source: postlfs/security/mitkrb.xml

trunk
Last change on this file was a4fa495, checked in by Xi Ruoyao <xry111@…>, 7 weeks ago

mitkrb: Some tests may use keyutils if installed, so they require kernel configuration for keyutils

1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY mitkrb-download-http "https://kerberos.org/dist/krb5/&mitkrb-major-version;/krb5-&mitkrb-version;.tar.gz">
8 <!ENTITY mitkrb-download-ftp " ">
9 <!ENTITY mitkrb-md5sum "97d5f3a48235c53f6d537c877290d2af">
10 <!ENTITY mitkrb-size "8.2 MB">
11 <!ENTITY mitkrb-buildsize "130 MB (add 10 MB for tests)">
12 <!ENTITY mitkrb-time "0.3 SBU (Using parallelism=4; add 1.0 SBU for tests)">
13]>
14
15<sect1 id="mitkrb" xreflabel="MIT Kerberos V5-&mitkrb-version;">
16 <?dbhtml filename="mitkrb.html"?>
17
18
19 <title>MIT Kerberos V5-&mitkrb-version;</title>
20
21 <indexterm zone="mitkrb">
22 <primary sortas="a-MIT-Kerberos">MIT Kerberos V5</primary>
23 </indexterm>
24
25 <sect2 role="package">
26 <title>Introduction to MIT Kerberos V5</title>
27
28 <para>
29 <application>MIT Kerberos V5</application> is a free implementation
30 of Kerberos 5. Kerberos is a network authentication protocol. It
31 centralizes the authentication database and uses kerberized
32 applications to work with servers or services that support Kerberos
33 allowing single logins and encrypted communication over internal
34 networks or the Internet.
35 </para>
36
37 &lfs121_checked;
38
39 <bridgehead renderas="sect3">Package Information</bridgehead>
40 <itemizedlist spacing="compact">
41 <listitem>
42 <para>
43 Download (HTTP): <ulink url="&mitkrb-download-http;"/>
44 </para>
45 </listitem>
46 <listitem>
47 <para>
48 Download (FTP): <ulink url="&mitkrb-download-ftp;"/>
49 </para>
50 </listitem>
51 <listitem>
52 <para>
53 Download MD5 sum: &mitkrb-md5sum;
54 </para>
55 </listitem>
56 <listitem>
57 <para>
58 Download size: &mitkrb-size;
59 </para>
60 </listitem>
61 <listitem>
62 <para>
63 Estimated disk space required: &mitkrb-buildsize;
64 </para>
65 </listitem>
66 <listitem>
67 <para>
68 Estimated build time: &mitkrb-time;
69 </para>
70 </listitem>
71 </itemizedlist>
72<!--
73 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
74 <itemizedlist spacing="compact">
75 <listitem>
76 <para>
77 Required patch:
78 <ulink url="&patch-root;/mitkrb-&mitkrb-version;-openssl3_fixes-1.patch"/>
79 </para>
80 </listitem>
81 </itemizedlist>
82 -->
83 <bridgehead renderas="sect3">MIT Kerberos V5 Dependencies</bridgehead>
84
85 <bridgehead renderas="sect4">Optional</bridgehead>
86 <para role="optional">
87 <xref linkend="bind-utils"/>,
88 <xref linkend="gnupg2"/> (to authenticate the package; the MD5 sum above only detects a corrupted download),
89 <xref linkend="keyutils"/>,
90 <xref linkend="openldap"/>,<!-- Seems so that mit has its own
91 implementation of rpc now.
92 <xref linkend="rpcbind"/> (used during the test suite),-->
93 <xref linkend="valgrind"/> (used during the test suite),
94 <xref linkend="yasm"/>,
95 <ulink url="https://thrysoee.dk/editline/">libedit</ulink>,
96 <ulink url="https://cmocka.org/">cmocka</ulink>,
97 <ulink url="https://pypi.org/project/kdcproxy/">kdcproxy</ulink>,
98 <ulink url="https://pypi.org/project/pyrad/">pyrad</ulink>, and
99 <ulink url="https://cwrap.org/resolv_wrapper.html">resolv_wrapper</ulink>
100 </para>
101
102 <note>
103 <para>
104 Some sort of time synchronization facility on your system (like
105 <xref linkend="ntp"/>) is required since Kerberos won't authenticate
106 if the clocks of a kerberized client and the KDC server differ by
107 more than the allowed clock skew (five minutes by default).
108 </para>
109 </note>
110
111 </sect2>
112
113 <sect2 role="installation">
114 <title>Installation of MIT Kerberos V5</title>
115<!--
116 <para>
117 Next, fix several issues identified by OpenSSL-3:
118 </para>
119
120<screen><userinput remap="pre">patch -Np1 -i ../mitkrb-&mitkrb-version;-openssl3_fixes-1.patch</userinput></screen>
121-->
122 <para>
123 Build <application>MIT Kerberos V5</application> by running the
124 following commands:
125 </para>
126
127<screen><userinput>cd src &amp;&amp;
128<!-- dejagnu is not used anymore for tests
129sed -i -e 's@\^u}@^u cols 300}@' tests/dejagnu/config/default.exp &amp;&amp;
130-->
131sed -i -e '/eq 0/{N;s/12 //}' plugins/kdb/db2/libdb2/test/run.test &amp;&amp;
132<!--sed -i '/t_kadm5.py/d' lib/kadm5/Makefile.in &amp;&amp;-->
133
134./configure --prefix=/usr \
135 --sysconfdir=/etc \
136 --localstatedir=/var/lib \
137 --runstatedir=/run \
138 --with-system-et \
139 --with-system-ss \
140 --with-system-verto=no \
141 --enable-dns-for-realm &amp;&amp;
142make</userinput></screen>
143
144 <para>
145 To test the build, issue: <command>make -j1 -k check</command>.
146 <!-- You need at least <xref link end="tcl"/>, which is used to drive the
147 test suite. Furthermore, <xref link end="dejagnu"/> must be available for
148 some of the tests to run. If you have a former version of MIT Kerberos V5
149 installed, it may happen that the test suite may pick up the installed
150 versions of the libraries, rather than the newly built ones. If so, it is
151 better to run the tests after the installation. -->Some tests may fail with
152 the latest version of dejagnu and glibc. Some tests may hang for a
153 long time and fail if the system is not connected to a network.
154 One test, <filename>t_kadm5srv</filename>, is known to fail.
155 If <xref linkend='keyutils'/> is installed but
156 <xref linkend='keyutils-test-kernel'/> is not
157 satisfied, some tests will fail complaining
158 <computeroutput>keyctl failed with code 1</computeroutput>.
159 <!-- Note: on my laptop -j8 fails but -j1 passes
160 For version 1.21, -j1 no longer needs to be specified and the
161 time for the tests was reduced considerably. -bdubbs
162 But on one of my machines (4 cores) -j4 fails and -j1 passes...
163 I guess the test suite is just too fragile. -xry111
164 -->
165 </para>
166
167 <para>
168 Now, as the <systemitem class="username">root</systemitem> user:
169 </para>
170
171<screen role="root"><userinput>make install &amp;&amp;
172cp -vfr ../doc -T /usr/share/doc/krb5-&mitkrb-version;</userinput></screen>
173
174 <!-- libsoup3 FTBFS with these flags if -Dgssapi=enabled (not used by
175 the book) -->
176 <para>
177 Still as the &root; user, remove linker flags setting RPATH from the
178 <command>krb5-config</command> script. These flags are unneeded for
179 an installation in the standard prefix
180 (<filename class='directory'>/usr</filename>) and they may cause some
181 packages to fail to build:
182 </para>
183
184 <screen role='root'><userinput>sed '/PROG_RPATH_FLAGS/d' -i /usr/bin/krb5-config</userinput></screen>
185
186 </sect2>
187
188 <sect2 role="commands">
189 <title>Command Explanations</title>
190
191 <para>
192 The first <command>sed</command> command removes a
193 test that is known to fail.
194 </para>
195
196 <para>
197 <parameter>--localstatedir=/var/lib</parameter>: This option is
198 used so that the Kerberos variable runtime data is located in
199 <filename class="directory">/var/lib</filename> instead of
200 <filename class="directory">/usr/var</filename>.
201 </para>
202
203 <para>
204 <parameter>--runstatedir=/run</parameter>: This option is used so that
205 the Kerberos runtime state information is located in
206 <filename class="directory">/run</filename> instead of the deprecated
207 <filename class="directory">/var/run</filename>.
208 </para>
209
210 <para>
211 <parameter>--with-system-et</parameter>: This switch causes the build
212 to use the system-installed versions of the error-table support
213 software.
214 </para>
215
216 <para>
217 <parameter>--with-system-ss</parameter>: This switch causes the build
218 to use the system-installed versions of the subsystem command-line
219 interface software.
220 </para>
221
222 <para>
223 <parameter>--with-system-verto=no</parameter>: This switch fixes a bug in
224 the package: it does not recognize its own verto library installed
225 previously. This is not a problem when reinstalling the same version,
226 but when updating, the old library is treated as the system's one
227 and the new version is not installed.
228 </para>
229
230 <para>
231 <parameter>--enable-dns-for-realm</parameter>: This switch allows
232 realms to be resolved using the DNS server.
233 </para>
234
235 <para>
236 <option>--with-ldap</option>: Use this switch if you want to compile the
237 <application>OpenLDAP</application> database backend module.
238 </para>
239
240 </sect2>
241
242 <sect2 role="configuration">
243 <title>Configuring MIT Kerberos V5</title>
244
245 <sect3 id="krb5-config">
246 <title>Config Files</title>
247
248 <para>
249 <filename>/etc/krb5.conf</filename> and
250 <filename>/var/lib/krb5kdc/kdc.conf</filename>
251 </para>
252
253 <indexterm zone="mitkrb krb5-config">
254 <primary sortas="e-etc-krb5.conf">/etc/krb5.conf</primary>
255 </indexterm>
256
257 <indexterm zone="mitkrb krb5-config">
258 <primary sortas="e-var-lib-krb5kdc-kdc.conf">/var/lib/krb5kdc/kdc.conf</primary>
259 </indexterm>
260
261 </sect3>
262
263 <sect3>
264 <title>Configuration Information</title>
265
266 <sect4>
267 <title>Kerberos Configuration</title>
268
269 <tip>
270 <para>
271 You should consider installing some sort of password checking
272 dictionary so that you can configure the installation to only
273 accept strong passwords. A suitable dictionary to use is shown in
274 the <xref linkend="cracklib"/> instructions. Note that only one
275 file can be used, but you can concatenate many files into one. The
276 configuration file shown below assumes you have installed a
277 dictionary to <filename>/usr/share/dict/words</filename>.
278 </para>
279 </tip>
280
281 <para>
282 Create the Kerberos configuration file with the following
283 commands issued by the <systemitem class="username">root</systemitem>
284 user:
285 </para>
286
287<screen role="root"><userinput>cat &gt; /etc/krb5.conf &lt;&lt; "EOF"
288<literal># Begin /etc/krb5.conf
289
290[libdefaults]
291 default_realm = <replaceable>&lt;EXAMPLE.ORG&gt;</replaceable>
292 encrypt = true
293
294[realms]
295 <replaceable>&lt;EXAMPLE.ORG&gt;</replaceable> = {
296 kdc = <replaceable>&lt;belgarath.example.org&gt;</replaceable>
297 admin_server = <replaceable>&lt;belgarath.example.org&gt;</replaceable>
298 dict_file = /usr/share/dict/words
299 }
300
301[domain_realm]
302 .<replaceable>&lt;example.org&gt;</replaceable> = <replaceable>&lt;EXAMPLE.ORG&gt;</replaceable>
303
304[logging]
305 kdc = SYSLOG:INFO:AUTH
306 admin_server = SYSLOG:INFO:AUTH
307 default = SYSLOG:DEBUG:DAEMON
308
309# End /etc/krb5.conf</literal>
310EOF</userinput></screen>
311
312 <para>
313 You will need to substitute your domain and proper hostname for the
314 occurrences of the <replaceable>&lt;belgarath&gt;</replaceable> and
315 <replaceable>&lt;example.org&gt;</replaceable> names.
316 </para>
317
318 <para>
319 <option>default_realm</option> should be the name of your
320 domain changed to ALL CAPS. This isn't required, but both
321 <application>Heimdal</application> and MIT recommend it.
322 </para>
323
324 <para>
325 <option>encrypt = true</option> provides encryption of all traffic
326 between kerberized clients and servers. It's not necessary and can
327 be left off. If you leave it off, you can encrypt all traffic from
328 the client to the server using a switch on the client program
329 instead.
330 </para>
331
332 <para>
333 The <option>[realms]</option> parameters tell the client programs
334 where to look for the KDC authentication services.
335 </para>
336
337 <para>
338 The <option>[domain_realm]</option> section maps a domain to a realm.
339 </para>
340
341 <para>
342 Create the KDC database:
343 </para>
344
345<screen role="root"><userinput>kdb5_util create -r <replaceable>&lt;EXAMPLE.ORG&gt;</replaceable> -s</userinput></screen>
346
347 <para>
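348 Now you should populate the database with principals (users). For now,
349 just use your regular login name or <systemitem class="username">root</systemitem>.
350 A policy is assigned because passwords are checked against <option>dict_file</option> only for principals that have one.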
351 </para>
352
353<screen role="root"><userinput>kadmin.local
354<prompt>kadmin.local:</prompt> add_policy dict-only
355<prompt>kadmin.local:</prompt> addprinc -policy dict-only <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>
356
357 <para>
358 The KDC server and any machine running kerberized
359 server daemons must have a host key installed:
360 </para>
361
362<screen role="root"><userinput><prompt>kadmin.local:</prompt> addprinc -randkey host/<replaceable>&lt;belgarath.example.org&gt;</replaceable></userinput></screen>
363
364 <para>
365 After choosing the defaults when prompted, you will have to
366 export the data to a keytab file:
367 </para>
368
369<screen role="root"><userinput><prompt>kadmin.local:</prompt> ktadd host/<replaceable>&lt;belgarath.example.org&gt;</replaceable></userinput></screen>
370
371 <para>
372 This should have created a file in
373 <filename class="directory">/etc</filename> named
374 <filename>krb5.keytab</filename> (Kerberos 5). This file should
375 have 600 (<systemitem class="username">root</systemitem> rw only)
376 permissions. The keytab holds the host's long-term key, so keeping keytab files
377 from public access is crucial to the overall security of the Kerberos installation.
378 </para>
379
380 <para>
381 Exit the <command>kadmin</command> program (use
382 <command>quit</command> or <command>exit</command>) and return
383 back to the shell prompt. Start the KDC daemon manually, just to
384 test out the installation:
385 </para>
386
387<screen role="root"><userinput>/usr/sbin/krb5kdc</userinput></screen>
388
389 <para>
390 Attempt to get a ticket with the following command:
391 </para>
392
393<screen><userinput>kinit <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>
394
395 <para>
396 You will be prompted for the password you created. After you
397 get your ticket, you can list it with the following command:
398 </para>
399
400<screen><userinput>klist</userinput></screen>
401
402 <para>
403 Information about the ticket should be displayed on the
404 screen.
405 </para>
406
407 <para>
408 To test the functionality of the keytab file, issue the
409 following command as the
410 <systemitem class="username">root</systemitem> user:
411 </para>
412
413<screen role="root"><userinput>ktutil
414<prompt>ktutil:</prompt> rkt /etc/krb5.keytab
415<prompt>ktutil:</prompt> l</userinput></screen>
416
417 <para>
418 This should dump a list of the host principal, along with
419 the encryption methods used to access the principal.
420 </para>
421
422 <para>
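423 Create an empty ACL file that can be modified later. While it is empty, no principal is granted administrative privileges through <command>kadmind</command>: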
424 </para>
425
426<screen role="root"><userinput>touch /var/lib/krb5kdc/kadm5.acl</userinput></screen>
427
428 <para>
429 At this point, if everything has been successful so far, you
430 can feel fairly confident in the installation and configuration of
431 the package.
432 </para>
433
434 </sect4>
435
436 <sect4>
437 <title>Additional Information</title>
438
439 <para>
440 For additional information consult the <ulink
441 url="https://web.mit.edu/kerberos/www/krb5-&mitkrb-major-version;/#documentation">
442 documentation for krb5-&mitkrb-version;</ulink> on which the above
443 instructions are based.
444 </para>
445
446 </sect4>
447
448 </sect3>
449
450 <sect3 id="mitkrb-init">
451 <title><phrase revision="sysv">Init Script</phrase>
452 <phrase revision="systemd">Systemd Unit</phrase></title>
453
454 <para revision="sysv">
455 If you want to start <application>Kerberos</application> services
456 at boot, install the <filename>/etc/rc.d/init.d/krb5</filename> init
457 script included in the <xref linkend="bootscripts"/> package using
458 the following command:
459 </para>
460
461 <para revision="systemd">
462 If you want to start <application>Kerberos</application> services
463 at boot, install the <filename>krb5.service</filename> unit included in
464 the <xref linkend="systemd-units"/> package using the following command:
465 </para>
466
467 <indexterm zone="mitkrb mitkrb-init">
468 <primary sortas="f-krb5">krb5</primary>
469 </indexterm>
470
471<screen role="root"><userinput>make install-krb5</userinput></screen>
472
473 </sect3>
474
475 </sect2>
476
477 <sect2 role="content">
478
479 <title>Contents</title>
480
481 <segmentedlist>
482 <segtitle>Installed Programs</segtitle>
483 <segtitle>Installed Libraries</segtitle>
484 <segtitle>Installed Directories</segtitle>
485
486 <seglistitem>
487 <seg>
488 gss-client, gss-server, k5srvutil, kadmin, kadmin.local,
489 kadmind, kdb5_ldap_util (optional), kdb5_util, kdestroy, kinit, klist,
490 kpasswd, kprop, kpropd, kproplog, krb5-config, krb5-send-pr, krb5kdc,
491 ksu, kswitch, ktutil, kvno, sclient, sim_client, sim_server,
492 sserver, uuclient, and uuserver
493 </seg>
494 <seg>
495 libgssapi_krb5.so, libgssrpc.so, libk5crypto.so, libkadm5clnt_mit.so,
496 libkadm5clnt.so, libkadm5srv_mit.so, libkadm5srv.so, libkdb_ldap.so
497 (optional), libkdb5.so, libkrad.so, libkrb5.so, libkrb5support.so,
498 libverto.so, and some plugins under the /usr/lib/krb5 tree
499 </seg>
500 <seg>
501 /usr/include/{gssapi,gssrpc,kadm5,krb5},
502 /usr/lib/krb5,
503 /usr/share/{doc/krb5-&mitkrb-version;,examples/krb5},
504 /var/lib/krb5kdc, and
505 /run/krb5kdc
506 </seg>
507 </seglistitem>
508 </segmentedlist>
509
510 <variablelist>
511 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
512 <?dbfo list-presentation="list"?>
513 <?dbhtml list-presentation="table"?>
514
515 <varlistentry id="gss-client">
516 <term><command>gss-client</command></term>
517 <listitem>
518 <para>
519 is a GSSAPI test client
520 </para>
521 <indexterm zone="mitkrb gss-client">
522 <primary sortas="b-gss-client">gss-client</primary>
523 </indexterm>
524 </listitem>
525 </varlistentry>
526
527 <varlistentry id="gss-server">
528 <term><command>gss-server</command></term>
529 <listitem>
530 <para>
531 is a GSSAPI test server
532 </para>
533 <indexterm zone="mitkrb gss-server">
534 <primary sortas="b-gss-server">gss-server</primary>
535 </indexterm>
536 </listitem>
537 </varlistentry>
538
539 <varlistentry id="k5srvutil">
540 <term><command>k5srvutil</command></term>
541 <listitem>
542 <para>
543 is a host keytable manipulation utility
544 </para>
545 <indexterm zone="mitkrb k5srvutil">
546 <primary sortas="b-k5srvutil">k5srvutil</primary>
547 </indexterm>
548 </listitem>
549 </varlistentry>
550
551 <varlistentry id="kadmin">
552 <term><command>kadmin</command></term>
553 <listitem>
554 <para>
555 is a utility used to make modifications
556 to the Kerberos database
557 </para>
558 <indexterm zone="mitkrb kadmin">
559 <primary sortas="b-kadmin">kadmin</primary>
560 </indexterm>
561 </listitem>
562 </varlistentry>
563
564 <varlistentry id="kadmin.local">
565 <term><command>kadmin.local</command></term>
566 <listitem>
567 <para>
568 is a utility similar to <command>kadmin</command>, but if the
569 database is db2, the local client <command>kadmin.local</command>
570 is intended to run directly on the master KDC without Kerberos
571 authentication
572 </para>
573 <indexterm zone="mitkrb kadmin.local">
574 <primary sortas="b-kadmin.local">kadmin.local</primary>
575 </indexterm>
576 </listitem>
577 </varlistentry>
578
579 <varlistentry id="kadmind">
580 <term><command>kadmind</command></term>
581 <listitem>
582 <para>
583 is a server for administrative access
584 to a Kerberos database
585 </para>
586 <indexterm zone="mitkrb kadmind">
587 <primary sortas="b-kadmind">kadmind</primary>
588 </indexterm>
589 </listitem>
590 </varlistentry>
591
592 <varlistentry id="kdb5_ldap_util">
593 <term><command>kdb5_ldap_util (optional)</command></term>
594 <listitem>
595 <para>
596 allows an administrator to manage realms, Kerberos services
597 and ticket policies
598 </para>
599 <indexterm zone="mitkrb kdb5_ldap_util">
600 <primary sortas="b-kdb5_ldap_util">kdb5_ldap_util</primary>
601 </indexterm>
602 </listitem>
603 </varlistentry>
604
605 <varlistentry id="kdb5_util">
606 <term><command>kdb5_util</command></term>
607 <listitem>
608 <para>
609 is the KDC database utility
610 </para>
611 <indexterm zone="mitkrb kdb5_util">
612 <primary sortas="b-kdb5_util">kdb5_util</primary>
613 </indexterm>
614 </listitem>
615 </varlistentry>
616
617 <varlistentry id="kdestroy">
618 <term><command>kdestroy</command></term>
619 <listitem>
620 <para>
621 removes the current set of tickets
622 </para>
623 <indexterm zone="mitkrb kdestroy">
624 <primary sortas="b-kdestroy">kdestroy</primary>
625 </indexterm>
626 </listitem>
627 </varlistentry>
628
629 <varlistentry id="kinit">
630 <term><command>kinit</command></term>
631 <listitem>
632 <para>
633 is used to authenticate to the Kerberos server as a
634 principal and acquire a ticket granting ticket that can
635 later be used to obtain tickets for other services
636 </para>
637 <indexterm zone="mitkrb kinit">
638 <primary sortas="b-kinit">kinit</primary>
639 </indexterm>
640 </listitem>
641 </varlistentry>
642
643 <varlistentry id="klist">
644 <term><command>klist</command></term>
645 <listitem>
646 <para>
647 reads and displays the current tickets in
648 the credential cache
649 </para>
650 <indexterm zone="mitkrb klist">
651 <primary sortas="b-klist">klist</primary>
652 </indexterm>
653 </listitem>
654 </varlistentry>
655
656 <varlistentry id="kpasswd">
657 <term><command>kpasswd</command></term>
658 <listitem>
659 <para>
660 is a program for changing Kerberos 5 passwords
661 </para>
662 <indexterm zone="mitkrb kpasswd">
663 <primary sortas="b-kpasswd">kpasswd</primary>
664 </indexterm>
665 </listitem>
666 </varlistentry>
667
668 <varlistentry id="kprop">
669 <term><command>kprop</command></term>
670 <listitem>
671 <para>
672 takes a principal database in a specified format and
673 converts it into a stream of database records
674 </para>
675 <indexterm zone="mitkrb kprop">
676 <primary sortas="b-kprop">kprop</primary>
677 </indexterm>
678 </listitem>
679 </varlistentry>
680
681 <varlistentry id="kpropd">
682 <term><command>kpropd</command></term>
683 <listitem>
684 <para>
685 receives a database sent by <command>kprop</command>
686 and writes it as a local database
687 </para>
688 <indexterm zone="mitkrb kpropd">
689 <primary sortas="b-kpropd">kpropd</primary>
690 </indexterm>
691 </listitem>
692 </varlistentry>
693
694 <varlistentry id="kproplog">
695 <term><command>kproplog</command></term>
696 <listitem>
697 <para>
698 displays the contents of the KDC database update log to standard
699 output
700 </para>
701 <indexterm zone="mitkrb kproplog">
702 <primary sortas="b-kproplog">kproplog</primary>
703 </indexterm>
704 </listitem>
705 </varlistentry>
706
707 <varlistentry id="krb5-config-prog2">
708 <term><command>krb5-config</command></term>
709 <listitem>
710 <para>
711 gives information on how to link programs against
712 libraries
713 </para>
714 <indexterm zone="mitkrb krb5-config-prog2">
715 <primary sortas="b-krb5-config">krb5-config</primary>
716 </indexterm>
717 </listitem>
718 </varlistentry>
719
720 <varlistentry id="krb5kdc">
721 <term><command>krb5kdc</command></term>
722 <listitem>
723 <para>
724 is the <application>Kerberos 5</application> server
725 </para>
726 <indexterm zone="mitkrb krb5kdc">
727 <primary sortas="b-krb5kdc">krb5kdc</primary>
728 </indexterm>
729 </listitem>
730 </varlistentry>
731
732 <varlistentry id="krb5-send-pr">
733 <term><command>krb5-send-pr</command></term>
734 <listitem>
735 <para>
736 sends a problem report (PR) to a central support site
737 </para>
738 <indexterm zone="mitkrb krb5-send-pr">
739 <primary sortas="b-krb-send-pr">krb5-send-pr</primary>
740 </indexterm>
741 </listitem>
742 </varlistentry>
743
744 <varlistentry id="ksu">
745 <term><command>ksu</command></term>
746 <listitem>
747 <para>
748 is the super user program using Kerberos protocol.
749 Requires a properly configured
750 <filename>/etc/shells</filename> and
751 <filename>~/.k5login</filename> containing principals
752 authorized to become super users
753 </para>
754 <indexterm zone="mitkrb ksu">
755 <primary sortas="b-ksu">ksu</primary>
756 </indexterm>
757 </listitem>
758 </varlistentry>
759
760 <varlistentry id="kswitch">
761 <term><command>kswitch</command></term>
762 <listitem>
763 <para>
764 makes the specified credential cache the
765 primary cache for the collection, if a cache
766 collection is available
767 </para>
768 <indexterm zone="mitkrb kswitch">
769 <primary sortas="b-kswitch">kswitch</primary>
770 </indexterm>
771 </listitem>
772 </varlistentry>
773
774 <varlistentry id="ktutil">
775 <term><command>ktutil</command></term>
776 <listitem>
777 <para>
778 is a program for managing Kerberos keytabs
779 </para>
780 <indexterm zone="mitkrb ktutil">
781 <primary sortas="b-ktutil">ktutil</primary>
782 </indexterm>
783 </listitem>
784 </varlistentry>
785
786 <varlistentry id="kvno">
787 <term><command>kvno</command></term>
788 <listitem>
789 <para>
790 prints keyversion numbers of Kerberos principals
791 </para>
792 <indexterm zone="mitkrb kvno">
793 <primary sortas="b-kvno">kvno</primary>
794 </indexterm>
795 </listitem>
796 </varlistentry>
797
798 <varlistentry id="sclient">
799 <term><command>sclient</command></term>
800 <listitem>
801 <para>
802 is used to contact a sample server and authenticate to it
803 using Kerberos 5 tickets, then display the server's
804 response
805 </para>
806 <indexterm zone="mitkrb sclient">
807 <primary sortas="b-sclient">sclient</primary>
808 </indexterm>
809 </listitem>
810 </varlistentry>
811
812 <varlistentry id="sim_client">
813 <term><command>sim_client</command></term>
814 <listitem>
815 <para>
816 is a simple UDP-based sample client program, for
817 demonstration
818 </para>
819 <indexterm zone="mitkrb sim_client">
820 <primary sortas="b-sim_client">sim_client</primary>
821 </indexterm>
822 </listitem>
823 </varlistentry>
824
825 <varlistentry id="sim_server">
826 <term><command>sim_server</command></term>
827 <listitem>
828 <para>
829 is a simple UDP-based server application, for
830 demonstration
831 </para>
832 <indexterm zone="mitkrb sim_server">
833 <primary sortas="b-sim_server">sim_server</primary>
834 </indexterm>
835 </listitem>
836 </varlistentry>
837
838 <varlistentry id="sserver">
839 <term><command>sserver</command></term>
840 <listitem>
841 <para>
842 is the sample Kerberos 5 server
843 </para>
844 <indexterm zone="mitkrb sserver">
845 <primary sortas="b-sserver">sserver</primary>
846 </indexterm>
847 </listitem>
848 </varlistentry>
849
850 <varlistentry id="uuclient">
851 <term><command>uuclient</command></term>
852 <listitem>
853 <para>
854 is another sample client
855 </para>
856 <indexterm zone="mitkrb uuclient">
857 <primary sortas="b-uuclient">uuclient</primary>
858 </indexterm>
859 </listitem>
860 </varlistentry>
861
862 <varlistentry id="uuserver">
863 <term><command>uuserver</command></term>
864 <listitem>
865 <para>
866 is another sample server
867 </para>
868 <indexterm zone="mitkrb uuserver">
869 <primary sortas="b-uuserver">uuserver</primary>
870 </indexterm>
871 </listitem>
872 </varlistentry>
873
874
875 <varlistentry id="libgssapi_krb5">
876 <term><filename class="libraryfile">libgssapi_krb5.so</filename></term>
877 <listitem>
878 <para>
879 contains the Generic Security Service Application Programming
880 Interface (GSSAPI) functions which provide security services
881 to callers in a generic fashion, supportable with a range of
882 underlying mechanisms and technologies and hence allowing
883 source-level portability of applications to different
884 environments
885 </para>
886 <indexterm zone="mitkrb libgssapi_krb5">
887 <primary sortas="c-libgssapi_krb5">libgssapi_krb5.so</primary>
888 </indexterm>
889 </listitem>
890 </varlistentry>
891
892 <varlistentry id="libkadm5clnt">
893 <term><filename class="libraryfile">libkadm5clnt.so</filename></term>
894 <listitem>
895 <para>
896 contains the administrative authentication and password checking
897 functions required by Kerberos 5 client-side programs
898 </para>
899 <indexterm zone="mitkrb libkadm5clnt">
900 <primary sortas="c-libkadm5clnt">libkadm5clnt.so</primary>
901 </indexterm>
902 </listitem>
903 </varlistentry>
904
905 <varlistentry id="libkadm5srv">
906 <term><filename class="libraryfile">libkadm5srv.so</filename></term>
907 <listitem>
908 <para>
909 contains the administrative authentication and password
910 checking functions required by Kerberos 5 servers
911 </para>
912 <indexterm zone="mitkrb libkadm5srv">
913 <primary sortas="c-libkadm5srv">libkadm5srv.so</primary>
914 </indexterm>
915 </listitem>
916 </varlistentry>
917
918 <varlistentry id="libkdb5">
919 <term><filename class="libraryfile">libkdb5.so</filename></term>
920 <listitem>
921 <para>
922 is a Kerberos 5 authentication/authorization database
923 access library
924 </para>
925 <indexterm zone="mitkrb libkdb5">
926 <primary sortas="c-libkdb5">libkdb5.so</primary>
927 </indexterm>
928 </listitem>
929 </varlistentry>
930
931 <varlistentry id="libkrad">
932 <term><filename class="libraryfile">libkrad.so</filename></term>
933 <listitem>
934 <para>
935 contains the internal support library for RADIUS functionality
936 </para>
937 <indexterm zone="mitkrb libkrad">
938 <primary sortas="c-libkrad">libkrad.so</primary>
939 </indexterm>
940 </listitem>
941 </varlistentry>
942
943 <varlistentry id="libkrb5">
944 <term><filename class="libraryfile">libkrb5.so</filename></term>
945 <listitem>
946 <para>
947 is an all-purpose <application>Kerberos 5</application> library
948 </para>
949 <indexterm zone="mitkrb libkrb5">
950 <primary sortas="c-libkrb5">libkrb5.so</primary>
951 </indexterm>
952 </listitem>
953 </varlistentry>
954
955 </variablelist>
956
957 </sect2>
958
959</sect1>