source: postlfs/security/heimdal.xml@ 852cd813

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY heimdal-download-http "http://ftp.vc-graz.ac.at/mirror/crypto/kerberos/heimdal/heimdal-&heimdal-version;.tar.gz">
  <!ENTITY heimdal-download-ftp  "ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-&heimdal-version;.tar.gz">
  <!ENTITY heimdal-size          "3.3 MB">
  <!ENTITY heimdal-buildsize     "70 MB">
  <!ENTITY heimdal-time          "2.18 SBU">
]>

<sect1 id="heimdal" xreflabel="Heimdal-&heimdal-version;">
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<?dbhtml filename="heimdal.html"?>
<title>Heimdal-&heimdal-version;</title>
<indexterm zone="heimdal">
<primary sortas="a-Heimdal">Heimdal</primary>
</indexterm>

<sect2>
<title>Introduction to <application>Heimdal</application></title>

<para><application>Heimdal</application> is a free implementation of Kerberos
5, that aims to be compatible with <acronym>MIT</acronym> krb5 and is backwards
compatible with krb4. Kerberos is a network authentication protocol. Basically
it preserves the integrity of passwords in any untrusted network (like the
Internet). Kerberized applications work hand-in-hand with sites that support
Kerberos to ensure that passwords cannot be stolen. A Kerberos installation
will make changes to the authentication mechanisms on your network and will
overwrite several programs and daemons from the 
<application>Coreutils</application>, <application>Inetutils</application>, 
<application>Qpopper</application> and <application>Shadow</application> 
packages.</para>

<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): 
<ulink url="&heimdal-download-http;"/></para></listitem>
<listitem><para>Download (FTP): 
<ulink url="&heimdal-download-ftp;"/></para></listitem>
<listitem><para>Download size: &heimdal-size;</para></listitem>
<listitem><para>Estimated disk space required: 
&heimdal-buildsize;</para></listitem>
<listitem><para>Estimated build time: 
&heimdal-time;</para></listitem></itemizedlist>
</sect3>

<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Required Patch: <ulink
url="&patch-root;/heimdal-&heimdal-version;-fhs_compliance-1.patch"/></para>
</listitem>
<listitem><para>Required patch for cracklib: <ulink
url="&patch-root;/heimdal-&heimdal-version;-cracklib-1.patch"/></para>
</listitem>
</itemizedlist>

</sect3>

<sect3><title><application>Heimdal</application> dependencies</title>
<sect4><title>Required</title>
<para><xref linkend="openssl"/> and 
<xref linkend="db"/></para>
</sect4>

<sect4><title>Optional</title>
<para><xref linkend="Linux_PAM"/>, 
<xref linkend="openldap"/>, 
X (<xref linkend="xorg"/> or <xref linkend="xfree86"/>), 
<xref linkend="cracklib"/> and 
<ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink></para>

<note><para>Some sort of time synchronization facility on your system (like 
<xref linkend="ntp"/>) is required since Kerberos won't authenticate if the 
time differential between a kerberized client and the 
<acronym>KDC</acronym> server is more than 5 minutes.</para></note> 
</sect4>

</sect3>

</sect2>

<sect2>
<title>Installation of <application>Heimdal</application></title>

<para>Before installing the package, you may want to preserve the
<command>ftp</command> program from the <application>Inetutils</application> 
package. This is because using the <application>Heimdal</application> 
<command>ftp</command> program to connect to non-kerberized ftp servers may 
not work properly. It will allow you to connect (letting you know that 
transmission of the password is clear text) but will have problems doing puts 
and gets. Issue the following command as the root user.</para>

<screen><userinput role='root'><command>mv /usr/bin/ftp /usr/bin/ftpn</command></userinput></screen>

<para>If you wish the <application>Heimdal</application> package to link 
against the <application>cracklib</application> library, you must apply a 
patch:</para>

<screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-cracklib-1.patch</command></userinput></screen>

<para>Install <application>Heimdal</application> by running the following 
commands:</para>

<screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-fhs_compliance-1.patch &amp;&amp;
./configure --prefix=/usr --sysconfdir=/etc/heimdal \
    --datadir=/var/lib/heimdal --localstatedir=/var/lib/heimdal \
    --libexecdir=/usr/sbin --enable-shared \
    --with-openssl=/usr --with-readline=/usr &amp;&amp;
make</command></userinput></screen>

<para>Now, as the root user:</para>

<screen><userinput role='root'><command>make install &amp;&amp;
mv /bin/login /bin/login.shadow &amp;&amp;
mv /bin/su /bin/su.shadow &amp;&amp;
mv /usr/bin/{login,su} /bin &amp;&amp;
ln -sf ../../bin/login /usr/bin &amp;&amp;
mv /usr/lib/lib{otp.so.0*,kafs.so.0*,krb5.so.17*,asn1.so.6*} \
   /usr/lib/lib{roken.so.16*,crypto.so.0*,db-4.3.so} /lib &amp;&amp;
ln -sf ../../lib/lib{otp.so.0{,.1.4},kafs.so.0{,.4.0},db-4.3.so} \
    /usr/lib &amp;&amp;
ln -sf ../../lib/lib{krb5.so.17{,.3.0},asn1.so.6{,.0.2}} \
    /usr/lib &amp;&amp;
ln -sf ../../lib/lib{roken.so.16{,.0.3},crypto.so.0{,.9.7}} \
    /usr/lib &amp;&amp;
ldconfig</command></userinput></screen>

</sect2>

<sect2>
<title>Command explanations</title>

<para><parameter>--libexecdir=/usr/sbin</parameter>: This switch puts the 
daemon programs into <filename class="directory">/usr/sbin</filename>.
</para>

<note><para>
If you want to preserve all your existing <application>Inetutils</application> 
package daemons, install the <application>Heimdal</application> daemons into 
<filename class="directory">/usr/sbin/heimdal</filename> (or wherever you 
want). Since these programs will be called from <command>(x)inetd</command> or 
<filename>rc</filename> scripts, it really doesn't matter where they are 
installed, as long as they are correctly specified in the 
<filename>/etc/(x)inetd.conf</filename> file and <filename>rc</filename> 
scripts. If you choose something other than 
<filename class="directory">/usr/sbin</filename>, you may want to move some of 
the user programs (such as <command>kadmin</command>) to 
<filename class="directory">/usr/sbin</filename> manually so they'll be in the 
privileged user's default path.</para></note>

<para><command>mv ... .shadow; mv ... /bin; ln -sf ../../bin...</command>: The 
<command>login</command> and <command>su</command> programs installed by 
<application>Heimdal</application> belong in the 
<filename class="directory">/bin</filename> directory. The 
<command>login</command> program is symlinked because 
<application>Heimdal</application> is expecting to find it in 
<filename class="directory">/usr/bin</filename>. The old executables are 
preserved before the move to keep things sane should breaks occur.</para>

<para><command>mv ... /lib; ln -sf ../../lib/lib... /usr/lib</command>: The 
<command>login</command> and <command>su</command> programs installed by 
<application>Heimdal</application> link against 
<application>Heimdal</application> libraries as well as libraries provided by 
the <application>Open<acronym>SSL</acronym></application> and 
<application>Berkeley <acronym>DB</acronym></application> packages. These 
libraries are moved to <filename class="directory">/lib</filename> to be 
<acronym>FHS</acronym> compliant and also in case 
<filename class="directory">/usr</filename> is located on a separate partition 
which may not always be mounted.</para>

</sect2>

<sect2>
<title>Configuring <application>Heimdal</application></title>

<sect3 id="heimdal-config"><title>Config files</title>
<para><filename>/etc/heimdal/*</filename></para>
<indexterm zone="heimdal heimdal-config">
<primary sortas="e-etc-heimdal">/etc/heimdal/*</primary>
</indexterm>
</sect3>

<sect3><title>Configuration Information</title>

<sect4><title>Master <acronym>KDC</acronym> Server Configuration</title>

<para>Create the Kerberos configuration file with the following 
commands:</para>

<screen><userinput role='root'><command>install -d /etc/heimdal &amp;&amp;
cat &gt; /etc/heimdal/krb5.conf &lt;&lt; "EOF"</command>
# Begin /etc/heimdal/krb5.conf

[libdefaults]
    default_realm = <replaceable>[EXAMPLE.COM]</replaceable>
    encrypt = true

[realms]
    <replaceable>[EXAMPLE.COM]</replaceable> = {
        kdc = <replaceable>[hostname.example.com]</replaceable>
        admin_server = <replaceable>[hostname.example.com]</replaceable>
        kpasswd_server = <replaceable>[hostname.example.com]</replaceable>
    }

[domain_realm]
    .<replaceable>[example.com]</replaceable> = <replaceable>[EXAMPLE.COM]</replaceable>

[logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb.log

# End /etc/heimdal/krb5.conf
<command>EOF</command></userinput></screen>

<para>You will need to substitute your domain and proper hostname for the 
occurrences of the <replaceable>[hostname]</replaceable> and 
<replaceable>[EXAMPLE.COM]</replaceable> names.</para>

<para><userinput>default_realm</userinput> should be the name of your domain 
changed to ALL CAPS. This isn't required, but both 
<application>Heimdal</application> and <application><acronym>MIT</acronym> 
krb5</application> recommend it.</para>

<para><userinput>encrypt = true</userinput> provides encryption of all traffic 
between kerberized clients and servers. It's not necessary and can be left 
off. If you leave it off, you can encrypt all traffic from the client to the 
server using a switch on the client program instead.</para>

<para>The <userinput>[realms]</userinput> parameters tell the client programs 
where to look for the <acronym>KDC</acronym> authentication services.</para>

<para>The <userinput>[domain_realm]</userinput> section maps a domain to a 
realm.</para>

<para>Store the master password in a key file using the following 
commands:</para>

<screen><userinput role='root'><command>install -d -m 755 /var/lib/heimdal &amp;&amp;
kstash</command></userinput></screen>

<para>Create the <acronym>KDC</acronym> database:</para>

<screen><userinput role='root'><command>kadmin -l</command></userinput></screen>

<para>Choose the defaults for now. You can go in later and change the 
defaults, should you feel the need. At the 
<userinput>kadmin&gt;</userinput> prompt, issue the following statement:</para>

<screen><userinput role='root'><command>init <replaceable>[EXAMPLE.COM]</replaceable></command></userinput></screen>

<para>The database must now be populated with at least one principle (user). 
For now, just use your regular login name or root. You may create as few, or 
as many principles as you wish using the following statement:</para>

<screen><userinput role='root'><command>add <replaceable>[loginname]</replaceable></command></userinput></screen>

<para>The <acronym>KDC</acronym> server and any machine running kerberized
server daemons must have a host key installed:</para>

<screen><userinput role='root'><command>add --random-key host/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>

<para>After choosing the defaults when prompted, you will have to export the 
data to a keytab file:</para>

<screen><userinput role='root'><command>ext host/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>

<para>This should have created two files in 
<filename class="directory">/etc/heimdal</filename>: 
<filename>krb5.keytab</filename> (Kerberos 5) and 
<filename>srvtab</filename> (Kerberos 4). Both files should have 600 
(root rw only) permissions. Keeping the keytab files from public access 
is crucial to the overall security of the Kerberos installation.</para>

<para>Eventually, you'll want to add server daemon principles to the database 
and extract them to the keytab file. You do this in the same way you created 
the host principles. Below is an example:</para>

<screen><userinput role='root'><command>add --random-key ftp/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>

<para>(choose the defaults)</para>

<screen><userinput role='root'><command>ext ftp/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>

<para>Exit the <command>kadmin</command> program (use <command>quit</command> 
or <command>exit</command>) and return back to the shell prompt. Start 
the <acronym>KDC</acronym> daemon manually, just to test out the 
installation:</para>

<screen><userinput role='root'><command>/usr/sbin/kdc &amp;</command></userinput></screen>

<para>Attempt to get a <acronym>TGT</acronym> (ticket granting ticket) with 
the following command:</para>

<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>

<para>You will be prompted for the password you created. After you get your 
ticket, you should list it with the following command:</para>

<screen><userinput><command>klist</command></userinput></screen>

<para>Information about the ticket should be displayed on the screen.</para>

<para>To test the functionality of the keytab file, issue the following 
command:</para>

<screen><userinput><command>ktutil list</command></userinput></screen>

<para>This should dump a list of the host principals, along with the encryption 
methods used to access the principals.</para>

<para>At this point, if everything has been successful so far, you can feel 
fairly confident in the installation and configuration of the package.</para>

<para id="heimdal-init">Install the 
<filename>/etc/rc.d/init.d/heimdal</filename> init script included in the 
<xref linkend="intro-important-bootscripts"/> package:</para>
<indexterm zone="heimdal heimdal-init">
<primary sortas="f-heimdal">heimdal</primary>
</indexterm>

<screen><userinput role='root'><command>make install-heimdal</command></userinput></screen>
</sect4>

<sect4><title>Using Kerberized Client Programs</title>

<para>To use the kerberized client programs (<command>telnet</command>, 
<command>ftp</command>, <command>rsh</command>, 
<command>rxterm</command>, <command>rxtelnet</command>, 
<command>rcp</command>, <command>xnlock</command>), you first must get 
a <acronym>TGT</acronym>. Use the <command>kinit</command> program to 
get the ticket. After you've acquired the ticket, you can use the 
kerberized programs to connect to any kerberized server on the network. 
You will not be prompted for authentication until your ticket expires 
(default is one day), unless you specify a different user as a command 
line argument to the program.</para>

<para>The kerberized programs will connect to non-kerberized daemons, warning 
you that authentication is not encrypted. As mentioned earlier, only the 
<command>ftp</command> program gives any trouble connecting to 
non-kerberized daemons.</para>

<para>In order to use the <application>Heimdal</application> 
<application>X</application> programs, you'll need to add a service port 
entry to the <filename>/etc/services</filename> file for the 
<command>kxd</command> server. There is no 'standardized port number' for 
the 'kx' service in the <acronym>IANA</acronym> database, so you'll have to 
pick an unused port number. Add an entry to the <filename>services</filename> 
file similar to the entry below (substitute your chosen port number for 
<replaceable>[49150]</replaceable>):</para>

<screen><userinput role='root'>kx              <replaceable>[49150]</replaceable>/tcp   # Heimdal kerberos X
kx              <replaceable>[49150]</replaceable>/udp   # Heimdal kerberos X</userinput></screen>

<para>For additional information consult <ulink 
url="http://www.linuxfromscratch.org/hints/downloads/files/heimdal.txt">the 
Heimdal hint</ulink> on which the above instructions are based.</para>
</sect4>
</sect3>

</sect2>

<sect2>
<title>Contents</title>

<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>

<seglistitem>
<seg>afslog, dump_log, ftp, ftpd, hprop, hpropd, ipropd-master, ipropd-slave, 
kadmin, kadmind, kauth, kdc, kdestroy, kf, kfd, kgetcred, kinit, klist, 
kpasswd, kpasswdd, krb5-config, kstash, ktutil, kx, kxd, login, mk_cmds, otp, 
otpprint, pagsh, pfrom, popper, push, rcp, replay_log, rsh, rshd, rxtelnet, 
rxterm, string2key, su, telnet, telnetd, tenletxr, truncate-log, 
verify_krb5_conf and xnlock</seg>
<seg>libasn1.[so,a], libeditline.a, libgssapi.[so,a], libhdb.[so,a], 
libkadm5clnt.[so,a], libkadm5srv.[so,a], libkafs.[so,a], libkrb5.[so,a], 
libotp.[so,a], libroken.[so,a], libsl.[so,a] and libss.[so,a]</seg>
<seg>/etc/heimdal, /usr/include/kadm5, /usr/include/ss and 
/var/lib/heimdal</seg>
</seglistitem>
</segmentedlist>

<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>

<varlistentry id="afslog">
<term><command>afslog</command></term>
<listitem><para>obtains <acronym>AFS</acronym> tokens for a number of 
cells.</para>
<indexterm zone="heimdal afslog">
<primary sortas="b-afslog">afslog</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="ftp">
<term><command>ftp</command></term>
<listitem><para>is a kerberized <acronym>FTP</acronym> client.</para>
<indexterm zone="heimdal ftp">
<primary sortas="b-ftp">ftp</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="ftpd">
<term><command>ftpd</command></term>
<listitem><para>is a kerberized <acronym>FTP</acronym> daemon.</para>
<indexterm zone="heimdal ftpd">
<primary sortas="b-ftpd">ftpd</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="hprop">
<term><command>hprop</command></term>
<listitem><para> takes a principal database in a specified format and converts 
it into a stream of <application>Heimdal</application> database records.</para>
<indexterm zone="heimdal hprop">
<primary sortas="b-hprop">hprop</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="hpropd">
<term><command>hpropd</command></term>
<listitem><para>is a server that receives a database sent by 
<command>hprop</command> and writes it as a local database.</para>
<indexterm zone="heimdal hpropd">
<primary sortas="b-hpropd">hpropd</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="ipropd-master">
<term><command>ipropd-master</command></term>
<listitem><para>is a daemon which runs on the master <acronym>KDC</acronym> 
server which incrementally propogates changes to the <acronym>KDC</acronym> 
database to the slave <acronym>KDC</acronym> servers.</para>
<indexterm zone="heimdal ipropd-master">
<primary sortas="b-ipropd-master">ipropd-master</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="ipropd-slave">
<term><command>ipropd-slave</command></term>
<listitem><para>is a daemon which runs on the slave <acronym>KDC</acronym> 
servers which incrementally propogates changes to the <acronym>KDC</acronym> 
database from the master <acronym>KDC</acronym> server.</para>
<indexterm zone="heimdal ipropd-slave">
<primary sortas="b-ipropd-slave">ipropd-slave</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="kadmin">
<term><command>kadmin</command></term>
<listitem><para>is a utility used to make modifications to the Kerberos 
database.</para>
<indexterm zone="heimdal kadmin">
<primary sortas="b-kadmin">kadmin</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="kadmind">
<term><command>kadmind</command></term>
<listitem><para>is a server for administrative access to the Kerberos 
database.</para>
<indexterm zone="heimdal kadmind">
<primary sortas="b-kadmind">kadmind</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="kauth">
<term><command>kauth</command></term>
<listitem><para>is a symbolic link to the <command>kinit</command> 
program.</para>
<indexterm zone="heimdal kauth">
<primary sortas="g-kauth">kauth</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="kdc">
<term><command>kdc</command></term>
<listitem><para>is a Kerberos 5 server.</para>
<indexterm zone="heimdal kdc">
<primary sortas="b-kdc">kdc</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="kdestroy">
<term><command>kdestroy</command></term>
<listitem><para>removes a principle's current set of tickets.</para>
<indexterm zone="heimdal kdestroy">
<primary sortas="b-kdestroy">kdestroy</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="kf">
<term><command>kf</command></term>
<listitem><para>is a program which forwards tickets to a remote host through 
an authenticated and encrypted stream.</para>
<indexterm zone="heimdal kf">
<primary sortas="b-kf">kf</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="kfd">
<term><command>kfd</command></term>
<listitem><para>is a server used to receive forwarded tickets.</para>
<indexterm zone="heimdal kfd">
<primary sortas="b-kfd">kfd</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="kgetcred">
<term><command>kgetcred</command></term>
<listitem><para>obtains a ticket for a service.</para>
<indexterm zone="heimdal kgetcred">
<primary sortas="b-kgetcred">kgetcred</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="kinit">
<term><command>kinit</command></term>
<listitem><para>is used to authenticate to the Kerberos server as a principal 
and acquire a ticket granting ticket that can later be used to obtain tickets 
for other services.</para>
<indexterm zone="heimdal kinit">
<primary sortas="b-kinit">kinit</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="klist">
<term><command>klist</command></term>
<listitem><para>reads and displays the current tickets in the credential 
cache.</para>
<indexterm zone="heimdal klist">
<primary sortas="b-klist">klist</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="kpasswd">
<term><command>kpasswd</command></term>
<listitem><para>is a program for changing Kerberos 5 passwords.</para>
<indexterm zone="heimdal kpasswd">
<primary sortas="b-kpasswd">kpasswd</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="kpasswdd">
<term><command>kpasswdd</command></term>
<listitem><para>is a Kerberos 5 password changing server.</para>
<indexterm zone="heimdal kpasswdd">
<primary sortas="b-kpasswdd">kpasswdd</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="krb5-config-prog">
<term><command>krb5-config</command></term>
<listitem><para>gives information on how to link programs against 
<application>Heimdal</application> libraries.</para>
<indexterm zone="heimdal krb5-config-prog">
<primary sortas="b-krb5-config">krb5-config</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="kstash">
<term><command>kstash</command></term>
<listitem><para>stores the <acronym>KDC</acronym> master password in a 
file.</para>
<indexterm zone="heimdal kstash">
<primary sortas="b-kstash">kstash</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="ktutil">
<term><command>ktutil</command></term>
<listitem><para>is a program for managing Kerberos keytabs.</para>
<indexterm zone="heimdal ktutil">
<primary sortas="b-ktutil">ktutil</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="kx">
<term><command>kx</command></term>
<listitem><para>is a program which securely forwards 
<application>X</application> connections.</para>
<indexterm zone="heimdal kx">
<primary sortas="b-kx">kx</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="kxd">
<term><command>kxd</command></term>
<listitem><para>is the daemon for <command>kx</command>.</para>
<indexterm zone="heimdal kxd">
<primary sortas="b-kxd">kxd</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="login">
<term><command>login</command></term>
<listitem><para>is a kerberized login program.</para>
<indexterm zone="heimdal login">
<primary sortas="b-login">login</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="otp">
<term><command>otp</command></term>
<listitem><para>manages one-time passwords.</para>
<indexterm zone="heimdal otp">
<primary sortas="b-otp">otp</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="otpprint">
<term><command>otpprint</command></term>
<listitem><para>prints lists of one-time passwords.</para>
<indexterm zone="heimdal otpprint">
<primary sortas="b-otpprint">otpprint</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="pfrom">
<term><command>pfrom</command></term>
<listitem><para>is a script that runs <command>push --from</command>.</para>
<indexterm zone="heimdal pfrom">
<primary sortas="b-pfrom">pfrom</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="popper">
<term><command>popper</command></term>
<listitem><para>is a kerberized <acronym>POP</acronym>-3 server.</para>
<indexterm zone="heimdal popper">
<primary sortas="b-popper">popper</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="push">
<term><command>push</command></term>
<listitem><para>is a kerberized <acronym>POP</acronym> mail retreival 
client.</para>
<indexterm zone="heimdal push">
<primary sortas="b-push">push</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="rcp">
<term><command>rcp</command></term>
<listitem><para>is a kerberized rcp client program.</para>
<indexterm zone="heimdal rcp">
<primary sortas="b-rcp">rcp</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="rsh">
<term><command>rsh</command></term>
<listitem><para>is a kerberized rsh client program.</para>
<indexterm zone="heimdal rsh">
<primary sortas="b-rsh">rsh</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="rshd">
<term><command>rshd</command></term>
<listitem><para>is a kerberized rsh server.</para>
<indexterm zone="heimdal rshd">
<primary sortas="b-rshd">rshd</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="rxtelnet">
<term><command>rxtelnet</command></term>
<listitem><para>starts a secure <command>xterm</command> window with a 
<command>telnet</command> to a given host and forwards 
<application>X</application> connections.</para>
<indexterm zone="heimdal rxtelnet">
<primary sortas="b-rxtelnet">rxtelnet</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="rxterm">
<term><command>rxterm</command></term>
<listitem><para>starts a secure remote <command>xterm</command>.</para>
<indexterm zone="heimdal rxterm">
<primary sortas="b-rxterm">rxterm</primary>
</indexterm></listitem>
</varlistentry> 

<varlistentry id="string2key">
<term><command>string2key</command></term>
<listitem><para>maps a password into a key.</para>
<indexterm zone="heimdal string2key">
<primary sortas="b-string2key">string2key</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="su">
<term><command>su</command></term>
<listitem><para>is a kerberized su client program.</para>
<indexterm zone="heimdal su">
<primary sortas="b-su">su</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="telnet">
<term><command>telnet</command></term>
<listitem><para>is a kerberized telnet client program.</para>
<indexterm zone="heimdal telnet">
<primary sortas="b-telnet">telnet</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="telnetd">
<term><command>telnetd</command></term>
<listitem><para>is a kerberized telnet server.</para>
<indexterm zone="heimdal telnetd">
<primary sortas="b-telnetd">telnetd</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="tenletxr">
<term><command>tenletxr</command></term>
<listitem><para>forwards <application>X</application> connections 
backwards.</para>
<indexterm zone="heimdal tenletxr">
<primary sortas="b-tenletxr">tenletxr</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="verify_krb5_conf">
<term><command>verify_krb5_conf</command></term>
<listitem><para>checks <filename>krb5.conf</filename> file for obvious 
errors.</para>
<indexterm zone="heimdal verify_krb5_conf">
<primary sortas="b-verify_krb5_conf">verify_krb5_conf</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="xnlock">
<term><command>xnlock</command></term>
<listitem><para>is a program that acts as a secure screen saver for 
workstations running <application>X</application>.</para>
<indexterm zone="heimdal xnlock">
<primary sortas="b-xnlock">xnlock</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="libasn1">
<term><filename class='libraryfile'>libasn1.[so,a]</filename></term>
<listitem><para>provides the ASN.1 and DER functions to encode and decode 
the Kerberos TGTs.</para>
<indexterm zone="heimdal libasn1">
<primary sortas="c-libasn1">libasn1.[so,a]</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="libeditline">
<term><filename class='libraryfile'>libeditline.a</filename></term>
<listitem><para>is a command-line editing library with history.</para>
<indexterm zone="heimdal libeditline">
<primary sortas="c-libeditline">libeditline.a</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="libgssapi">
<term><filename class='libraryfile'>libgssapi.[so,a]</filename></term>
<listitem><para>contain the Generic Security Service Application Programming 
Interface (<acronym>GSSAPI</acronym>) functions which provides security 
services to callers in a generic fashion, supportable with a range of 
underlying mechanisms and technologies and hence allowing source-level 
portability of applications to different environments.</para>
<indexterm zone="heimdal libgssapi">
<primary sortas="c-libgssapi">libgssapi.[so,a]</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="libhdb">
<term><filename class='libraryfile'>libhdb.[so,a]</filename></term>
<listitem><para>is a <application>Heimdal</application> Kerberos 5 
authentication/authorization database access library.</para>
<indexterm zone="heimdal libhdb">
<primary sortas="c-libhdb">libhdb.[so,a]</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="libkadm5clnt">
<term><filename class='libraryfile'>libkadm5clnt.[so,a]</filename></term>
<listitem><para>contains the administrative authentication and password 
checking functions required by Kerberos 5 client-side programs.</para>
<indexterm zone="heimdal libkadm5clnt">
<primary sortas="c-libkadm5clnt">libkadm5clnt.[so,a]</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="libkadm5srv">
<term><filename class='libraryfile'>libkadm5srv.[so,a]</filename></term>
<listitem><para>contain the administrative authentication and password 
checking functions required by Kerberos 5 servers.</para>
<indexterm zone="heimdal libkadm5srv">
<primary sortas="c-libkadm5srv">libkadm5srv.[so,a]</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="libkafs">
<term><filename class='libraryfile'>libkafs.[so,a]</filename></term>
<listitem><para>contains the functions required to authenticated to AFS.</para>
<indexterm zone="heimdal libkafs">
<primary sortas="c-libkafs">libkafs.[so,a]</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="libkrb5">
<term><filename class='libraryfile'>libkrb5.[so,a]</filename></term>
<listitem><para>is an all-purpose Kerberos 5 library.</para>
<indexterm zone="heimdal libkrb5">
<primary sortas="c-libkrb5">libkrb5.[so,a]</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="libotp">
<term><filename class='libraryfile'>libotp.[so,a]</filename></term>
<listitem><para>contains the functions required to handle authenticating 
one time passwords.</para>
<indexterm zone="heimdal libotp">
<primary sortas="c-libotp">libotp.[so,a]</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="libroken">
<term><filename class='libraryfile'>libroken.[so,a]</filename></term>
<listitem><para>is a library containing Kerberos 5 compatibility 
functions.</para>
<indexterm zone="heimdal libroken">
<primary sortas="c-libroken">libroken.[so,a]</primary>
</indexterm></listitem>
</varlistentry>

</variablelist>

</sect2>

</sect1>