Context Navigation

← Previous Changeset
Next Changeset →

Changeset 84418e6

Timestamp:

05/13/2005 11:36:47 PM (19 years ago)

Author:

Manuel Canales Esparcia <manuel@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

3493b1f

Parents:

07d11f5

Message:

Tagged heimdal.xml

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@4199 af4574ff-66df-0310-9fd7-8a98e5e911e0

File:

: 1 edited

postlfs/security/heimdal.xml (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

postlfs/security/heimdal.xml

-              r07d11f5
+              r84418e6
 <sect1 id="heimdal" xreflabel="Heimdal-&heimdal-version;">
+<sect1info>
+<othername>$LastChangedBy$</othername>
+<date>$Date$</date>
+</sect1info>
+<?dbhtml filename="heimdal.html"?>
+<title>Heimdal-&heimdal-version;</title>
+<indexterm zone="heimdal">
+<primary sortas="a-Heimdal">Heimdal</primary>
+</indexterm>
+<sect2>
+<title>Introduction to <application>Heimdal</application></title>
+<para><application>Heimdal</application> is a free implementation of Kerberos
+, that aims to be compatible with <acronym>MIT</acronym> krb5 and is backwards
+compatible with krb4. Kerberos is a network authentication protocol. Basically
+it preserves the integrity of passwords in any untrusted network (like the
+Internet). Kerberized applications work hand-in-hand with sites that support
+Kerberos to ensure that passwords cannot be stolen. A Kerberos installation
+will make changes to the authentication mechanisms on your network and will
+overwrite several programs and daemons from the
+<application>Coreutils</application>, <application>Inetutils</application>,
+<application>Qpopper</application> and <application>Shadow</application>
+packages.</para>
+<sect3><title>Package information</title>
+<itemizedlist spacing='compact'>
+<listitem><para>Download (HTTP):
+<ulink url="&heimdal-download-http;"/></para></listitem>
+<listitem><para>Download (FTP):
+<ulink url="&heimdal-download-ftp;"/></para></listitem>
+<listitem><para>Download MD5 sum: &heimdal-md5sum;</para></listitem>
+<listitem><para>Download size: &heimdal-size;</para></listitem>
+<listitem><para>Estimated disk space required:
+&heimdal-buildsize;</para></listitem>
+<listitem><para>Estimated build time:
+&heimdal-time;</para></listitem></itemizedlist>
+</sect3>
+<sect3><title>Additional downloads</title>
+<itemizedlist spacing='compact'>
+<listitem><para>Required Patch: <ulink
+url="&patch-root;/heimdal-&heimdal-version;-fhs_compliance-1.patch"/></para>
+</listitem>
+<listitem><para>Required patch for cracklib: <ulink
+url="&patch-root;/heimdal-&heimdal-version;-cracklib-1.patch"/></para>
+</listitem>
+</itemizedlist>
+</sect3>
+<sect3><title><application>Heimdal</application> dependencies</title>
+<sect4><title>Required</title>
+<para><xref linkend="openssl"/> and
+<xref linkend="db"/></para>
+</sect4>
+<sect4><title>Optional</title>
+<para><xref linkend="Linux_PAM"/>,
+<xref linkend="openldap"/>,
+X (<xref linkend="xorg"/> or <xref linkend="xfree86"/>),
+<xref linkend="cracklib"/> and
+<ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink></para>
+<note><para>Some sort of time synchronization facility on your system (like
+<xref linkend="ntp"/>) is required since Kerberos won't authenticate if the
+time differential between a kerberized client and the
+<acronym>KDC</acronym> server is more than 5 minutes.</para></note>
+</sect4>
+</sect3>
+</sect2>
+<sect2>
+<title>Installation of <application>Heimdal</application></title>
+<para>Before installing the package, you may want to preserve the
+<command>ftp</command> program from the <application>Inetutils</application>
+package. This is because using the <application>Heimdal</application>
+<command>ftp</command> program to connect to non-kerberized ftp servers may
+not work properly. It will allow you to connect (letting you know that
+transmission of the password is clear text) but will have problems doing puts
+and gets. Issue the following command as the root user.</para>
+<screen><userinput role='root'><command>mv /usr/bin/ftp /usr/bin/ftpn</command></userinput></screen>
+<para>If you wish the <application>Heimdal</application> package to link
+against the <application>cracklib</application> library, you must apply a
+patch:</para>
+<screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-cracklib-1.patch</command></userinput></screen>
+<para>Install <application>Heimdal</application> by running the following
+commands:</para>
+<screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-fhs_compliance-1.patch &amp;&amp;
+  <?dbhtml filename="heimdal.html"?>
+  <sect1info>
+    <othername>$LastChangedBy$</othername>
+    <date>$Date$</date>
+  </sect1info>
+  <title>Heimdal-&heimdal-version;</title>
+  <indexterm zone="heimdal">
+    <primary sortas="a-Heimdal">Heimdal</primary>
+  </indexterm>
+  <sect2 role="package">
+    <title>Introduction to Heimdal</title>
+    <para><application>Heimdal</application> is a free implementation
+    of Kerberos 5, that aims to be compatible with MIT krb5 and is
+    backwards compatible with krb4. Kerberos is a network authentication
+    protocol. Basically it preserves the integrity of passwords in any
+    untrusted network (like the Internet). Kerberized applications work
+    hand-in-hand with sites that support Kerberos to ensure that passwords
+    cannot be stolen. A Kerberos installation will make changes to the
+    authentication mechanisms on your network and will overwrite several
+    programs and daemons from the <application>Coreutils</application>,
+    <application>Inetutils</application>, <application>Qpopper</application>
+    and <application>Shadow</application> packages.</para>
+    <bridgehead renderas="sect3">Package Information</bridgehead>
+    <itemizedlist spacing="compact">
+      <listitem>
+        <para>Download (HTTP): <ulink url="&heimdal-download-http;"/></para>
+      </listitem>
+      <listitem>
+        <para>Download (FTP): <ulink url="&heimdal-download-ftp;"/></para>
+      </listitem>
+      <listitem>
+        <para>Download MD5 sum: &heimdal-md5sum;</para>
+      </listitem>
+      <listitem>
+        <para>Download size: &heimdal-size;</para>
+      </listitem>
+      <listitem>
+        <para>Estimated disk space required: &heimdal-buildsize;</para>
+      </listitem>
+      <listitem>
+        <para>Estimated build time: &heimdal-time;</para>
+      </listitem>
+    </itemizedlist>
+    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
+    <itemizedlist spacing='compact'>
+      <listitem>
+        <para>Required Patch: <ulink
+        url="&patch-root;/heimdal-&heimdal-version;-fhs_compliance-1.patch"/></para>
+      </listitem>
+      <listitem>
+        <para>Required patch for <application>cracklib</application>: <ulink
+        url="&patch-root;/heimdal-&heimdal-version;-cracklib-1.patch"/></para>
+      </listitem>
+    </itemizedlist>
+    <bridgehead renderas="sect3">Heimdal Dependencies</bridgehead>
+    <bridgehead renderas="sect4">Required</bridgehead>
+    <para><xref linkend="openssl"/> and
+    <xref linkend="db"/></para>
+    <bridgehead renderas="sect4">Optional</bridgehead>
+    <para><xref linkend="Linux_PAM"/>,
+    <xref linkend="openldap"/>,
+    X (<xref linkend="xorg"/> or <xref linkend="xfree86"/>),
+    <xref linkend="cracklib"/> and
+    <ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink></para>
+    <note>
+      <para>Some sort of time synchronization facility on your system
+      (like <xref linkend="ntp"/>) is required since Kerberos won't
+      authenticate if the time differential between a kerberized client
+      and the KDC server is more than 5 minutes.</para>
+    </note>
+  </sect2>
+  <sect2 role="installation">
+    <title>Installation of Heimdal</title>
+    <para>Before installing the package, you may want to preserve the
+    <command>ftp</command> program from the <application>Inetutils</application>
+    package. This is because using the <application>Heimdal</application>
+    <command>ftp</command> program to connect to non-kerberized ftp servers may
+    not work properly. It will allow you to connect (letting you know that
+    transmission of the password is clear text) but will have problems doing puts
+    and gets. Issue the following command as the <systemitem
+    class="username">root</systemitem> user.</para>
+<screen role="root"><userinput>mv -v /usr/bin/ftp /usr/bin/ftpn</userinput></screen>
+    <para>If you wish the <application>Heimdal</application> package to
+    link against the <application>cracklib</application> library, you
+    must apply a patch:</para>
+<screen><userinput>patch -Np1 -i ../heimdal-&heimdal-version;-cracklib-1.patch</userinput></screen>
+    <para>Install <application>Heimdal</application> by running the following
+    commands:</para>
+<screen><userinput>patch -Np1 -i ../heimdal-&heimdal-version;-fhs_compliance-1.patch &amp;&amp;
 ./configure --prefix=/usr --sysconfdir=/etc/heimdal \
     --datadir=/var/lib/heimdal --localstatedir=/var/lib/heimdal \
     --libexecdir=/usr/sbin --enable-shared \
     --with-openssl=/usr --with-readline=/usr &amp;&amp;
 make</command></userinput></screen>
 <para>Now, as the root user:</para>
 <screen><userinput role='root'><command>make install &amp;&amp;
 mv /bin/login /bin/login.shadow &amp;&amp;
 mv /bin/su /bin/su.shadow &amp;&amp;
 mv /usr/bin/{login,su} /bin &amp;&amp;
 ln -sf ../../bin/login /usr/bin &amp;&amp;
 mv /usr/lib/lib{otp.so.0*,kafs.so.0*,krb5.so.17*,asn1.so.6*} \
+make</userinput></screen>
+    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
+<screen role="root"><userinput>make install &amp;&amp;
+mv -v /bin/login /bin/login.shadow &amp;&amp;
+mv -v /bin/su /bin/su.shadow &amp;&amp;
+mv -v /usr/bin/{login,su} /bin &amp;&amp;
+ln -v -sf ../../bin/login /usr/bin &amp;&amp;
+mv -v /usr/lib/lib{otp.so.0*,kafs.so.0*,krb5.so.17*,asn1.so.6*} \
    /usr/lib/lib{roken.so.16*,crypto.so.0*,db-4.3.so} /lib &amp;&amp;
 ln -sf ../../lib/lib{otp.so.0{,.1.4},kafs.so.0{,.4.0},db-4.3.so} \
+ln -v -sf ../../lib/lib{otp.so.0{,.1.4},kafs.so.0{,.4.0},db-4.3.so} \
     /usr/lib &amp;&amp;
 ln -sf ../../lib/lib{krb5.so.17{,.3.0},asn1.so.6{,.0.2}} \
+ln -v -sf ../../lib/lib{krb5.so.17{,.3.0},asn1.so.6{,.0.2}} \
     /usr/lib &amp;&amp;
 ln -sf ../../lib/lib{roken.so.16{,.0.3},crypto.so.0{,.9.7}} \
+ln -v -sf ../../lib/lib{roken.so.16{,.0.3},crypto.so.0{,.9.7}} \
     /usr/lib &amp;&amp;
+ldconfig</command></userinput></screen>
+</sect2>
+<sect2>
+<title>Command explanations</title>
+<para><parameter>--libexecdir=/usr/sbin</parameter>: This switch puts the
+daemon programs into <filename class="directory">/usr/sbin</filename>.
+</para>
+<note><para>
+If you want to preserve all your existing <application>Inetutils</application>
+package daemons, install the <application>Heimdal</application> daemons into
+<filename class="directory">/usr/sbin/heimdal</filename> (or wherever you
+want). Since these programs will be called from <command>(x)inetd</command> or
+<filename>rc</filename> scripts, it really doesn't matter where they are
+installed, as long as they are correctly specified in the
+<filename>/etc/(x)inetd.conf</filename> file and <filename>rc</filename>
+scripts. If you choose something other than
+<filename class="directory">/usr/sbin</filename>, you may want to move some of
+the user programs (such as <command>kadmin</command>) to
+<filename class="directory">/usr/sbin</filename> manually so they'll be in the
+privileged user's default path.</para></note>
+<para><command>mv ... .shadow; mv ... /bin; ln -sf ../../bin...</command>: The
+<command>login</command> and <command>su</command> programs installed by
+<application>Heimdal</application> belong in the
+<filename class="directory">/bin</filename> directory. The
+<command>login</command> program is symlinked because
+<application>Heimdal</application> is expecting to find it in
+<filename class="directory">/usr/bin</filename>. The old executables are
+preserved before the move to keep things sane should breaks occur.</para>
+<para><command>mv ... /lib; ln -sf ../../lib/lib... /usr/lib</command>: The
+<command>login</command> and <command>su</command> programs installed by
+<application>Heimdal</application> link against
+<application>Heimdal</application> libraries as well as libraries provided by
+the <application>Open<acronym>SSL</acronym></application> and
+<application>Berkeley <acronym>DB</acronym></application> packages. These
+libraries are moved to <filename class="directory">/lib</filename> to be
+<acronym>FHS</acronym> compliant and also in case
+<filename class="directory">/usr</filename> is located on a separate partition
+which may not always be mounted.</para>
+</sect2>
+<sect2>
+<title>Configuring <application>Heimdal</application></title>
+<sect3 id="heimdal-config"><title>Config files</title>
+<para><filename>/etc/heimdal/*</filename></para>
+<indexterm zone="heimdal heimdal-config">
+<primary sortas="e-etc-heimdal">/etc/heimdal/*</primary>
+</indexterm>
+</sect3>
+<sect3><title>Configuration Information</title>
+<sect4><title>Master <acronym>KDC</acronym> Server Configuration</title>
+<para>Create the Kerberos configuration file with the following
+commands:</para>
+<screen><userinput role='root'><command>install -d /etc/heimdal &amp;&amp;
+cat &gt; /etc/heimdal/krb5.conf &lt;&lt; "EOF"</command>
+# Begin /etc/heimdal/krb5.conf
+ldconfig</userinput></screen>
+  </sect2>
+  <sect2 role="commands">
+    <title>Command Explanations</title>
+    <para><parameter>--libexecdir=/usr/sbin</parameter>: This switch
+    puts the daemon programs into
+    <filename class="directory">/usr/sbin</filename>.</para>
+    <note>
+      <para>If you want to preserve all your existing
+      <application>Inetutils</application> package daemons, install the
+      <application>Heimdal</application> daemons into
+      <filename class="directory">/usr/sbin/heimdal</filename> (or wherever
+      you want). Since these programs will be called from
+      <command>(x)inetd</command> or <filename>rc</filename> scripts, it
+      really doesn't matter where they are installed, as long as they are
+      correctly specified in the <filename>/etc/(x)inetd.conf</filename> file
+      and <filename>rc</filename> scripts. If you choose something other than
+      <filename class="directory">/usr/sbin</filename>, you may want to move
+      some of the user programs (such as <command>kadmin</command>) to
+      <filename class="directory">/usr/sbin</filename> manually so they'll be
+      in the privileged user's default path.</para>
+    </note>
+    <para><command>mv ... .shadow; mv ... /bin; ln -v -sf ../../bin...</command>:
+    The <command>login</command> and <command>su</command> programs installed by
+    <application>Heimdal</application> belong in the
+    <filename class="directory">/bin</filename> directory. The
+    <command>login</command> program is symlinked because
+    <application>Heimdal</application> is expecting to find it in
+    <filename class="directory">/usr/bin</filename>. The old executables are
+    preserved before the move to keep things sane should breaks occur.</para>
+    <para><command>mv ... /lib; ln -sf ../../lib/lib... /usr/lib</command>:
+    The <command>login</command> and <command>su</command> programs installed
+    by <application>Heimdal</application> link against
+    <application>Heimdal</application> libraries as well as libraries provided
+    by the <application>OpenSSL</application> and
+    <application>Berkeley DB</application> packages. These
+    libraries are moved to <filename class="directory">/lib</filename> to be
+    FHS compliant and also in case
+    <filename class="directory">/usr</filename> is located on a separate partition
+    which may not always be mounted.</para>
+  </sect2>
+  <sect2 role="configuration">
+    <title>Configuring Heimdal</title>
+    <sect3 id="heimdal-config">
+      <title>Config Files</title>
+      <para><filename>/etc/heimdal/*</filename></para>
+      <indexterm zone="heimdal heimdal-config">
+        <primary sortas="e-etc-heimdal">/etc/heimdal/*</primary>
+      </indexterm>
+    </sect3>
+    <sect3>
+      <title>Configuration Information</title>
+      <sect4>
+        <title>Master KDC Server Configuration</title>
+        <para>Create the Kerberos configuration file with the
+        following commands:</para>
+<screen role="root"><userinput>install -v -d /etc/heimdal &amp;&amp;
+cat &gt; /etc/heimdal/krb5.conf &lt;&lt; "EOF"
+<literal># Begin /etc/heimdal/krb5.conf
 [libdefaults]
 …
     default = FILE:/var/log/krb.log
+# End /etc/heimdal/krb5.conf
+<command>EOF</command></userinput></screen>
+<para>You will need to substitute your domain and proper hostname for the
+occurrences of the <replaceable>[hostname]</replaceable> and
+<replaceable>[EXAMPLE.COM]</replaceable> names.</para>
+<para><userinput>default_realm</userinput> should be the name of your domain
+changed to ALL CAPS. This isn't required, but both
+<application>Heimdal</application> and <application><acronym>MIT</acronym>
+krb5</application> recommend it.</para>
+<para><userinput>encrypt = true</userinput> provides encryption of all traffic
+between kerberized clients and servers. It's not necessary and can be left
+off. If you leave it off, you can encrypt all traffic from the client to the
+server using a switch on the client program instead.</para>
+<para>The <userinput>[realms]</userinput> parameters tell the client programs
+where to look for the <acronym>KDC</acronym> authentication services.</para>
+<para>The <userinput>[domain_realm]</userinput> section maps a domain to a
+realm.</para>
+<para>Store the master password in a key file using the following
+commands:</para>
+<screen><userinput role='root'><command>install -d -m 755 /var/lib/heimdal &amp;&amp;
+kstash</command></userinput></screen>
+<para>Create the <acronym>KDC</acronym> database:</para>
+<screen><userinput role='root'><command>kadmin -l</command></userinput></screen>
+<para>Choose the defaults for now. You can go in later and change the
+defaults, should you feel the need. At the
+<userinput>kadmin&gt;</userinput> prompt, issue the following statement:</para>
+<screen><userinput role='root'><command>init <replaceable>[EXAMPLE.COM]</replaceable></command></userinput></screen>
+<para>The database must now be populated with at least one principle (user).
+For now, just use your regular login name or root. You may create as few, or
+as many principles as you wish using the following statement:</para>
+<screen><userinput role='root'><command>add <replaceable>[loginname]</replaceable></command></userinput></screen>
+<para>The <acronym>KDC</acronym> server and any machine running kerberized
+server daemons must have a host key installed:</para>
+<screen><userinput role='root'><command>add --random-key host/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
+<para>After choosing the defaults when prompted, you will have to export the
+data to a keytab file:</para>
+<screen><userinput role='root'><command>ext host/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
+<para>This should have created two files in
+<filename class="directory">/etc/heimdal</filename>:
+<filename>krb5.keytab</filename> (Kerberos 5) and
+<filename>srvtab</filename> (Kerberos 4). Both files should have 600
+(root rw only) permissions. Keeping the keytab files from public access
+is crucial to the overall security of the Kerberos installation.</para>
+<para>Eventually, you'll want to add server daemon principles to the database
+and extract them to the keytab file. You do this in the same way you created
+the host principles. Below is an example:</para>
+<screen><userinput role='root'><command>add --random-key ftp/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
+<para>(choose the defaults)</para>
+<screen><userinput role='root'><command>ext ftp/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
+<para>Exit the <command>kadmin</command> program (use <command>quit</command>
+or <command>exit</command>) and return back to the shell prompt. Start
+the <acronym>KDC</acronym> daemon manually, just to test out the
+installation:</para>
+<screen><userinput role='root'><command>/usr/sbin/kdc &amp;</command></userinput></screen>
+<para>Attempt to get a <acronym>TGT</acronym> (ticket granting ticket) with
+the following command:</para>
+<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
+<para>You will be prompted for the password you created. After you get your
+ticket, you should list it with the following command:</para>
+<screen><userinput><command>klist</command></userinput></screen>
+<para>Information about the ticket should be displayed on the screen.</para>
+<para>To test the functionality of the keytab file, issue the following
+command:</para>
+<screen><userinput><command>ktutil list</command></userinput></screen>
+<para>This should dump a list of the host principals, along with the encryption
+methods used to access the principals.</para>
+<para>At this point, if everything has been successful so far, you can feel
+fairly confident in the installation and configuration of the package.</para>
+<para id="heimdal-init">Install the
+<filename>/etc/rc.d/init.d/heimdal</filename> init script included in the
+<xref linkend="intro-important-bootscripts"/> package:</para>
+<indexterm zone="heimdal heimdal-init">
+<primary sortas="f-heimdal">heimdal</primary>
+</indexterm>
+<screen><userinput role='root'><command>make install-heimdal</command></userinput></screen>
+</sect4>
+<sect4><title>Using Kerberized Client Programs</title>
+<para>To use the kerberized client programs (<command>telnet</command>,
+<command>ftp</command>, <command>rsh</command>,
+<command>rxterm</command>, <command>rxtelnet</command>,
+<command>rcp</command>, <command>xnlock</command>), you first must get
+a <acronym>TGT</acronym>. Use the <command>kinit</command> program to
+get the ticket. After you've acquired the ticket, you can use the
+kerberized programs to connect to any kerberized server on the network.
+You will not be prompted for authentication until your ticket expires
+(default is one day), unless you specify a different user as a command
+line argument to the program.</para>
+<para>The kerberized programs will connect to non-kerberized daemons, warning
+you that authentication is not encrypted. As mentioned earlier, only the
+<command>ftp</command> program gives any trouble connecting to
+non-kerberized daemons.</para>
+<para>In order to use the <application>Heimdal</application>
+<application>X</application> programs, you'll need to add a service port
+entry to the <filename>/etc/services</filename> file for the
+<command>kxd</command> server. There is no 'standardized port number' for
+the 'kx' service in the <acronym>IANA</acronym> database, so you'll have to
+pick an unused port number. Add an entry to the <filename>services</filename>
+file similar to the entry below (substitute your chosen port number for
+<replaceable>[49150]</replaceable>):</para>
+<screen><userinput role='root'>kx              <replaceable>[49150]</replaceable>/tcp   # Heimdal kerberos X
+kx              <replaceable>[49150]</replaceable>/udp   # Heimdal kerberos X</userinput></screen>
+<para>For additional information consult <ulink
+url="http://www.linuxfromscratch.org/hints/downloads/files/heimdal.txt">the
+Heimdal hint</ulink> on which the above instructions are based.</para>
+</sect4>
+</sect3>
+</sect2>
+<sect2>
+<title>Contents</title>
+<segmentedlist>
+<segtitle>Installed Programs</segtitle>
+<segtitle>Installed Libraries</segtitle>
+<segtitle>Installed Directories</segtitle>
+<seglistitem>
+<seg>afslog, dump_log, ftp, ftpd, hprop, hpropd, ipropd-master, ipropd-slave,
+kadmin, kadmind, kauth, kdc, kdestroy, kf, kfd, kgetcred, kinit, klist,
+kpasswd, kpasswdd, krb5-config, kstash, ktutil, kx, kxd, login, mk_cmds, otp,
+otpprint, pagsh, pfrom, popper, push, rcp, replay_log, rsh, rshd, rxtelnet,
+rxterm, string2key, su, telnet, telnetd, tenletxr, truncate-log,
+verify_krb5_conf and xnlock</seg>
+<seg>libasn1.[so,a], libeditline.a, libgssapi.[so,a], libhdb.[so,a],
+libkadm5clnt.[so,a], libkadm5srv.[so,a], libkafs.[so,a], libkrb5.[so,a],
+libotp.[so,a], libroken.[so,a], libsl.[so,a] and libss.[so,a]</seg>
+<seg>/etc/heimdal, /usr/include/kadm5, /usr/include/ss and
+/var/lib/heimdal</seg>
+</seglistitem>
+</segmentedlist>
+<variablelist>
+<bridgehead renderas="sect3">Short Descriptions</bridgehead>
+<?dbfo list-presentation="list"?>
+<varlistentry id="afslog">
+<term><command>afslog</command></term>
+<listitem><para>obtains <acronym>AFS</acronym> tokens for a number of
+cells.</para>
+<indexterm zone="heimdal afslog">
+<primary sortas="b-afslog">afslog</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="ftp">
+<term><command>ftp</command></term>
+<listitem><para>is a kerberized <acronym>FTP</acronym> client.</para>
+<indexterm zone="heimdal ftp">
+<primary sortas="b-ftp">ftp</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="ftpd">
+<term><command>ftpd</command></term>
+<listitem><para>is a kerberized <acronym>FTP</acronym> daemon.</para>
+<indexterm zone="heimdal ftpd">
+<primary sortas="b-ftpd">ftpd</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="hprop">
+<term><command>hprop</command></term>
+<listitem><para> takes a principal database in a specified format and converts
+it into a stream of <application>Heimdal</application> database records.</para>
+<indexterm zone="heimdal hprop">
+<primary sortas="b-hprop">hprop</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="hpropd">
+<term><command>hpropd</command></term>
+<listitem><para>is a server that receives a database sent by
+<command>hprop</command> and writes it as a local database.</para>
+<indexterm zone="heimdal hpropd">
+<primary sortas="b-hpropd">hpropd</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="ipropd-master">
+<term><command>ipropd-master</command></term>
+<listitem><para>is a daemon which runs on the master <acronym>KDC</acronym>
+server which incrementally propogates changes to the <acronym>KDC</acronym>
+database to the slave <acronym>KDC</acronym> servers.</para>
+<indexterm zone="heimdal ipropd-master">
+<primary sortas="b-ipropd-master">ipropd-master</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="ipropd-slave">
+<term><command>ipropd-slave</command></term>
+<listitem><para>is a daemon which runs on the slave <acronym>KDC</acronym>
+servers which incrementally propogates changes to the <acronym>KDC</acronym>
+database from the master <acronym>KDC</acronym> server.</para>
+<indexterm zone="heimdal ipropd-slave">
+<primary sortas="b-ipropd-slave">ipropd-slave</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="kadmin">
+<term><command>kadmin</command></term>
+<listitem><para>is a utility used to make modifications to the Kerberos
+database.</para>
+<indexterm zone="heimdal kadmin">
+<primary sortas="b-kadmin">kadmin</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="kadmind">
+<term><command>kadmind</command></term>
+<listitem><para>is a server for administrative access to the Kerberos
+database.</para>
+<indexterm zone="heimdal kadmind">
+<primary sortas="b-kadmind">kadmind</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="kauth">
+<term><command>kauth</command></term>
+<listitem><para>is a symbolic link to the <command>kinit</command>
+program.</para>
+<indexterm zone="heimdal kauth">
+<primary sortas="g-kauth">kauth</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="kdc">
+<term><command>kdc</command></term>
+<listitem><para>is a Kerberos 5 server.</para>
+<indexterm zone="heimdal kdc">
+<primary sortas="b-kdc">kdc</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="kdestroy">
+<term><command>kdestroy</command></term>
+<listitem><para>removes a principle's current set of tickets.</para>
+<indexterm zone="heimdal kdestroy">
+<primary sortas="b-kdestroy">kdestroy</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="kf">
+<term><command>kf</command></term>
+<listitem><para>is a program which forwards tickets to a remote host through
+an authenticated and encrypted stream.</para>
+<indexterm zone="heimdal kf">
+<primary sortas="b-kf">kf</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="kfd">
+<term><command>kfd</command></term>
+<listitem><para>is a server used to receive forwarded tickets.</para>
+<indexterm zone="heimdal kfd">
+<primary sortas="b-kfd">kfd</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="kgetcred">
+<term><command>kgetcred</command></term>
+<listitem><para>obtains a ticket for a service.</para>
+<indexterm zone="heimdal kgetcred">
+<primary sortas="b-kgetcred">kgetcred</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="kinit">
+<term><command>kinit</command></term>
+<listitem><para>is used to authenticate to the Kerberos server as a principal
+and acquire a ticket granting ticket that can later be used to obtain tickets
+for other services.</para>
+<indexterm zone="heimdal kinit">
+<primary sortas="b-kinit">kinit</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="klist">
+<term><command>klist</command></term>
+<listitem><para>reads and displays the current tickets in the credential
+cache.</para>
+<indexterm zone="heimdal klist">
+<primary sortas="b-klist">klist</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="kpasswd">
+<term><command>kpasswd</command></term>
+<listitem><para>is a program for changing Kerberos 5 passwords.</para>
+<indexterm zone="heimdal kpasswd">
+<primary sortas="b-kpasswd">kpasswd</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="kpasswdd">
+<term><command>kpasswdd</command></term>
+<listitem><para>is a Kerberos 5 password changing server.</para>
+<indexterm zone="heimdal kpasswdd">
+<primary sortas="b-kpasswdd">kpasswdd</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="krb5-config-prog">
+<term><command>krb5-config</command></term>
+<listitem><para>gives information on how to link programs against
+<application>Heimdal</application> libraries.</para>
+<indexterm zone="heimdal krb5-config-prog">
+<primary sortas="b-krb5-config">krb5-config</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="kstash">
+<term><command>kstash</command></term>
+<listitem><para>stores the <acronym>KDC</acronym> master password in a
+file.</para>
+<indexterm zone="heimdal kstash">
+<primary sortas="b-kstash">kstash</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="ktutil">
+<term><command>ktutil</command></term>
+<listitem><para>is a program for managing Kerberos keytabs.</para>
+<indexterm zone="heimdal ktutil">
+<primary sortas="b-ktutil">ktutil</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="kx">
+<term><command>kx</command></term>
+<listitem><para>is a program which securely forwards
+<application>X</application> connections.</para>
+<indexterm zone="heimdal kx">
+<primary sortas="b-kx">kx</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="kxd">
+<term><command>kxd</command></term>
+<listitem><para>is the daemon for <command>kx</command>.</para>
+<indexterm zone="heimdal kxd">
+<primary sortas="b-kxd">kxd</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="login">
+<term><command>login</command></term>
+<listitem><para>is a kerberized login program.</para>
+<indexterm zone="heimdal login">
+<primary sortas="b-login">login</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="otp">
+<term><command>otp</command></term>
+<listitem><para>manages one-time passwords.</para>
+<indexterm zone="heimdal otp">
+<primary sortas="b-otp">otp</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="otpprint">
+<term><command>otpprint</command></term>
+<listitem><para>prints lists of one-time passwords.</para>
+<indexterm zone="heimdal otpprint">
+<primary sortas="b-otpprint">otpprint</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="pfrom">
+<term><command>pfrom</command></term>
+<listitem><para>is a script that runs <command>push --from</command>.</para>
+<indexterm zone="heimdal pfrom">
+<primary sortas="b-pfrom">pfrom</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="popper">
+<term><command>popper</command></term>
+<listitem><para>is a kerberized <acronym>POP</acronym>-3 server.</para>
+<indexterm zone="heimdal popper">
+<primary sortas="b-popper">popper</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="push">
+<term><command>push</command></term>
+<listitem><para>is a kerberized <acronym>POP</acronym> mail retreival
+client.</para>
+<indexterm zone="heimdal push">
+<primary sortas="b-push">push</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="rcp">
+<term><command>rcp</command></term>
+<listitem><para>is a kerberized rcp client program.</para>
+<indexterm zone="heimdal rcp">
+<primary sortas="b-rcp">rcp</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="rsh">
+<term><command>rsh</command></term>
+<listitem><para>is a kerberized rsh client program.</para>
+<indexterm zone="heimdal rsh">
+<primary sortas="b-rsh">rsh</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="rshd">
+<term><command>rshd</command></term>
+<listitem><para>is a kerberized rsh server.</para>
+<indexterm zone="heimdal rshd">
+<primary sortas="b-rshd">rshd</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="rxtelnet">
+<term><command>rxtelnet</command></term>
+<listitem><para>starts a secure <command>xterm</command> window with a
+<command>telnet</command> to a given host and forwards
+<application>X</application> connections.</para>
+<indexterm zone="heimdal rxtelnet">
+<primary sortas="b-rxtelnet">rxtelnet</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="rxterm">
+<term><command>rxterm</command></term>
+<listitem><para>starts a secure remote <command>xterm</command>.</para>
+<indexterm zone="heimdal rxterm">
+<primary sortas="b-rxterm">rxterm</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="string2key">
+<term><command>string2key</command></term>
+<listitem><para>maps a password into a key.</para>
+<indexterm zone="heimdal string2key">
+<primary sortas="b-string2key">string2key</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="su">
+<term><command>su</command></term>
+<listitem><para>is a kerberized su client program.</para>
+<indexterm zone="heimdal su">
+<primary sortas="b-su">su</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="telnet">
+<term><command>telnet</command></term>
+<listitem><para>is a kerberized telnet client program.</para>
+<indexterm zone="heimdal telnet">
+<primary sortas="b-telnet">telnet</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="telnetd">
+<term><command>telnetd</command></term>
+<listitem><para>is a kerberized telnet server.</para>
+<indexterm zone="heimdal telnetd">
+<primary sortas="b-telnetd">telnetd</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="tenletxr">
+<term><command>tenletxr</command></term>
+<listitem><para>forwards <application>X</application> connections
+backwards.</para>
+<indexterm zone="heimdal tenletxr">
+<primary sortas="b-tenletxr">tenletxr</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="verify_krb5_conf">
+<term><command>verify_krb5_conf</command></term>
+<listitem><para>checks <filename>krb5.conf</filename> file for obvious
+errors.</para>
+<indexterm zone="heimdal verify_krb5_conf">
+<primary sortas="b-verify_krb5_conf">verify_krb5_conf</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="xnlock">
+<term><command>xnlock</command></term>
+<listitem><para>is a program that acts as a secure screen saver for
+workstations running <application>X</application>.</para>
+<indexterm zone="heimdal xnlock">
+<primary sortas="b-xnlock">xnlock</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="libasn1">
+<term><filename class='libraryfile'>libasn1.[so,a]</filename></term>
+<listitem><para>provides the ASN.1 and DER functions to encode and decode
+the Kerberos TGTs.</para>
+<indexterm zone="heimdal libasn1">
+<primary sortas="c-libasn1">libasn1.[so,a]</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="libeditline">
+<term><filename class='libraryfile'>libeditline.a</filename></term>
+<listitem><para>is a command-line editing library with history.</para>
+<indexterm zone="heimdal libeditline">
+<primary sortas="c-libeditline">libeditline.a</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="libgssapi">
+<term><filename class='libraryfile'>libgssapi.[so,a]</filename></term>
+<listitem><para>contain the Generic Security Service Application Programming
+Interface (<acronym>GSSAPI</acronym>) functions which provides security
+services to callers in a generic fashion, supportable with a range of
+underlying mechanisms and technologies and hence allowing source-level
+portability of applications to different environments.</para>
+<indexterm zone="heimdal libgssapi">
+<primary sortas="c-libgssapi">libgssapi.[so,a]</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="libhdb">
+<term><filename class='libraryfile'>libhdb.[so,a]</filename></term>
+<listitem><para>is a <application>Heimdal</application> Kerberos 5
+authentication/authorization database access library.</para>
+<indexterm zone="heimdal libhdb">
+<primary sortas="c-libhdb">libhdb.[so,a]</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="libkadm5clnt">
+<term><filename class='libraryfile'>libkadm5clnt.[so,a]</filename></term>
+<listitem><para>contains the administrative authentication and password
+checking functions required by Kerberos 5 client-side programs.</para>
+<indexterm zone="heimdal libkadm5clnt">
+<primary sortas="c-libkadm5clnt">libkadm5clnt.[so,a]</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="libkadm5srv">
+<term><filename class='libraryfile'>libkadm5srv.[so,a]</filename></term>
+<listitem><para>contain the administrative authentication and password
+checking functions required by Kerberos 5 servers.</para>
+<indexterm zone="heimdal libkadm5srv">
+<primary sortas="c-libkadm5srv">libkadm5srv.[so,a]</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="libkafs">
+<term><filename class='libraryfile'>libkafs.[so,a]</filename></term>
+<listitem><para>contains the functions required to authenticated to AFS.</para>
+<indexterm zone="heimdal libkafs">
+<primary sortas="c-libkafs">libkafs.[so,a]</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="libkrb5">
+<term><filename class='libraryfile'>libkrb5.[so,a]</filename></term>
+<listitem><para>is an all-purpose Kerberos 5 library.</para>
+<indexterm zone="heimdal libkrb5">
+<primary sortas="c-libkrb5">libkrb5.[so,a]</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="libotp">
+<term><filename class='libraryfile'>libotp.[so,a]</filename></term>
+<listitem><para>contains the functions required to handle authenticating
+one time passwords.</para>
+<indexterm zone="heimdal libotp">
+<primary sortas="c-libotp">libotp.[so,a]</primary>
+</indexterm></listitem>
+</varlistentry>
+<varlistentry id="libroken">
+<term><filename class='libraryfile'>libroken.[so,a]</filename></term>
+<listitem><para>is a library containing Kerberos 5 compatibility
+functions.</para>
+<indexterm zone="heimdal libroken">
+<primary sortas="c-libroken">libroken.[so,a]</primary>
+</indexterm></listitem>
+</varlistentry>
+</variablelist>
+</sect2>
+# End /etc/heimdal/krb5.conf</literal>
+EOF</userinput></screen>
+        <para>You will need to substitute your domain and proper hostname
+        for the occurrences of the <replaceable>[hostname]</replaceable>
+        and <replaceable>[EXAMPLE.COM]</replaceable> names.</para>
+        <para><option>default_realm</option> should be the name of your
+        domain changed to ALL CAPS. This isn't required, but both
+        <application>Heimdal</application> and <application>MIT
+        krb5</application> recommend it.</para>
+        <para><option>encrypt = true</option> provides encryption of all
+        traffic between kerberized clients and servers. It's not necessary
+        and can be left off. If you leave it off, you can encrypt all traffic
+        from the client to the server using a switch on the client program
+        instead.</para>
+        <para>The <option>[realms]</option> parameters tell the client
+        programs where to look for the KDC authentication services.</para>
+        <para>The <option>[domain_realm]</option> section maps a domain
+        to a realm.</para>
+        <para>Store the master password in a key file using the following
+        commands:</para>
+<screen role="root"><userinput>install -d -m 755 /var/lib/heimdal &amp;&amp;
+kstash</userinput></screen>
+        <para>Create the KDC database:</para>
+<screen role="root"><userinput>kadmin -l</userinput></screen>
+        <para>Choose the defaults for now. You can go in later and change the
+        defaults, should you feel the need. At the <prompt>kadmin&gt;</prompt>
+        prompt, issue the following statement:</para>
+<screen role="root"><userinput>init <replaceable>[EXAMPLE.COM]</replaceable></userinput></screen>
+        <para>The database must now be populated with at least one principle
+        (user). For now, just use your regular login name or root. You may
+        create as few, or as many principles as you wish using the following
+        statement:</para>
+<screen role="root"><userinput>add <replaceable>[loginname]</replaceable></userinput></screen>
+        <para>The KDC server and any machine running kerberized
+        server daemons must have a host key installed:</para>
+<screen role="root"><userinput>add --random-key host/<replaceable>[hostname.example.com]</replaceable></userinput></screen>
+        <para>After choosing the defaults when prompted, you will have to
+        export the data to a keytab file:</para>
+<screen role="root"><userinput>ext host/<replaceable>[hostname.example.com]</replaceable></userinput></screen>
+        <para>This should have created two files in
+        <filename class="directory">/etc/heimdal</filename>:
+        <filename>krb5.keytab</filename> (Kerberos 5) and
+        <filename>srvtab</filename> (Kerberos 4). Both files should have 600
+        (root rw only) permissions. Keeping the keytab files from public access
+        is crucial to the overall security of the Kerberos installation.</para>
+        <para>Eventually, you'll want to add server daemon principles to the
+        database and extract them to the keytab file. You do this in the same
+        way you created the host principles. Below is an example:</para>
+<screen role="root"><userinput>add --random-key ftp/<replaceable>[hostname.example.com]</replaceable></userinput></screen>
+        <para>(choose the defaults)</para>
+<screen role="root"><userinput>ext ftp/<replaceable>[hostname.example.com]</replaceable></userinput></screen>
+        <para>Exit the <command>kadmin</command> program (use
+        <command>quit</command> or <command>exit</command>) and return back
+        to the shell prompt. Start the KDC daemon manually, just to test out
+        the installation:</para>
+<screen role="root"><userinput>/usr/sbin/kdc &amp;</userinput></screen>
+        <para>Attempt to get a TGT (ticket granting ticket) with
+        the following command:</para>
+<screen><userinput>kinit <replaceable>[loginname]</replaceable></userinput></screen>
+        <para>You will be prompted for the password you created. After you get
+        your ticket, you should list it with the following command:</para>
+<screen><userinput>klist</userinput></screen>
+        <para>Information about the ticket should be displayed on
+        the screen.</para>
+        <para>To test the functionality of the <filename>keytab</filename> file,
+        issue the following command:</para>
+<screen><userinput>ktutil list</userinput></screen>
+        <para>This should dump a list of the host principals, along with the
+        encryption methods used to access the principals.</para>
+        <para>At this point, if everything has been successful so far, you
+        can feel fairly confident in the installation and configuration of
+        the package.</para>
+        <para id="heimdal-init">Install the
+        <filename>/etc/rc.d/init.d/heimdal</filename> init script included
+        in the <xref linkend="intro-important-bootscripts"/> package:</para>
+        <indexterm zone="heimdal heimdal-init">
+          <primary sortas="f-heimdal">heimdal</primary>
+        </indexterm>
+<screen role="root"><userinput>make install-heimdal</userinput></screen>
+      </sect4>
+      <sect4>
+        <title>Using Kerberized Client Programs</title>
+        <para>To use the kerberized client programs (<command>telnet</command>,
+        <command>ftp</command>, <command>rsh</command>,
+        <command>rxterm</command>, <command>rxtelnet</command>,
+        <command>rcp</command>, <command>xnlock</command>), you first must get
+        a TGT. Use the <command>kinit</command> program to get the ticket.
+        After you've acquired the ticket, you can use the kerberized programs
+        to connect to any kerberized server on the network. You will not be
+        prompted for authentication until your ticket expires (default is one
+        day), unless you specify a different user as a command line argument
+        to the program.</para>
+        <para>The kerberized programs will connect to non-kerberized daemons,
+        warning you that authentication is not encrypted. As mentioned earlier,
+        only the <command>ftp</command> program gives any trouble connecting to
+        non-kerberized daemons.</para>
+        <para>In order to use the <application>Heimdal</application>
+        <application>X</application> programs, you'll need to add a service
+        port entry to the <filename>/etc/services</filename> file for the
+        <command>kxd</command> server. There is no 'standardized port number'
+        for the 'kx' service in the IANA database, so you'll have to pick an
+        unused port number. Add an entry to the <filename>services</filename>
+        file similar to the entry below (substitute your chosen port number
+        for <replaceable>[49150]</replaceable>):</para>
+<screen><literal>kx              <replaceable>[49150]</replaceable>/tcp   # Heimdal kerberos X
+kx              <replaceable>[49150]</replaceable>/udp   # Heimdal kerberos X</literal></screen>
+        <para>For additional information consult <ulink
+        url="http://www.linuxfromscratch.org/hints/downloads/files/heimdal.txt">the
+        Heimdal hint</ulink> on which the above instructions are based.</para>
+      </sect4>
+    </sect3>
+  </sect2>
+  <sect2 role="content">
+    <title>Contents</title>
+    <segmentedlist>
+      <segtitle>Installed Programs</segtitle>
+      <segtitle>Installed Libraries</segtitle>
+      <segtitle>Installed Directories</segtitle>
+      <seglistitem>
+        <seg>afslog, dump_log, ftp, ftpd, hprop, hpropd, ipropd-master,
+        ipropd-slave, kadmin, kadmind, kauth, kdc, kdestroy, kf, kfd, kgetcred,
+        kinit, klist, kpasswd, kpasswdd, krb5-config, kstash, ktutil, kx, kxd,
+        login, mk_cmds, otp, otpprint, pagsh, pfrom, popper, push, rcp,
+        replay_log, rsh, rshd, rxtelnet, rxterm, string2key, su, telnet,
+        telnetd, tenletxr, truncate-log, verify_krb5_conf, and xnlock</seg>
+        <seg>libasn1.[so,a], libeditline.a, libgssapi.[so,a], libhdb.[so,a],
+        libkadm5clnt.[so,a], libkadm5srv.[so,a], libkafs.[so,a], libkrb5.[so,a],
+        libotp.[so,a], libroken.[so,a], libsl.[so,a], and libss.[so,a]</seg>
+        <seg>/etc/heimdal, /usr/include/kadm5, /usr/include/ss, and
+        /var/lib/heimdal</seg>
+      </seglistitem>
+    </segmentedlist>
+    <variablelist>
+      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
+      <?dbfo list-presentation="list"?>
+      <?dbhtml list-presentation="table"?>
+      <varlistentry id="afslog">
+        <term><command>afslog</command></term>
+        <listitem>
+          <para>obtains AFS tokens for a number of cells.</para>
+          <indexterm zone="heimdal afslog">
+            <primary sortas="b-afslog">afslog</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="ftp">
+        <term><command>ftp</command></term>
+        <listitem>
+          <para>is a kerberized FTP client.</para>
+          <indexterm zone="heimdal ftp">
+            <primary sortas="b-ftp">ftp</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="ftpd">
+        <term><command>ftpd</command></term>
+        <listitem>
+          <para>is a kerberized FTP daemon.</para>
+          <indexterm zone="heimdal ftpd">
+            <primary sortas="b-ftpd">ftpd</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="hprop">
+        <term><command>hprop</command></term>
+        <listitem>
+          <para> takes a principal database in a specified format and converts
+          it into a stream of <application>Heimdal</application> database
+          records.</para>
+          <indexterm zone="heimdal hprop">
+            <primary sortas="b-hprop">hprop</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="hpropd">
+        <term><command>hpropd</command></term>
+        <listitem>
+          <para>is a server that receives a database sent by
+          <command>hprop</command> and writes it as a local database.</para>
+          <indexterm zone="heimdal hpropd">
+            <primary sortas="b-hpropd">hpropd</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="ipropd-master">
+        <term><command>ipropd-master</command></term>
+        <listitem>
+          <para>is a daemon which runs on the master KDC
+          server which incrementally propogates changes to the KDC
+          database to the slave KDC servers.</para>
+          <indexterm zone="heimdal ipropd-master">
+            <primary sortas="b-ipropd-master">ipropd-master</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="ipropd-slave">
+        <term><command>ipropd-slave</command></term>
+        <listitem>
+          <para>is a daemon which runs on the slave KDC
+          servers which incrementally propogates changes to the KDC
+          database from the master KDC server.</para>
+          <indexterm zone="heimdal ipropd-slave">
+            <primary sortas="b-ipropd-slave">ipropd-slave</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="kadmin">
+        <term><command>kadmin</command></term>
+        <listitem>
+          <para>is a utility used to make modifications to the Kerberos
+          database.</para>
+          <indexterm zone="heimdal kadmin">
+            <primary sortas="b-kadmin">kadmin</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="kadmind">
+        <term><command>kadmind</command></term>
+        <listitem>
+          <para>is a server for administrative access to the Kerberos
+          database.</para>
+          <indexterm zone="heimdal kadmind">
+            <primary sortas="b-kadmind">kadmind</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="kauth">
+        <term><command>kauth</command></term>
+        <listitem>
+          <para>is a symbolic link to the <command>kinit</command> program.</para>
+          <indexterm zone="heimdal kauth">
+            <primary sortas="g-kauth">kauth</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="kdc">
+        <term><command>kdc</command></term>
+        <listitem>
+          <para>is a Kerberos 5 server.</para>
+          <indexterm zone="heimdal kdc">
+            <primary sortas="b-kdc">kdc</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="kdestroy">
+        <term><command>kdestroy</command></term>
+        <listitem>
+          <para>removes a principle's current set of tickets.</para>
+          <indexterm zone="heimdal kdestroy">
+            <primary sortas="b-kdestroy">kdestroy</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="kf">
+        <term><command>kf</command></term>
+        <listitem>
+          <para>is a program which forwards tickets to a remote host through
+          an authenticated and encrypted stream.</para>
+          <indexterm zone="heimdal kf">
+            <primary sortas="b-kf">kf</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="kfd">
+        <term><command>kfd</command></term>
+        <listitem>
+          <para>is a server used to receive forwarded tickets.</para>
+          <indexterm zone="heimdal kfd">
+            <primary sortas="b-kfd">kfd</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="kgetcred">
+        <term><command>kgetcred</command></term>
+        <listitem>
+          <para>obtains a ticket for a service.</para>
+          <indexterm zone="heimdal kgetcred">
+            <primary sortas="b-kgetcred">kgetcred</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="kinit">
+        <term><command>kinit</command></term>
+        <listitem>
+          <para>is used to authenticate to the Kerberos server as a principal
+          and acquire a ticket granting ticket that can later be used to obtain
+          tickets for other services.</para>
+          <indexterm zone="heimdal kinit">
+            <primary sortas="b-kinit">kinit</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="klist">
+        <term><command>klist</command></term>
+        <listitem>
+          <para>reads and displays the current tickets in the credential
+          cache.</para>
+          <indexterm zone="heimdal klist">
+            <primary sortas="b-klist">klist</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="kpasswd">
+        <term><command>kpasswd</command></term>
+        <listitem>
+          <para>is a program for changing Kerberos 5 passwords.</para>
+          <indexterm zone="heimdal kpasswd">
+            <primary sortas="b-kpasswd">kpasswd</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="kpasswdd">
+        <term><command>kpasswdd</command></term>
+        <listitem>
+          <para>is a Kerberos 5 password changing server.</para>
+          <indexterm zone="heimdal kpasswdd">
+            <primary sortas="b-kpasswdd">kpasswdd</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="krb5-config-prog">
+        <term><command>krb5-config</command></term>
+        <listitem>
+          <para>gives information on how to link programs against
+          <application>Heimdal</application> libraries.</para>
+          <indexterm zone="heimdal krb5-config-prog">
+            <primary sortas="b-krb5-config">krb5-config</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="kstash">
+        <term><command>kstash</command></term>
+        <listitem>
+          <para>stores the KDC master password in a file.</para>
+          <indexterm zone="heimdal kstash">
+            <primary sortas="b-kstash">kstash</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="ktutil">
+        <term><command>ktutil</command></term>
+        <listitem>
+          <para>is a program for managing Kerberos keytabs.</para>
+          <indexterm zone="heimdal ktutil">
+            <primary sortas="b-ktutil">ktutil</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="kx">
+        <term><command>kx</command></term>
+        <listitem>
+          <para>is a program which securely forwards
+          <application>X</application> connections.</para>
+          <indexterm zone="heimdal kx">
+            <primary sortas="b-kx">kx</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="kxd">
+        <term><command>kxd</command></term>
+        <listitem>
+          <para>is the daemon for <command>kx</command>.</para>
+          <indexterm zone="heimdal kxd">
+            <primary sortas="b-kxd">kxd</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="login">
+        <term><command>login</command></term>
+        <listitem>
+          <para>is a kerberized login program.</para>
+          <indexterm zone="heimdal login">
+            <primary sortas="b-login">login</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="otp">
+        <term><command>otp</command></term>
+        <listitem>
+          <para>manages one-time passwords.</para>
+          <indexterm zone="heimdal otp">
+            <primary sortas="b-otp">otp</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="otpprint">
+        <term><command>otpprint</command></term>
+        <listitem>
+          <para>prints lists of one-time passwords.</para>
+          <indexterm zone="heimdal otpprint">
+            <primary sortas="b-otpprint">otpprint</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="pfrom">
+        <term><command>pfrom</command></term>
+        <listitem>
+          <para>is a script that runs <command>push --from</command>.</para>
+          <indexterm zone="heimdal pfrom">
+            <primary sortas="b-pfrom">pfrom</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="popper">
+        <term><command>popper</command></term>
+        <listitem>
+          <para>is a kerberized POP-3 server.</para>
+          <indexterm zone="heimdal popper">
+            <primary sortas="b-popper">popper</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="push">
+        <term><command>push</command></term>
+        <listitem>
+          <para>is a kerberized POP mail retreival client.</para>
+          <indexterm zone="heimdal push">
+            <primary sortas="b-push">push</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="rcp">
+        <term><command>rcp</command></term>
+        <listitem>
+          <para>is a kerberized rcp client program.</para>
+          <indexterm zone="heimdal rcp">
+            <primary sortas="b-rcp">rcp</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="rsh">
+        <term><command>rsh</command></term>
+        <listitem>
+          <para>is a kerberized rsh client program.</para>
+          <indexterm zone="heimdal rsh">
+            <primary sortas="b-rsh">rsh</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="rshd">
+        <term><command>rshd</command></term>
+        <listitem>
+          <para>is a kerberized rsh server.</para>
+          <indexterm zone="heimdal rshd">
+            <primary sortas="b-rshd">rshd</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="rxtelnet">
+        <term><command>rxtelnet</command></term>
+        <listitem>
+          <para>starts a secure <command>xterm</command> window with a
+          <command>telnet</command> to a given host and forwards
+          <application>X</application> connections.</para>
+          <indexterm zone="heimdal rxtelnet">
+            <primary sortas="b-rxtelnet">rxtelnet</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="rxterm">
+        <term><command>rxterm</command></term>
+        <listitem>
+          <para>starts a secure remote <command>xterm</command>.</para>
+          <indexterm zone="heimdal rxterm">
+            <primary sortas="b-rxterm">rxterm</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="string2key">
+        <term><command>string2key</command></term>
+        <listitem>
+          <para>maps a password into a key.</para>
+          <indexterm zone="heimdal string2key">
+            <primary sortas="b-string2key">string2key</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="su">
+        <term><command>su</command></term>
+        <listitem>
+          <para>is a kerberized su client program.</para>
+          <indexterm zone="heimdal su">
+            <primary sortas="b-su">su</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="telnet">
+        <term><command>telnet</command></term>
+        <listitem>
+          <para>is a kerberized telnet client program.</para>
+          <indexterm zone="heimdal telnet">
+            <primary sortas="b-telnet">telnet</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="telnetd">
+        <term><command>telnetd</command></term>
+        <listitem>
+          <para>is a kerberized telnet server.</para>
+          <indexterm zone="heimdal telnetd">
+            <primary sortas="b-telnetd">telnetd</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="tenletxr">
+        <term><command>tenletxr</command></term>
+        <listitem>
+          <para>forwards <application>X</application> connections
+          backwards.</para>
+          <indexterm zone="heimdal tenletxr">
+            <primary sortas="b-tenletxr">tenletxr</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="verify_krb5_conf">
+        <term><command>verify_krb5_conf</command></term>
+        <listitem>
+          <para>checks <filename>krb5.conf</filename> file for obvious
+          errors.</para>
+          <indexterm zone="heimdal verify_krb5_conf">
+            <primary sortas="b-verify_krb5_conf">verify_krb5_conf</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="xnlock">
+        <term><command>xnlock</command></term>
+        <listitem>
+          <para>is a program that acts as a secure screen saver for
+          workstations running <application>X</application>.</para>
+          <indexterm zone="heimdal xnlock">
+            <primary sortas="b-xnlock">xnlock</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="libasn1">
+        <term><filename class='libraryfile'>libasn1.[so,a]</filename></term>
+        <listitem>
+          <para>provides the ASN.1 and DER functions to encode and decode
+          the Kerberos TGTs.</para>
+          <indexterm zone="heimdal libasn1">
+            <primary sortas="c-libasn1">libasn1.[so,a]</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="libeditline">
+        <term><filename class='libraryfile'>libeditline.a</filename></term>
+        <listitem>
+          <para>is a command-line editing library with history.</para>
+          <indexterm zone="heimdal libeditline">
+            <primary sortas="c-libeditline">libeditline.a</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="libgssapi">
+        <term><filename class='libraryfile'>libgssapi.[so,a]</filename></term>
+        <listitem>
+          <para>contain the Generic Security Service Application Programming
+          Interface (GSSAPI) functions which provides security
+          services to callers in a generic fashion, supportable with a range of
+          underlying mechanisms and technologies and hence allowing source-level
+          portability of applications to different environments.</para>
+          <indexterm zone="heimdal libgssapi">
+            <primary sortas="c-libgssapi">libgssapi.[so,a]</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="libhdb">
+        <term><filename class='libraryfile'>libhdb.[so,a]</filename></term>
+        <listitem>
+          <para>is a <application>Heimdal</application> Kerberos 5
+          authentication/authorization database access library.</para>
+          <indexterm zone="heimdal libhdb">
+            <primary sortas="c-libhdb">libhdb.[so,a]</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="libkadm5clnt">
+        <term><filename class='libraryfile'>libkadm5clnt.[so,a]</filename></term>
+        <listitem>
+          <para>contains the administrative authentication and password
+          checking functions required by Kerberos 5 client-side programs.</para>
+          <indexterm zone="heimdal libkadm5clnt">
+            <primary sortas="c-libkadm5clnt">libkadm5clnt.[so,a]</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="libkadm5srv">
+        <term><filename class='libraryfile'>libkadm5srv.[so,a]</filename></term>
+        <listitem>
+          <para>contain the administrative authentication and password
+          checking functions required by Kerberos 5 servers.</para>
+          <indexterm zone="heimdal libkadm5srv">
+            <primary sortas="c-libkadm5srv">libkadm5srv.[so,a]</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="libkafs">
+        <term><filename class='libraryfile'>libkafs.[so,a]</filename></term>
+        <listitem>
+          <para>contains the functions required to authenticated to AFS.</para>
+          <indexterm zone="heimdal libkafs">
+            <primary sortas="c-libkafs">libkafs.[so,a]</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="libkrb5">
+        <term><filename class='libraryfile'>libkrb5.[so,a]</filename></term>
+        <listitem>
+          <para>is an all-purpose Kerberos 5 library.</para>
+          <indexterm zone="heimdal libkrb5">
+            <primary sortas="c-libkrb5">libkrb5.[so,a]</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="libotp">
+        <term><filename class='libraryfile'>libotp.[so,a]</filename></term>
+        <listitem>
+          <para>contains the functions required to handle authenticating
+          one time passwords.</para>
+          <indexterm zone="heimdal libotp">
+            <primary sortas="c-libotp">libotp.[so,a]</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+      <varlistentry id="libroken">
+        <term><filename class='libraryfile'>libroken.[so,a]</filename></term>
+        <listitem>
+          <para>is a library containing Kerberos 5 compatibility
+          functions.</para>
+          <indexterm zone="heimdal libroken">
+            <primary sortas="c-libroken">libroken.[so,a]</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </sect2>
 </sect1>

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 84418e6

Legend:

postlfs/security/heimdal.xml

Download in other formats: