source: postlfs/security/mitkrb.xml@ 7a23e9d

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY mitkrb-download-http "https://kerberos.org/dist/krb5/&mitkrb-major-version;/krb5-&mitkrb-version;.tar.gz">
  <!ENTITY mitkrb-download-ftp  " ">
  <!ENTITY mitkrb-md5sum        "3b729d89eb441150e146780c4138481b">
  <!ENTITY mitkrb-size          "8.4 MB">
  <!ENTITY mitkrb-buildsize     "104 MB (add 26 MB for tests)">
  <!ENTITY mitkrb-time          "0.4 SBU (using parallelism=4; add 2.2 SBU for tests)">
]>

<sect1 id="mitkrb" xreflabel="MIT Kerberos V5-&mitkrb-version;">
  <?dbhtml filename="mitkrb.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>MIT Kerberos V5-&mitkrb-version;</title>

  <indexterm zone="mitkrb">
    <primary sortas="a-MIT-Kerberos">MIT Kerberos V5</primary>
  </indexterm>

    <sect2 role="package">
      <title>Introduction to MIT Kerberos V5</title>

    <para>
      <application>MIT Kerberos V5</application> is a free implementation
      of Kerberos 5. Kerberos is a network authentication protocol. It
      centralizes the authentication database and uses kerberized
      applications to work with servers or services that support Kerberos
      allowing single logins and encrypted communication over internal
      networks or the Internet.
    </para>

    &lfs84_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&mitkrb-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&mitkrb-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &mitkrb-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &mitkrb-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &mitkrb-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &mitkrb-time;
        </para>
      </listitem>
    </itemizedlist>

<!-- Patch is not needed for this version, but don't remove this.
    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Patch required on systems with IPv4 only enabled:
          <ulink url="&patch-root;/mitkrb-&mitkrb-version;-fix_ipv4_only-1.patch"/>
        </para>
      </listitem>
    </itemizedlist>
-->

    <bridgehead renderas="sect3">MIT Kerberos V5 Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="dejagnu"/> (for full test coverage),
      <xref linkend="gnupg2"/> (to authenticate the package),
      <xref linkend="keyutils"/>,
      <xref linkend="openldap"/>,
      <xref linkend="python2"/> (used during the testsuite),
      <xref linkend="rpcbind"/> (used during the testsuite), and
      <xref linkend="valgrind"/> (used during the test suite)
    </para>

    <note>
      <para>
        Some sort of time synchronization facility on your system (like
        <xref linkend="ntp"/>) is required since Kerberos won't authenticate
        if there is a time difference between a kerberized client and the
        KDC server.
      </para>
    </note>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/mitkrb"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of MIT Kerberos V5</title>

<!-- PATCH IS REJECTED - ALREADY PATCHED
    <para>
      If your system is configured to support only IPv4, apply the following
      patch:
    </para>

<screen><userinput>patch -p1 -i ../mitkrb-&mitkrb-version;-fix_ipv4_only-1.patch</userinput></screen>
-->

    <para>
      Build <application>MIT Kerberos V5</application> by running the
      following commands:
    </para>

<screen><userinput>cd src &amp;&amp;
 
sed -i -e 's@\^u}@^u cols 300}@' tests/dejagnu/config/default.exp     &amp;&amp;
sed -i -e '/eq 0/{N;s/12 //}'    plugins/kdb/db2/libdb2/test/run.test &amp;&amp;

./configure --prefix=/usr            \
            --sysconfdir=/etc        \
            --localstatedir=/var/lib \
            --without-system-et      \
            --without-system-ss      \
            --with-system-verto=no   \
            --enable-dns-for-realm &amp;&amp;
make</userinput></screen>

    <para>
      To test the build, issue as the <systemitem
      class="username">root</systemitem> user: <command>make -k check</command>.
      You need at least <xref linkend="tcl"/>, which is used to drive the
      testsuite.  Furthermore, <xref linkend="dejagnu"/> must be available for
      some of the tests to run. If you have a former version of MIT Kerberos V5
      installed, it may happen that the test suite pick up the installed
      versions of the libraries, rather than the newly built ones. If so, it is
      better to run the tests after the installation. The t_ccselect test
      is known to fail.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;

for f in gssapi_krb5 gssrpc k5crypto kadm5clnt kadm5srv \
         kdb5 kdb_ldap krad krb5 krb5support verto ; do

    find /usr/lib -type f -name "lib$f*.so*" -exec chmod -v 755 {} \;    
done          &amp;&amp;

mv -v /usr/lib/libkrb5.so.3*        /lib &amp;&amp;
mv -v /usr/lib/libk5crypto.so.3*    /lib &amp;&amp;
mv -v /usr/lib/libkrb5support.so.0* /lib &amp;&amp;

ln -v -sf ../../lib/libkrb5.so.3.3        /usr/lib/libkrb5.so        &amp;&amp;
ln -v -sf ../../lib/libk5crypto.so.3.1    /usr/lib/libk5crypto.so    &amp;&amp;
ln -v -sf ../../lib/libkrb5support.so.0.1 /usr/lib/libkrb5support.so &amp;&amp;

mv -v /usr/bin/ksu /bin &amp;&amp;
chmod -v 755 /bin/ksu   &amp;&amp;

install -v -dm755 /usr/share/doc/krb5-&mitkrb-version; &amp;&amp;
cp -vfr ../doc/*  /usr/share/doc/krb5-&mitkrb-version;</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      The first sed increases the width of the virtual terminal used for some
      tests to prevent some spurious text in the output which is taken as a
      failure. The second <command>sed</command> removes a test that is known
      to fail.
    </para>

    <para>
      <parameter>--localstatedir=/var/lib</parameter>: This option is
      used so that the Kerberos variable run-time data is located in
      <filename class="directory">/var/lib</filename> instead of
      <filename class="directory">/usr/var</filename>.
    </para>
    <!-- This was broken with e2fsprogs-1.45.0. The API functions in the
         libcom_err.so library were changed, and one of the functions that
         KRB5 looks for was removed. As a result, we need to use the system
         versions for the time being. Check this again at the end of the 9.0
         release cycle, or at the next version of MIT Kerberos 5. -->
    <!--
    <para>
      <parameter>- -with-system-et</parameter>: This switch causes the build
      to use the system-installed versions of the error-table support
      software.
    </para>

    <para>
      <parameter>- -with-system-ss</parameter>: This switch causes the build
      to use the system-installed versions of the subsystem command-line
      interface software.
    </para>
    -->

    <para>
      <parameter>--without-system-et</parameter>: This switch uses the internal
      version of the error-table support library because the version that is
      shipped with e2fsprogs is now incompatible.
    </para>

    <para>
      <parameter>--without-system-ss</parameter>: This switch uses the internal
      version of the subsystem command-line interface software because the version
      that is shipped with e2fsprogs is now incompatible.
    </para>

    <para>
      <parameter>--with-system-verto=no</parameter>: This switch fixes a bug in
      the package: it does not recognize its own verto library installed
      previously. This is not a problem, if reinstalling the same version,
      but if you are updating, the old library is used as system's one,
      instead of installing the new version.
    </para>

    <para>
      <parameter>--enable-dns-for-realm</parameter>: This switch allows
      realms to be resolved using the DNS server.
    </para>

    <para>
      <option>--with-ldap</option>: Use this switch if you want to compile the
      <application>OpenLDAP</application> database backend module.
    </para>

    <para>
      <command>mv -v /usr/lib/libk... /lib </command> and 
      <command>ln -v -sf ../../lib/libk... /usr/lib/libk...</command>: 
      Move critical libraries to the
      <filename class="directory">/lib</filename> directory so that they are
      available when the <filename class="directory">/usr</filename>
      filesystem is not mounted.
    </para>

    <para>
      <command>find /usr/lib -type f -name "lib$f*.so*" -exec chmod -v 755 {} \;</command>: 
      This command changes the permisison of installed libraries.  
    </para>

    <para>
      <command>mv -v /usr/bin/ksu /bin</command>: Moves the
      <command>ksu</command> program to the
      <filename class="directory">/bin</filename> directory so that it is
      available when the <filename class="directory">/usr</filename>
      filesystem is not mounted.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring MIT Kerberos V5</title>

    <sect3 id="krb5-config">
      <title>Config Files</title>

      <para>
        <filename>/etc/krb5.conf</filename> and
        <filename>/var/lib/krb5kdc/kdc.conf</filename>
      </para>

      <indexterm zone="mitkrb krb5-config">
        <primary sortas="e-etc-krb5.conf">/etc/krb5.conf</primary>
      </indexterm>

      <indexterm zone="mitkrb krb5-config">
        <primary sortas="e-var-lib-krb5kdc-kdc.conf">/var/lib/krb5kdc/kdc.conf</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <sect4>
        <title>Kerberos Configuration</title>

        <tip>
          <para>
            You should consider installing some sort of password checking
            dictionary so that you can configure the installation to only
            accept strong passwords. A suitable dictionary to use is shown in
            the <xref linkend="cracklib"/> instructions. Note that only one
            file can be used, but you can concatenate many files into one. The
            configuration file shown below assumes you have installed a
            dictionary to <filename>/usr/share/dict/words</filename>.
          </para>
        </tip>

        <para>
          Create the Kerberos configuration file with the following
          commands issued by the <systemitem class="username">root</systemitem>
          user:
        </para>

<screen role="root"><userinput>cat &gt; /etc/krb5.conf &lt;&lt; "EOF"
<literal># Begin /etc/krb5.conf

[libdefaults]
    default_realm = <replaceable>&lt;EXAMPLE.ORG&gt;</replaceable>
    encrypt = true

[realms]
    <replaceable>&lt;EXAMPLE.ORG&gt;</replaceable> = {
        kdc = <replaceable>&lt;belgarath.example.org&gt;</replaceable>
        admin_server = <replaceable>&lt;belgarath.example.org&gt;</replaceable>
        dict_file = /usr/share/dict/words
    }

[domain_realm]
    .<replaceable>&lt;example.org&gt;</replaceable> = <replaceable>&lt;EXAMPLE.ORG&gt;</replaceable>

[logging]
    kdc = SYSLOG:INFO:AUTH
    admin_server = SYSLOG:INFO:AUTH
    default = SYSLOG:DEBUG:DAEMON

# End /etc/krb5.conf</literal>
EOF</userinput></screen>

        <para>
          You will need to substitute your domain and proper hostname for the
          occurrences of the <replaceable>&lt;belgarath&gt;</replaceable> and
          <replaceable>&lt;example.org&gt;</replaceable> names.
        </para>

        <para>
          <option>default_realm</option> should be the name of your
          domain changed to ALL CAPS. This isn't required, but both
          <application>Heimdal</application> and MIT recommend it.
        </para>

        <para>
          <option>encrypt = true</option> provides encryption of all traffic
          between kerberized clients and servers. It's not necessary and can
          be left off. If you leave it off, you can encrypt all traffic from
          the client to the server using a switch on the client program
          instead.
        </para>

        <para>
          The <option>[realms]</option> parameters tell the client programs
          where to look for the KDC authentication services.
        </para>

        <para>
          The <option>[domain_realm]</option> section maps a domain to a realm.
        </para>

        <para>
          Create the KDC database:
       </para>

<screen role="root"><userinput>kdb5_util create -r <replaceable>&lt;EXAMPLE.ORG&gt;</replaceable> -s</userinput></screen>

        <para>
          Now you should populate the database with principals
          (users). For now, just use your regular login name or
          <systemitem class="username">root</systemitem>.
        </para>

<screen role="root"><userinput>kadmin.local
<prompt>kadmin.local:</prompt> add_policy dict-only
<prompt>kadmin.local:</prompt> addprinc -policy dict-only <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>

        <para>
          The KDC server and any machine running kerberized
          server daemons must have a host key installed:
        </para>

<screen role="root"><userinput><prompt>kadmin.local:</prompt> addprinc -randkey host/<replaceable>&lt;belgarath.example.org&gt;</replaceable></userinput></screen>

        <para>
          After choosing the defaults when prompted, you will have to
          export the data to a keytab file:
        </para>

<screen role="root"><userinput><prompt>kadmin.local:</prompt> ktadd host/<replaceable>&lt;belgarath.example.org&gt;</replaceable></userinput></screen>

        <para>
          This should have created a file in
          <filename class="directory">/etc</filename> named
          <filename>krb5.keytab</filename> (Kerberos 5). This file should
          have 600 (<systemitem class="username">root</systemitem> rw only)
          permissions. Keeping the keytab files from public access is crucial
          to the overall security of the Kerberos installation.
        </para>

        <para>
          Exit the <command>kadmin</command> program (use
          <command>quit</command> or <command>exit</command>) and return
          back to the shell prompt. Start the KDC daemon manually, just to
          test out the installation:
        </para>

<screen role="root"><userinput>/usr/sbin/krb5kdc</userinput></screen>

        <para>
          Attempt to get a ticket with the following command:
        </para>

<screen><userinput>kinit <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>

        <para>
          You will be prompted for the password you created. After you
          get your ticket, you can list it with the following command:
        </para>

<screen><userinput>klist</userinput></screen>

        <para>
          Information about the ticket should be displayed on the
          screen.
        </para>

        <para>
          To test the functionality of the keytab file, issue the
          following command:
        </para>

<screen><userinput>ktutil
<prompt>ktutil:</prompt> rkt /etc/krb5.keytab
<prompt>ktutil:</prompt> l</userinput></screen>

        <para>
          This should dump a list of the host principal, along with
          the encryption methods used to access the principal.
        </para>

        <para>
          At this point, if everything has been successful so far, you
          can feel fairly confident in the installation and configuration of
          the package.
        </para>

      </sect4>

      <sect4>
        <title>Additional Information</title>

        <para>
          For additional information consult the <ulink
          url="http://web.mit.edu/kerberos/www/krb5-&mitkrb-major-version;/#documentation">
          documentation for krb5-&mitkrb-version;</ulink> on which the above
          instructions are based.
        </para>

      </sect4>

    </sect3>

    <sect3 id="mitkrb-init">
      <title><phrase revision="sysv">Init Script</phrase>
             <phrase revision="systemd">Systemd Unit</phrase></title>

      <para revision="sysv">
        If you want to start <application>Kerberos</application> services
        at boot, install the <filename>/etc/rc.d/init.d/krb5</filename> init
        script included in the <xref linkend="bootscripts"/> package using
        the following command:
      </para>

      <para revision="systemd">
        If you want to start <application>Kerberos</application> services
        at boot, install the <filename>krb5.service</filename> unit included in
        the <xref linkend="systemd-units"/> package using the following command:
      </para>

      <indexterm zone="mitkrb mitkrb-init">
        <primary sortas="f-krb5">krb5</primary>
      </indexterm>

<screen role="root"><userinput>make install-krb5</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">

    <title>Contents</title>
    <para></para>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          gss-client, gss-server, k5srvutil, kadmin, kadmin.local,
          kadmind, kdb5_ldap_util (optional), kdb5_util, kdestroy, kinit, klist,
          kpasswd, kprop, kpropd, kproplog, krb5-config, krb5kdc, krb5-send-pr,
          ksu, kswitch, ktutil, kvno, sclient, sim_client, sim_server,
          sserver, uuclient, and uuserver
        </seg>
        <seg>
          libgssapi_krb5.so, libgssrpc.so, libk5crypto.so, libkadm5clnt_mit.so,
          libkadm5clnt.so, libkadm5srv_mit.so, libkadm5srv.so, libkdb_ldap.so
          (optional), libkdb5.so, libkrad.so, libkrb5.so, libkrb5support.so,
          libverto.so, and some plugins under the /usr/lib/krb5 tree
        </seg>
        <seg>
          /usr/include/{gssapi,gssrpc,kadm5,krb5},
          /usr/lib/krb5,
          /usr/share/{doc/krb5-&mitkrb-version;,examples/krb5},
          /var/lib/krb5kdc, and 
          /var/lib/run/krb5kdc 
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="gss-client">
        <term><command>gss-client</command></term>
        <listitem>
          <para>
            is a GSSAPI test client.
          </para>
          <indexterm zone="mitkrb gss-client">
            <primary sortas="b-gss-client">gss-client</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="gss-server">
        <term><command>gss-server</command></term>
        <listitem>
          <para>
            is a GSSAPI test server.
          </para>
          <indexterm zone="mitkrb gss-server">
            <primary sortas="b-gss-server">gss-server</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="k5srvutil">
        <term><command>k5srvutil</command></term>
        <listitem>
          <para>
            is a host keytable manipulation utility.
          </para>
          <indexterm zone="mitkrb k5srvutil">
            <primary sortas="b-k5srvutil">k5srvutil</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kadmin">
        <term><command>kadmin</command></term>
        <listitem>
          <para>
            is an utility used to make modifications
            to the Kerberos database.
          </para>
          <indexterm zone="mitkrb kadmin">
            <primary sortas="b-kadmin">kadmin</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kadmin.local">
        <term><command>kadmin.local</command></term>
        <listitem>
          <para>
            is an utility similar to <command>kadmin</command>, but if the
            database is db2, the local client <command>kadmin.local</command>,
            is intended to run directly on the master KDC without Kerberos
            authentication.
          </para>
          <indexterm zone="mitkrb kadmin.local">
            <primary sortas="b-kadmin.local">kadmin.local</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kadmind">
        <term><command>kadmind</command></term>
        <listitem>
          <para>
            is a server for administrative access
            to a Kerberos database.
          </para>
          <indexterm zone="mitkrb kadmind">
            <primary sortas="b-kadmind">kadmind</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kdb5_ldap_util">
        <term><command>kdb5_ldap_util (optional)</command></term>
        <listitem>
          <para>
            allows an administrator to manage realms, Kerberos services
            and ticket policies.
          </para>
          <indexterm zone="mitkrb kdb5_ldap_util">
            <primary sortas="b-kdb5_ldap_util">kdb5_ldap_util</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kdb5_util">
        <term><command>kdb5_util</command></term>
        <listitem>
          <para>
            is the KDC database utility.
          </para>
          <indexterm zone="mitkrb kdb5_util">
            <primary sortas="b-kdb5_util">kdb5_util</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kdestroy">
        <term><command>kdestroy</command></term>
        <listitem>
          <para>
            removes the current set of tickets.
          </para>
          <indexterm zone="mitkrb kdestroy">
            <primary sortas="b-kdestroy">kdestroy</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kinit">
        <term><command>kinit</command></term>
        <listitem>
          <para>
            is used to authenticate to the Kerberos server as a
            principal and acquire a ticket granting ticket that can
            later be used to obtain tickets for other services.
          </para>
          <indexterm zone="mitkrb kinit">
            <primary sortas="b-kinit">kinit</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="klist">
        <term><command>klist</command></term>
        <listitem>
          <para>
            reads and displays the current tickets in
            the credential cache.
          </para>
          <indexterm zone="mitkrb klist">
            <primary sortas="b-klist">klist</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kpasswd">
        <term><command>kpasswd</command></term>
        <listitem>
          <para>
            is a program for changing Kerberos 5 passwords.
          </para>
          <indexterm zone="mitkrb kpasswd">
            <primary sortas="b-kpasswd">kpasswd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kprop">
        <term><command>kprop</command></term>
        <listitem>
          <para>
            takes a principal database in a specified format and
            converts it into a stream of database records.
          </para>
          <indexterm zone="mitkrb kprop">
            <primary sortas="b-kprop">kprop</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kpropd">
        <term><command>kpropd</command></term>
        <listitem>
          <para>
            receives a database sent by <command>kprop</command>
            and writes it as a local database.
          </para>
          <indexterm zone="mitkrb kpropd">
            <primary sortas="b-kpropd">kpropd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kproplog">
        <term><command>kproplog</command></term>
        <listitem>
          <para>
            displays the contents of the KDC database update log to standard
            output.
          </para>
          <indexterm zone="mitkrb kproplog">
            <primary sortas="b-kproplog">kproplog</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="krb5-config-prog2">
        <term><command>krb5-config</command></term>
        <listitem>
          <para>
            gives information on how to link programs against
            libraries.
          </para>
          <indexterm zone="mitkrb krb5-config-prog2">
            <primary sortas="b-krb5-config">krb5-config</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="krb5kdc">
        <term><command>krb5kdc</command></term>
        <listitem>
          <para>
            is the <application>Kerberos 5</application> server.
          </para>
          <indexterm zone="mitkrb krb5kdc">
            <primary sortas="b-krb5kdc">krb5kdc</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="krb5-send-pr">
        <term><command>krb5-send-pr</command></term>
        <listitem>
          <para>
            sends a problem report (PR) to a central support site.
          </para>
          <indexterm zone="mitkrb krb5-send-pr">
            <primary sortas="b-krb-send-pr">krb5-send-pr</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ksu">
        <term><command>ksu</command></term>
        <listitem>
          <para>
            is the super user program using Kerberos protocol.
            Requires a properly configured
            <filename>/etc/shells</filename> and
            <filename>~/.k5login</filename> containing principals
            authorized to become super users.
          </para>
          <indexterm zone="mitkrb ksu">
            <primary sortas="b-ksu">ksu</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kswitch">
        <term><command>kswitch</command></term>
        <listitem>
          <para>
            makes the specified credential cache the
            primary cache for the collection, if a cache
            collection is available.
          </para>
          <indexterm zone="mitkrb kswitch">
            <primary sortas="b-kswitch">kswitch</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ktutil">
        <term><command>ktutil</command></term>
        <listitem>
          <para>
            is a program for managing Kerberos keytabs.
          </para>
          <indexterm zone="mitkrb ktutil">
            <primary sortas="b-ktutil">ktutil</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kvno">
        <term><command>kvno</command></term>
        <listitem>
          <para>
            prints keyversion numbers of Kerberos principals.
          </para>
          <indexterm zone="mitkrb kvno">
            <primary sortas="b-kvno">kvno</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sclient">
        <term><command>sclient</command></term>
        <listitem>
          <para>
            is used to contact a sample server and authenticate to it
            using Kerberos 5 tickets, then display the server's
            response.
          </para>
          <indexterm zone="mitkrb sclient">
            <primary sortas="b-sclient">sclient</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sim_client">
        <term><command>sim_client</command></term>
        <listitem>
          <para>
            is a simple UDP-based sample client program, for
            demonstration.
          </para>
          <indexterm zone="mitkrb sim_client">
            <primary sortas="b-sim_client">sim_client</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sim_server">
        <term><command>sim_server</command></term>
        <listitem>
          <para>
            is a simple UDP-based server application, for
            demonstration.
          </para>
          <indexterm zone="mitkrb sim_server">
            <primary sortas="b-sim_server">sim_server</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sserver">
        <term><command>sserver</command></term>
        <listitem>
          <para>
            is the sample Kerberos 5 server.
          </para>
          <indexterm zone="mitkrb sserver">
            <primary sortas="b-sserver">sserver</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="uuclient">
        <term><command>uuclient</command></term>
        <listitem>
          <para>
            is another sample client.
          </para>
          <indexterm zone="mitkrb uuclient">
            <primary sortas="b-uuclient">uuclient</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="uuserver">
        <term><command>uuserver</command></term>
        <listitem>
          <para>
            is another sample server.
          </para>
          <indexterm zone="mitkrb uuserver">
            <primary sortas="b-uuserver">uuserver</primary>
          </indexterm>
        </listitem>
      </varlistentry>


      <varlistentry id="libgssapi_krb5">
        <term><filename class="libraryfile">libgssapi_krb5.so</filename></term>
        <listitem>
          <para>
            contains the Generic Security Service Application Programming
            Interface (GSSAPI) functions which provides security services
            to callers in a generic fashion, supportable with a range of
            underlying mechanisms and technologies and hence allowing
            source-level portability of applications to different
            environments.
          </para>
          <indexterm zone="mitkrb libgssapi_krb5">
            <primary sortas="c-libgssapi_krb5">libgssapi_krb5.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkadm5clnt">
        <term><filename class="libraryfile">libkadm5clnt.so</filename></term>
        <listitem>
          <para>
            contains the administrative authentication and password checking
            functions required by Kerberos 5 client-side programs.
          </para>
          <indexterm zone="mitkrb libkadm5clnt">
            <primary sortas="c-libkadm5clnt">libkadm5clnt.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkadm5srv">
        <term><filename class="libraryfile">libkadm5srv.so</filename></term>
        <listitem>
          <para>
            contains the administrative authentication and password
            checking functions required by Kerberos 5 servers.
          </para>
          <indexterm zone="mitkrb libkadm5srv">
            <primary sortas="c-libkadm5srv">libkadm5srv.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkdb5">
        <term><filename class="libraryfile">libkdb5.so</filename></term>
        <listitem>
          <para>
            is a Kerberos 5 authentication/authorization database
            access library.
          </para>
          <indexterm zone="mitkrb libkdb5">
            <primary sortas="c-libkdb5">libkdb5.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkrad">
        <term><filename class="libraryfile">libkrad.so</filename></term>
        <listitem>
          <para>
            contains the internal support library for RADIUS functionality.
          </para>
          <indexterm zone="mitkrb libkrad">
            <primary sortas="c-libkrad">libkrad.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkrb5">
        <term><filename class="libraryfile">libkrb5.so</filename></term>
        <listitem>
          <para>
            is an all-purpose <application>Kerberos 5</application> library.
          </para>
          <indexterm zone="mitkrb libkrb5">
            <primary sortas="c-libkrb5">libkrb5.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>