[b4b71892] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
| 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
|
---|
| 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
| 5 | %general-entities;
|
---|
| 6 |
|
---|
| 7 | <!ENTITY mitkrb-download-http "http://web.mit.edu/kerberos/www/dist/krb5/1.3/krb5-&mitkrb-version;.tar">
|
---|
| 8 | <!ENTITY mitkrb-download-ftp " ">
|
---|
[769e82a] | 9 | <!ENTITY mitkrb-size "6.4 MB">
|
---|
| 10 | <!ENTITY mitkrb-buildsize "65.5 MB">
|
---|
[b4b71892] | 11 | <!ENTITY mitkrb-time "2.55 SBU">
|
---|
| 12 | ]>
|
---|
| 13 |
|
---|
[1dce143] | 14 | <sect1 id="mitkrb" xreflabel="MIT krb5-&mitkrb-version;">
|
---|
[a0f03b0] | 15 | <sect1info>
|
---|
[5cd0959d] | 16 | <othername>$LastChangedBy$</othername>
|
---|
| 17 | <date>$Date$</date>
|
---|
[a0f03b0] | 18 | </sect1info>
|
---|
[1dce143] | 19 | <?dbhtml filename="mitkrb.html"?>
|
---|
[a2ed79b7] | 20 | <title><acronym>MIT</acronym> krb5-&mitkrb-version;</title>
|
---|
[1dce143] | 21 |
|
---|
[b4b71892] | 22 | <sect2>
|
---|
| 23 | <title>Introduction to <application><acronym>MIT</acronym> krb5</application></title>
|
---|
| 24 |
|
---|
| 25 | <para>
|
---|
[a2ed79b7] | 26 | <application><acronym>MIT</acronym> krb5</application> is a free
|
---|
| 27 | implementation of Kerberos 5. Kerberos is a network authentication
|
---|
| 28 | protocol. It centralizes the authentication database and uses kerberized
|
---|
| 29 | applications to work with servers or services that support Kerberos
|
---|
| 30 | allowing single logins and encrypted communication over internal
|
---|
| 31 | networks or the Internet.
|
---|
| 32 | </para>
|
---|
[b4b71892] | 33 |
|
---|
| 34 | <sect3><title>Package information</title>
|
---|
| 35 | <itemizedlist spacing='compact'>
|
---|
| 36 | <listitem><para>Download (HTTP): <ulink url="&mitkrb-download-http;"/></para></listitem>
|
---|
| 37 | <listitem><para>Download (FTP): <ulink url="&mitkrb-download-ftp;"/></para></listitem>
|
---|
| 38 | <listitem><para>Download size: &mitkrb-size;</para></listitem>
|
---|
| 39 | <listitem><para>Estimated Disk space required: &mitkrb-buildsize;</para></listitem>
|
---|
| 40 | <listitem><para>Estimated build time: &mitkrb-time;</para></listitem></itemizedlist>
|
---|
| 41 | </sect3>
|
---|
| 42 |
|
---|
| 43 | <sect3><title><application><acronym>MIT</acronym> krb5</application> dependencies</title>
|
---|
| 44 | <sect4><title>Optional</title>
|
---|
| 45 | <para>
|
---|
| 46 | <xref linkend="xinetd"/> (services servers only),
|
---|
[dc04b84] | 47 | <xref linkend="Linux_PAM"/> (for <command>xdm</command> based logins) and
|
---|
| 48 | <xref linkend="openldap"/> (alternative for <command>krb5kdc</command>
|
---|
| 49 | password database)
|
---|
[b4b71892] | 50 | </para>
|
---|
| 51 |
|
---|
| 52 | <note><para>
|
---|
[dc04b84] | 53 | Some sort of time synchronization facility on your system (like
|
---|
| 54 | <xref linkend="ntp"/>) is required since Kerberos won't authenticate if there
|
---|
[b4b71892] | 55 | is a time difference between a kerberized client and the
|
---|
| 56 | <acronym>KDC</acronym> server.</para></note>
|
---|
| 57 | </sect4>
|
---|
| 58 |
|
---|
| 59 | </sect3>
|
---|
| 60 |
|
---|
| 61 | </sect2>
|
---|
| 62 |
|
---|
| 63 | <sect2>
|
---|
[a2ed79b7] | 64 | <title>Installation of <application><acronym>MIT</acronym> krb5</application></title>
|
---|
| 65 |
|
---|
| 66 | <para>
|
---|
[dc04b84] | 67 | <application><acronym>MIT</acronym> krb5</application> is distributed in a
|
---|
| 68 | <acronym>TAR</acronym> file containing a compressed <acronym>TAR</acronym>
|
---|
| 69 | package and a detached <acronym>PGP</acronym>
|
---|
| 70 | <filename class="extension">ASC</filename> file.
|
---|
[a2ed79b7] | 71 | </para>
|
---|
[b4b71892] | 72 |
|
---|
[a2ed79b7] | 73 | <para>
|
---|
| 74 | If you have installed <xref linkend="gnupg"/>, you can
|
---|
| 75 | authenticate the package with the following command:
|
---|
| 76 | </para>
|
---|
[b4b71892] | 77 |
|
---|
[a2ed79b7] | 78 | <screen><userinput><command>gpg --verify krb5-&mitkrb-version;.tar.gz.asc krb5-&mitkrb-version;.tar.gz</command></userinput></screen>
|
---|
| 79 |
|
---|
| 80 | <para>
|
---|
[dc04b84] | 81 | Build <application><acronym>MIT</acronym> krb5</application> by running the
|
---|
| 82 | following commands:
|
---|
[a2ed79b7] | 83 | </para>
|
---|
| 84 |
|
---|
| 85 | <screen><userinput><command>cd src &&
|
---|
| 86 | ./configure --prefix=/usr --sysconfdir=/etc \
|
---|
[b4b71892] | 87 | --localstatedir=/var/lib --enable-dns --enable-shared --mandir=/usr/share/man &&
|
---|
[a2ed79b7] | 88 | make</command></userinput></screen>
|
---|
| 89 |
|
---|
| 90 | <para>
|
---|
| 91 | Install <application><acronym>MIT</acronym> krb5</application> by
|
---|
| 92 | running the following commands as root:
|
---|
| 93 | </para>
|
---|
| 94 |
|
---|
| 95 | <screen><userinput><command>make install &&
|
---|
[b4b71892] | 96 | mv /bin/login /bin/login.shadow &&
|
---|
| 97 | cp /usr/sbin/login.krb5 /bin/login &&
|
---|
| 98 | mv /usr/bin/ksu /bin &&
|
---|
| 99 | mv /usr/lib/libkrb5.so.3* /lib &&
|
---|
| 100 | mv /usr/lib/libkrb4.so.2* /lib &&
|
---|
| 101 | mv /usr/lib/libdes425.so.3* /lib &&
|
---|
| 102 | mv /usr/lib/libk5crypto.so.3* /lib &&
|
---|
[def66bb8] | 103 | mv /usr/lib/libcom_err.so.3* /lib &&
|
---|
| 104 | ln -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so &&
|
---|
| 105 | ln -sf ../../lib/libkrb4.so.2 /usr/lib/libkrb4.so &&
|
---|
| 106 | ln -sf ../../lib/libdes425.so.3 /usr/lib/libdes425.so &&
|
---|
| 107 | ln -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so &&
|
---|
[48a26cd] | 108 | ln -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so &&
|
---|
[b4b71892] | 109 | ldconfig</command></userinput></screen>
|
---|
| 110 |
|
---|
| 111 | </sect2>
|
---|
| 112 |
|
---|
| 113 | <sect2>
|
---|
| 114 | <title>Command explanations</title>
|
---|
| 115 |
|
---|
[a2ed79b7] | 116 | <para>
|
---|
| 117 | <parameter>--enable-dns</parameter>: This switch allows realms to
|
---|
| 118 | be resolved using the <acronym>DNS</acronym> server.
|
---|
| 119 | </para>
|
---|
[b4b71892] | 120 |
|
---|
[a2ed79b7] | 121 | <para>
|
---|
| 122 | <screen><command>mv /bin/login /bin/login.shadow
|
---|
[b4b71892] | 123 | cp /usr/sbin/login.krb5 /bin/login
|
---|
| 124 | mv /usr/bin/ksu /bin</command></screen>
|
---|
| 125 | Preserves <application>Shadow</application>'s <command>login</command>
|
---|
| 126 | command, moves <command>ksu</command> and <command>login</command> to
|
---|
[a2ed79b7] | 127 | the <filename class="directory">/bin</filename> directory.
|
---|
| 128 | </para>
|
---|
[b4b71892] | 129 |
|
---|
[a2ed79b7] | 130 | <para>
|
---|
| 131 | <screen><command>mv /usr/lib/libkrb5.so.3* /lib
|
---|
[b4b71892] | 132 | mv /usr/lib/libkrb4.so.2* /lib
|
---|
| 133 | mv /usr/lib/libdes425.so.3* /lib
|
---|
| 134 | mv /usr/lib/libk5crypto.so.3* /lib
|
---|
[def66bb8] | 135 | mv /usr/lib/libcom_err.so.3* /lib
|
---|
| 136 | ln -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so
|
---|
| 137 | ln -sf ../../lib/libkrb4.so.2 /usr/lib/libkrb4.so
|
---|
| 138 | ln -sf ../../lib/libdes425.so.3 /usr/lib/libdes425.so
|
---|
| 139 | ln -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so
|
---|
| 140 | ln -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so</command></screen>
|
---|
[b4b71892] | 141 | The <command>login</command> and <command>ksu</command> programs
|
---|
| 142 | are linked against these libraries, therefore we move these libraries to
|
---|
[dc04b84] | 143 | <filename class="directory">/lib</filename> to allow logins without mounting
|
---|
| 144 | <filename class="directory">/usr</filename>.
|
---|
[a2ed79b7] | 145 | </para>
|
---|
[b4b71892] | 146 |
|
---|
| 147 | </sect2>
|
---|
| 148 |
|
---|
| 149 | <sect2>
|
---|
| 150 | <title>Configuring <application><acronym>MIT</acronym> krb5</application></title>
|
---|
| 151 |
|
---|
| 152 | <sect3><title>Config files</title>
|
---|
[a2ed79b7] | 153 | <para>
|
---|
| 154 | <filename>/etc/krb5.conf</filename> and
|
---|
| 155 | <filename>/var/lib/krb5kdc/kdc.conf</filename>
|
---|
| 156 | </para>
|
---|
[b4b71892] | 157 | </sect3>
|
---|
| 158 |
|
---|
| 159 | <sect3><title>Configuration Information</title>
|
---|
| 160 |
|
---|
| 161 | <sect4><title>Kerberos Configuration</title>
|
---|
| 162 |
|
---|
| 163 | <para>
|
---|
| 164 | Create the Kerberos configuration file with the following command:
|
---|
| 165 | </para>
|
---|
| 166 |
|
---|
| 167 | <screen><userinput><command>cat > /etc/krb5.conf << "EOF"</command>
|
---|
| 168 | # Begin /etc/krb5.conf
|
---|
[dc04b84] | 169 |
|
---|
[b4b71892] | 170 | [libdefaults]
|
---|
| 171 | default_realm = <replaceable>[LFS.ORG]</replaceable>
|
---|
| 172 | encrypt = true
|
---|
| 173 |
|
---|
| 174 | [realms]
|
---|
| 175 | <replaceable>[LFS.ORG]</replaceable> = {
|
---|
| 176 | kdc = <replaceable>[belgarath.lfs.org]</replaceable>
|
---|
| 177 | admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
|
---|
| 178 | }
|
---|
| 179 |
|
---|
| 180 | [domain_realm]
|
---|
| 181 | .<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>
|
---|
| 182 |
|
---|
| 183 | [logging]
|
---|
| 184 | kdc = SYSLOG[:INFO[:AUTH]]
|
---|
| 185 | admin_server = SYSLOG[INFO[:AUTH]]
|
---|
| 186 | default = SYSLOG[[:SYS]]
|
---|
| 187 |
|
---|
| 188 | # End /etc/krb5.conf
|
---|
| 189 | <command>EOF</command></userinput></screen>
|
---|
| 190 |
|
---|
| 191 | <para>
|
---|
| 192 | You will need to substitute your domain and proper hostname for the
|
---|
[dc04b84] | 193 | occurances of the <replaceable>[belgarath]</replaceable> and
|
---|
| 194 | <replaceable>[lfs.org]</replaceable> names.
|
---|
[b4b71892] | 195 | </para>
|
---|
| 196 |
|
---|
| 197 | <para>
|
---|
[dc04b84] | 198 | <userinput>default_realm</userinput> should be the name of your domain changed
|
---|
| 199 | to ALL CAPS. This isn't required, but both <application>Heimdal</application>
|
---|
| 200 | and <acronym>MIT</acronym> recommend it.
|
---|
[b4b71892] | 201 | </para>
|
---|
| 202 |
|
---|
| 203 | <para>
|
---|
[dc04b84] | 204 | <userinput>encrypt = true</userinput> provides encryption of all traffic
|
---|
| 205 | between kerberized clients and servers. It's not necessary and can be left
|
---|
| 206 | off. If you leave it off, you can encrypt all traffic from the client to the
|
---|
| 207 | server using a switch on the client program instead.
|
---|
[b4b71892] | 208 | </para>
|
---|
| 209 |
|
---|
| 210 | <para>
|
---|
[dc04b84] | 211 | The <userinput>[realms]</userinput> parameters tell the client programs where
|
---|
| 212 | to look for the <acronym>KDC</acronym> authentication services.
|
---|
[b4b71892] | 213 | </para>
|
---|
| 214 |
|
---|
| 215 | <para>
|
---|
| 216 | The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
|
---|
| 217 | </para>
|
---|
| 218 |
|
---|
| 219 | <para>
|
---|
| 220 | Create the <acronym>KDC</acronym> database:
|
---|
| 221 | </para>
|
---|
| 222 |
|
---|
| 223 | <screen><userinput><command>kdb5_util create -r <replaceable>[LFS.ORG]</replaceable> -s </command></userinput></screen>
|
---|
| 224 |
|
---|
| 225 | <para>
|
---|
[dc04b84] | 226 | Now you should populate the database with principles (users). For now,
|
---|
[b4b71892] | 227 | just use your regular login name or root.
|
---|
| 228 | </para>
|
---|
| 229 |
|
---|
| 230 | <screen><userinput><command>kadmin.local</command></userinput>
|
---|
| 231 | <prompt>kadmin:</prompt><userinput><command>addprinc <replaceable>[loginname]</replaceable></command></userinput></screen>
|
---|
| 232 |
|
---|
| 233 | <para>
|
---|
| 234 | The <acronym>KDC</acronym> server and any machine running kerberized
|
---|
| 235 | server daemons must have a host key installed:
|
---|
| 236 | </para>
|
---|
| 237 |
|
---|
[99f6b7d] | 238 | <screen><prompt>kadmin:</prompt><userinput><command>addprinc -randkey host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
|
---|
[b4b71892] | 239 |
|
---|
| 240 | <para>
|
---|
| 241 | After choosing the defaults when prompted, you will have to export the
|
---|
| 242 | data to a keytab file:
|
---|
| 243 | </para>
|
---|
| 244 |
|
---|
| 245 | <screen><prompt>kadmin:</prompt><userinput><command>ktadd host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
|
---|
| 246 |
|
---|
| 247 | <para>
|
---|
[dc04b84] | 248 | This should have created a file in <filename class="directory">/etc</filename>
|
---|
| 249 | named <filename>krb5.keytab</filename> (Kerberos 5). This file should have 600
|
---|
[b4b71892] | 250 | (root rw only) permissions. Keeping the keytab files from public access
|
---|
| 251 | is crucial to the overall security of the Kerberos installation.
|
---|
| 252 | </para>
|
---|
| 253 |
|
---|
| 254 | <para>
|
---|
| 255 | Eventually, you'll want to add server daemon principles to the database
|
---|
| 256 | and extract them to the keytab file. You do this in the same way you
|
---|
| 257 | created the host principles. Below is an example:
|
---|
| 258 | </para>
|
---|
| 259 |
|
---|
[99f6b7d] | 260 | <screen><prompt>kadmin:</prompt><userinput><command>addprinc -randkey ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput>
|
---|
[b4b71892] | 261 | <prompt>kadmin:</prompt><userinput><command>ktadd ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
|
---|
| 262 |
|
---|
| 263 | <para>
|
---|
| 264 | Exit the <command>kadmin</command> program (use <command>quit</command>
|
---|
| 265 | or <command>exit</command>) and return back to the shell prompt. Start
|
---|
| 266 | the <acronym>KDC</acronym> daemon manually, just to test out the
|
---|
| 267 | installation:
|
---|
| 268 | </para>
|
---|
| 269 |
|
---|
| 270 | <screen><userinput><command>/usr/sbin/krb5kdc &</command></userinput></screen>
|
---|
| 271 |
|
---|
| 272 | <para>
|
---|
| 273 | Attempt to get a ticket with the following command:
|
---|
| 274 | </para>
|
---|
| 275 |
|
---|
| 276 | <screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
|
---|
| 277 |
|
---|
| 278 | <para>
|
---|
| 279 | You will be prompted for the password you created. After you get your
|
---|
| 280 | ticket, you can list it with the following command:
|
---|
| 281 | </para>
|
---|
| 282 |
|
---|
| 283 | <screen><userinput><command>klist</command></userinput></screen>
|
---|
| 284 |
|
---|
| 285 | <para>
|
---|
| 286 | Information about the ticket should be displayed on the screen.
|
---|
| 287 | </para>
|
---|
| 288 |
|
---|
| 289 | <para>
|
---|
| 290 | To test the functionality of the keytab file, issue the following
|
---|
| 291 | command:
|
---|
| 292 | </para>
|
---|
| 293 |
|
---|
| 294 | <screen><userinput><command>ktutil</command></userinput>
|
---|
| 295 | <prompt>ktutil:</prompt><userinput><command>rkt /etc/krb5.keytab</command></userinput>
|
---|
| 296 | <prompt>ktutil:</prompt><userinput><command>l</command></userinput></screen>
|
---|
| 297 |
|
---|
| 298 | <para>
|
---|
| 299 | This should dump a list of the host principal, along with the encryption
|
---|
| 300 | methods used to access the principal.
|
---|
| 301 | </para>
|
---|
| 302 |
|
---|
| 303 | <para>
|
---|
| 304 | At this point, if everything has been successful so far, you can feel
|
---|
| 305 | fairly confident in the installation and configuration of the package.
|
---|
| 306 | </para>
|
---|
| 307 |
|
---|
[a2ed79b7] | 308 | <para>
|
---|
| 309 | Install the <filename>/etc/rc.d/init.d/kerberos</filename> init script
|
---|
[dc04b84] | 310 | included in the <xref linkend="intro-important-bootscripts"/> package.
|
---|
[a2ed79b7] | 311 | </para>
|
---|
[b4b71892] | 312 |
|
---|
| 313 | <screen><userinput><command>make install-kerberos</command></userinput></screen>
|
---|
| 314 |
|
---|
| 315 | </sect4>
|
---|
| 316 |
|
---|
| 317 | <sect4><title>Using Kerberized Client Programs</title>
|
---|
| 318 |
|
---|
| 319 | <para>
|
---|
| 320 | To use the kerberized client programs (<command>telnet</command>,
|
---|
| 321 | <command>ftp</command>, <command>rsh</command>,
|
---|
| 322 | <command>rcp</command>, <command>rlogin</command>), you first must get
|
---|
| 323 | an authentication ticket. Use the <command>kinit</command> program to
|
---|
| 324 | get the ticket. After you've acquired the ticket, you can use the
|
---|
| 325 | kerberized programs to connect to any kerberized server on the network.
|
---|
| 326 | You will not be prompted for authentication until your ticket expires
|
---|
| 327 | (default is one day), unless you specify a different user as a command
|
---|
| 328 | line argument to the program.
|
---|
| 329 | </para>
|
---|
| 330 |
|
---|
| 331 | <para>
|
---|
| 332 | The kerberized programs will connect to non kerberized daemons, warning
|
---|
[a2ed79b7] | 333 | you that authentication is not encrypted.
|
---|
| 334 | </para>
|
---|
| 335 | </sect4>
|
---|
[b4b71892] | 336 |
|
---|
| 337 | <sect4><title>Using Kerberized Server Programs</title>
|
---|
[a2ed79b7] | 338 | <para>
|
---|
| 339 | Using kerberized server programs (<command>telnetd</command>,
|
---|
[dc04b84] | 340 | <command>kpropd</command>, <command>klogind</command> and
|
---|
| 341 | <command>kshd</command>) requires two additional configuration steps.
|
---|
[b4b71892] | 342 | First the <filename>/etc/services</filename> file must be updated to
|
---|
[dc04b84] | 343 | include eklogin and krb5_prop. Second, the <filename>inetd.conf</filename>
|
---|
| 344 | or <filename>xinetd.conf</filename> must be modified for each server that will
|
---|
| 345 | be activated, usually replacing the server from <xref linkend="inetutils"/>.
|
---|
[a2ed79b7] | 346 | </para>
|
---|
| 347 | </sect4>
|
---|
[b4b71892] | 348 |
|
---|
| 349 | <sect4><title>Additional Information</title>
|
---|
| 350 | <para>
|
---|
| 351 | For additional information consult <ulink
|
---|
| 352 | url="http://web.mit.edu/kerberos/www/krb5-1.3/#documentation">Documentation
|
---|
| 353 | for krb-&mitkrb-version;</ulink> on which the above instructions are based.
|
---|
| 354 | </para>
|
---|
| 355 |
|
---|
| 356 | </sect4>
|
---|
| 357 |
|
---|
| 358 | </sect3>
|
---|
| 359 |
|
---|
| 360 | </sect2>
|
---|
| 361 |
|
---|
| 362 | <sect2>
|
---|
| 363 | <title>Contents</title>
|
---|
| 364 |
|
---|
[a2ed79b7] | 365 | <para>
|
---|
| 366 | The <application>MIT krb5</application> package contains
|
---|
[b4b71892] | 367 | <command>compile-et</command>,
|
---|
| 368 | <command>ftp</command>,
|
---|
| 369 | <command>ftpd</command>,
|
---|
| 370 | <command>gss-client</command>,
|
---|
| 371 | <command>gss-server</command>,
|
---|
| 372 | <command>k5srvutil</command>,
|
---|
| 373 | <command>kadmin</command>,
|
---|
| 374 | <command>kadmin.local</command>,
|
---|
| 375 | <command>kadmind</command>,
|
---|
| 376 | <command>kadmind4</command>,
|
---|
| 377 | <command>kdb5_util</command>
|
---|
| 378 | <command>kdestroy</command>,
|
---|
| 379 | <command>kinit</command>,
|
---|
| 380 | <command>klist</command>,
|
---|
| 381 | <command>klogind</command>,
|
---|
| 382 | <command>kpasswd</command>,
|
---|
| 383 | <command>kprop</command>,
|
---|
| 384 | <command>kpropd</command>,
|
---|
| 385 | <command>krb5-send-pr</command>,
|
---|
| 386 | <command>krb5-config</command>,
|
---|
| 387 | <command>krb524d</command>,
|
---|
| 388 | <command>krb524init</command>,
|
---|
| 389 | <command>krb5kdc</command>,
|
---|
| 390 | <command>kshd</command>,
|
---|
| 391 | <command>ksu</command>,
|
---|
| 392 | <command>ktutil</command>,
|
---|
| 393 | <command>kvno</command>,
|
---|
| 394 | <command>login.krb5</command>,
|
---|
| 395 | <command>rcp</command>,
|
---|
| 396 | <command>rlogin</command>,
|
---|
| 397 | <command>rsh</command>,
|
---|
| 398 | <command>rshd</command>,
|
---|
| 399 | <command>rxtelnet</command>,
|
---|
| 400 | <command>rxterm</command>,
|
---|
| 401 | <command>sclient</command>,
|
---|
| 402 | <command>sim_client</command>,
|
---|
| 403 | <command>sim_server</command>,
|
---|
| 404 | <command>sserver</command>,
|
---|
| 405 | <command>telnet</command>,
|
---|
| 406 | <command>telnetd</command>,
|
---|
| 407 | <command>uuclient</command>,
|
---|
| 408 | <command>uuserver</command>,
|
---|
| 409 | <command>v5passwd</command>,
|
---|
| 410 | <command>v5passwdd</command>,
|
---|
| 411 | <filename class="libraryfile">libcom_err</filename>,
|
---|
| 412 | <filename class="libraryfile">libdes425</filename>,
|
---|
| 413 | <filename class="libraryfile">libgssapi</filename>,
|
---|
| 414 | <filename class="libraryfile">libgssrpc</filename>,
|
---|
| 415 | <filename class="libraryfile">lib5crypto</filename>,
|
---|
| 416 | <filename class="libraryfile">libkadm5clnt</filename>,
|
---|
| 417 | <filename class="libraryfile">libkadm5srv</filename>,
|
---|
| 418 | <filename class="libraryfile">libkdb5</filename>,
|
---|
[dc04b84] | 419 | <filename class="libraryfile">libkrb4</filename> and
|
---|
[a2ed79b7] | 420 | <filename class="libraryfile">libkrb5</filename>.
|
---|
| 421 | </para>
|
---|
[b4b71892] | 422 |
|
---|
| 423 | </sect2>
|
---|
| 424 |
|
---|
| 425 | <sect2><title>Description</title>
|
---|
| 426 |
|
---|
| 427 | <sect3><title>compile_et</title>
|
---|
[a2ed79b7] | 428 | <para>
|
---|
| 429 | <command>compile_et</command> converts the table listing
|
---|
| 430 | error-code names into a <application>C</application> source file.
|
---|
| 431 | </para>
|
---|
| 432 | </sect3>
|
---|
[b4b71892] | 433 |
|
---|
| 434 | <sect3><title>k5srvutil</title>
|
---|
[a2ed79b7] | 435 | <para>
|
---|
[dc04b84] | 436 | <command>k5srvutil</command> is a host keytable manipulation utility.
|
---|
[a2ed79b7] | 437 | </para>
|
---|
| 438 | </sect3>
|
---|
[b4b71892] | 439 |
|
---|
| 440 | <sect3><title>kadmin</title>
|
---|
[a2ed79b7] | 441 | <para>
|
---|
| 442 | <command>kadmin</command> is an utility used to make modifications
|
---|
| 443 | to the Kerberos database.
|
---|
| 444 | </para>
|
---|
| 445 | </sect3>
|
---|
[b4b71892] | 446 |
|
---|
| 447 | <sect3><title>kadmind</title>
|
---|
[a2ed79b7] | 448 | <para>
|
---|
| 449 | <command>kadmind</command> is a server for administrative access
|
---|
[dc04b84] | 450 | to a Kerberos database.
|
---|
[a2ed79b7] | 451 | </para>
|
---|
| 452 | </sect3>
|
---|
[b4b71892] | 453 |
|
---|
| 454 | <sect3><title>kinit</title>
|
---|
[a2ed79b7] | 455 | <para>
|
---|
[dc04b84] | 456 | <command>kinit</command> is used to authenticate to the Kerberos server as
|
---|
| 457 | a principal and acquire a ticket granting ticket that can later be used to
|
---|
| 458 | obtain tickets for other services.
|
---|
[a2ed79b7] | 459 | </para>
|
---|
| 460 | </sect3>
|
---|
[b4b71892] | 461 |
|
---|
| 462 | <sect3><title>krb5kdc</title>
|
---|
[a2ed79b7] | 463 | <para>
|
---|
[dc04b84] | 464 | <command>krb5kdc</command> is a Kerberos 5 server.
|
---|
[a2ed79b7] | 465 | </para>
|
---|
| 466 | </sect3>
|
---|
[b4b71892] | 467 |
|
---|
| 468 | <sect3><title>kdestroy</title>
|
---|
[a2ed79b7] | 469 | <para>
|
---|
[dc04b84] | 470 | <command>kdestroy</command> removes the current set of tickets.
|
---|
[a2ed79b7] | 471 | </para>
|
---|
| 472 | </sect3>
|
---|
[b4b71892] | 473 |
|
---|
| 474 | <sect3><title>kdb5_util</title>
|
---|
[a2ed79b7] | 475 | <para>
|
---|
[dc04b84] | 476 | <command>kdb5_util</command> is the <acronym>KDC</acronym> database utility.
|
---|
[a2ed79b7] | 477 | </para>
|
---|
| 478 | </sect3>
|
---|
[b4b71892] | 479 |
|
---|
| 480 | <sect3><title>klist</title>
|
---|
[a2ed79b7] | 481 | <para>
|
---|
| 482 | <command>klist</command> reads and displays the current tickets in
|
---|
| 483 | the credential cache.
|
---|
| 484 | </para>
|
---|
| 485 | </sect3>
|
---|
[b4b71892] | 486 |
|
---|
| 487 | <sect3><title>klogind</title>
|
---|
[a2ed79b7] | 488 | <para>
|
---|
[dc04b84] | 489 | <command>klogind</command> is the server that responds to
|
---|
| 490 | <command>rlogin</command> requests.
|
---|
[a2ed79b7] | 491 | </para>
|
---|
| 492 | </sect3>
|
---|
[b4b71892] | 493 |
|
---|
| 494 | <sect3><title>kpasswd</title>
|
---|
[a2ed79b7] | 495 | <para>
|
---|
[dc04b84] | 496 | <command>kpasswd</command> is a program for changing Kerberos 5 passwords.
|
---|
[a2ed79b7] | 497 | </para>
|
---|
| 498 | </sect3>
|
---|
[b4b71892] | 499 |
|
---|
| 500 | <sect3><title>kprop</title>
|
---|
[a2ed79b7] | 501 | <para>
|
---|
| 502 | <command>kprop</command> takes a principal database in a specified
|
---|
[b4b71892] | 503 | format and converts it into a stream of database
|
---|
[a2ed79b7] | 504 | records.
|
---|
| 505 | </para>
|
---|
| 506 | </sect3>
|
---|
[b4b71892] | 507 |
|
---|
| 508 | <sect3><title>kpropd</title>
|
---|
[a2ed79b7] | 509 | <para>
|
---|
| 510 | <command>kpropd</command> receives a database sent by
|
---|
[dc04b84] | 511 | <command>hprop</command> and writes it as a local database.
|
---|
[a2ed79b7] | 512 | </para>
|
---|
| 513 | </sect3>
|
---|
[b4b71892] | 514 |
|
---|
| 515 | <sect3><title>krb5-config</title>
|
---|
[a2ed79b7] | 516 | <para>
|
---|
| 517 | <command>krb5-config</command> gives information on how to link
|
---|
| 518 | programs against libraries.
|
---|
| 519 | </para>
|
---|
| 520 | </sect3>
|
---|
[b4b71892] | 521 |
|
---|
| 522 | <sect3><title>ksu</title>
|
---|
[a2ed79b7] | 523 | <para>
|
---|
[dc04b84] | 524 | <command>ksu</command> is the super user program using Kerberos protocol.
|
---|
| 525 | Requires a properly configured
|
---|
| 526 | <filename class="directory">/etc/shells</filename> and
|
---|
| 527 | <filename>~/.k5login</filename> containing principals authorized to
|
---|
[a2ed79b7] | 528 | become super users.
|
---|
| 529 | </para>
|
---|
| 530 | </sect3>
|
---|
[b4b71892] | 531 |
|
---|
| 532 | <sect3><title>ktutil</title>
|
---|
[a2ed79b7] | 533 | <para>
|
---|
[dc04b84] | 534 | <command>ktutil</command> is a program for managing Kerberos keytabs.
|
---|
[a2ed79b7] | 535 | </para>
|
---|
| 536 | </sect3>
|
---|
[b4b71892] | 537 |
|
---|
| 538 | <sect3><title>kvno</title>
|
---|
[a2ed79b7] | 539 | <para>
|
---|
[dc04b84] | 540 | <command>kvno</command> prints keyversion numbers of Kerberos principals.
|
---|
[a2ed79b7] | 541 | </para>
|
---|
| 542 | </sect3>
|
---|
[b4b71892] | 543 |
|
---|
| 544 | </sect2>
|
---|
[1dce143] | 545 |
|
---|
| 546 | </sect1>
|
---|