Diffstat (limited to 'doc/pdf/user.tex')
-rw-r--r-- | doc/pdf/user.tex | 1923 |
1 files changed, 0 insertions, 1923 deletions
diff --git a/doc/pdf/user.tex b/doc/pdf/user.tex
deleted file mode 100644
index 15bd75167e60..000000000000
--- a/doc/pdf/user.tex
+++ /dev/null
@@ -1,1923 +0,0 @@ -% Generated by Sphinx. -\def\sphinxdocclass{report} -\documentclass[letterpaper,10pt,english]{sphinxmanual} -\usepackage[utf8]{inputenc} -\DeclareUnicodeCharacter{00A0}{\nobreakspace} -\usepackage{cmap} -\usepackage[T1]{fontenc} -\usepackage{babel} -\usepackage{times} -\usepackage[Bjarne]{fncychap} -\usepackage{longtable} -\usepackage{sphinx} -\usepackage{multirow} - - -\title{Kerberos User Guide} -\date{ } -\release{1.16} -\author{MIT} -\newcommand{\sphinxlogo}{} -\renewcommand{\releasename}{Release} -\makeindex - -\makeatletter -\def\PYG@reset{\let\PYG@it=\relax \let\PYG@bf=\relax% - \let\PYG@ul=\relax \let\PYG@tc=\relax% - \let\PYG@bc=\relax \let\PYG@ff=\relax} -\def\PYG@tok#1{\csname PYG@tok@#1\endcsname} -\def\PYG@toks#1+{\ifx\relax#1\empty\else% - \PYG@tok{#1}\expandafter\PYG@toks\fi} -\def\PYG@do#1{\PYG@bc{\PYG@tc{\PYG@ul{% - \PYG@it{\PYG@bf{\PYG@ff{#1}}}}}}} -\def\PYG#1#2{\PYG@reset\PYG@toks#1+\relax+\PYG@do{#2}} - -\expandafter\def\csname PYG@tok@gd\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.63,0.00,0.00}{##1}}} -\expandafter\def\csname PYG@tok@gu\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.50,0.00,0.50}{##1}}} -\expandafter\def\csname PYG@tok@gt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.27,0.87}{##1}}} -\expandafter\def\csname PYG@tok@gs\endcsname{\let\PYG@bf=\textbf} -\expandafter\def\csname PYG@tok@gr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{1.00,0.00,0.00}{##1}}} -\expandafter\def\csname PYG@tok@cm\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} -\expandafter\def\csname PYG@tok@vg\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@m\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@mh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname 
PYG@tok@cs\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\colorbox[rgb]{1.00,0.94,0.94}{\strut ##1}}} -\expandafter\def\csname PYG@tok@ge\endcsname{\let\PYG@it=\textit} -\expandafter\def\csname PYG@tok@vc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@il\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@go\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.20,0.20,0.20}{##1}}} -\expandafter\def\csname PYG@tok@cp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@gi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.63,0.00}{##1}}} -\expandafter\def\csname PYG@tok@gh\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.00,0.50}{##1}}} -\expandafter\def\csname PYG@tok@ni\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.84,0.33,0.22}{##1}}} -\expandafter\def\csname PYG@tok@nl\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.13,0.44}{##1}}} -\expandafter\def\csname PYG@tok@nn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} -\expandafter\def\csname PYG@tok@no\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.38,0.68,0.84}{##1}}} -\expandafter\def\csname PYG@tok@na\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@nb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@nc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} -\expandafter\def\csname PYG@tok@nd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.33,0.33,0.33}{##1}}} -\expandafter\def\csname PYG@tok@ne\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@nf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.49}{##1}}} -\expandafter\def\csname 
PYG@tok@si\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.44,0.63,0.82}{##1}}} -\expandafter\def\csname PYG@tok@s2\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@vi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@nt\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.45}{##1}}} -\expandafter\def\csname PYG@tok@nv\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@s1\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@gp\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} -\expandafter\def\csname PYG@tok@sh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@ow\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@sx\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} -\expandafter\def\csname PYG@tok@bp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@c1\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} -\expandafter\def\csname PYG@tok@kc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@c\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} -\expandafter\def\csname PYG@tok@mf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@err\endcsname{\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\fcolorbox[rgb]{1.00,0.00,0.00}{1,1,1}{\strut ##1}}} -\expandafter\def\csname PYG@tok@kd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@ss\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.32,0.47,0.09}{##1}}} -\expandafter\def\csname 
PYG@tok@sr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.14,0.33,0.53}{##1}}} -\expandafter\def\csname PYG@tok@mo\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@mi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@kn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@o\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.40,0.40,0.40}{##1}}} -\expandafter\def\csname PYG@tok@kr\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@s\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@kp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@w\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.73,0.73}{##1}}} -\expandafter\def\csname PYG@tok@kt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.56,0.13,0.00}{##1}}} -\expandafter\def\csname PYG@tok@sc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@sb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@k\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@se\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@sd\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} - -\def\PYGZbs{\char`\\} -\def\PYGZus{\char`\_} -\def\PYGZob{\char`\{} -\def\PYGZcb{\char`\}} -\def\PYGZca{\char`\^} -\def\PYGZam{\char`\&} -\def\PYGZlt{\char`\<} -\def\PYGZgt{\char`\>} -\def\PYGZsh{\char`\#} -\def\PYGZpc{\char`\%} -\def\PYGZdl{\char`\$} -\def\PYGZhy{\char`\-} -\def\PYGZsq{\char`\'} -\def\PYGZdq{\char`\"} -\def\PYGZti{\char`\~} -% for compatibility with earlier versions -\def\PYGZat{@} -\def\PYGZlb{[} 
-\def\PYGZrb{]} -\makeatother - -\begin{document} - -\maketitle -\tableofcontents -\phantomsection\label{user/index::doc} - - - -\chapter{Password management} -\label{user/pwd_mgmt:for-users}\label{user/pwd_mgmt::doc}\label{user/pwd_mgmt:password-management} -Your password is the only way Kerberos has of verifying your identity. -If someone finds out your password, that person can masquerade as -you---send email that comes from you, read, edit, or delete your files, -or log into other hosts as you---and no one will be able to tell the -difference. For this reason, it is important that you choose a good -password, and keep it secret. If you need to give access to your -account to someone else, you can do so through Kerberos (see -{\hyperref[user/pwd_mgmt:grant-access]{\emph{Granting access to your account}}}). You should never tell your password to anyone, -including your system administrator, for any reason. You should -change your password frequently, particularly any time you think -someone may have found out what it is. - - -\section{Changing your password} -\label{user/pwd_mgmt:changing-your-password} -To change your Kerberos password, use the {\hyperref[user/user_commands/kpasswd:kpasswd-1]{\emph{kpasswd}}} command. -It will ask you for your old password (to prevent someone else from -walking up to your computer when you're not there and changing your -password), and then prompt you for the new one twice. (The reason you -have to type it twice is to make sure you have typed it correctly.) -For example, user \code{david} would do the following: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kpasswd -Password for david: \PYGZlt{}\PYGZhy{} Type your old password. -Enter new password: \PYGZlt{}\PYGZhy{} Type your new password. -Enter it again: \PYGZlt{}\PYGZhy{} Type the new password again. -Password changed. 
-shell\PYGZpc{} -\end{Verbatim} - -If \code{david} typed the incorrect old password, he would get the -following message: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kpasswd -Password for david: \PYGZlt{}\PYGZhy{} Type the incorrect old password. -kpasswd: Password incorrect while getting initial ticket -shell\PYGZpc{} -\end{Verbatim} - -If you make a mistake and don't type the new password the same way -twice, kpasswd will ask you to try again: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kpasswd -Password for david: \PYGZlt{}\PYGZhy{} Type the old password. -Enter new password: \PYGZlt{}\PYGZhy{} Type the new password. -Enter it again: \PYGZlt{}\PYGZhy{} Type a different new password. -kpasswd: Password mismatch while reading password -shell\PYGZpc{} -\end{Verbatim} - -Once you change your password, it takes some time for the change to -propagate through the system. Depending on how your system is set up, -this might be anywhere from a few minutes to an hour or more. If you -need to get new Kerberos tickets shortly after changing your password, -try the new password. If the new password doesn't work, try again -using the old one. - - -\section{Granting access to your account} -\label{user/pwd_mgmt:grant-access}\label{user/pwd_mgmt:granting-access-to-your-account} -If you need to give someone access to log into your account, you can -do so through Kerberos, without telling the person your password. -Simply create a file called {\hyperref[user/user_config/k5login:k5login-5]{\emph{.k5login}}} in your home directory. -This file should contain the Kerberos principal of each person to whom -you wish to give access. Each principal must be on a separate line. -Here is a sample .k5login file: - -\begin{Verbatim}[commandchars=\\\{\}] -jennifer@ATHENA.MIT.EDU -david@EXAMPLE.COM -\end{Verbatim} - -This file would allow the users \code{jennifer} and \code{david} to use your -user ID, provided that they had Kerberos tickets in their respective -realms. 
If you will be logging into other hosts across a network, you -will want to include your own Kerberos principal in your .k5login file -on each of these hosts. - -Using a .k5login file is much safer than giving out your password, -because: -\begin{itemize} -\item {} -You can take access away any time simply by removing the principal -from your .k5login file. - -\item {} -Although the user has full access to your account on one particular -host (or set of hosts if your .k5login file is shared, e.g., over -NFS), that user does not inherit your network privileges. - -\item {} -Kerberos keeps a log of who obtains tickets, so a system -administrator could find out, if necessary, who was capable of using -your user ID at a particular time. - -\end{itemize} - -One common application is to have a .k5login file in root's home -directory, giving root access to that machine to the Kerberos -principals listed. This allows system administrators to allow users -to become root locally, or to log in remotely as root, without their -having to give out the root password, and without anyone having to -type the root password over the network. - - -\section{Password quality verification} -\label{user/pwd_mgmt:password-quality-verification} -TODO - - -\chapter{Ticket management} -\label{user/tkt_mgmt:ticket-management}\label{user/tkt_mgmt::doc} -On many systems, Kerberos is built into the login program, and you get -tickets automatically when you log in. Other programs, such as ssh, -can forward copies of your tickets to a remote host. Most of these -programs also automatically destroy your tickets when they exit. -However, MIT recommends that you explicitly destroy your Kerberos -tickets when you are through with them, just to be sure. One way to -help ensure that this happens is to add the {\hyperref[user/user_commands/kdestroy:kdestroy-1]{\emph{kdestroy}}} command -to your .logout file. 
Additionally, if you are going to be away from -your machine and are concerned about an intruder using your -permissions, it is safest to either destroy all copies of your -tickets, or use a screensaver that locks the screen. - - -\section{Kerberos ticket properties} -\label{user/tkt_mgmt:kerberos-ticket-properties} -There are various properties that Kerberos tickets can have: - -If a ticket is \textbf{forwardable}, then the KDC can issue a new ticket -(with a different network address, if necessary) based on the -forwardable ticket. This allows for authentication forwarding without -requiring a password to be typed in again. For example, if a user -with a forwardable TGT logs into a remote system, the KDC could issue -a new TGT for that user with the network address of the remote system, -allowing authentication on that host to work as though the user were -logged in locally. - -When the KDC creates a new ticket based on a forwardable ticket, it -sets the \textbf{forwarded} flag on that new ticket. Any tickets that are -created based on a ticket with the forwarded flag set will also have -their forwarded flags set. - -A \textbf{proxiable} ticket is similar to a forwardable ticket in that it -allows a service to take on the identity of the client. Unlike a -forwardable ticket, however, a proxiable ticket is only issued for -specific services. In other words, a ticket-granting ticket cannot be -issued based on a ticket that is proxiable but not forwardable. - -A \textbf{proxy} ticket is one that was issued based on a proxiable ticket. - -A \textbf{postdated} ticket is issued with the invalid flag set. After the -starting time listed on the ticket, it can be presented to the KDC to -obtain valid tickets. - -Ticket-granting tickets with the \textbf{postdateable} flag set can be used -to obtain postdated service tickets. - -\textbf{Renewable} tickets can be used to obtain new session keys without -the user entering their password again. 
A renewable ticket has two -expiration times. The first is the time at which this particular -ticket expires. The second is the latest possible expiration time for -any ticket issued based on this renewable ticket. - -A ticket with the \textbf{initial flag} set was issued based on the -authentication protocol, and not on a ticket-granting ticket. -Application servers that wish to ensure that the user's key has been -recently presented for verification could specify that this flag must -be set to accept the ticket. - -An \textbf{invalid} ticket must be rejected by application servers. -Postdated tickets are usually issued with this flag set, and must be -validated by the KDC before they can be used. - -A \textbf{preauthenticated} ticket is one that was only issued after the -client requesting the ticket had authenticated itself to the KDC. - -The \textbf{hardware authentication} flag is set on a ticket which required -the use of hardware for authentication. The hardware is expected to -be possessed only by the client which requested the tickets. - -If a ticket has the \textbf{transit policy} checked flag set, then the KDC -that issued this ticket implements the transited-realm check policy -and checked the transited-realms list on the ticket. The -transited-realms list contains a list of all intermediate realms -between the realm of the KDC that issued the first ticket and that of -the one that issued the current ticket. If this flag is not set, then -the application server must check the transited realms itself or else -reject the ticket. - -The \textbf{okay as delegate} flag indicates that the server specified in -the ticket is suitable as a delegate as determined by the policy of -that realm. Some client applications may use this flag to decide -whether to forward tickets to a remote host, although many -applications do not honor it. 
- -An \textbf{anonymous} ticket is one in which the named principal is a -generic principal for that realm; it does not actually specify the -individual that will be using the ticket. This ticket is meant only -to securely distribute a session key. - - -\section{Obtaining tickets with kinit} -\label{user/tkt_mgmt:obtaining-tickets-with-kinit}\label{user/tkt_mgmt:obtain-tkt} -If your site has integrated Kerberos V5 with the login system, you -will get Kerberos tickets automatically when you log in. Otherwise, -you may need to explicitly obtain your Kerberos tickets, using the -{\hyperref[user/user_commands/kinit:kinit-1]{\emph{kinit}}} program. Similarly, if your Kerberos tickets expire, -use the kinit program to obtain new ones. - -To use the kinit program, simply type \code{kinit} and then type your -password at the prompt. For example, Jennifer (whose username is -\code{jennifer}) works for Bleep, Inc. (a fictitious company with the -domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU). She would -type: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kinit -Password for jennifer@ATHENA.MIT.EDU: \PYGZlt{}\PYGZhy{}\PYGZhy{} [Type jennifer\PYGZsq{}s password here.] -shell\PYGZpc{} -\end{Verbatim} - -If you type your password incorrectly, kinit will give you the -following error message: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kinit -Password for jennifer@ATHENA.MIT.EDU: \PYGZlt{}\PYGZhy{}\PYGZhy{} [Type the wrong password here.] -kinit: Password incorrect -shell\PYGZpc{} -\end{Verbatim} - -and you won't get Kerberos tickets. - -By default, kinit assumes you want tickets for your own username in -your default realm. Suppose Jennifer's friend David is visiting, and -he wants to borrow a window to check his mail. David needs to get -tickets for himself in his own realm, EXAMPLE.COM. 
He would type: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kinit david@EXAMPLE.COM -Password for david@EXAMPLE.COM: \PYGZlt{}\PYGZhy{}\PYGZhy{} [Type david\PYGZsq{}s password here.] -shell\PYGZpc{} -\end{Verbatim} - -David would then have tickets which he could use to log onto his own -machine. Note that he typed his password locally on Jennifer's -machine, but it never went over the network. Kerberos on the local -host performed the authentication to the KDC in the other realm. - -If you want to be able to forward your tickets to another host, you -need to request forwardable tickets. You do this by specifying the -\textbf{-f} option: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kinit \PYGZhy{}f -Password for jennifer@ATHENA.MIT.EDU: \PYGZlt{}\PYGZhy{}\PYGZhy{} [Type your password here.] -shell\PYGZpc{} -\end{Verbatim} - -Note that kinit does not tell you that it obtained forwardable -tickets; you can verify this using the {\hyperref[user/user_commands/klist:klist-1]{\emph{klist}}} command (see -{\hyperref[user/tkt_mgmt:view-tkt]{\emph{Viewing tickets with klist}}}). - -Normally, your tickets are good for your system's default ticket -lifetime, which is ten hours on many systems. You can specify a -different ticket lifetime with the \textbf{-l} option. Add the letter -\textbf{s} to the value for seconds, \textbf{m} for minutes, \textbf{h} for hours, or -\textbf{d} for days. For example, to obtain forwardable tickets for -\code{david@EXAMPLE.COM} that would be good for three hours, you would -type: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kinit \PYGZhy{}f \PYGZhy{}l 3h david@EXAMPLE.COM -Password for david@EXAMPLE.COM: \PYGZlt{}\PYGZhy{}\PYGZhy{} [Type david\PYGZsq{}s password here.] -shell\PYGZpc{} -\end{Verbatim} - -\begin{notice}{note}{Note:} -You cannot mix units; specifying a lifetime of 3h30m would -result in an error. Note also that most systems specify a -maximum ticket lifetime. 
If you request a longer ticket -lifetime, it will be automatically truncated to the maximum -lifetime. -\end{notice} - - -\section{Viewing tickets with klist} -\label{user/tkt_mgmt:viewing-tickets-with-klist}\label{user/tkt_mgmt:view-tkt} -The {\hyperref[user/user_commands/klist:klist-1]{\emph{klist}}} command shows your tickets. When you first obtain -tickets, you will have only the ticket-granting ticket. The listing -would look like this: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} klist -Ticket cache: /tmp/krb5cc\PYGZus{}ttypa -Default principal: jennifer@ATHENA.MIT.EDU - -Valid starting Expires Service principal -06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU -shell\PYGZpc{} -\end{Verbatim} - -The ticket cache is the location of your ticket file. In the above -example, this file is named \code{/tmp/krb5cc\_ttypa}. The default -principal is your Kerberos principal. - -The ``valid starting'' and ``expires'' fields describe the period of time -during which the ticket is valid. The ``service principal'' describes -each ticket. The ticket-granting ticket has a first component -\code{krbtgt}, and a second component which is the realm name. - -Now, if \code{jennifer} connected to the machine \code{daffodil.mit.edu}, -and then typed ``klist'' again, she would have gotten the following -result: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} klist -Ticket cache: /tmp/krb5cc\PYGZus{}ttypa -Default principal: jennifer@ATHENA.MIT.EDU - -Valid starting Expires Service principal -06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU -06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU -shell\PYGZpc{} -\end{Verbatim} - -Here's what happened: when \code{jennifer} used ssh to connect to the -host \code{daffodil.mit.edu}, the ssh program presented her -ticket-granting ticket to the KDC and requested a host ticket for the -host \code{daffodil.mit.edu}. 
The KDC sent the host ticket, which ssh -then presented to the host \code{daffodil.mit.edu}, and she was allowed -to log in without typing her password. - -Suppose your Kerberos tickets allow you to log into a host in another -domain, such as \code{trillium.example.com}, which is also in another -Kerberos realm, \code{EXAMPLE.COM}. If you ssh to this host, you will -receive a ticket-granting ticket for the realm \code{EXAMPLE.COM}, plus -the new host ticket for \code{trillium.example.com}. klist will now -show: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} klist -Ticket cache: /tmp/krb5cc\PYGZus{}ttypa -Default principal: jennifer@ATHENA.MIT.EDU - -Valid starting Expires Service principal -06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU -06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU -06/07/04 20:24:18 06/08/04 05:49:19 krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU -06/07/04 20:24:18 06/08/04 05:49:19 host/trillium.example.com@EXAMPLE.COM -shell\PYGZpc{} -\end{Verbatim} - -Depending on your host's and realm's configuration, you may also see a -ticket with the service principal \code{host/trillium.example.com@}. If -so, this means that your host did not know what realm -trillium.example.com is in, so it asked the \code{ATHENA.MIT.EDU} KDC for -a referral. The next time you connect to \code{trillium.example.com}, -the odd-looking entry will be used to avoid needing to ask for a -referral again. - -You can use the \textbf{-f} option to view the flags that apply to your -tickets. 
The flags are: - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -F - & -Forwardable -\\ -\hline -f - & -forwarded -\\ -\hline -P - & -Proxiable -\\ -\hline -p - & -proxy -\\ -\hline -D - & -postDateable -\\ -\hline -d - & -postdated -\\ -\hline -R - & -Renewable -\\ -\hline -I - & -Initial -\\ -\hline -i - & -invalid -\\ -\hline -H - & -Hardware authenticated -\\ -\hline -A - & -preAuthenticated -\\ -\hline -T - & -Transit policy checked -\\ -\hline -O - & -Okay as delegate -\\ -\hline -a - & -anonymous -\\ -\hline\end{tabulary} - - -Here is a sample listing. In this example, the user \emph{jennifer} -obtained her initial tickets (\textbf{I}), which are forwardable (\textbf{F}) -and postdated (\textbf{d}) but not yet validated (\textbf{i}): - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} klist \PYGZhy{}f -Ticket cache: /tmp/krb5cc\PYGZus{}320 -Default principal: jennifer@ATHENA.MIT.EDU - -Valid starting Expires Service principal -31/07/05 19:06:25 31/07/05 19:16:25 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU - Flags: FdiI -shell\PYGZpc{} -\end{Verbatim} - -In the following example, the user \emph{david}`s tickets were forwarded -(\textbf{f}) to this host from another host. The tickets are reforwardable -(\textbf{F}): - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} klist \PYGZhy{}f -Ticket cache: /tmp/krb5cc\PYGZus{}p11795 -Default principal: david@EXAMPLE.COM - -Valid starting Expires Service principal -07/31/05 11:52:29 07/31/05 21:11:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM - Flags: Ff -07/31/05 12:03:48 07/31/05 21:11:23 host/trillium.example.com@EXAMPLE.COM - Flags: Ff -shell\PYGZpc{} -\end{Verbatim} - - -\section{Destroying tickets with kdestroy} -\label{user/tkt_mgmt:destroying-tickets-with-kdestroy} -Your Kerberos tickets are proof that you are indeed yourself, and -tickets could be stolen if someone gains access to a computer where -they are stored. If this happens, the person who has them can -masquerade as you until they expire. 
For this reason, you should -destroy your Kerberos tickets when you are away from your computer. - -Destroying your tickets is easy. Simply type kdestroy: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kdestroy -shell\PYGZpc{} -\end{Verbatim} - -If {\hyperref[user/user_commands/kdestroy:kdestroy-1]{\emph{kdestroy}}} fails to destroy your tickets, it will beep and -give an error message. For example, if kdestroy can't find any -tickets to destroy, it will give the following message: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kdestroy -kdestroy: No credentials cache file found while destroying cache -shell\PYGZpc{} -\end{Verbatim} - - -\chapter{User config files} -\label{user/user_config/index::doc}\label{user/user_config/index:user-config-files} -The following files in your home directory can be used to control the -behavior of Kerberos as it applies to your account (unless they have -been disabled by your host's configuration): - - -\section{.k5login} -\label{user/user_config/k5login:k5login-5}\label{user/user_config/k5login:k5login}\label{user/user_config/k5login::doc} - -\subsection{DESCRIPTION} -\label{user/user_config/k5login:description} -The .k5login file, which resides in a user's home directory, contains -a list of the Kerberos principals. Anyone with valid tickets for a -principal in the file is allowed host access with the UID of the user -in whose home directory the file resides. One common use is to place -a .k5login file in root's home directory, thereby granting system -administrators remote root access to the host via Kerberos. 
- - -\subsection{EXAMPLES} -\label{user/user_config/k5login:examples} -Suppose the user \code{alice} had a .k5login file in her home directory -containing just the following line: - -\begin{Verbatim}[commandchars=\\\{\}] -bob@FOOBAR.ORG -\end{Verbatim} - -This would allow \code{bob} to use Kerberos network applications, such as -ssh(1), to access \code{alice}`s account, using \code{bob}`s Kerberos -tickets. In a default configuration (with \textbf{k5login\_authoritative} set -to true in \emph{krb5.conf(5)}), this .k5login file would not let -\code{alice} use those network applications to access her account, since -she is not listed! With no .k5login file, or with \textbf{k5login\_authoritative} -set to false, a default rule would permit the principal \code{alice} in the -machine's default realm to access the \code{alice} account. - -Let us further suppose that \code{alice} is a system administrator. -Alice and the other system administrators would have their principals -in root's .k5login file on each host: - -\begin{Verbatim}[commandchars=\\\{\}] -alice@BLEEP.COM - -joeadmin/root@BLEEP.COM -\end{Verbatim} - -This would allow either system administrator to log in to these hosts -using their Kerberos tickets instead of having to type the root -password. Note that because \code{bob} retains the Kerberos tickets for -his own principal, \code{bob@FOOBAR.ORG}, he would not have any of the -privileges that require \code{alice}`s tickets, such as root access to -any of the site's hosts, or the ability to change \code{alice}`s -password. 
- - -\subsection{SEE ALSO} -\label{user/user_config/k5login:see-also} -kerberos(1) - - -\section{.k5identity} -\label{user/user_config/k5identity:k5identity-5}\label{user/user_config/k5identity:k5identity}\label{user/user_config/k5identity::doc} - -\subsection{DESCRIPTION} -\label{user/user_config/k5identity:description} -The .k5identity file, which resides in a user's home directory, -contains a list of rules for selecting a client principals based on -the server being accessed. These rules are used to choose a -credential cache within the cache collection when possible. - -Blank lines and lines beginning with \code{\#} are ignored. Each line has -the form: -\begin{quote} - -\emph{principal} \emph{field}=\emph{value} ... -\end{quote} - -If the server principal meets all of the field constraints, then -principal is chosen as the client principal. The following fields are -recognized: -\begin{description} -\item[{\textbf{realm}}] \leavevmode -If the realm of the server principal is known, it is matched -against \emph{value}, which may be a pattern using shell wildcards. -For host-based server principals, the realm will generally only be -known if there is a \emph{domain\_realm} section in -\emph{krb5.conf(5)} with a mapping for the hostname. - -\item[{\textbf{service}}] \leavevmode -If the server principal is a host-based principal, its service -component is matched against \emph{value}, which may be a pattern using -shell wildcards. - -\item[{\textbf{host}}] \leavevmode -If the server principal is a host-based principal, its hostname -component is converted to lower case and matched against \emph{value}, -which may be a pattern using shell wildcards. - -If the server principal matches the constraints of multiple lines -in the .k5identity file, the principal from the first matching -line is used. If no line matches, credentials will be selected -some other way, such as the realm heuristic or the current primary -cache. 
- -\end{description} - - -\subsection{EXAMPLE} -\label{user/user_config/k5identity:example} -The following example .k5identity file selects the client principal -\code{alice@KRBTEST.COM} if the server principal is within that realm, -the principal \code{alice/root@EXAMPLE.COM} if the server host is within -a servers subdomain, and the principal \code{alice/mail@EXAMPLE.COM} when -accessing the IMAP service on \code{mail.example.com}: - -\begin{Verbatim}[commandchars=\\\{\}] -alice@KRBTEST.COM realm=KRBTEST.COM -alice/root@EXAMPLE.COM host=*.servers.example.com -alice/mail@EXAMPLE.COM host=mail.example.com service=imap -\end{Verbatim} - - -\subsection{SEE ALSO} -\label{user/user_config/k5identity:see-also} -kerberos(1), \emph{krb5.conf(5)} - - -\chapter{User commands} -\label{user/user_commands/index::doc}\label{user/user_commands/index:user-commands}\label{user/user_commands/index:id1} - -\section{kdestroy} -\label{user/user_commands/kdestroy:kdestroy}\label{user/user_commands/kdestroy::doc}\label{user/user_commands/kdestroy:kdestroy-1} - -\subsection{SYNOPSIS} -\label{user/user_commands/kdestroy:synopsis} -\textbf{kdestroy} -{[}\textbf{-A}{]} -{[}\textbf{-q}{]} -{[}\textbf{-c} \emph{cache\_name}{]} - - -\subsection{DESCRIPTION} -\label{user/user_commands/kdestroy:description} -The kdestroy utility destroys the user's active Kerberos authorization -tickets by overwriting and deleting the credentials cache that -contains them. If the credentials cache is not specified, the default -credentials cache is destroyed. - - -\subsection{OPTIONS} -\label{user/user_commands/kdestroy:options}\begin{description} -\item[{\textbf{-A}}] \leavevmode -Destroys all caches in the collection, if a cache collection is -available. - -\item[{\textbf{-q}}] \leavevmode -Run quietly. Normally kdestroy beeps if it fails to destroy the -user's tickets. The \textbf{-q} flag suppresses this behavior. 
- -\item[{\textbf{-c} \emph{cache\_name}}] \leavevmode -Use \emph{cache\_name} as the credentials (ticket) cache name and -location; if this option is not used, the default cache name and -location are used. - -The default credentials cache may vary between systems. If the -\textbf{KRB5CCNAME} environment variable is set, its value is used to -name the default ticket cache. - -\end{description} - - -\subsection{NOTE} -\label{user/user_commands/kdestroy:note} -Most installations recommend that you place the kdestroy command in -your .logout file, so that your tickets are destroyed automatically -when you log out. - - -\subsection{ENVIRONMENT} -\label{user/user_commands/kdestroy:environment} -kdestroy uses the following environment variable: -\begin{description} -\item[{\textbf{KRB5CCNAME}}] \leavevmode -Location of the default Kerberos 5 credentials (ticket) cache, in -the form \emph{type}:\emph{residual}. If no \emph{type} prefix is present, the -\textbf{FILE} type is assumed. The type of the default cache may -determine the availability of a cache collection; for instance, a -default cache of type \textbf{DIR} causes caches within the directory -to be present in the collection. 
- -\end{description} - - -\subsection{FILES} -\label{user/user_commands/kdestroy:files}\begin{description} -\item[{\emph{DEFCCNAME}}] \leavevmode -Default location of Kerberos 5 credentials cache - -\end{description} - - -\subsection{SEE ALSO} -\label{user/user_commands/kdestroy:see-also} -{\hyperref[user/user_commands/kinit:kinit-1]{\emph{kinit}}}, {\hyperref[user/user_commands/klist:klist-1]{\emph{klist}}} - - -\section{kinit} -\label{user/user_commands/kinit:kinit-1}\label{user/user_commands/kinit:kinit}\label{user/user_commands/kinit::doc} - -\subsection{SYNOPSIS} -\label{user/user_commands/kinit:synopsis} -\textbf{kinit} -{[}\textbf{-V}{]} -{[}\textbf{-l} \emph{lifetime}{]} -{[}\textbf{-s} \emph{start\_time}{]} -{[}\textbf{-r} \emph{renewable\_life}{]} -{[}\textbf{-p} \textbar{} -\textbf{P}{]} -{[}\textbf{-f} \textbar{} -\textbf{F}{]} -{[}\textbf{-a}{]} -{[}\textbf{-A}{]} -{[}\textbf{-C}{]} -{[}\textbf{-E}{]} -{[}\textbf{-v}{]} -{[}\textbf{-R}{]} -{[}\textbf{-k} {[}-\textbf{t} \emph{keytab\_file}{]}{]} -{[}\textbf{-c} \emph{cache\_name}{]} -{[}\textbf{-n}{]} -{[}\textbf{-S} \emph{service\_name}{]} -{[}\textbf{-I} \emph{input\_ccache}{]} -{[}\textbf{-T} \emph{armor\_ccache}{]} -{[}\textbf{-X} \emph{attribute}{[}=\emph{value}{]}{]} -{[}\emph{principal}{]} - - -\subsection{DESCRIPTION} -\label{user/user_commands/kinit:description} -kinit obtains and caches an initial ticket-granting ticket for -\emph{principal}. If \emph{principal} is absent, kinit chooses an appropriate -principal name based on existing credential cache contents or the -local username of the user invoking kinit. Some options modify the -choice of principal name. - - -\subsection{OPTIONS} -\label{user/user_commands/kinit:options}\begin{description} -\item[{\textbf{-V}}] \leavevmode -display verbose output. - -\item[{\textbf{-l} \emph{lifetime}}] \leavevmode -(\emph{duration} string.) Requests a ticket with the lifetime -\emph{lifetime}. 
- -For example, \code{kinit -l 5:30} or \code{kinit -l 5h30m}. - -If the \textbf{-l} option is not specified, the default ticket lifetime -(configured by each site) is used. Specifying a ticket lifetime -longer than the maximum ticket lifetime (configured by each site) -will not override the configured maximum ticket lifetime. - -\item[{\textbf{-s} \emph{start\_time}}] \leavevmode -(\emph{duration} string.) Requests a postdated ticket. Postdated -tickets are issued with the \textbf{invalid} flag set, and need to be -resubmitted to the KDC for validation before use. - -\emph{start\_time} specifies the duration of the delay before the ticket -can become valid. - -\item[{\textbf{-r} \emph{renewable\_life}}] \leavevmode -(\emph{duration} string.) Requests renewable tickets, with a total -lifetime of \emph{renewable\_life}. - -\item[{\textbf{-f}}] \leavevmode -requests forwardable tickets. - -\item[{\textbf{-F}}] \leavevmode -requests non-forwardable tickets. - -\item[{\textbf{-p}}] \leavevmode -requests proxiable tickets. - -\item[{\textbf{-P}}] \leavevmode -requests non-proxiable tickets. - -\item[{\textbf{-a}}] \leavevmode -requests tickets restricted to the host's local address{[}es{]}. - -\item[{\textbf{-A}}] \leavevmode -requests tickets not restricted by address. - -\item[{\textbf{-C}}] \leavevmode -requests canonicalization of the principal name, and allows the -KDC to reply with a different client principal from the one -requested. - -\item[{\textbf{-E}}] \leavevmode -treats the principal name as an enterprise name (implies the -\textbf{-C} option). - -\item[{\textbf{-v}}] \leavevmode -requests that the ticket-granting ticket in the cache (with the -\textbf{invalid} flag set) be passed to the KDC for validation. If the -ticket is within its requested time range, the cache is replaced -with the validated ticket. - -\item[{\textbf{-R}}] \leavevmode -requests renewal of the ticket-granting ticket. 
Note that an -expired ticket cannot be renewed, even if the ticket is still -within its renewable life. - -Note that renewable tickets that have expired as reported by -{\hyperref[user/user_commands/klist:klist-1]{\emph{klist}}} may sometimes be renewed using this option, -because the KDC applies a grace period to account for client-KDC -clock skew. See \emph{krb5.conf(5)} \textbf{clockskew} setting. - -\item[{\textbf{-k} {[}\textbf{-i} \textbar{} \textbf{-t} \emph{keytab\_file}{]}}] \leavevmode -requests a ticket, obtained from a key in the local host's keytab. -The location of the keytab may be specified with the \textbf{-t} -\emph{keytab\_file} option, or with the \textbf{-i} option to specify the use -of the default client keytab; otherwise the default keytab will be -used. By default, a host ticket for the local host is requested, -but any principal may be specified. On a KDC, the special keytab -location \code{KDB:} can be used to indicate that kinit should open -the KDC database and look up the key directly. This permits an -administrator to obtain tickets as any principal that supports -authentication based on the key. - -\item[{\textbf{-n}}] \leavevmode -Requests anonymous processing. Two types of anonymous principals -are supported. - -For fully anonymous Kerberos, configure pkinit on the KDC and -configure \textbf{pkinit\_anchors} in the client's \emph{krb5.conf(5)}. -Then use the \textbf{-n} option with a principal of the form \code{@REALM} -(an empty principal name followed by the at-sign and a realm -name). If permitted by the KDC, an anonymous ticket will be -returned. - -A second form of anonymous tickets is supported; these -realm-exposed tickets hide the identity of the client but not the -client's realm. For this mode, use \code{kinit -n} with a normal -principal name. If supported by the KDC, the principal (but not -realm) will be replaced by the anonymous principal. 
- -As of release 1.8, the MIT Kerberos KDC only supports fully -anonymous operation. - -\end{description} - -\textbf{-I} \emph{input\_ccache} -\begin{quote} - -Specifies the name of a credentials cache that already contains a -ticket. When obtaining that ticket, if information about how that -ticket was obtained was also stored to the cache, that information -will be used to affect how new credentials are obtained, including -preselecting the same methods of authenticating to the KDC. -\end{quote} -\begin{description} -\item[{\textbf{-T} \emph{armor\_ccache}}] \leavevmode -Specifies the name of a credentials cache that already contains a -ticket. If supported by the KDC, this cache will be used to armor -the request, preventing offline dictionary attacks and allowing -the use of additional preauthentication mechanisms. Armoring also -makes sure that the response from the KDC is not modified in -transit. - -\item[{\textbf{-c} \emph{cache\_name}}] \leavevmode -use \emph{cache\_name} as the Kerberos 5 credentials (ticket) cache -location. If this option is not used, the default cache location -is used. - -The default cache location may vary between systems. If the -\textbf{KRB5CCNAME} environment variable is set, its value is used to -locate the default cache. If a principal name is specified and -the type of the default cache supports a collection (such as the -DIR type), an existing cache containing credentials for the -principal is selected or a new one is created and becomes the new -primary cache. Otherwise, any existing contents of the default -cache are destroyed by kinit. - -\item[{\textbf{-S} \emph{service\_name}}] \leavevmode -specify an alternate service name to use when getting initial -tickets. - -\item[{\textbf{-X} \emph{attribute}{[}=\emph{value}{]}}] \leavevmode -specify a pre-authentication \emph{attribute} and \emph{value} to be -interpreted by pre-authentication modules. The acceptable -attribute and value values vary from module to module. 
This -option may be specified multiple times to specify multiple -attributes. If no value is specified, it is assumed to be ``yes''. - -The following attributes are recognized by the PKINIT -pre-authentication mechanism: -\begin{description} -\item[{\textbf{X509\_user\_identity}=\emph{value}}] \leavevmode -specify where to find user's X509 identity information - -\item[{\textbf{X509\_anchors}=\emph{value}}] \leavevmode -specify where to find trusted X509 anchor information - -\item[{\textbf{flag\_RSA\_PROTOCOL}{[}\textbf{=yes}{]}}] \leavevmode -specify use of RSA, rather than the default Diffie-Hellman -protocol - -\end{description} - -\end{description} - - -\subsection{ENVIRONMENT} -\label{user/user_commands/kinit:environment} -kinit uses the following environment variables: -\begin{description} -\item[{\textbf{KRB5CCNAME}}] \leavevmode -Location of the default Kerberos 5 credentials cache, in the form -\emph{type}:\emph{residual}. If no \emph{type} prefix is present, the \textbf{FILE} -type is assumed. The type of the default cache may determine the -availability of a cache collection; for instance, a default cache -of type \textbf{DIR} causes caches within the directory to be present -in the collection. - -\end{description} - - -\subsection{FILES} -\label{user/user_commands/kinit:files}\begin{description} -\item[{\emph{DEFCCNAME}}] \leavevmode -default location of Kerberos 5 credentials cache - -\item[{\emph{DEFKTNAME}}] \leavevmode -default location for the local host's keytab. 
- -\end{description} - - -\subsection{SEE ALSO} -\label{user/user_commands/kinit:see-also} -{\hyperref[user/user_commands/klist:klist-1]{\emph{klist}}}, {\hyperref[user/user_commands/kdestroy:kdestroy-1]{\emph{kdestroy}}}, kerberos(1) - - -\section{klist} -\label{user/user_commands/klist:klist}\label{user/user_commands/klist::doc}\label{user/user_commands/klist:klist-1} - -\subsection{SYNOPSIS} -\label{user/user_commands/klist:synopsis} -\textbf{klist} -{[}\textbf{-e}{]} -{[}{[}\textbf{-c}{]} {[}\textbf{-l}{]} {[}\textbf{-A}{]} {[}\textbf{-f}{]} {[}\textbf{-s}{]} {[}\textbf{-a} {[}\textbf{-n}{]}{]}{]} -{[}\textbf{-C}{]} -{[}\textbf{-k} {[}\textbf{-t}{]} {[}\textbf{-K}{]}{]} -{[}\textbf{-V}{]} -{[}\emph{cache\_name}\textbar{}\emph{keytab\_name}{]} - - -\subsection{DESCRIPTION} -\label{user/user_commands/klist:description} -klist lists the Kerberos principal and Kerberos tickets held in a -credentials cache, or the keys held in a keytab file. - - -\subsection{OPTIONS} -\label{user/user_commands/klist:options}\begin{description} -\item[{\textbf{-e}}] \leavevmode -Displays the encryption types of the session key and the ticket -for each credential in the credential cache, or each key in the -keytab file. - -\item[{\textbf{-l}}] \leavevmode -If a cache collection is available, displays a table summarizing -the caches present in the collection. - -\item[{\textbf{-A}}] \leavevmode -If a cache collection is available, displays the contents of all -of the caches in the collection. - -\item[{\textbf{-c}}] \leavevmode -List tickets held in a credentials cache. This is the default if -neither \textbf{-c} nor \textbf{-k} is specified. 
- -\item[{\textbf{-f}}] \leavevmode -Shows the flags present in the credentials, using the following -abbreviations: - -\begin{Verbatim}[commandchars=\\\{\}] -F Forwardable -f forwarded -P Proxiable -p proxy -D postDateable -d postdated -R Renewable -I Initial -i invalid -H Hardware authenticated -A preAuthenticated -T Transit policy checked -O Okay as delegate -a anonymous -\end{Verbatim} - -\item[{\textbf{-s}}] \leavevmode -Causes klist to run silently (produce no output). klist will exit -with status 1 if the credentials cache cannot be read or is -expired, and with status 0 otherwise. - -\item[{\textbf{-a}}] \leavevmode -Display list of addresses in credentials. - -\item[{\textbf{-n}}] \leavevmode -Show numeric addresses instead of reverse-resolving addresses. - -\item[{\textbf{-C}}] \leavevmode -List configuration data that has been stored in the credentials -cache when klist encounters it. By default, configuration data -is not listed. - -\item[{\textbf{-k}}] \leavevmode -List keys held in a keytab file. - -\item[{\textbf{-i}}] \leavevmode -In combination with \textbf{-k}, defaults to using the default client -keytab instead of the default acceptor keytab, if no name is -given. - -\item[{\textbf{-t}}] \leavevmode -Display the time entry timestamps for each keytab entry in the -keytab file. - -\item[{\textbf{-K}}] \leavevmode -Display the value of the encryption key in each keytab entry in -the keytab file. - -\item[{\textbf{-V}}] \leavevmode -Display the Kerberos version number and exit. - -\end{description} - -If \emph{cache\_name} or \emph{keytab\_name} is not specified, klist will display -the credentials in the default credentials cache or keytab file as -appropriate. If the \textbf{KRB5CCNAME} environment variable is set, its -value is used to locate the default ticket cache. 
- - -\subsection{ENVIRONMENT} -\label{user/user_commands/klist:environment} -klist uses the following environment variable: -\begin{description} -\item[{\textbf{KRB5CCNAME}}] \leavevmode -Location of the default Kerberos 5 credentials (ticket) cache, in -the form \emph{type}:\emph{residual}. If no \emph{type} prefix is present, the -\textbf{FILE} type is assumed. The type of the default cache may -determine the availability of a cache collection; for instance, a -default cache of type \textbf{DIR} causes caches within the directory -to be present in the collection. - -\end{description} - - -\subsection{FILES} -\label{user/user_commands/klist:files}\begin{description} -\item[{\emph{DEFCCNAME}}] \leavevmode -Default location of Kerberos 5 credentials cache - -\item[{\emph{DEFKTNAME}}] \leavevmode -Default location for the local host's keytab file. - -\end{description} - - -\subsection{SEE ALSO} -\label{user/user_commands/klist:see-also} -{\hyperref[user/user_commands/kinit:kinit-1]{\emph{kinit}}}, {\hyperref[user/user_commands/kdestroy:kdestroy-1]{\emph{kdestroy}}} - - -\section{kpasswd} -\label{user/user_commands/kpasswd:kpasswd}\label{user/user_commands/kpasswd::doc}\label{user/user_commands/kpasswd:kpasswd-1} - -\subsection{SYNOPSIS} -\label{user/user_commands/kpasswd:synopsis} -\textbf{kpasswd} {[}\emph{principal}{]} - - -\subsection{DESCRIPTION} -\label{user/user_commands/kpasswd:description} -The kpasswd command is used to change a Kerberos principal's password. -kpasswd first prompts for the current Kerberos password, then prompts -the user twice for the new password, and the password is changed. - -If the principal is governed by a policy that specifies the length -and/or number of character classes required in the new password, the -new password must conform to the policy. (The five character classes -are lower case, upper case, numbers, punctuation, and all other -characters.) 
- - -\subsection{OPTIONS} -\label{user/user_commands/kpasswd:options}\begin{description} -\item[{\emph{principal}}] \leavevmode -Change the password for the Kerberos principal principal. -Otherwise, kpasswd uses the principal name from an existing ccache -if there is one; if not, the principal is derived from the -identity of the user invoking the kpasswd command. - -\end{description} - - -\subsection{SEE ALSO} -\label{user/user_commands/kpasswd:see-also} -\emph{kadmin(1)}, \emph{kadmind(8)} - - -\section{krb5-config} -\label{user/user_commands/krb5-config:krb5-config-1}\label{user/user_commands/krb5-config:krb5-config}\label{user/user_commands/krb5-config::doc} - -\subsection{SYNOPSIS} -\label{user/user_commands/krb5-config:synopsis} -\textbf{krb5-config} -{[}\textbf{-}\textbf{-help} \textbar{} \textbf{-}\textbf{-all} \textbar{} \textbf{-}\textbf{-version} \textbar{} \textbf{-}\textbf{-vendor} \textbar{} \textbf{-}\textbf{-prefix} \textbar{} \textbf{-}\textbf{-exec-prefix} \textbar{} \textbf{-}\textbf{-defccname} \textbar{} \textbf{-}\textbf{-defktname} \textbar{} \textbf{-}\textbf{-defcktname} \textbar{} \textbf{-}\textbf{-cflags} \textbar{} \textbf{-}\textbf{-libs} {[}\emph{libraries}{]}{]} - - -\subsection{DESCRIPTION} -\label{user/user_commands/krb5-config:description} -krb5-config tells the application programmer what flags to use to compile -and link programs against the installed Kerberos libraries. - - -\subsection{OPTIONS} -\label{user/user_commands/krb5-config:options}\begin{description} -\item[{\textbf{-}\textbf{-help}}] \leavevmode -prints a usage message. This is the default behavior when no options -are specified. - -\item[{\textbf{-}\textbf{-all}}] \leavevmode -prints the version, vendor, prefix, and exec-prefix. - -\item[{\textbf{-}\textbf{-version}}] \leavevmode -prints the version number of the Kerberos installation. - -\item[{\textbf{-}\textbf{-vendor}}] \leavevmode -prints the name of the vendor of the Kerberos installation. 
- -\item[{\textbf{-}\textbf{-prefix}}] \leavevmode -prints the prefix for which the Kerberos installation was built. - -\item[{\textbf{-}\textbf{-exec-prefix}}] \leavevmode -prints the prefix for executables for which the Kerberos installation -was built. - -\item[{\textbf{-}\textbf{-defccname}}] \leavevmode -prints the built-in default credentials cache location. - -\item[{\textbf{-}\textbf{-defktname}}] \leavevmode -prints the built-in default keytab location. - -\item[{\textbf{-}\textbf{-defcktname}}] \leavevmode -prints the built-in default client (initiator) keytab location. - -\item[{\textbf{-}\textbf{-cflags}}] \leavevmode -prints the compilation flags used to build the Kerberos installation. - -\item[{\textbf{-}\textbf{-libs} {[}\emph{library}{]}}] \leavevmode -prints the compiler options needed to link against \emph{library}. -Allowed values for \emph{library} are: - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -krb5 - & -Kerberos 5 applications (default) -\\ -\hline -gssapi - & -GSSAPI applications with Kerberos 5 bindings -\\ -\hline -kadm-client - & -Kadmin client -\\ -\hline -kadm-server - & -Kadmin server -\\ -\hline -kdb - & -Applications that access the Kerberos database -\\ -\hline\end{tabulary} - - -\end{description} - - -\subsection{EXAMPLES} -\label{user/user_commands/krb5-config:examples} -krb5-config is particularly useful for compiling against a Kerberos -installation that was installed in a non-standard location. 
For example, -a Kerberos installation that is installed in \code{/opt/krb5/} but uses -libraries in \code{/usr/local/lib/} for text localization would produce -the following output: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} krb5\PYGZhy{}config \PYGZhy{}\PYGZhy{}libs krb5 -\PYGZhy{}L/opt/krb5/lib \PYGZhy{}Wl,\PYGZhy{}rpath \PYGZhy{}Wl,/opt/krb5/lib \PYGZhy{}L/usr/local/lib \PYGZhy{}lkrb5 \PYGZhy{}lk5crypto \PYGZhy{}lcom\PYGZus{}err -\end{Verbatim} - - -\subsection{SEE ALSO} -\label{user/user_commands/krb5-config:see-also} -kerberos(1), cc(1) - - -\section{ksu} -\label{user/user_commands/ksu:ksu-1}\label{user/user_commands/ksu:ksu}\label{user/user_commands/ksu::doc} - -\subsection{SYNOPSIS} -\label{user/user_commands/ksu:synopsis} -\textbf{ksu} -{[} \emph{target\_user} {]} -{[} \textbf{-n} \emph{target\_principal\_name} {]} -{[} \textbf{-c} \emph{source\_cache\_name} {]} -{[} \textbf{-k} {]} -{[} \textbf{-r} time {]} -{[} \textbf{-pf} {]} -{[} \textbf{-l} \emph{lifetime} {]} -{[} \textbf{-z \textbar{} Z} {]} -{[} \textbf{-q} {]} -{[} \textbf{-e} \emph{command} {[} args ... {]} {]} {[} \textbf{-a} {[} args ... {]} {]} - - -\subsection{REQUIREMENTS} -\label{user/user_commands/ksu:requirements} -Must have Kerberos version 5 installed to compile ksu. Must have a -Kerberos version 5 server running to use ksu. - - -\subsection{DESCRIPTION} -\label{user/user_commands/ksu:description} -ksu is a Kerberized version of the su program that has two missions: -one is to securely change the real and effective user ID to that of -the target user, and the other is to create a new security context. - -\begin{notice}{note}{Note:} -For the sake of clarity, all references to and attributes of -the user invoking the program will start with ``source'' -(e.g., ``source user'', ``source cache'', etc.). - -Likewise, all references to and attributes of the target -account will start with ``target''. 
-\end{notice} - - -\subsection{AUTHENTICATION} -\label{user/user_commands/ksu:authentication} -To fulfill the first mission, ksu operates in two phases: -authentication and authorization. Resolving the target principal name -is the first step in authentication. The user can either specify his -principal name with the \textbf{-n} option (e.g., \code{-n jqpublic@USC.EDU}) -or a default principal name will be assigned using a heuristic -described in the OPTIONS section (see \textbf{-n} option). The target user -name must be the first argument to ksu; if not specified root is the -default. If \code{.} is specified then the target user will be the -source user (e.g., \code{ksu .}). If the source user is root or the -target user is the source user, no authentication or authorization -takes place. Otherwise, ksu looks for an appropriate Kerberos ticket -in the source cache. - -The ticket can either be for the end-server or a ticket granting -ticket (TGT) for the target principal's realm. If the ticket for the -end-server is already in the cache, it's decrypted and verified. If -it's not in the cache but the TGT is, the TGT is used to obtain the -ticket for the end-server. The end-server ticket is then verified. -If neither ticket is in the cache, but ksu is compiled with the -\textbf{GET\_TGT\_VIA\_PASSWD} define, the user will be prompted for a -Kerberos password which will then be used to get a TGT. If the user -is logged in remotely and does not have a secure channel, the password -may be exposed. If neither ticket is in the cache and -\textbf{GET\_TGT\_VIA\_PASSWD} is not defined, authentication fails. - - -\subsection{AUTHORIZATION} -\label{user/user_commands/ksu:authorization} -This section describes authorization of the source user when ksu is -invoked without the \textbf{-e} option. For a description of the \textbf{-e} -option, see the OPTIONS section. 
- -Upon successful authentication, ksu checks whether the target -principal is authorized to access the target account. In the target -user's home directory, ksu attempts to access two authorization files: -{\hyperref[user/user_config/k5login:k5login-5]{\emph{.k5login}}} and .k5users. In the .k5login file each line -contains the name of a principal that is authorized to access the -account. - -For example: - -\begin{Verbatim}[commandchars=\\\{\}] -jqpublic@USC.EDU -jqpublic/secure@USC.EDU -jqpublic/admin@USC.EDU -\end{Verbatim} - -The format of .k5users is the same, except the principal name may be -followed by a list of commands that the principal is authorized to -execute (see the \textbf{-e} option in the OPTIONS section for details). - -Thus if the target principal name is found in the .k5login file the -source user is authorized to access the target account. Otherwise ksu -looks in the .k5users file. If the target principal name is found -without any trailing commands or followed only by \code{*} then the -source user is authorized. If either .k5login or .k5users exist but -an appropriate entry for the target principal does not exist then -access is denied. If neither file exists then the principal will be -granted access to the account according to the aname-\textgreater{}lname mapping -rules. Otherwise, authorization fails. - - -\subsection{EXECUTION OF THE TARGET SHELL} -\label{user/user_commands/ksu:execution-of-the-target-shell} -Upon successful authentication and authorization, ksu proceeds in a -similar fashion to su. The environment is unmodified with the -exception of USER, HOME and SHELL variables. If the target user is -not root, USER gets set to the target user name. Otherwise USER -remains unchanged. Both HOME and SHELL are set to the target login's -default values. In addition, the environment variable \textbf{KRB5CCNAME} -gets set to the name of the target cache. The real and effective user -ID are changed to that of the target user. 
The target user's shell is -then invoked (the shell name is specified in the password file). Upon -termination of the shell, ksu deletes the target cache (unless ksu is -invoked with the \textbf{-k} option). This is implemented by first doing a -fork and then an exec, instead of just exec, as done by su. - - -\subsection{CREATING A NEW SECURITY CONTEXT} -\label{user/user_commands/ksu:creating-a-new-security-context} -ksu can be used to create a new security context for the target -program (either the target shell, or command specified via the \textbf{-e} -option). The target program inherits a set of credentials from the -source user. By default, this set includes all of the credentials in -the source cache plus any additional credentials obtained during -authentication. The source user is able to limit the credentials in -this set by using \textbf{-z} or \textbf{-Z} option. \textbf{-z} restricts the copy -of tickets from the source cache to the target cache to only the -tickets where client == the target principal name. The \textbf{-Z} option -provides the target user with a fresh target cache (no creds in the -cache). Note that for security reasons, when the source user is root -and target user is non-root, \textbf{-z} option is the default mode of -operation. - -While no authentication takes place if the source user is root or is -the same as the target user, additional tickets can still be obtained -for the target cache. If \textbf{-n} is specified and no credentials can -be copied to the target cache, the source user is prompted for a -Kerberos password (unless \textbf{-Z} specified or \textbf{GET\_TGT\_VIA\_PASSWD} -is undefined). If successful, a TGT is obtained from the Kerberos -server and stored in the target cache. Otherwise, if a password is -not provided (user hit return) ksu continues in a normal mode of -operation (the target cache will not contain the desired TGT). If the -wrong password is typed in, ksu fails. 
- -\begin{notice}{note}{Note:} -During authentication, only the tickets that could be -obtained without providing a password are cached in in the -source cache. -\end{notice} - - -\subsection{OPTIONS} -\label{user/user_commands/ksu:options}\begin{description} -\item[{\textbf{-n} \emph{target\_principal\_name}}] \leavevmode -Specify a Kerberos target principal name. Used in authentication -and authorization phases of ksu. - -If ksu is invoked without \textbf{-n}, a default principal name is -assigned via the following heuristic: -\begin{itemize} -\item {} -Case 1: source user is non-root. - -If the target user is the source user the default principal name -is set to the default principal of the source cache. If the -cache does not exist then the default principal name is set to -\code{target\_user@local\_realm}. If the source and target users are -different and neither \code{\textasciitilde{}target\_user/.k5users} nor -\code{\textasciitilde{}target\_user/.k5login} exist then the default principal name -is \code{target\_user\_login\_name@local\_realm}. Otherwise, starting -with the first principal listed below, ksu checks if the -principal is authorized to access the target account and whether -there is a legitimate ticket for that principal in the source -cache. If both conditions are met that principal becomes the -default target principal, otherwise go to the next principal. -\begin{enumerate} -\item {} -default principal of the source cache - -\item {} -target\_user@local\_realm - -\item {} -source\_user@local\_realm - -\end{enumerate} - -If a-c fails try any principal for which there is a ticket in -the source cache and that is authorized to access the target -account. If that fails select the first principal that is -authorized to access the target account from the above list. 
If -none are authorized and ksu is configured with -\textbf{PRINC\_LOOK\_AHEAD} turned on, select the default principal as -follows: - -For each candidate in the above list, select an authorized -principal that has the same realm name and first part of the -principal name equal to the prefix of the candidate. For -example if candidate a) is \code{jqpublic@ISI.EDU} and -\code{jqpublic/secure@ISI.EDU} is authorized to access the target -account then the default principal is set to -\code{jqpublic/secure@ISI.EDU}. - -\item {} -Case 2: source user is root. - -If the target user is non-root then the default principal name -is \code{target\_user@local\_realm}. Else, if the source cache -exists the default principal name is set to the default -principal of the source cache. If the source cache does not -exist, default principal name is set to \code{root\textbackslash{}@local\_realm}. - -\end{itemize} - -\end{description} - -\textbf{-c} \emph{source\_cache\_name} -\begin{quote} - -Specify source cache name (e.g., \code{-c FILE:/tmp/my\_cache}). If -\textbf{-c} option is not used then the name is obtained from -\textbf{KRB5CCNAME} environment variable. If \textbf{KRB5CCNAME} is not -defined the source cache name is set to \code{krb5cc\_\textless{}source uid\textgreater{}}. -The target cache name is automatically set to \code{krb5cc\_\textless{}target -uid\textgreater{}.(gen\_sym())}, where gen\_sym generates a new number such that -the resulting cache does not already exist. For example: - -\begin{Verbatim}[commandchars=\\\{\}] -krb5cc\PYGZus{}1984.2 -\end{Verbatim} -\end{quote} -\begin{description} -\item[{\textbf{-k}}] \leavevmode -Do not delete the target cache upon termination of the target -shell or a command (\textbf{-e} command). Without \textbf{-k}, ksu deletes -the target cache. - -\item[{\textbf{-z}}] \leavevmode -Restrict the copy of tickets from the source cache to the target -cache to only the tickets where client == the target principal -name. 
Use the \textbf{-n} option if you want the tickets for other then
-the default principal. Note that the \textbf{-z} option is mutually
-exclusive with the \textbf{-Z} option.
-
-\item[{\textbf{-Z}}] \leavevmode
-Don't copy any tickets from the source cache to the target cache.
-Just create a fresh target cache, where the default principal name
-of the cache is initialized to the target principal name. Note
-that the \textbf{-Z} option is mutually exclusive with the \textbf{-z}
-option.
-
-\item[{\textbf{-q}}] \leavevmode
-Suppress the printing of status messages.
-
-\end{description}
-
-Ticket granting ticket options:
-\begin{description}
-\item[{\textbf{-l} \emph{lifetime} \textbf{-r} \emph{time} \textbf{-pf}}] \leavevmode
-The ticket granting ticket options only apply to the case where
-there are no appropriate tickets in the cache to authenticate the
-source user. In this case if ksu is configured to prompt users
-for a Kerberos password (\textbf{GET\_TGT\_VIA\_PASSWD} is defined), the
-ticket granting ticket options that are specified will be used
-when getting a ticket granting ticket from the Kerberos server.
-
-\item[{\textbf{-l} \emph{lifetime}}] \leavevmode
-(\emph{duration} string.) Specifies the lifetime to be requested
-for the ticket; if this option is not specified, the default ticket
-lifetime (12 hours) is used instead.
-
-\item[{\textbf{-r} \emph{time}}] \leavevmode
-(\emph{duration} string.) Specifies that the \textbf{renewable} option
-should be requested for the ticket, and specifies the desired
-total lifetime of the ticket.
-
-\item[{\textbf{-p}}] \leavevmode
-specifies that the \textbf{proxiable} option should be requested for
-the ticket.
-
-\item[{\textbf{-f}}] \leavevmode
-option specifies that the \textbf{forwardable} option should be
-requested for the ticket.
-
-\item[{\textbf{-e} \emph{command} {[}\emph{args} ...{]}}] \leavevmode
-ksu proceeds exactly the same as if it was invoked without the
-\textbf{-e} option, except instead of executing the target shell, ksu
-executes the specified command. Example of usage:
-
-\begin{Verbatim}[commandchars=\\\{\}]
-ksu bob \PYGZhy{}e ls \PYGZhy{}lag
-\end{Verbatim}
-
-The authorization algorithm for \textbf{-e} is as follows:
-
-If the source user is root or source user == target user, no
-authorization takes place and the command is executed. If source
-user id != 0, and \code{\textasciitilde{}target\_user/.k5users} file does not exist,
-authorization fails. Otherwise, \code{\textasciitilde{}target\_user/.k5users} file
-must have an appropriate entry for target principal to get
-authorized.
-
-The .k5users file format:
-
-A single principal entry on each line that may be followed by a
-list of commands that the principal is authorized to execute. A
-principal name followed by a \code{*} means that the user is
-authorized to execute any command. Thus, in the following
-example:
-
-\begin{Verbatim}[commandchars=\\\{\}]
-jqpublic@USC.EDU ls mail /local/kerberos/klist
-jqpublic/secure@USC.EDU *
-jqpublic/admin@USC.EDU
-\end{Verbatim}
-
-\code{jqpublic@USC.EDU} is only authorized to execute \code{ls},
-\code{mail} and \code{klist} commands. \code{jqpublic/secure@USC.EDU} is
-authorized to execute any command. \code{jqpublic/admin@USC.EDU} is
-not authorized to execute any command. Note, that
-\code{jqpublic/admin@USC.EDU} is authorized to execute the target
-shell (regular ksu, without the \textbf{-e} option) but
-\code{jqpublic@USC.EDU} is not.
-
-The commands listed after the principal name must be either a full
-path names or just the program name. In the second case,
-\textbf{CMD\_PATH} specifying the location of authorized programs must
-be defined at the compilation time of ksu. Which command gets
-executed?
-
-If the source user is root or the target user is the source user
-or the user is authorized to execute any command (\code{*} entry)
-then command can be either a full or a relative path leading to
-the target program. Otherwise, the user must specify either a
-full path or just the program name.
-
-\item[{\textbf{-a} \emph{args}}] \leavevmode
-Specify arguments to be passed to the target shell. Note that all
-flags and parameters following -a will be passed to the shell,
-thus all options intended for ksu must precede \textbf{-a}.
-
-The \textbf{-a} option can be used to simulate the \textbf{-e} option if
-used as follows:
-
-\begin{Verbatim}[commandchars=\\\{\}]
-\PYGZhy{}a \PYGZhy{}c [command [arguments]].
-\end{Verbatim}
-
-\textbf{-c} is interpreted by the c-shell to execute the command.
-
-\end{description}
-
-
-\subsection{INSTALLATION INSTRUCTIONS}
-\label{user/user_commands/ksu:installation-instructions}
-ksu can be compiled with the following four flags:
-\begin{description}
-\item[{\textbf{GET\_TGT\_VIA\_PASSWD}}] \leavevmode
-In case no appropriate tickets are found in the source cache, the
-user will be prompted for a Kerberos password. The password is
-then used to get a ticket granting ticket from the Kerberos
-server. The danger of configuring ksu with this macro is if the
-source user is logged in remotely and does not have a secure
-channel, the password may get exposed.
-
-\item[{\textbf{PRINC\_LOOK\_AHEAD}}] \leavevmode
-During the resolution of the default principal name,
-\textbf{PRINC\_LOOK\_AHEAD} enables ksu to find principal names in
-the .k5users file as described in the OPTIONS section
-(see \textbf{-n} option).
-
-\item[{\textbf{CMD\_PATH}}] \leavevmode
-Specifies a list of directories containing programs that users are
-authorized to execute (via .k5users file).
-
-\item[{\textbf{HAVE\_GETUSERSHELL}}] \leavevmode
-If the source user is non-root, ksu insists that the target user's
-shell to be invoked is a ``legal shell''.
\emph{getusershell(3)} is
-called to obtain the names of ``legal shells''. Note that the
-target user's shell is obtained from the passwd file.
-
-\end{description}
-
-Sample configuration:
-
-\begin{Verbatim}[commandchars=\\\{\}]
-KSU\PYGZus{}OPTS = \PYGZhy{}DGET\PYGZus{}TGT\PYGZus{}VIA\PYGZus{}PASSWD \PYGZhy{}DPRINC\PYGZus{}LOOK\PYGZus{}AHEAD \PYGZhy{}DCMD\PYGZus{}PATH=\PYGZsq{}\PYGZdq{}/bin /usr/ucb /local/bin\PYGZdq{}
-\end{Verbatim}
-
-ksu should be owned by root and have the set user id bit turned on.
-
-ksu attempts to get a ticket for the end server just as Kerberized
-telnet and rlogin. Thus, there must be an entry for the server in the
-Kerberos database (e.g., \code{host/nii.isi.edu@ISI.EDU}). The keytab
-file must be in an appropriate location.
-
-
-\subsection{SIDE EFFECTS}
-\label{user/user_commands/ksu:side-effects}
-ksu deletes all expired tickets from the source cache.
-
-
-\subsection{AUTHOR OF KSU}
-\label{user/user_commands/ksu:author-of-ksu}
-GENNADY (ARI) MEDVINSKY
-
-
-\section{kswitch}
-\label{user/user_commands/kswitch:kswitch-1}\label{user/user_commands/kswitch:kswitch}\label{user/user_commands/kswitch::doc}
-
-\subsection{SYNOPSIS}
-\label{user/user_commands/kswitch:synopsis}
-\textbf{kswitch}
-\{\textbf{-c} \emph{cachename}\textbar{}\textbf{-p} \emph{principal}\}
-
-
-\subsection{DESCRIPTION}
-\label{user/user_commands/kswitch:description}
-kswitch makes the specified credential cache the primary cache for the
-collection, if a cache collection is available.
-
-
-\subsection{OPTIONS}
-\label{user/user_commands/kswitch:options}\begin{description}
-\item[{\textbf{-c} \emph{cachename}}] \leavevmode
-Directly specifies the credential cache to be made primary.
-
-\item[{\textbf{-p} \emph{principal}}] \leavevmode
-Causes the cache collection to be searched for a cache containing
-credentials for \emph{principal}. If one is found, that collection is
-made primary.
-
-\end{description}
-
-
-\subsection{ENVIRONMENT}
-\label{user/user_commands/kswitch:environment}
-kswitch uses the following environment variables:
-\begin{description}
-\item[{\textbf{KRB5CCNAME}}] \leavevmode
-Location of the default Kerberos 5 credentials (ticket) cache, in
-the form \emph{type}:\emph{residual}. If no \emph{type} prefix is present, the
-\textbf{FILE} type is assumed. The type of the default cache may
-determine the availability of a cache collection; for instance, a
-default cache of type \textbf{DIR} causes caches within the directory
-to be present in the collection.
-
-\end{description}
-
-
-\subsection{FILES}
-\label{user/user_commands/kswitch:files}\begin{description}
-\item[{\emph{DEFCCNAME}}] \leavevmode
-Default location of Kerberos 5 credentials cache
-
-\end{description}
-
-
-\subsection{SEE ALSO}
-\label{user/user_commands/kswitch:see-also}
-{\hyperref[user/user_commands/kinit:kinit-1]{\emph{kinit}}}, {\hyperref[user/user_commands/kdestroy:kdestroy-1]{\emph{kdestroy}}}, {\hyperref[user/user_commands/klist:klist-1]{\emph{klist}}}), kerberos(1)
-
-
-\section{kvno}
-\label{user/user_commands/kvno:kvno-1}\label{user/user_commands/kvno::doc}\label{user/user_commands/kvno:kvno}
-
-\subsection{SYNOPSIS}
-\label{user/user_commands/kvno:synopsis}
-\textbf{kvno}
-{[}\textbf{-c} \emph{ccache}{]}
-{[}\textbf{-e} \emph{etype}{]}
-{[}\textbf{-q}{]}
-{[}\textbf{-h}{]}
-{[}\textbf{-P}{]}
-{[}\textbf{-S} \emph{sname}{]}
-{[}\textbf{-U} \emph{for\_user}{]}
-\emph{service1 service2} ...
-
-
-\subsection{DESCRIPTION}
-\label{user/user_commands/kvno:description}
-kvno acquires a service ticket for the specified Kerberos principals
-and prints out the key version numbers of each.
-
-
-\subsection{OPTIONS}
-\label{user/user_commands/kvno:options}\begin{description}
-\item[{\textbf{-c} \emph{ccache}}] \leavevmode
-Specifies the name of a credentials cache to use (if not the
-default)
-
-\item[{\textbf{-e} \emph{etype}}] \leavevmode
-Specifies the enctype which will be requested for the session key
-of all the services named on the command line. This is useful in
-certain backward compatibility situations.
-
-\item[{\textbf{-q}}] \leavevmode
-Suppress printing output when successful. If a service ticket
-cannot be obtained, an error message will still be printed and
-kvno will exit with nonzero status.
-
-\item[{\textbf{-h}}] \leavevmode
-Prints a usage statement and exits.
-
-\item[{\textbf{-P}}] \leavevmode
-Specifies that the \emph{service1 service2} ... arguments are to be
-treated as services for which credentials should be acquired using
-constrained delegation. This option is only valid when used in
-conjunction with protocol transition.
-
-\item[{\textbf{-S} \emph{sname}}] \leavevmode
-Specifies that the \emph{service1 service2} ... arguments are
-interpreted as hostnames, and the service principals are to be
-constructed from those hostnames and the service name \emph{sname}.
-The service hostnames will be canonicalized according to the usual
-rules for constructing service principals.
-
-\item[{\textbf{-U} \emph{for\_user}}] \leavevmode
-Specifies that protocol transition (S4U2Self) is to be used to
-acquire a ticket on behalf of \emph{for\_user}. If constrained
-delegation is not requested, the service name must match the
-credentials cache client principal.
-
-\end{description}
-
-
-\subsection{ENVIRONMENT}
-\label{user/user_commands/kvno:environment}
-kvno uses the following environment variable:
-\begin{description}
-\item[{\textbf{KRB5CCNAME}}] \leavevmode
-Location of the credentials (ticket) cache.
-
-\end{description}
-
-
-\subsection{FILES}
-\label{user/user_commands/kvno:files}\begin{description}
-\item[{\emph{DEFCCNAME}}] \leavevmode
-Default location of the credentials cache
-
-\end{description}
-
-
-\subsection{SEE ALSO}
-\label{user/user_commands/kvno:see-also}
-{\hyperref[user/user_commands/kinit:kinit-1]{\emph{kinit}}}, {\hyperref[user/user_commands/kdestroy:kdestroy-1]{\emph{kdestroy}}}
-
-
-\section{sclient}
-\label{user/user_commands/sclient:sclient}\label{user/user_commands/sclient::doc}\label{user/user_commands/sclient:sclient-1}
-
-\subsection{SYNOPSIS}
-\label{user/user_commands/sclient:synopsis}
-\textbf{sclient} \emph{remotehost}
-
-
-\subsection{DESCRIPTION}
-\label{user/user_commands/sclient:description}
-sclient is a sample application, primarily useful for testing
-purposes. It contacts a sample server \emph{sserver(8)} and
-authenticates to it using Kerberos version 5 tickets, then displays
-the server's response.
-
-
-\subsection{SEE ALSO}
-\label{user/user_commands/sclient:see-also}
-{\hyperref[user/user_commands/kinit:kinit-1]{\emph{kinit}}}, \emph{sserver(8)}
-
-
-
-\renewcommand{\indexname}{Index}
-\printindex
-\end{document} |