source: postlfs/security/mitkrb.xml@ 59f6a1f

Last change on this file since 59f6a1f was 29e27d02, checked in by Douglas R. Reno <renodr@…>, 3 years ago

Fix CVE-2021-37750 in MIT Kerberos 5. Suggested in the Samba 4.15.0
release notes.

1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY mitkrb-download-http "https://kerberos.org/dist/krb5/&mitkrb-major-version;/krb5-&mitkrb-version;.tar.gz">
8 <!ENTITY mitkrb-download-ftp " ">
9 <!ENTITY mitkrb-md5sum "eb51b7724111e1a458a8c9a261d45a31">
10 <!ENTITY mitkrb-size "8.3 MB">
11 <!ENTITY mitkrb-buildsize "95 MB (add 24 MB for tests)">
12 <!ENTITY mitkrb-time "0.4 SBU (Using parallelism=4; add 1.6 SBU for tests)">
13]>
14
15<sect1 id="mitkrb" xreflabel="MIT Kerberos V5-&mitkrb-version;">
16 <?dbhtml filename="mitkrb.html"?>
17
18 <sect1info>
19 <date>$Date$</date>
20 </sect1info>
21
22 <title>MIT Kerberos V5-&mitkrb-version;</title>
23
24 <indexterm zone="mitkrb">
25 <primary sortas="a-MIT-Kerberos">MIT Kerberos V5</primary>
26 </indexterm>
27
28 <sect2 role="package">
29 <title>Introduction to MIT Kerberos V5</title>
30
31 <para>
32 <application>MIT Kerberos V5</application> is a free implementation
33 of Kerberos 5. Kerberos is a network authentication protocol. It
34 centralizes the authentication database and uses kerberized
35 applications to work with servers or services that support Kerberos,
36 allowing single logins and encrypted communication over internal
37 networks or the Internet.
38 </para>
39
40 &lfs110a_checked;
41
42 <bridgehead renderas="sect3">Package Information</bridgehead>
43 <itemizedlist spacing="compact">
44 <listitem>
45 <para>
46 Download (HTTP): <ulink url="&mitkrb-download-http;"/>
47 </para>
48 </listitem>
49 <listitem>
50 <para>
51 Download (FTP): <ulink url="&mitkrb-download-ftp;"/>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Download MD5 sum: &mitkrb-md5sum;
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 Download size: &mitkrb-size;
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 Estimated disk space required: &mitkrb-buildsize;
67 </para>
68 </listitem>
69 <listitem>
70 <para>
71 Estimated build time: &mitkrb-time;
72 </para>
73 </listitem>
74 </itemizedlist>
75
76 <bridgehead renderas="sect3">MIT Kerberos V5 Dependencies</bridgehead>
77
78 <bridgehead renderas="sect4">Optional</bridgehead>
79 <para role="optional">
80 <!-- <xref linkend="dejagnu"/> (for full test coverage), -->
81 <xref linkend="bind-utils"/>,
82 <xref linkend="gnupg2"/> (to authenticate the package),
83 <xref linkend="keyutils"/>,
84 <xref linkend="openldap"/>,<!-- Seems so that mit has its own
85 implementation of rpc now.
86 <xref linkend="rpcbind"/> (used during the testsuite),-->
87 <xref linkend="valgrind"/> (used during the testsuite),
88 <xref linkend="yasm"/>,
89 <ulink url="http://thrysoee.dk/editline/">libedit</ulink>,
90 <ulink url="https://cmocka.org/">cmocka</ulink>,
91 <ulink url="https://pypi.org/project/pyrad/">pyrad</ulink>, and
92 <ulink url="https://cwrap.org/resolv_wrapper.html">resolv_wrapper</ulink>
93 </para>
94
95 <note>
96 <para>
97 Some sort of time synchronization facility on your system (like
98 <xref linkend="ntp"/>) is required, since Kerberos won't authenticate
99 if the clocks of a kerberized client and the KDC server differ by
100 more than the permitted clock skew.
101 </para>
102 </note>
103
104 <para condition="html" role="usernotes">User Notes:
105 <ulink url="&blfs-wiki;/mitkrb"/>
106 </para>
107 </sect2>
108
109 <sect2 role="installation">
110 <title>Installation of MIT Kerberos V5</title>
111
112 <para>
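113 First, fix a denial-of-service security vulnerability in the KDC. The command inserts a NULL check after line 210 of <filename>src/kdc/do_tgs_req.c</filename>, so run it only on the unmodified source of this version: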
114 <!-- CVE-2021-37750, mentioned in Samba release notes for 4.15.0. -->
115 </para>
116
117<screen><userinput remap="pre">sed -i '210a if (sprinc == NULL) {\
118 status = "NULL_SERVER";\
119 errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;\
120 goto cleanup;\
121 }' src/kdc/do_tgs_req.c</userinput></screen>
122
123 <para>
124 Build <application>MIT Kerberos V5</application> by running the
125 following commands:
126 </para>
127
128<screen><userinput>cd src &amp;&amp;
129
130sed -i -e 's@\^u}@^u cols 300}@' tests/dejagnu/config/default.exp &amp;&amp;
131sed -i -e '/eq 0/{N;s/12 //}' plugins/kdb/db2/libdb2/test/run.test &amp;&amp;
132sed -i '/t_iprop.py/d' tests/Makefile.in &amp;&amp;
133
134./configure --prefix=/usr \
135 --sysconfdir=/etc \
136 --localstatedir=/var/lib \
137 --runstatedir=/run \
138 --with-system-et \
139 --with-system-ss \
140 --with-system-verto=no \
141 --enable-dns-for-realm &amp;&amp;
142make</userinput></screen>
143
144 <para>
145 To test the build, issue as the <systemitem
146 class="username">root</systemitem> user: <command>make -k -j1 check</command>.
147 <!-- You need at least <xref link end="tcl"/>, which is used to drive the
148 testsuite. Furthermore, <xref link end="dejagnu"/> must be available for
149 some of the tests to run.--> If you have a previous version of MIT Kerberos V5
150 installed, the test suite may pick up the installed versions of the
151 libraries rather than the newly built ones. If so, it is
152 better to run the tests after the installation. Some tests may fail with
153 the latest version of dejagnu and glibc.
154 <!-- Note: on my laptop -j8 fails but -j1 passes -->
155 </para>
156
157 <para>
158 Now, as the <systemitem class="username">root</systemitem> user:
159 </para>
160
161<screen role="root"><userinput>make install &amp;&amp;
162
163install -v -dm755 /usr/share/doc/krb5-&mitkrb-version; &amp;&amp;
164cp -vfr ../doc/* /usr/share/doc/krb5-&mitkrb-version;</userinput></screen>
165
166 </sect2>
167
168 <sect2 role="commands">
169 <title>Command Explanations</title>
170
171 <para>
172 The first <command>sed</command> increases the width of the virtual
173 terminal used for some tests to prevent some spurious text in the output
174 which is taken as a failure. The second <command>sed</command> removes a
175 test that is known to fail. The third <command>sed</command> removes a
176 test that is known to hang.
177 </para>
178
179 <para>
180 <parameter>--localstatedir=/var/lib</parameter>: This option is
181 used so that the Kerberos variable runtime data is located in
182 <filename class="directory">/var/lib</filename> instead of
183 <filename class="directory">/usr/var</filename>.
184 </para>
185
186 <para>
187 <parameter>--runstatedir=/run</parameter>: This option is used so that
188 the Kerberos runtime state information is located in
189 <filename class="directory">/run</filename> instead of the deprecated
190 <filename class="directory">/var/run</filename>.
191 </para>
192
193 <para>
194 <parameter>--with-system-et</parameter>: This switch causes the build
195 to use the system-installed versions of the error-table support
196 software.
197 </para>
198
199 <para>
200 <parameter>--with-system-ss</parameter>: This switch causes the build
201 to use the system-installed versions of the subsystem command-line
202 interface software.
203 </para>
204
205 <para>
206 <parameter>--with-system-verto=no</parameter>: This switch works around a bug in
207 the package: it does not recognize its own previously installed verto
208 library. This is not a problem when reinstalling the same version,
209 but when updating, the old library is used as the system one
210 instead of the new version being installed.
211 </para>
212
213 <para>
214 <parameter>--enable-dns-for-realm</parameter>: This switch allows
215 realms to be resolved using the DNS server.
216 </para>
217
218 <para>
219 <option>--with-ldap</option>: Use this switch if you want to compile the
220 <application>OpenLDAP</application> database backend module.
221 </para>
222
223 <!-- FIXME: Removed due to merged-/usr setup
224 <para>
225 <command>mv -v /usr/lib/libk... /lib </command> and
226 <command>ln -v -sf ../../lib/libk... /usr/lib/libk...</command>:
227 Move critical libraries to the
228 <filename class="directory">/lib</filename> directory so that they are
229 available when the <filename class="directory">/usr</filename>
230 filesystem is not mounted.
231 </para>
232
233 <para>
234 <command>find /usr/lib -type f -name "lib$f*.so*" -exec chmod -v 755 {} \;</command>:
235 This command changes the permissions of installed libraries.
236 </para>
237
238 <para>
239 <command>mv -v /usr/bin/ksu /bin</command>: Moves the
240 <command>ksu</command> program to the
241 <filename class="directory">/bin</filename> directory so that it is
242 available when the <filename class="directory">/usr</filename>
243 filesystem is not mounted.
244 </para>
245 -->
246
247 </sect2>
248
249 <sect2 role="configuration">
250 <title>Configuring MIT Kerberos V5</title>
251
252 <sect3 id="krb5-config">
253 <title>Config Files</title>
254
255 <para>
256 <filename>/etc/krb5.conf</filename> and
257 <filename>/var/lib/krb5kdc/kdc.conf</filename>
258 </para>
259
260 <indexterm zone="mitkrb krb5-config">
261 <primary sortas="e-etc-krb5.conf">/etc/krb5.conf</primary>
262 </indexterm>
263
264 <indexterm zone="mitkrb krb5-config">
265 <primary sortas="e-var-lib-krb5kdc-kdc.conf">/var/lib/krb5kdc/kdc.conf</primary>
266 </indexterm>
267
268 </sect3>
269
270 <sect3>
271 <title>Configuration Information</title>
272
273 <sect4>
274 <title>Kerberos Configuration</title>
275
276 <tip>
277 <para>
278 You should consider installing some sort of password checking
279 dictionary so that you can configure the installation to only
280 accept strong passwords. A suitable dictionary to use is shown in
281 the <xref linkend="cracklib"/> instructions. Note that only one
282 file can be used, but you can concatenate many files into one. The
283 configuration file shown below assumes you have installed a
284 dictionary to <filename>/usr/share/dict/words</filename>.
285 </para>
286 </tip>
287
288 <para>
289 Create the Kerberos configuration file with the following
290 commands issued by the <systemitem class="username">root</systemitem>
291 user:
292 </para>
293
294<screen role="root"><userinput>cat &gt; /etc/krb5.conf &lt;&lt; "EOF"
295<literal># Begin /etc/krb5.conf
296
297[libdefaults]
298 default_realm = <replaceable>&lt;EXAMPLE.ORG&gt;</replaceable>
299 encrypt = true
300
301[realms]
302 <replaceable>&lt;EXAMPLE.ORG&gt;</replaceable> = {
303 kdc = <replaceable>&lt;belgarath.example.org&gt;</replaceable>
304 admin_server = <replaceable>&lt;belgarath.example.org&gt;</replaceable>
305 dict_file = /usr/share/dict/words
306 }
307
308[domain_realm]
309 .<replaceable>&lt;example.org&gt;</replaceable> = <replaceable>&lt;EXAMPLE.ORG&gt;</replaceable>
310
311[logging]
312 kdc = SYSLOG:INFO:AUTH
313 admin_server = SYSLOG:INFO:AUTH
314 default = SYSLOG:DEBUG:DAEMON
315
316# End /etc/krb5.conf</literal>
317EOF</userinput></screen>
318
319 <para>
320 You will need to substitute your domain and proper hostname for the
321 occurrences of the <replaceable>&lt;belgarath&gt;</replaceable> and
322 <replaceable>&lt;example.org&gt;</replaceable> names.
323 </para>
324
325 <para>
326 <option>default_realm</option> should be the name of your
327 domain changed to ALL CAPS. This isn't required, but both
328 <application>Heimdal</application> and MIT recommend it.
329 </para>
330
331 <para>
332 <option>encrypt = true</option> provides encryption of all traffic
333 between kerberized clients and servers. It's not necessary and can
334 be left off. If you leave it off, you can encrypt all traffic from
335 the client to the server using a switch on the client program
336 instead.
337 </para>
338
339 <para>
340 The <option>[realms]</option> parameters tell the client programs
341 where to look for the KDC authentication services.
342 </para>
343
344 <para>
345 The <option>[domain_realm]</option> section maps a domain to a realm.
346 </para>
347
348 <para>
349 Create the KDC database:
350 </para>
351
352<screen role="root"><userinput>kdb5_util create -r <replaceable>&lt;EXAMPLE.ORG&gt;</replaceable> -s</userinput></screen>
353
354 <para>
355 Now you should populate the database with principals
356 (users). For now, just use your regular login name or
357 <systemitem class="username">root</systemitem>.
358 </para>
359
360<screen role="root"><userinput>kadmin.local
361<prompt>kadmin.local:</prompt> add_policy dict-only
362<prompt>kadmin.local:</prompt> addprinc -policy dict-only <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>
363
364 <para>
365 The KDC server and any machine running kerberized
366 server daemons must have a host key installed:
367 </para>
368
369<screen role="root"><userinput><prompt>kadmin.local:</prompt> addprinc -randkey host/<replaceable>&lt;belgarath.example.org&gt;</replaceable></userinput></screen>
370
371 <para>
372 After choosing the defaults when prompted, you will have to
373 export the data to a keytab file:
374 </para>
375
376<screen role="root"><userinput><prompt>kadmin.local:</prompt> ktadd host/<replaceable>&lt;belgarath.example.org&gt;</replaceable></userinput></screen>
377
378 <para>
379 This should have created a file in
380 <filename class="directory">/etc</filename> named
381 <filename>krb5.keytab</filename> (Kerberos 5). This file should
382 have 600 (<systemitem class="username">root</systemitem> rw only)
383 permissions. The keytab holds the host's long-term key, so keeping keytab
384 files from public access is crucial to the overall security of the Kerberos installation.
385 </para>
386
387 <para>
388 Exit the <command>kadmin</command> program (use
389 <command>quit</command> or <command>exit</command>) and return
390 to the shell prompt. Start the KDC daemon manually, just to
391 test out the installation:
392 </para>
393
394<screen role="root"><userinput>/usr/sbin/krb5kdc</userinput></screen>
395
396 <para>
397 Attempt to get a ticket with the following command:
398 </para>
399
400<screen><userinput>kinit <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>
401
402 <para>
403 You will be prompted for the password you created. After you
404 get your ticket, you can list it with the following command:
405 </para>
406
407<screen><userinput>klist</userinput></screen>
408
409 <para>
410 Information about the ticket should be displayed on the
411 screen.
412 </para>
413
414 <para>
415 To test the functionality of the keytab file, issue the
416 following command as the
417 <systemitem class="username">root</systemitem> user:
418 </para>
419
420<screen role="root"><userinput>ktutil
421<prompt>ktutil:</prompt> rkt /etc/krb5.keytab
422<prompt>ktutil:</prompt> l</userinput></screen>
423
424 <para>
425 This should dump a list of the host principal, along with
426 the encryption methods used to access the principal.
427 </para>
428
429 <para>
430 Create an empty ACL file that can be modified later:
431 </para>
432
433<screen role="root"><userinput>touch /var/lib/krb5kdc/kadm5.acl</userinput></screen>
434
435 <para>
436 At this point, if everything has been successful so far, you
437 can feel fairly confident in the installation and configuration of
438 the package.
439 </para>
440
441 </sect4>
442
443 <sect4>
444 <title>Additional Information</title>
445
446 <para>
447 For additional information consult the <ulink
448 url="http://web.mit.edu/kerberos/www/krb5-&mitkrb-major-version;/#documentation">
449 documentation for krb5-&mitkrb-version;</ulink> on which the above
450 instructions are based.
451 </para>
452
453 </sect4>
454
455 </sect3>
456
457 <sect3 id="mitkrb-init">
458 <title><phrase revision="sysv">Init Script</phrase>
459 <phrase revision="systemd">Systemd Unit</phrase></title>
460
461 <para revision="sysv">
462 If you want to start <application>Kerberos</application> services
463 at boot, install the <filename>/etc/rc.d/init.d/krb5</filename> init
464 script included in the <xref linkend="bootscripts"/> package using
465 the following command:
466 </para>
467
468 <para revision="systemd">
469 If you want to start <application>Kerberos</application> services
470 at boot, install the <filename>krb5.service</filename> unit included in
471 the <xref linkend="systemd-units"/> package using the following command:
472 </para>
473
474 <indexterm zone="mitkrb mitkrb-init">
475 <primary sortas="f-krb5">krb5</primary>
476 </indexterm>
477
478<screen role="root"><userinput>make install-krb5</userinput></screen>
479
480 </sect3>
481
482 </sect2>
483
484 <sect2 role="content">
485
486 <title>Contents</title>
487
488 <segmentedlist>
489 <segtitle>Installed Programs</segtitle>
490 <segtitle>Installed Libraries</segtitle>
491 <segtitle>Installed Directories</segtitle>
492
493 <seglistitem>
494 <seg>
495 gss-client, gss-server, k5srvutil, kadmin, kadmin.local,
496 kadmind, kdb5_ldap_util (optional), kdb5_util, kdestroy, kinit, klist,
497 kpasswd, kprop, kpropd, kproplog, krb5-config, krb5-send-pr, krb5kdc,
498 ksu, kswitch, ktutil, kvno, sclient, sim_client, sim_server,
499 sserver, uuclient, and uuserver
500 </seg>
501 <seg>
502 libgssapi_krb5.so, libgssrpc.so, libk5crypto.so, libkadm5clnt_mit.so,
503 libkadm5clnt.so, libkadm5srv_mit.so, libkadm5srv.so, libkdb_ldap.so
504 (optional), libkdb5.so, libkrad.so, libkrb5.so, libkrb5support.so,
505 libverto.so, and some plugins under the /usr/lib/krb5 tree
506 </seg>
507 <seg>
508 /usr/include/{gssapi,gssrpc,kadm5,krb5},
509 /usr/lib/krb5,
510 /usr/share/{doc/krb5-&mitkrb-version;,examples/krb5},
511 /var/lib/krb5kdc, and
512 /run/krb5kdc
513 </seg>
514 </seglistitem>
515 </segmentedlist>
516
517 <variablelist>
518 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
519 <?dbfo list-presentation="list"?>
520 <?dbhtml list-presentation="table"?>
521
522 <varlistentry id="gss-client">
523 <term><command>gss-client</command></term>
524 <listitem>
525 <para>
526 is a GSSAPI test client
527 </para>
528 <indexterm zone="mitkrb gss-client">
529 <primary sortas="b-gss-client">gss-client</primary>
530 </indexterm>
531 </listitem>
532 </varlistentry>
533
534 <varlistentry id="gss-server">
535 <term><command>gss-server</command></term>
536 <listitem>
537 <para>
538 is a GSSAPI test server
539 </para>
540 <indexterm zone="mitkrb gss-server">
541 <primary sortas="b-gss-server">gss-server</primary>
542 </indexterm>
543 </listitem>
544 </varlistentry>
545
546 <varlistentry id="k5srvutil">
547 <term><command>k5srvutil</command></term>
548 <listitem>
549 <para>
550 is a host keytable manipulation utility
551 </para>
552 <indexterm zone="mitkrb k5srvutil">
553 <primary sortas="b-k5srvutil">k5srvutil</primary>
554 </indexterm>
555 </listitem>
556 </varlistentry>
557
558 <varlistentry id="kadmin">
559 <term><command>kadmin</command></term>
560 <listitem>
561 <para>
562 is a utility used to make modifications
563 to the Kerberos database
564 </para>
565 <indexterm zone="mitkrb kadmin">
566 <primary sortas="b-kadmin">kadmin</primary>
567 </indexterm>
568 </listitem>
569 </varlistentry>
570
571 <varlistentry id="kadmin.local">
572 <term><command>kadmin.local</command></term>
573 <listitem>
574 <para>
575 is a utility similar to <command>kadmin</command>, but if the
576 database is db2, the local client <command>kadmin.local</command>
577 is intended to run directly on the master KDC without Kerberos
578 authentication
579 </para>
580 <indexterm zone="mitkrb kadmin.local">
581 <primary sortas="b-kadmin.local">kadmin.local</primary>
582 </indexterm>
583 </listitem>
584 </varlistentry>
585
586 <varlistentry id="kadmind">
587 <term><command>kadmind</command></term>
588 <listitem>
589 <para>
590 is a server for administrative access
591 to a Kerberos database
592 </para>
593 <indexterm zone="mitkrb kadmind">
594 <primary sortas="b-kadmind">kadmind</primary>
595 </indexterm>
596 </listitem>
597 </varlistentry>
598
599 <varlistentry id="kdb5_ldap_util">
600 <term><command>kdb5_ldap_util (optional)</command></term>
601 <listitem>
602 <para>
603 allows an administrator to manage realms, Kerberos services
604 and ticket policies
605 </para>
606 <indexterm zone="mitkrb kdb5_ldap_util">
607 <primary sortas="b-kdb5_ldap_util">kdb5_ldap_util</primary>
608 </indexterm>
609 </listitem>
610 </varlistentry>
611
612 <varlistentry id="kdb5_util">
613 <term><command>kdb5_util</command></term>
614 <listitem>
615 <para>
616 is the KDC database utility
617 </para>
618 <indexterm zone="mitkrb kdb5_util">
619 <primary sortas="b-kdb5_util">kdb5_util</primary>
620 </indexterm>
621 </listitem>
622 </varlistentry>
623
624 <varlistentry id="kdestroy">
625 <term><command>kdestroy</command></term>
626 <listitem>
627 <para>
628 removes the current set of tickets
629 </para>
630 <indexterm zone="mitkrb kdestroy">
631 <primary sortas="b-kdestroy">kdestroy</primary>
632 </indexterm>
633 </listitem>
634 </varlistentry>
635
636 <varlistentry id="kinit">
637 <term><command>kinit</command></term>
638 <listitem>
639 <para>
640 is used to authenticate to the Kerberos server as a
641 principal and acquire a ticket granting ticket that can
642 later be used to obtain tickets for other services
643 </para>
644 <indexterm zone="mitkrb kinit">
645 <primary sortas="b-kinit">kinit</primary>
646 </indexterm>
647 </listitem>
648 </varlistentry>
649
650 <varlistentry id="klist">
651 <term><command>klist</command></term>
652 <listitem>
653 <para>
654 reads and displays the current tickets in
655 the credential cache
656 </para>
657 <indexterm zone="mitkrb klist">
658 <primary sortas="b-klist">klist</primary>
659 </indexterm>
660 </listitem>
661 </varlistentry>
662
663 <varlistentry id="kpasswd">
664 <term><command>kpasswd</command></term>
665 <listitem>
666 <para>
667 is a program for changing Kerberos 5 passwords
668 </para>
669 <indexterm zone="mitkrb kpasswd">
670 <primary sortas="b-kpasswd">kpasswd</primary>
671 </indexterm>
672 </listitem>
673 </varlistentry>
674
675 <varlistentry id="kprop">
676 <term><command>kprop</command></term>
677 <listitem>
678 <para>
679 takes a principal database in a specified format and
680 converts it into a stream of database records
681 </para>
682 <indexterm zone="mitkrb kprop">
683 <primary sortas="b-kprop">kprop</primary>
684 </indexterm>
685 </listitem>
686 </varlistentry>
687
688 <varlistentry id="kpropd">
689 <term><command>kpropd</command></term>
690 <listitem>
691 <para>
692 receives a database sent by <command>kprop</command>
693 and writes it as a local database
694 </para>
695 <indexterm zone="mitkrb kpropd">
696 <primary sortas="b-kpropd">kpropd</primary>
697 </indexterm>
698 </listitem>
699 </varlistentry>
700
701 <varlistentry id="kproplog">
702 <term><command>kproplog</command></term>
703 <listitem>
704 <para>
705 displays the contents of the KDC database update log to standard
706 output
707 </para>
708 <indexterm zone="mitkrb kproplog">
709 <primary sortas="b-kproplog">kproplog</primary>
710 </indexterm>
711 </listitem>
712 </varlistentry>
713
714 <varlistentry id="krb5-config-prog2">
715 <term><command>krb5-config</command></term>
716 <listitem>
717 <para>
718 gives information on how to link programs against
719 libraries
720 </para>
721 <indexterm zone="mitkrb krb5-config-prog2">
722 <primary sortas="b-krb5-config">krb5-config</primary>
723 </indexterm>
724 </listitem>
725 </varlistentry>
726
727 <varlistentry id="krb5kdc">
728 <term><command>krb5kdc</command></term>
729 <listitem>
730 <para>
731 is the <application>Kerberos 5</application> server
732 </para>
733 <indexterm zone="mitkrb krb5kdc">
734 <primary sortas="b-krb5kdc">krb5kdc</primary>
735 </indexterm>
736 </listitem>
737 </varlistentry>
738
739 <varlistentry id="krb5-send-pr">
740 <term><command>krb5-send-pr</command></term>
741 <listitem>
742 <para>
743 sends a problem report (PR) to a central support site
744 </para>
745 <indexterm zone="mitkrb krb5-send-pr">
746 <primary sortas="b-krb-send-pr">krb5-send-pr</primary>
747 </indexterm>
748 </listitem>
749 </varlistentry>
750
751 <varlistentry id="ksu">
752 <term><command>ksu</command></term>
753 <listitem>
754 <para>
755 is the super user program using the Kerberos protocol.
756 Requires a properly configured
757 <filename>/etc/shells</filename> and
758 <filename>~/.k5login</filename> containing principals
759 authorized to become super users
760 </para>
761 <indexterm zone="mitkrb ksu">
762 <primary sortas="b-ksu">ksu</primary>
763 </indexterm>
764 </listitem>
765 </varlistentry>
766
767 <varlistentry id="kswitch">
768 <term><command>kswitch</command></term>
769 <listitem>
770 <para>
771 makes the specified credential cache the
772 primary cache for the collection, if a cache
773 collection is available
774 </para>
775 <indexterm zone="mitkrb kswitch">
776 <primary sortas="b-kswitch">kswitch</primary>
777 </indexterm>
778 </listitem>
779 </varlistentry>
780
781 <varlistentry id="ktutil">
782 <term><command>ktutil</command></term>
783 <listitem>
784 <para>
785 is a program for managing Kerberos keytabs
786 </para>
787 <indexterm zone="mitkrb ktutil">
788 <primary sortas="b-ktutil">ktutil</primary>
789 </indexterm>
790 </listitem>
791 </varlistentry>
792
793 <varlistentry id="kvno">
794 <term><command>kvno</command></term>
795 <listitem>
796 <para>
797 prints keyversion numbers of Kerberos principals
798 </para>
799 <indexterm zone="mitkrb kvno">
800 <primary sortas="b-kvno">kvno</primary>
801 </indexterm>
802 </listitem>
803 </varlistentry>
804
805 <varlistentry id="sclient">
806 <term><command>sclient</command></term>
807 <listitem>
808 <para>
809 is used to contact a sample server and authenticate to it
810 using Kerberos 5 tickets, then display the server's
811 response
812 </para>
813 <indexterm zone="mitkrb sclient">
814 <primary sortas="b-sclient">sclient</primary>
815 </indexterm>
816 </listitem>
817 </varlistentry>
818
819 <varlistentry id="sim_client">
820 <term><command>sim_client</command></term>
821 <listitem>
822 <para>
823 is a simple UDP-based sample client program, for
824 demonstration
825 </para>
826 <indexterm zone="mitkrb sim_client">
827 <primary sortas="b-sim_client">sim_client</primary>
828 </indexterm>
829 </listitem>
830 </varlistentry>
831
832 <varlistentry id="sim_server">
833 <term><command>sim_server</command></term>
834 <listitem>
835 <para>
836 is a simple UDP-based server application, for
837 demonstration
838 </para>
839 <indexterm zone="mitkrb sim_server">
840 <primary sortas="b-sim_server">sim_server</primary>
841 </indexterm>
842 </listitem>
843 </varlistentry>
844
845 <varlistentry id="sserver">
846 <term><command>sserver</command></term>
847 <listitem>
848 <para>
849 is the sample Kerberos 5 server
850 </para>
851 <indexterm zone="mitkrb sserver">
852 <primary sortas="b-sserver">sserver</primary>
853 </indexterm>
854 </listitem>
855 </varlistentry>
856
857 <varlistentry id="uuclient">
858 <term><command>uuclient</command></term>
859 <listitem>
860 <para>
861 is another sample client
862 </para>
863 <indexterm zone="mitkrb uuclient">
864 <primary sortas="b-uuclient">uuclient</primary>
865 </indexterm>
866 </listitem>
867 </varlistentry>
868
869 <varlistentry id="uuserver">
870 <term><command>uuserver</command></term>
871 <listitem>
872 <para>
873 is another sample server
874 </para>
875 <indexterm zone="mitkrb uuserver">
876 <primary sortas="b-uuserver">uuserver</primary>
877 </indexterm>
878 </listitem>
879 </varlistentry>
880
881
882 <varlistentry id="libgssapi_krb5">
883 <term><filename class="libraryfile">libgssapi_krb5.so</filename></term>
884 <listitem>
885 <para>
886 contains the Generic Security Service Application Programming
887 Interface (GSSAPI) functions, which provide security services
888 to callers in a generic fashion, supportable with a range of
889 underlying mechanisms and technologies and hence allowing
890 source-level portability of applications to different
891 environments
892 </para>
893 <indexterm zone="mitkrb libgssapi_krb5">
894 <primary sortas="c-libgssapi_krb5">libgssapi_krb5.so</primary>
895 </indexterm>
896 </listitem>
897 </varlistentry>
898
899 <varlistentry id="libkadm5clnt">
900 <term><filename class="libraryfile">libkadm5clnt.so</filename></term>
901 <listitem>
902 <para>
903 contains the administrative authentication and password checking
904 functions required by Kerberos 5 client-side programs
905 </para>
906 <indexterm zone="mitkrb libkadm5clnt">
907 <primary sortas="c-libkadm5clnt">libkadm5clnt.so</primary>
908 </indexterm>
909 </listitem>
910 </varlistentry>
911
912 <varlistentry id="libkadm5srv">
913 <term><filename class="libraryfile">libkadm5srv.so</filename></term>
914 <listitem>
915 <para>
916 contains the administrative authentication and password
917 checking functions required by Kerberos 5 servers
918 </para>
919 <indexterm zone="mitkrb libkadm5srv">
920 <primary sortas="c-libkadm5srv">libkadm5srv.so</primary>
921 </indexterm>
922 </listitem>
923 </varlistentry>
924
925 <varlistentry id="libkdb5">
926 <term><filename class="libraryfile">libkdb5.so</filename></term>
927 <listitem>
928 <para>
929 is a Kerberos 5 authentication/authorization database
930 access library
931 </para>
932 <indexterm zone="mitkrb libkdb5">
933 <primary sortas="c-libkdb5">libkdb5.so</primary>
934 </indexterm>
935 </listitem>
936 </varlistentry>
937
938 <varlistentry id="libkrad">
939 <term><filename class="libraryfile">libkrad.so</filename></term>
940 <listitem>
941 <para>
942 contains the internal support library for RADIUS functionality
943 </para>
944 <indexterm zone="mitkrb libkrad">
945 <primary sortas="c-libkrad">libkrad.so</primary>
946 </indexterm>
947 </listitem>
948 </varlistentry>
949
950 <varlistentry id="libkrb5">
951 <term><filename class="libraryfile">libkrb5.so</filename></term>
952 <listitem>
953 <para>
954 is an all-purpose <application>Kerberos 5</application> library
955 </para>
956 <indexterm zone="mitkrb libkrb5">
957 <primary sortas="c-libkrb5">libkrb5.so</primary>
958 </indexterm>
959 </listitem>
960 </varlistentry>
961
962 </variablelist>
963
964 </sect2>
965
966</sect1>