source: postlfs/security/mitkrb.xml@ af8b2d9

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY mitkrb-download-http "http://web.mit.edu/kerberos/dist/krb5/&mitkrb-major-version;/krb5-&mitkrb-version;.tar.gz">
  <!ENTITY mitkrb-download-ftp  " ">
  <!ENTITY mitkrb-md5sum        "2e35f0af0344d68aba99cef616d3a64f">
  <!ENTITY mitkrb-size          "17.1 MB">
  <!ENTITY mitkrb-buildsize     "128 MB (Additional 36 MB for the testsuite)">
  <!ENTITY mitkrb-time          "1.0 SBU (additional 2.0 SBU for the testsuite)">
]>

<sect1 id="mitkrb" xreflabel="MIT Kerberos V5-&mitkrb-version;">
  <?dbhtml filename="mitkrb.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>MIT Kerberos V5-&mitkrb-version;</title>

  <indexterm zone="mitkrb">
    <primary sortas="a-MIT-Kerberos">MIT Kerberos V5</primary>
  </indexterm>

    <sect2 role="package">
      <title>Introduction to MIT Kerberos V5</title>

    <para>
      <application>MIT Kerberos V5</application> is a free implementation
      of Kerberos 5. Kerberos is a network authentication protocol. It
      centralizes the authentication database and uses kerberized
      applications to work with servers or services that support Kerberos
      allowing single logins and encrypted communication over internal
      networks or the Internet.
    </para>

    &lfs77_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&mitkrb-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&mitkrb-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &mitkrb-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &mitkrb-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &mitkrb-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &mitkrb-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">MIT Kerberos V5 Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="dejagnu"/> (for full test coverage),
      <xref linkend="gnupg2"/> (to authenticate the package),
      <xref linkend="keyutils"/>,
      <xref linkend="openldap"/>,
      <xref linkend="python2"/> (used during the testsuite), and
      <xref linkend="rpcbind"/> (used during the testsuite)
    </para>

    <note>
      <para>
        Some sort of time synchronization facility on your system (like
        <xref linkend="ntp"/>) is required since Kerberos won't authenticate
        if there is a time difference between a kerberized client and the
        KDC server.
      </para>
    </note>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/mitkrb"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of MIT Kerberos V5</title>

<!--
    <para>
      <application>MIT Kerberos V5</application> is distributed in a
      TAR file containing a compressed TAR package and a detached PGP2
      <filename class="extension">ASC</filename> file. You'll need to unpack
      the distribution tar file, then unpack the compressed tar file before
      starting the build.
    </para>

    <para>
      After unpacking the distribution tarball and if you have
      <xref linkend="gnupg2"/> installed, you can
      authenticate the package. First, check the contents of the file
      <filename>krb5-&mitkrb-version;.tar.gz.asc</filename>.
    </para>

<screen><userinput>gpg2 -\-verify krb5-&mitkrb-version;.tar.gz.asc krb5-&mitkrb-version;.tar.gz</userinput></screen>

    <para>You will probably see output similar to:</para>

<screen><literal>gpg: Signature made Fri May  8 23:40:13 2015 utc using RSA key ID 0055C305
gpg: Can't check signature: No public key</literal></screen>

    <para>
      You can import the public key with:
    </para>

<screen><userinput>gpg2 -\-keyserver pgp.mit.edu -\-recv-keys 0055C305</userinput></screen>

    <para>
      Now re-verify the package with the first command above. You should get a
      indication of a good signature, but the key will still not be certified
      with a trusted signature. Trusting the downloaded key is a separate
      operation but it is up to you to determine the level of trust.
    </para>-->

    <para>
      Build <application>MIT Kerberos V5</application> by running the
      following commands:
    </para>

<screen><userinput>cd src &amp;&amp;
sed -e "s@python2.5/Python.h@&amp; python2.7/Python.h@g" \
    -e "s@-lpython2.5]@&amp;,\n  AC_CHECK_LIB(python2.7,main,[PYTHON_LIB=-lpython2.7])@g" \
    -i configure.in &amp;&amp;

sed -e 's@\^u}@^u cols 300}@' \
    -i tests/dejagnu/config/default.exp &amp;&amp;

sed -e  '/eq 0/{n;s/12 //}' \
    -i plugins/kdb/db2/libdb2/test/run.test &amp;&amp;

autoconf &amp;&amp;
./configure --prefix=/usr            \
            --sysconfdir=/etc        \
            --localstatedir=/var/lib \
            --with-system-et         \
            --with-system-ss         \
            --with-system-verto=no   \
            --enable-dns-for-realm   &amp;&amp;
make</userinput></screen>

    <para>
      To test the build, issue as the <systemitem
      class="username">root</systemitem> user: <command>make check</command>.
      You need at least <xref linkend="tcl"/>, which is used to drive the 
      testsuite. Furthermore, <xref linkend="dejagnu"/> must be available for 
      some of the tests to run. If you have a former version of MIT Kerberos V5
      installed, it may happen that the test suite pick up the installed
      versions of the libraries, rather than the newly built ones. If so, it is
      better to run the tests after the installation.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;

for f in gssapi_krb5 gssrpc k5crypto kadm5clnt kadm5srv \
               kdb5 kdb_ldap krad krb5 krb5support verto ; do

    find /usr/lib -type f -name "lib$f*.so*" -exec chmod -v 755 {} \;
done &amp;&amp;

mv -v /usr/lib/libkrb5.so.3*        /lib &amp;&amp;
mv -v /usr/lib/libk5crypto.so.3*    /lib &amp;&amp;
mv -v /usr/lib/libkrb5support.so.0* /lib &amp;&amp;

ln -sfv ../../lib/libkrb5.so.3.3        /usr/lib/libkrb5.so        &amp;&amp;
ln -sfv ../../lib/libk5crypto.so.3.1    /usr/lib/libk5crypto.so    &amp;&amp;
ln -sfv ../../lib/libkrb5support.so.0.1 /usr/lib/libkrb5support.so &amp;&amp;

mv -v /usr/bin/ksu /bin &amp;&amp;
chmod -v 755 /bin/ksu   &amp;&amp;

install -v -dm755 /usr/share/doc/krb5-&mitkrb-version; &amp;&amp;
cp -rfv ../doc/*  /usr/share/doc/krb5-&mitkrb-version;</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <command>sed -e ...</command>: The first <command>sed</command> fixes
      <application>Python</application> detection. The second one increases
      the width of the virtual terminal used for some tests to prevent
      some spurious characters in the output which is taken as a failure. The
      third <command>sed</command> removes a test that is known to fail.
    </para>

    <para>
      <option>--localstatedir=/var/lib</option>: This option is
      used so that the Kerberos variable run-time data is located in
      <filename class="directory">/var/lib</filename> instead of
      <filename class="directory">/usr/var</filename>.
    </para>

    <para>
      <option>--with-system-et</option>: This switch causes the build
      to use the system-installed versions of the error-table support
      software.
    </para>

    <para>
      <option>--with-system-ss</option>: This switch causes the build
      to use the system-installed versions of the subsystem command-line
      interface software.
    </para>

    <para>
      <option>--with-system-verto=no</option>: This switch fixes a bug in
      the package: it does not recognize its own verto library installed
      previously. This is not a problem if you are reinstalling the same version.
      However, if you are updating, the old library is used as the system library,
      instead of installing the new version.
    </para>

    <para>
      <option>--enable-dns-for-realm</option>: This switch allows
      realms to be resolved using the DNS server.
    </para>

    <para>
      <option>--with-ldap</option>: Use this switch if you want to compile
      <application>OpenLDAP</application> database backend module.
    </para>

    <para>
      <command>mv -v /usr/lib/libk... /lib</command> and
      <command>ln -v -sf ../../lib/libk... /usr/lib/libk...</command>:
      Move critical libraries to the
      <filename class="directory">/lib</filename> directory so that they are
      available when the <filename class="directory">/usr</filename>
      filesystem is not mounted.
    </para>

    <para>
      <command>find /usr/lib -type f -name "lib$f*.so*" -exec chmod -v 755 {} \;</command>:
      This command changes the permissions of installed libraries.
    </para>

    <para>
      <command>mv -v /usr/bin/ksu /bin</command>: Moves the
      <command>ksu</command> program to the
      <filename class="directory">/bin</filename> directory so that it is
      available when the <filename class="directory">/usr</filename>
      filesystem is not mounted.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring MIT Kerberos V5</title>

    <sect3 id="krb5-config">
      <title>Config Files</title>

      <para>
        <filename>/etc/krb5.conf</filename> and
        <filename>/var/lib/krb5kdc/kdc.conf</filename>
      </para>

      <indexterm zone="mitkrb krb5-config">
        <primary sortas="e-etc-krb5.conf">/etc/krb5.conf</primary>
      </indexterm>

      <indexterm zone="mitkrb krb5-config">
        <primary sortas="e-var-lib-krb5kdc-kdc.conf">/var/lib/krb5kdc/kdc.conf</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <sect4>
        <title>Kerberos Configuration</title>

        <tip>
          <para>
            You should consider installing some sort of password checking
            dictionary so that you can configure the installation to only
            accept strong passwords. A suitable dictionary to use is shown in
            the <xref linkend="cracklib"/> instructions. Note that only one
            file can be used, but you can concatenate many files into one. The
            configuration file shown below assumes you have installed a
            dictionary to <filename>/usr/share/dict/words</filename>.
          </para>
        </tip>

        <para>
          Create the Kerberos configuration file with the following
          commands issued by the <systemitem class="username">root</systemitem>
          user:
        </para>

<screen role="root"><userinput>cat &gt; /etc/krb5.conf &lt;&lt; "EOF"
<literal># Begin /etc/krb5.conf

[libdefaults]
    default_realm = <replaceable>&lt;LFS.ORG&gt;</replaceable>
    encrypt = true

[realms]
    <replaceable>&lt;LFS.ORG&gt;</replaceable> = {
        kdc = <replaceable>&lt;belgarath.lfs.org&gt;</replaceable>
        admin_server = <replaceable>&lt;belgarath.lfs.org&gt;</replaceable>
        dict_file = /usr/share/dict/words
    }

[domain_realm]
    .<replaceable>&lt;lfs.org&gt;</replaceable> = <replaceable>&lt;LFS.ORG&gt;</replaceable>

[logging]
    kdc = SYSLOG[:INFO[:AUTH]]
    admin_server = SYSLOG[INFO[:AUTH]]
    default = SYSLOG[[:SYS]]

# End /etc/krb5.conf</literal>
EOF</userinput></screen>

        <para>
          You will need to substitute your domain and proper hostname for the
          occurrences of the <replaceable>&lt;belgarath&gt;</replaceable> and
          <replaceable>&lt;lfs.org&gt;</replaceable> names.
        </para>

        <para>
          <option>default_realm</option> should be the name of your
          domain changed to ALL CAPS. This isn't required, but both
          <application>Heimdal</application> and MIT recommend it.
        </para>

        <para>
          <option>encrypt = true</option> provides encryption of all traffic
          between kerberized clients and servers. It's not necessary and can
          be left off. If you leave it off, you can encrypt all traffic from
          the client to the server using a switch on the client program
          instead.
        </para>

        <para>
          The <option>[realms]</option> parameters tell the client programs
          where to look for the KDC authentication services.
        </para>

        <para>
          The <option>[domain_realm]</option> section maps a domain to a realm.
        </para>

        <para>
          Create the KDC database:
       </para>

<screen role="root"><userinput>kdb5_util create -r <replaceable>&lt;LFS.ORG&gt;</replaceable> -s</userinput></screen>

        <para>
          Now you should populate the database with principals
          (users). For now, just use your regular login name or
          <systemitem class="username">root</systemitem>.
        </para>

<screen role="root"><userinput>kadmin.local
<prompt>kadmin.local:</prompt> add_policy dict-only
<prompt>kadmin.local:</prompt> addprinc -policy dict-only <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>

        <para>
          The KDC server and any machine running kerberized
          server daemons must have a host key installed:
        </para>

<screen role="root"><userinput><prompt>kadmin.local:</prompt> addprinc -randkey host/<replaceable>&lt;belgarath.lfs.org&gt;</replaceable></userinput></screen>

        <para>
          After choosing the defaults when prompted, you will have to
          export the data to a keytab file:
        </para>

<screen role="root"><userinput><prompt>kadmin.local:</prompt> ktadd host/<replaceable>&lt;belgarath.lfs.org&gt;</replaceable></userinput></screen>

        <para>
          This should have created a file in
          <filename class="directory">/etc</filename> named
          <filename>krb5.keytab</filename> (Kerberos 5). This file should
          have 600 (<systemitem class="username">root</systemitem> rw only)
          permissions. Keeping the keytab files from public access is crucial
          to the overall security of the Kerberos installation.
        </para>

        <para>
          Exit the <command>kadmin</command> program (use
          <command>quit</command> or <command>exit</command>) and return
          back to the shell prompt. Start the KDC daemon manually, just to
          test out the installation:
        </para>

<screen role="root"><userinput>/usr/sbin/krb5kdc</userinput></screen>

        <para>
          Attempt to get a ticket with the following command:
        </para>

<screen><userinput>kinit <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>

        <para>
          You will be prompted for the password you created. After you
          get your ticket, you can list it with the following command:
        </para>

<screen><userinput>klist</userinput></screen>

        <para>
          Information about the ticket should be displayed on the
          screen.
        </para>

        <para>
          To test the functionality of the keytab file, issue the
          following command:
        </para>

<screen><userinput>ktutil
<prompt>ktutil:</prompt> rkt /etc/krb5.keytab
<prompt>ktutil:</prompt> l</userinput></screen>

        <para>
          This should dump a list of the host principal, along with
          the encryption methods used to access the principal.
        </para>

        <para>
          At this point, if everything has been successful so far, you
          can feel fairly confident in the installation and configuration of
          the package.
        </para>

      </sect4>

      <sect4>
        <title>Additional Information</title>

        <para>
          For additional information consult the <ulink
          url="http://web.mit.edu/kerberos/www/krb5-&mitkrb-major-version;/#documentation">
          documentation for krb5-&mitkrb-version;</ulink> on which the above
          instructions are based.
        </para>

      </sect4>

    </sect3>

    <sect3 id="mitkrb-init">
      <title>Systemd Units</title>

      <para>
        To start the Kerberos services at boot,
        install the systemd units from the <xref linkend="bootscripts"/>
        package by running the following command as the
        <systemitem class="username">root</systemitem> user:
      </para>

      <indexterm zone="mitkrb mitkrb-init">
        <primary sortas="f-krb5">krb5</primary>
      </indexterm>

<screen role="root"><userinput>make install-krb5</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">

    <title>Contents</title>
    <para></para>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          gss-client, 
          gss-server, 
          k5srvutil, 
          kadmin, 
          kadmin.local,
          kadmind, 
          kdb5_ldap_util (optional), 
          kdb5_util, 
          kdestroy, 
          kinit, 
          klist,
          kpasswd, 
          kprop, 
          kpropd, 
          kproplog, 
          krb5-config, 
          krb5kdc, 
          krb5-send-pr,
          ksu, 
          kswitch, 
          ktutil, 
          kvno, 
          sclient, 
          sim_client, 
          sim_server,
          sserver, 
          uuclient,
          and uuserver
        </seg>
        <seg>
          libgssapi_krb5.so, 
          libgssrpc.so, 
          libk5crypto.so, 
          libkadm5clnt_mit.so,
          libkadm5clnt.so, 
          libkadm5srv_mit.so, 
          libkadm5srv.so, 
          libkdb_ldap.so
          (optional), 
          libkdb5.so, 
          libkrad.so, 
          libkrb5.so, 
          libkrb5support.so,
          libverto.so, 
          and some plugins under the /usr/lib/krb5 tree
        </seg>
        <seg>
          /usr/include/gssapi,
          /usr/include/gssrpc,
          /usr/include/kadm5,
          /usr/include/krb5,
          /usr/lib/krb5,
          /usr/share/{doc/krb5-&mitkrb-version;,examples/krb5},
          /var/lib/krb5kdc, and
          /var/lib/run/krb5kdc
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="gss-client">
        <term><command>gss-client</command></term>
        <listitem>
          <para>
            is a GSSAPI test client.
          </para>
          <indexterm zone="mitkrb gss-client">
            <primary sortas="b-gss-client">gss-client</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="gss-server">
        <term><command>gss-server</command></term>
        <listitem>
          <para>
            is a GSSAPI test server.
          </para>
          <indexterm zone="mitkrb gss-server">
            <primary sortas="b-gss-server">gss-server</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="k5srvutil">
        <term><command>k5srvutil</command></term>
        <listitem>
          <para>
            is a host keytable manipulation utility.
          </para>
          <indexterm zone="mitkrb k5srvutil">
            <primary sortas="b-k5srvutil">k5srvutil</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kadmin">
        <term><command>kadmin</command></term>
        <listitem>
          <para>
            is a utility used to make modifications
            to the Kerberos database.
          </para>
          <indexterm zone="mitkrb kadmin">
            <primary sortas="b-kadmin">kadmin</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kadmin.local">
        <term><command>kadmin.local</command></term>
        <listitem>
          <para>
            is a utility similar at <command>kadmin</command>, but if the
            database is db2, the local client <command>kadmin.local</command>,
            is intended to run directly on the master KDC without Kerberos
            authentication.
          </para>
          <indexterm zone="mitkrb kadmin.local">
            <primary sortas="b-kadmin.local">kadmin.local</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kadmind">
        <term><command>kadmind</command></term>
        <listitem>
          <para>
            is a server for administrative access
            to a Kerberos database.
          </para>
          <indexterm zone="mitkrb kadmind">
            <primary sortas="b-kadmind">kadmind</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kdb5_ldap_util">
        <term><command>kdb5_ldap_util (optional)</command></term>
        <listitem>
          <para>
            allows an administrator to manage realms, Kerberos services
            and ticket policies.
          </para>
          <indexterm zone="mitkrb kdb5_ldap_util">
            <primary sortas="b-kdb5_ldap_util">kdb5_ldap_util</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kdb5_util">
        <term><command>kdb5_util</command></term>
        <listitem>
          <para>
            is the KDC database utility.
          </para>
          <indexterm zone="mitkrb kdb5_util">
            <primary sortas="b-kdb5_util">kdb5_util</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kdestroy">
        <term><command>kdestroy</command></term>
        <listitem>
          <para>
            removes the current set of tickets.
          </para>
          <indexterm zone="mitkrb kdestroy">
            <primary sortas="b-kdestroy">kdestroy</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kinit">
        <term><command>kinit</command></term>
        <listitem>
          <para>
            is used to authenticate to the Kerberos server as a
            principal and acquire a ticket granting ticket that can
            later be used to obtain tickets for other services.
          </para>
          <indexterm zone="mitkrb kinit">
            <primary sortas="b-kinit">kinit</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="klist">
        <term><command>klist</command></term>
        <listitem>
          <para>
            reads and displays the current tickets in
            the credential cache.
          </para>
          <indexterm zone="mitkrb klist">
            <primary sortas="b-klist">klist</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kpasswd">
        <term><command>kpasswd</command></term>
        <listitem>
          <para>
            is a program for changing Kerberos 5 passwords.
          </para>
          <indexterm zone="mitkrb kpasswd">
            <primary sortas="b-kpasswd">kpasswd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kprop">
        <term><command>kprop</command></term>
        <listitem>
          <para>
            takes a principal database in a specified format and
            converts it into a stream of database records.
          </para>
          <indexterm zone="mitkrb kprop">
            <primary sortas="b-kprop">kprop</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kpropd">
        <term><command>kpropd</command></term>
        <listitem>
          <para>
            receives a database sent by <command>kprop</command>
            and writes it as a local database.
          </para>
          <indexterm zone="mitkrb kpropd">
            <primary sortas="b-kpropd">kpropd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kproplog">
        <term><command>kproplog</command></term>
        <listitem>
          <para>
            displays the contents of the KDC database update log to standard
            output.
          </para>
          <indexterm zone="mitkrb kproplog">
            <primary sortas="b-kproplog">kproplog</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="krb5-config-prog2">
        <term><command>krb5-config</command></term>
        <listitem>
          <para>
            gives information on how to link programs against
            libraries.
          </para>
          <indexterm zone="mitkrb krb5-config-prog2">
            <primary sortas="b-krb5-config">krb5-config</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="krb5kdc">
        <term><command>krb5kdc</command></term>
        <listitem>
          <para>
            is the <application>Kerberos 5</application> server.
          </para>
          <indexterm zone="mitkrb krb5kdc">
            <primary sortas="b-krb5kdc">krb5kdc</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="krb5-send-pr">
        <term><command>krb5-send-pr</command></term>
        <listitem>
          <para>
            send problem report (PR) to a central support site.
          </para>
          <indexterm zone="mitkrb krb5-send-pr">
            <primary sortas="b-krb-send-pr">krb5-send-pr</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ksu">
        <term><command>ksu</command></term>
        <listitem>
          <para>
            is the super user program using Kerberos protocol.
            Requires a properly configured
            <filename>/etc/shells</filename> and
            <filename>~/.k5login</filename> containing principals
            authorized to become super users.
          </para>
          <indexterm zone="mitkrb ksu">
            <primary sortas="b-ksu">ksu</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kswitch">
        <term><command>kswitch</command></term>
        <listitem>
          <para>
            makes the specified credential cache the
            primary cache for the collection, if a cache
            collection is available.
          </para>
          <indexterm zone="mitkrb kswitch">
            <primary sortas="b-kswitch">kswitch</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ktutil">
        <term><command>ktutil</command></term>
        <listitem>
          <para>
            is a program for managing Kerberos keytabs.
          </para>
          <indexterm zone="mitkrb ktutil">
            <primary sortas="b-ktutil">ktutil</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kvno">
        <term><command>kvno</command></term>
        <listitem>
          <para>
            prints keyversion numbers of Kerberos principals.
          </para>
          <indexterm zone="mitkrb kvno">
            <primary sortas="b-kvno">kvno</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sclient">
        <term><command>sclient</command></term>
        <listitem>
          <para>
            used to contact a sample server and authenticate to it
            using Kerberos 5 tickets, then display the server's
            response.
          </para>
          <indexterm zone="mitkrb sclient">
            <primary sortas="b-sclient">sclient</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sim_client">
        <term><command>sim_client</command></term>
        <listitem>
          <para>
            is a simple UDP-based sample client program, for
            demonstration.
          </para>
          <indexterm zone="mitkrb sim_client">
            <primary sortas="b-sim_client">sim_client</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sim_server">
        <term><command>sim_server</command></term>
        <listitem>
          <para>
            is a simple UDP-based server application, for
            demonstration.
          </para>
          <indexterm zone="mitkrb sim_server">
            <primary sortas="b-sim_server">sim_server</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sserver">
        <term><command>sserver</command></term>
        <listitem>
          <para>
            is the sample Kerberos 5 server.
          </para>
          <indexterm zone="mitkrb sserver">
            <primary sortas="b-sserver">sserver</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="uuclient">
        <term><command>uuclient</command></term>
        <listitem>
          <para>
            is an another sample client.
          </para>
          <indexterm zone="mitkrb uuclient">
            <primary sortas="b-uuclient">uuclient</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="uuserver">
        <term><command>uuserver</command></term>
        <listitem>
          <para>
            is an another sample server.
          </para>
          <indexterm zone="mitkrb uuserver">
            <primary sortas="b-uuserver">uuserver</primary>
          </indexterm>
        </listitem>
      </varlistentry>


      <varlistentry id="libgssapi_krb5">
        <term><filename class="libraryfile">libgssapi_krb5.so</filename></term>
        <listitem>
          <para>
            contain the Generic Security Service Application Programming
            Interface (GSSAPI) functions which provides security services
            to callers in a generic fashion, supportable with a range of
            underlying mechanisms and technologies and hence allowing
            source-level portability of applications to different
            environments.
          </para>
          <indexterm zone="mitkrb libgssapi_krb5">
            <primary sortas="c-libgssapi_krb5">libgssapi_krb5.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkadm5clnt">
        <term><filename class="libraryfile">libkadm5clnt.so</filename></term>
        <listitem>
          <para>
            contains the administrative authentication and password checking
            functions required by Kerberos 5 client-side programs.
          </para>
          <indexterm zone="mitkrb libkadm5clnt">
            <primary sortas="c-libkadm5clnt">libkadm5clnt.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkadm5srv">
        <term><filename class="libraryfile">libkadm5srv.so</filename></term>
        <listitem>
          <para>
            contain the administrative authentication and password
            checking functions required by Kerberos 5 servers.
          </para>
          <indexterm zone="mitkrb libkadm5srv">
            <primary sortas="c-libkadm5srv">libkadm5srv.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkdb5">
        <term><filename class="libraryfile">libkdb5.so</filename></term>
        <listitem>
          <para>
            is a Kerberos 5 authentication/authorization database
            access library.
          </para>
          <indexterm zone="mitkrb libkdb5">
            <primary sortas="c-libkdb5">libkdb5.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkrad">
        <term><filename class="libraryfile">libkrad.so</filename></term>
        <listitem>
          <para>
            contains the internal support library for RADIUS functionality.
          </para>
          <indexterm zone="mitkrb libkrad">
            <primary sortas="c-libkrad">libkrad.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkrb5">
        <term><filename class="libraryfile">libkrb5.so</filename></term>
        <listitem>
          <para>
            is an all-purpose <application>Kerberos 5</application> library.
          </para>
          <indexterm zone="mitkrb libkrb5">
            <primary sortas="c-libkrb5">libkrb5.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>