Diffstat (limited to 'crypto/krb5/doc/pdf/user.tex')
-rw-r--r-- | crypto/krb5/doc/pdf/user.tex | 2456 |
1 files changed, 0 insertions, 2456 deletions
diff --git a/crypto/krb5/doc/pdf/user.tex b/crypto/krb5/doc/pdf/user.tex deleted file mode 100644 index 38d9d91bc98a..000000000000 --- a/crypto/krb5/doc/pdf/user.tex +++ /dev/null 
@@ -1,2456 +0,0 @@ -%% Generated by Sphinx. -\def\sphinxdocclass{report} -\documentclass[letterpaper,10pt,english]{sphinxmanual} -\ifdefined\pdfpxdimen - \let\sphinxpxdimen\pdfpxdimen\else\newdimen\sphinxpxdimen -\fi \sphinxpxdimen=.75bp\relax -\ifdefined\pdfimageresolution - \pdfimageresolution= \numexpr \dimexpr1in\relax/\sphinxpxdimen\relax -\fi -%% let collapsible pdf bookmarks panel have high depth per default -\PassOptionsToPackage{bookmarksdepth=5}{hyperref} - -\PassOptionsToPackage{warn}{textcomp} -\usepackage[utf8]{inputenc} -\ifdefined\DeclareUnicodeCharacter -% support both utf8 and utf8x syntaxes - \ifdefined\DeclareUnicodeCharacterAsOptional - \def\sphinxDUC#1{\DeclareUnicodeCharacter{"#1}} - \else - \let\sphinxDUC\DeclareUnicodeCharacter - \fi - \sphinxDUC{00A0}{\nobreakspace} - \sphinxDUC{2500}{\sphinxunichar{2500}} - \sphinxDUC{2502}{\sphinxunichar{2502}} - \sphinxDUC{2514}{\sphinxunichar{2514}} - \sphinxDUC{251C}{\sphinxunichar{251C}} - \sphinxDUC{2572}{\textbackslash} -\fi -\usepackage{cmap} -\usepackage[T1]{fontenc} -\usepackage{amsmath,amssymb,amstext} -\usepackage{babel} - - - -\usepackage{tgtermes} -\usepackage{tgheros} -\renewcommand{\ttdefault}{txtt} - - - -\usepackage[Bjarne]{fncychap} -\usepackage{sphinx} - -\fvset{fontsize=auto} -\usepackage{geometry} - - -% Include hyperref last. -\usepackage{hyperref} -% Fix anchor placement for figures with captions. -\usepackage{hypcap}% it must be loaded after hyperref. -% Set up styles of URL: it should be placed after hyperref. 
-\urlstyle{same} - - -\usepackage{sphinxmessages} -\setcounter{tocdepth}{1} - - - -\title{Kerberos User Guide} -\date{ } -\release{1.21.3} -\author{MIT} -\newcommand{\sphinxlogo}{\vbox{}} -\renewcommand{\releasename}{Release} -\makeindex -\begin{document} - -\pagestyle{empty} -\sphinxmaketitle -\pagestyle{plain} -\sphinxtableofcontents -\pagestyle{normal} -\phantomsection\label{\detokenize{user/index::doc}} - - - -\chapter{Password management} -\label{\detokenize{user/pwd_mgmt:password-management}}\label{\detokenize{user/pwd_mgmt::doc}} -\sphinxAtStartPar -Your password is the only way Kerberos has of verifying your identity. -If someone finds out your password, that person can masquerade as -you—send email that comes from you, read, edit, or delete your files, -or log into other hosts as you—and no one will be able to tell the -difference. For this reason, it is important that you choose a good -password, and keep it secret. If you need to give access to your -account to someone else, you can do so through Kerberos (see -{\hyperref[\detokenize{user/pwd_mgmt:grant-access}]{\sphinxcrossref{\DUrole{std,std-ref}{Granting access to your account}}}}). You should never tell your password to anyone, -including your system administrator, for any reason. You should -change your password frequently, particularly any time you think -someone may have found out what it is. - - -\section{Changing your password} -\label{\detokenize{user/pwd_mgmt:changing-your-password}} -\sphinxAtStartPar -To change your Kerberos password, use the {\hyperref[\detokenize{user/user_commands/kpasswd:kpasswd-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kpasswd}}}} command. -It will ask you for your old password (to prevent someone else from -walking up to your computer when you’re not there and changing your -password), and then prompt you for the new one twice. (The reason you -have to type it twice is to make sure you have typed it correctly.) 
-For example, user \sphinxcode{\sphinxupquote{david}} would do the following: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kpasswd} -\PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{your} \PYG{n}{old} \PYG{n}{password}\PYG{o}{.} -\PYG{n}{Enter} \PYG{n}{new} \PYG{n}{password}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{your} \PYG{n}{new} \PYG{n}{password}\PYG{o}{.} -\PYG{n}{Enter} \PYG{n}{it} \PYG{n}{again}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{new} \PYG{n}{password} \PYG{n}{again}\PYG{o}{.} -\PYG{n}{Password} \PYG{n}{changed}\PYG{o}{.} -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} -\end{sphinxVerbatim} - -\sphinxAtStartPar -If \sphinxcode{\sphinxupquote{david}} typed the incorrect old password, he would get the -following message: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kpasswd} -\PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{incorrect} \PYG{n}{old} \PYG{n}{password}\PYG{o}{.} -\PYG{n}{kpasswd}\PYG{p}{:} \PYG{n}{Password} \PYG{n}{incorrect} \PYG{k}{while} \PYG{n}{getting} \PYG{n}{initial} \PYG{n}{ticket} -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} -\end{sphinxVerbatim} - -\sphinxAtStartPar -If you make a mistake and don’t type the new password the same way -twice, kpasswd will ask you to try again: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kpasswd} -\PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{old} \PYG{n}{password}\PYG{o}{.} -\PYG{n}{Enter} \PYG{n}{new} \PYG{n}{password}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{new} \PYG{n}{password}\PYG{o}{.} -\PYG{n}{Enter} \PYG{n}{it} \PYG{n}{again}\PYG{p}{:} 
\PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}} \PYG{n}{Type} \PYG{n}{a} \PYG{n}{different} \PYG{n}{new} \PYG{n}{password}\PYG{o}{.} -\PYG{n}{kpasswd}\PYG{p}{:} \PYG{n}{Password} \PYG{n}{mismatch} \PYG{k}{while} \PYG{n}{reading} \PYG{n}{password} -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} -\end{sphinxVerbatim} - -\sphinxAtStartPar -Once you change your password, it takes some time for the change to -propagate through the system. Depending on how your system is set up, -this might be anywhere from a few minutes to an hour or more. If you -need to get new Kerberos tickets shortly after changing your password, -try the new password. If the new password doesn’t work, try again -using the old one. - - -\section{Granting access to your account} -\label{\detokenize{user/pwd_mgmt:granting-access-to-your-account}}\label{\detokenize{user/pwd_mgmt:grant-access}} -\sphinxAtStartPar -If you need to give someone access to log into your account, you can -do so through Kerberos, without telling the person your password. -Simply create a file called {\hyperref[\detokenize{user/user_config/k5login:k5login-5}]{\sphinxcrossref{\DUrole{std,std-ref}{.k5login}}}} in your home directory. -This file should contain the Kerberos principal of each person to whom -you wish to give access. Each principal must be on a separate line. -Here is a sample .k5login file: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} -\PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} -\end{sphinxVerbatim} - -\sphinxAtStartPar -This file would allow the users \sphinxcode{\sphinxupquote{jennifer}} and \sphinxcode{\sphinxupquote{david}} to use your -user ID, provided that they had Kerberos tickets in their respective -realms. If you will be logging into other hosts across a network, you -will want to include your own Kerberos principal in your .k5login file -on each of these hosts. 
- -\sphinxAtStartPar -Using a .k5login file is much safer than giving out your password, -because: -\begin{itemize} -\item {} -\sphinxAtStartPar -You can take access away any time simply by removing the principal -from your .k5login file. - -\item {} -\sphinxAtStartPar -Although the user has full access to your account on one particular -host (or set of hosts if your .k5login file is shared, e.g., over -NFS), that user does not inherit your network privileges. - -\item {} -\sphinxAtStartPar -Kerberos keeps a log of who obtains tickets, so a system -administrator could find out, if necessary, who was capable of using -your user ID at a particular time. - -\end{itemize} - -\sphinxAtStartPar -One common application is to have a .k5login file in root’s home -directory, giving root access to that machine to the Kerberos -principals listed. This allows system administrators to allow users -to become root locally, or to log in remotely as root, without their -having to give out the root password, and without anyone having to -type the root password over the network. - - -\section{Password quality verification} -\label{\detokenize{user/pwd_mgmt:password-quality-verification}} -\sphinxAtStartPar -TODO - - -\chapter{Ticket management} -\label{\detokenize{user/tkt_mgmt:ticket-management}}\label{\detokenize{user/tkt_mgmt::doc}} -\sphinxAtStartPar -On many systems, Kerberos is built into the login program, and you get -tickets automatically when you log in. Other programs, such as ssh, -can forward copies of your tickets to a remote host. Most of these -programs also automatically destroy your tickets when they exit. -However, MIT recommends that you explicitly destroy your Kerberos -tickets when you are through with them, just to be sure. One way to -help ensure that this happens is to add the {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}} command -to your .logout file. 
Additionally, if you are going to be away from -your machine and are concerned about an intruder using your -permissions, it is safest to either destroy all copies of your -tickets, or use a screensaver that locks the screen. - - -\section{Kerberos ticket properties} -\label{\detokenize{user/tkt_mgmt:kerberos-ticket-properties}} -\sphinxAtStartPar -There are various properties that Kerberos tickets can have: - -\sphinxAtStartPar -If a ticket is \sphinxstylestrong{forwardable}, then the KDC can issue a new ticket -(with a different network address, if necessary) based on the -forwardable ticket. This allows for authentication forwarding without -requiring a password to be typed in again. For example, if a user -with a forwardable TGT logs into a remote system, the KDC could issue -a new TGT for that user with the network address of the remote system, -allowing authentication on that host to work as though the user were -logged in locally. - -\sphinxAtStartPar -When the KDC creates a new ticket based on a forwardable ticket, it -sets the \sphinxstylestrong{forwarded} flag on that new ticket. Any tickets that are -created based on a ticket with the forwarded flag set will also have -their forwarded flags set. - -\sphinxAtStartPar -A \sphinxstylestrong{proxiable} ticket is similar to a forwardable ticket in that it -allows a service to take on the identity of the client. Unlike a -forwardable ticket, however, a proxiable ticket is only issued for -specific services. In other words, a ticket\sphinxhyphen{}granting ticket cannot be -issued based on a ticket that is proxiable but not forwardable. - -\sphinxAtStartPar -A \sphinxstylestrong{proxy} ticket is one that was issued based on a proxiable ticket. - -\sphinxAtStartPar -A \sphinxstylestrong{postdated} ticket is issued with the invalid flag set. After the -starting time listed on the ticket, it can be presented to the KDC to -obtain valid tickets. 
- -\sphinxAtStartPar -Ticket\sphinxhyphen{}granting tickets with the \sphinxstylestrong{postdateable} flag set can be used -to obtain postdated service tickets. - -\sphinxAtStartPar -\sphinxstylestrong{Renewable} tickets can be used to obtain new session keys without -the user entering their password again. A renewable ticket has two -expiration times. The first is the time at which this particular -ticket expires. The second is the latest possible expiration time for -any ticket issued based on this renewable ticket. - -\sphinxAtStartPar -A ticket with the \sphinxstylestrong{initial flag} set was issued based on the -authentication protocol, and not on a ticket\sphinxhyphen{}granting ticket. -Application servers that wish to ensure that the user’s key has been -recently presented for verification could specify that this flag must -be set to accept the ticket. - -\sphinxAtStartPar -An \sphinxstylestrong{invalid} ticket must be rejected by application servers. -Postdated tickets are usually issued with this flag set, and must be -validated by the KDC before they can be used. - -\sphinxAtStartPar -A \sphinxstylestrong{preauthenticated} ticket is one that was only issued after the -client requesting the ticket had authenticated itself to the KDC. - -\sphinxAtStartPar -The \sphinxstylestrong{hardware authentication} flag is set on a ticket which required -the use of hardware for authentication. The hardware is expected to -be possessed only by the client which requested the tickets. - -\sphinxAtStartPar -If a ticket has the \sphinxstylestrong{transit policy} checked flag set, then the KDC -that issued this ticket implements the transited\sphinxhyphen{}realm check policy -and checked the transited\sphinxhyphen{}realms list on the ticket. The -transited\sphinxhyphen{}realms list contains a list of all intermediate realms -between the realm of the KDC that issued the first ticket and that of -the one that issued the current ticket. 
If this flag is not set, then -the application server must check the transited realms itself or else -reject the ticket. - -\sphinxAtStartPar -The \sphinxstylestrong{okay as delegate} flag indicates that the server specified in -the ticket is suitable as a delegate as determined by the policy of -that realm. Some client applications may use this flag to decide -whether to forward tickets to a remote host, although many -applications do not honor it. - -\sphinxAtStartPar -An \sphinxstylestrong{anonymous} ticket is one in which the named principal is a -generic principal for that realm; it does not actually specify the -individual that will be using the ticket. This ticket is meant only -to securely distribute a session key. - - -\section{Obtaining tickets with kinit} -\label{\detokenize{user/tkt_mgmt:obtaining-tickets-with-kinit}}\label{\detokenize{user/tkt_mgmt:obtain-tkt}} -\sphinxAtStartPar -If your site has integrated Kerberos V5 with the login system, you -will get Kerberos tickets automatically when you log in. Otherwise, -you may need to explicitly obtain your Kerberos tickets, using the -{\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}} program. Similarly, if your Kerberos tickets expire, -use the kinit program to obtain new ones. - -\sphinxAtStartPar -To use the kinit program, simply type \sphinxcode{\sphinxupquote{kinit}} and then type your -password at the prompt. For example, Jennifer (whose username is -\sphinxcode{\sphinxupquote{jennifer}}) works for Bleep, Inc. (a fictitious company with the -domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU). 
She would -type: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} -\PYG{n}{Password} \PYG{k}{for} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{jennifer}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{s password here.]} -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} -\end{sphinxVerbatim} - -\sphinxAtStartPar -If you type your password incorrectly, kinit will give you the -following error message: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} -\PYG{n}{Password} \PYG{k}{for} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{the} \PYG{n}{wrong} \PYG{n}{password} \PYG{n}{here}\PYG{o}{.}\PYG{p}{]} -\PYG{n}{kinit}\PYG{p}{:} \PYG{n}{Password} \PYG{n}{incorrect} -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} -\end{sphinxVerbatim} - -\sphinxAtStartPar -and you won’t get Kerberos tickets. - -\sphinxAtStartPar -By default, kinit assumes you want tickets for your own username in -your default realm. Suppose Jennifer’s friend David is visiting, and -he wants to borrow a window to check his mail. David needs to get -tickets for himself in his own realm, EXAMPLE.COM. He would type: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} -\PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{david}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{s password here.]} -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} -\end{sphinxVerbatim} - -\sphinxAtStartPar -David would then have tickets which he could use to log onto his own -machine. 
Note that he typed his password locally on Jennifer’s -machine, but it never went over the network. Kerberos on the local -host performed the authentication to the KDC in the other realm. - -\sphinxAtStartPar -If you want to be able to forward your tickets to another host, you -need to request forwardable tickets. You do this by specifying the -\sphinxstylestrong{\sphinxhyphen{}f} option: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{f} -\PYG{n}{Password} \PYG{k}{for} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{your} \PYG{n}{password} \PYG{n}{here}\PYG{o}{.}\PYG{p}{]} -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} -\end{sphinxVerbatim} - -\sphinxAtStartPar -Note that kinit does not tell you that it obtained forwardable -tickets; you can verify this using the {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}} command (see -{\hyperref[\detokenize{user/tkt_mgmt:view-tkt}]{\sphinxcrossref{\DUrole{std,std-ref}{Viewing tickets with klist}}}}). - -\sphinxAtStartPar -Normally, your tickets are good for your system’s default ticket -lifetime, which is ten hours on many systems. You can specify a -different ticket lifetime with the \sphinxstylestrong{\sphinxhyphen{}l} option. Add the letter -\sphinxstylestrong{s} to the value for seconds, \sphinxstylestrong{m} for minutes, \sphinxstylestrong{h} for hours, or -\sphinxstylestrong{d} for days. 
For example, to obtain forwardable tickets for -\sphinxcode{\sphinxupquote{david@EXAMPLE.COM}} that would be good for three hours, you would -type: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{\PYGZhy{}}\PYG{n}{l} \PYG{l+m+mi}{3}\PYG{n}{h} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} -\PYG{n}{Password} \PYG{k}{for} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{p}{[}\PYG{n}{Type} \PYG{n}{david}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{s password here.]} -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} -\end{sphinxVerbatim} - -\begin{sphinxadmonition}{note}{Note:} -\sphinxAtStartPar -You cannot mix units; specifying a lifetime of 3h30m would -result in an error. Note also that most systems specify a -maximum ticket lifetime. If you request a longer ticket -lifetime, it will be automatically truncated to the maximum -lifetime. -\end{sphinxadmonition} - - -\section{Viewing tickets with klist} -\label{\detokenize{user/tkt_mgmt:viewing-tickets-with-klist}}\label{\detokenize{user/tkt_mgmt:view-tkt}} -\sphinxAtStartPar -The {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}} command shows your tickets. When you first obtain -tickets, you will have only the ticket\sphinxhyphen{}granting ticket. 
The listing -would look like this: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist} -\PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}ttypa} -\PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} - -\PYG{n}{Valid} \PYG{n}{starting} \PYG{n}{Expires} \PYG{n}{Service} \PYG{n}{principal} -\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{21} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} -\end{sphinxVerbatim} - -\sphinxAtStartPar -The ticket cache is the location of your ticket file. In the above -example, this file is named \sphinxcode{\sphinxupquote{/tmp/krb5cc\_ttypa}}. The default -principal is your Kerberos principal. - -\sphinxAtStartPar -The “valid starting” and “expires” fields describe the period of time -during which the ticket is valid. The “service principal” describes -each ticket. The ticket\sphinxhyphen{}granting ticket has a first component -\sphinxcode{\sphinxupquote{krbtgt}}, and a second component which is the realm name. 
- -\sphinxAtStartPar -Now, if \sphinxcode{\sphinxupquote{jennifer}} connected to the machine \sphinxcode{\sphinxupquote{daffodil.mit.edu}}, -and then typed “klist” again, she would have gotten the following -result: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist} -\PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}ttypa} -\PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} - -\PYG{n}{Valid} \PYG{n}{starting} \PYG{n}{Expires} \PYG{n}{Service} \PYG{n}{principal} -\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{21} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} -\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{22}\PYG{p}{:}\PYG{l+m+mi}{30} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} -\end{sphinxVerbatim} - -\sphinxAtStartPar -Here’s what happened: when \sphinxcode{\sphinxupquote{jennifer}} used ssh to connect to the -host \sphinxcode{\sphinxupquote{daffodil.mit.edu}}, the ssh program presented her -ticket\sphinxhyphen{}granting ticket to the KDC and requested a host ticket for the -host \sphinxcode{\sphinxupquote{daffodil.mit.edu}}. 
The KDC sent the host ticket, which ssh -then presented to the host \sphinxcode{\sphinxupquote{daffodil.mit.edu}}, and she was allowed -to log in without typing her password. - -\sphinxAtStartPar -Suppose your Kerberos tickets allow you to log into a host in another -domain, such as \sphinxcode{\sphinxupquote{trillium.example.com}}, which is also in another -Kerberos realm, \sphinxcode{\sphinxupquote{EXAMPLE.COM}}. If you ssh to this host, you will -receive a ticket\sphinxhyphen{}granting ticket for the realm \sphinxcode{\sphinxupquote{EXAMPLE.COM}}, plus -the new host ticket for \sphinxcode{\sphinxupquote{trillium.example.com}}. klist will now -show: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist} -\PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}ttypa} -\PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} - -\PYG{n}{Valid} \PYG{n}{starting} \PYG{n}{Expires} \PYG{n}{Service} \PYG{n}{principal} -\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{21} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} -\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{22}\PYG{p}{:}\PYG{l+m+mi}{30} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} -\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} 
\PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{24}\PYG{p}{:}\PYG{l+m+mi}{18} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} -\PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{20}\PYG{p}{:}\PYG{l+m+mi}{24}\PYG{p}{:}\PYG{l+m+mi}{18} \PYG{l+m+mi}{06}\PYG{o}{/}\PYG{l+m+mi}{08}\PYG{o}{/}\PYG{l+m+mi}{04} \PYG{l+m+mi}{05}\PYG{p}{:}\PYG{l+m+mi}{49}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{host}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} -\end{sphinxVerbatim} - -\sphinxAtStartPar -Depending on your host’s and realm’s configuration, you may also see a -ticket with the service principal \sphinxcode{\sphinxupquote{host/trillium.example.com@}}. If -so, this means that your host did not know what realm -trillium.example.com is in, so it asked the \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} KDC for -a referral. The next time you connect to \sphinxcode{\sphinxupquote{trillium.example.com}}, -the odd\sphinxhyphen{}looking entry will be used to avoid needing to ask for a -referral again. - -\sphinxAtStartPar -You can use the \sphinxstylestrong{\sphinxhyphen{}f} option to view the flags that apply to your -tickets. 
The flags are: - - -\begin{savenotes}\sphinxattablestart -\centering -\begin{tabulary}{\linewidth}[t]{|T|T|} -\hline - -\sphinxAtStartPar -F -& -\sphinxAtStartPar -Forwardable -\\ -\hline -\sphinxAtStartPar -f -& -\sphinxAtStartPar -forwarded -\\ -\hline -\sphinxAtStartPar -P -& -\sphinxAtStartPar -Proxiable -\\ -\hline -\sphinxAtStartPar -p -& -\sphinxAtStartPar -proxy -\\ -\hline -\sphinxAtStartPar -D -& -\sphinxAtStartPar -postDateable -\\ -\hline -\sphinxAtStartPar -d -& -\sphinxAtStartPar -postdated -\\ -\hline -\sphinxAtStartPar -R -& -\sphinxAtStartPar -Renewable -\\ -\hline -\sphinxAtStartPar -I -& -\sphinxAtStartPar -Initial -\\ -\hline -\sphinxAtStartPar -i -& -\sphinxAtStartPar -invalid -\\ -\hline -\sphinxAtStartPar -H -& -\sphinxAtStartPar -Hardware authenticated -\\ -\hline -\sphinxAtStartPar -A -& -\sphinxAtStartPar -preAuthenticated -\\ -\hline -\sphinxAtStartPar -T -& -\sphinxAtStartPar -Transit policy checked -\\ -\hline -\sphinxAtStartPar -O -& -\sphinxAtStartPar -Okay as delegate -\\ -\hline -\sphinxAtStartPar -a -& -\sphinxAtStartPar -anonymous -\\ -\hline -\end{tabulary} -\par -\sphinxattableend\end{savenotes} - -\sphinxAtStartPar -Here is a sample listing. 
In this example, the user \sphinxstyleemphasis{jennifer} -obtained her initial tickets (\sphinxstylestrong{I}), which are forwardable (\sphinxstylestrong{F}) -and postdated (\sphinxstylestrong{d}) but not yet validated (\sphinxstylestrong{i}): - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist} \PYG{o}{\PYGZhy{}}\PYG{n}{f} -\PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}320} -\PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} - -\PYG{n}{Valid} \PYG{n}{starting} \PYG{n}{Expires} \PYG{n}{Service} \PYG{n}{principal} -\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{06}\PYG{p}{:}\PYG{l+m+mi}{25} \PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{19}\PYG{p}{:}\PYG{l+m+mi}{16}\PYG{p}{:}\PYG{l+m+mi}{25} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} - \PYG{n}{Flags}\PYG{p}{:} \PYG{n}{FdiI} -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} -\end{sphinxVerbatim} - -\sphinxAtStartPar -In the following example, the user \sphinxstyleemphasis{david}’s tickets were forwarded -(\sphinxstylestrong{f}) to this host from another host. 
The tickets are reforwardable -(\sphinxstylestrong{F}): - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{klist} \PYG{o}{\PYGZhy{}}\PYG{n}{f} -\PYG{n}{Ticket} \PYG{n}{cache}\PYG{p}{:} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5cc\PYGZus{}p11795} -\PYG{n}{Default} \PYG{n}{principal}\PYG{p}{:} \PYG{n}{david}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} - -\PYG{n}{Valid} \PYG{n}{starting} \PYG{n}{Expires} \PYG{n}{Service} \PYG{n}{principal} -\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{11}\PYG{p}{:}\PYG{l+m+mi}{52}\PYG{p}{:}\PYG{l+m+mi}{29} \PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{21}\PYG{p}{:}\PYG{l+m+mi}{11}\PYG{p}{:}\PYG{l+m+mi}{23} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} - \PYG{n}{Flags}\PYG{p}{:} \PYG{n}{Ff} -\PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{12}\PYG{p}{:}\PYG{l+m+mi}{03}\PYG{p}{:}\PYG{l+m+mi}{48} \PYG{l+m+mi}{07}\PYG{o}{/}\PYG{l+m+mi}{31}\PYG{o}{/}\PYG{l+m+mi}{05} \PYG{l+m+mi}{21}\PYG{p}{:}\PYG{l+m+mi}{11}\PYG{p}{:}\PYG{l+m+mi}{23} \PYG{n}{host}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} - \PYG{n}{Flags}\PYG{p}{:} \PYG{n}{Ff} -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} -\end{sphinxVerbatim} - - -\section{Destroying tickets with kdestroy} -\label{\detokenize{user/tkt_mgmt:destroying-tickets-with-kdestroy}} -\sphinxAtStartPar -Your Kerberos tickets are proof that you are indeed yourself, and -tickets could be stolen if someone gains access to a computer where -they are stored. If this happens, the person who has them can -masquerade as you until they expire. For this reason, you should -destroy your Kerberos tickets when you are away from your computer. - -\sphinxAtStartPar -Destroying your tickets is easy. 
Simply type kdestroy: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdestroy} -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} -\end{sphinxVerbatim} - -\sphinxAtStartPar -If {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}} fails to destroy your tickets, it will beep and -give an error message. For example, if kdestroy can’t find any -tickets to destroy, it will give the following message: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdestroy} -\PYG{n}{kdestroy}\PYG{p}{:} \PYG{n}{No} \PYG{n}{credentials} \PYG{n}{cache} \PYG{n}{file} \PYG{n}{found} \PYG{k}{while} \PYG{n}{destroying} \PYG{n}{cache} -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} -\end{sphinxVerbatim} - - -\chapter{User config files} -\label{\detokenize{user/user_config/index:user-config-files}}\label{\detokenize{user/user_config/index::doc}} -\sphinxAtStartPar -The following files in your home directory can be used to control the -behavior of Kerberos as it applies to your account (unless they have -been disabled by your host’s configuration): - - -\section{kerberos} -\label{\detokenize{user/user_config/kerberos:kerberos}}\label{\detokenize{user/user_config/kerberos:kerberos-7}}\label{\detokenize{user/user_config/kerberos::doc}} - -\subsection{DESCRIPTION} -\label{\detokenize{user/user_config/kerberos:description}} -\sphinxAtStartPar -The Kerberos system authenticates individual users in a network -environment. After authenticating yourself to Kerberos, you can use -Kerberos\sphinxhyphen{}enabled programs without having to present passwords or -certificates to those programs. 
- -\sphinxAtStartPar -If you receive the following response from {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}: - -\sphinxAtStartPar -kinit: Client not found in Kerberos database while getting initial -credentials - -\sphinxAtStartPar -you haven’t been registered as a Kerberos user. See your system -administrator. - -\sphinxAtStartPar -A Kerberos name usually contains three parts. The first is the -\sphinxstylestrong{primary}, which is usually a user’s or service’s name. The second -is the \sphinxstylestrong{instance}, which in the case of a user is usually null. -Some users may have privileged instances, however, such as \sphinxcode{\sphinxupquote{root}} or -\sphinxcode{\sphinxupquote{admin}}. In the case of a service, the instance is the fully -qualified name of the machine on which it runs; i.e. there can be an -ssh service running on the machine ABC (\sphinxhref{mailto:ssh/ABC@REALM}{ssh/ABC@REALM}), which is -different from the ssh service running on the machine XYZ -(\sphinxhref{mailto:ssh/XYZ@REALM}{ssh/XYZ@REALM}). The third part of a Kerberos name is the \sphinxstylestrong{realm}. -The realm corresponds to the Kerberos service providing authentication -for the principal. Realms are conventionally all\sphinxhyphen{}uppercase, and often -match the end of hostnames in the realm (for instance, host01.example.com -might be in realm EXAMPLE.COM). - -\sphinxAtStartPar -When writing a Kerberos name, the principal name is separated from the -instance (if not null) by a slash, and the realm (if not the local -realm) follows, preceded by an “@” sign. 
The following are examples -of valid Kerberos names: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{david} -\PYG{n}{jennifer}\PYG{o}{/}\PYG{n}{admin} -\PYG{n}{joeuser}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} -\PYG{n}{cbrown}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@FUBAR}\PYG{o}{.}\PYG{n}{ORG} -\end{sphinxVerbatim} - -\sphinxAtStartPar -When you authenticate yourself with Kerberos you get an initial -Kerberos \sphinxstylestrong{ticket}. (A Kerberos ticket is an encrypted protocol -message that provides authentication.) Kerberos uses this ticket for -network utilities such as ssh. The ticket transactions are done -transparently, so you don’t have to worry about their management. - -\sphinxAtStartPar -Note, however, that tickets expire. Administrators may configure more -privileged tickets, such as those with service or instance of \sphinxcode{\sphinxupquote{root}} -or \sphinxcode{\sphinxupquote{admin}}, to expire in a few minutes, while tickets that carry -more ordinary privileges may be good for several hours or a day. If -your login session extends beyond the time limit, you will have to -re\sphinxhyphen{}authenticate yourself to Kerberos to get new tickets using the -{\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}} command. - -\sphinxAtStartPar -Some tickets are \sphinxstylestrong{renewable} beyond their initial lifetime. This -means that \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}R}} can extend their lifetime without requiring -you to re\sphinxhyphen{}authenticate. - -\sphinxAtStartPar -If you wish to delete your local tickets, use the {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}} -command. - -\sphinxAtStartPar -Kerberos tickets can be forwarded. In order to forward tickets, you -must request \sphinxstylestrong{forwardable} tickets when you kinit. 
Once you have -forwardable tickets, most Kerberos programs have a command line option -to forward them to the remote host. This can be useful for, e.g., -running kinit on your local machine and then sshing into another to do -work. Note that this should not be done on untrusted machines since -they will then have your tickets. - - -\subsection{ENVIRONMENT VARIABLES} -\label{\detokenize{user/user_config/kerberos:environment-variables}} -\sphinxAtStartPar -Several environment variables affect the operation of Kerberos\sphinxhyphen{}enabled -programs. These include: -\begin{description} -\item[{\sphinxstylestrong{KRB5CCNAME}}] \leavevmode -\sphinxAtStartPar -Default name for the credentials cache file, in the form -\sphinxstyleemphasis{TYPE}:\sphinxstyleemphasis{residual}. The type of the default cache may determine -the availability of a cache collection. \sphinxcode{\sphinxupquote{FILE}} is not a -collection type; \sphinxcode{\sphinxupquote{KEYRING}}, \sphinxcode{\sphinxupquote{DIR}}, and \sphinxcode{\sphinxupquote{KCM}} are. - -\sphinxAtStartPar -If not set, the value of \sphinxstylestrong{default\_ccache\_name} from -configuration files (see \sphinxstylestrong{KRB5\_CONFIG}) will be used. If that -is also not set, the default \sphinxstyleemphasis{type} is \sphinxcode{\sphinxupquote{FILE}}, and the -\sphinxstyleemphasis{residual} is the path /tmp/krb5cc\_*uid*, where \sphinxstyleemphasis{uid} is the -decimal user ID of the user. - -\item[{\sphinxstylestrong{KRB5\_KTNAME}}] \leavevmode -\sphinxAtStartPar -Specifies the location of the default keytab file, in the form -\sphinxstyleemphasis{TYPE}:\sphinxstyleemphasis{residual}. If no \sphinxstyleemphasis{type} is present, the \sphinxstylestrong{FILE} type is -assumed and \sphinxstyleemphasis{residual} is the pathname of the keytab file. If -unset, \DUrole{xref,std,std-ref}{DEFKTNAME} will be used. 
- -\item[{\sphinxstylestrong{KRB5\_CONFIG}}] \leavevmode -\sphinxAtStartPar -Specifies the location of the Kerberos configuration file. The -default is \DUrole{xref,std,std-ref}{SYSCONFDIR}\sphinxcode{\sphinxupquote{/krb5.conf}}. Multiple filenames can -be specified, separated by a colon; all files which are present -will be read. - -\item[{\sphinxstylestrong{KRB5\_KDC\_PROFILE}}] \leavevmode -\sphinxAtStartPar -Specifies the location of the KDC configuration file, which -contains additional configuration directives for the Key -Distribution Center daemon and associated programs. The default -is \DUrole{xref,std,std-ref}{LOCALSTATEDIR}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kdc.conf}}. - -\item[{\sphinxstylestrong{KRB5RCACHENAME}}] \leavevmode -\sphinxAtStartPar -(New in release 1.18) Specifies the location of the default replay -cache, in the form \sphinxstyleemphasis{type}:\sphinxstyleemphasis{residual}. The \sphinxcode{\sphinxupquote{file2}} type with a -pathname residual specifies a replay cache file in the version\sphinxhyphen{}2 -format in the specified location. The \sphinxcode{\sphinxupquote{none}} type (residual is -ignored) disables the replay cache. The \sphinxcode{\sphinxupquote{dfl}} type (residual is -ignored) indicates the default, which uses a file2 replay cache in -a temporary directory. The default is \sphinxcode{\sphinxupquote{dfl:}}. - -\item[{\sphinxstylestrong{KRB5RCACHETYPE}}] \leavevmode -\sphinxAtStartPar -Specifies the type of the default replay cache, if -\sphinxstylestrong{KRB5RCACHENAME} is unspecified. No residual can be specified, -so \sphinxcode{\sphinxupquote{none}} and \sphinxcode{\sphinxupquote{dfl}} are the only useful types. - -\item[{\sphinxstylestrong{KRB5RCACHEDIR}}] \leavevmode -\sphinxAtStartPar -Specifies the directory used by the \sphinxcode{\sphinxupquote{dfl}} replay cache type. 
-The default is the value of the \sphinxstylestrong{TMPDIR} environment variable, -or \sphinxcode{\sphinxupquote{/var/tmp}} if \sphinxstylestrong{TMPDIR} is not set. - -\item[{\sphinxstylestrong{KRB5\_TRACE}}] \leavevmode -\sphinxAtStartPar -Specifies a filename to write trace log output to. Trace logs can -help illuminate decisions made internally by the Kerberos -libraries. For example, \sphinxcode{\sphinxupquote{env KRB5\_TRACE=/dev/stderr kinit}} -would send tracing information for {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}} to -\sphinxcode{\sphinxupquote{/dev/stderr}}. The default is not to write trace log output -anywhere. - -\item[{\sphinxstylestrong{KRB5\_CLIENT\_KTNAME}}] \leavevmode -\sphinxAtStartPar -Default client keytab file name. If unset, \DUrole{xref,std,std-ref}{DEFCKTNAME} will be -used). - -\item[{\sphinxstylestrong{KPROP\_PORT}}] \leavevmode -\sphinxAtStartPar -\DUrole{xref,std,std-ref}{kprop(8)} port to use. Defaults to 754. - -\item[{\sphinxstylestrong{GSS\_MECH\_CONFIG}}] \leavevmode -\sphinxAtStartPar -Specifies a filename containing GSSAPI mechanism module -configuration. The default is to read \DUrole{xref,std,std-ref}{SYSCONFDIR}\sphinxcode{\sphinxupquote{/gss/mech}} -and files with a \sphinxcode{\sphinxupquote{.conf}} suffix within the directory -\DUrole{xref,std,std-ref}{SYSCONFDIR}\sphinxcode{\sphinxupquote{/gss/mech.d}}. - -\end{description} - -\sphinxAtStartPar -Most environment variables are disabled for certain programs, such as -login system programs and setuid programs, which are designed to be -secure when run within an untrusted process environment. 
- - -\subsection{SEE ALSO} -\label{\detokenize{user/user_config/kerberos:see-also}} -\sphinxAtStartPar -{\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}}, -{\hyperref[\detokenize{user/user_commands/kswitch:kswitch-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kswitch}}}}, {\hyperref[\detokenize{user/user_commands/kpasswd:kpasswd-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kpasswd}}}}, {\hyperref[\detokenize{user/user_commands/ksu:ksu-1}]{\sphinxcrossref{\DUrole{std,std-ref}{ksu}}}}, -\DUrole{xref,std,std-ref}{krb5.conf(5)}, \DUrole{xref,std,std-ref}{kdc.conf(5)}, \DUrole{xref,std,std-ref}{kadmin(1)}, -\DUrole{xref,std,std-ref}{kadmind(8)}, \DUrole{xref,std,std-ref}{kdb5\_util(8)}, \DUrole{xref,std,std-ref}{krb5kdc(8)} - - -\subsection{BUGS} -\label{\detokenize{user/user_config/kerberos:bugs}} - -\subsection{AUTHORS} -\label{\detokenize{user/user_config/kerberos:authors}} -\begin{DUlineblock}{0em} -\item[] Steve Miller, MIT Project Athena/Digital Equipment Corporation -\item[] Clifford Neuman, MIT Project Athena -\item[] Greg Hudson, MIT Kerberos Consortium -\item[] Robbie Harwood, Red Hat, Inc. -\end{DUlineblock} - - -\subsection{HISTORY} -\label{\detokenize{user/user_config/kerberos:history}} -\sphinxAtStartPar -The MIT Kerberos 5 implementation was developed at MIT, with -contributions from many outside parties. It is currently maintained -by the MIT Kerberos Consortium. 
- - -\subsection{RESTRICTIONS} -\label{\detokenize{user/user_config/kerberos:restrictions}} -\sphinxAtStartPar -Copyright 1985, 1986, 1989\sphinxhyphen{}1996, 2002, 2011, 2018 Masachusetts -Institute of Technology - - -\section{.k5login} -\label{\detokenize{user/user_config/k5login:k5login}}\label{\detokenize{user/user_config/k5login:k5login-5}}\label{\detokenize{user/user_config/k5login::doc}} - -\subsection{DESCRIPTION} -\label{\detokenize{user/user_config/k5login:description}} -\sphinxAtStartPar -The .k5login file, which resides in a user’s home directory, contains -a list of the Kerberos principals. Anyone with valid tickets for a -principal in the file is allowed host access with the UID of the user -in whose home directory the file resides. One common use is to place -a .k5login file in root’s home directory, thereby granting system -administrators remote root access to the host via Kerberos. - - -\subsection{EXAMPLES} -\label{\detokenize{user/user_config/k5login:examples}} -\sphinxAtStartPar -Suppose the user \sphinxcode{\sphinxupquote{alice}} had a .k5login file in her home directory -containing just the following line: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{bob}\PYG{n+nd}{@FOOBAR}\PYG{o}{.}\PYG{n}{ORG} -\end{sphinxVerbatim} - -\sphinxAtStartPar -This would allow \sphinxcode{\sphinxupquote{bob}} to use Kerberos network applications, such as -ssh(1), to access \sphinxcode{\sphinxupquote{alice}}’s account, using \sphinxcode{\sphinxupquote{bob}}’s Kerberos -tickets. In a default configuration (with \sphinxstylestrong{k5login\_authoritative} set -to true in \DUrole{xref,std,std-ref}{krb5.conf(5)}), this .k5login file would not let -\sphinxcode{\sphinxupquote{alice}} use those network applications to access her account, since -she is not listed! 
With no .k5login file, or with \sphinxstylestrong{k5login\_authoritative} -set to false, a default rule would permit the principal \sphinxcode{\sphinxupquote{alice}} in the -machine’s default realm to access the \sphinxcode{\sphinxupquote{alice}} account. - -\sphinxAtStartPar -Let us further suppose that \sphinxcode{\sphinxupquote{alice}} is a system administrator. -Alice and the other system administrators would have their principals -in root’s .k5login file on each host: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{alice}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} - -\PYG{n}{joeadmin}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} -\end{sphinxVerbatim} - -\sphinxAtStartPar -This would allow either system administrator to log in to these hosts -using their Kerberos tickets instead of having to type the root -password. Note that because \sphinxcode{\sphinxupquote{bob}} retains the Kerberos tickets for -his own principal, \sphinxcode{\sphinxupquote{bob@FOOBAR.ORG}}, he would not have any of the -privileges that require \sphinxcode{\sphinxupquote{alice}}’s tickets, such as root access to -any of the site’s hosts, or the ability to change \sphinxcode{\sphinxupquote{alice}}’s -password. - - -\subsection{SEE ALSO} -\label{\detokenize{user/user_config/k5login:see-also}} -\sphinxAtStartPar -kerberos(1) - - -\section{.k5identity} -\label{\detokenize{user/user_config/k5identity:k5identity}}\label{\detokenize{user/user_config/k5identity:k5identity-5}}\label{\detokenize{user/user_config/k5identity::doc}} - -\subsection{DESCRIPTION} -\label{\detokenize{user/user_config/k5identity:description}} -\sphinxAtStartPar -The .k5identity file, which resides in a user’s home directory, -contains a list of rules for selecting a client principals based on -the server being accessed. These rules are used to choose a -credential cache within the cache collection when possible. 
- -\sphinxAtStartPar -Blank lines and lines beginning with \sphinxcode{\sphinxupquote{\#}} are ignored. Each line has -the form: -\begin{quote} - -\sphinxAtStartPar -\sphinxstyleemphasis{principal} \sphinxstyleemphasis{field}=\sphinxstyleemphasis{value} … -\end{quote} - -\sphinxAtStartPar -If the server principal meets all of the field constraints, then -principal is chosen as the client principal. The following fields are -recognized: -\begin{description} -\item[{\sphinxstylestrong{realm}}] \leavevmode -\sphinxAtStartPar -If the realm of the server principal is known, it is matched -against \sphinxstyleemphasis{value}, which may be a pattern using shell wildcards. -For host\sphinxhyphen{}based server principals, the realm will generally only be -known if there is a \DUrole{xref,std,std-ref}{domain\_realm} section in -\DUrole{xref,std,std-ref}{krb5.conf(5)} with a mapping for the hostname. - -\item[{\sphinxstylestrong{service}}] \leavevmode -\sphinxAtStartPar -If the server principal is a host\sphinxhyphen{}based principal, its service -component is matched against \sphinxstyleemphasis{value}, which may be a pattern using -shell wildcards. - -\item[{\sphinxstylestrong{host}}] \leavevmode -\sphinxAtStartPar -If the server principal is a host\sphinxhyphen{}based principal, its hostname -component is converted to lower case and matched against \sphinxstyleemphasis{value}, -which may be a pattern using shell wildcards. - -\sphinxAtStartPar -If the server principal matches the constraints of multiple lines -in the .k5identity file, the principal from the first matching -line is used. If no line matches, credentials will be selected -some other way, such as the realm heuristic or the current primary -cache. 
- -\end{description} - - -\subsection{EXAMPLE} -\label{\detokenize{user/user_config/k5identity:example}} -\sphinxAtStartPar -The following example .k5identity file selects the client principal -\sphinxcode{\sphinxupquote{alice@KRBTEST.COM}} if the server principal is within that realm, -the principal \sphinxcode{\sphinxupquote{alice/root@EXAMPLE.COM}} if the server host is within -a servers subdomain, and the principal \sphinxcode{\sphinxupquote{alice/mail@EXAMPLE.COM}} when -accessing the IMAP service on \sphinxcode{\sphinxupquote{mail.example.com}}: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{alice}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{realm}\PYG{o}{=}\PYG{n}{KRBTEST}\PYG{o}{.}\PYG{n}{COM} -\PYG{n}{alice}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{host}\PYG{o}{=}\PYG{o}{*}\PYG{o}{.}\PYG{n}{servers}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} -\PYG{n}{alice}\PYG{o}{/}\PYG{n}{mail}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{host}\PYG{o}{=}\PYG{n}{mail}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} \PYG{n}{service}\PYG{o}{=}\PYG{n}{imap} -\end{sphinxVerbatim} - - -\subsection{SEE ALSO} -\label{\detokenize{user/user_config/k5identity:see-also}} -\sphinxAtStartPar -kerberos(1), \DUrole{xref,std,std-ref}{krb5.conf(5)} - - -\chapter{User commands} -\label{\detokenize{user/user_commands/index:user-commands}}\label{\detokenize{user/user_commands/index:id1}}\label{\detokenize{user/user_commands/index::doc}} - -\section{kdestroy} -\label{\detokenize{user/user_commands/kdestroy:kdestroy}}\label{\detokenize{user/user_commands/kdestroy:kdestroy-1}}\label{\detokenize{user/user_commands/kdestroy::doc}} - -\subsection{SYNOPSIS} -\label{\detokenize{user/user_commands/kdestroy:synopsis}} -\sphinxAtStartPar -\sphinxstylestrong{kdestroy} -{[}\sphinxstylestrong{\sphinxhyphen{}A}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}q}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cache\_name}{]} 
-{[}\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{princ\_name}{]} - - -\subsection{DESCRIPTION} -\label{\detokenize{user/user_commands/kdestroy:description}} -\sphinxAtStartPar -The kdestroy utility destroys the user’s active Kerberos authorization -tickets by overwriting and deleting the credentials cache that -contains them. If the credentials cache is not specified, the default -credentials cache is destroyed. - - -\subsection{OPTIONS} -\label{\detokenize{user/user_commands/kdestroy:options}}\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}A}}] \leavevmode -\sphinxAtStartPar -Destroys all caches in the collection, if a cache collection is -available. May be used with the \sphinxstylestrong{\sphinxhyphen{}c} option to specify the -collection to be destroyed. - -\item[{\sphinxstylestrong{\sphinxhyphen{}q}}] \leavevmode -\sphinxAtStartPar -Run quietly. Normally kdestroy beeps if it fails to destroy the -user’s tickets. The \sphinxstylestrong{\sphinxhyphen{}q} flag suppresses this behavior. - -\item[{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cache\_name}}] \leavevmode -\sphinxAtStartPar -Use \sphinxstyleemphasis{cache\_name} as the credentials (ticket) cache name and -location; if this option is not used, the default cache name and -location are used. - -\sphinxAtStartPar -The default credentials cache may vary between systems. If the -\sphinxstylestrong{KRB5CCNAME} environment variable is set, its value is used to -name the default ticket cache. - -\item[{\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{princ\_name}}] \leavevmode -\sphinxAtStartPar -If a cache collection is available, destroy the cache for -\sphinxstyleemphasis{princ\_name} instead of the primary cache. May be used with the -\sphinxstylestrong{\sphinxhyphen{}c} option to specify the collection to be searched. 
- -\end{description} - - -\subsection{NOTE} -\label{\detokenize{user/user_commands/kdestroy:note}} -\sphinxAtStartPar -Most installations recommend that you place the kdestroy command in -your .logout file, so that your tickets are destroyed automatically -when you log out. - - -\subsection{ENVIRONMENT} -\label{\detokenize{user/user_commands/kdestroy:environment}} -\sphinxAtStartPar -See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment -variables. - - -\subsection{FILES} -\label{\detokenize{user/user_commands/kdestroy:files}}\begin{description} -\item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode -\sphinxAtStartPar -Default location of Kerberos 5 credentials cache - -\end{description} - - -\subsection{SEE ALSO} -\label{\detokenize{user/user_commands/kdestroy:see-also}} -\sphinxAtStartPar -{\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} - - -\section{kinit} -\label{\detokenize{user/user_commands/kinit:kinit}}\label{\detokenize{user/user_commands/kinit:kinit-1}}\label{\detokenize{user/user_commands/kinit::doc}} - -\subsection{SYNOPSIS} -\label{\detokenize{user/user_commands/kinit:synopsis}} -\sphinxAtStartPar -\sphinxstylestrong{kinit} -{[}\sphinxstylestrong{\sphinxhyphen{}V}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}l} \sphinxstyleemphasis{lifetime}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{start\_time}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{renewable\_life}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}p} | \sphinxhyphen{}\sphinxstylestrong{P}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}f} | \sphinxhyphen{}\sphinxstylestrong{F}{]} 
-{[}\sphinxstylestrong{\sphinxhyphen{}a}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}A}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}C}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}E}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}v}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}R}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}k} {[}\sphinxstylestrong{\sphinxhyphen{}i} | \sphinxhyphen{}\sphinxstylestrong{t} \sphinxstyleemphasis{keytab\_file}{]}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cache\_name}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}n}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}S} \sphinxstyleemphasis{service\_name}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}I} \sphinxstyleemphasis{input\_ccache}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}T} \sphinxstyleemphasis{armor\_ccache}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}X} \sphinxstyleemphasis{attribute}{[}=\sphinxstyleemphasis{value}{]}{]} -{[}\sphinxstylestrong{\textendash{}request\sphinxhyphen{}pac} | \sphinxstylestrong{\textendash{}no\sphinxhyphen{}request\sphinxhyphen{}pac}{]} -{[}\sphinxstyleemphasis{principal}{]} - - -\subsection{DESCRIPTION} -\label{\detokenize{user/user_commands/kinit:description}} -\sphinxAtStartPar -kinit obtains and caches an initial ticket\sphinxhyphen{}granting ticket for -\sphinxstyleemphasis{principal}. If \sphinxstyleemphasis{principal} is absent, kinit chooses an appropriate -principal name based on existing credential cache contents or the -local username of the user invoking kinit. Some options modify the -choice of principal name. - - -\subsection{OPTIONS} -\label{\detokenize{user/user_commands/kinit:options}}\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}V}}] \leavevmode -\sphinxAtStartPar -display verbose output. - -\item[{\sphinxstylestrong{\sphinxhyphen{}l} \sphinxstyleemphasis{lifetime}}] \leavevmode -\sphinxAtStartPar -(\DUrole{xref,std,std-ref}{duration} string.) Requests a ticket with the lifetime -\sphinxstyleemphasis{lifetime}. 
- -\sphinxAtStartPar -For example, \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}l 5:30}} or \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}l 5h30m}}. - -\sphinxAtStartPar -If the \sphinxstylestrong{\sphinxhyphen{}l} option is not specified, the default ticket lifetime -(configured by each site) is used. Specifying a ticket lifetime -longer than the maximum ticket lifetime (configured by each site) -will not override the configured maximum ticket lifetime. - -\item[{\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{start\_time}}] \leavevmode -\sphinxAtStartPar -(\DUrole{xref,std,std-ref}{duration} string.) Requests a postdated ticket. Postdated -tickets are issued with the \sphinxstylestrong{invalid} flag set, and need to be -resubmitted to the KDC for validation before use. - -\sphinxAtStartPar -\sphinxstyleemphasis{start\_time} specifies the duration of the delay before the ticket -can become valid. - -\item[{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{renewable\_life}}] \leavevmode -\sphinxAtStartPar -(\DUrole{xref,std,std-ref}{duration} string.) Requests renewable tickets, with a total -lifetime of \sphinxstyleemphasis{renewable\_life}. - -\item[{\sphinxstylestrong{\sphinxhyphen{}f}}] \leavevmode -\sphinxAtStartPar -requests forwardable tickets. - -\item[{\sphinxstylestrong{\sphinxhyphen{}F}}] \leavevmode -\sphinxAtStartPar -requests non\sphinxhyphen{}forwardable tickets. - -\item[{\sphinxstylestrong{\sphinxhyphen{}p}}] \leavevmode -\sphinxAtStartPar -requests proxiable tickets. - -\item[{\sphinxstylestrong{\sphinxhyphen{}P}}] \leavevmode -\sphinxAtStartPar -requests non\sphinxhyphen{}proxiable tickets. - -\item[{\sphinxstylestrong{\sphinxhyphen{}a}}] \leavevmode -\sphinxAtStartPar -requests tickets restricted to the host’s local address{[}es{]}. - -\item[{\sphinxstylestrong{\sphinxhyphen{}A}}] \leavevmode -\sphinxAtStartPar -requests tickets not restricted by address. 
- -\item[{\sphinxstylestrong{\sphinxhyphen{}C}}] \leavevmode -\sphinxAtStartPar -requests canonicalization of the principal name, and allows the -KDC to reply with a different client principal from the one -requested. - -\item[{\sphinxstylestrong{\sphinxhyphen{}E}}] \leavevmode -\sphinxAtStartPar -treats the principal name as an enterprise name. - -\item[{\sphinxstylestrong{\sphinxhyphen{}v}}] \leavevmode -\sphinxAtStartPar -requests that the ticket\sphinxhyphen{}granting ticket in the cache (with the -\sphinxstylestrong{invalid} flag set) be passed to the KDC for validation. If the -ticket is within its requested time range, the cache is replaced -with the validated ticket. - -\item[{\sphinxstylestrong{\sphinxhyphen{}R}}] \leavevmode -\sphinxAtStartPar -requests renewal of the ticket\sphinxhyphen{}granting ticket. Note that an -expired ticket cannot be renewed, even if the ticket is still -within its renewable life. - -\sphinxAtStartPar -Note that renewable tickets that have expired as reported by -{\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}} may sometimes be renewed using this option, -because the KDC applies a grace period to account for client\sphinxhyphen{}KDC -clock skew. See \DUrole{xref,std,std-ref}{krb5.conf(5)} \sphinxstylestrong{clockskew} setting. - -\item[{\sphinxstylestrong{\sphinxhyphen{}k} {[}\sphinxstylestrong{\sphinxhyphen{}i} | \sphinxstylestrong{\sphinxhyphen{}t} \sphinxstyleemphasis{keytab\_file}{]}}] \leavevmode -\sphinxAtStartPar -requests a ticket, obtained from a key in the local host’s keytab. -The location of the keytab may be specified with the \sphinxstylestrong{\sphinxhyphen{}t} -\sphinxstyleemphasis{keytab\_file} option, or with the \sphinxstylestrong{\sphinxhyphen{}i} option to specify the use -of the default client keytab; otherwise the default keytab will be -used. By default, a host ticket for the local host is requested, -but any principal may be specified. 
On a KDC, the special keytab -location \sphinxcode{\sphinxupquote{KDB:}} can be used to indicate that kinit should open -the KDC database and look up the key directly. This permits an -administrator to obtain tickets as any principal that supports -authentication based on the key. - -\item[{\sphinxstylestrong{\sphinxhyphen{}n}}] \leavevmode -\sphinxAtStartPar -Requests anonymous processing. Two types of anonymous principals -are supported. - -\sphinxAtStartPar -For fully anonymous Kerberos, configure pkinit on the KDC and -configure \sphinxstylestrong{pkinit\_anchors} in the client’s \DUrole{xref,std,std-ref}{krb5.conf(5)}. -Then use the \sphinxstylestrong{\sphinxhyphen{}n} option with a principal of the form \sphinxcode{\sphinxupquote{@REALM}} -(an empty principal name followed by the at\sphinxhyphen{}sign and a realm -name). If permitted by the KDC, an anonymous ticket will be -returned. - -\sphinxAtStartPar -A second form of anonymous tickets is supported; these -realm\sphinxhyphen{}exposed tickets hide the identity of the client but not the -client’s realm. For this mode, use \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}n}} with a normal -principal name. If supported by the KDC, the principal (but not -realm) will be replaced by the anonymous principal. - -\sphinxAtStartPar -As of release 1.8, the MIT Kerberos KDC only supports fully -anonymous operation. - -\end{description} - -\sphinxAtStartPar -\sphinxstylestrong{\sphinxhyphen{}I} \sphinxstyleemphasis{input\_ccache} -\begin{quote} - -\sphinxAtStartPar -Specifies the name of a credentials cache that already contains a -ticket. When obtaining that ticket, if information about how that -ticket was obtained was also stored to the cache, that information -will be used to affect how new credentials are obtained, including -preselecting the same methods of authenticating to the KDC. 
-\end{quote} -\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}T} \sphinxstyleemphasis{armor\_ccache}}] \leavevmode -\sphinxAtStartPar -Specifies the name of a credentials cache that already contains a -ticket. If supported by the KDC, this cache will be used to armor -the request, preventing offline dictionary attacks and allowing -the use of additional preauthentication mechanisms. Armoring also -makes sure that the response from the KDC is not modified in -transit. - -\item[{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cache\_name}}] \leavevmode -\sphinxAtStartPar -use \sphinxstyleemphasis{cache\_name} as the Kerberos 5 credentials (ticket) cache -location. If this option is not used, the default cache location -is used. - -\sphinxAtStartPar -The default cache location may vary between systems. If the -\sphinxstylestrong{KRB5CCNAME} environment variable is set, its value is used to -locate the default cache. If a principal name is specified and -the type of the default cache supports a collection (such as the -DIR type), an existing cache containing credentials for the -principal is selected or a new one is created and becomes the new -primary cache. Otherwise, any existing contents of the default -cache are destroyed by kinit. - -\item[{\sphinxstylestrong{\sphinxhyphen{}S} \sphinxstyleemphasis{service\_name}}] \leavevmode -\sphinxAtStartPar -specify an alternate service name to use when getting initial -tickets. - -\item[{\sphinxstylestrong{\sphinxhyphen{}X} \sphinxstyleemphasis{attribute}{[}=\sphinxstyleemphasis{value}{]}}] \leavevmode -\sphinxAtStartPar -specify a pre\sphinxhyphen{}authentication \sphinxstyleemphasis{attribute} and \sphinxstyleemphasis{value} to be -interpreted by pre\sphinxhyphen{}authentication modules. The acceptable -attribute and value values vary from module to module. This -option may be specified multiple times to specify multiple -attributes. If no value is specified, it is assumed to be “yes”. 
- -\sphinxAtStartPar -The following attributes are recognized by the PKINIT -pre\sphinxhyphen{}authentication mechanism: -\begin{description} -\item[{\sphinxstylestrong{X509\_user\_identity}=\sphinxstyleemphasis{value}}] \leavevmode -\sphinxAtStartPar -specify where to find user’s X509 identity information - -\item[{\sphinxstylestrong{X509\_anchors}=\sphinxstyleemphasis{value}}] \leavevmode -\sphinxAtStartPar -specify where to find trusted X509 anchor information - -\item[{\sphinxstylestrong{flag\_RSA\_PROTOCOL}{[}\sphinxstylestrong{=yes}{]}}] \leavevmode -\sphinxAtStartPar -specify use of RSA, rather than the default Diffie\sphinxhyphen{}Hellman -protocol - -\item[{\sphinxstylestrong{disable\_freshness}{[}\sphinxstylestrong{=yes}{]}}] \leavevmode -\sphinxAtStartPar -disable sending freshness tokens (for testing purposes only) - -\end{description} - -\item[{\sphinxstylestrong{\textendash{}request\sphinxhyphen{}pac} | \sphinxstylestrong{\textendash{}no\sphinxhyphen{}request\sphinxhyphen{}pac}}] \leavevmode -\sphinxAtStartPar -mutually exclusive. If \sphinxstylestrong{\textendash{}request\sphinxhyphen{}pac} is set, ask the KDC to -include a PAC in authdata; if \sphinxstylestrong{\textendash{}no\sphinxhyphen{}request\sphinxhyphen{}pac} is set, ask the -KDC not to include a PAC; if neither are set, the KDC will follow -its default, which is typically is to include a PAC if doing so is -supported. - -\end{description} - - -\subsection{ENVIRONMENT} -\label{\detokenize{user/user_commands/kinit:environment}} -\sphinxAtStartPar -See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment -variables. 
- - -\subsection{FILES} -\label{\detokenize{user/user_commands/kinit:files}}\begin{description} -\item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode -\sphinxAtStartPar -default location of Kerberos 5 credentials cache - -\item[{\DUrole{xref,std,std-ref}{DEFKTNAME}}] \leavevmode -\sphinxAtStartPar -default location for the local host’s keytab. - -\end{description} - - -\subsection{SEE ALSO} -\label{\detokenize{user/user_commands/kinit:see-also}} -\sphinxAtStartPar -{\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} - - -\section{klist} -\label{\detokenize{user/user_commands/klist:klist}}\label{\detokenize{user/user_commands/klist:klist-1}}\label{\detokenize{user/user_commands/klist::doc}} - -\subsection{SYNOPSIS} -\label{\detokenize{user/user_commands/klist:synopsis}} -\sphinxAtStartPar -\sphinxstylestrong{klist} -{[}\sphinxstylestrong{\sphinxhyphen{}e}{]} -{[}{[}\sphinxstylestrong{\sphinxhyphen{}c}{]} {[}\sphinxstylestrong{\sphinxhyphen{}l}{]} {[}\sphinxstylestrong{\sphinxhyphen{}A}{]} {[}\sphinxstylestrong{\sphinxhyphen{}f}{]} {[}\sphinxstylestrong{\sphinxhyphen{}s}{]} {[}\sphinxstylestrong{\sphinxhyphen{}a} {[}\sphinxstylestrong{\sphinxhyphen{}n}{]}{]}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}C}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}k} {[}\sphinxstylestrong{\sphinxhyphen{}i}{]} {[}\sphinxstylestrong{\sphinxhyphen{}t}{]} {[}\sphinxstylestrong{\sphinxhyphen{}K}{]}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}V}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}d}{]} -{[}\sphinxstyleemphasis{cache\_name}|\sphinxstyleemphasis{keytab\_name}{]} - - -\subsection{DESCRIPTION} -\label{\detokenize{user/user_commands/klist:description}} -\sphinxAtStartPar -klist lists the Kerberos principal and 
Kerberos tickets held in a -credentials cache, or the keys held in a keytab file. - - -\subsection{OPTIONS} -\label{\detokenize{user/user_commands/klist:options}}\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}e}}] \leavevmode -\sphinxAtStartPar -Displays the encryption types of the session key and the ticket -for each credential in the credential cache, or each key in the -keytab file. - -\item[{\sphinxstylestrong{\sphinxhyphen{}l}}] \leavevmode -\sphinxAtStartPar -If a cache collection is available, displays a table summarizing -the caches present in the collection. - -\item[{\sphinxstylestrong{\sphinxhyphen{}A}}] \leavevmode -\sphinxAtStartPar -If a cache collection is available, displays the contents of all -of the caches in the collection. - -\item[{\sphinxstylestrong{\sphinxhyphen{}c}}] \leavevmode -\sphinxAtStartPar -List tickets held in a credentials cache. This is the default if -neither \sphinxstylestrong{\sphinxhyphen{}c} nor \sphinxstylestrong{\sphinxhyphen{}k} is specified. - -\item[{\sphinxstylestrong{\sphinxhyphen{}f}}] \leavevmode -\sphinxAtStartPar -Shows the flags present in the credentials, using the following -abbreviations: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{F} \PYG{n}{Forwardable} -\PYG{n}{f} \PYG{n}{forwarded} -\PYG{n}{P} \PYG{n}{Proxiable} -\PYG{n}{p} \PYG{n}{proxy} -\PYG{n}{D} \PYG{n}{postDateable} -\PYG{n}{d} \PYG{n}{postdated} -\PYG{n}{R} \PYG{n}{Renewable} -\PYG{n}{I} \PYG{n}{Initial} -\PYG{n}{i} \PYG{n}{invalid} -\PYG{n}{H} \PYG{n}{Hardware} \PYG{n}{authenticated} -\PYG{n}{A} \PYG{n}{preAuthenticated} -\PYG{n}{T} \PYG{n}{Transit} \PYG{n}{policy} \PYG{n}{checked} -\PYG{n}{O} \PYG{n}{Okay} \PYG{k}{as} \PYG{n}{delegate} -\PYG{n}{a} \PYG{n}{anonymous} -\end{sphinxVerbatim} - -\item[{\sphinxstylestrong{\sphinxhyphen{}s}}] \leavevmode -\sphinxAtStartPar -Causes klist to run silently (produce no output). 
klist will exit -with status 1 if the credentials cache cannot be read or is -expired, and with status 0 otherwise. - -\item[{\sphinxstylestrong{\sphinxhyphen{}a}}] \leavevmode -\sphinxAtStartPar -Display list of addresses in credentials. - -\item[{\sphinxstylestrong{\sphinxhyphen{}n}}] \leavevmode -\sphinxAtStartPar -Show numeric addresses instead of reverse\sphinxhyphen{}resolving addresses. - -\item[{\sphinxstylestrong{\sphinxhyphen{}C}}] \leavevmode -\sphinxAtStartPar -List configuration data that has been stored in the credentials -cache when klist encounters it. By default, configuration data -is not listed. - -\item[{\sphinxstylestrong{\sphinxhyphen{}k}}] \leavevmode -\sphinxAtStartPar -List keys held in a keytab file. - -\item[{\sphinxstylestrong{\sphinxhyphen{}i}}] \leavevmode -\sphinxAtStartPar -In combination with \sphinxstylestrong{\sphinxhyphen{}k}, defaults to using the default client -keytab instead of the default acceptor keytab, if no name is -given. - -\item[{\sphinxstylestrong{\sphinxhyphen{}t}}] \leavevmode -\sphinxAtStartPar -Display the time entry timestamps for each keytab entry in the -keytab file. - -\item[{\sphinxstylestrong{\sphinxhyphen{}K}}] \leavevmode -\sphinxAtStartPar -Display the value of the encryption key in each keytab entry in -the keytab file. - -\item[{\sphinxstylestrong{\sphinxhyphen{}d}}] \leavevmode -\sphinxAtStartPar -Display the authdata types (if any) for each entry. - -\item[{\sphinxstylestrong{\sphinxhyphen{}V}}] \leavevmode -\sphinxAtStartPar -Display the Kerberos version number and exit. - -\end{description} - -\sphinxAtStartPar -If \sphinxstyleemphasis{cache\_name} or \sphinxstyleemphasis{keytab\_name} is not specified, klist will display -the credentials in the default credentials cache or keytab file as -appropriate. If the \sphinxstylestrong{KRB5CCNAME} environment variable is set, its -value is used to locate the default ticket cache. 
- - -\subsection{ENVIRONMENT} -\label{\detokenize{user/user_commands/klist:environment}} -\sphinxAtStartPar -See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment -variables. - - -\subsection{FILES} -\label{\detokenize{user/user_commands/klist:files}}\begin{description} -\item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode -\sphinxAtStartPar -Default location of Kerberos 5 credentials cache - -\item[{\DUrole{xref,std,std-ref}{DEFKTNAME}}] \leavevmode -\sphinxAtStartPar -Default location for the local host’s keytab file. - -\end{description} - - -\subsection{SEE ALSO} -\label{\detokenize{user/user_commands/klist:see-also}} -\sphinxAtStartPar -{\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} - - -\section{kpasswd} -\label{\detokenize{user/user_commands/kpasswd:kpasswd}}\label{\detokenize{user/user_commands/kpasswd:kpasswd-1}}\label{\detokenize{user/user_commands/kpasswd::doc}} - -\subsection{SYNOPSIS} -\label{\detokenize{user/user_commands/kpasswd:synopsis}} -\sphinxAtStartPar -\sphinxstylestrong{kpasswd} {[}\sphinxstyleemphasis{principal}{]} - - -\subsection{DESCRIPTION} -\label{\detokenize{user/user_commands/kpasswd:description}} -\sphinxAtStartPar -The kpasswd command is used to change a Kerberos principal’s password. -kpasswd first prompts for the current Kerberos password, then prompts -the user twice for the new password, and the password is changed. - -\sphinxAtStartPar -If the principal is governed by a policy that specifies the length -and/or number of character classes required in the new password, the -new password must conform to the policy. 
(The five character classes -are lower case, upper case, numbers, punctuation, and all other -characters.) - - -\subsection{OPTIONS} -\label{\detokenize{user/user_commands/kpasswd:options}}\begin{description} -\item[{\sphinxstyleemphasis{principal}}] \leavevmode -\sphinxAtStartPar -Change the password for the Kerberos principal principal. -Otherwise, kpasswd uses the principal name from an existing ccache -if there is one; if not, the principal is derived from the -identity of the user invoking the kpasswd command. - -\end{description} - - -\subsection{ENVIRONMENT} -\label{\detokenize{user/user_commands/kpasswd:environment}} -\sphinxAtStartPar -See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment -variables. - - -\subsection{SEE ALSO} -\label{\detokenize{user/user_commands/kpasswd:see-also}} -\sphinxAtStartPar -\DUrole{xref,std,std-ref}{kadmin(1)}, \DUrole{xref,std,std-ref}{kadmind(8)}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} - - -\section{krb5\sphinxhyphen{}config} -\label{\detokenize{user/user_commands/krb5-config:krb5-config}}\label{\detokenize{user/user_commands/krb5-config:krb5-config-1}}\label{\detokenize{user/user_commands/krb5-config::doc}} - -\subsection{SYNOPSIS} -\label{\detokenize{user/user_commands/krb5-config:synopsis}} -\sphinxAtStartPar -\sphinxstylestrong{krb5\sphinxhyphen{}config} -{[}\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}help} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}all} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}version} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}vendor} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}prefix} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}exec\sphinxhyphen{}prefix} | 
\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}defccname} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}defktname} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}defcktname} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}cflags} | \sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}libs} {[}\sphinxstyleemphasis{libraries}{]}{]} - - -\subsection{DESCRIPTION} -\label{\detokenize{user/user_commands/krb5-config:description}} -\sphinxAtStartPar -krb5\sphinxhyphen{}config tells the application programmer what flags to use to compile -and link programs against the installed Kerberos libraries. - - -\subsection{OPTIONS} -\label{\detokenize{user/user_commands/krb5-config:options}}\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}help}}] \leavevmode -\sphinxAtStartPar -prints a usage message. This is the default behavior when no options -are specified. - -\item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}all}}] \leavevmode -\sphinxAtStartPar -prints the version, vendor, prefix, and exec\sphinxhyphen{}prefix. - -\item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}version}}] \leavevmode -\sphinxAtStartPar -prints the version number of the Kerberos installation. - -\item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}vendor}}] \leavevmode -\sphinxAtStartPar -prints the name of the vendor of the Kerberos installation. - -\item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}prefix}}] \leavevmode -\sphinxAtStartPar -prints the prefix for which the Kerberos installation was built. - -\item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}exec\sphinxhyphen{}prefix}}] \leavevmode -\sphinxAtStartPar -prints the prefix for executables for which the Kerberos installation -was built. 
- -\item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}defccname}}] \leavevmode -\sphinxAtStartPar -prints the built\sphinxhyphen{}in default credentials cache location. - -\item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}defktname}}] \leavevmode -\sphinxAtStartPar -prints the built\sphinxhyphen{}in default keytab location. - -\item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}defcktname}}] \leavevmode -\sphinxAtStartPar -prints the built\sphinxhyphen{}in default client (initiator) keytab location. - -\item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}cflags}}] \leavevmode -\sphinxAtStartPar -prints the compilation flags used to build the Kerberos installation. - -\item[{\sphinxstylestrong{\sphinxhyphen{}}\sphinxstylestrong{\sphinxhyphen{}libs} {[}\sphinxstyleemphasis{library}{]}}] \leavevmode -\sphinxAtStartPar -prints the compiler options needed to link against \sphinxstyleemphasis{library}. 
-Allowed values for \sphinxstyleemphasis{library} are: - - -\begin{savenotes}\sphinxattablestart -\centering -\begin{tabulary}{\linewidth}[t]{|T|T|} -\hline - -\sphinxAtStartPar -krb5 -& -\sphinxAtStartPar -Kerberos 5 applications (default) -\\ -\hline -\sphinxAtStartPar -gssapi -& -\sphinxAtStartPar -GSSAPI applications with Kerberos 5 bindings -\\ -\hline -\sphinxAtStartPar -kadm\sphinxhyphen{}client -& -\sphinxAtStartPar -Kadmin client -\\ -\hline -\sphinxAtStartPar -kadm\sphinxhyphen{}server -& -\sphinxAtStartPar -Kadmin server -\\ -\hline -\sphinxAtStartPar -kdb -& -\sphinxAtStartPar -Applications that access the Kerberos database -\\ -\hline -\end{tabulary} -\par -\sphinxattableend\end{savenotes} - -\end{description} - - -\subsection{EXAMPLES} -\label{\detokenize{user/user_commands/krb5-config:examples}} -\sphinxAtStartPar -krb5\sphinxhyphen{}config is particularly useful for compiling against a Kerberos -installation that was installed in a non\sphinxhyphen{}standard location. For example, -a Kerberos installation that is installed in \sphinxcode{\sphinxupquote{/opt/krb5/}} but uses -libraries in \sphinxcode{\sphinxupquote{/usr/local/lib/}} for text localization would produce -the following output: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{krb5}\PYG{o}{\PYGZhy{}}\PYG{n}{config} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{n}{libs} \PYG{n}{krb5} -\PYG{o}{\PYGZhy{}}\PYG{n}{L}\PYG{o}{/}\PYG{n}{opt}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{lib} \PYG{o}{\PYGZhy{}}\PYG{n}{Wl}\PYG{p}{,}\PYG{o}{\PYGZhy{}}\PYG{n}{rpath} \PYG{o}{\PYGZhy{}}\PYG{n}{Wl}\PYG{p}{,}\PYG{o}{/}\PYG{n}{opt}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{lib} \PYG{o}{\PYGZhy{}}\PYG{n}{L}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{lib} \PYG{o}{\PYGZhy{}}\PYG{n}{lkrb5} \PYG{o}{\PYGZhy{}}\PYG{n}{lk5crypto} \PYG{o}{\PYGZhy{}}\PYG{n}{lcom\PYGZus{}err} -\end{sphinxVerbatim} - - -\subsection{SEE ALSO} 
-\label{\detokenize{user/user_commands/krb5-config:see-also}} -\sphinxAtStartPar -{\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}, cc(1) - - -\section{ksu} -\label{\detokenize{user/user_commands/ksu:ksu}}\label{\detokenize{user/user_commands/ksu:ksu-1}}\label{\detokenize{user/user_commands/ksu::doc}} - -\subsection{SYNOPSIS} -\label{\detokenize{user/user_commands/ksu:synopsis}} -\sphinxAtStartPar -\sphinxstylestrong{ksu} -{[} \sphinxstyleemphasis{target\_user} {]} -{[} \sphinxstylestrong{\sphinxhyphen{}n} \sphinxstyleemphasis{target\_principal\_name} {]} -{[} \sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{source\_cache\_name} {]} -{[} \sphinxstylestrong{\sphinxhyphen{}k} {]} -{[} \sphinxstylestrong{\sphinxhyphen{}r} time {]} -{[} \sphinxstylestrong{\sphinxhyphen{}p} | \sphinxstylestrong{\sphinxhyphen{}P}{]} -{[} \sphinxstylestrong{\sphinxhyphen{}f} | \sphinxstylestrong{\sphinxhyphen{}F}{]} -{[} \sphinxstylestrong{\sphinxhyphen{}l} \sphinxstyleemphasis{lifetime} {]} -{[} \sphinxstylestrong{\sphinxhyphen{}z | Z} {]} -{[} \sphinxstylestrong{\sphinxhyphen{}q} {]} -{[} \sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{command} {[} args … {]} {]} {[} \sphinxstylestrong{\sphinxhyphen{}a} {[} args … {]} {]} - - -\subsection{REQUIREMENTS} -\label{\detokenize{user/user_commands/ksu:requirements}} -\sphinxAtStartPar -Must have Kerberos version 5 installed to compile ksu. Must have a -Kerberos version 5 server running to use ksu. - - -\subsection{DESCRIPTION} -\label{\detokenize{user/user_commands/ksu:description}} -\sphinxAtStartPar -ksu is a Kerberized version of the su program that has two missions: -one is to securely change the real and effective user ID to that of -the target user, and the other is to create a new security context. 
- -\begin{sphinxadmonition}{note}{Note:} -\sphinxAtStartPar -For the sake of clarity, all references to and attributes of -the user invoking the program will start with “source” -(e.g., “source user”, “source cache”, etc.). - -\sphinxAtStartPar -Likewise, all references to and attributes of the target -account will start with “target”. -\end{sphinxadmonition} - - -\subsection{AUTHENTICATION} -\label{\detokenize{user/user_commands/ksu:authentication}} -\sphinxAtStartPar -To fulfill the first mission, ksu operates in two phases: -authentication and authorization. Resolving the target principal name -is the first step in authentication. The user can either specify his -principal name with the \sphinxstylestrong{\sphinxhyphen{}n} option (e.g., \sphinxcode{\sphinxupquote{\sphinxhyphen{}n jqpublic@USC.EDU}}) -or a default principal name will be assigned using a heuristic -described in the OPTIONS section (see \sphinxstylestrong{\sphinxhyphen{}n} option). The target user -name must be the first argument to ksu; if not specified root is the -default. If \sphinxcode{\sphinxupquote{.}} is specified then the target user will be the -source user (e.g., \sphinxcode{\sphinxupquote{ksu .}}). If the source user is root or the -target user is the source user, no authentication or authorization -takes place. Otherwise, ksu looks for an appropriate Kerberos ticket -in the source cache. - -\sphinxAtStartPar -The ticket can either be for the end\sphinxhyphen{}server or a ticket granting -ticket (TGT) for the target principal’s realm. If the ticket for the -end\sphinxhyphen{}server is already in the cache, it’s decrypted and verified. If -it’s not in the cache but the TGT is, the TGT is used to obtain the -ticket for the end\sphinxhyphen{}server. The end\sphinxhyphen{}server ticket is then verified. 
-If neither ticket is in the cache, but ksu is compiled with the -\sphinxstylestrong{GET\_TGT\_VIA\_PASSWD} define, the user will be prompted for a -Kerberos password which will then be used to get a TGT. If the user -is logged in remotely and does not have a secure channel, the password -may be exposed. If neither ticket is in the cache and -\sphinxstylestrong{GET\_TGT\_VIA\_PASSWD} is not defined, authentication fails. - - -\subsection{AUTHORIZATION} -\label{\detokenize{user/user_commands/ksu:authorization}} -\sphinxAtStartPar -This section describes authorization of the source user when ksu is -invoked without the \sphinxstylestrong{\sphinxhyphen{}e} option. For a description of the \sphinxstylestrong{\sphinxhyphen{}e} -option, see the OPTIONS section. - -\sphinxAtStartPar -Upon successful authentication, ksu checks whether the target -principal is authorized to access the target account. In the target -user’s home directory, ksu attempts to access two authorization files: -{\hyperref[\detokenize{user/user_config/k5login:k5login-5}]{\sphinxcrossref{\DUrole{std,std-ref}{.k5login}}}} and .k5users. In the .k5login file each line -contains the name of a principal that is authorized to access the -account. - -\sphinxAtStartPar -For example: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{jqpublic}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU} -\PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{secure}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU} -\PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU} -\end{sphinxVerbatim} - -\sphinxAtStartPar -The format of .k5users is the same, except the principal name may be -followed by a list of commands that the principal is authorized to -execute (see the \sphinxstylestrong{\sphinxhyphen{}e} option in the OPTIONS section for details). - -\sphinxAtStartPar -Thus if the target principal name is found in the .k5login file the -source user is authorized to access the target account. Otherwise ksu -looks in the .k5users file. 
If the target principal name is found -without any trailing commands or followed only by \sphinxcode{\sphinxupquote{*}} then the -source user is authorized. If either .k5login or .k5users exist but -an appropriate entry for the target principal does not exist then -access is denied. If neither file exists then the principal will be -granted access to the account according to the aname\sphinxhyphen{}\textgreater{}lname mapping -rules. Otherwise, authorization fails. - - -\subsection{EXECUTION OF THE TARGET SHELL} -\label{\detokenize{user/user_commands/ksu:execution-of-the-target-shell}} -\sphinxAtStartPar -Upon successful authentication and authorization, ksu proceeds in a -similar fashion to su. The environment is unmodified with the -exception of USER, HOME and SHELL variables. If the target user is -not root, USER gets set to the target user name. Otherwise USER -remains unchanged. Both HOME and SHELL are set to the target login’s -default values. In addition, the environment variable \sphinxstylestrong{KRB5CCNAME} -gets set to the name of the target cache. The real and effective user -ID are changed to that of the target user. The target user’s shell is -then invoked (the shell name is specified in the password file). Upon -termination of the shell, ksu deletes the target cache (unless ksu is -invoked with the \sphinxstylestrong{\sphinxhyphen{}k} option). This is implemented by first doing a -fork and then an exec, instead of just exec, as done by su. - - -\subsection{CREATING A NEW SECURITY CONTEXT} -\label{\detokenize{user/user_commands/ksu:creating-a-new-security-context}} -\sphinxAtStartPar -ksu can be used to create a new security context for the target -program (either the target shell, or command specified via the \sphinxstylestrong{\sphinxhyphen{}e} -option). The target program inherits a set of credentials from the -source user. 
By default, this set includes all of the credentials in -the source cache plus any additional credentials obtained during -authentication. The source user is able to limit the credentials in -this set by using \sphinxstylestrong{\sphinxhyphen{}z} or \sphinxstylestrong{\sphinxhyphen{}Z} option. \sphinxstylestrong{\sphinxhyphen{}z} restricts the copy -of tickets from the source cache to the target cache to only the -tickets where client == the target principal name. The \sphinxstylestrong{\sphinxhyphen{}Z} option -provides the target user with a fresh target cache (no creds in the -cache). Note that for security reasons, when the source user is root -and target user is non\sphinxhyphen{}root, \sphinxstylestrong{\sphinxhyphen{}z} option is the default mode of -operation. - -\sphinxAtStartPar -While no authentication takes place if the source user is root or is -the same as the target user, additional tickets can still be obtained -for the target cache. If \sphinxstylestrong{\sphinxhyphen{}n} is specified and no credentials can -be copied to the target cache, the source user is prompted for a -Kerberos password (unless \sphinxstylestrong{\sphinxhyphen{}Z} specified or \sphinxstylestrong{GET\_TGT\_VIA\_PASSWD} -is undefined). If successful, a TGT is obtained from the Kerberos -server and stored in the target cache. Otherwise, if a password is -not provided (user hit return) ksu continues in a normal mode of -operation (the target cache will not contain the desired TGT). If the -wrong password is typed in, ksu fails. - -\begin{sphinxadmonition}{note}{Note:} -\sphinxAtStartPar -During authentication, only the tickets that could be -obtained without providing a password are cached in the -source cache. 
-\end{sphinxadmonition} - - -\subsection{OPTIONS} -\label{\detokenize{user/user_commands/ksu:options}}\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}n} \sphinxstyleemphasis{target\_principal\_name}}] \leavevmode -\sphinxAtStartPar -Specify a Kerberos target principal name. Used in authentication -and authorization phases of ksu. - -\sphinxAtStartPar -If ksu is invoked without \sphinxstylestrong{\sphinxhyphen{}n}, a default principal name is -assigned via the following heuristic: -\begin{itemize} -\item {} -\sphinxAtStartPar -Case 1: source user is non\sphinxhyphen{}root. - -\sphinxAtStartPar -If the target user is the source user the default principal name -is set to the default principal of the source cache. If the -cache does not exist then the default principal name is set to -\sphinxcode{\sphinxupquote{target\_user@local\_realm}}. If the source and target users are -different and neither \sphinxcode{\sphinxupquote{\textasciitilde{}target\_user/.k5users}} nor -\sphinxcode{\sphinxupquote{\textasciitilde{}target\_user/.k5login}} exist then the default principal name -is \sphinxcode{\sphinxupquote{target\_user\_login\_name@local\_realm}}. Otherwise, starting -with the first principal listed below, ksu checks if the -principal is authorized to access the target account and whether -there is a legitimate ticket for that principal in the source -cache. If both conditions are met that principal becomes the -default target principal, otherwise go to the next principal. -\begin{enumerate} -\sphinxsetlistlabels{\alph}{enumi}{enumii}{}{)}% -\item {} -\sphinxAtStartPar -default principal of the source cache - -\item {} -\sphinxAtStartPar -target\_user@local\_realm - -\item {} -\sphinxAtStartPar -source\_user@local\_realm - -\end{enumerate} - -\sphinxAtStartPar -If a\sphinxhyphen{}c fails try any principal for which there is a ticket in -the source cache and that is authorized to access the target -account. 
If that fails select the first principal that is -authorized to access the target account from the above list. If -none are authorized and ksu is configured with -\sphinxstylestrong{PRINC\_LOOK\_AHEAD} turned on, select the default principal as -follows: - -\sphinxAtStartPar -For each candidate in the above list, select an authorized -principal that has the same realm name and first part of the -principal name equal to the prefix of the candidate. For -example if candidate a) is \sphinxcode{\sphinxupquote{jqpublic@ISI.EDU}} and -\sphinxcode{\sphinxupquote{jqpublic/secure@ISI.EDU}} is authorized to access the target -account then the default principal is set to -\sphinxcode{\sphinxupquote{jqpublic/secure@ISI.EDU}}. - -\item {} -\sphinxAtStartPar -Case 2: source user is root. - -\sphinxAtStartPar -If the target user is non\sphinxhyphen{}root then the default principal name -is \sphinxcode{\sphinxupquote{target\_user@local\_realm}}. Else, if the source cache -exists the default principal name is set to the default -principal of the source cache. If the source cache does not -exist, default principal name is set to \sphinxcode{\sphinxupquote{root\textbackslash{}@local\_realm}}. - -\end{itemize} - -\end{description} - -\sphinxAtStartPar -\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{source\_cache\_name} -\begin{quote} - -\sphinxAtStartPar -Specify source cache name (e.g., \sphinxcode{\sphinxupquote{\sphinxhyphen{}c FILE:/tmp/my\_cache}}). If -\sphinxstylestrong{\sphinxhyphen{}c} option is not used then the name is obtained from -\sphinxstylestrong{KRB5CCNAME} environment variable. If \sphinxstylestrong{KRB5CCNAME} is not -defined the source cache name is set to \sphinxcode{\sphinxupquote{krb5cc\_\textless{}source uid\textgreater{}}}. -The target cache name is automatically set to \sphinxcode{\sphinxupquote{krb5cc\_\textless{}target -uid\textgreater{}.(gen\_sym())}}, where gen\_sym generates a new number such that -the resulting cache does not already exist. 
For example: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{krb5cc\PYGZus{}1984}\PYG{l+m+mf}{.2} -\end{sphinxVerbatim} -\end{quote} -\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}k}}] \leavevmode -\sphinxAtStartPar -Do not delete the target cache upon termination of the target -shell or a command (\sphinxstylestrong{\sphinxhyphen{}e} command). Without \sphinxstylestrong{\sphinxhyphen{}k}, ksu deletes -the target cache. - -\item[{\sphinxstylestrong{\sphinxhyphen{}z}}] \leavevmode -\sphinxAtStartPar -Restrict the copy of tickets from the source cache to the target -cache to only the tickets where client == the target principal -name. Use the \sphinxstylestrong{\sphinxhyphen{}n} option if you want the tickets for other then -the default principal. Note that the \sphinxstylestrong{\sphinxhyphen{}z} option is mutually -exclusive with the \sphinxstylestrong{\sphinxhyphen{}Z} option. - -\item[{\sphinxstylestrong{\sphinxhyphen{}Z}}] \leavevmode -\sphinxAtStartPar -Don’t copy any tickets from the source cache to the target cache. -Just create a fresh target cache, where the default principal name -of the cache is initialized to the target principal name. Note -that the \sphinxstylestrong{\sphinxhyphen{}Z} option is mutually exclusive with the \sphinxstylestrong{\sphinxhyphen{}z} -option. - -\item[{\sphinxstylestrong{\sphinxhyphen{}q}}] \leavevmode -\sphinxAtStartPar -Suppress the printing of status messages. 
- -\end{description} - -\sphinxAtStartPar -Ticket granting ticket options: -\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}l} \sphinxstyleemphasis{lifetime} \sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{time} \sphinxstylestrong{\sphinxhyphen{}p} \sphinxstylestrong{\sphinxhyphen{}P} \sphinxstylestrong{\sphinxhyphen{}f} \sphinxstylestrong{\sphinxhyphen{}F}}] \leavevmode -\sphinxAtStartPar -The ticket granting ticket options only apply to the case where -there are no appropriate tickets in the cache to authenticate the -source user. In this case if ksu is configured to prompt users -for a Kerberos password (\sphinxstylestrong{GET\_TGT\_VIA\_PASSWD} is defined), the -ticket granting ticket options that are specified will be used -when getting a ticket granting ticket from the Kerberos server. - -\item[{\sphinxstylestrong{\sphinxhyphen{}l} \sphinxstyleemphasis{lifetime}}] \leavevmode -\sphinxAtStartPar -(\DUrole{xref,std,std-ref}{duration} string.) Specifies the lifetime to be requested -for the ticket; if this option is not specified, the default ticket -lifetime (12 hours) is used instead. - -\item[{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{time}}] \leavevmode -\sphinxAtStartPar -(\DUrole{xref,std,std-ref}{duration} string.) Specifies that the \sphinxstylestrong{renewable} option -should be requested for the ticket, and specifies the desired -total lifetime of the ticket. - -\item[{\sphinxstylestrong{\sphinxhyphen{}p}}] \leavevmode -\sphinxAtStartPar -specifies that the \sphinxstylestrong{proxiable} option should be requested for -the ticket. - -\item[{\sphinxstylestrong{\sphinxhyphen{}P}}] \leavevmode -\sphinxAtStartPar -specifies that the \sphinxstylestrong{proxiable} option should not be requested -for the ticket, even if the default configuration is to ask for -proxiable tickets. 
- -\item[{\sphinxstylestrong{\sphinxhyphen{}f}}] \leavevmode -\sphinxAtStartPar -option specifies that the \sphinxstylestrong{forwardable} option should be -requested for the ticket. - -\item[{\sphinxstylestrong{\sphinxhyphen{}F}}] \leavevmode -\sphinxAtStartPar -option specifies that the \sphinxstylestrong{forwardable} option should not be -requested for the ticket, even if the default configuration is to -ask for forwardable tickets. - -\item[{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{command} {[}\sphinxstyleemphasis{args} …{]}}] \leavevmode -\sphinxAtStartPar -ksu proceeds exactly the same as if it was invoked without the -\sphinxstylestrong{\sphinxhyphen{}e} option, except instead of executing the target shell, ksu -executes the specified command. Example of usage: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{ksu} \PYG{n}{bob} \PYG{o}{\PYGZhy{}}\PYG{n}{e} \PYG{n}{ls} \PYG{o}{\PYGZhy{}}\PYG{n}{lag} -\end{sphinxVerbatim} - -\sphinxAtStartPar -The authorization algorithm for \sphinxstylestrong{\sphinxhyphen{}e} is as follows: - -\sphinxAtStartPar -If the source user is root or source user == target user, no -authorization takes place and the command is executed. If source -user id != 0, and \sphinxcode{\sphinxupquote{\textasciitilde{}target\_user/.k5users}} file does not exist, -authorization fails. Otherwise, \sphinxcode{\sphinxupquote{\textasciitilde{}target\_user/.k5users}} file -must have an appropriate entry for target principal to get -authorized. - -\sphinxAtStartPar -The .k5users file format: - -\sphinxAtStartPar -A single principal entry on each line that may be followed by a -list of commands that the principal is authorized to execute. A -principal name followed by a \sphinxcode{\sphinxupquote{*}} means that the user is -authorized to execute any command. 
Thus, in the following -example: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{jqpublic}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{ls} \PYG{n}{mail} \PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{/}\PYG{n}{klist} -\PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{secure}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{*} -\PYG{n}{jqpublic}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@USC}\PYG{o}{.}\PYG{n}{EDU} -\end{sphinxVerbatim} - -\sphinxAtStartPar -\sphinxcode{\sphinxupquote{jqpublic@USC.EDU}} is only authorized to execute \sphinxcode{\sphinxupquote{ls}}, -\sphinxcode{\sphinxupquote{mail}} and \sphinxcode{\sphinxupquote{klist}} commands. \sphinxcode{\sphinxupquote{jqpublic/secure@USC.EDU}} is -authorized to execute any command. \sphinxcode{\sphinxupquote{jqpublic/admin@USC.EDU}} is -not authorized to execute any command. Note, that -\sphinxcode{\sphinxupquote{jqpublic/admin@USC.EDU}} is authorized to execute the target -shell (regular ksu, without the \sphinxstylestrong{\sphinxhyphen{}e} option) but -\sphinxcode{\sphinxupquote{jqpublic@USC.EDU}} is not. - -\sphinxAtStartPar -The commands listed after the principal name must be either a full -path names or just the program name. In the second case, -\sphinxstylestrong{CMD\_PATH} specifying the location of authorized programs must -be defined at the compilation time of ksu. Which command gets -executed? - -\sphinxAtStartPar -If the source user is root or the target user is the source user -or the user is authorized to execute any command (\sphinxcode{\sphinxupquote{*}} entry) -then command can be either a full or a relative path leading to -the target program. Otherwise, the user must specify either a -full path or just the program name. - -\item[{\sphinxstylestrong{\sphinxhyphen{}a} \sphinxstyleemphasis{args}}] \leavevmode -\sphinxAtStartPar -Specify arguments to be passed to the target shell. 
Note that all -flags and parameters following \sphinxhyphen{}a will be passed to the shell, -thus all options intended for ksu must precede \sphinxstylestrong{\sphinxhyphen{}a}. - -\sphinxAtStartPar -The \sphinxstylestrong{\sphinxhyphen{}a} option can be used to simulate the \sphinxstylestrong{\sphinxhyphen{}e} option if -used as follows: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{o}{\PYGZhy{}}\PYG{n}{a} \PYG{o}{\PYGZhy{}}\PYG{n}{c} \PYG{p}{[}\PYG{n}{command} \PYG{p}{[}\PYG{n}{arguments}\PYG{p}{]}\PYG{p}{]}\PYG{o}{.} -\end{sphinxVerbatim} - -\sphinxAtStartPar -\sphinxstylestrong{\sphinxhyphen{}c} is interpreted by the c\sphinxhyphen{}shell to execute the command. - -\end{description} - - -\subsection{INSTALLATION INSTRUCTIONS} -\label{\detokenize{user/user_commands/ksu:installation-instructions}} -\sphinxAtStartPar -ksu can be compiled with the following four flags: -\begin{description} -\item[{\sphinxstylestrong{GET\_TGT\_VIA\_PASSWD}}] \leavevmode -\sphinxAtStartPar -In case no appropriate tickets are found in the source cache, the -user will be prompted for a Kerberos password. The password is -then used to get a ticket granting ticket from the Kerberos -server. The danger of configuring ksu with this macro is if the -source user is logged in remotely and does not have a secure -channel, the password may get exposed. - -\item[{\sphinxstylestrong{PRINC\_LOOK\_AHEAD}}] \leavevmode -\sphinxAtStartPar -During the resolution of the default principal name, -\sphinxstylestrong{PRINC\_LOOK\_AHEAD} enables ksu to find principal names in -the .k5users file as described in the OPTIONS section -(see \sphinxstylestrong{\sphinxhyphen{}n} option). - -\item[{\sphinxstylestrong{CMD\_PATH}}] \leavevmode -\sphinxAtStartPar -Specifies a list of directories containing programs that users are -authorized to execute (via .k5users file). 
- -\item[{\sphinxstylestrong{HAVE\_GETUSERSHELL}}] \leavevmode -\sphinxAtStartPar -If the source user is non\sphinxhyphen{}root, ksu insists that the target user’s -shell to be invoked is a “legal shell”. \sphinxstyleemphasis{getusershell(3)} is -called to obtain the names of “legal shells”. Note that the -target user’s shell is obtained from the passwd file. - -\end{description} - -\sphinxAtStartPar -Sample configuration: - -\begin{sphinxVerbatim}[commandchars=\\\{\}] -\PYG{n}{KSU\PYGZus{}OPTS} \PYG{o}{=} \PYG{o}{\PYGZhy{}}\PYG{n}{DGET\PYGZus{}TGT\PYGZus{}VIA\PYGZus{}PASSWD} \PYG{o}{\PYGZhy{}}\PYG{n}{DPRINC\PYGZus{}LOOK\PYGZus{}AHEAD} \PYG{o}{\PYGZhy{}}\PYG{n}{DCMD\PYGZus{}PATH}\PYG{o}{=}\PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{\PYGZdq{}}\PYG{l+s+s1}{/bin /usr/ucb /local/bin}\PYG{l+s+s1}{\PYGZdq{}} -\end{sphinxVerbatim} - -\sphinxAtStartPar -ksu should be owned by root and have the set user id bit turned on. - -\sphinxAtStartPar -ksu attempts to get a ticket for the end server just as Kerberized -telnet and rlogin. Thus, there must be an entry for the server in the -Kerberos database (e.g., \sphinxcode{\sphinxupquote{host/nii.isi.edu@ISI.EDU}}). The keytab -file must be in an appropriate location. - - -\subsection{SIDE EFFECTS} -\label{\detokenize{user/user_commands/ksu:side-effects}} -\sphinxAtStartPar -ksu deletes all expired tickets from the source cache. - - -\subsection{AUTHOR OF KSU} -\label{\detokenize{user/user_commands/ksu:author-of-ksu}} -\sphinxAtStartPar -GENNADY (ARI) MEDVINSKY - - -\subsection{ENVIRONMENT} -\label{\detokenize{user/user_commands/ksu:environment}} -\sphinxAtStartPar -See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment -variables. 
- - -\subsection{SEE ALSO} -\label{\detokenize{user/user_commands/ksu:see-also}} -\sphinxAtStartPar -{\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}}, {\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}} - - -\section{kswitch} -\label{\detokenize{user/user_commands/kswitch:kswitch}}\label{\detokenize{user/user_commands/kswitch:kswitch-1}}\label{\detokenize{user/user_commands/kswitch::doc}} - -\subsection{SYNOPSIS} -\label{\detokenize{user/user_commands/kswitch:synopsis}} -\sphinxAtStartPar -\sphinxstylestrong{kswitch} -\{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cachename}|\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{principal}\} - - -\subsection{DESCRIPTION} -\label{\detokenize{user/user_commands/kswitch:description}} -\sphinxAtStartPar -kswitch makes the specified credential cache the primary cache for the -collection, if a cache collection is available. - - -\subsection{OPTIONS} -\label{\detokenize{user/user_commands/kswitch:options}}\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cachename}}] \leavevmode -\sphinxAtStartPar -Directly specifies the credential cache to be made primary. - -\item[{\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{principal}}] \leavevmode -\sphinxAtStartPar -Causes the cache collection to be searched for a cache containing -credentials for \sphinxstyleemphasis{principal}. If one is found, that collection is -made primary. - -\end{description} - - -\subsection{ENVIRONMENT} -\label{\detokenize{user/user_commands/kswitch:environment}} -\sphinxAtStartPar -See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment -variables. 
- - -\subsection{FILES} -\label{\detokenize{user/user_commands/kswitch:files}}\begin{description} -\item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode -\sphinxAtStartPar -Default location of Kerberos 5 credentials cache - -\end{description} - - -\subsection{SEE ALSO} -\label{\detokenize{user/user_commands/kswitch:see-also}} -\sphinxAtStartPar -{\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_commands/klist:klist-1}]{\sphinxcrossref{\DUrole{std,std-ref}{klist}}}}, -{\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} - - -\section{kvno} -\label{\detokenize{user/user_commands/kvno:kvno}}\label{\detokenize{user/user_commands/kvno:kvno-1}}\label{\detokenize{user/user_commands/kvno::doc}} - -\subsection{SYNOPSIS} -\label{\detokenize{user/user_commands/kvno:synopsis}} -\sphinxAtStartPar -\sphinxstylestrong{kvno} -{[}\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{ccache}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{etype}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{keytab}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}q}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}u} | \sphinxstylestrong{\sphinxhyphen{}S} \sphinxstyleemphasis{sname}{]} -{[}\sphinxstylestrong{\sphinxhyphen{}P}{]} -{[}\sphinxstylestrong{\textendash{}cached\sphinxhyphen{}only}{]} -{[}\sphinxstylestrong{\textendash{}no\sphinxhyphen{}store}{]} -{[}\sphinxstylestrong{\textendash{}out\sphinxhyphen{}cache} \sphinxstyleemphasis{cache}{]} -{[}{[}\{\sphinxstylestrong{\sphinxhyphen{}F} \sphinxstyleemphasis{cert\_file} | \{\sphinxstylestrong{\sphinxhyphen{}I} | \sphinxstylestrong{\sphinxhyphen{}U}\} \sphinxstyleemphasis{for\_user}\} {[}\sphinxstylestrong{\sphinxhyphen{}P}{]}{]} | 
\sphinxstylestrong{\textendash{}u2u} \sphinxstyleemphasis{ccache}{]} -\sphinxstyleemphasis{service1 service2} … - - -\subsection{DESCRIPTION} -\label{\detokenize{user/user_commands/kvno:description}} -\sphinxAtStartPar -kvno acquires a service ticket for the specified Kerberos principals -and prints out the key version numbers of each. - - -\subsection{OPTIONS} -\label{\detokenize{user/user_commands/kvno:options}}\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{ccache}}] \leavevmode -\sphinxAtStartPar -Specifies the name of a credentials cache to use (if not the -default) - -\item[{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{etype}}] \leavevmode -\sphinxAtStartPar -Specifies the enctype which will be requested for the session key -of all the services named on the command line. This is useful in -certain backward compatibility situations. - -\item[{\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{keytab}}] \leavevmode -\sphinxAtStartPar -Decrypt the acquired tickets using \sphinxstyleemphasis{keytab} to confirm their -validity. - -\item[{\sphinxstylestrong{\sphinxhyphen{}q}}] \leavevmode -\sphinxAtStartPar -Suppress printing output when successful. If a service ticket -cannot be obtained, an error message will still be printed and -kvno will exit with nonzero status. - -\item[{\sphinxstylestrong{\sphinxhyphen{}u}}] \leavevmode -\sphinxAtStartPar -Use the unknown name type in requested service principal names. -This option Cannot be used with \sphinxstyleemphasis{\sphinxhyphen{}S}. - -\item[{\sphinxstylestrong{\sphinxhyphen{}P}}] \leavevmode -\sphinxAtStartPar -Specifies that the \sphinxstyleemphasis{service1 service2} … arguments are to be -treated as services for which credentials should be acquired using -constrained delegation. This option is only valid when used in -conjunction with protocol transition. 
- -\item[{\sphinxstylestrong{\sphinxhyphen{}S} \sphinxstyleemphasis{sname}}] \leavevmode -\sphinxAtStartPar -Specifies that the \sphinxstyleemphasis{service1 service2} … arguments are -interpreted as hostnames, and the service principals are to be -constructed from those hostnames and the service name \sphinxstyleemphasis{sname}. -The service hostnames will be canonicalized according to the usual -rules for constructing service principals. - -\item[{\sphinxstylestrong{\sphinxhyphen{}I} \sphinxstyleemphasis{for\_user}}] \leavevmode -\sphinxAtStartPar -Specifies that protocol transition (S4U2Self) is to be used to -acquire a ticket on behalf of \sphinxstyleemphasis{for\_user}. If constrained -delegation is not requested, the service name must match the -credentials cache client principal. - -\item[{\sphinxstylestrong{\sphinxhyphen{}U} \sphinxstyleemphasis{for\_user}}] \leavevmode -\sphinxAtStartPar -Same as \sphinxhyphen{}I, but treats \sphinxstyleemphasis{for\_user} as an enterprise name. - -\item[{\sphinxstylestrong{\sphinxhyphen{}F} \sphinxstyleemphasis{cert\_file}}] \leavevmode -\sphinxAtStartPar -Specifies that protocol transition is to be used, identifying the -client principal with the X.509 certificate in \sphinxstyleemphasis{cert\_file}. The -certificate file must be in PEM format. - -\item[{\sphinxstylestrong{\textendash{}cached\sphinxhyphen{}only}}] \leavevmode -\sphinxAtStartPar -Only retrieve credentials already present in the cache, not from -the KDC. (Added in release 1.19.) - -\item[{\sphinxstylestrong{\textendash{}no\sphinxhyphen{}store}}] \leavevmode -\sphinxAtStartPar -Do not store retrieved credentials in the cache. If -\sphinxstylestrong{\textendash{}out\sphinxhyphen{}cache} is also specified, credentials will still be -stored into the output credential cache. (Added in release 1.19.) 
- -\item[{\sphinxstylestrong{\textendash{}out\sphinxhyphen{}cache} \sphinxstyleemphasis{ccache}}] \leavevmode -\sphinxAtStartPar -Initialize \sphinxstyleemphasis{ccache} and store all retrieved credentials into it. -Do not store acquired credentials in the input cache. (Added in -release 1.19.) - -\item[{\sphinxstylestrong{\textendash{}u2u} \sphinxstyleemphasis{ccache}}] \leavevmode -\sphinxAtStartPar -Requests a user\sphinxhyphen{}to\sphinxhyphen{}user ticket. \sphinxstyleemphasis{ccache} must contain a local -krbtgt ticket for the server principal. The reported version -number will typically be 0, as the resulting ticket is not -encrypted in the server’s long\sphinxhyphen{}term key. - -\end{description} - - -\subsection{ENVIRONMENT} -\label{\detokenize{user/user_commands/kvno:environment}} -\sphinxAtStartPar -See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment -variables. - - -\subsection{FILES} -\label{\detokenize{user/user_commands/kvno:files}}\begin{description} -\item[{\DUrole{xref,std,std-ref}{DEFCCNAME}}] \leavevmode -\sphinxAtStartPar -Default location of the credentials cache - -\end{description} - - -\subsection{SEE ALSO} -\label{\detokenize{user/user_commands/kvno:see-also}} -\sphinxAtStartPar -{\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, {\hyperref[\detokenize{user/user_commands/kdestroy:kdestroy-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kdestroy}}}}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} - - -\section{sclient} -\label{\detokenize{user/user_commands/sclient:sclient}}\label{\detokenize{user/user_commands/sclient:sclient-1}}\label{\detokenize{user/user_commands/sclient::doc}} - -\subsection{SYNOPSIS} -\label{\detokenize{user/user_commands/sclient:synopsis}} -\sphinxAtStartPar -\sphinxstylestrong{sclient} 
\sphinxstyleemphasis{remotehost} - - -\subsection{DESCRIPTION} -\label{\detokenize{user/user_commands/sclient:description}} -\sphinxAtStartPar -sclient is a sample application, primarily useful for testing -purposes. It contacts a sample server \DUrole{xref,std,std-ref}{sserver(8)} and -authenticates to it using Kerberos version 5 tickets, then displays -the server’s response. - - -\subsection{ENVIRONMENT} -\label{\detokenize{user/user_commands/sclient:environment}} -\sphinxAtStartPar -See {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} for a description of Kerberos environment -variables. - - -\subsection{SEE ALSO} -\label{\detokenize{user/user_commands/sclient:see-also}} -\sphinxAtStartPar -{\hyperref[\detokenize{user/user_commands/kinit:kinit-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kinit}}}}, \DUrole{xref,std,std-ref}{sserver(8)}, {\hyperref[\detokenize{user/user_config/kerberos:kerberos-7}]{\sphinxcrossref{\DUrole{std,std-ref}{kerberos}}}} - - - -\renewcommand{\indexname}{Index} -\printindex -\end{document}
\ No newline at end of file |