diff options
Diffstat (limited to 'crypto/krb5/doc/html/_sources/user')
17 files changed, 0 insertions, 1938 deletions
diff --git a/crypto/krb5/doc/html/_sources/user/index.rst.txt b/crypto/krb5/doc/html/_sources/user/index.rst.txt deleted file mode 100644 index 233c3ef55555..000000000000 --- a/crypto/krb5/doc/html/_sources/user/index.rst.txt +++ /dev/null @@ -1,10 +0,0 @@ -For users -========= - -.. toctree:: - :maxdepth: 2 - - pwd_mgmt.rst - tkt_mgmt.rst - user_config/index.rst - user_commands/index.rst diff --git a/crypto/krb5/doc/html/_sources/user/pwd_mgmt.rst.txt b/crypto/krb5/doc/html/_sources/user/pwd_mgmt.rst.txt deleted file mode 100644 index ed7d459f0fd0..000000000000 --- a/crypto/krb5/doc/html/_sources/user/pwd_mgmt.rst.txt +++ /dev/null @@ -1,106 +0,0 @@ -Password management -=================== - -Your password is the only way Kerberos has of verifying your identity. -If someone finds out your password, that person can masquerade as -you---send email that comes from you, read, edit, or delete your files, -or log into other hosts as you---and no one will be able to tell the -difference. For this reason, it is important that you choose a good -password, and keep it secret. If you need to give access to your -account to someone else, you can do so through Kerberos (see -:ref:`grant_access`). You should never tell your password to anyone, -including your system administrator, for any reason. You should -change your password frequently, particularly any time you think -someone may have found out what it is. - - -Changing your password ----------------------- - -To change your Kerberos password, use the :ref:`kpasswd(1)` command. -It will ask you for your old password (to prevent someone else from -walking up to your computer when you're not there and changing your -password), and then prompt you for the new one twice. (The reason you -have to type it twice is to make sure you have typed it correctly.) -For example, user ``david`` would do the following:: - - shell% kpasswd - Password for david: <- Type your old password. - Enter new password: <- Type your new password. - Enter it again: <- Type the new password again. - Password changed. - shell% - -If ``david`` typed the incorrect old password, he would get the -following message:: - - shell% kpasswd - Password for david: <- Type the incorrect old password. - kpasswd: Password incorrect while getting initial ticket - shell% - -If you make a mistake and don't type the new password the same way -twice, kpasswd will ask you to try again:: - - shell% kpasswd - Password for david: <- Type the old password. - Enter new password: <- Type the new password. - Enter it again: <- Type a different new password. - kpasswd: Password mismatch while reading password - shell% - -Once you change your password, it takes some time for the change to -propagate through the system. Depending on how your system is set up, -this might be anywhere from a few minutes to an hour or more. If you -need to get new Kerberos tickets shortly after changing your password, -try the new password. If the new password doesn't work, try again -using the old one. - - -.. _grant_access: - -Granting access to your account -------------------------------- - -If you need to give someone access to log into your account, you can -do so through Kerberos, without telling the person your password. -Simply create a file called :ref:`.k5login(5)` in your home directory. -This file should contain the Kerberos principal of each person to whom -you wish to give access. Each principal must be on a separate line. -Here is a sample .k5login file:: - - jennifer@ATHENA.MIT.EDU - david@EXAMPLE.COM - -This file would allow the users ``jennifer`` and ``david`` to use your -user ID, provided that they had Kerberos tickets in their respective -realms. If you will be logging into other hosts across a network, you -will want to include your own Kerberos principal in your .k5login file -on each of these hosts. - -Using a .k5login file is much safer than giving out your password, -because: - -* You can take access away any time simply by removing the principal - from your .k5login file. - -* Although the user has full access to your account on one particular - host (or set of hosts if your .k5login file is shared, e.g., over - NFS), that user does not inherit your network privileges. - -* Kerberos keeps a log of who obtains tickets, so a system - administrator could find out, if necessary, who was capable of using - your user ID at a particular time. - -One common application is to have a .k5login file in root's home -directory, giving root access to that machine to the Kerberos -principals listed. This allows system administrators to allow users -to become root locally, or to log in remotely as root, without their -having to give out the root password, and without anyone having to -type the root password over the network. - - -Password quality verification ------------------------------ - -TODO diff --git a/crypto/krb5/doc/html/_sources/user/tkt_mgmt.rst.txt b/crypto/krb5/doc/html/_sources/user/tkt_mgmt.rst.txt deleted file mode 100644 index 9ec7f1e7ca3e..000000000000 --- a/crypto/krb5/doc/html/_sources/user/tkt_mgmt.rst.txt +++ /dev/null @@ -1,314 +0,0 @@ -Ticket management -================= - -On many systems, Kerberos is built into the login program, and you get -tickets automatically when you log in. Other programs, such as ssh, -can forward copies of your tickets to a remote host. Most of these -programs also automatically destroy your tickets when they exit. -However, MIT recommends that you explicitly destroy your Kerberos -tickets when you are through with them, just to be sure. One way to -help ensure that this happens is to add the :ref:`kdestroy(1)` command -to your .logout file. Additionally, if you are going to be away from -your machine and are concerned about an intruder using your -permissions, it is safest to either destroy all copies of your -tickets, or use a screensaver that locks the screen. - - -Kerberos ticket properties --------------------------- - -There are various properties that Kerberos tickets can have: - -If a ticket is **forwardable**, then the KDC can issue a new ticket -(with a different network address, if necessary) based on the -forwardable ticket. This allows for authentication forwarding without -requiring a password to be typed in again. For example, if a user -with a forwardable TGT logs into a remote system, the KDC could issue -a new TGT for that user with the network address of the remote system, -allowing authentication on that host to work as though the user were -logged in locally. - -When the KDC creates a new ticket based on a forwardable ticket, it -sets the **forwarded** flag on that new ticket. Any tickets that are -created based on a ticket with the forwarded flag set will also have -their forwarded flags set. - -A **proxiable** ticket is similar to a forwardable ticket in that it -allows a service to take on the identity of the client. Unlike a -forwardable ticket, however, a proxiable ticket is only issued for -specific services. In other words, a ticket-granting ticket cannot be -issued based on a ticket that is proxiable but not forwardable. - -A **proxy** ticket is one that was issued based on a proxiable ticket. - -A **postdated** ticket is issued with the invalid flag set. After the -starting time listed on the ticket, it can be presented to the KDC to -obtain valid tickets. - -Ticket-granting tickets with the **postdateable** flag set can be used -to obtain postdated service tickets. - -**Renewable** tickets can be used to obtain new session keys without -the user entering their password again. A renewable ticket has two -expiration times. The first is the time at which this particular -ticket expires. The second is the latest possible expiration time for -any ticket issued based on this renewable ticket. - -A ticket with the **initial flag** set was issued based on the -authentication protocol, and not on a ticket-granting ticket. -Application servers that wish to ensure that the user's key has been -recently presented for verification could specify that this flag must -be set to accept the ticket. - -An **invalid** ticket must be rejected by application servers. -Postdated tickets are usually issued with this flag set, and must be -validated by the KDC before they can be used. - -A **preauthenticated** ticket is one that was only issued after the -client requesting the ticket had authenticated itself to the KDC. - -The **hardware authentication** flag is set on a ticket which required -the use of hardware for authentication. The hardware is expected to -be possessed only by the client which requested the tickets. - -If a ticket has the **transit policy** checked flag set, then the KDC -that issued this ticket implements the transited-realm check policy -and checked the transited-realms list on the ticket. The -transited-realms list contains a list of all intermediate realms -between the realm of the KDC that issued the first ticket and that of -the one that issued the current ticket. If this flag is not set, then -the application server must check the transited realms itself or else -reject the ticket. - -The **okay as delegate** flag indicates that the server specified in -the ticket is suitable as a delegate as determined by the policy of -that realm. Some client applications may use this flag to decide -whether to forward tickets to a remote host, although many -applications do not honor it. - -An **anonymous** ticket is one in which the named principal is a -generic principal for that realm; it does not actually specify the -individual that will be using the ticket. This ticket is meant only -to securely distribute a session key. - - -.. _obtain_tkt: - -Obtaining tickets with kinit ----------------------------- - -If your site has integrated Kerberos V5 with the login system, you -will get Kerberos tickets automatically when you log in. Otherwise, -you may need to explicitly obtain your Kerberos tickets, using the -:ref:`kinit(1)` program. Similarly, if your Kerberos tickets expire, -use the kinit program to obtain new ones. - -To use the kinit program, simply type ``kinit`` and then type your -password at the prompt. For example, Jennifer (whose username is -``jennifer``) works for Bleep, Inc. (a fictitious company with the -domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU). She would -type:: - - shell% kinit - Password for jennifer@ATHENA.MIT.EDU: <-- [Type jennifer's password here.] - shell% - -If you type your password incorrectly, kinit will give you the -following error message:: - - shell% kinit - Password for jennifer@ATHENA.MIT.EDU: <-- [Type the wrong password here.] - kinit: Password incorrect - shell% - -and you won't get Kerberos tickets. - -By default, kinit assumes you want tickets for your own username in -your default realm. Suppose Jennifer's friend David is visiting, and -he wants to borrow a window to check his mail. David needs to get -tickets for himself in his own realm, EXAMPLE.COM. He would type:: - - shell% kinit david@EXAMPLE.COM - Password for david@EXAMPLE.COM: <-- [Type david's password here.] - shell% - -David would then have tickets which he could use to log onto his own -machine. Note that he typed his password locally on Jennifer's -machine, but it never went over the network. Kerberos on the local -host performed the authentication to the KDC in the other realm. - -If you want to be able to forward your tickets to another host, you -need to request forwardable tickets. You do this by specifying the -**-f** option:: - - shell% kinit -f - Password for jennifer@ATHENA.MIT.EDU: <-- [Type your password here.] - shell% - -Note that kinit does not tell you that it obtained forwardable -tickets; you can verify this using the :ref:`klist(1)` command (see -:ref:`view_tkt`). - -Normally, your tickets are good for your system's default ticket -lifetime, which is ten hours on many systems. You can specify a -different ticket lifetime with the **-l** option. Add the letter -**s** to the value for seconds, **m** for minutes, **h** for hours, or -**d** for days. For example, to obtain forwardable tickets for -``david@EXAMPLE.COM`` that would be good for three hours, you would -type:: - - shell% kinit -f -l 3h david@EXAMPLE.COM - Password for david@EXAMPLE.COM: <-- [Type david's password here.] - shell% - -.. note:: - - You cannot mix units; specifying a lifetime of 3h30m would - result in an error. Note also that most systems specify a - maximum ticket lifetime. If you request a longer ticket - lifetime, it will be automatically truncated to the maximum - lifetime. - - -.. _view_tkt: - -Viewing tickets with klist --------------------------- - -The :ref:`klist(1)` command shows your tickets. When you first obtain -tickets, you will have only the ticket-granting ticket. The listing -would look like this:: - - shell% klist - Ticket cache: /tmp/krb5cc_ttypa - Default principal: jennifer@ATHENA.MIT.EDU - - Valid starting Expires Service principal - 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU - shell% - -The ticket cache is the location of your ticket file. In the above -example, this file is named ``/tmp/krb5cc_ttypa``. The default -principal is your Kerberos principal. - -The "valid starting" and "expires" fields describe the period of time -during which the ticket is valid. The "service principal" describes -each ticket. The ticket-granting ticket has a first component -``krbtgt``, and a second component which is the realm name. - -Now, if ``jennifer`` connected to the machine ``daffodil.mit.edu``, -and then typed "klist" again, she would have gotten the following -result:: - - shell% klist - Ticket cache: /tmp/krb5cc_ttypa - Default principal: jennifer@ATHENA.MIT.EDU - - Valid starting Expires Service principal - 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU - 06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU - shell% - -Here's what happened: when ``jennifer`` used ssh to connect to the -host ``daffodil.mit.edu``, the ssh program presented her -ticket-granting ticket to the KDC and requested a host ticket for the -host ``daffodil.mit.edu``. The KDC sent the host ticket, which ssh -then presented to the host ``daffodil.mit.edu``, and she was allowed -to log in without typing her password. - -Suppose your Kerberos tickets allow you to log into a host in another -domain, such as ``trillium.example.com``, which is also in another -Kerberos realm, ``EXAMPLE.COM``. If you ssh to this host, you will -receive a ticket-granting ticket for the realm ``EXAMPLE.COM``, plus -the new host ticket for ``trillium.example.com``. klist will now -show:: - - shell% klist - Ticket cache: /tmp/krb5cc_ttypa - Default principal: jennifer@ATHENA.MIT.EDU - - Valid starting Expires Service principal - 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU - 06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU - 06/07/04 20:24:18 06/08/04 05:49:19 krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU - 06/07/04 20:24:18 06/08/04 05:49:19 host/trillium.example.com@EXAMPLE.COM - shell% - -Depending on your host's and realm's configuration, you may also see a -ticket with the service principal ``host/trillium.example.com@``. If -so, this means that your host did not know what realm -trillium.example.com is in, so it asked the ``ATHENA.MIT.EDU`` KDC for -a referral. The next time you connect to ``trillium.example.com``, -the odd-looking entry will be used to avoid needing to ask for a -referral again. - -You can use the **-f** option to view the flags that apply to your -tickets. The flags are: - -===== ========================= - F Forwardable - f forwarded - P Proxiable - p proxy - D postDateable - d postdated - R Renewable - I Initial - i invalid - H Hardware authenticated - A preAuthenticated - T Transit policy checked - O Okay as delegate - a anonymous -===== ========================= - -Here is a sample listing. In this example, the user *jennifer* -obtained her initial tickets (**I**), which are forwardable (**F**) -and postdated (**d**) but not yet validated (**i**):: - - shell% klist -f - Ticket cache: /tmp/krb5cc_320 - Default principal: jennifer@ATHENA.MIT.EDU - - Valid starting Expires Service principal - 31/07/05 19:06:25 31/07/05 19:16:25 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU - Flags: FdiI - shell% - -In the following example, the user *david*'s tickets were forwarded -(**f**) to this host from another host. The tickets are reforwardable -(**F**):: - - shell% klist -f - Ticket cache: /tmp/krb5cc_p11795 - Default principal: david@EXAMPLE.COM - - Valid starting Expires Service principal - 07/31/05 11:52:29 07/31/05 21:11:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM - Flags: Ff - 07/31/05 12:03:48 07/31/05 21:11:23 host/trillium.example.com@EXAMPLE.COM - Flags: Ff - shell% - - -Destroying tickets with kdestroy --------------------------------- - -Your Kerberos tickets are proof that you are indeed yourself, and -tickets could be stolen if someone gains access to a computer where -they are stored. If this happens, the person who has them can -masquerade as you until they expire. For this reason, you should -destroy your Kerberos tickets when you are away from your computer. - -Destroying your tickets is easy. Simply type kdestroy:: - - shell% kdestroy - shell% - -If :ref:`kdestroy(1)` fails to destroy your tickets, it will beep and -give an error message. For example, if kdestroy can't find any -tickets to destroy, it will give the following message:: - - shell% kdestroy - kdestroy: No credentials cache file found while destroying cache - shell% diff --git a/crypto/krb5/doc/html/_sources/user/user_commands/index.rst.txt b/crypto/krb5/doc/html/_sources/user/user_commands/index.rst.txt deleted file mode 100644 index 7ce86a14c428..000000000000 --- a/crypto/krb5/doc/html/_sources/user/user_commands/index.rst.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. _user_commands: - -User commands -============= - -.. toctree:: - :maxdepth: 1 - - kdestroy.rst - kinit.rst - klist.rst - kpasswd.rst - krb5-config.rst - ksu.rst - kswitch.rst - kvno.rst - sclient.rst diff --git a/crypto/krb5/doc/html/_sources/user/user_commands/kdestroy.rst.txt b/crypto/krb5/doc/html/_sources/user/user_commands/kdestroy.rst.txt deleted file mode 100644 index b15846f9192d..000000000000 --- a/crypto/krb5/doc/html/_sources/user/user_commands/kdestroy.rst.txt +++ /dev/null @@ -1,77 +0,0 @@ -.. _kdestroy(1): - -kdestroy -======== - -SYNOPSIS --------- - -**kdestroy** -[**-A**] -[**-q**] -[**-c** *cache_name*] -[**-p** *princ_name*] - - -DESCRIPTION ------------ - -The kdestroy utility destroys the user's active Kerberos authorization -tickets by overwriting and deleting the credentials cache that -contains them. If the credentials cache is not specified, the default -credentials cache is destroyed. - - -OPTIONS -------- - -**-A** - Destroys all caches in the collection, if a cache collection is - available. May be used with the **-c** option to specify the - collection to be destroyed. - -**-q** - Run quietly. Normally kdestroy beeps if it fails to destroy the - user's tickets. The **-q** flag suppresses this behavior. - -**-c** *cache_name* - Use *cache_name* as the credentials (ticket) cache name and - location; if this option is not used, the default cache name and - location are used. - - The default credentials cache may vary between systems. If the - **KRB5CCNAME** environment variable is set, its value is used to - name the default ticket cache. - -**-p** *princ_name* - If a cache collection is available, destroy the cache for - *princ_name* instead of the primary cache. May be used with the - **-c** option to specify the collection to be searched. - - -NOTE ----- - -Most installations recommend that you place the kdestroy command in -your .logout file, so that your tickets are destroyed automatically -when you log out. - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -FILES ------ - -|ccache| - Default location of Kerberos 5 credentials cache - - -SEE ALSO --------- - -:ref:`kinit(1)`, :ref:`klist(1)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/html/_sources/user/user_commands/kinit.rst.txt b/crypto/krb5/doc/html/_sources/user/user_commands/kinit.rst.txt deleted file mode 100644 index 5b105e35a5ae..000000000000 --- a/crypto/krb5/doc/html/_sources/user/user_commands/kinit.rst.txt +++ /dev/null @@ -1,230 +0,0 @@ -.. _kinit(1): - -kinit -===== - -SYNOPSIS --------- - -**kinit** -[**-V**] -[**-l** *lifetime*] -[**-s** *start_time*] -[**-r** *renewable_life*] -[**-p** | -**P**] -[**-f** | -**F**] -[**-a**] -[**-A**] -[**-C**] -[**-E**] -[**-v**] -[**-R**] -[**-k** [**-i** | -**t** *keytab_file*]] -[**-c** *cache_name*] -[**-n**] -[**-S** *service_name*] -[**-I** *input_ccache*] -[**-T** *armor_ccache*] -[**-X** *attribute*\ [=\ *value*]] -[**--request-pac** | **--no-request-pac**] -[*principal*] - - -DESCRIPTION ------------ - -kinit obtains and caches an initial ticket-granting ticket for -*principal*. If *principal* is absent, kinit chooses an appropriate -principal name based on existing credential cache contents or the -local username of the user invoking kinit. Some options modify the -choice of principal name. - - -OPTIONS -------- - -**-V** - display verbose output. - -**-l** *lifetime* - (:ref:`duration` string.) Requests a ticket with the lifetime - *lifetime*. - - For example, ``kinit -l 5:30`` or ``kinit -l 5h30m``. - - If the **-l** option is not specified, the default ticket lifetime - (configured by each site) is used. Specifying a ticket lifetime - longer than the maximum ticket lifetime (configured by each site) - will not override the configured maximum ticket lifetime. - -**-s** *start_time* - (:ref:`duration` string.) Requests a postdated ticket. Postdated - tickets are issued with the **invalid** flag set, and need to be - resubmitted to the KDC for validation before use. - - *start_time* specifies the duration of the delay before the ticket - can become valid. - -**-r** *renewable_life* - (:ref:`duration` string.) Requests renewable tickets, with a total - lifetime of *renewable_life*. - -**-f** - requests forwardable tickets. - -**-F** - requests non-forwardable tickets. - -**-p** - requests proxiable tickets. - -**-P** - requests non-proxiable tickets. - -**-a** - requests tickets restricted to the host's local address[es]. - -**-A** - requests tickets not restricted by address. - -**-C** - requests canonicalization of the principal name, and allows the - KDC to reply with a different client principal from the one - requested. - -**-E** - treats the principal name as an enterprise name. - -**-v** - requests that the ticket-granting ticket in the cache (with the - **invalid** flag set) be passed to the KDC for validation. If the - ticket is within its requested time range, the cache is replaced - with the validated ticket. - -**-R** - requests renewal of the ticket-granting ticket. Note that an - expired ticket cannot be renewed, even if the ticket is still - within its renewable life. - - Note that renewable tickets that have expired as reported by - :ref:`klist(1)` may sometimes be renewed using this option, - because the KDC applies a grace period to account for client-KDC - clock skew. See :ref:`krb5.conf(5)` **clockskew** setting. - -**-k** [**-i** | **-t** *keytab_file*] - requests a ticket, obtained from a key in the local host's keytab. - The location of the keytab may be specified with the **-t** - *keytab_file* option, or with the **-i** option to specify the use - of the default client keytab; otherwise the default keytab will be - used. By default, a host ticket for the local host is requested, - but any principal may be specified. On a KDC, the special keytab - location ``KDB:`` can be used to indicate that kinit should open - the KDC database and look up the key directly. This permits an - administrator to obtain tickets as any principal that supports - authentication based on the key. - -**-n** - Requests anonymous processing. Two types of anonymous principals - are supported. - - For fully anonymous Kerberos, configure pkinit on the KDC and - configure **pkinit_anchors** in the client's :ref:`krb5.conf(5)`. - Then use the **-n** option with a principal of the form ``@REALM`` - (an empty principal name followed by the at-sign and a realm - name). If permitted by the KDC, an anonymous ticket will be - returned. - - A second form of anonymous tickets is supported; these - realm-exposed tickets hide the identity of the client but not the - client's realm. For this mode, use ``kinit -n`` with a normal - principal name. If supported by the KDC, the principal (but not - realm) will be replaced by the anonymous principal. - - As of release 1.8, the MIT Kerberos KDC only supports fully - anonymous operation. - -**-I** *input_ccache* - - Specifies the name of a credentials cache that already contains a - ticket. When obtaining that ticket, if information about how that - ticket was obtained was also stored to the cache, that information - will be used to affect how new credentials are obtained, including - preselecting the same methods of authenticating to the KDC. - -**-T** *armor_ccache* - Specifies the name of a credentials cache that already contains a - ticket. If supported by the KDC, this cache will be used to armor - the request, preventing offline dictionary attacks and allowing - the use of additional preauthentication mechanisms. Armoring also - makes sure that the response from the KDC is not modified in - transit. - -**-c** *cache_name* - use *cache_name* as the Kerberos 5 credentials (ticket) cache - location. If this option is not used, the default cache location - is used. - - The default cache location may vary between systems. If the - **KRB5CCNAME** environment variable is set, its value is used to - locate the default cache. If a principal name is specified and - the type of the default cache supports a collection (such as the - DIR type), an existing cache containing credentials for the - principal is selected or a new one is created and becomes the new - primary cache. Otherwise, any existing contents of the default - cache are destroyed by kinit. - -**-S** *service_name* - specify an alternate service name to use when getting initial - tickets. - -**-X** *attribute*\ [=\ *value*] - specify a pre-authentication *attribute* and *value* to be - interpreted by pre-authentication modules. The acceptable - attribute and value values vary from module to module. This - option may be specified multiple times to specify multiple - attributes. If no value is specified, it is assumed to be "yes". - - The following attributes are recognized by the PKINIT - pre-authentication mechanism: - - **X509_user_identity**\ =\ *value* - specify where to find user's X509 identity information - - **X509_anchors**\ =\ *value* - specify where to find trusted X509 anchor information - - **flag_RSA_PROTOCOL**\ [**=yes**] - specify use of RSA, rather than the default Diffie-Hellman - protocol - - **disable_freshness**\ [**=yes**] - disable sending freshness tokens (for testing purposes only) - -**--request-pac** | **--no-request-pac** - mutually exclusive. If **--request-pac** is set, ask the KDC to - include a PAC in authdata; if **--no-request-pac** is set, ask the - KDC not to include a PAC; if neither are set, the KDC will follow - its default, which is typically is to include a PAC if doing so is - supported. - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -FILES ------ - -|ccache| - default location of Kerberos 5 credentials cache - -|keytab| - default location for the local host's keytab. - - -SEE ALSO --------- - -:ref:`klist(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/html/_sources/user/user_commands/klist.rst.txt b/crypto/krb5/doc/html/_sources/user/user_commands/klist.rst.txt deleted file mode 100644 index eb5564508924..000000000000 --- a/crypto/krb5/doc/html/_sources/user/user_commands/klist.rst.txt +++ /dev/null @@ -1,129 +0,0 @@ -.. _klist(1): - -klist -===== - -SYNOPSIS --------- - -**klist** -[**-e**] -[[**-c**] [**-l**] [**-A**] [**-f**] [**-s**] [**-a** [**-n**]]] -[**-C**] -[**-k** [**-i**] [**-t**] [**-K**]] -[**-V**] -[**-d**] -[*cache_name*\|\ *keytab_name*] - - -DESCRIPTION ------------ - -klist lists the Kerberos principal and Kerberos tickets held in a -credentials cache, or the keys held in a keytab file. - - -OPTIONS -------- - -**-e** - Displays the encryption types of the session key and the ticket - for each credential in the credential cache, or each key in the - keytab file. - -**-l** - If a cache collection is available, displays a table summarizing - the caches present in the collection. - -**-A** - If a cache collection is available, displays the contents of all - of the caches in the collection. - -**-c** - List tickets held in a credentials cache. This is the default if - neither **-c** nor **-k** is specified. - -**-f** - Shows the flags present in the credentials, using the following - abbreviations:: - - F Forwardable - f forwarded - P Proxiable - p proxy - D postDateable - d postdated - R Renewable - I Initial - i invalid - H Hardware authenticated - A preAuthenticated - T Transit policy checked - O Okay as delegate - a anonymous - -**-s** - Causes klist to run silently (produce no output). klist will exit - with status 1 if the credentials cache cannot be read or is - expired, and with status 0 otherwise. - -**-a** - Display list of addresses in credentials. - -**-n** - Show numeric addresses instead of reverse-resolving addresses. - -**-C** - List configuration data that has been stored in the credentials - cache when klist encounters it. By default, configuration data - is not listed. - -**-k** - List keys held in a keytab file. - -**-i** - In combination with **-k**, defaults to using the default client - keytab instead of the default acceptor keytab, if no name is - given. - -**-t** - Display the time entry timestamps for each keytab entry in the - keytab file. - -**-K** - Display the value of the encryption key in each keytab entry in - the keytab file. - -**-d** - Display the authdata types (if any) for each entry. - -**-V** - Display the Kerberos version number and exit. - -If *cache_name* or *keytab_name* is not specified, klist will display -the credentials in the default credentials cache or keytab file as -appropriate. If the **KRB5CCNAME** environment variable is set, its -value is used to locate the default ticket cache. - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -FILES ------ - -|ccache| - Default location of Kerberos 5 credentials cache - -|keytab| - Default location for the local host's keytab file. - - -SEE ALSO --------- - -:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/html/_sources/user/user_commands/kpasswd.rst.txt b/crypto/krb5/doc/html/_sources/user/user_commands/kpasswd.rst.txt deleted file mode 100644 index 0583bbd059aa..000000000000 --- a/crypto/krb5/doc/html/_sources/user/user_commands/kpasswd.rst.txt +++ /dev/null @@ -1,46 +0,0 @@ -.. _kpasswd(1): - -kpasswd -======= - -SYNOPSIS --------- - -**kpasswd** [*principal*] - - -DESCRIPTION ------------ - -The kpasswd command is used to change a Kerberos principal's password. -kpasswd first prompts for the current Kerberos password, then prompts -the user twice for the new password, and the password is changed. - -If the principal is governed by a policy that specifies the length -and/or number of character classes required in the new password, the -new password must conform to the policy. (The five character classes -are lower case, upper case, numbers, punctuation, and all other -characters.) - - -OPTIONS -------- - -*principal* - Change the password for the Kerberos principal principal. - Otherwise, kpasswd uses the principal name from an existing ccache - if there is one; if not, the principal is derived from the - identity of the user invoking the kpasswd command. - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -SEE ALSO --------- - -:ref:`kadmin(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/html/_sources/user/user_commands/krb5-config.rst.txt b/crypto/krb5/doc/html/_sources/user/user_commands/krb5-config.rst.txt deleted file mode 100644 index 2c09141a194f..000000000000 --- a/crypto/krb5/doc/html/_sources/user/user_commands/krb5-config.rst.txt +++ /dev/null @@ -1,83 +0,0 @@ -.. _krb5-config(1): - -krb5-config -=========== - -SYNOPSIS --------- - -**krb5-config** -[**-**\ **-help** | **-**\ **-all** | **-**\ **-version** | **-**\ **-vendor** | **-**\ **-prefix** | **-**\ **-exec-prefix** | **-**\ **-defccname** | **-**\ **-defktname** | **-**\ **-defcktname** | **-**\ **-cflags** | **-**\ **-libs** [*libraries*]] - - -DESCRIPTION ------------ - -krb5-config tells the application programmer what flags to use to compile -and link programs against the installed Kerberos libraries. - - -OPTIONS -------- - -**-**\ **-help** - prints a usage message. This is the default behavior when no options - are specified. - -**-**\ **-all** - prints the version, vendor, prefix, and exec-prefix. - -**-**\ **-version** - prints the version number of the Kerberos installation. - -**-**\ **-vendor** - prints the name of the vendor of the Kerberos installation. - -**-**\ **-prefix** - prints the prefix for which the Kerberos installation was built. - -**-**\ **-exec-prefix** - prints the prefix for executables for which the Kerberos installation - was built. - -**-**\ **-defccname** - prints the built-in default credentials cache location. - -**-**\ **-defktname** - prints the built-in default keytab location. - -**-**\ **-defcktname** - prints the built-in default client (initiator) keytab location. - -**-**\ **-cflags** - prints the compilation flags used to build the Kerberos installation. - -**-**\ **-libs** [*library*] - prints the compiler options needed to link against *library*. - Allowed values for *library* are: - - ============ =============================================== - krb5 Kerberos 5 applications (default) - gssapi GSSAPI applications with Kerberos 5 bindings - kadm-client Kadmin client - kadm-server Kadmin server - kdb Applications that access the Kerberos database - ============ =============================================== - -EXAMPLES --------- - -krb5-config is particularly useful for compiling against a Kerberos -installation that was installed in a non-standard location. For example, -a Kerberos installation that is installed in ``/opt/krb5/`` but uses -libraries in ``/usr/local/lib/`` for text localization would produce -the following output:: - - shell% krb5-config --libs krb5 - -L/opt/krb5/lib -Wl,-rpath -Wl,/opt/krb5/lib -L/usr/local/lib -lkrb5 -lk5crypto -lcom_err - - -SEE ALSO --------- - -:ref:`kerberos(7)`, cc(1) diff --git a/crypto/krb5/doc/html/_sources/user/user_commands/ksu.rst.txt b/crypto/krb5/doc/html/_sources/user/user_commands/ksu.rst.txt deleted file mode 100644 index 933738229ad7..000000000000 --- a/crypto/krb5/doc/html/_sources/user/user_commands/ksu.rst.txt +++ /dev/null @@ -1,411 +0,0 @@ -.. _ksu(1): - -ksu -=== - -SYNOPSIS --------- - -**ksu** -[ *target_user* ] -[ **-n** *target_principal_name* ] -[ **-c** *source_cache_name* ] -[ **-k** ] -[ **-r** time ] -[ **-p** | **-P**] -[ **-f** | **-F**] -[ **-l** *lifetime* ] -[ **-z | Z** ] -[ **-q** ] -[ **-e** *command* [ args ... ] ] [ **-a** [ args ... ] ] - - -REQUIREMENTS ------------- - -Must have Kerberos version 5 installed to compile ksu. Must have a -Kerberos version 5 server running to use ksu. - - -DESCRIPTION ------------ - -ksu is a Kerberized version of the su program that has two missions: -one is to securely change the real and effective user ID to that of -the target user, and the other is to create a new security context. - -.. note:: - - For the sake of clarity, all references to and attributes of - the user invoking the program will start with "source" - (e.g., "source user", "source cache", etc.). - - Likewise, all references to and attributes of the target - account will start with "target". - -AUTHENTICATION --------------- - -To fulfill the first mission, ksu operates in two phases: -authentication and authorization. Resolving the target principal name -is the first step in authentication. The user can either specify his -principal name with the **-n** option (e.g., ``-n jqpublic@USC.EDU``) -or a default principal name will be assigned using a heuristic -described in the OPTIONS section (see **-n** option). The target user -name must be the first argument to ksu; if not specified root is the -default. If ``.`` is specified then the target user will be the -source user (e.g., ``ksu .``). If the source user is root or the -target user is the source user, no authentication or authorization -takes place. Otherwise, ksu looks for an appropriate Kerberos ticket -in the source cache. - -The ticket can either be for the end-server or a ticket granting -ticket (TGT) for the target principal's realm. If the ticket for the -end-server is already in the cache, it's decrypted and verified. If -it's not in the cache but the TGT is, the TGT is used to obtain the -ticket for the end-server. The end-server ticket is then verified. -If neither ticket is in the cache, but ksu is compiled with the -**GET_TGT_VIA_PASSWD** define, the user will be prompted for a -Kerberos password which will then be used to get a TGT. If the user -is logged in remotely and does not have a secure channel, the password -may be exposed. If neither ticket is in the cache and -**GET_TGT_VIA_PASSWD** is not defined, authentication fails. - - -AUTHORIZATION -------------- - -This section describes authorization of the source user when ksu is -invoked without the **-e** option. For a description of the **-e** -option, see the OPTIONS section. - -Upon successful authentication, ksu checks whether the target -principal is authorized to access the target account. In the target -user's home directory, ksu attempts to access two authorization files: -:ref:`.k5login(5)` and .k5users. In the .k5login file each line -contains the name of a principal that is authorized to access the -account. - -For example:: - - jqpublic@USC.EDU - jqpublic/secure@USC.EDU - jqpublic/admin@USC.EDU - -The format of .k5users is the same, except the principal name may be -followed by a list of commands that the principal is authorized to -execute (see the **-e** option in the OPTIONS section for details). - -Thus if the target principal name is found in the .k5login file the -source user is authorized to access the target account. Otherwise ksu -looks in the .k5users file. If the target principal name is found -without any trailing commands or followed only by ``*`` then the -source user is authorized. If either .k5login or .k5users exist but -an appropriate entry for the target principal does not exist then -access is denied. If neither file exists then the principal will be -granted access to the account according to the aname->lname mapping -rules. Otherwise, authorization fails. - - -EXECUTION OF THE TARGET SHELL ------------------------------ - -Upon successful authentication and authorization, ksu proceeds in a -similar fashion to su. The environment is unmodified with the -exception of USER, HOME and SHELL variables. If the target user is -not root, USER gets set to the target user name. Otherwise USER -remains unchanged. Both HOME and SHELL are set to the target login's -default values. In addition, the environment variable **KRB5CCNAME** -gets set to the name of the target cache. The real and effective user -ID are changed to that of the target user. The target user's shell is -then invoked (the shell name is specified in the password file). Upon -termination of the shell, ksu deletes the target cache (unless ksu is -invoked with the **-k** option). This is implemented by first doing a -fork and then an exec, instead of just exec, as done by su. - - -CREATING A NEW SECURITY CONTEXT -------------------------------- - -ksu can be used to create a new security context for the target -program (either the target shell, or command specified via the **-e** -option). The target program inherits a set of credentials from the -source user. By default, this set includes all of the credentials in -the source cache plus any additional credentials obtained during -authentication. The source user is able to limit the credentials in -this set by using **-z** or **-Z** option. **-z** restricts the copy -of tickets from the source cache to the target cache to only the -tickets where client == the target principal name. The **-Z** option -provides the target user with a fresh target cache (no creds in the -cache). Note that for security reasons, when the source user is root -and target user is non-root, **-z** option is the default mode of -operation. - -While no authentication takes place if the source user is root or is -the same as the target user, additional tickets can still be obtained -for the target cache. If **-n** is specified and no credentials can -be copied to the target cache, the source user is prompted for a -Kerberos password (unless **-Z** specified or **GET_TGT_VIA_PASSWD** -is undefined). If successful, a TGT is obtained from the Kerberos -server and stored in the target cache. Otherwise, if a password is -not provided (user hit return) ksu continues in a normal mode of -operation (the target cache will not contain the desired TGT). If the -wrong password is typed in, ksu fails. - -.. note:: - - During authentication, only the tickets that could be - obtained without providing a password are cached in the - source cache. - - -OPTIONS -------- - -**-n** *target_principal_name* - Specify a Kerberos target principal name. Used in authentication - and authorization phases of ksu. - - If ksu is invoked without **-n**, a default principal name is - assigned via the following heuristic: - - * Case 1: source user is non-root. - - If the target user is the source user the default principal name - is set to the default principal of the source cache. If the - cache does not exist then the default principal name is set to - ``target_user@local_realm``. If the source and target users are - different and neither ``~target_user/.k5users`` nor - ``~target_user/.k5login`` exist then the default principal name - is ``target_user_login_name@local_realm``. Otherwise, starting - with the first principal listed below, ksu checks if the - principal is authorized to access the target account and whether - there is a legitimate ticket for that principal in the source - cache. If both conditions are met that principal becomes the - default target principal, otherwise go to the next principal. - - a) default principal of the source cache - b) target_user\@local_realm - c) source_user\@local_realm - - If a-c fails try any principal for which there is a ticket in - the source cache and that is authorized to access the target - account. If that fails select the first principal that is - authorized to access the target account from the above list. If - none are authorized and ksu is configured with - **PRINC_LOOK_AHEAD** turned on, select the default principal as - follows: - - For each candidate in the above list, select an authorized - principal that has the same realm name and first part of the - principal name equal to the prefix of the candidate. For - example if candidate a) is ``jqpublic@ISI.EDU`` and - ``jqpublic/secure@ISI.EDU`` is authorized to access the target - account then the default principal is set to - ``jqpublic/secure@ISI.EDU``. - - * Case 2: source user is root. - - If the target user is non-root then the default principal name - is ``target_user@local_realm``. Else, if the source cache - exists the default principal name is set to the default - principal of the source cache. If the source cache does not - exist, default principal name is set to ``root\@local_realm``. - -**-c** *source_cache_name* - - Specify source cache name (e.g., ``-c FILE:/tmp/my_cache``). If - **-c** option is not used then the name is obtained from - **KRB5CCNAME** environment variable. If **KRB5CCNAME** is not - defined the source cache name is set to ``krb5cc_<source uid>``. - The target cache name is automatically set to ``krb5cc_<target - uid>.(gen_sym())``, where gen_sym generates a new number such that - the resulting cache does not already exist. For example:: - - krb5cc_1984.2 - -**-k** - Do not delete the target cache upon termination of the target - shell or a command (**-e** command). Without **-k**, ksu deletes - the target cache. - -**-z** - Restrict the copy of tickets from the source cache to the target - cache to only the tickets where client == the target principal - name. Use the **-n** option if you want the tickets for other then - the default principal. Note that the **-z** option is mutually - exclusive with the **-Z** option. - -**-Z** - Don't copy any tickets from the source cache to the target cache. - Just create a fresh target cache, where the default principal name - of the cache is initialized to the target principal name. Note - that the **-Z** option is mutually exclusive with the **-z** - option. - -**-q** - Suppress the printing of status messages. - -Ticket granting ticket options: - -**-l** *lifetime* **-r** *time* **-p** **-P** **-f** **-F** - The ticket granting ticket options only apply to the case where - there are no appropriate tickets in the cache to authenticate the - source user. In this case if ksu is configured to prompt users - for a Kerberos password (**GET_TGT_VIA_PASSWD** is defined), the - ticket granting ticket options that are specified will be used - when getting a ticket granting ticket from the Kerberos server. - -**-l** *lifetime* - (:ref:`duration` string.) Specifies the lifetime to be requested - for the ticket; if this option is not specified, the default ticket - lifetime (12 hours) is used instead. - -**-r** *time* - (:ref:`duration` string.) Specifies that the **renewable** option - should be requested for the ticket, and specifies the desired - total lifetime of the ticket. - -**-p** - specifies that the **proxiable** option should be requested for - the ticket. - -**-P** - specifies that the **proxiable** option should not be requested - for the ticket, even if the default configuration is to ask for - proxiable tickets. - -**-f** - option specifies that the **forwardable** option should be - requested for the ticket. - -**-F** - option specifies that the **forwardable** option should not be - requested for the ticket, even if the default configuration is to - ask for forwardable tickets. - -**-e** *command* [*args* ...] - ksu proceeds exactly the same as if it was invoked without the - **-e** option, except instead of executing the target shell, ksu - executes the specified command. Example of usage:: - - ksu bob -e ls -lag - - The authorization algorithm for **-e** is as follows: - - If the source user is root or source user == target user, no - authorization takes place and the command is executed. If source - user id != 0, and ``~target_user/.k5users`` file does not exist, - authorization fails. Otherwise, ``~target_user/.k5users`` file - must have an appropriate entry for target principal to get - authorized. - - The .k5users file format: - - A single principal entry on each line that may be followed by a - list of commands that the principal is authorized to execute. A - principal name followed by a ``*`` means that the user is - authorized to execute any command. Thus, in the following - example:: - - jqpublic@USC.EDU ls mail /local/kerberos/klist - jqpublic/secure@USC.EDU * - jqpublic/admin@USC.EDU - - ``jqpublic@USC.EDU`` is only authorized to execute ``ls``, - ``mail`` and ``klist`` commands. ``jqpublic/secure@USC.EDU`` is - authorized to execute any command. ``jqpublic/admin@USC.EDU`` is - not authorized to execute any command. Note, that - ``jqpublic/admin@USC.EDU`` is authorized to execute the target - shell (regular ksu, without the **-e** option) but - ``jqpublic@USC.EDU`` is not. - - The commands listed after the principal name must be either a full - path names or just the program name. In the second case, - **CMD_PATH** specifying the location of authorized programs must - be defined at the compilation time of ksu. Which command gets - executed? - - If the source user is root or the target user is the source user - or the user is authorized to execute any command (``*`` entry) - then command can be either a full or a relative path leading to - the target program. Otherwise, the user must specify either a - full path or just the program name. - -**-a** *args* - Specify arguments to be passed to the target shell. Note that all - flags and parameters following -a will be passed to the shell, - thus all options intended for ksu must precede **-a**. - - The **-a** option can be used to simulate the **-e** option if - used as follows:: - - -a -c [command [arguments]]. - - **-c** is interpreted by the c-shell to execute the command. - - -INSTALLATION INSTRUCTIONS -------------------------- - -ksu can be compiled with the following four flags: - -**GET_TGT_VIA_PASSWD** - In case no appropriate tickets are found in the source cache, the - user will be prompted for a Kerberos password. The password is - then used to get a ticket granting ticket from the Kerberos - server. The danger of configuring ksu with this macro is if the - source user is logged in remotely and does not have a secure - channel, the password may get exposed. - -**PRINC_LOOK_AHEAD** - During the resolution of the default principal name, - **PRINC_LOOK_AHEAD** enables ksu to find principal names in - the .k5users file as described in the OPTIONS section - (see **-n** option). - -**CMD_PATH** - Specifies a list of directories containing programs that users are - authorized to execute (via .k5users file). - -**HAVE_GETUSERSHELL** - If the source user is non-root, ksu insists that the target user's - shell to be invoked is a "legal shell". *getusershell(3)* is - called to obtain the names of "legal shells". Note that the - target user's shell is obtained from the passwd file. - -Sample configuration:: - - KSU_OPTS = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin" - -ksu should be owned by root and have the set user id bit turned on. - -ksu attempts to get a ticket for the end server just as Kerberized -telnet and rlogin. Thus, there must be an entry for the server in the -Kerberos database (e.g., ``host/nii.isi.edu@ISI.EDU``). The keytab -file must be in an appropriate location. - - -SIDE EFFECTS ------------- - -ksu deletes all expired tickets from the source cache. - - -AUTHOR OF KSU -------------- - -GENNADY (ARI) MEDVINSKY - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -SEE ALSO --------- - -:ref:`kerberos(7)`, :ref:`kinit(1)` diff --git a/crypto/krb5/doc/html/_sources/user/user_commands/kswitch.rst.txt b/crypto/krb5/doc/html/_sources/user/user_commands/kswitch.rst.txt deleted file mode 100644 index 010332e6ac7b..000000000000 --- a/crypto/krb5/doc/html/_sources/user/user_commands/kswitch.rst.txt +++ /dev/null @@ -1,50 +0,0 @@ -.. _kswitch(1): - -kswitch -======= - -SYNOPSIS --------- - -**kswitch** -{**-c** *cachename*\|\ **-p** *principal*} - - -DESCRIPTION ------------ - -kswitch makes the specified credential cache the primary cache for the -collection, if a cache collection is available. - - -OPTIONS -------- - -**-c** *cachename* - Directly specifies the credential cache to be made primary. - -**-p** *principal* - Causes the cache collection to be searched for a cache containing - credentials for *principal*. If one is found, that collection is - made primary. - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -FILES ------ - -|ccache| - Default location of Kerberos 5 credentials cache - - -SEE ALSO --------- - -:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`klist(1)`, -:ref:`kerberos(7)` diff --git a/crypto/krb5/doc/html/_sources/user/user_commands/kvno.rst.txt b/crypto/krb5/doc/html/_sources/user/user_commands/kvno.rst.txt deleted file mode 100644 index 970fbb47759e..000000000000 --- a/crypto/krb5/doc/html/_sources/user/user_commands/kvno.rst.txt +++ /dev/null @@ -1,119 +0,0 @@ -.. _kvno(1): - -kvno -==== - -SYNOPSIS --------- - -**kvno** -[**-c** *ccache*] -[**-e** *etype*] -[**-k** *keytab*] -[**-q**] -[**-u** | **-S** *sname*] -[**-P**] -[**--cached-only**] -[**--no-store**] -[**--out-cache** *cache*] -[[{**-F** *cert_file* | {**-I** | **-U**} *for_user*} [**-P**]] | **--u2u** *ccache*] -*service1 service2* ... - - -DESCRIPTION ------------ - -kvno acquires a service ticket for the specified Kerberos principals -and prints out the key version numbers of each. - - -OPTIONS -------- - -**-c** *ccache* - Specifies the name of a credentials cache to use (if not the - default) - -**-e** *etype* - Specifies the enctype which will be requested for the session key - of all the services named on the command line. This is useful in - certain backward compatibility situations. - -**-k** *keytab* - Decrypt the acquired tickets using *keytab* to confirm their - validity. - -**-q** - Suppress printing output when successful. If a service ticket - cannot be obtained, an error message will still be printed and - kvno will exit with nonzero status. - -**-u** - Use the unknown name type in requested service principal names. - This option Cannot be used with *-S*. - -**-P** - Specifies that the *service1 service2* ... arguments are to be - treated as services for which credentials should be acquired using - constrained delegation. This option is only valid when used in - conjunction with protocol transition. - -**-S** *sname* - Specifies that the *service1 service2* ... arguments are - interpreted as hostnames, and the service principals are to be - constructed from those hostnames and the service name *sname*. - The service hostnames will be canonicalized according to the usual - rules for constructing service principals. - -**-I** *for_user* - Specifies that protocol transition (S4U2Self) is to be used to - acquire a ticket on behalf of *for_user*. If constrained - delegation is not requested, the service name must match the - credentials cache client principal. - -**-U** *for_user* - Same as -I, but treats *for_user* as an enterprise name. - -**-F** *cert_file* - Specifies that protocol transition is to be used, identifying the - client principal with the X.509 certificate in *cert_file*. The - certificate file must be in PEM format. - -**--cached-only** - Only retrieve credentials already present in the cache, not from - the KDC. (Added in release 1.19.) - -**--no-store** - Do not store retrieved credentials in the cache. If - **--out-cache** is also specified, credentials will still be - stored into the output credential cache. (Added in release 1.19.) - -**--out-cache** *ccache* - Initialize *ccache* and store all retrieved credentials into it. - Do not store acquired credentials in the input cache. (Added in - release 1.19.) - -**--u2u** *ccache* - Requests a user-to-user ticket. *ccache* must contain a local - krbtgt ticket for the server principal. The reported version - number will typically be 0, as the resulting ticket is not - encrypted in the server's long-term key. - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -FILES ------ - -|ccache| - Default location of the credentials cache - - -SEE ALSO --------- - -:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/html/_sources/user/user_commands/sclient.rst.txt b/crypto/krb5/doc/html/_sources/user/user_commands/sclient.rst.txt deleted file mode 100644 index 1e3d38f82d32..000000000000 --- a/crypto/krb5/doc/html/_sources/user/user_commands/sclient.rst.txt +++ /dev/null @@ -1,30 +0,0 @@ -.. _sclient(1): - -sclient -======= - -SYNOPSIS --------- - -**sclient** *remotehost* - - -DESCRIPTION ------------ - -sclient is a sample application, primarily useful for testing -purposes. It contacts a sample server :ref:`sserver(8)` and -authenticates to it using Kerberos version 5 tickets, then displays -the server's response. - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -SEE ALSO --------- - -:ref:`kinit(1)`, :ref:`sserver(8)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/html/_sources/user/user_config/index.rst.txt b/crypto/krb5/doc/html/_sources/user/user_config/index.rst.txt deleted file mode 100644 index ad0dc1a72f8f..000000000000 --- a/crypto/krb5/doc/html/_sources/user/user_config/index.rst.txt +++ /dev/null @@ -1,13 +0,0 @@ -User config files -================= - -The following files in your home directory can be used to control the -behavior of Kerberos as it applies to your account (unless they have -been disabled by your host's configuration): - -.. toctree:: - :maxdepth: 1 - - kerberos.rst - k5login.rst - k5identity.rst diff --git a/crypto/krb5/doc/html/_sources/user/user_config/k5identity.rst.txt b/crypto/krb5/doc/html/_sources/user/user_config/k5identity.rst.txt deleted file mode 100644 index cf5d95e56cfd..000000000000 --- a/crypto/krb5/doc/html/_sources/user/user_config/k5identity.rst.txt +++ /dev/null @@ -1,64 +0,0 @@ -.. _.k5identity(5): - -.k5identity -=========== - -DESCRIPTION ------------ - -The .k5identity file, which resides in a user's home directory, -contains a list of rules for selecting a client principals based on -the server being accessed. These rules are used to choose a -credential cache within the cache collection when possible. - -Blank lines and lines beginning with ``#`` are ignored. Each line has -the form: - - *principal* *field*\=\ *value* ... - -If the server principal meets all of the field constraints, then -principal is chosen as the client principal. The following fields are -recognized: - -**realm** - If the realm of the server principal is known, it is matched - against *value*, which may be a pattern using shell wildcards. - For host-based server principals, the realm will generally only be - known if there is a :ref:`domain_realm` section in - :ref:`krb5.conf(5)` with a mapping for the hostname. - -**service** - If the server principal is a host-based principal, its service - component is matched against *value*, which may be a pattern using - shell wildcards. - -**host** - If the server principal is a host-based principal, its hostname - component is converted to lower case and matched against *value*, - which may be a pattern using shell wildcards. - - If the server principal matches the constraints of multiple lines - in the .k5identity file, the principal from the first matching - line is used. If no line matches, credentials will be selected - some other way, such as the realm heuristic or the current primary - cache. - - -EXAMPLE -------- - -The following example .k5identity file selects the client principal -``alice@KRBTEST.COM`` if the server principal is within that realm, -the principal ``alice/root@EXAMPLE.COM`` if the server host is within -a servers subdomain, and the principal ``alice/mail@EXAMPLE.COM`` when -accessing the IMAP service on ``mail.example.com``:: - - alice@KRBTEST.COM realm=KRBTEST.COM - alice/root@EXAMPLE.COM host=*.servers.example.com - alice/mail@EXAMPLE.COM host=mail.example.com service=imap - - -SEE ALSO --------- - -kerberos(1), :ref:`krb5.conf(5)` diff --git a/crypto/krb5/doc/html/_sources/user/user_config/k5login.rst.txt b/crypto/krb5/doc/html/_sources/user/user_config/k5login.rst.txt deleted file mode 100644 index 8a9753da336e..000000000000 --- a/crypto/krb5/doc/html/_sources/user/user_config/k5login.rst.txt +++ /dev/null @@ -1,54 +0,0 @@ -.. _.k5login(5): - -.k5login -======== - -DESCRIPTION ------------ - -The .k5login file, which resides in a user's home directory, contains -a list of the Kerberos principals. Anyone with valid tickets for a -principal in the file is allowed host access with the UID of the user -in whose home directory the file resides. One common use is to place -a .k5login file in root's home directory, thereby granting system -administrators remote root access to the host via Kerberos. - - -EXAMPLES --------- - -Suppose the user ``alice`` had a .k5login file in her home directory -containing just the following line:: - - bob@FOOBAR.ORG - -This would allow ``bob`` to use Kerberos network applications, such as -ssh(1), to access ``alice``'s account, using ``bob``'s Kerberos -tickets. In a default configuration (with **k5login_authoritative** set -to true in :ref:`krb5.conf(5)`), this .k5login file would not let -``alice`` use those network applications to access her account, since -she is not listed! With no .k5login file, or with **k5login_authoritative** -set to false, a default rule would permit the principal ``alice`` in the -machine's default realm to access the ``alice`` account. - -Let us further suppose that ``alice`` is a system administrator. -Alice and the other system administrators would have their principals -in root's .k5login file on each host:: - - alice@BLEEP.COM - - joeadmin/root@BLEEP.COM - -This would allow either system administrator to log in to these hosts -using their Kerberos tickets instead of having to type the root -password. Note that because ``bob`` retains the Kerberos tickets for -his own principal, ``bob@FOOBAR.ORG``, he would not have any of the -privileges that require ``alice``'s tickets, such as root access to -any of the site's hosts, or the ability to change ``alice``'s -password. - - -SEE ALSO --------- - -kerberos(1) diff --git a/crypto/krb5/doc/html/_sources/user/user_config/kerberos.rst.txt b/crypto/krb5/doc/html/_sources/user/user_config/kerberos.rst.txt deleted file mode 100644 index 1830447a2abd..000000000000 --- a/crypto/krb5/doc/html/_sources/user/user_config/kerberos.rst.txt +++ /dev/null @@ -1,185 +0,0 @@ -.. _kerberos(7): - -kerberos -======== - -DESCRIPTION ------------ - -The Kerberos system authenticates individual users in a network -environment. After authenticating yourself to Kerberos, you can use -Kerberos-enabled programs without having to present passwords or -certificates to those programs. - -If you receive the following response from :ref:`kinit(1)`: - -kinit: Client not found in Kerberos database while getting initial -credentials - -you haven't been registered as a Kerberos user. See your system -administrator. - -A Kerberos name usually contains three parts. The first is the -**primary**, which is usually a user's or service's name. The second -is the **instance**, which in the case of a user is usually null. -Some users may have privileged instances, however, such as ``root`` or -``admin``. In the case of a service, the instance is the fully -qualified name of the machine on which it runs; i.e. there can be an -ssh service running on the machine ABC (ssh/ABC@REALM), which is -different from the ssh service running on the machine XYZ -(ssh/XYZ@REALM). The third part of a Kerberos name is the **realm**. -The realm corresponds to the Kerberos service providing authentication -for the principal. Realms are conventionally all-uppercase, and often -match the end of hostnames in the realm (for instance, host01.example.com -might be in realm EXAMPLE.COM). - -When writing a Kerberos name, the principal name is separated from the -instance (if not null) by a slash, and the realm (if not the local -realm) follows, preceded by an "@" sign. The following are examples -of valid Kerberos names:: - - david - jennifer/admin - joeuser@BLEEP.COM - cbrown/root@FUBAR.ORG - -When you authenticate yourself with Kerberos you get an initial -Kerberos **ticket**. (A Kerberos ticket is an encrypted protocol -message that provides authentication.) Kerberos uses this ticket for -network utilities such as ssh. The ticket transactions are done -transparently, so you don't have to worry about their management. - -Note, however, that tickets expire. Administrators may configure more -privileged tickets, such as those with service or instance of ``root`` -or ``admin``, to expire in a few minutes, while tickets that carry -more ordinary privileges may be good for several hours or a day. If -your login session extends beyond the time limit, you will have to -re-authenticate yourself to Kerberos to get new tickets using the -:ref:`kinit(1)` command. - -Some tickets are **renewable** beyond their initial lifetime. This -means that ``kinit -R`` can extend their lifetime without requiring -you to re-authenticate. - -If you wish to delete your local tickets, use the :ref:`kdestroy(1)` -command. - -Kerberos tickets can be forwarded. In order to forward tickets, you -must request **forwardable** tickets when you kinit. Once you have -forwardable tickets, most Kerberos programs have a command line option -to forward them to the remote host. This can be useful for, e.g., -running kinit on your local machine and then sshing into another to do -work. Note that this should not be done on untrusted machines since -they will then have your tickets. - -ENVIRONMENT VARIABLES ---------------------- - -Several environment variables affect the operation of Kerberos-enabled -programs. These include: - -**KRB5CCNAME** - Default name for the credentials cache file, in the form - *TYPE*:*residual*. The type of the default cache may determine - the availability of a cache collection. ``FILE`` is not a - collection type; ``KEYRING``, ``DIR``, and ``KCM`` are. - - If not set, the value of **default_ccache_name** from - configuration files (see **KRB5_CONFIG**) will be used. If that - is also not set, the default *type* is ``FILE``, and the - *residual* is the path /tmp/krb5cc_*uid*, where *uid* is the - decimal user ID of the user. - -**KRB5_KTNAME** - Specifies the location of the default keytab file, in the form - *TYPE*:*residual*. If no *type* is present, the **FILE** type is - assumed and *residual* is the pathname of the keytab file. If - unset, |keytab| will be used. - -**KRB5_CONFIG** - Specifies the location of the Kerberos configuration file. The - default is |sysconfdir|\ ``/krb5.conf``. Multiple filenames can - be specified, separated by a colon; all files which are present - will be read. - -**KRB5_KDC_PROFILE** - Specifies the location of the KDC configuration file, which - contains additional configuration directives for the Key - Distribution Center daemon and associated programs. The default - is |kdcdir|\ ``/kdc.conf``. - -**KRB5RCACHENAME** - (New in release 1.18) Specifies the location of the default replay - cache, in the form *type*:*residual*. The ``file2`` type with a - pathname residual specifies a replay cache file in the version-2 - format in the specified location. The ``none`` type (residual is - ignored) disables the replay cache. The ``dfl`` type (residual is - ignored) indicates the default, which uses a file2 replay cache in - a temporary directory. The default is ``dfl:``. - -**KRB5RCACHETYPE** - Specifies the type of the default replay cache, if - **KRB5RCACHENAME** is unspecified. No residual can be specified, - so ``none`` and ``dfl`` are the only useful types. - -**KRB5RCACHEDIR** - Specifies the directory used by the ``dfl`` replay cache type. - The default is the value of the **TMPDIR** environment variable, - or ``/var/tmp`` if **TMPDIR** is not set. - -**KRB5_TRACE** - Specifies a filename to write trace log output to. Trace logs can - help illuminate decisions made internally by the Kerberos - libraries. For example, ``env KRB5_TRACE=/dev/stderr kinit`` - would send tracing information for :ref:`kinit(1)` to - ``/dev/stderr``. The default is not to write trace log output - anywhere. - -**KRB5_CLIENT_KTNAME** - Default client keytab file name. If unset, |ckeytab| will be - used). - -**KPROP_PORT** - :ref:`kprop(8)` port to use. Defaults to 754. - -**GSS_MECH_CONFIG** - Specifies a filename containing GSSAPI mechanism module - configuration. The default is to read |sysconfdir|\ ``/gss/mech`` - and files with a ``.conf`` suffix within the directory - |sysconfdir|\ ``/gss/mech.d``. - -Most environment variables are disabled for certain programs, such as -login system programs and setuid programs, which are designed to be -secure when run within an untrusted process environment. - -SEE ALSO --------- - -:ref:`kdestroy(1)`, :ref:`kinit(1)`, :ref:`klist(1)`, -:ref:`kswitch(1)`, :ref:`kpasswd(1)`, :ref:`ksu(1)`, -:ref:`krb5.conf(5)`, :ref:`kdc.conf(5)`, :ref:`kadmin(1)`, -:ref:`kadmind(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)` - -BUGS ----- - -AUTHORS -------- - -| Steve Miller, MIT Project Athena/Digital Equipment Corporation -| Clifford Neuman, MIT Project Athena -| Greg Hudson, MIT Kerberos Consortium -| Robbie Harwood, Red Hat, Inc. - -HISTORY -------- - -The MIT Kerberos 5 implementation was developed at MIT, with -contributions from many outside parties. It is currently maintained -by the MIT Kerberos Consortium. - -RESTRICTIONS ------------- - -Copyright 1985, 1986, 1989-1996, 2002, 2011, 2018 Masachusetts -Institute of Technology |