source: postlfs/security/heimdal.xml@ 6a829b3

Last change on this file since 6a829b3 was 6a829b3, checked in by Randy McMurchy <randy@…>, 16 years ago

Added missing patch commands to the Heimdal instructions

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@7406 af4574ff-66df-0310-9fd7-8a98e5e911e0

1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY heimdal-download-http "http://www.h5l.org/dist/src/heimdal-&heimdal-version;.tar.gz">
8 <!ENTITY heimdal-download-ftp "ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-&heimdal-version;.tar.gz">
9 <!ENTITY heimdal-md5sum "7892e97b346534cc9afeeee461fe3bab">
10 <!ENTITY heimdal-size "3.6 MB">
11 <!ENTITY heimdal-buildsize "136 MB">
12 <!ENTITY heimdal-time "4.0 SBU (additional 1.5 SBU to run the test suite)">
13]>
14
15<sect1 id="heimdal" xreflabel="Heimdal-&heimdal-version;">
16 <?dbhtml filename="heimdal.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Heimdal-&heimdal-version;</title>
24
25 <indexterm zone="heimdal">
26 <primary sortas="a-Heimdal">Heimdal</primary>
27 </indexterm>
28
29 <sect2 role="package">
30 <title>Introduction to Heimdal</title>
31
32 <para><application>Heimdal</application> is a free implementation
33 of Kerberos 5 that aims to be compatible with MIT Kerberos 5 and is
34 backward compatible with Kerberos 4. Kerberos is a network authentication
35 protocol. It lets users and services prove their identity across an
36 untrusted network (like the Internet) without sending passwords over that network. Kerberized applications work
37 hand-in-hand with sites that support Kerberos so that passwords
38 cannot be captured in transit. A Kerberos installation will make changes
39 to the authentication mechanisms on your network and will overwrite several
40 programs and daemons from the <application>Shadow</application>,
41 <application>Inetutils</application> and
42 <application>Qpopper</application> packages. See
43 <ulink url="&files-anduin;/heimdal-overwrites"/> for a complete list of
44 all the files and commands to rename each of them.</para>
45
46 <bridgehead renderas="sect3">Package Information</bridgehead>
47 <itemizedlist spacing="compact">
48 <listitem>
49 <para>Download (HTTP): <ulink url="&heimdal-download-http;"/></para>
50 </listitem>
51 <listitem>
52 <para>Download (FTP): <ulink url="&heimdal-download-ftp;"/></para>
53 </listitem>
54 <listitem>
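55 <para>Download MD5 sum: &heimdal-md5sum; (an MD5 match only shows the download is not corrupted; it is not a defense against a deliberately altered tarball)</para>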
56 </listitem>
57 <listitem>
58 <para>Download size: &heimdal-size;</para>
59 </listitem>
60 <listitem>
61 <para>Estimated disk space required: &heimdal-buildsize;</para>
62 </listitem>
63 <listitem>
64 <para>Estimated build time: &heimdal-time;</para>
65 </listitem>
66 </itemizedlist>
67
68 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
69 <itemizedlist spacing='compact'>
70 <listitem>
71 <para>Required Patch: <ulink
72 url="&patch-root;/heimdal-&heimdal-version;-blfs_docs-1.patch"/></para>
73 </listitem>
74 <listitem>
75 <para>Required Patch: <ulink
76 url="&patch-root;/heimdal-&heimdal-version;-libss-1.patch"/></para>
77 </listitem>
78 </itemizedlist>
79
80 <bridgehead renderas="sect3">Heimdal Dependencies</bridgehead>
81
82 <bridgehead renderas="sect4">Required to Build the Server-Side Tools</bridgehead>
83 <para role="required">
84 <!-- <xref linkend="db"/> -->
85 <xref linkend="db"/> is recommended (installed in LFS)
86 or <xref linkend="gdbm"/></para>
87
88 <bridgehead renderas="sect4">Recommended</bridgehead>
89 <para role="recommended"><xref linkend="openssl"/></para>
90
91 <bridgehead renderas="sect4">Optional</bridgehead>
92 <para role="optional"><xref linkend="linux-pam"/>,
93 <xref linkend="openldap"/>,
94 <xref linkend="x-window-system"/>, and
95 <ulink url="http://packages.debian.org/stable/source/libcap">libcap</ulink></para>
96
97 <note>
98 <para>Some sort of time synchronization facility on your system
99 (like <xref linkend="ntp"/>) is required since Kerberos won't
100 authenticate if the time differential between a kerberized client
101 and the KDC server is more than 5 minutes.</para>
102 </note>
103
104 <para condition="html" role="usernotes">User Notes:
105 <ulink url="&blfs-wiki;/heimdal"/></para>
106
107 </sect2>
108
109 <sect2 role="installation">
110 <title>Installation of Heimdal</title>
111
112 <warning>
113 <para>Ensure you really need a Kerberos installation before you decide
114 to install this package. Failure to install and configure the package
115 correctly can alter your system so that users cannot log in.</para>
116 </warning>
117
118 <para>Install <application>Heimdal</application> by running the following
119 commands:</para>
120
121<screen><userinput>patch -Np1 -i ../heimdal-&heimdal-version;-blfs_docs-1.patch &amp;&amp;
122patch -Np1 -i ../heimdal-&heimdal-version;-libss-1.patch &amp;&amp;
123
124./configure --prefix=/usr \
125 --sysconfdir=/etc/heimdal \
126 --libexecdir=/usr/sbin \
127 --localstatedir=/var/lib/heimdal \
128 --datadir=/var/lib/heimdal \
129 --with-hdbdir=/var/lib/heimdal \
130 --with-readline=/usr \
131 --enable-kcm &amp;&amp;
132make</userinput></screen>
133
134 <para>If you have <xref linkend="tetex"/> installed and wish to create
135 alternate forms of the documentation, change into the
136 <filename class='directory'>doc</filename> directory and issue any or all
137 of the following commands:</para>
138
139<screen><userinput>pushd doc &amp;&amp;
140
141make html &amp;&amp;
142
143texi2pdf heimdal.texi &amp;&amp;
144texi2dvi heimdal.texi &amp;&amp;
145dvips -o heimdal.ps heimdal.dvi &amp;&amp;
146makeinfo --plaintext -o heimdal.txt heimdal.texi &amp;&amp;
147
148texi2pdf hx509.texi &amp;&amp;
149texi2dvi hx509.texi &amp;&amp;
150dvips -o hx509.ps hx509.dvi &amp;&amp;
151makeinfo --plaintext -o hx509.txt hx509.texi &amp;&amp;
152
153popd</userinput></screen>
154
155 <para>To test the results, issue: <command>make -k check</command>. The
156 <command>ipropd</command> test is known to fail but all others should
157 pass.</para>
158
159 <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
160
161<!-- <screen role="root"><?dbfo keep-together="auto"?><userinput>mv -v /usr/include/ss/ss.h /usr/include/ss/ss.h.e2fsprogs &amp;&amp;
162mv -v /usr/lib/libss.a /usr/lib/libss.a.e2fsprogs &amp;&amp;
163mv -v /usr/lib/libss.so /usr/lib/libss.so.e2fsprogs &amp;&amp;
164mv -v /usr/bin/mk_cmds /usr/bin/mk_cmds.e2fsprogs &amp;&amp;
165-->
166
167<screen role="root"><userinput>make install &amp;&amp;
168
169install -v -m755 -d /usr/share/doc/heimdal-&heimdal-version; &amp;&amp;
170install -v -m644 doc/{init-creds,layman.asc} \
171 /usr/share/doc/heimdal-&heimdal-version; &amp;&amp;
172
173ln -sfv mech.5 /usr/share/man/man5/qop.5 &amp;&amp;
174ln -sfv ../man5/mech.5 /usr/share/man/cat5/qop.5 &amp;&amp;
175ln -sfv ../man5/mech.5 /usr/share/man/cat5 &amp;&amp;
176
177mv -v /bin/login /bin/login.SHADOW &amp;&amp;
178mv -v /bin/su /bin/su.SHADOW &amp;&amp;
179mv -v /usr/bin/{login,su} /bin &amp;&amp;
180ln -v -sf ../../bin/login /usr/bin &amp;&amp;
181
182for LINK in lib{otp,kafs,krb5,hx509,asn1,roken,crypto}; do
183 mv -v /usr/lib/${LINK}.so.* /lib &amp;&amp;
184 ln -v -sf ../../lib/$(readlink /usr/lib/${LINK}.so) \
185 /usr/lib/${LINK}.so
186done &amp;&amp;
187
188mv -v /usr/lib/$(readlink /usr/lib/libdb.so) \
189 /usr/lib/libdb-?.so \
190 /lib &amp;&amp;
191ln -v -sf ../../lib/$(readlink /usr/lib/libdb.so) \
192 /usr/lib/libdb.so &amp;&amp;
193
194ldconfig</userinput></screen>
195
196<!-- mv -v /usr/include/ss/ss.h /usr/include/ss/ss.h.heimdal &amp;&amp;
197mv -v /usr/include/ss/ss.h.e2fsprogs /usr/include/ss/ss.h &amp;&amp;
198mv -v /usr/lib/libss.a /usr/lib/libss.a.heimdal &amp;&amp;
199mv -v /usr/lib/libss.a.e2fsprogs /usr/lib/libss.a &amp;&amp;
200mv -v /usr/lib/libss.so /usr/lib/libss.so.heimdal &amp;&amp;
201mv -v /usr/lib/libss.so.e2fsprogs /usr/lib/libss.so &amp;&amp;
202mv -v /usr/lib/libss.la /usr/lib/libss.la.heimdal &amp;&amp;
203mv -v /usr/bin/mk_cmds /usr/bin/mk_cmds.heimdal &amp;&amp;
204mv -v /usr/bin/mk_cmds.e2fsprogs /usr/bin/mk_cmds &amp;&amp; -->
205
206 <para>If you built any of the alternate forms of documentation, install it
207 using the following commands as the
208 <systemitem class="username">root</systemitem> user:</para>
209
210<screen role="root"><userinput>install -v -m644 doc/{heimdal,hx509}.{dvi,ps,pdf,html,txt} \
211 /usr/share/doc/heimdal-&heimdal-version;</userinput></screen>
212
213 <para>If you wish to use the <xref linkend="cracklib"/> library to enforce
214 strong passwords in the KDC database, issue the following commands as the
215 <systemitem class="username">root</systemitem> user:</para>
216
217<screen role="root"><userinput>sed -e 's|/usr/pkg|/usr|' \
218 -e 's|/usr/lib/cracklib_dict|/lib/cracklib/pw_dict|' \
219 -e 's|/var/heimdal|/var/lib/heimdal|' \
220 lib/kadm5/check-cracklib.pl \
221 > /bin/krb5-check-cracklib.pl &amp;&amp;
222
223chmod -v 755 /bin/krb5-check-cracklib.pl</userinput></screen>
224
225 </sect2>
226
227 <sect2 role="commands">
228 <title>Command Explanations</title>
229
230 <!-- <para><command>mv -v /usr/include/...</command>,
231 <command>mv -v /usr/lib/libss.* ...</command> and
232 <command>mv -v /usr/bin/mk_cmds ...</command>: The
233 <application>Heimdal</application> installation will overwrite an
234 interface header, static library, library symbolic link and a
235 shell script from the
236 <application>E2fsprogs</application> package. These commands rename the
237 original files before the installation, and then restore them (after
238 renaming the new <application>Heimdal</application> files) after the
239 installation.</para> -->
240
241 <para><parameter>--libexecdir=/usr/sbin</parameter>: This switch causes
242 the daemon programs to be installed into
243 <filename class="directory">/usr/sbin</filename>.</para>
244
245 <tip>
246 <para>If you want to preserve all your existing
247 <application>Inetutils</application> package daemons, install the
248 <application>Heimdal</application> daemons into
249 <filename class="directory">/usr/sbin/heimdal</filename> (or wherever
250 you want). Since these programs will be called from
251 <command>(x)inetd</command> or <filename>rc</filename> scripts, it
252 really doesn't matter where they are installed, as long as they are
253 correctly specified in the <filename>/etc/(x)inetd.conf</filename> file
254 and <filename>rc</filename> scripts. If you choose something other than
255 <filename class="directory">/usr/sbin</filename>, you may want to move
256 some of the user programs (such as <command>kadmin</command>) to
257 <filename class="directory">/usr/sbin</filename> manually so they'll be
258 in the privileged user's default <envar>PATH</envar>.</para>
259 </tip>
260
261 <para><parameter>--localstatedir=/var/lib/heimdal</parameter>,
262 <parameter>--datadir=/var/lib/heimdal</parameter> and
263 <parameter>--with-hdbdir=/var/lib/heimdal</parameter>: These parameters
264 are used so that the KDC database and associated files will all reside
265 in <filename class='directory'>/var/lib/heimdal</filename>.</para>
266
267 <para><parameter>--with-readline=/usr</parameter>: This parameter must be
268 used so that the <command>configure</command> script properly locates the
269 installed <application>Readline</application> package.</para>
270
271 <para><parameter>--enable-kcm</parameter>: This parameter enables building
272 the Kerberos Credentials Manager.</para>
273
274 <para><command>ln -sfv .../mech.5 /usr/share/man/...</command>: These
275 commands are used to fix some broken symbolic links.</para>
276
277 <para><command>mv ... ...SHADOW</command>, <command>mv ... /bin</command>
278 and <command> ln ... /usr/bin</command>: The <command>login</command>
279 and <command>su</command> programs installed by
280 <application>Heimdal</application> belong in the
281 <filename class="directory">/bin</filename> directory. The
282 <command>login</command> program is symlinked because
283 <application>Heimdal</application> is expecting to find it in
284 <filename class="directory">/usr/bin</filename>. The old executables from
285 the <application>Shadow</application> package are preserved before the move
286 so that they can be restored if you experience problems logging into the
287 system after the <application>Heimdal</application> package is installed
288 and configured.</para>
289
290 <para><command>for LINK in ...; do ...; done</command>,
291 <command>mv ... /lib</command> and
292 <command>ln ... /usr/lib/libdb.so</command>: The <command>login</command>
293 and <command>su</command> programs previously moved into the
294 <filename class='directory'>/bin</filename> directory link against
295 <application>Heimdal</application> libraries as well as libraries provided
296 by the <application>OpenSSL</application> and
297 <application>Berkeley DB</application> packages. These
298 libraries are also moved to <filename class="directory">/lib</filename>
299 so they are FHS compliant and also in case
300 <filename class="directory">/usr</filename> is located on a separate
301 partition which may not always be mounted.</para>
302
303 </sect2>
304
305 <sect2 role="configuration">
306 <title>Configuring Heimdal</title>
307
308 <sect3 id="heimdal-config">
309 <title>Config Files</title>
310
311 <para><filename>/etc/heimdal/*</filename></para>
312
313 <indexterm zone="heimdal heimdal-config">
314 <primary sortas="e-etc-heimdal">/etc/heimdal/*</primary>
315 </indexterm>
316
317 </sect3>
318
319 <sect3>
320 <title>Configuration Information</title>
321
322 <note>
323 <para>All the configuration steps shown below must be accomplished
324 by the <systemitem class='username'>root</systemitem> user unless
325 otherwise noted.</para>
326 </note>
327
328 <sect4>
329 <title>Master KDC Server Configuration</title>
330
331 <para>Many of the commands below use
332 <replaceable>&lt;replaceable&gt;</replaceable> tags to identify places
333 where you need to substitute information specific to your network.
334 Ensure you replace everything in these tags (there will be no angle
335 brackets when you are done) with your site-specific information.</para>
336
337 <para>Create the Kerberos configuration file with the following
338 commands:</para>
339
340<screen role="root"><userinput>install -v -m755 -d /etc/heimdal &amp;&amp;
341cat &gt; /etc/heimdal/krb5.conf &lt;&lt; "EOF" &amp;&amp;
342<literal># Begin /etc/heimdal/krb5.conf
343
344[libdefaults]
345 default_realm = <replaceable>&lt;EXAMPLE.COM&gt;</replaceable>
346 encrypt = true
347
348[realms]
349 <replaceable>&lt;EXAMPLE.COM&gt;</replaceable> = {
350 kdc = <replaceable>&lt;hostname.example.com&gt;</replaceable>
351 admin_server = <replaceable>&lt;hostname.example.com&gt;</replaceable>
352 kpasswd_server = <replaceable>&lt;hostname.example.com&gt;</replaceable>
353 }
354
355[domain_realm]
356 .<replaceable>&lt;example.com&gt;</replaceable> = <replaceable>&lt;EXAMPLE.COM&gt;</replaceable>
357
358[logging]
359 kdc = FILE:/var/log/kdc.log
360 admin_server = FILE:/var/log/kadmin.log
361 default = FILE:/var/log/krb.log
362
363# End /etc/heimdal/krb5.conf</literal>
364EOF
365chmod -v 644 /etc/heimdal/krb5.conf</userinput></screen>
366
367 <para>You will need to substitute your domain and proper hostname
368 for the occurrences of the <replaceable>&lt;hostname&gt;</replaceable>
369 and <replaceable>&lt;EXAMPLE.COM&gt;</replaceable> names.</para>
370
371 <para><option>default_realm</option> should be the name of your
372 domain changed to ALL CAPS. This isn't required, but both
373 <application>Heimdal</application> and <application>MIT
374 Kerberos</application> recommend it.</para>
375
376 <para><option>encrypt = true</option> provides encryption of all
377 traffic between kerberized clients and servers. It's not necessary
378 and can be left off. If you leave it off, you can encrypt all traffic
379 from the client to the server using a switch on the client program
380 instead. The <option>[realms]</option> parameters tell the client
381 programs where to look for the KDC authentication services. The
382 <option>[domain_realm]</option> section maps a domain
383 to a realm.</para>
384
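385 <para>Store the master password in a key file using the following
386 commands. The master key protects every principal key in the KDC database, so make sure the key file stays readable by <systemitem class="username">root</systemitem> only:</para>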
387
388<screen role="root"><userinput>install -v -m755 -d /var/lib/heimdal &amp;&amp;
389kstash</userinput></screen>
390
391 <para>Create the KDC database:</para>
392
393<screen role="root"><userinput>kadmin -l</userinput></screen>
394
395 <para>The commands below will prompt you for information about the
396 principals. Choose the defaults for now unless you know what you are
397 doing and need to specify different values. You can go in later and
398 change the defaults, should you feel the need. You may use the up and
399 down arrow keys to use the history feature of <command>kadmin</command>
400 in a similar manner as the <command>bash</command> history
401 feature.</para>
402
403 <para>At the <prompt>kadmin&gt;</prompt> prompt, issue the following
404 statement:</para>
405
406<screen role="root"><userinput>init <replaceable>&lt;EXAMPLE.COM&gt;</replaceable></userinput></screen>
407
408 <para>The database must now be populated with at least one principal
409 (user). For now, just use your regular login name or root. You may
410 create as few, or as many principals as you wish using the following
411 statement:</para>
412
413<screen role="root"><userinput>add <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>
414
415 <para>The KDC server and any machine running kerberized
416 server daemons must have a host key installed:</para>
417
418<screen role="root"><userinput>add --random-key host/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>
419
420 <para>After choosing the defaults when prompted, you will have to
421 export the data to a keytab file:</para>
422
423<screen role="root"><userinput>ext host/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>
424
425 <para>This should have created two files in
426 <filename class="directory">/etc/heimdal</filename>:
427 <filename>krb5.keytab</filename> (Kerberos 5) and
428 <filename>srvtab</filename> (Kerberos 4). Both files should have 600
429 (root rw only) permissions. Keeping the keytab files from public access
430 is crucial to the overall security of the Kerberos installation.</para>
431
432 <para>Eventually, you'll want to add server daemon principals to the
433 database and extract them to the keytab file. You do this in the same
434 way you created the host principals. Below is an example:</para>
435
436<screen role="root"><userinput>add --random-key ftp/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>
437
438 <para>(choose the defaults)</para>
439
440<screen role="root"><userinput>ext ftp/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>
441
442 <para>Exit the <command>kadmin</command> program (use
443 <command>quit</command> or <command>exit</command>) and return back
444 to the shell prompt. Start the KDC daemon manually, just to test out
445 the installation:</para>
446
447<screen role="root"><userinput>/usr/sbin/kdc &amp;</userinput></screen>
448
449 <para>Attempt to get a TGT (ticket granting ticket) with
450 the following command:</para>
451
452<screen><userinput>kinit <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>
453
454 <para>You will be prompted for the password you created. After you get
455 your ticket, you should list it with the following command:</para>
456
457<screen><userinput>klist</userinput></screen>
458
459 <para>Information about the ticket should be displayed on
460 the screen.</para>
461
462 <para>To test the functionality of the <filename>keytab</filename> file,
463 issue the following command:</para>
464
465<screen><userinput>ktutil list</userinput></screen>
466
467 <para>This should dump a list of the host principals, along with the
468 encryption methods used to access the principals.</para>
469
470 <para>At this point, if everything has been successful so far, you
471 can feel fairly confident in the installation, setup and configuration
472 of your new <application>Heimdal</application> Kerberos 5
473 installation.</para>
474
475 <para>If you wish to use the <xref linkend="cracklib"/> library to
476 enforce strong passwords in the KDC database, you must do two things.
477 First, add the following lines to the
478 <filename>/etc/heimdal/krb5.conf</filename> configuration file:</para>
479
480<screen><literal>[password_quality]
481 policies = builtin:external-check
482 external_program = /bin/krb5-check-cracklib.pl</literal></screen>
483
484 <para>Next you must install the
485 <application>Crypt::Cracklib</application>
486 <application>Perl</application> module. Download it from the CPAN
487 site. The URL at the time of this writing is <ulink
488 url="http://cpan.org/authors/id/D/DA/DANIEL/Crypt-Cracklib-1.2.tar.gz"/>.
489 After unpacking the tarball and changing into the newly created
490 directory, issue the following command to add the BLFS
491 <application>Cracklib</application> dictionary location to one of the
492 source files:</para>
493
494<screen><userinput>sed -i 's|pw_dict|&amp;\n\t\t/lib/cracklib/pw_dict|' Cracklib.pm</userinput></screen>
495
496 <para>Then use the standard <command>perl Makefile.PL</command>;
497 <command>make</command>; <command>make test</command>;
498 <command>make install</command> commands. Note that one test fails
499 for an unknown reason.</para>
500
501 <para id="heimdal-init">Install the
502 <filename>/etc/rc.d/init.d/heimdal</filename> init script included
503 in the <xref linkend="bootscripts"/> package:</para>
504
505 <indexterm zone="heimdal heimdal-init">
506 <primary sortas="f-heimdal">heimdal</primary>
507 </indexterm>
508
509<screen role="root"><userinput>make install-heimdal</userinput></screen>
510
511 </sect4>
512
513 <sect4>
514 <title>Using Kerberized Client Programs</title>
515
516 <para>To use the kerberized client programs (<command>telnet</command>,
517 <command>ftp</command>, <command>rsh</command>,
518 <command>rxterm</command>, <command>rxtelnet</command>,
519 <command>rcp</command>, <command>xnlock</command>), you first must get
520 a TGT. Use the <command>kinit</command> program to get the ticket.
521 After you've acquired the ticket, you can use the kerberized programs
522 to connect to any kerberized server on the network. You will not be
523 prompted for authentication until your ticket expires (default is one
524 day), unless you specify a different user as a command line argument
525 to the program.</para>
526
527 <para>The kerberized programs will connect to non-kerberized daemons,
528 warning you that authentication is not encrypted. In that case any password you enter is sent over the network in clear text.</para>
529
530 <para>In order to use the <application>Heimdal</application>
531 <application>X</application> programs, you'll need to add a service
532 port entry to the <filename>/etc/services</filename> file for the
533 <command>kxd</command> server. There is no 'standardized port number'
534 for the 'kx' service in the IANA database, so you'll have to pick an
535 unused port number. Add an entry to the <filename>services</filename>
536 file similar to the entry below (substitute your chosen port number
537 for <replaceable>&lt;49150&gt;</replaceable>):</para>
538
539<screen><literal>kx <replaceable>&lt;49150&gt;</replaceable>/tcp # Heimdal kerberos X
540kx <replaceable>&lt;49150&gt;</replaceable>/udp # Heimdal kerberos X</literal></screen>
541
542 <para>For additional information consult <ulink
543 url="&hints-root;/downloads/files/heimdal.txt">the
544 Heimdal hint</ulink> on which the above instructions are based.</para>
545
546 </sect4>
547
548 </sect3>
549
550 </sect2>
551
552 <sect2 role="content">
553 <title>Contents</title>
554
555 <segmentedlist>
556 <segtitle>Installed Programs</segtitle>
557 <segtitle>Installed Libraries</segtitle>
558 <segtitle>Installed Directories</segtitle>
559
560 <seglistitem>
561 <seg>afslog, ftp, ftpd, gss, hprop, hpropd, hxtool, iprop-log,
562 ipropd-master, ipropd-slave, kadmin, kadmind, kauth, kcm, kdc,
563 kdestroy, kdigest, kf, kfd, kgetcred, kimpersonate, kinit, klist,
564 kpasswd, kpasswdd, krb5-check-cracklib.pl, krb5-config, kstash,
565 ktutil, kx, kxd, login, mk_cmds-krb5, otp, otpprint, pagsh, pfrom,
566 popper, push, rcp, rsh, rshd, rxtelnet, rxterm, string2key, su,
567 telnet, telnetd, tenletxr, verify_krb5_conf and xnlock</seg>
568
569 <seg>hdb_ldap.{so,a}, libasn1.{so,a}, libeditline.{so,a},
570 libgssapi.{so,a}, libhdb.{so,a}, libheimntlm.{so,a}, libhx509.{so,a},
571 libkadm5clnt.{so,a}, libkadm5srv.{so,a}, libkafs.{so,a},
572 libkdc.{so,a}, libkrb5.{so,a}, libotp.{so,a}, libroken.{so,a},
573 libsl.{so,a}, libss-krb5.{so,a} and windc.{so,a}</seg>
574
575 <seg>/etc/heimdal, /usr/include/gssapi, /usr/include/kadm5,
576 /usr/include/krb5, /usr/include/roken, /usr/include/ss,
577 /usr/share/doc/heimdal-&heimdal-version; and /var/lib/heimdal</seg>
578 </seglistitem>
579 </segmentedlist>
580
581 <variablelist>
582 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
583 <?dbfo list-presentation="list"?>
584 <?dbhtml list-presentation="table"?>
585
586 <varlistentry id="afslog">
587 <term><command>afslog</command></term>
588 <listitem>
589 <para>obtains AFS tokens for a number of cells.</para>
590 <indexterm zone="heimdal afslog">
591 <primary sortas="b-afslog">afslog</primary>
592 </indexterm>
593 </listitem>
594 </varlistentry>
595
596 <varlistentry id="ftp">
597 <term><command>ftp</command></term>
598 <listitem>
599 <para>is a kerberized FTP client.</para>
600 <indexterm zone="heimdal ftp">
601 <primary sortas="b-ftp">ftp</primary>
602 </indexterm>
603 </listitem>
604 </varlistentry>
605
606 <varlistentry id="ftpd">
607 <term><command>ftpd</command></term>
608 <listitem>
609 <para>is a kerberized FTP daemon.</para>
610 <indexterm zone="heimdal ftpd">
611 <primary sortas="b-ftpd">ftpd</primary>
612 </indexterm>
613 </listitem>
614 </varlistentry>
615
616 <varlistentry id="hprop">
617 <term><command>hprop</command></term>
618 <listitem>
619 <para> takes a principal database in a specified format and converts
620 it into a stream of <application>Heimdal</application> database
621 records.</para>
622 <indexterm zone="heimdal hprop">
623 <primary sortas="b-hprop">hprop</primary>
624 </indexterm>
625 </listitem>
626 </varlistentry>
627
628 <varlistentry id="hpropd">
629 <term><command>hpropd</command></term>
630 <listitem>
631 <para>is a server that receives a database sent by
632 <command>hprop</command> and writes it as a local database.</para>
633 <indexterm zone="heimdal hpropd">
634 <primary sortas="b-hpropd">hpropd</primary>
635 </indexterm>
636 </listitem>
637 </varlistentry>
638
639 <varlistentry id="iprop-log">
640 <term><command>iprop-log</command></term>
641 <listitem>
642 <para>is used to maintain the iprop log file.</para>
643 <indexterm zone="heimdal iprop-log">
644 <primary sortas="b-iprop-log">iprop-log</primary>
645 </indexterm>
646 </listitem>
647 </varlistentry>
648
649 <varlistentry id="ipropd-master">
650 <term><command>ipropd-master</command></term>
651 <listitem>
652 <para>is a daemon which runs on the master KDC
653 server which incrementally propagates changes to the KDC
654 database to the slave KDC servers.</para>
655 <indexterm zone="heimdal ipropd-master">
656 <primary sortas="b-ipropd-master">ipropd-master</primary>
657 </indexterm>
658 </listitem>
659 </varlistentry>
660
661 <varlistentry id="ipropd-slave">
662 <term><command>ipropd-slave</command></term>
663 <listitem>
664 <para>is a daemon which runs on the slave KDC
665 servers which incrementally propagates changes to the KDC
666 database from the master KDC server.</para>
667 <indexterm zone="heimdal ipropd-slave">
668 <primary sortas="b-ipropd-slave">ipropd-slave</primary>
669 </indexterm>
670 </listitem>
671 </varlistentry>
672
673 <varlistentry id="kadmin">
674 <term><command>kadmin</command></term>
675 <listitem>
676 <para>is a utility used to make modifications to the Kerberos
677 database.</para>
678 <indexterm zone="heimdal kadmin">
679 <primary sortas="b-kadmin">kadmin</primary>
680 </indexterm>
681 </listitem>
682 </varlistentry>
683
684 <varlistentry id="kadmind">
685 <term><command>kadmind</command></term>
686 <listitem>
687 <para>is a server for administrative access to the Kerberos
688 database.</para>
689 <indexterm zone="heimdal kadmind">
690 <primary sortas="b-kadmind">kadmind</primary>
691 </indexterm>
692 </listitem>
693 </varlistentry>
694
695 <varlistentry id="kauth">
696 <term><command>kauth</command></term>
697 <listitem>
698 <para>is a symbolic link to the <command>kinit</command>
699 program.</para>
700 <indexterm zone="heimdal kauth">
701 <primary sortas="g-kauth">kauth</primary>
702 </indexterm>
703 </listitem>
704 </varlistentry>
705
706 <varlistentry id="kcm">
707 <term><command>kcm</command></term>
708 <listitem>
709 <para>is a process based credential cache for Kerberos
710 tickets.</para>
711 <indexterm zone="heimdal kcm">
712 <primary sortas="b-kcm">kcm</primary>
713 </indexterm>
714 </listitem>
715 </varlistentry>
716
717 <varlistentry id="kdc">
718 <term><command>kdc</command></term>
719 <listitem>
720 <para>is a Kerberos 5 server.</para>
721 <indexterm zone="heimdal kdc">
722 <primary sortas="b-kdc">kdc</primary>
723 </indexterm>
724 </listitem>
725 </varlistentry>
726
727 <varlistentry id="kdestroy">
728 <term><command>kdestroy</command></term>
729 <listitem>
730 <para>removes a principal's current set of tickets.</para>
731 <indexterm zone="heimdal kdestroy">
732 <primary sortas="b-kdestroy">kdestroy</primary>
733 </indexterm>
734 </listitem>
735 </varlistentry>
736
737 <varlistentry id="kf">
738 <term><command>kf</command></term>
739 <listitem>
740 <para>is a program which forwards tickets to a remote host through
741 an authenticated and encrypted stream.</para>
742 <indexterm zone="heimdal kf">
743 <primary sortas="b-kf">kf</primary>
744 </indexterm>
745 </listitem>
746 </varlistentry>
747
748 <varlistentry id="kfd">
749 <term><command>kfd</command></term>
750 <listitem>
751 <para>is a server used to receive forwarded tickets.</para>
752 <indexterm zone="heimdal kfd">
753 <primary sortas="b-kfd">kfd</primary>
754 </indexterm>
755 </listitem>
756 </varlistentry>
757
758 <varlistentry id="kgetcred">
759 <term><command>kgetcred</command></term>
760 <listitem>
761 <para>obtains a ticket for a service.</para>
762 <indexterm zone="heimdal kgetcred">
763 <primary sortas="b-kgetcred">kgetcred</primary>
764 </indexterm>
765 </listitem>
766 </varlistentry>
767
768 <varlistentry id="kinit">
769 <term><command>kinit</command></term>
770 <listitem>
771 <para>is used to authenticate to the Kerberos server as a principal
772 and acquire a ticket granting ticket that can later be used to obtain
773 tickets for other services.</para>
774 <indexterm zone="heimdal kinit">
775 <primary sortas="b-kinit">kinit</primary>
776 </indexterm>
777 </listitem>
778 </varlistentry>
779
780 <varlistentry id="klist">
781 <term><command>klist</command></term>
782 <listitem>
783 <para>reads and displays the current tickets in the credential
784 cache.</para>
785 <indexterm zone="heimdal klist">
786 <primary sortas="b-klist">klist</primary>
787 </indexterm>
788 </listitem>
789 </varlistentry>
790
791 <varlistentry id="kpasswd">
792 <term><command>kpasswd</command></term>
793 <listitem>
794 <para>is a program for changing Kerberos 5 passwords.</para>
795 <indexterm zone="heimdal kpasswd">
796 <primary sortas="b-kpasswd">kpasswd</primary>
797 </indexterm>
798 </listitem>
799 </varlistentry>
800
801 <varlistentry id="kpasswdd">
802 <term><command>kpasswdd</command></term>
803 <listitem>
804 <para>is a Kerberos 5 password changing server.</para>
805 <indexterm zone="heimdal kpasswdd">
806 <primary sortas="b-kpasswdd">kpasswdd</primary>
807 </indexterm>
808 </listitem>
809 </varlistentry>
810
811 <varlistentry id="krb5-config-prog">
812 <term><command>krb5-config</command></term>
813 <listitem>
814 <para>gives information on how to link programs against
815 <application>Heimdal</application> libraries.</para>
816 <indexterm zone="heimdal krb5-config-prog">
817 <primary sortas="b-krb5-config">krb5-config</primary>
818 </indexterm>
819 </listitem>
820 </varlistentry>
821
822 <varlistentry id="kstash">
823 <term><command>kstash</command></term>
824 <listitem>
825 <para>stores the KDC master password in a file; that file should be readable only by the user the KDC runs as.</para>
826 <indexterm zone="heimdal kstash">
827 <primary sortas="b-kstash">kstash</primary>
828 </indexterm>
829 </listitem>
830 </varlistentry>
831
832 <varlistentry id="ktutil">
833 <term><command>ktutil</command></term>
834 <listitem>
835 <para>is a program for managing Kerberos keytabs.</para>
836 <indexterm zone="heimdal ktutil">
837 <primary sortas="b-ktutil">ktutil</primary>
838 </indexterm>
839 </listitem>
840 </varlistentry>
841
842 <varlistentry id="kx">
843 <term><command>kx</command></term>
844 <listitem>
845 <para>is a program which securely forwards
846 <application>X</application> connections.</para>
847 <indexterm zone="heimdal kx">
848 <primary sortas="b-kx">kx</primary>
849 </indexterm>
850 </listitem>
851 </varlistentry>
852
853 <varlistentry id="kxd">
854 <term><command>kxd</command></term>
855 <listitem>
856 <para>is the daemon for <command>kx</command>.</para>
857 <indexterm zone="heimdal kxd">
858 <primary sortas="b-kxd">kxd</primary>
859 </indexterm>
860 </listitem>
861 </varlistentry>
862
863 <varlistentry id="login">
864 <term><command>login</command></term>
865 <listitem>
866 <para>is a kerberized login program.</para>
867 <indexterm zone="heimdal login">
868 <primary sortas="b-login">login</primary>
869 </indexterm>
870 </listitem>
871 </varlistentry>
872
873 <varlistentry id="otp">
874 <term><command>otp</command></term>
875 <listitem>
876 <para>manages one-time passwords.</para>
877 <indexterm zone="heimdal otp">
878 <primary sortas="b-otp">otp</primary>
879 </indexterm>
880 </listitem>
881 </varlistentry>
882
883 <varlistentry id="otpprint">
884 <term><command>otpprint</command></term>
885 <listitem>
886 <para>prints lists of one-time passwords.</para>
887 <indexterm zone="heimdal otpprint">
888 <primary sortas="b-otpprint">otpprint</primary>
889 </indexterm>
890 </listitem>
891 </varlistentry>
892
893 <varlistentry id="pfrom">
894 <term><command>pfrom</command></term>
895 <listitem>
896 <para>is a script that runs <command>push --from</command>.</para>
897 <indexterm zone="heimdal pfrom">
898 <primary sortas="b-pfrom">pfrom</primary>
899 </indexterm>
900 </listitem>
901 </varlistentry>
902
903 <varlistentry id="popper">
904 <term><command>popper</command></term>
905 <listitem>
906 <para>is a kerberized POP-3 server.</para>
907 <indexterm zone="heimdal popper">
908 <primary sortas="b-popper">popper</primary>
909 </indexterm>
910 </listitem>
911 </varlistentry>
912
913 <varlistentry id="push">
914 <term><command>push</command></term>
915 <listitem>
916 <para>is a kerberized POP mail retrieval client.</para>
917 <indexterm zone="heimdal push">
918 <primary sortas="b-push">push</primary>
919 </indexterm>
920 </listitem>
921 </varlistentry>
922
923 <varlistentry id="rcp">
924 <term><command>rcp</command></term>
925 <listitem>
926 <para>is a kerberized rcp client program.</para>
927 <indexterm zone="heimdal rcp">
928 <primary sortas="b-rcp">rcp</primary>
929 </indexterm>
930 </listitem>
931 </varlistentry>
932
933 <varlistentry id="rsh">
934 <term><command>rsh</command></term>
935 <listitem>
936 <para>is a kerberized rsh client program.</para>
937 <indexterm zone="heimdal rsh">
938 <primary sortas="b-rsh">rsh</primary>
939 </indexterm>
940 </listitem>
941 </varlistentry>
942
943 <varlistentry id="rshd">
944 <term><command>rshd</command></term>
945 <listitem>
946 <para>is a kerberized rsh server.</para>
947 <indexterm zone="heimdal rshd">
948 <primary sortas="b-rshd">rshd</primary>
949 </indexterm>
950 </listitem>
951 </varlistentry>
952
953 <varlistentry id="rxtelnet">
954 <term><command>rxtelnet</command></term>
955 <listitem>
956 <para>starts a secure <command>xterm</command> window with a
957 <command>telnet</command> to a given host and forwards
958 <application>X</application> connections.</para>
959 <indexterm zone="heimdal rxtelnet">
960 <primary sortas="b-rxtelnet">rxtelnet</primary>
961 </indexterm>
962 </listitem>
963 </varlistentry>
964
965 <varlistentry id="rxterm">
966 <term><command>rxterm</command></term>
967 <listitem>
968 <para>starts a secure remote <command>xterm</command>.</para>
969 <indexterm zone="heimdal rxterm">
970 <primary sortas="b-rxterm">rxterm</primary>
971 </indexterm>
972 </listitem>
973 </varlistentry>
974
975 <varlistentry id="string2key">
976 <term><command>string2key</command></term>
977 <listitem>
978 <para>maps a password into a key.</para>
979 <indexterm zone="heimdal string2key">
980 <primary sortas="b-string2key">string2key</primary>
981 </indexterm>
982 </listitem>
983 </varlistentry>
984
985 <varlistentry id="su">
986 <term><command>su</command></term>
987 <listitem>
988 <para>is a kerberized su client program.</para>
989 <indexterm zone="heimdal su">
990 <primary sortas="b-su">su</primary>
991 </indexterm>
992 </listitem>
993 </varlistentry>
994
995 <varlistentry id="telnet">
996 <term><command>telnet</command></term>
997 <listitem>
998 <para>is a kerberized telnet client program.</para>
999 <indexterm zone="heimdal telnet">
1000 <primary sortas="b-telnet">telnet</primary>
1001 </indexterm>
1002 </listitem>
1003 </varlistentry>
1004
1005 <varlistentry id="telnetd">
1006 <term><command>telnetd</command></term>
1007 <listitem>
1008 <para>is a kerberized telnet server.</para>
1009 <indexterm zone="heimdal telnetd">
1010 <primary sortas="b-telnetd">telnetd</primary>
1011 </indexterm>
1012 </listitem>
1013 </varlistentry>
1014
1015 <varlistentry id="tenletxr">
1016 <term><command>tenletxr</command></term>
1017 <listitem>
1018 <para>forwards <application>X</application> connections
1019 backwards.</para>
1020 <indexterm zone="heimdal tenletxr">
1021 <primary sortas="b-tenletxr">tenletxr</primary>
1022 </indexterm>
1023 </listitem>
1024 </varlistentry>
1025
1026 <varlistentry id="verify_krb5_conf">
1027 <term><command>verify_krb5_conf</command></term>
1028 <listitem>
1029 <para>checks the <filename>krb5.conf</filename> file for obvious
1030 errors.</para>
1031 <indexterm zone="heimdal verify_krb5_conf">
1032 <primary sortas="b-verify_krb5_conf">verify_krb5_conf</primary>
1033 </indexterm>
1034 </listitem>
1035 </varlistentry>
1036
1037 <varlistentry id="xnlock">
1038 <term><command>xnlock</command></term>
1039 <listitem>
1040 <para>is a program that acts as a secure screen saver for
1041 workstations running <application>X</application>.</para>
1042 <indexterm zone="heimdal xnlock">
1043 <primary sortas="b-xnlock">xnlock</primary>
1044 </indexterm>
1045 </listitem>
1046 </varlistentry>
1047
1048 <varlistentry id="libasn1">
1049 <term><filename class='libraryfile'>libasn1.{so,a}</filename></term>
1050 <listitem>
1051 <para>provides the ASN.1 and DER functions to encode and decode
1052 the Kerberos TGTs.</para>
1053 <indexterm zone="heimdal libasn1">
1054 <primary sortas="c-libasn1">libasn1.{so,a}</primary>
1055 </indexterm>
1056 </listitem>
1057 </varlistentry>
1058
1059 <varlistentry id="libeditline">
1060 <term><filename class='libraryfile'>libeditline.a</filename></term>
1061 <listitem>
1062 <para>is a command-line editing library with history.</para>
1063 <indexterm zone="heimdal libeditline">
1064 <primary sortas="c-libeditline">libeditline.a</primary>
1065 </indexterm>
1066 </listitem>
1067 </varlistentry>
1068
1069 <varlistentry id="libgssapi">
1070 <term><filename class='libraryfile'>libgssapi.{so,a}</filename></term>
1071 <listitem>
1072 <para>contains the Generic Security Service Application Programming
1073 Interface (GSSAPI) functions, which provide security
1074 services to callers in a generic fashion, supportable with a range of
1075 underlying mechanisms and technologies and hence allowing source-level
1076 portability of applications to different environments.</para>
1077 <indexterm zone="heimdal libgssapi">
1078 <primary sortas="c-libgssapi">libgssapi.{so,a}</primary>
1079 </indexterm>
1080 </listitem>
1081 </varlistentry>
1082
1083 <varlistentry id="libhdb">
1084 <term><filename class='libraryfile'>libhdb.{so,a}</filename></term>
1085 <listitem>
1086 <para>is a <application>Heimdal</application> Kerberos 5
1087 authentication/authorization database access library.</para>
1088 <indexterm zone="heimdal libhdb">
1089 <primary sortas="c-libhdb">libhdb.{so,a}</primary>
1090 </indexterm>
1091 </listitem>
1092 </varlistentry>
1093
1094 <varlistentry id="libkadm5clnt">
1095 <term><filename class='libraryfile'>libkadm5clnt.{so,a}</filename></term>
1096 <listitem>
1097 <para>contains the administrative authentication and password
1098 checking functions required by Kerberos 5 client-side programs.</para>
1099 <indexterm zone="heimdal libkadm5clnt">
1100 <primary sortas="c-libkadm5clnt">libkadm5clnt.{so,a}</primary>
1101 </indexterm>
1102 </listitem>
1103 </varlistentry>
1104
1105 <varlistentry id="libkadm5srv">
1106 <term><filename class='libraryfile'>libkadm5srv.{so,a}</filename></term>
1107 <listitem>
1108 <para>contains the administrative authentication and password
1109 checking functions required by Kerberos 5 servers.</para>
1110 <indexterm zone="heimdal libkadm5srv">
1111 <primary sortas="c-libkadm5srv">libkadm5srv.{so,a}</primary>
1112 </indexterm>
1113 </listitem>
1114 </varlistentry>
1115
1116 <varlistentry id="libkafs">
1117 <term><filename class='libraryfile'>libkafs.{so,a}</filename></term>
1118 <listitem>
1119 <para>contains the functions required to authenticate to AFS.</para>
1120 <indexterm zone="heimdal libkafs">
1121 <primary sortas="c-libkafs">libkafs.{so,a}</primary>
1122 </indexterm>
1123 </listitem>
1124 </varlistentry>
1125
1126 <varlistentry id="libkrb5">
1127 <term><filename class='libraryfile'>libkrb5.{so,a}</filename></term>
1128 <listitem>
1129 <para>is an all-purpose Kerberos 5 library.</para>
1130 <indexterm zone="heimdal libkrb5">
1131 <primary sortas="c-libkrb5">libkrb5.{so,a}</primary>
1132 </indexterm>
1133 </listitem>
1134 </varlistentry>
1135
1136 <varlistentry id="libotp">
1137 <term><filename class='libraryfile'>libotp.{so,a}</filename></term>
1138 <listitem>
1139 <para>contains the functions required to handle authenticating
1140 one-time passwords.</para>
1141 <indexterm zone="heimdal libotp">
1142 <primary sortas="c-libotp">libotp.{so,a}</primary>
1143 </indexterm>
1144 </listitem>
1145 </varlistentry>
1146
1147 <varlistentry id="libroken">
1148 <term><filename class='libraryfile'>libroken.{so,a}</filename></term>
1149 <listitem>
1150 <para>is a library containing Kerberos 5 compatibility
1151 functions.</para>
1152 <indexterm zone="heimdal libroken">
1153 <primary sortas="c-libroken">libroken.{so,a}</primary>
1154 </indexterm>
1155 </listitem>
1156 </varlistentry>
1157
1158 </variablelist>
1159
1160 </sect2>
1161
1162</sect1>