Diffstat (limited to 'crypto/krb5/doc/user/user_commands')
-rw-r--r--  crypto/krb5/doc/user/user_commands/index.rst          17
-rw-r--r--  crypto/krb5/doc/user/user_commands/kdestroy.rst       77
-rw-r--r--  crypto/krb5/doc/user/user_commands/kinit.rst         226
-rw-r--r--  crypto/krb5/doc/user/user_commands/klist.rst         129
-rw-r--r--  crypto/krb5/doc/user/user_commands/kpasswd.rst        46
-rw-r--r--  crypto/krb5/doc/user/user_commands/krb5-config.rst    83
-rw-r--r--  crypto/krb5/doc/user/user_commands/ksu.rst           411
-rw-r--r--  crypto/krb5/doc/user/user_commands/kswitch.rst        50
-rw-r--r--  crypto/krb5/doc/user/user_commands/kvno.rst          119
-rw-r--r--  crypto/krb5/doc/user/user_commands/sclient.rst        30
10 files changed, 0 insertions, 1188 deletions
diff --git a/crypto/krb5/doc/user/user_commands/index.rst b/crypto/krb5/doc/user/user_commands/index.rst deleted file mode 100644 index 7ce86a14c428..000000000000 --- a/crypto/krb5/doc/user/user_commands/index.rst +++ /dev/null @@ -1,17 +0,0 @@ -.. _user_commands: - -User commands -============= - -.. toctree:: - :maxdepth: 1 - - kdestroy.rst - kinit.rst - klist.rst - kpasswd.rst - krb5-config.rst - ksu.rst - kswitch.rst - kvno.rst - sclient.rst diff --git a/crypto/krb5/doc/user/user_commands/kdestroy.rst b/crypto/krb5/doc/user/user_commands/kdestroy.rst deleted file mode 100644 index b15846f9192d..000000000000 --- a/crypto/krb5/doc/user/user_commands/kdestroy.rst +++ /dev/null 
@@ -1,77 +0,0 @@ -.. _kdestroy(1): - -kdestroy -======== - -SYNOPSIS --------- - -**kdestroy** -[**-A**] -[**-q**] -[**-c** *cache_name*] -[**-p** *princ_name*] - - -DESCRIPTION ------------ - -The kdestroy utility destroys the user's active Kerberos authorization -tickets by overwriting and deleting the credentials cache that -contains them. If the credentials cache is not specified, the default -credentials cache is destroyed. - - -OPTIONS -------- - -**-A** - Destroys all caches in the collection, if a cache collection is - available. May be used with the **-c** option to specify the - collection to be destroyed. - -**-q** - Run quietly. Normally kdestroy beeps if it fails to destroy the - user's tickets. The **-q** flag suppresses this behavior. - -**-c** *cache_name* - Use *cache_name* as the credentials (ticket) cache name and - location; if this option is not used, the default cache name and - location are used. - - The default credentials cache may vary between systems. If the - **KRB5CCNAME** environment variable is set, its value is used to - name the default ticket cache. - -**-p** *princ_name* - If a cache collection is available, destroy the cache for - *princ_name* instead of the primary cache. May be used with the - **-c** option to specify the collection to be searched. - - -NOTE ----- - -Most installations recommend that you place the kdestroy command in -your .logout file, so that your tickets are destroyed automatically -when you log out. - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -FILES ------ - -|ccache| - Default location of Kerberos 5 credentials cache - - -SEE ALSO --------- - -:ref:`kinit(1)`, :ref:`klist(1)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/user/user_commands/kinit.rst b/crypto/krb5/doc/user/user_commands/kinit.rst deleted file mode 100644 index d947e83cc637..000000000000 --- a/crypto/krb5/doc/user/user_commands/kinit.rst +++ /dev/null 
@@ -1,226 +0,0 @@ -.. _kinit(1): - -kinit -===== - -SYNOPSIS --------- - -**kinit** -[**-V**] -[**-l** *lifetime*] -[**-s** *start_time*] -[**-r** *renewable_life*] -[**-p** | -**P**] -[**-f** | -**F**] -[**-a**] -[**-A**] -[**-C**] -[**-E**] -[**-v**] -[**-R**] -[**-k** [**-i** | -**t** *keytab_file*]] -[**-c** *cache_name*] -[**-n**] -[**-S** *service_name*] -[**-I** *input_ccache*] -[**-T** *armor_ccache*] -[**-X** *attribute*\ [=\ *value*]] -[**--request-pac** | **--no-request-pac**] -[*principal*] - - -DESCRIPTION ------------ - -kinit obtains and caches an initial ticket-granting ticket for -*principal*. If *principal* is absent, kinit chooses an appropriate -principal name based on existing credential cache contents or the -local username of the user invoking kinit. Some options modify the -choice of principal name. - - -OPTIONS -------- - -**-V** - display verbose output. - -**-l** *lifetime* - (:ref:`duration` string.) Requests a ticket with the lifetime - *lifetime*. - - For example, ``kinit -l 5:30`` or ``kinit -l 5h30m``. - - If the **-l** option is not specified, the default ticket lifetime - (configured by each site) is used. Specifying a ticket lifetime - longer than the maximum ticket lifetime (configured by each site) - will not override the configured maximum ticket lifetime. - -**-s** *start_time* - (:ref:`duration` string.) Requests a postdated ticket. Postdated - tickets are issued with the **invalid** flag set, and need to be - resubmitted to the KDC for validation before use. - - *start_time* specifies the duration of the delay before the ticket - can become valid. - -**-r** *renewable_life* - (:ref:`duration` string.) Requests renewable tickets, with a total - lifetime of *renewable_life*. - -**-f** - requests forwardable tickets. - -**-F** - requests non-forwardable tickets. - -**-p** - requests proxiable tickets. - -**-P** - requests non-proxiable tickets. - -**-a** - requests tickets restricted to the host's local address[es]. 
- -**-A** - requests tickets not restricted by address. - -**-C** - requests canonicalization of the principal name, and allows the - KDC to reply with a different client principal from the one - requested. - -**-E** - treats the principal name as an enterprise name. - -**-v** - requests that the ticket-granting ticket in the cache (with the - **invalid** flag set) be passed to the KDC for validation. If the - ticket is within its requested time range, the cache is replaced - with the validated ticket. - -**-R** - requests renewal of the ticket-granting ticket. Note that an - expired ticket cannot be renewed, even if the ticket is still - within its renewable life. - - Note that renewable tickets that have expired as reported by - :ref:`klist(1)` may sometimes be renewed using this option, - because the KDC applies a grace period to account for client-KDC - clock skew. See :ref:`krb5.conf(5)` **clockskew** setting. - -**-k** [**-i** | **-t** *keytab_file*] - requests a ticket, obtained from a key in the local host's keytab. - The location of the keytab may be specified with the **-t** - *keytab_file* option, or with the **-i** option to specify the use - of the default client keytab; otherwise the default keytab will be - used. By default, a host ticket for the local host is requested, - but any principal may be specified. On a KDC, the special keytab - location ``KDB:`` can be used to indicate that kinit should open - the KDC database and look up the key directly. This permits an - administrator to obtain tickets as any principal that supports - authentication based on the key. - -**-n** - Requests anonymous processing. Two types of anonymous principals - are supported. - - For fully anonymous Kerberos, configure pkinit on the KDC and - configure **pkinit_anchors** in the client's :ref:`krb5.conf(5)`. - Then use the **-n** option with a principal of the form ``@REALM`` - (an empty principal name followed by the at-sign and a realm - name). 
If permitted by the KDC, an anonymous ticket will be - returned. - - A second form of anonymous tickets is supported; these - realm-exposed tickets hide the identity of the client but not the - client's realm. For this mode, use ``kinit -n`` with a normal - principal name. If supported by the KDC, the principal (but not - realm) will be replaced by the anonymous principal. - - As of release 1.8, the MIT Kerberos KDC only supports fully - anonymous operation. - -**-I** *input_ccache* - - Specifies the name of a credentials cache that already contains a - ticket. When obtaining that ticket, if information about how that - ticket was obtained was also stored to the cache, that information - will be used to affect how new credentials are obtained, including - preselecting the same methods of authenticating to the KDC. - -**-T** *armor_ccache* - Specifies the name of a credentials cache that already contains a - ticket. If supported by the KDC, this cache will be used to armor - the request, preventing offline dictionary attacks and allowing - the use of additional preauthentication mechanisms. Armoring also - makes sure that the response from the KDC is not modified in - transit. - -**-c** *cache_name* - use *cache_name* as the Kerberos 5 credentials (ticket) cache - location. If this option is not used, the default cache location - is used. - - The default cache location may vary between systems. If the - **KRB5CCNAME** environment variable is set, its value is used to - locate the default cache. If a principal name is specified and - the type of the default cache supports a collection (such as the - DIR type), an existing cache containing credentials for the - principal is selected or a new one is created and becomes the new - primary cache. Otherwise, any existing contents of the default - cache are destroyed by kinit. - -**-S** *service_name* - specify an alternate service name to use when getting initial - tickets. 
- -**-X** *attribute*\ [=\ *value*] - specify a pre-authentication *attribute* and *value* to be - interpreted by pre-authentication modules. The acceptable - attribute and value values vary from module to module. This - option may be specified multiple times to specify multiple - attributes. If no value is specified, it is assumed to be "yes". - - The following attributes are recognized by the PKINIT - pre-authentication mechanism: - - **X509_user_identity**\ =\ *value* - specify where to find user's X509 identity information - - **X509_anchors**\ =\ *value* - specify where to find trusted X509 anchor information - - **disable_freshness**\ [**=yes**] - disable sending freshness tokens (for testing purposes only) - -**--request-pac** | **--no-request-pac** - mutually exclusive. If **--request-pac** is set, ask the KDC to - include a PAC in authdata; if **--no-request-pac** is set, ask the - KDC not to include a PAC; if neither are set, the KDC will follow - its default, which is typically is to include a PAC if doing so is - supported. - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -FILES ------ - -|ccache| - default location of Kerberos 5 credentials cache - -|keytab| - default location for the local host's keytab. - - -SEE ALSO --------- - -:ref:`klist(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/user/user_commands/klist.rst b/crypto/krb5/doc/user/user_commands/klist.rst deleted file mode 100644 index eb5564508924..000000000000 --- a/crypto/krb5/doc/user/user_commands/klist.rst +++ /dev/null 
@@ -1,129 +0,0 @@ -.. _klist(1): - -klist -===== - -SYNOPSIS --------- - -**klist** -[**-e**] -[[**-c**] [**-l**] [**-A**] [**-f**] [**-s**] [**-a** [**-n**]]] -[**-C**] -[**-k** [**-i**] [**-t**] [**-K**]] -[**-V**] -[**-d**] -[*cache_name*\|\ *keytab_name*] - - -DESCRIPTION ------------ - -klist lists the Kerberos principal and Kerberos tickets held in a -credentials cache, or the keys held in a keytab file. - - -OPTIONS -------- - -**-e** - Displays the encryption types of the session key and the ticket - for each credential in the credential cache, or each key in the - keytab file. - -**-l** - If a cache collection is available, displays a table summarizing - the caches present in the collection. - -**-A** - If a cache collection is available, displays the contents of all - of the caches in the collection. - -**-c** - List tickets held in a credentials cache. This is the default if - neither **-c** nor **-k** is specified. - -**-f** - Shows the flags present in the credentials, using the following - abbreviations:: - - F Forwardable - f forwarded - P Proxiable - p proxy - D postDateable - d postdated - R Renewable - I Initial - i invalid - H Hardware authenticated - A preAuthenticated - T Transit policy checked - O Okay as delegate - a anonymous - -**-s** - Causes klist to run silently (produce no output). klist will exit - with status 1 if the credentials cache cannot be read or is - expired, and with status 0 otherwise. - -**-a** - Display list of addresses in credentials. - -**-n** - Show numeric addresses instead of reverse-resolving addresses. - -**-C** - List configuration data that has been stored in the credentials - cache when klist encounters it. By default, configuration data - is not listed. - -**-k** - List keys held in a keytab file. - -**-i** - In combination with **-k**, defaults to using the default client - keytab instead of the default acceptor keytab, if no name is - given. 
- -**-t** - Display the time entry timestamps for each keytab entry in the - keytab file. - -**-K** - Display the value of the encryption key in each keytab entry in - the keytab file. - -**-d** - Display the authdata types (if any) for each entry. - -**-V** - Display the Kerberos version number and exit. - -If *cache_name* or *keytab_name* is not specified, klist will display -the credentials in the default credentials cache or keytab file as -appropriate. If the **KRB5CCNAME** environment variable is set, its -value is used to locate the default ticket cache. - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -FILES ------ - -|ccache| - Default location of Kerberos 5 credentials cache - -|keytab| - Default location for the local host's keytab file. - - -SEE ALSO --------- - -:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/user/user_commands/kpasswd.rst b/crypto/krb5/doc/user/user_commands/kpasswd.rst deleted file mode 100644 index 0583bbd059aa..000000000000 --- a/crypto/krb5/doc/user/user_commands/kpasswd.rst +++ /dev/null 
@@ -1,46 +0,0 @@ -.. _kpasswd(1): - -kpasswd -======= - -SYNOPSIS --------- - -**kpasswd** [*principal*] - - -DESCRIPTION ------------ - -The kpasswd command is used to change a Kerberos principal's password. -kpasswd first prompts for the current Kerberos password, then prompts -the user twice for the new password, and the password is changed. - -If the principal is governed by a policy that specifies the length -and/or number of character classes required in the new password, the -new password must conform to the policy. (The five character classes -are lower case, upper case, numbers, punctuation, and all other -characters.) - - -OPTIONS -------- - -*principal* - Change the password for the Kerberos principal principal. - Otherwise, kpasswd uses the principal name from an existing ccache - if there is one; if not, the principal is derived from the - identity of the user invoking the kpasswd command. - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -SEE ALSO --------- - -:ref:`kadmin(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/user/user_commands/krb5-config.rst b/crypto/krb5/doc/user/user_commands/krb5-config.rst deleted file mode 100644 index 2c09141a194f..000000000000 --- a/crypto/krb5/doc/user/user_commands/krb5-config.rst +++ /dev/null 
@@ -1,83 +0,0 @@ -.. _krb5-config(1): - -krb5-config -=========== - -SYNOPSIS --------- - -**krb5-config** -[**-**\ **-help** | **-**\ **-all** | **-**\ **-version** | **-**\ **-vendor** | **-**\ **-prefix** | **-**\ **-exec-prefix** | **-**\ **-defccname** | **-**\ **-defktname** | **-**\ **-defcktname** | **-**\ **-cflags** | **-**\ **-libs** [*libraries*]] - - -DESCRIPTION ------------ - -krb5-config tells the application programmer what flags to use to compile -and link programs against the installed Kerberos libraries. - - -OPTIONS -------- - -**-**\ **-help** - prints a usage message. This is the default behavior when no options - are specified. - -**-**\ **-all** - prints the version, vendor, prefix, and exec-prefix. - -**-**\ **-version** - prints the version number of the Kerberos installation. - -**-**\ **-vendor** - prints the name of the vendor of the Kerberos installation. - -**-**\ **-prefix** - prints the prefix for which the Kerberos installation was built. - -**-**\ **-exec-prefix** - prints the prefix for executables for which the Kerberos installation - was built. - -**-**\ **-defccname** - prints the built-in default credentials cache location. - -**-**\ **-defktname** - prints the built-in default keytab location. - -**-**\ **-defcktname** - prints the built-in default client (initiator) keytab location. - -**-**\ **-cflags** - prints the compilation flags used to build the Kerberos installation. - -**-**\ **-libs** [*library*] - prints the compiler options needed to link against *library*. 
- Allowed values for *library* are: - - ============ =============================================== - krb5 Kerberos 5 applications (default) - gssapi GSSAPI applications with Kerberos 5 bindings - kadm-client Kadmin client - kadm-server Kadmin server - kdb Applications that access the Kerberos database - ============ =============================================== - -EXAMPLES --------- - -krb5-config is particularly useful for compiling against a Kerberos -installation that was installed in a non-standard location. For example, -a Kerberos installation that is installed in ``/opt/krb5/`` but uses -libraries in ``/usr/local/lib/`` for text localization would produce -the following output:: - - shell% krb5-config --libs krb5 - -L/opt/krb5/lib -Wl,-rpath -Wl,/opt/krb5/lib -L/usr/local/lib -lkrb5 -lk5crypto -lcom_err - - -SEE ALSO --------- - -:ref:`kerberos(7)`, cc(1) diff --git a/crypto/krb5/doc/user/user_commands/ksu.rst b/crypto/krb5/doc/user/user_commands/ksu.rst deleted file mode 100644 index 933738229ad7..000000000000 --- a/crypto/krb5/doc/user/user_commands/ksu.rst +++ /dev/null 
@@ -1,411 +0,0 @@ -.. _ksu(1): - -ksu -=== - -SYNOPSIS --------- - -**ksu** -[ *target_user* ] -[ **-n** *target_principal_name* ] -[ **-c** *source_cache_name* ] -[ **-k** ] -[ **-r** time ] -[ **-p** | **-P**] -[ **-f** | **-F**] -[ **-l** *lifetime* ] -[ **-z | Z** ] -[ **-q** ] -[ **-e** *command* [ args ... ] ] [ **-a** [ args ... ] ] - - -REQUIREMENTS ------------- - -Must have Kerberos version 5 installed to compile ksu. Must have a -Kerberos version 5 server running to use ksu. - - -DESCRIPTION ------------ - -ksu is a Kerberized version of the su program that has two missions: -one is to securely change the real and effective user ID to that of -the target user, and the other is to create a new security context. - -.. note:: - - For the sake of clarity, all references to and attributes of - the user invoking the program will start with "source" - (e.g., "source user", "source cache", etc.). - - Likewise, all references to and attributes of the target - account will start with "target". - -AUTHENTICATION --------------- - -To fulfill the first mission, ksu operates in two phases: -authentication and authorization. Resolving the target principal name -is the first step in authentication. The user can either specify his -principal name with the **-n** option (e.g., ``-n jqpublic@USC.EDU``) -or a default principal name will be assigned using a heuristic -described in the OPTIONS section (see **-n** option). The target user -name must be the first argument to ksu; if not specified root is the -default. If ``.`` is specified then the target user will be the -source user (e.g., ``ksu .``). If the source user is root or the -target user is the source user, no authentication or authorization -takes place. Otherwise, ksu looks for an appropriate Kerberos ticket -in the source cache. - -The ticket can either be for the end-server or a ticket granting -ticket (TGT) for the target principal's realm. 
If the ticket for the -end-server is already in the cache, it's decrypted and verified. If -it's not in the cache but the TGT is, the TGT is used to obtain the -ticket for the end-server. The end-server ticket is then verified. -If neither ticket is in the cache, but ksu is compiled with the -**GET_TGT_VIA_PASSWD** define, the user will be prompted for a -Kerberos password which will then be used to get a TGT. If the user -is logged in remotely and does not have a secure channel, the password -may be exposed. If neither ticket is in the cache and -**GET_TGT_VIA_PASSWD** is not defined, authentication fails. - - -AUTHORIZATION -------------- - -This section describes authorization of the source user when ksu is -invoked without the **-e** option. For a description of the **-e** -option, see the OPTIONS section. - -Upon successful authentication, ksu checks whether the target -principal is authorized to access the target account. In the target -user's home directory, ksu attempts to access two authorization files: -:ref:`.k5login(5)` and .k5users. In the .k5login file each line -contains the name of a principal that is authorized to access the -account. - -For example:: - - jqpublic@USC.EDU - jqpublic/secure@USC.EDU - jqpublic/admin@USC.EDU - -The format of .k5users is the same, except the principal name may be -followed by a list of commands that the principal is authorized to -execute (see the **-e** option in the OPTIONS section for details). - -Thus if the target principal name is found in the .k5login file the -source user is authorized to access the target account. Otherwise ksu -looks in the .k5users file. If the target principal name is found -without any trailing commands or followed only by ``*`` then the -source user is authorized. If either .k5login or .k5users exist but -an appropriate entry for the target principal does not exist then -access is denied. 
If neither file exists then the principal will be -granted access to the account according to the aname->lname mapping -rules. Otherwise, authorization fails. - - -EXECUTION OF THE TARGET SHELL ------------------------------ - -Upon successful authentication and authorization, ksu proceeds in a -similar fashion to su. The environment is unmodified with the -exception of USER, HOME and SHELL variables. If the target user is -not root, USER gets set to the target user name. Otherwise USER -remains unchanged. Both HOME and SHELL are set to the target login's -default values. In addition, the environment variable **KRB5CCNAME** -gets set to the name of the target cache. The real and effective user -ID are changed to that of the target user. The target user's shell is -then invoked (the shell name is specified in the password file). Upon -termination of the shell, ksu deletes the target cache (unless ksu is -invoked with the **-k** option). This is implemented by first doing a -fork and then an exec, instead of just exec, as done by su. - - -CREATING A NEW SECURITY CONTEXT -------------------------------- - -ksu can be used to create a new security context for the target -program (either the target shell, or command specified via the **-e** -option). The target program inherits a set of credentials from the -source user. By default, this set includes all of the credentials in -the source cache plus any additional credentials obtained during -authentication. The source user is able to limit the credentials in -this set by using **-z** or **-Z** option. **-z** restricts the copy -of tickets from the source cache to the target cache to only the -tickets where client == the target principal name. The **-Z** option -provides the target user with a fresh target cache (no creds in the -cache). Note that for security reasons, when the source user is root -and target user is non-root, **-z** option is the default mode of -operation. 
- -While no authentication takes place if the source user is root or is -the same as the target user, additional tickets can still be obtained -for the target cache. If **-n** is specified and no credentials can -be copied to the target cache, the source user is prompted for a -Kerberos password (unless **-Z** specified or **GET_TGT_VIA_PASSWD** -is undefined). If successful, a TGT is obtained from the Kerberos -server and stored in the target cache. Otherwise, if a password is -not provided (user hit return) ksu continues in a normal mode of -operation (the target cache will not contain the desired TGT). If the -wrong password is typed in, ksu fails. - -.. note:: - - During authentication, only the tickets that could be - obtained without providing a password are cached in the - source cache. - - -OPTIONS -------- - -**-n** *target_principal_name* - Specify a Kerberos target principal name. Used in authentication - and authorization phases of ksu. - - If ksu is invoked without **-n**, a default principal name is - assigned via the following heuristic: - - * Case 1: source user is non-root. - - If the target user is the source user the default principal name - is set to the default principal of the source cache. If the - cache does not exist then the default principal name is set to - ``target_user@local_realm``. If the source and target users are - different and neither ``~target_user/.k5users`` nor - ``~target_user/.k5login`` exist then the default principal name - is ``target_user_login_name@local_realm``. Otherwise, starting - with the first principal listed below, ksu checks if the - principal is authorized to access the target account and whether - there is a legitimate ticket for that principal in the source - cache. If both conditions are met that principal becomes the - default target principal, otherwise go to the next principal. 
- - a) default principal of the source cache - b) target_user\@local_realm - c) source_user\@local_realm - - If a-c fails try any principal for which there is a ticket in - the source cache and that is authorized to access the target - account. If that fails select the first principal that is - authorized to access the target account from the above list. If - none are authorized and ksu is configured with - **PRINC_LOOK_AHEAD** turned on, select the default principal as - follows: - - For each candidate in the above list, select an authorized - principal that has the same realm name and first part of the - principal name equal to the prefix of the candidate. For - example if candidate a) is ``jqpublic@ISI.EDU`` and - ``jqpublic/secure@ISI.EDU`` is authorized to access the target - account then the default principal is set to - ``jqpublic/secure@ISI.EDU``. - - * Case 2: source user is root. - - If the target user is non-root then the default principal name - is ``target_user@local_realm``. Else, if the source cache - exists the default principal name is set to the default - principal of the source cache. If the source cache does not - exist, default principal name is set to ``root\@local_realm``. - -**-c** *source_cache_name* - - Specify source cache name (e.g., ``-c FILE:/tmp/my_cache``). If - **-c** option is not used then the name is obtained from - **KRB5CCNAME** environment variable. If **KRB5CCNAME** is not - defined the source cache name is set to ``krb5cc_<source uid>``. - The target cache name is automatically set to ``krb5cc_<target - uid>.(gen_sym())``, where gen_sym generates a new number such that - the resulting cache does not already exist. For example:: - - krb5cc_1984.2 - -**-k** - Do not delete the target cache upon termination of the target - shell or a command (**-e** command). Without **-k**, ksu deletes - the target cache. 
- -**-z** - Restrict the copy of tickets from the source cache to the target - cache to only the tickets where client == the target principal - name. Use the **-n** option if you want the tickets for other then - the default principal. Note that the **-z** option is mutually - exclusive with the **-Z** option. - -**-Z** - Don't copy any tickets from the source cache to the target cache. - Just create a fresh target cache, where the default principal name - of the cache is initialized to the target principal name. Note - that the **-Z** option is mutually exclusive with the **-z** - option. - -**-q** - Suppress the printing of status messages. - -Ticket granting ticket options: - -**-l** *lifetime* **-r** *time* **-p** **-P** **-f** **-F** - The ticket granting ticket options only apply to the case where - there are no appropriate tickets in the cache to authenticate the - source user. In this case if ksu is configured to prompt users - for a Kerberos password (**GET_TGT_VIA_PASSWD** is defined), the - ticket granting ticket options that are specified will be used - when getting a ticket granting ticket from the Kerberos server. - -**-l** *lifetime* - (:ref:`duration` string.) Specifies the lifetime to be requested - for the ticket; if this option is not specified, the default ticket - lifetime (12 hours) is used instead. - -**-r** *time* - (:ref:`duration` string.) Specifies that the **renewable** option - should be requested for the ticket, and specifies the desired - total lifetime of the ticket. - -**-p** - specifies that the **proxiable** option should be requested for - the ticket. - -**-P** - specifies that the **proxiable** option should not be requested - for the ticket, even if the default configuration is to ask for - proxiable tickets. - -**-f** - option specifies that the **forwardable** option should be - requested for the ticket. 
- -**-F** - option specifies that the **forwardable** option should not be - requested for the ticket, even if the default configuration is to - ask for forwardable tickets. - -**-e** *command* [*args* ...] - ksu proceeds exactly the same as if it was invoked without the - **-e** option, except instead of executing the target shell, ksu - executes the specified command. Example of usage:: - - ksu bob -e ls -lag - - The authorization algorithm for **-e** is as follows: - - If the source user is root or source user == target user, no - authorization takes place and the command is executed. If source - user id != 0, and ``~target_user/.k5users`` file does not exist, - authorization fails. Otherwise, ``~target_user/.k5users`` file - must have an appropriate entry for target principal to get - authorized. - - The .k5users file format: - - A single principal entry on each line that may be followed by a - list of commands that the principal is authorized to execute. A - principal name followed by a ``*`` means that the user is - authorized to execute any command. Thus, in the following - example:: - - jqpublic@USC.EDU ls mail /local/kerberos/klist - jqpublic/secure@USC.EDU * - jqpublic/admin@USC.EDU - - ``jqpublic@USC.EDU`` is only authorized to execute ``ls``, - ``mail`` and ``klist`` commands. ``jqpublic/secure@USC.EDU`` is - authorized to execute any command. ``jqpublic/admin@USC.EDU`` is - not authorized to execute any command. Note, that - ``jqpublic/admin@USC.EDU`` is authorized to execute the target - shell (regular ksu, without the **-e** option) but - ``jqpublic@USC.EDU`` is not. - - The commands listed after the principal name must be either a full - path names or just the program name. In the second case, - **CMD_PATH** specifying the location of authorized programs must - be defined at the compilation time of ksu. Which command gets - executed? 
- - If the source user is root or the target user is the source user - or the user is authorized to execute any command (``*`` entry) - then command can be either a full or a relative path leading to - the target program. Otherwise, the user must specify either a - full path or just the program name. - -**-a** *args* - Specify arguments to be passed to the target shell. Note that all - flags and parameters following -a will be passed to the shell, - thus all options intended for ksu must precede **-a**. - - The **-a** option can be used to simulate the **-e** option if - used as follows:: - - -a -c [command [arguments]]. - - **-c** is interpreted by the c-shell to execute the command. - - -INSTALLATION INSTRUCTIONS -------------------------- - -ksu can be compiled with the following four flags: - -**GET_TGT_VIA_PASSWD** - In case no appropriate tickets are found in the source cache, the - user will be prompted for a Kerberos password. The password is - then used to get a ticket granting ticket from the Kerberos - server. The danger of configuring ksu with this macro is if the - source user is logged in remotely and does not have a secure - channel, the password may get exposed. - -**PRINC_LOOK_AHEAD** - During the resolution of the default principal name, - **PRINC_LOOK_AHEAD** enables ksu to find principal names in - the .k5users file as described in the OPTIONS section - (see **-n** option). - -**CMD_PATH** - Specifies a list of directories containing programs that users are - authorized to execute (via .k5users file). - -**HAVE_GETUSERSHELL** - If the source user is non-root, ksu insists that the target user's - shell to be invoked is a "legal shell". *getusershell(3)* is - called to obtain the names of "legal shells". Note that the - target user's shell is obtained from the passwd file. 
- -Sample configuration:: - - KSU_OPTS = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin" - -ksu should be owned by root and have the set user id bit turned on. - -ksu attempts to get a ticket for the end server just as Kerberized -telnet and rlogin. Thus, there must be an entry for the server in the -Kerberos database (e.g., ``host/nii.isi.edu@ISI.EDU``). The keytab -file must be in an appropriate location. - - -SIDE EFFECTS ------------- - -ksu deletes all expired tickets from the source cache. - - -AUTHOR OF KSU -------------- - -GENNADY (ARI) MEDVINSKY - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -SEE ALSO --------- - -:ref:`kerberos(7)`, :ref:`kinit(1)` diff --git a/crypto/krb5/doc/user/user_commands/kswitch.rst b/crypto/krb5/doc/user/user_commands/kswitch.rst deleted file mode 100644 index 010332e6ac7b..000000000000 --- a/crypto/krb5/doc/user/user_commands/kswitch.rst +++ /dev/null @@ -1,50 +0,0 @@ -.. _kswitch(1): - -kswitch -======= - -SYNOPSIS --------- - -**kswitch** -{**-c** *cachename*\|\ **-p** *principal*} - - -DESCRIPTION ------------ - -kswitch makes the specified credential cache the primary cache for the -collection, if a cache collection is available. - - -OPTIONS -------- - -**-c** *cachename* - Directly specifies the credential cache to be made primary. - -**-p** *principal* - Causes the cache collection to be searched for a cache containing - credentials for *principal*. If one is found, that collection is - made primary. - - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -FILES ------ - -|ccache| - Default location of Kerberos 5 credentials cache - - -SEE ALSO --------- - -:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`klist(1)`, -:ref:`kerberos(7)` 
diff --git a/crypto/krb5/doc/user/user_commands/kvno.rst b/crypto/krb5/doc/user/user_commands/kvno.rst deleted file mode 100644 index 970fbb47759e..000000000000 --- a/crypto/krb5/doc/user/user_commands/kvno.rst +++ /dev/null 
@@ -1,119 +0,0 @@ -.. _kvno(1): - -kvno -==== - -SYNOPSIS --------- - -**kvno** -[**-c** *ccache*] -[**-e** *etype*] -[**-k** *keytab*] -[**-q**] -[**-u** | **-S** *sname*] -[**-P**] -[**--cached-only**] -[**--no-store**] -[**--out-cache** *cache*] -[[{**-F** *cert_file* | {**-I** | **-U**} *for_user*} [**-P**]] | **--u2u** *ccache*] -*service1 service2* ... - - -DESCRIPTION ------------ - -kvno acquires a service ticket for the specified Kerberos principals -and prints out the key version numbers of each. - - -OPTIONS -------- - -**-c** *ccache* - Specifies the name of a credentials cache to use (if not the - default) - -**-e** *etype* - Specifies the enctype which will be requested for the session key - of all the services named on the command line. This is useful in - certain backward compatibility situations. - -**-k** *keytab* - Decrypt the acquired tickets using *keytab* to confirm their - validity. - -**-q** - Suppress printing output when successful. If a service ticket - cannot be obtained, an error message will still be printed and - kvno will exit with nonzero status. - -**-u** - Use the unknown name type in requested service principal names. - This option Cannot be used with *-S*. - -**-P** - Specifies that the *service1 service2* ... arguments are to be - treated as services for which credentials should be acquired using - constrained delegation. This option is only valid when used in - conjunction with protocol transition. - -**-S** *sname* - Specifies that the *service1 service2* ... arguments are - interpreted as hostnames, and the service principals are to be - constructed from those hostnames and the service name *sname*. - The service hostnames will be canonicalized according to the usual - rules for constructing service principals. - -**-I** *for_user* - Specifies that protocol transition (S4U2Self) is to be used to - acquire a ticket on behalf of *for_user*. 
If constrained - delegation is not requested, the service name must match the - credentials cache client principal. - -**-U** *for_user* - Same as -I, but treats *for_user* as an enterprise name. - -**-F** *cert_file* - Specifies that protocol transition is to be used, identifying the - client principal with the X.509 certificate in *cert_file*. The - certificate file must be in PEM format. - -**--cached-only** - Only retrieve credentials already present in the cache, not from - the KDC. (Added in release 1.19.) - -**--no-store** - Do not store retrieved credentials in the cache. If - **--out-cache** is also specified, credentials will still be - stored into the output credential cache. (Added in release 1.19.) - -**--out-cache** *ccache* - Initialize *ccache* and store all retrieved credentials into it. - Do not store acquired credentials in the input cache. (Added in - release 1.19.) - -**--u2u** *ccache* - Requests a user-to-user ticket. *ccache* must contain a local - krbtgt ticket for the server principal. The reported version - number will typically be 0, as the resulting ticket is not - encrypted in the server's long-term key. - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -FILES ------ - -|ccache| - Default location of the credentials cache - - -SEE ALSO --------- - -:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` diff --git a/crypto/krb5/doc/user/user_commands/sclient.rst b/crypto/krb5/doc/user/user_commands/sclient.rst deleted file mode 100644 index 1e3d38f82d32..000000000000 --- a/crypto/krb5/doc/user/user_commands/sclient.rst +++ /dev/null 
@@ -1,30 +0,0 @@ -.. _sclient(1): - -sclient -======= - -SYNOPSIS --------- - -**sclient** *remotehost* - - -DESCRIPTION ------------ - -sclient is a sample application, primarily useful for testing -purposes. It contacts a sample server :ref:`sserver(8)` and -authenticates to it using Kerberos version 5 tickets, then displays -the server's response. - -ENVIRONMENT ------------ - -See :ref:`kerberos(7)` for a description of Kerberos environment -variables. - - -SEE ALSO --------- - -:ref:`kinit(1)`, :ref:`sserver(8)`, :ref:`kerberos(7)` |
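Review bot: the ksu.rst hunk removes the only text in this tree that covers the `.k5users` authorization rules (a per-principal command list, `*` meaning any command, a bare principal meaning shell-only), the setuid requirement ("ksu should be owned by root and have the set user id bit turned on") and the `GET_TGT_VIA_PASSWD` warning that a remotely logged-in source user without a secure channel may expose the password. Those are operator-facing security constraints, not reference trivia; if ksu is still built and installed from this tree, the commit message should say where that guidance now lives (upstream doc URL or man page), or ksu.rst should stay until a replacement exists. Anyone resurrecting the file should also fix the unbalanced quote in the deleted sample line `-DCMD_PATH='"/bin /usr/ucb /local/bin"` rather than copy it verbatim.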
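Review bot: the kvno.rst hunk drops the documentation for the S4U2Self/constrained-delegation options (`-I`, `-U`, `-F`, `-P`, `--u2u`) and the 1.19 cache-handling options (`--cached-only`, `--no-store`, `--out-cache`), including the two constraints an operator needs before using the delegation flags: that `-P` "is only valid when used in conjunction with protocol transition" and that without constrained delegation "the service name must match the credentials cache client principal". If a kvno binary still ships from this tree, point in the commit message to where these constraints are now documented; otherwise the deletion silently removes them.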
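Review bot: the sclient.rst hunk deletes the Sphinx anchor `.. _sclient(1):`, and the kswitch.rst and kvno.rst hunks likewise delete `.. _kswitch(1):` and `.. _kvno(1):`, while the deleted pages themselves show how these labels are cross-referenced from siblings (kswitch.rst's SEE ALSO uses `:ref:`kinit(1)``, `:ref:`kdestroy(1)``, `:ref:`klist(1)`` and `:ref:`kerberos(7)``). Please confirm that no remaining `.rst` under crypto/krb5/doc still references `:ref:`sclient(1)``, `:ref:`kswitch(1)`` or `:ref:`kvno(1)``; any that does will produce undefined-label warnings in the Sphinx build, and a one-line grep result in the commit message would settle it.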