
210 <para>If you wish to use the <xref linkend="cracklib"/> library to enforce
211 strong passwords in the KDC database, issue the following commands as the
212 <systemitem class="username">root</systemitem> user:</para>
213
214<screen role="root"><userinput>sed -e 's|/usr/pkg|/usr|' \
215 -e 's|/usr/lib/cracklib_dict|/lib/cracklib/pw_dict|' \
216 -e 's|/var/heimdal|/var/lib/heimdal|' \
217 lib/kadm5/check-cracklib.pl \
218 > /bin/krb5-check-cracklib.pl &amp;&amp;
219
220chmod -v 755 /bin/krb5-check-cracklib.pl</userinput></screen>
221
222 </sect2>
223
224 <sect2 role="commands">
225 <title>Command Explanations</title>
226
227 <!-- <para><command>mv -v /usr/include/...</command>,
228 <command>mv -v /usr/lib/libss.* ...</command> and
229 <command>mv -v /usr/bin/mk_cmds ...</command>: The
230 <application>Heimdal</application> installation will overwrite an
231 interface header, static library, library symbolic link and a
232 shell script from the
233 <application>E2fsprogs</application> package. These commands rename the
234 original files before the installation, and then restore them (after
235 renaming the new <application>Heimdal</application> files) after the
236 installation.</para> -->
237
238 <para><parameter>--libexecdir=/usr/sbin</parameter>: This switch causes
239 the daemon programs to be installed into
240 <filename class="directory">/usr/sbin</filename>.</para>
241
242 <tip>
243 <para>If you want to preserve all your existing
244 <application>Inetutils</application> package daemons, install the
245 <application>Heimdal</application> daemons into
246 <filename class="directory">/usr/sbin/heimdal</filename> (or wherever
247 you want). Since these programs will be called from
248 <command>(x)inetd</command> or <filename>rc</filename> scripts, it
249 really doesn't matter where they are installed, as long as they are
250 correctly specified in the <filename>/etc/(x)inetd.conf</filename> file
251 and <filename>rc</filename> scripts. If you choose something other than
252 <filename class="directory">/usr/sbin</filename>, you may want to move
253 some of the user programs (such as <command>kadmin</command>) to
254 <filename class="directory">/usr/sbin</filename> manually so they'll be
255 in the privileged user's default <envar>PATH</envar>.</para>
256 </tip>
257
258 <para><parameter>--localstatedir=/var/lib/heimdal</parameter>,
259 <parameter>--datadir=/var/lib/heimdal</parameter> and
260 <parameter>--with-hdbdir=/var/lib/heimdal</parameter>: These parameters
261 are used so that the KDC database and associated files will all reside
262 in <filename class='directory'>/var/lib/heimdal</filename>.</para>
263
264 <para><parameter>--with-readline=/usr</parameter>: This parameter must be
265 used so that the <command>configure</command> script properly locates the
266 installed <application>Readline</application> package.</para>
267
268 <para><parameter>--enable-kcm</parameter>: This parameter enables building
269 the Kerberos Credentials Manager.</para>
270
271 <para><command>ln -sfv .../mech.5 /usr/share/man/...</command>: These
272 commands are used to fix some broken symbolic links.</para>
273
274 <para><command>mv ... ...SHADOW</command>, <command>mv ... /bin</command>
275 and <command> ln ... /usr/bin</command>: The <command>login</command>
276 and <command>su</command> programs installed by
277 <application>Heimdal</application> belong in the
278 <filename class="directory">/bin</filename> directory. The
279 <command>login</command> program is symlinked because
280 <application>Heimdal</application> is expecting to find it in
281 <filename class="directory">/usr/bin</filename>. The old executables from
282 the <application>Shadow</application> package are preserved before the move
283 so that they can be restored if you experience problems logging into the
284 system after the <application>Heimdal</application> package is installed
285 and configured.</para>
286
287 <para><command>for LINK in ...; do ...; done</command>,
288 <command>mv ... /lib</command> and
289 <command>ln ... /usr/lib/libdb.so</command>: The <command>login</command>
290 and <command>su</command> programs previously moved into the
291 <filename class='directory'>/bin</filename> directory link against
292 <application>Heimdal</application> libraries as well as libraries provided
293 by the <application>OpenSSL</application> and
294 <application>Berkeley DB</application> packages. These
295 libraries are also moved to <filename class="directory">/lib</filename>
296 so they are FHS compliant and also in case
297 <filename class="directory">/usr</filename> is located on a separate
298 partition which may not always be mounted.</para>
299
300 </sect2>
301
302 <sect2 role="configuration">
303 <title>Configuring Heimdal</title>
304
305 <sect3 id="heimdal-config">
306 <title>Config Files</title>
307
308 <para><filename>/etc/heimdal/*</filename></para>
309
310 <indexterm zone="heimdal heimdal-config">
311 <primary sortas="e-etc-heimdal">/etc/heimdal/*</primary>
312 </indexterm>
313
314 </sect3>
315
316 <sect3>
317 <title>Configuration Information</title>
318
319 <note>
320 <para>All the configuration steps shown below must be accomplished
321 by the <systemitem class='username'>root</systemitem> user unless
322 otherwise noted.</para>
323 </note>
324
325 <sect4>
326 <title>Master KDC Server Configuration</title>
327
328 <para>Many of the commands below use
329 <replaceable>&lt;replaceable&gt;</replaceable> tags to identify places
330 where you need to substitute information specific to your network.
331 Ensure you replace everything in these tags (there will be no angle
332 brackets when you are done) with your site-specific information.</para>
333
334 <para>Create the Kerberos configuration file with the following
335 commands:</para>
336
337<screen role="root"><userinput>install -v -m755 -d /etc/heimdal &amp;&amp;
338cat &gt; /etc/heimdal/krb5.conf &lt;&lt; "EOF" &amp;&amp;
339<literal># Begin /etc/heimdal/krb5.conf
340
341[libdefaults]
342 default_realm = <replaceable>&lt;EXAMPLE.COM&gt;</replaceable>
343 encrypt = true
344
345[realms]
346 <replaceable>&lt;EXAMPLE.COM&gt;</replaceable> = {
347 kdc = <replaceable>&lt;hostname.example.com&gt;</replaceable>
348 admin_server = <replaceable>&lt;hostname.example.com&gt;</replaceable>
349 kpasswd_server = <replaceable>&lt;hostname.example.com&gt;</replaceable>
350 }
351
352[domain_realm]
353 .<replaceable>&lt;example.com&gt;</replaceable> = <replaceable>&lt;EXAMPLE.COM&gt;</replaceable>
354
355[logging]
356 kdc = FILE:/var/log/kdc.log
357 admin_server = FILE:/var/log/kadmin.log
358 default = FILE:/var/log/krb.log
359
360# End /etc/heimdal/krb5.conf</literal>
361EOF
362chmod -v 644 /etc/heimdal/krb5.conf</userinput></screen>
363
364 <para>You will need to substitute your domain and proper hostname
365 for the occurrences of the <replaceable>&lt;hostname&gt;</replaceable>
366 and <replaceable>&lt;EXAMPLE.COM&gt;</replaceable> names.</para>
367
368 <para><option>default_realm</option> should be the name of your
369 domain changed to ALL CAPS. This isn't required, but both
370 <application>Heimdal</application> and <application>MIT
371 Kerberos</application> recommend it.</para>
372
373 <para><option>encrypt = true</option> provides encryption of all
374 traffic between kerberized clients and servers. It's not necessary
375 and can be left off. If you leave it off, you can encrypt all traffic
376 from the client to the server using a switch on the client program
377 instead. The <option>[realms]</option> parameters tell the client
378 programs where to look for the KDC authentication services. The
379 <option>[domain_realm]</option> section maps a domain
380 to a realm.</para>
381
382 <para>Store the master password in a key file using the following
383 commands:</para>
384
385<screen role="root"><userinput>install -v -m755 -d /var/lib/heimdal &amp;&amp;
386kstash</userinput></screen>
387
388 <para>Create the KDC database:</para>
389
390<screen role="root"><userinput>kadmin -l</userinput></screen>
391
392 <para>The commands below will prompt you for information about the
393 principals. Choose the defaults for now unless you know what you are
394 doing and need to specify different values. You can go in later and
395 change the defaults, should you feel the need. You may use the up and
396 down arrow keys to use the history feature of <command>kadmin</command>
397 in a similar manner as the <command>bash</command> history
398 feature.</para>
399
400 <para>At the <prompt>kadmin&gt;</prompt> prompt, issue the following
401 statement:</para>
402
403<screen role="root"><userinput>init <replaceable>&lt;EXAMPLE.COM&gt;</replaceable></userinput></screen>
404
405 <para>The database must now be populated with at least one principal
406 (user). For now, just use your regular login name or root. You may
407 create as few or as many principals as you wish using the following
408 statement:</para>
409
410<screen role="root"><userinput>add <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>
411
412 <para>The KDC server and any machine running kerberized
413 server daemons must have a host key installed:</para>
414
415<screen role="root"><userinput>add --random-key host/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>
416
417 <para>After choosing the defaults when prompted, you will have to
418 export the data to a keytab file:</para>
419
420<screen role="root"><userinput>ext host/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>
421
422 <para>This should have created two files in
423 <filename class="directory">/etc/heimdal</filename>:
424 <filename>krb5.keytab</filename> (Kerberos 5) and
425 <filename>srvtab</filename> (Kerberos 4). Both files should have 600
426 (root rw only) permissions. Keeping the keytab files from public access
427 is crucial to the overall security of the Kerberos installation.</para>
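The permission requirement above can be checked mechanically. The following shell functions are an added example, not part of the BLFS book or the Heimdal package; the function names check_keytab and audit_keytabs are hypothetical, and GNU stat is assumed:

```shell
#!/bin/sh
# Added example: audit the two files this page says must be mode 600.
# The function names are hypothetical; GNU stat (-c) is assumed.

# check_keytab FILE [UID]
# Returns 0 only when FILE is a regular file (not a symbolic link),
# has mode exactly 600 and is owned by UID (default 0, i.e. root).
check_keytab() {
    file=$1
    want_uid=${2:-0}

    # A symlink could point at a file with looser permissions elsewhere.
    if [ -L "$file" ]; then
        echo "FAIL $file: is a symbolic link"
        return 1
    fi
    if [ ! -f "$file" ]; then
        echo "FAIL $file: missing or not a regular file"
        return 1
    fi

    mode=$(stat -c '%a' "$file")
    uid=$(stat -c '%u' "$file")

    if [ "$mode" != "600" ]; then
        echo "FAIL $file: mode $mode, expected 600 (fix: chmod 600 $file)"
        return 1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $file: owner uid $uid, expected $want_uid"
        return 1
    fi

    echo "OK   $file"
    return 0
}

# audit_keytabs DIR [UID]
# Checks krb5.keytab and srvtab in DIR and returns the number of
# files that failed, so 0 means both are protected as required.
audit_keytabs() {
    dir=$1
    want_uid=${2:-0}
    failures=0
    for name in krb5.keytab srvtab; do
        if ! check_keytab "$dir/$name" "$want_uid"; then
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}
```

As root, run audit_keytabs /etc/heimdal; the exit status is the number of files that failed the check.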
428
429 <para>Eventually, you'll want to add server daemon principals to the
430 database and extract them to the keytab file. You do this in the same
431 way you created the host principals. Below is an example:</para>
432
433<screen role="root"><userinput>add --random-key ftp/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>
434
435 <para>(choose the defaults)</para>
436
437<screen role="root"><userinput>ext ftp/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>
438
439 <para>Exit the <command>kadmin</command> program (use
440 <command>quit</command> or <command>exit</command>) and return
441 to the shell prompt. Start the KDC daemon manually, just to test out
442 the installation:</para>
443
444<screen role="root"><userinput>/usr/sbin/kdc &amp;</userinput></screen>
445
446 <para>Attempt to get a TGT (ticket granting ticket) with
447 the following command:</para>
448
449<screen><userinput>kinit <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>
450
451 <para>You will be prompted for the password you created. After you get
452 your ticket, you should list it with the following command:</para>
453
454<screen><userinput>klist</userinput></screen>
455
456 <para>Information about the ticket should be displayed on
457 the screen.</para>
458
459 <para>To test the functionality of the <filename>keytab</filename> file,
460 issue the following command:</para>
461
462<screen><userinput>ktutil list</userinput></screen>
463
464 <para>This should dump a list of the host principals, along with the
465 encryption methods used to access the principals.</para>
466
467 <para>At this point, if everything has been successful so far, you
468 can feel fairly confident in the installation, setup and configuration
469 of your new <application>Heimdal</application> Kerberos 5
470 installation.</para>
471
472 <para>If you wish to use the <xref linkend="cracklib"/> library to
473 enforce strong passwords in the KDC database, you must do two things.
474 First, add the following lines to the
475 <filename>/etc/heimdal/krb5.conf</filename> configuration file:</para>
476
477<screen><literal>[password_quality]
478 policies = builtin:external-check
479 external_program = /bin/krb5-check-cracklib.pl</literal></screen>
480
481 <para>Next you must install the
482 <application>Crypt::Cracklib</application>
483 <application>Perl</application> module. Download it from the CPAN
484 site. The URL at the time of this writing is <ulink
485 url="http://cpan.org/authors/id/D/DA/DANIEL/Crypt-Cracklib-1.2.tar.gz"/>.
486 After unpacking the tarball and changing into the newly created
487 directory, issue the following command to add the BLFS
488 <application>Cracklib</application> dictionary location to one of the
489 source files:</para>
490
491<screen><userinput>sed -i 's|pw_dict|&amp;\n\t\t/lib/cracklib/pw_dict|' Cracklib.pm</userinput></screen>
492
493 <para>Then use the standard <command>perl Makefile.PL</command>;
494 <command>make</command>; <command>make test</command>;
495 <command>make install</command> commands. Note that one test fails
496 for an unknown reason.</para>
497
498 <para id="heimdal-init">Install the
499 <filename>/etc/rc.d/init.d/heimdal</filename> init script included
500 in the <xref linkend="bootscripts"/> package:</para>
501
502 <indexterm zone="heimdal heimdal-init">
503 <primary sortas="f-heimdal">heimdal</primary>
504 </indexterm>
505
506<screen role="root"><userinput>make install-heimdal</userinput></screen>
507
508 </sect4>
509
510 <sect4>
511 <title>Using Kerberized Client Programs</title>
512
513 <para>To use the kerberized client programs (<command>telnet</command>,
514 <command>ftp</command>, <command>rsh</command>,
515 <command>rxterm</command>, <command>rxtelnet</command>,
516 <command>rcp</command>, <command>xnlock</command>), you first must get
517 a TGT. Use the <command>kinit</command> program to get the ticket.
518 After you've acquired the ticket, you can use the kerberized programs
519 to connect to any kerberized server on the network. You will not be
520 prompted for authentication until your ticket expires (default is one
521 day), unless you specify a different user as a command line argument
522 to the program.</para>
523
524 <para>The kerberized programs will connect to non-kerberized daemons,
525 warning you that authentication is not encrypted.</para>
526
527 <para>In order to use the <application>Heimdal</application>
528 <application>X</application> programs, you'll need to add a service
529 port entry to the <filename>/etc/services</filename> file for the
530 <command>kxd</command> server. There is no 'standardized port number'
531 for the 'kx' service in the IANA database, so you'll have to pick an
532 unused port number. Add an entry to the <filename>services</filename>
533 file similar to the entry below (substitute your chosen port number
534 for <replaceable>&lt;49150&gt;</replaceable>):</para>
535
536<screen><literal>kx <replaceable>&lt;49150&gt;</replaceable>/tcp # Heimdal kerberos X
537kx <replaceable>&lt;49150&gt;</replaceable>/udp # Heimdal kerberos X</literal></screen>
538
539 <para>For additional information consult <ulink
540 url="&hints-root;/downloads/files/heimdal.txt">the
541 Heimdal hint</ulink> on which the above instructions are based.</para>
542
543 </sect4>
544
545 </sect3>
546
547 </sect2>
548
549 <sect2 role="content">
550 <title>Contents</title>
551
552 <segmentedlist>
553 <segtitle>Installed Programs</segtitle>
554 <segtitle>Installed Libraries</segtitle>
555 <segtitle>Installed Directories</segtitle>
556
557 <seglistitem>
558 <seg>afslog, ftp, ftpd, gss, hprop, hpropd, hxtool, iprop-log,
559 ipropd-master, ipropd-slave, kadmin, kadmind, kauth, kcm, kdc,
560 kdestroy, kdigest, kf, kfd, kgetcred, kimpersonate, kinit, klist,
561 kpasswd, kpasswdd, krb5-check-cracklib.pl, krb5-config, kstash,
562 ktutil, kx, kxd, login, mk_cmds-krb5, otp, otpprint, pagsh, pfrom,
563 popper, push, rcp, rsh, rshd, rxtelnet, rxterm, string2key, su,
564 telnet, telnetd, tenletxr, verify_krb5_conf and xnlock</seg>
565
566 <seg>hdb_ldap.{so,a}, libasn1.{so,a}, libeditline.{so,a},
567 libgssapi.{so,a}, libhdb.{so,a}, libheimntlm.{so,a}, libhx509.{so,a},
568 libkadm5clnt.{so,a}, libkadm5srv.{so,a}, libkafs.{so,a},
569 libkdc.{so,a}, libkrb5.{so,a}, libotp.{so,a}, libroken.{so,a},
570 libsl.{so,a}, libss-krb5.{so,a} and windc.{so,a}</seg>
571
572 <seg>/etc/heimdal, /usr/include/gssapi, /usr/include/kadm5,
573 /usr/include/krb5, /usr/include/roken, /usr/include/ss,
574 /usr/share/doc/heimdal-&heimdal-version; and /var/lib/heimdal</seg>
575 </seglistitem>
576 </segmentedlist>
577
578 <variablelist>
579 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
580 <?dbfo list-presentation="list"?>
581 <?dbhtml list-presentation="table"?>
582
583 <varlistentry id="afslog">
584 <term><command>afslog</command></term>
585 <listitem>
586 <para>obtains AFS tokens for a number of cells.</para>
587 <indexterm zone="heimdal afslog">
588 <primary sortas="b-afslog">afslog</primary>
589 </indexterm>
590 </listitem>
591 </varlistentry>
592
593 <varlistentry id="ftp">
594 <term><command>ftp</command></term>
595 <listitem>
596 <para>is a kerberized FTP client.</para>
597 <indexterm zone="heimdal ftp">
598 <primary sortas="b-ftp">ftp</primary>
599 </indexterm>
600 </listitem>
601 </varlistentry>
602
603 <varlistentry id="ftpd">
604 <term><command>ftpd</command></term>
605 <listitem>
606 <para>is a kerberized FTP daemon.</para>
607 <indexterm zone="heimdal ftpd">
608 <primary sortas="b-ftpd">ftpd</primary>
609 </indexterm>
610 </listitem>
611 </varlistentry>
612
613 <varlistentry id="hprop">
614 <term><command>hprop</command></term>
615 <listitem>
616 <para> takes a principal database in a specified format and converts
617 it into a stream of <application>Heimdal</application> database
618 records.</para>
619 <indexterm zone="heimdal hprop">
620 <primary sortas="b-hprop">hprop</primary>
621 </indexterm>
622 </listitem>
623 </varlistentry>
624
625 <varlistentry id="hpropd">
626 <term><command>hpropd</command></term>
627 <listitem>
628 <para>is a server that receives a database sent by
629 <command>hprop</command> and writes it as a local database.</para>
630 <indexterm zone="heimdal hpropd">
631 <primary sortas="b-hpropd">hpropd</primary>
632 </indexterm>
633 </listitem>
634 </varlistentry>
635
636 <varlistentry id="iprop-log">
637 <term><command>iprop-log</command></term>
638 <listitem>
639 <para>is used to maintain the iprop log file.</para>
640 <indexterm zone="heimdal iprop-log">
641 <primary sortas="b-iprop-log">iprop-log</primary>
642 </indexterm>
643 </listitem>
644 </varlistentry>
645
646 <varlistentry id="ipropd-master">
647 <term><command>ipropd-master</command></term>
648 <listitem>
649 <para>is a daemon which runs on the master KDC
650 server which incrementally propagates changes to the KDC
651 database to the slave KDC servers.</para>
652 <indexterm zone="heimdal ipropd-master">
653 <primary sortas="b-ipropd-master">ipropd-master</primary>
654 </indexterm>
655 </listitem>
656 </varlistentry>
657
658 <varlistentry id="ipropd-slave">
659 <term><command>ipropd-slave</command></term>
660 <listitem>
661 <para>is a daemon which runs on the slave KDC
662 servers which incrementally propagates changes to the KDC
663 database from the master KDC server.</para>
664 <indexterm zone="heimdal ipropd-slave">
665 <primary sortas="b-ipropd-slave">ipropd-slave</primary>
666 </indexterm>
667 </listitem>
668 </varlistentry>
669
670 <varlistentry id="kadmin">
671 <term><command>kadmin</command></term>
672 <listitem>
673 <para>is a utility used to make modifications to the Kerberos
674 database.</para>
675 <indexterm zone="heimdal kadmin">
676 <primary sortas="b-kadmin">kadmin</primary>
677 </indexterm>
678 </listitem>
679 </varlistentry>
680
681 <varlistentry id="kadmind">
682 <term><command>kadmind</command></term>
683 <listitem>
684 <para>is a server for administrative access to the Kerberos
685 database.</para>
686 <indexterm zone="heimdal kadmind">
687 <primary sortas="b-kadmind">kadmind</primary>
688 </indexterm>
689 </listitem>
690 </varlistentry>
691
692 <varlistentry id="kauth">
693 <term><command>kauth</command></term>
694 <listitem>
695 <para>is a symbolic link to the <command>kinit</command>
696 program.</para>
697 <indexterm zone="heimdal kauth">
698 <primary sortas="g-kauth">kauth</primary>
699 </indexterm>
700 </listitem>
701 </varlistentry>
702
703 <varlistentry id="kcm">
704 <term><command>kcm</command></term>
705 <listitem>
706 <para>is a process-based credential cache for Kerberos
707 tickets.</para>
708 <indexterm zone="heimdal kcm">
709 <primary sortas="b-kcm">kcm</primary>
710 </indexterm>
711 </listitem>
712 </varlistentry>
713
714 <varlistentry id="kdc">
715 <term><command>kdc</command></term>
716 <listitem>
717 <para>is a Kerberos 5 server.</para>
718 <indexterm zone="heimdal kdc">
719 <primary sortas="b-kdc">kdc</primary>
720 </indexterm>
721 </listitem>
722 </varlistentry>
723
724 <varlistentry id="kdestroy">
725 <term><command>kdestroy</command></term>
726 <listitem>
727 <para>removes a principal's current set of tickets.</para>
728 <indexterm zone="heimdal kdestroy">
729 <primary sortas="b-kdestroy">kdestroy</primary>
730 </indexterm>
731 </listitem>
732 </varlistentry>
733
734 <varlistentry id="kf">
735 <term><command>kf</command></term>
736 <listitem>
737 <para>is a program which forwards tickets to a remote host through
738 an authenticated and encrypted stream.</para>
739 <indexterm zone="heimdal kf">
740 <primary sortas="b-kf">kf</primary>
741 </indexterm>
742 </listitem>
743 </varlistentry>
744
745 <varlistentry id="kfd">
746 <term><command>kfd</command></term>
747 <listitem>
748 <para>is a server used to receive forwarded tickets.</para>
749 <indexterm zone="heimdal kfd">
750 <primary sortas="b-kfd">kfd</primary>
751 </indexterm>
752 </listitem>
753 </varlistentry>
754
755 <varlistentry id="kgetcred">
756 <term><command>kgetcred</command></term>
757 <listitem>
758 <para>obtains a ticket for a service.</para>
759 <indexterm zone="heimdal kgetcred">
760 <primary sortas="b-kgetcred">kgetcred</primary>
761 </indexterm>
762 </listitem>
763 </varlistentry>
764
765 <varlistentry id="kinit">
766 <term><command>kinit</command></term>
767 <listitem>
768 <para>is used to authenticate to the Kerberos server as a principal
769 and acquire a ticket granting ticket that can later be used to obtain
770 tickets for other services.</para>
771 <indexterm zone="heimdal kinit">
772 <primary sortas="b-kinit">kinit</primary>
773 </indexterm>
774 </listitem>
775 </varlistentry>
776
777 <varlistentry id="klist">
778 <term><command>klist</command></term>
779 <listitem>
780 <para>reads and displays the current tickets in the credential
781 cache.</para>
782 <indexterm zone="heimdal klist">
783 <primary sortas="b-klist">klist</primary>
784 </indexterm>
785 </listitem>
786 </varlistentry>
787
788 <varlistentry id="kpasswd">
789 <term><command>kpasswd</command></term>
790 <listitem>
791 <para>is a program for changing Kerberos 5 passwords.</para>
792 <indexterm zone="heimdal kpasswd">
793 <primary sortas="b-kpasswd">kpasswd</primary>
794 </indexterm>
795 </listitem>
796 </varlistentry>
797
798 <varlistentry id="kpasswdd">
799 <term><command>kpasswdd</command></term>
800 <listitem>
801 <para>is a Kerberos 5 password changing server.</para>
802 <indexterm zone="heimdal kpasswdd">
803 <primary sortas="b-kpasswdd">kpasswdd</primary>
804 </indexterm>
805 </listitem>
806 </varlistentry>
807
808 <varlistentry id="krb5-config-prog">
809 <term><command>krb5-config</command></term>
810 <listitem>
811 <para>gives information on how to link programs against
812 <application>Heimdal</application> libraries.</para>
813 <indexterm zone="heimdal krb5-config-prog">
814 <primary sortas="b-krb5-config">krb5-config</primary>
815 </indexterm>
816 </listitem>
817 </varlistentry>
818
819 <varlistentry id="kstash">
820 <term><command>kstash</command></term>
821 <listitem>
822 <para>stores the KDC master password in a file.</para>
823 <indexterm zone="heimdal kstash">
824 <primary sortas="b-kstash">kstash</primary>
825 </indexterm>
826 </listitem>
827 </varlistentry>
828
829 <varlistentry id="ktutil">
830 <term><command>ktutil</command></term>
831 <listitem>
832 <para>is a program for managing Kerberos keytabs.</para>
833 <indexterm zone="heimdal ktutil">
834 <primary sortas="b-ktutil">ktutil</primary>
835 </indexterm>
836 </listitem>
837 </varlistentry>
838
839 <varlistentry id="kx">
840 <term><command>kx</command></term>
841 <listitem>
842 <para>is a program which securely forwards
843 <application>X</application> connections.</para>
844 <indexterm zone="heimdal kx">
845 <primary sortas="b-kx">kx</primary>
846 </indexterm>
847 </listitem>
848 </varlistentry>
849
850 <varlistentry id="kxd">
851 <term><command>kxd</command></term>
852 <listitem>
853 <para>is the daemon for <command>kx</command>.</para>
854 <indexterm zone="heimdal kxd">
855 <primary sortas="b-kxd">kxd</primary>
856 </indexterm>
857 </listitem>
858 </varlistentry>
859
860 <varlistentry id="login">
861 <term><command>login</command></term>
862 <listitem>
863 <para>is a kerberized login program.</para>
864 <indexterm zone="heimdal login">
865 <primary sortas="b-login">login</primary>
866 </indexterm>
867 </listitem>
868 </varlistentry>
869
870 <varlistentry id="otp">
871 <term><command>otp</command></term>
872 <listitem>
873 <para>manages one-time passwords.</para>
874 <indexterm zone="heimdal otp">
875 <primary sortas="b-otp">otp</primary>
876 </indexterm>
877 </listitem>
878 </varlistentry>
879
880 <varlistentry id="otpprint">
881 <term><command>otpprint</command></term>
882 <listitem>
883 <para>prints lists of one-time passwords.</para>
884 <indexterm zone="heimdal otpprint">
885 <primary sortas="b-otpprint">otpprint</primary>
886 </indexterm>
887 </listitem>
888 </varlistentry>
889
890 <varlistentry id="pfrom">
891 <term><command>pfrom</command></term>
892 <listitem>
893 <para>is a script that runs <command>push --from</command>.</para>
894 <indexterm zone="heimdal pfrom">
895 <primary sortas="b-pfrom">pfrom</primary>
896 </indexterm>
897 </listitem>
898 </varlistentry>
899
900 <varlistentry id="popper">
901 <term><command>popper</command></term>
902 <listitem>
903 <para>is a kerberized POP-3 server.</para>
904 <indexterm zone="heimdal popper">
905 <primary sortas="b-popper">popper</primary>
906 </indexterm>
907 </listitem>
908 </varlistentry>
909
910 <varlistentry id="push">
911 <term><command>push</command></term>
912 <listitem>
913 <para>is a kerberized POP mail retrieval client.</para>
914 <indexterm zone="heimdal push">
915 <primary sortas="b-push">push</primary>
916 </indexterm>
917 </listitem>
918 </varlistentry>
919
920 <varlistentry id="rcp">
921 <term><command>rcp</command></term>
922 <listitem>
923 <para>is a kerberized rcp client program.</para>
924 <indexterm zone="heimdal rcp">
925 <primary sortas="b-rcp">rcp</primary>
926 </indexterm>
927 </listitem>
928 </varlistentry>
929
930 <varlistentry id="rsh">
931 <term><command>rsh</command></term>
932 <listitem>
933 <para>is a kerberized rsh client program.</para>
934 <indexterm zone="heimdal rsh">
935 <primary sortas="b-rsh">rsh</primary>
936 </indexterm>
937 </listitem>
938 </varlistentry>
939
940 <varlistentry id="rshd">
941 <term><command>rshd</command></term>
942 <listitem>
943 <para>is a kerberized rsh server.</para>
944 <indexterm zone="heimdal rshd">
945 <primary sortas="b-rshd">rshd</primary>
946 </indexterm>
947 </listitem>
948 </varlistentry>
949
950 <varlistentry id="rxtelnet">
951 <term><command>rxtelnet</command></term>
952 <listitem>
953 <para>starts a secure <command>xterm</command> window with a
954 <command>telnet</command> to a given host and forwards
955 <application>X</application> connections.</para>
956 <indexterm zone="heimdal rxtelnet">
957 <primary sortas="b-rxtelnet">rxtelnet</primary>
958 </indexterm>
959 </listitem>
960 </varlistentry>
961
962 <varlistentry id="rxterm">
963 <term><command>rxterm</command></term>
964 <listitem>
965 <para>starts a secure remote <command>xterm</command>.</para>
966 <indexterm zone="heimdal rxterm">
967 <primary sortas="b-rxterm">rxterm</primary>
968 </indexterm>
969 </listitem>
970 </varlistentry>
971
972 <varlistentry id="string2key">
973 <term><command>string2key</command></term>
974 <listitem>
975 <para>maps a password into a key.</para>
976 <indexterm zone="heimdal string2key">
977 <primary sortas="b-string2key">string2key</primary>
978 </indexterm>
979 </listitem>
980 </varlistentry>
981
982 <varlistentry id="su">
983 <term><command>su</command></term>
984 <listitem>
985 <para>is a kerberized su client program.</para>
986 <indexterm zone="heimdal su">
987 <primary sortas="b-su">su</primary>
988 </indexterm>
989 </listitem>
990 </varlistentry>
991
992 <varlistentry id="telnet">
993 <term><command>telnet</command></term>
994 <listitem>
995 <para>is a kerberized telnet client program.</para>
996 <indexterm zone="heimdal telnet">
997 <primary sortas="b-telnet">telnet</primary>
998 </indexterm>
999 </listitem>
1000 </varlistentry>
1001
1002 <varlistentry id="telnetd">
1003 <term><command>telnetd</command></term>
1004 <listitem>
1005 <para>is a kerberized telnet server.</para>
1006 <indexterm zone="heimdal telnetd">
1007 <primary sortas="b-telnetd">telnetd</primary>
1008 </indexterm>
1009 </listitem>
1010 </varlistentry>
1011
1012 <varlistentry id="tenletxr">
1013 <term><command>tenletxr</command></term>
1014 <listitem>
1015 <para>forwards <application>X</application> connections
1016 backwards.</para>
1017 <indexterm zone="heimdal tenletxr">
1018 <primary sortas="b-tenletxr">tenletxr</primary>
1019 </indexterm>
1020 </listitem>
1021 </varlistentry>
1022
1023 <varlistentry id="verify_krb5_conf">
1024 <term><command>verify_krb5_conf</command></term>
1025 <listitem>
1026 <para>checks the <filename>krb5.conf</filename> file for obvious
1027 errors.</para>
1028 <indexterm zone="heimdal verify_krb5_conf">
1029 <primary sortas="b-verify_krb5_conf">verify_krb5_conf</primary>
1030 </indexterm>
1031 </listitem>
1032 </varlistentry>
1033
1034 <varlistentry id="xnlock">
1035 <term><command>xnlock</command></term>
1036 <listitem>
1037 <para>is a program that acts as a secure screen saver for
1038 workstations running <application>X</application>.</para>
1039 <indexterm zone="heimdal xnlock">
1040 <primary sortas="b-xnlock">xnlock</primary>
1041 </indexterm>
1042 </listitem>
1043 </varlistentry>
1044
1045 <varlistentry id="libasn1">
1046 <term><filename class='libraryfile'>libasn1.{so,a}</filename></term>
1047 <listitem>
1048 <para>provides the ASN.1 and DER functions to encode and decode
1049 the Kerberos TGTs.</para>
1050 <indexterm zone="heimdal libasn1">
1051 <primary sortas="c-libasn1">libasn1.{so,a}</primary>
1052 </indexterm>
1053 </listitem>
1054 </varlistentry>
1055
1056 <varlistentry id="libeditline">
1057 <term><filename class='libraryfile'>libeditline.a</filename></term>
1058 <listitem>
1059 <para>is a command-line editing library with history.</para>
1060 <indexterm zone="heimdal libeditline">
1061 <primary sortas="c-libeditline">libeditline.a</primary>
1062 </indexterm>
1063 </listitem>
1064 </varlistentry>
1065
1066 <varlistentry id="libgssapi">
1067 <term><filename class='libraryfile'>libgssapi.{so,a}</filename></term>
1068 <listitem>
1069 <para>contains the Generic Security Service Application Programming
1070 Interface (GSSAPI) functions, which provide security
1071 services to callers in a generic fashion, supportable with a range of
1072 underlying mechanisms and technologies and hence allowing source-level
1073 portability of applications to different environments.</para>
1074 <indexterm zone="heimdal libgssapi">
1075 <primary sortas="c-libgssapi">libgssapi.{so,a}</primary>
1076 </indexterm>
1077 </listitem>
1078 </varlistentry>
1079
1080 <varlistentry id="libhdb">
1081 <term><filename class='libraryfile'>libhdb.{so,a}</filename></term>
1082 <listitem>
1083 <para>is a <application>Heimdal</application> Kerberos 5
1084 authentication/authorization database access library.</para>
1085 <indexterm zone="heimdal libhdb">
1086 <primary sortas="c-libhdb">libhdb.{so,a}</primary>
1087 </indexterm>
1088 </listitem>
1089 </varlistentry>
1090
1091 <varlistentry id="libkadm5clnt">
1092 <term><filename class='libraryfile'>libkadm5clnt.{so,a}</filename></term>
1093 <listitem>
1094 <para>contains the administrative authentication and password
1095 checking functions required by Kerberos 5 client-side programs.</para>
1096 <indexterm zone="heimdal libkadm5clnt">
1097 <primary sortas="c-libkadm5clnt">libkadm5clnt.{so,a}</primary>
1098 </indexterm>
1099 </listitem>
1100 </varlistentry>
1101
1102 <varlistentry id="libkadm5srv">
1103 <term><filename class='libraryfile'>libkadm5srv.{so,a}</filename></term>
1104 <listitem>
1105 <para>contains the administrative authentication and password
1106 checking functions required by Kerberos 5 servers.</para>
1107 <indexterm zone="heimdal libkadm5srv">
1108 <primary sortas="c-libkadm5srv">libkadm5srv.{so,a}</primary>
1109 </indexterm>
1110 </listitem>
1111 </varlistentry>
1112
1113 <varlistentry id="libkafs">
1114 <term><filename class='libraryfile'>libkafs.{so,a}</filename></term>
1115 <listitem>
1116 <para>contains the functions required to authenticate to AFS.</para>
1117 <indexterm zone="heimdal libkafs">
1118 <primary sortas="c-libkafs">libkafs.{so,a}</primary>
1119 </indexterm>
1120 </listitem>
1121 </varlistentry>
1122
1123 <varlistentry id="libkrb5">
1124 <term><filename class='libraryfile'>libkrb5.{so,a}</filename></term>
1125 <listitem>
1126 <para>is an all-purpose Kerberos 5 library.</para>
1127 <indexterm zone="heimdal libkrb5">
1128 <primary sortas="c-libkrb5">libkrb5.{so,a}</primary>
1129 </indexterm>
1130 </listitem>
1131 </varlistentry>
1132
1133 <varlistentry id="libotp">
1134 <term><filename class='libraryfile'>libotp.{so,a}</filename></term>
1135 <listitem>
1136 <para>contains the functions required to handle authenticating
1137 one-time passwords.</para>
1138 <indexterm zone="heimdal libotp">
1139 <primary sortas="c-libotp">libotp.{so,a}</primary>
1140 </indexterm>
1141 </listitem>
1142 </varlistentry>
1143
1144 <varlistentry id="libroken">
1145 <term><filename class='libraryfile'>libroken.{so,a}</filename></term>
1146 <listitem>
1147 <para>is a library containing Kerberos 5 compatibility
1148 functions.</para>
1149 <indexterm zone="heimdal libroken">
1150 <primary sortas="c-libroken">libroken.{so,a}</primary>
1151 </indexterm>
1152 </listitem>
1153 </varlistentry>
1154
1155 </variablelist>
1156
1157 </sect2>
1158
1159</sect1>