source: postlfs/security/mitkrb.xml@ 51eb0bf

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY mitkrb-download-http "https://kerberos.org/dist/krb5/&mitkrb-major-version;/krb5-&mitkrb-version;.tar.gz">
  <!ENTITY mitkrb-download-ftp  " ">
  <!ENTITY mitkrb-md5sum        "eb51b7724111e1a458a8c9a261d45a31">
  <!ENTITY mitkrb-size          "8.3 MB">
  <!ENTITY mitkrb-buildsize     "95 MB (add 24 MB for tests)">
  <!ENTITY mitkrb-time          "0.4 SBU (Using parallelism=4; add 1.6 SBU for tests)">
]>

<sect1 id="mitkrb" xreflabel="MIT Kerberos V5-&mitkrb-version;">
  <?dbhtml filename="mitkrb.html"?>

  <sect1info>
    <date>$Date$</date>
  </sect1info>

  <title>MIT Kerberos V5-&mitkrb-version;</title>

  <indexterm zone="mitkrb">
    <primary sortas="a-MIT-Kerberos">MIT Kerberos V5</primary>
  </indexterm>

    <sect2 role="package">
      <title>Introduction to MIT Kerberos V5</title>

    <para>
      <application>MIT Kerberos V5</application> is a free implementation
      of Kerberos 5. Kerberos is a network authentication protocol. It
      centralizes the authentication database and uses kerberized
      applications to work with servers or services that support Kerberos
      allowing single logins and encrypted communication over internal
      networks or the Internet.
    </para>

    &lfs111_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&mitkrb-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&mitkrb-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &mitkrb-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &mitkrb-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &mitkrb-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &mitkrb-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Required patch:
           <ulink url="&patch-root;/mitkrb-&mitkrb-version;-openssl3_fixes-1.patch"/>
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">MIT Kerberos V5 Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <!-- <xref linkend="dejagnu"/> (for full test coverage), -->
      <xref linkend="bind-utils"/>,
      <xref linkend="gnupg2"/> (to authenticate the package),
      <xref linkend="keyutils"/>,
      <xref linkend="openldap"/>,<!-- Seems so that mit has its own
      implementation of rpc now.
      <xref linkend="rpcbind"/> (used during the testsuite),-->
      <xref linkend="valgrind"/> (used during the testsuite),
      <xref linkend="yasm"/>,
      <ulink url="http://thrysoee.dk/editline/">libedit</ulink>,
      <ulink url="https://cmocka.org/">cmocka</ulink>,
      <ulink url="https://pypi.org/project/pyrad/">pyrad</ulink>, and
      <ulink url="https://cwrap.org/resolv_wrapper.html">resolv_wrapper</ulink>
    </para>

    <note>
      <para>
        Some sort of time synchronization facility on your system (like
        <xref linkend="ntp"/>) is required since Kerberos won't authenticate
        if there is a time difference between a kerberized client and the
        KDC server.
      </para>
    </note>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/mitkrb"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of MIT Kerberos V5</title>

    <para>
      First, fix a denial-of-service security vulnerability:
      <!-- CVE-2021-37750, mentioned in Samba release notes for 4.15.0. -->
    </para>

<screen><userinput remap="pre">sed -i '210a if (sprinc == NULL) {\
       status = "NULL_SERVER";\
       errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;\
       goto cleanup;\
       }' src/kdc/do_tgs_req.c</userinput></screen>

    <para>
      Next, fix several issues identified by OpenSSL-3:
    </para>

<screen><userinput remap="pre">patch -Np1 -i ../mitkrb-1.19.2-openssl3_fixes-1.patch</userinput></screen>

    <para>
      Build <application>MIT Kerberos V5</application> by running the
      following commands:
    </para>

<screen><userinput>cd src &amp;&amp;

sed -i -e 's@\^u}@^u cols 300}@' tests/dejagnu/config/default.exp     &amp;&amp;
sed -i -e '/eq 0/{N;s/12 //}'    plugins/kdb/db2/libdb2/test/run.test &amp;&amp;
sed -i '/t_iprop.py/d'           tests/Makefile.in                    &amp;&amp;

autoreconf -fiv &amp;&amp;

./configure --prefix=/usr            \
            --sysconfdir=/etc        \
            --localstatedir=/var/lib \
            --runstatedir=/run       \
            --with-system-et         \
            --with-system-ss         \
            --with-system-verto=no   \
            --enable-dns-for-realm &amp;&amp;
make</userinput></screen>

    <para>
      To test the build, issue as the <systemitem
      class="username">root</systemitem> user: <command>make -k -j1 check</command>.
      <!-- You need at least <xref link end="tcl"/>, which is used to drive the
      testsuite.  Furthermore, <xref link end="dejagnu"/> must be available for
      some of the tests to run.--> If you have a former version of MIT Kerberos V5
      installed, it may happen that the test suite may pick up the installed
      versions of the libraries, rather than the newly built ones. If so, it is
      better to run the tests after the installation. Some tests may fail with
      the latest version of dejagnu and glibc.
      <!-- Note: on my laptop -j8 fails but -j1 passes -->
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;

install -v -dm755 /usr/share/doc/krb5-&mitkrb-version; &amp;&amp;
cp -vfr ../doc/*  /usr/share/doc/krb5-&mitkrb-version;</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      The first <command>sed</command> increases the width of the virtual
      terminal used for some tests to prevent some spurious text in the output
      which is taken as a failure. The second <command>sed</command> removes a
      test that is known to fail. The third <command>sed</command> removes a
      test that is known to hang.
    </para>

    <para>
      <parameter>--localstatedir=/var/lib</parameter>: This option is
      used so that the Kerberos variable runtime data is located in
      <filename class="directory">/var/lib</filename> instead of
      <filename class="directory">/usr/var</filename>.
    </para>

    <para>
      <parameter>--runstatedir=/run</parameter>: This option is used so that
      the Kerberos runtime state information is located in
      <filename class="directory">/run</filename> instead of the deprecated
      <filename class="directory">/var/run</filename>.
    </para>

    <para>
      <parameter>--with-system-et</parameter>: This switch causes the build
      to use the system-installed versions of the error-table support
      software.
    </para>

    <para>
      <parameter>--with-system-ss</parameter>: This switch causes the build
      to use the system-installed versions of the subsystem command-line
      interface software.
    </para>

    <para>
      <parameter>--with-system-verto=no</parameter>: This switch fixes a bug in
      the package: it does not recognize its own verto library installed
      previously. This is not a problem, if reinstalling the same version,
      but if you are updating, the old library is used as system's one,
      instead of installing the new version.
    </para>

    <para>
      <parameter>--enable-dns-for-realm</parameter>: This switch allows
      realms to be resolved using the DNS server.
    </para>

    <para>
      <option>--with-ldap</option>: Use this switch if you want to compile the
      <application>OpenLDAP</application> database backend module.
    </para>

    <!-- FIXME: Removed due to merged-/usr setup
    <para>
      <command>mv -v /usr/lib/libk... /lib </command> and
      <command>ln -v -sf ../../lib/libk... /usr/lib/libk...</command>:
      Move critical libraries to the
      <filename class="directory">/lib</filename> directory so that they are
      available when the <filename class="directory">/usr</filename>
      filesystem is not mounted.
    </para>

    <para>
      <command>find /usr/lib -type f -name "lib$f*.so*" -exec chmod -v 755 {} \;</command>:
      This command changes the permissions of installed libraries.
    </para>

    <para>
      <command>mv -v /usr/bin/ksu /bin</command>: Moves the
      <command>ksu</command> program to the
      <filename class="directory">/bin</filename> directory so that it is
      available when the <filename class="directory">/usr</filename>
      filesystem is not mounted.
    </para>
    -->

  </sect2>

  <sect2 role="configuration">
    <title>Configuring MIT Kerberos V5</title>

    <sect3 id="krb5-config">
      <title>Config Files</title>

      <para>
        <filename>/etc/krb5.conf</filename> and
        <filename>/var/lib/krb5kdc/kdc.conf</filename>
      </para>

      <indexterm zone="mitkrb krb5-config">
        <primary sortas="e-etc-krb5.conf">/etc/krb5.conf</primary>
      </indexterm>

      <indexterm zone="mitkrb krb5-config">
        <primary sortas="e-var-lib-krb5kdc-kdc.conf">/var/lib/krb5kdc/kdc.conf</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <sect4>
        <title>Kerberos Configuration</title>

        <tip>
          <para>
            You should consider installing some sort of password checking
            dictionary so that you can configure the installation to only
            accept strong passwords. A suitable dictionary to use is shown in
            the <xref linkend="cracklib"/> instructions. Note that only one
            file can be used, but you can concatenate many files into one. The
            configuration file shown below assumes you have installed a
            dictionary to <filename>/usr/share/dict/words</filename>.
          </para>
        </tip>

        <para>
          Create the Kerberos configuration file with the following
          commands issued by the <systemitem class="username">root</systemitem>
          user:
        </para>

<screen role="root"><userinput>cat &gt; /etc/krb5.conf &lt;&lt; "EOF"
<literal># Begin /etc/krb5.conf

[libdefaults]
    default_realm = <replaceable>&lt;EXAMPLE.ORG&gt;</replaceable>
    encrypt = true

[realms]
    <replaceable>&lt;EXAMPLE.ORG&gt;</replaceable> = {
        kdc = <replaceable>&lt;belgarath.example.org&gt;</replaceable>
        admin_server = <replaceable>&lt;belgarath.example.org&gt;</replaceable>
        dict_file = /usr/share/dict/words
    }

[domain_realm]
    .<replaceable>&lt;example.org&gt;</replaceable> = <replaceable>&lt;EXAMPLE.ORG&gt;</replaceable>

[logging]
    kdc = SYSLOG:INFO:AUTH
    admin_server = SYSLOG:INFO:AUTH
    default = SYSLOG:DEBUG:DAEMON

# End /etc/krb5.conf</literal>
EOF</userinput></screen>

        <para>
          You will need to substitute your domain and proper hostname for the
          occurrences of the <replaceable>&lt;belgarath&gt;</replaceable> and
          <replaceable>&lt;example.org&gt;</replaceable> names.
        </para>

        <para>
          <option>default_realm</option> should be the name of your
          domain changed to ALL CAPS. This isn't required, but both
          <application>Heimdal</application> and MIT recommend it.
        </para>

        <para>
          <option>encrypt = true</option> provides encryption of all traffic
          between kerberized clients and servers. It's not necessary and can
          be left off. If you leave it off, you can encrypt all traffic from
          the client to the server using a switch on the client program
          instead.
        </para>

        <para>
          The <option>[realms]</option> parameters tell the client programs
          where to look for the KDC authentication services.
        </para>

        <para>
          The <option>[domain_realm]</option> section maps a domain to a realm.
        </para>

        <para>
          Create the KDC database:
       </para>

<screen role="root"><userinput>kdb5_util create -r <replaceable>&lt;EXAMPLE.ORG&gt;</replaceable> -s</userinput></screen>

        <para>
          Now you should populate the database with principals
          (users). For now, just use your regular login name or
          <systemitem class="username">root</systemitem>.
        </para>

<screen role="root"><userinput>kadmin.local
<prompt>kadmin.local:</prompt> add_policy dict-only
<prompt>kadmin.local:</prompt> addprinc -policy dict-only <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>

        <para>
          The KDC server and any machine running kerberized
          server daemons must have a host key installed:
        </para>

<screen role="root"><userinput><prompt>kadmin.local:</prompt> addprinc -randkey host/<replaceable>&lt;belgarath.example.org&gt;</replaceable></userinput></screen>

        <para>
          After choosing the defaults when prompted, you will have to
          export the data to a keytab file:
        </para>

<screen role="root"><userinput><prompt>kadmin.local:</prompt> ktadd host/<replaceable>&lt;belgarath.example.org&gt;</replaceable></userinput></screen>

        <para>
          This should have created a file in
          <filename class="directory">/etc</filename> named
          <filename>krb5.keytab</filename> (Kerberos 5). This file should
          have 600 (<systemitem class="username">root</systemitem> rw only)
          permissions. Keeping the keytab files from public access is crucial
          to the overall security of the Kerberos installation.
        </para>

        <para>
          Exit the <command>kadmin</command> program (use
          <command>quit</command> or <command>exit</command>) and return
          back to the shell prompt. Start the KDC daemon manually, just to
          test out the installation:
        </para>

<screen role="root"><userinput>/usr/sbin/krb5kdc</userinput></screen>

        <para>
          Attempt to get a ticket with the following command:
        </para>

<screen><userinput>kinit <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>

        <para>
          You will be prompted for the password you created. After you
          get your ticket, you can list it with the following command:
        </para>

<screen><userinput>klist</userinput></screen>

        <para>
          Information about the ticket should be displayed on the
          screen.
        </para>

        <para>
          To test the functionality of the keytab file, issue the
          following command as the
          <systemitem class="username">root</systemitem> user:
        </para>

<screen role="root"><userinput>ktutil
<prompt>ktutil:</prompt> rkt /etc/krb5.keytab
<prompt>ktutil:</prompt> l</userinput></screen>

        <para>
          This should dump a list of the host principal, along with
          the encryption methods used to access the principal.
        </para>

        <para>
          Create an empty ACL file that can be modified later:
        </para>

<screen role="root"><userinput>touch /var/lib/krb5kdc/kadm5.acl</userinput></screen>

        <para>
          At this point, if everything has been successful so far, you
          can feel fairly confident in the installation and configuration of
          the package.
        </para>

      </sect4>

      <sect4>
        <title>Additional Information</title>

        <para>
          For additional information consult the <ulink
          url="http://web.mit.edu/kerberos/www/krb5-&mitkrb-major-version;/#documentation">
          documentation for krb5-&mitkrb-version;</ulink> on which the above
          instructions are based.
        </para>

      </sect4>

    </sect3>

    <sect3 id="mitkrb-init">
      <title><phrase revision="sysv">Init Script</phrase>
             <phrase revision="systemd">Systemd Unit</phrase></title>

      <para revision="sysv">
        If you want to start <application>Kerberos</application> services
        at boot, install the <filename>/etc/rc.d/init.d/krb5</filename> init
        script included in the <xref linkend="bootscripts"/> package using
        the following command:
      </para>

      <para revision="systemd">
        If you want to start <application>Kerberos</application> services
        at boot, install the <filename>krb5.service</filename> unit included in
        the <xref linkend="systemd-units"/> package using the following command:
      </para>

      <indexterm zone="mitkrb mitkrb-init">
        <primary sortas="f-krb5">krb5</primary>
      </indexterm>

<screen role="root"><userinput>make install-krb5</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">

    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          gss-client, gss-server, k5srvutil, kadmin, kadmin.local,
          kadmind, kdb5_ldap_util (optional), kdb5_util, kdestroy, kinit, klist,
          kpasswd, kprop, kpropd, kproplog, krb5-config, krb5-send-pr, krb5kdc,
          ksu, kswitch, ktutil, kvno, sclient, sim_client, sim_server,
          sserver, uuclient, and uuserver
        </seg>
        <seg>
          libgssapi_krb5.so, libgssrpc.so, libk5crypto.so, libkadm5clnt_mit.so,
          libkadm5clnt.so, libkadm5srv_mit.so, libkadm5srv.so, libkdb_ldap.so
          (optional), libkdb5.so, libkrad.so, libkrb5.so, libkrb5support.so,
          libverto.so, and some plugins under the /usr/lib/krb5 tree
        </seg>
        <seg>
          /usr/include/{gssapi,gssrpc,kadm5,krb5},
          /usr/lib/krb5,
          /usr/share/{doc/krb5-&mitkrb-version;,examples/krb5},
          /var/lib/krb5kdc, and
          /run/krb5kdc
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="gss-client">
        <term><command>gss-client</command></term>
        <listitem>
          <para>
            is a GSSAPI test client
          </para>
          <indexterm zone="mitkrb gss-client">
            <primary sortas="b-gss-client">gss-client</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="gss-server">
        <term><command>gss-server</command></term>
        <listitem>
          <para>
            is a GSSAPI test server
          </para>
          <indexterm zone="mitkrb gss-server">
            <primary sortas="b-gss-server">gss-server</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="k5srvutil">
        <term><command>k5srvutil</command></term>
        <listitem>
          <para>
            is a host keytable manipulation utility
          </para>
          <indexterm zone="mitkrb k5srvutil">
            <primary sortas="b-k5srvutil">k5srvutil</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kadmin">
        <term><command>kadmin</command></term>
        <listitem>
          <para>
            is an utility used to make modifications
            to the Kerberos database
          </para>
          <indexterm zone="mitkrb kadmin">
            <primary sortas="b-kadmin">kadmin</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kadmin.local">
        <term><command>kadmin.local</command></term>
        <listitem>
          <para>
            is an utility similar to <command>kadmin</command>, but if the
            database is db2, the local client <command>kadmin.local</command>,
            is intended to run directly on the master KDC without Kerberos
            authentication
          </para>
          <indexterm zone="mitkrb kadmin.local">
            <primary sortas="b-kadmin.local">kadmin.local</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kadmind">
        <term><command>kadmind</command></term>
        <listitem>
          <para>
            is a server for administrative access
            to a Kerberos database
          </para>
          <indexterm zone="mitkrb kadmind">
            <primary sortas="b-kadmind">kadmind</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kdb5_ldap_util">
        <term><command>kdb5_ldap_util (optional)</command></term>
        <listitem>
          <para>
            allows an administrator to manage realms, Kerberos services
            and ticket policies
          </para>
          <indexterm zone="mitkrb kdb5_ldap_util">
            <primary sortas="b-kdb5_ldap_util">kdb5_ldap_util</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kdb5_util">
        <term><command>kdb5_util</command></term>
        <listitem>
          <para>
            is the KDC database utility
          </para>
          <indexterm zone="mitkrb kdb5_util">
            <primary sortas="b-kdb5_util">kdb5_util</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kdestroy">
        <term><command>kdestroy</command></term>
        <listitem>
          <para>
            removes the current set of tickets
          </para>
          <indexterm zone="mitkrb kdestroy">
            <primary sortas="b-kdestroy">kdestroy</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kinit">
        <term><command>kinit</command></term>
        <listitem>
          <para>
            is used to authenticate to the Kerberos server as a
            principal and acquire a ticket granting ticket that can
            later be used to obtain tickets for other services
          </para>
          <indexterm zone="mitkrb kinit">
            <primary sortas="b-kinit">kinit</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="klist">
        <term><command>klist</command></term>
        <listitem>
          <para>
            reads and displays the current tickets in
            the credential cache
          </para>
          <indexterm zone="mitkrb klist">
            <primary sortas="b-klist">klist</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kpasswd">
        <term><command>kpasswd</command></term>
        <listitem>
          <para>
            is a program for changing Kerberos 5 passwords
          </para>
          <indexterm zone="mitkrb kpasswd">
            <primary sortas="b-kpasswd">kpasswd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kprop">
        <term><command>kprop</command></term>
        <listitem>
          <para>
            takes a principal database in a specified format and
            converts it into a stream of database records
          </para>
          <indexterm zone="mitkrb kprop">
            <primary sortas="b-kprop">kprop</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kpropd">
        <term><command>kpropd</command></term>
        <listitem>
          <para>
            receives a database sent by <command>kprop</command>
            and writes it as a local database
          </para>
          <indexterm zone="mitkrb kpropd">
            <primary sortas="b-kpropd">kpropd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kproplog">
        <term><command>kproplog</command></term>
        <listitem>
          <para>
            displays the contents of the KDC database update log to standard
            output
          </para>
          <indexterm zone="mitkrb kproplog">
            <primary sortas="b-kproplog">kproplog</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="krb5-config-prog2">
        <term><command>krb5-config</command></term>
        <listitem>
          <para>
            gives information on how to link programs against
            libraries
          </para>
          <indexterm zone="mitkrb krb5-config-prog2">
            <primary sortas="b-krb5-config">krb5-config</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="krb5kdc">
        <term><command>krb5kdc</command></term>
        <listitem>
          <para>
            is the <application>Kerberos 5</application> server
          </para>
          <indexterm zone="mitkrb krb5kdc">
            <primary sortas="b-krb5kdc">krb5kdc</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="krb5-send-pr">
        <term><command>krb5-send-pr</command></term>
        <listitem>
          <para>
            sends a problem report (PR) to a central support site
          </para>
          <indexterm zone="mitkrb krb5-send-pr">
            <primary sortas="b-krb-send-pr">krb5-send-pr</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ksu">
        <term><command>ksu</command></term>
        <listitem>
          <para>
            is the super user program using Kerberos protocol.
            Requires a properly configured
            <filename>/etc/shells</filename> and
            <filename>~/.k5login</filename> containing principals
            authorized to become super users
          </para>
          <indexterm zone="mitkrb ksu">
            <primary sortas="b-ksu">ksu</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kswitch">
        <term><command>kswitch</command></term>
        <listitem>
          <para>
            makes the specified credential cache the
            primary cache for the collection, if a cache
            collection is available
          </para>
          <indexterm zone="mitkrb kswitch">
            <primary sortas="b-kswitch">kswitch</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ktutil">
        <term><command>ktutil</command></term>
        <listitem>
          <para>
            is a program for managing Kerberos keytabs
          </para>
          <indexterm zone="mitkrb ktutil">
            <primary sortas="b-ktutil">ktutil</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kvno">
        <term><command>kvno</command></term>
        <listitem>
          <para>
            prints keyversion numbers of Kerberos principals
          </para>
          <indexterm zone="mitkrb kvno">
            <primary sortas="b-kvno">kvno</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sclient">
        <term><command>sclient</command></term>
        <listitem>
          <para>
            is used to contact a sample server and authenticate to it
            using Kerberos 5 tickets, then display the server's
            response
          </para>
          <indexterm zone="mitkrb sclient">
            <primary sortas="b-sclient">sclient</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sim_client">
        <term><command>sim_client</command></term>
        <listitem>
          <para>
            is a simple UDP-based sample client program, for
            demonstration
          </para>
          <indexterm zone="mitkrb sim_client">
            <primary sortas="b-sim_client">sim_client</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sim_server">
        <term><command>sim_server</command></term>
        <listitem>
          <para>
            is a simple UDP-based server application, for
            demonstration
          </para>
          <indexterm zone="mitkrb sim_server">
            <primary sortas="b-sim_server">sim_server</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sserver">
        <term><command>sserver</command></term>
        <listitem>
          <para>
            is the sample Kerberos 5 server
          </para>
          <indexterm zone="mitkrb sserver">
            <primary sortas="b-sserver">sserver</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="uuclient">
        <term><command>uuclient</command></term>
        <listitem>
          <para>
            is another sample client
          </para>
          <indexterm zone="mitkrb uuclient">
            <primary sortas="b-uuclient">uuclient</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="uuserver">
        <term><command>uuserver</command></term>
        <listitem>
          <para>
            is another sample server
          </para>
          <indexterm zone="mitkrb uuserver">
            <primary sortas="b-uuserver">uuserver</primary>
          </indexterm>
        </listitem>
      </varlistentry>


      <varlistentry id="libgssapi_krb5">
        <term><filename class="libraryfile">libgssapi_krb5.so</filename></term>
        <listitem>
          <para>
            contains the Generic Security Service Application Programming
            Interface (GSSAPI) functions which provides security services
            to callers in a generic fashion, supportable with a range of
            underlying mechanisms and technologies and hence allowing
            source-level portability of applications to different
            environments
          </para>
          <indexterm zone="mitkrb libgssapi_krb5">
            <primary sortas="c-libgssapi_krb5">libgssapi_krb5.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkadm5clnt">
        <term><filename class="libraryfile">libkadm5clnt.so</filename></term>
        <listitem>
          <para>
            contains the administrative authentication and password checking
            functions required by Kerberos 5 client-side programs
          </para>
          <indexterm zone="mitkrb libkadm5clnt">
            <primary sortas="c-libkadm5clnt">libkadm5clnt.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkadm5srv">
        <term><filename class="libraryfile">libkadm5srv.so</filename></term>
        <listitem>
          <para>
            contains the administrative authentication and password
            checking functions required by Kerberos 5 servers
          </para>
          <indexterm zone="mitkrb libkadm5srv">
            <primary sortas="c-libkadm5srv">libkadm5srv.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkdb5">
        <term><filename class="libraryfile">libkdb5.so</filename></term>
        <listitem>
          <para>
            is a Kerberos 5 authentication/authorization database
            access library
          </para>
          <indexterm zone="mitkrb libkdb5">
            <primary sortas="c-libkdb5">libkdb5.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkrad">
        <term><filename class="libraryfile">libkrad.so</filename></term>
        <listitem>
          <para>
            contains the internal support library for RADIUS functionality
          </para>
          <indexterm zone="mitkrb libkrad">
            <primary sortas="c-libkrad">libkrad.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkrb5">
        <term><filename class="libraryfile">libkrb5.so</filename></term>
        <listitem>
          <para>
            is an all-purpose <application>Kerberos 5</application> library
          </para>
          <indexterm zone="mitkrb libkrb5">
            <primary sortas="c-libkrb5">libkrb5.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>