Context Navigation

source: postlfs/security/mitkrb.xml@ 2189c53

Visit:

11.1 11.2 11.3 12.0 12.1 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts lazarus lxqt plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since 2189c53 was 2189c53, checked in by Pierre Labastie <pierre.labastie@…>, 2 years ago
Typo in mitkrb.xml
Property mode set to `100644`
File size: 32.4 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY mitkrb-download-http "https://kerberos.org/dist/krb5/&mitkrb-major-version;/krb5-&mitkrb-version;.tar.gz">
8	<!ENTITY mitkrb-download-ftp " ">
9	<!ENTITY mitkrb-md5sum "eb51b7724111e1a458a8c9a261d45a31">
10	<!ENTITY mitkrb-size "8.3 MB">
11	<!ENTITY mitkrb-buildsize "95 MB (add 24 MB for tests)">
12	<!ENTITY mitkrb-time "0.4 SBU (Using parallelism=4; add 1.6 SBU for tests)">
13	]>
14
15	<sect1 id="mitkrb" xreflabel="MIT Kerberos V5-&mitkrb-version;">
16	<?dbhtml filename="mitkrb.html"?>
17
18	<sect1info>
19	<date>$Date$</date>
20	</sect1info>
21
22	<title>MIT Kerberos V5-&mitkrb-version;</title>
23
24	<indexterm zone="mitkrb">
25	<primary sortas="a-MIT-Kerberos">MIT Kerberos V5</primary>
26	</indexterm>
27
28	<sect2 role="package">
29	<title>Introduction to MIT Kerberos V5</title>
30
31	<para>
32	<application>MIT Kerberos V5</application> is a free implementation
33	of Kerberos 5. Kerberos is a network authentication protocol. It
34	centralizes the authentication database and uses kerberized
35	applications to work with servers or services that support Kerberos
36	allowing single logins and encrypted communication over internal
37	networks or the Internet.
38	</para>
39
40	&lfs110a_checked;
41
42	<bridgehead renderas="sect3">Package Information</bridgehead>
43	<itemizedlist spacing="compact">
44	<listitem>
45	<para>
46	Download (HTTP): <ulink url="&mitkrb-download-http;"/>
47	</para>
48	</listitem>
49	<listitem>
50	<para>
51	Download (FTP): <ulink url="&mitkrb-download-ftp;"/>
52	</para>
53	</listitem>
54	<listitem>
55	<para>
56	Download MD5 sum: &mitkrb-md5sum;
57	</para>
58	</listitem>
59	<listitem>
60	<para>
61	Download size: &mitkrb-size;
62	</para>
63	</listitem>
64	<listitem>
65	<para>
66	Estimated disk space required: &mitkrb-buildsize;
67	</para>
68	</listitem>
69	<listitem>
70	<para>
71	Estimated build time: &mitkrb-time;
72	</para>
73	</listitem>
74	</itemizedlist>
75
76	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
77	<itemizedlist spacing="compact">
78	<listitem>
79	<para>
80	Required patch:
81	<ulink url="&patch-root;/mitkrb-&mitkrb-version;-openssl3_fixes-1.patch"/>
82	</para>
83	</listitem>
84	</itemizedlist>
85
86	<bridgehead renderas="sect3">MIT Kerberos V5 Dependencies</bridgehead>
87
88	<bridgehead renderas="sect4">Optional</bridgehead>
89	<para role="optional">
90	<!-- <xref linkend="dejagnu"/> (for full test coverage), -->
91	<xref linkend="bind-utils"/>,
92	<xref linkend="gnupg2"/> (to authenticate the package),
93	<xref linkend="keyutils"/>,
94	<xref linkend="openldap"/>,<!-- Seems so that mit has its own
95	implementation of rpc now.
96	<xref linkend="rpcbind"/> (used during the testsuite),-->
97	<xref linkend="valgrind"/> (used during the testsuite),
98	<xref linkend="yasm"/>,
99	<ulink url="http://thrysoee.dk/editline/">libedit</ulink>,
100	<ulink url="https://cmocka.org/">cmocka</ulink>,
101	<ulink url="https://pypi.org/project/pyrad/">pyrad</ulink>, and
102	<ulink url="https://cwrap.org/resolv_wrapper.html">resolv_wrapper</ulink>
103	</para>
104
105	<note>
106	<para>
107	Some sort of time synchronization facility on your system (like
108	<xref linkend="ntp"/>) is required since Kerberos won't authenticate
109	if there is a time difference between a kerberized client and the
110	KDC server.
111	</para>
112	</note>
113
114	<para condition="html" role="usernotes">User Notes:
115	<ulink url="&blfs-wiki;/mitkrb"/>
116	</para>
117	</sect2>
118
119	<sect2 role="installation">
120	<title>Installation of MIT Kerberos V5</title>
121
122	<para>
123	First, fix a denial-of-service security vulnerability:
124	<!-- CVE-2021-37750, mentioned in Samba release notes for 4.15.0. -->
125	</para>
126
127	<screen><userinput remap="pre">sed -i '210a if (sprinc == NULL) {\
128	status = "NULL_SERVER";\
129	errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;\
130	goto cleanup;\
131	}' src/kdc/do_tgs_req.c</userinput></screen>
132
133	<para>
134	Next, fix several issues identified by OpenSSL-3:
135	</para>
136
137	<screen><userinput remap="pre">patch -Np1 -i ../mitkrb-1.19.2-openssl3_fixes-1.patch</userinput></screen>
138
139	<para>
140	Build <application>MIT Kerberos V5</application> by running the
141	following commands:
142	</para>
143
144	<screen><userinput>cd src &&
145
146	sed -i -e 's@\^u}@^u cols 300}@' tests/dejagnu/config/default.exp &&
147	sed -i -e '/eq 0/{N;s/12 //}' plugins/kdb/db2/libdb2/test/run.test &&
148	sed -i '/t_iprop.py/d' tests/Makefile.in &&
149
150	autoreconf -fiv &&
151
152	./configure --prefix=/usr \
153	--sysconfdir=/etc \
154	--localstatedir=/var/lib \
155	--runstatedir=/run \
156	--with-system-et \
157	--with-system-ss \
158	--with-system-verto=no \
159	--enable-dns-for-realm &&
160	make</userinput></screen>
161
162	<para>
163	To test the build, issue as the <systemitem
164	class="username">root</systemitem> user: <command>make -k -j1 check</command>.
165	<!-- You need at least <xref link end="tcl"/>, which is used to drive the
166	testsuite. Furthermore, <xref link end="dejagnu"/> must be available for
167	some of the tests to run.--> If you have a former version of MIT Kerberos V5
168	installed, it may happen that the test suite may pick up the installed
169	versions of the libraries, rather than the newly built ones. If so, it is
170	better to run the tests after the installation. Some tests may fail with
171	the latest version of dejagnu and glibc.
172	<!-- Note: on my laptop -j8 fails but -j1 passes -->
173	</para>
174
175	<para>
176	Now, as the <systemitem class="username">root</systemitem> user:
177	</para>
178
179	<screen role="root"><userinput>make install &&
180
181	install -v -dm755 /usr/share/doc/krb5-&mitkrb-version; &&
182	cp -vfr ../doc/* /usr/share/doc/krb5-&mitkrb-version;</userinput></screen>
183
184	</sect2>
185
186	<sect2 role="commands">
187	<title>Command Explanations</title>
188
189	<para>
190	The first <command>sed</command> increases the width of the virtual
191	terminal used for some tests to prevent some spurious text in the output
192	which is taken as a failure. The second <command>sed</command> removes a
193	test that is known to fail. The third <command>sed</command> removes a
194	test that is known to hang.
195	</para>
196
197	<para>
198	<parameter>--localstatedir=/var/lib</parameter>: This option is
199	used so that the Kerberos variable runtime data is located in
200	<filename class="directory">/var/lib</filename> instead of
201	<filename class="directory">/usr/var</filename>.
202	</para>
203
204	<para>
205	<parameter>--runstatedir=/run</parameter>: This option is used so that
206	the Kerberos runtime state information is located in
207	<filename class="directory">/run</filename> instead of the deprecated
208	<filename class="directory">/var/run</filename>.
209	</para>
210
211	<para>
212	<parameter>--with-system-et</parameter>: This switch causes the build
213	to use the system-installed versions of the error-table support
214	software.
215	</para>
216
217	<para>
218	<parameter>--with-system-ss</parameter>: This switch causes the build
219	to use the system-installed versions of the subsystem command-line
220	interface software.
221	</para>
222
223	<para>
224	<parameter>--with-system-verto=no</parameter>: This switch fixes a bug in
225	the package: it does not recognize its own verto library installed
226	previously. This is not a problem, if reinstalling the same version,
227	but if you are updating, the old library is used as system's one,
228	instead of installing the new version.
229	</para>
230
231	<para>
232	<parameter>--enable-dns-for-realm</parameter>: This switch allows
233	realms to be resolved using the DNS server.
234	</para>
235
236	<para>
237	<option>--with-ldap</option>: Use this switch if you want to compile the
238	<application>OpenLDAP</application> database backend module.
239	</para>
240
241	<!-- FIXME: Removed due to merged-/usr setup
242	<para>
243	<command>mv -v /usr/lib/libk... /lib </command> and
244	<command>ln -v -sf ../../lib/libk... /usr/lib/libk...</command>:
245	Move critical libraries to the
246	<filename class="directory">/lib</filename> directory so that they are
247	available when the <filename class="directory">/usr</filename>
248	filesystem is not mounted.
249	</para>
250
251	<para>
252	<command>find /usr/lib -type f -name "lib$f.so" -exec chmod -v 755 {} \;</command>:
253	This command changes the permisison of installed libraries.
254	</para>
255
256	<para>
257	<command>mv -v /usr/bin/ksu /bin</command>: Moves the
258	<command>ksu</command> program to the
259	<filename class="directory">/bin</filename> directory so that it is
260	available when the <filename class="directory">/usr</filename>
261	filesystem is not mounted.
262	</para>
263	-->
264
265	</sect2>
266
267	<sect2 role="configuration">
268	<title>Configuring MIT Kerberos V5</title>
269
270	<sect3 id="krb5-config">
271	<title>Config Files</title>
272
273	<para>
274	<filename>/etc/krb5.conf</filename> and
275	<filename>/var/lib/krb5kdc/kdc.conf</filename>
276	</para>
277
278	<indexterm zone="mitkrb krb5-config">
279	<primary sortas="e-etc-krb5.conf">/etc/krb5.conf</primary>
280	</indexterm>
281
282	<indexterm zone="mitkrb krb5-config">
283	<primary sortas="e-var-lib-krb5kdc-kdc.conf">/var/lib/krb5kdc/kdc.conf</primary>
284	</indexterm>
285
286	</sect3>
287
288	<sect3>
289	<title>Configuration Information</title>
290
291	<sect4>
292	<title>Kerberos Configuration</title>
293
294	<tip>
295	<para>
296	You should consider installing some sort of password checking
297	dictionary so that you can configure the installation to only
298	accept strong passwords. A suitable dictionary to use is shown in
299	the <xref linkend="cracklib"/> instructions. Note that only one
300	file can be used, but you can concatenate many files into one. The
301	configuration file shown below assumes you have installed a
302	dictionary to <filename>/usr/share/dict/words</filename>.
303	</para>
304	</tip>
305
306	<para>
307	Create the Kerberos configuration file with the following
308	commands issued by the <systemitem class="username">root</systemitem>
309	user:
310	</para>
311
312	<screen role="root"><userinput>cat > /etc/krb5.conf << "EOF"
313	<literal># Begin /etc/krb5.conf
314
315	[libdefaults]
316	default_realm = <replaceable><EXAMPLE.ORG></replaceable>
317	encrypt = true
318
319	[realms]
320	<replaceable><EXAMPLE.ORG></replaceable> = {
321	kdc = <replaceable><belgarath.example.org></replaceable>
322	admin_server = <replaceable><belgarath.example.org></replaceable>
323	dict_file = /usr/share/dict/words
324	}
325
326	[domain_realm]
327	.<replaceable><example.org></replaceable> = <replaceable><EXAMPLE.ORG></replaceable>
328
329	[logging]
330	kdc = SYSLOG:INFO:AUTH
331	admin_server = SYSLOG:INFO:AUTH
332	default = SYSLOG:DEBUG:DAEMON
333
334	# End /etc/krb5.conf</literal>
335	EOF</userinput></screen>
336
337	<para>
338	You will need to substitute your domain and proper hostname for the
339	occurrences of the <replaceable><belgarath></replaceable> and
340	<replaceable><example.org></replaceable> names.
341	</para>
342
343	<para>
344	<option>default_realm</option> should be the name of your
345	domain changed to ALL CAPS. This isn't required, but both
346	<application>Heimdal</application> and MIT recommend it.
347	</para>
348
349	<para>
350	<option>encrypt = true</option> provides encryption of all traffic
351	between kerberized clients and servers. It's not necessary and can
352	be left off. If you leave it off, you can encrypt all traffic from
353	the client to the server using a switch on the client program
354	instead.
355	</para>
356
357	<para>
358	The <option>[realms]</option> parameters tell the client programs
359	where to look for the KDC authentication services.
360	</para>
361
362	<para>
363	The <option>[domain_realm]</option> section maps a domain to a realm.
364	</para>
365
366	<para>
367	Create the KDC database:
368	</para>
369
370	<screen role="root"><userinput>kdb5_util create -r <replaceable><EXAMPLE.ORG></replaceable> -s</userinput></screen>
371
372	<para>
373	Now you should populate the database with principals
374	(users). For now, just use your regular login name or
375	<systemitem class="username">root</systemitem>.
376	</para>
377
378	<screen role="root"><userinput>kadmin.local
379	<prompt>kadmin.local:</prompt> add_policy dict-only
380	<prompt>kadmin.local:</prompt> addprinc -policy dict-only <replaceable><loginname></replaceable></userinput></screen>
381
382	<para>
383	The KDC server and any machine running kerberized
384	server daemons must have a host key installed:
385	</para>
386
387	<screen role="root"><userinput><prompt>kadmin.local:</prompt> addprinc -randkey host/<replaceable><belgarath.example.org></replaceable></userinput></screen>
388
389	<para>
390	After choosing the defaults when prompted, you will have to
391	export the data to a keytab file:
392	</para>
393
394	<screen role="root"><userinput><prompt>kadmin.local:</prompt> ktadd host/<replaceable><belgarath.example.org></replaceable></userinput></screen>
395
396	<para>
397	This should have created a file in
398	<filename class="directory">/etc</filename> named
399	<filename>krb5.keytab</filename> (Kerberos 5). This file should
400	have 600 (<systemitem class="username">root</systemitem> rw only)
401	permissions. Keeping the keytab files from public access is crucial
402	to the overall security of the Kerberos installation.
403	</para>
404
405	<para>
406	Exit the <command>kadmin</command> program (use
407	<command>quit</command> or <command>exit</command>) and return
408	back to the shell prompt. Start the KDC daemon manually, just to
409	test out the installation:
410	</para>
411
412	<screen role="root"><userinput>/usr/sbin/krb5kdc</userinput></screen>
413
414	<para>
415	Attempt to get a ticket with the following command:
416	</para>
417
418	<screen><userinput>kinit <replaceable><loginname></replaceable></userinput></screen>
419
420	<para>
421	You will be prompted for the password you created. After you
422	get your ticket, you can list it with the following command:
423	</para>
424
425	<screen><userinput>klist</userinput></screen>
426
427	<para>
428	Information about the ticket should be displayed on the
429	screen.
430	</para>
431
432	<para>
433	To test the functionality of the keytab file, issue the
434	following command as the
435	<systemitem class="username">root</systemitem> user:
436	</para>
437
438	<screen role="root"><userinput>ktutil
439	<prompt>ktutil:</prompt> rkt /etc/krb5.keytab
440	<prompt>ktutil:</prompt> l</userinput></screen>
441
442	<para>
443	This should dump a list of the host principal, along with
444	the encryption methods used to access the principal.
445	</para>
446
447	<para>
448	Create an empty ACL file that can be modified later:
449	</para>
450
451	<screen role="root"><userinput>touch /var/lib/krb5kdc/kadm5.acl</userinput></screen>
452
453	<para>
454	At this point, if everything has been successful so far, you
455	can feel fairly confident in the installation and configuration of
456	the package.
457	</para>
458
459	</sect4>
460
461	<sect4>
462	<title>Additional Information</title>
463
464	<para>
465	For additional information consult the <ulink
466	url="http://web.mit.edu/kerberos/www/krb5-&mitkrb-major-version;/#documentation">
467	documentation for krb5-&mitkrb-version;</ulink> on which the above
468	instructions are based.
469	</para>
470
471	</sect4>
472
473	</sect3>
474
475	<sect3 id="mitkrb-init">
476	<title><phrase revision="sysv">Init Script</phrase>
477	<phrase revision="systemd">Systemd Unit</phrase></title>
478
479	<para revision="sysv">
480	If you want to start <application>Kerberos</application> services
481	at boot, install the <filename>/etc/rc.d/init.d/krb5</filename> init
482	script included in the <xref linkend="bootscripts"/> package using
483	the following command:
484	</para>
485
486	<para revision="systemd">
487	If you want to start <application>Kerberos</application> services
488	at boot, install the <filename>krb5.service</filename> unit included in
489	the <xref linkend="systemd-units"/> package using the following command:
490	</para>
491
492	<indexterm zone="mitkrb mitkrb-init">
493	<primary sortas="f-krb5">krb5</primary>
494	</indexterm>
495
496	<screen role="root"><userinput>make install-krb5</userinput></screen>
497
498	</sect3>
499
500	</sect2>
501
502	<sect2 role="content">
503
504	<title>Contents</title>
505
506	<segmentedlist>
507	<segtitle>Installed Programs</segtitle>
508	<segtitle>Installed Libraries</segtitle>
509	<segtitle>Installed Directories</segtitle>
510
511	<seglistitem>
512	<seg>
513	gss-client, gss-server, k5srvutil, kadmin, kadmin.local,
514	kadmind, kdb5_ldap_util (optional), kdb5_util, kdestroy, kinit, klist,
515	kpasswd, kprop, kpropd, kproplog, krb5-config, krb5-send-pr, krb5kdc,
516	ksu, kswitch, ktutil, kvno, sclient, sim_client, sim_server,
517	sserver, uuclient, and uuserver
518	</seg>
519	<seg>
520	libgssapi_krb5.so, libgssrpc.so, libk5crypto.so, libkadm5clnt_mit.so,
521	libkadm5clnt.so, libkadm5srv_mit.so, libkadm5srv.so, libkdb_ldap.so
522	(optional), libkdb5.so, libkrad.so, libkrb5.so, libkrb5support.so,
523	libverto.so, and some plugins under the /usr/lib/krb5 tree
524	</seg>
525	<seg>
526	/usr/include/{gssapi,gssrpc,kadm5,krb5},
527	/usr/lib/krb5,
528	/usr/share/{doc/krb5-&mitkrb-version;,examples/krb5},
529	/var/lib/krb5kdc, and
530	/run/krb5kdc
531	</seg>
532	</seglistitem>
533	</segmentedlist>
534
535	<variablelist>
536	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
537	<?dbfo list-presentation="list"?>
538	<?dbhtml list-presentation="table"?>
539
540	<varlistentry id="gss-client">
541	<term><command>gss-client</command></term>
542	<listitem>
543	<para>
544	is a GSSAPI test client
545	</para>
546	<indexterm zone="mitkrb gss-client">
547	<primary sortas="b-gss-client">gss-client</primary>
548	</indexterm>
549	</listitem>
550	</varlistentry>
551
552	<varlistentry id="gss-server">
553	<term><command>gss-server</command></term>
554	<listitem>
555	<para>
556	is a GSSAPI test server
557	</para>
558	<indexterm zone="mitkrb gss-server">
559	<primary sortas="b-gss-server">gss-server</primary>
560	</indexterm>
561	</listitem>
562	</varlistentry>
563
564	<varlistentry id="k5srvutil">
565	<term><command>k5srvutil</command></term>
566	<listitem>
567	<para>
568	is a host keytable manipulation utility
569	</para>
570	<indexterm zone="mitkrb k5srvutil">
571	<primary sortas="b-k5srvutil">k5srvutil</primary>
572	</indexterm>
573	</listitem>
574	</varlistentry>
575
576	<varlistentry id="kadmin">
577	<term><command>kadmin</command></term>
578	<listitem>
579	<para>
580	is an utility used to make modifications
581	to the Kerberos database
582	</para>
583	<indexterm zone="mitkrb kadmin">
584	<primary sortas="b-kadmin">kadmin</primary>
585	</indexterm>
586	</listitem>
587	</varlistentry>
588
589	<varlistentry id="kadmin.local">
590	<term><command>kadmin.local</command></term>
591	<listitem>
592	<para>
593	is an utility similar to <command>kadmin</command>, but if the
594	database is db2, the local client <command>kadmin.local</command>,
595	is intended to run directly on the master KDC without Kerberos
596	authentication
597	</para>
598	<indexterm zone="mitkrb kadmin.local">
599	<primary sortas="b-kadmin.local">kadmin.local</primary>
600	</indexterm>
601	</listitem>
602	</varlistentry>
603
604	<varlistentry id="kadmind">
605	<term><command>kadmind</command></term>
606	<listitem>
607	<para>
608	is a server for administrative access
609	to a Kerberos database
610	</para>
611	<indexterm zone="mitkrb kadmind">
612	<primary sortas="b-kadmind">kadmind</primary>
613	</indexterm>
614	</listitem>
615	</varlistentry>
616
617	<varlistentry id="kdb5_ldap_util">
618	<term><command>kdb5_ldap_util (optional)</command></term>
619	<listitem>
620	<para>
621	allows an administrator to manage realms, Kerberos services
622	and ticket policies
623	</para>
624	<indexterm zone="mitkrb kdb5_ldap_util">
625	<primary sortas="b-kdb5_ldap_util">kdb5_ldap_util</primary>
626	</indexterm>
627	</listitem>
628	</varlistentry>
629
630	<varlistentry id="kdb5_util">
631	<term><command>kdb5_util</command></term>
632	<listitem>
633	<para>
634	is the KDC database utility
635	</para>
636	<indexterm zone="mitkrb kdb5_util">
637	<primary sortas="b-kdb5_util">kdb5_util</primary>
638	</indexterm>
639	</listitem>
640	</varlistentry>
641
642	<varlistentry id="kdestroy">
643	<term><command>kdestroy</command></term>
644	<listitem>
645	<para>
646	removes the current set of tickets
647	</para>
648	<indexterm zone="mitkrb kdestroy">
649	<primary sortas="b-kdestroy">kdestroy</primary>
650	</indexterm>
651	</listitem>
652	</varlistentry>
653
654	<varlistentry id="kinit">
655	<term><command>kinit</command></term>
656	<listitem>
657	<para>
658	is used to authenticate to the Kerberos server as a
659	principal and acquire a ticket granting ticket that can
660	later be used to obtain tickets for other services
661	</para>
662	<indexterm zone="mitkrb kinit">
663	<primary sortas="b-kinit">kinit</primary>
664	</indexterm>
665	</listitem>
666	</varlistentry>
667
668	<varlistentry id="klist">
669	<term><command>klist</command></term>
670	<listitem>
671	<para>
672	reads and displays the current tickets in
673	the credential cache
674	</para>
675	<indexterm zone="mitkrb klist">
676	<primary sortas="b-klist">klist</primary>
677	</indexterm>
678	</listitem>
679	</varlistentry>
680
681	<varlistentry id="kpasswd">
682	<term><command>kpasswd</command></term>
683	<listitem>
684	<para>
685	is a program for changing Kerberos 5 passwords
686	</para>
687	<indexterm zone="mitkrb kpasswd">
688	<primary sortas="b-kpasswd">kpasswd</primary>
689	</indexterm>
690	</listitem>
691	</varlistentry>
692
693	<varlistentry id="kprop">
694	<term><command>kprop</command></term>
695	<listitem>
696	<para>
697	takes a principal database in a specified format and
698	converts it into a stream of database records
699	</para>
700	<indexterm zone="mitkrb kprop">
701	<primary sortas="b-kprop">kprop</primary>
702	</indexterm>
703	</listitem>
704	</varlistentry>
705
706	<varlistentry id="kpropd">
707	<term><command>kpropd</command></term>
708	<listitem>
709	<para>
710	receives a database sent by <command>kprop</command>
711	and writes it as a local database
712	</para>
713	<indexterm zone="mitkrb kpropd">
714	<primary sortas="b-kpropd">kpropd</primary>
715	</indexterm>
716	</listitem>
717	</varlistentry>
718
719	<varlistentry id="kproplog">
720	<term><command>kproplog</command></term>
721	<listitem>
722	<para>
723	displays the contents of the KDC database update log to standard
724	output
725	</para>
726	<indexterm zone="mitkrb kproplog">
727	<primary sortas="b-kproplog">kproplog</primary>
728	</indexterm>
729	</listitem>
730	</varlistentry>
731
732	<varlistentry id="krb5-config-prog2">
733	<term><command>krb5-config</command></term>
734	<listitem>
735	<para>
736	gives information on how to link programs against
737	libraries
738	</para>
739	<indexterm zone="mitkrb krb5-config-prog2">
740	<primary sortas="b-krb5-config">krb5-config</primary>
741	</indexterm>
742	</listitem>
743	</varlistentry>
744
745	<varlistentry id="krb5kdc">
746	<term><command>krb5kdc</command></term>
747	<listitem>
748	<para>
749	is the <application>Kerberos 5</application> server
750	</para>
751	<indexterm zone="mitkrb krb5kdc">
752	<primary sortas="b-krb5kdc">krb5kdc</primary>
753	</indexterm>
754	</listitem>
755	</varlistentry>
756
757	<varlistentry id="krb5-send-pr">
758	<term><command>krb5-send-pr</command></term>
759	<listitem>
760	<para>
761	sends a problem report (PR) to a central support site
762	</para>
763	<indexterm zone="mitkrb krb5-send-pr">
764	<primary sortas="b-krb-send-pr">krb5-send-pr</primary>
765	</indexterm>
766	</listitem>
767	</varlistentry>
768
769	<varlistentry id="ksu">
770	<term><command>ksu</command></term>
771	<listitem>
772	<para>
773	is the super user program using Kerberos protocol.
774	Requires a properly configured
775	<filename>/etc/shells</filename> and
776	<filename>~/.k5login</filename> containing principals
777	authorized to become super users
778	</para>
779	<indexterm zone="mitkrb ksu">
780	<primary sortas="b-ksu">ksu</primary>
781	</indexterm>
782	</listitem>
783	</varlistentry>
784
785	<varlistentry id="kswitch">
786	<term><command>kswitch</command></term>
787	<listitem>
788	<para>
789	makes the specified credential cache the
790	primary cache for the collection, if a cache
791	collection is available
792	</para>
793	<indexterm zone="mitkrb kswitch">
794	<primary sortas="b-kswitch">kswitch</primary>
795	</indexterm>
796	</listitem>
797	</varlistentry>
798
799	<varlistentry id="ktutil">
800	<term><command>ktutil</command></term>
801	<listitem>
802	<para>
803	is a program for managing Kerberos keytabs
804	</para>
805	<indexterm zone="mitkrb ktutil">
806	<primary sortas="b-ktutil">ktutil</primary>
807	</indexterm>
808	</listitem>
809	</varlistentry>
810
811	<varlistentry id="kvno">
812	<term><command>kvno</command></term>
813	<listitem>
814	<para>
815	prints keyversion numbers of Kerberos principals
816	</para>
817	<indexterm zone="mitkrb kvno">
818	<primary sortas="b-kvno">kvno</primary>
819	</indexterm>
820	</listitem>
821	</varlistentry>
822
823	<varlistentry id="sclient">
824	<term><command>sclient</command></term>
825	<listitem>
826	<para>
827	is used to contact a sample server and authenticate to it
828	using Kerberos 5 tickets, then display the server's
829	response
830	</para>
831	<indexterm zone="mitkrb sclient">
832	<primary sortas="b-sclient">sclient</primary>
833	</indexterm>
834	</listitem>
835	</varlistentry>
836
837	<varlistentry id="sim_client">
838	<term><command>sim_client</command></term>
839	<listitem>
840	<para>
841	is a simple UDP-based sample client program, for
842	demonstration
843	</para>
844	<indexterm zone="mitkrb sim_client">
845	<primary sortas="b-sim_client">sim_client</primary>
846	</indexterm>
847	</listitem>
848	</varlistentry>
849
850	<varlistentry id="sim_server">
851	<term><command>sim_server</command></term>
852	<listitem>
853	<para>
854	is a simple UDP-based server application, for
855	demonstration
856	</para>
857	<indexterm zone="mitkrb sim_server">
858	<primary sortas="b-sim_server">sim_server</primary>
859	</indexterm>
860	</listitem>
861	</varlistentry>
862
863	<varlistentry id="sserver">
864	<term><command>sserver</command></term>
865	<listitem>
866	<para>
867	is the sample Kerberos 5 server
868	</para>
869	<indexterm zone="mitkrb sserver">
870	<primary sortas="b-sserver">sserver</primary>
871	</indexterm>
872	</listitem>
873	</varlistentry>
874
875	<varlistentry id="uuclient">
876	<term><command>uuclient</command></term>
877	<listitem>
878	<para>
879	is another sample client
880	</para>
881	<indexterm zone="mitkrb uuclient">
882	<primary sortas="b-uuclient">uuclient</primary>
883	</indexterm>
884	</listitem>
885	</varlistentry>
886
887	<varlistentry id="uuserver">
888	<term><command>uuserver</command></term>
889	<listitem>
890	<para>
891	is another sample server
892	</para>
893	<indexterm zone="mitkrb uuserver">
894	<primary sortas="b-uuserver">uuserver</primary>
895	</indexterm>
896	</listitem>
897	</varlistentry>
898
899
900	<varlistentry id="libgssapi_krb5">
901	<term><filename class="libraryfile">libgssapi_krb5.so</filename></term>
902	<listitem>
903	<para>
904	contains the Generic Security Service Application Programming
905	Interface (GSSAPI) functions which provides security services
906	to callers in a generic fashion, supportable with a range of
907	underlying mechanisms and technologies and hence allowing
908	source-level portability of applications to different
909	environments
910	</para>
911	<indexterm zone="mitkrb libgssapi_krb5">
912	<primary sortas="c-libgssapi_krb5">libgssapi_krb5.so</primary>
913	</indexterm>
914	</listitem>
915	</varlistentry>
916
917	<varlistentry id="libkadm5clnt">
918	<term><filename class="libraryfile">libkadm5clnt.so</filename></term>
919	<listitem>
920	<para>
921	contains the administrative authentication and password checking
922	functions required by Kerberos 5 client-side programs
923	</para>
924	<indexterm zone="mitkrb libkadm5clnt">
925	<primary sortas="c-libkadm5clnt">libkadm5clnt.so</primary>
926	</indexterm>
927	</listitem>
928	</varlistentry>
929
930	<varlistentry id="libkadm5srv">
931	<term><filename class="libraryfile">libkadm5srv.so</filename></term>
932	<listitem>
933	<para>
934	contains the administrative authentication and password
935	checking functions required by Kerberos 5 servers
936	</para>
937	<indexterm zone="mitkrb libkadm5srv">
938	<primary sortas="c-libkadm5srv">libkadm5srv.so</primary>
939	</indexterm>
940	</listitem>
941	</varlistentry>
942
943	<varlistentry id="libkdb5">
944	<term><filename class="libraryfile">libkdb5.so</filename></term>
945	<listitem>
946	<para>
947	is a Kerberos 5 authentication/authorization database
948	access library
949	</para>
950	<indexterm zone="mitkrb libkdb5">
951	<primary sortas="c-libkdb5">libkdb5.so</primary>
952	</indexterm>
953	</listitem>
954	</varlistentry>
955
956	<varlistentry id="libkrad">
957	<term><filename class="libraryfile">libkrad.so</filename></term>
958	<listitem>
959	<para>
960	contains the internal support library for RADIUS functionality
961	</para>
962	<indexterm zone="mitkrb libkrad">
963	<primary sortas="c-libkrad">libkrad.so</primary>
964	</indexterm>
965	</listitem>
966	</varlistentry>
967
968	<varlistentry id="libkrb5">
969	<term><filename class="libraryfile">libkrb5.so</filename></term>
970	<listitem>
971	<para>
972	is an all-purpose <application>Kerberos 5</application> library
973	</para>
974	<indexterm zone="mitkrb libkrb5">
975	<primary sortas="c-libkrb5">libkrb5.so</primary>
976	</indexterm>
977	</listitem>
978	</varlistentry>
979
980	</variablelist>
981
982	</sect2>
983
984	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: