Diffstat (limited to 'eBones/man')
40 files changed, 0 insertions, 4701 deletions
diff --git a/eBones/man/Makefile b/eBones/man/Makefile deleted file mode 100644 index 8de00f02884f..000000000000 --- a/eBones/man/Makefile +++ /dev/null @@ -1,19 +0,0 @@ -# from: @(#)Makefile 5.4 (Berkeley) 7/25/90 -# $Id: Makefile,v 1.2 1994/07/19 19:27:15 g89r4222 Exp $ - -MAN1= kdestroy.1 kerberos.1 kinit.1 klist.1 ksrvtgt.1 \ - kpasswd.1 ksu.1 rcp.1 rlogin.1 rsh.1 tftp.1 -MAN3= acl_check.3 des_crypt.3 krb.3 krb_realmofhost.3 krb_sendauth.3 \ - krb_set_tkt_string.3 kuserok.3 tf_util.3 kerberos.3 -MAN5= krb.conf.5 krb.realms.5 -MAN8= ext_srvtab.8 kdb_destroy.8 kdb_edit.8 kdb_init.8 kdb_util.8 kstash.8 \ - kadmin.8 kadmind.8 klogind.8 kshd.8 ksrvutil.8 tcom.8 tftpd.8 -MLINKS+=krb_realmofhost.3 realm.3 -MLINKS+=des_crypt.3 des.3 -MLINKS+=krb.3 kerberos.3 krb.3 krb_mk_req.3 krb.3 krb_rd_req.3 -MLINKS+=krb.3 krb_kntoln.3 krb.3 krb_set_key.3 krb.3 krb_get_cred.3 -MLINKS+=krb.3 krb_mk_priv.3 krb.3 krb_mk_safe.3 krb.3 krb_rd_safe.3 -MLINKS+=krb.3 krb_mk_err.3 krb.3 krb_rd_err.3 krb.3 krb_ck_repl.3 -MLINKS+=krb_sendauth.3 ksend.3 - -.include <bsd.prog.mk> diff --git a/eBones/man/acl_check.3 b/eBones/man/acl_check.3 deleted file mode 100644 index c142506dbfcf..000000000000 --- a/eBones/man/acl_check.3 +++ /dev/null 
@@ -1,183 +0,0 @@ -.\" from: acl_check.3,v 4.1 89/01/23 11:06:54 jtkohl Exp $ -.\" $Id: acl_check.3,v 1.2 1994/07/19 19:27:17 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH ACL_CHECK 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -acl_canonicalize_principal, acl_check, acl_exact_match, acl_add, -acl_delete, acl_initialize \- Access control list routines -.SH SYNOPSIS -.nf -.nj -.ft B -cc <files> \-lacl \-lkrb -.PP -.ft B -#include <krb.h> -.PP -.ft B -acl_canonicalize_principal(principal, buf) -char *principal; -char *buf; -.PP -.ft B -acl_check(acl, principal) -char *acl; -char *principal; -.PP -.ft B -acl_exact_match(acl, principal) -char *acl; -char *principal; -.PP -.ft B -acl_add(acl, principal) -char *acl; -char *principal; -.PP -.ft B -acl_delete(acl, principal) -char *acl; -char *principal; -.PP -.ft B -acl_initialize(acl_file, mode) -char *acl_file; -int mode; -.fi -.ft R -.SH DESCRIPTION -.SS Introduction -.PP -An access control list (ACL) is a list of principals, where each -principal is represented by a text string which cannot contain -whitespace. The library allows application programs to refer to named -access control lists to test membership and to atomically add and -delete principals using a natural and intuitive interface. At -present, the names of access control lists are required to be Unix -filenames, and refer to human-readable Unix files; in the future, when -a networked ACL server is implemented, the names may refer to a -different namespace specific to the ACL service. -.PP -.SS Principal Names -.PP -Principal names have the form -.nf -.in +5n -<name>[.<instance>][@<realm>] -.in -5n -e.g.: -.in +5n -asp -asp.root -asp@ATHENA.MIT.EDU -asp.@ATHENA.MIT.EDU -asp.root@ATHENA.MIT.EDU -.in -5n -.fi -It is possible for principals to be underspecified. If an instance is -missing, it is assumed to be "". 
If realm is missing, it is assumed -to be the local realm as determined by -.IR krb_get_lrealm (3). -The canonical form contains all of name, instance, -and realm; the acl_add and acl_delete routines will always -leave the file in that form. Note that the canonical form of -asp@ATHENA.MIT.EDU is actually asp.@ATHENA.MIT.EDU. -.SS Routines -.PP -.I acl_canonicalize_principal -stores the canonical form of -.I principal -in -.IR buf . -.I Buf -must contain enough -space to store a principal, given the limits on the sizes of name, -instance, and realm specified as ANAME_SZ, INST_SZ, and REALM_SZ, -respectively, in -.IR /usr/include/krb.h . -.PP -.I acl_check -returns nonzero if -.I principal -appears in -.IR acl . -Returns 0 if principal -does not appear in acl, or if an error occurs. Canonicalizes -principal before checking, and allows the ACL to contain wildcards. The -only supported wildcards are entries of the form -name.*@realm, *.*@realm, and *.*@*. An asterisk matches any value for the -its component field. For example, "jtkohl.*@*" would match principal -jtkohl, with any instance and any realm. -.PP -.I acl_exact_match -performs like -.IR acl_check , -but does no canonicalization or wildcard matching. -.PP -.I acl_add -atomically adds -.I principal -to -.IR acl . -Returns 0 if successful, nonzero otherwise. It is considered a failure -if -.I principal -is already in -.IR acl . -This routine will canonicalize -.IR principal , -but will treat wildcards literally. -.PP -.I acl_delete -atomically deletes -.I principal -from -.IR acl . -Returns 0 if successful, -nonzero otherwise. It is considered a failure if -.I principal -is not -already in -.IR acl . -This routine will canonicalize -.IR principal , -but will treat wildcards literally. -.PP -.I acl_initialize -initializes -.IR acl_file . -If the file -.I acl_file -does not exist, -.I acl_initialize -creates it with mode -.IR mode . -If the file -.I acl_file -exists, -.I acl_initialize -removes all members. 
Returns 0 if successful, -nonzero otherwise. WARNING: Mode argument is likely to change with -the eventual introduction of an ACL service. -.SH NOTES -In the presence of concurrency, there is a very small chance that -.I acl_add -or -.I acl_delete -could report success even though it would have -had no effect. This is a necessary side effect of using lock files -for concurrency control rather than flock(2), which is not supported -by NFS. -.PP -The current implementation caches ACLs in memory in a hash-table -format for increased efficiency in checking membership; one effect of -the caching scheme is that one file descriptor will be kept open for -each ACL cached, up to a maximum of 8. -.SH SEE ALSO -kerberos(3), krb_get_lrealm(3) -.SH AUTHOR -James Aspnes (MIT Project Athena) diff --git a/eBones/man/des.point b/eBones/man/des.point deleted file mode 100644 index 853c9cbdf192..000000000000 --- a/eBones/man/des.point +++ /dev/null @@ -1 +0,0 @@ -.so man3/des_crypt.3 diff --git a/eBones/man/des_crypt.3 b/eBones/man/des_crypt.3 deleted file mode 100644 index 0be834289ef1..000000000000 --- a/eBones/man/des_crypt.3 +++ /dev/null 
@@ -1,380 +0,0 @@ -.\" from: des_crypt.3,v 4.3 89/01/23 17:08:59 steiner Exp $ -.\" $Id: des_crypt.3,v 1.2 1994/07/19 19:27:19 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH DES_CRYPT 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -des_read_password, des_string_to_key, des_random_key, des_set_key, -des_ecb_encrypt, des_cbc_encrypt, des_pcbc_encrypt, des_cbc_cksum, -des_quad_cksum, \- (new) DES encryption -.SH SYNOPSIS -.nf -.nj -.ft B -#include <des.h> -.PP -.ft B -.B int des_read_password(key,prompt,verify) -des_cblock *key; -char *prompt; -int verify; -.PP -.ft B -int des_string_to_key(str,key) -char *str; -des_cblock key; -.PP -.ft B -int des_random_key(key) -des_cblock *key; -.PP -.ft B -int des_set_key(key,schedule) -des_cblock *key; -des_key_schedule schedule; -.PP -.ft B -int des_ecb_encrypt(input,output,schedule,encrypt) -des_cblock *input; -des_cblock *output; -des_key_schedule schedule; -int encrypt; -.PP -.ft B -int des_cbc_encrypt(input,output,length,schedule,ivec,encrypt) -des_cblock *input; -des_cblock *output; -long length; -des_key_schedule schedule; -des_cblock *ivec; -int encrypt; -.PP -.ft B -int des_pcbc_encrypt(input,output,length,schedule,ivec,encrypt) -des_cblock *input; -des_cblock *output; -long length; -des_key_schedule schedule; -des_cblock *ivec; -int encrypt; -.PP -.ft B -unsigned long des_cbc_cksum(input,output,length,schedule,ivec) -des_cblock *input; -des_cblock *output; -long length; -des_key_schedule schedule; -des_cblock *ivec; -.PP -.ft B -unsigned long quad_cksum(input,output,length,out_count,seed) -des_cblock *input; -des_cblock *output; -long length; -int out_count; -des_cblock *seed; -.PP -.fi -.SH DESCRIPTION -This library supports various DES encryption related operations. 
It differs -from the -.I crypt, setkey, and encrypt -library routines in that it provides -a true DES encryption, without modifying the algorithm, -and executes much faster. -.PP -For each key that may be simultaneously active, create a -.B des_key_schedule -struct, -defined in "des.h". Next, create key schedules (from the 8-byte keys) as -needed, via -.I des_set_key, -prior to using the encryption or checksum routines. Then -setup the input and output areas. Make sure to note the restrictions -on lengths being multiples of eight bytes. Finally, invoke the -encryption/decryption routines, -.I des_ecb_encrypt -or -.I des_cbc_encrypt -or -.I des_pcbc_encrypt, -or, to generate a cryptographic checksum, use -.I quad_cksum -(fast) or -.I des_cbc_cksum -(slow). -.PP -A -.I des_cblock -struct is an 8 byte block used as the fundamental unit for DES data and -keys, and is defined as: -.PP -.B typedef unsigned char des_cblock[8]; -.PP -and a -.I des_key_schedule, -is defined as: -.PP -.B typedef struct des_ks_struct {des_cblock _;} des_key_schedule[16]; -.PP -.I des_read_password -writes the string specified by -.I prompt -to the standard -output, turns off echo (if possible) -and reads an input string from standard input until terminated with a newline. -If -.I verify -is non-zero, it prompts and reads input again, for use -in applications such as changing a password; both -versions are compared, and the input is requested repeatedly until they -match. Then -.I des_read_password -converts the input string into a valid DES key, internally -using the -.I des_string_to_key -routine. The newly created key is copied to the -area pointed to by the -.I key -argument. -.I des_read_password -returns a zero if no errors occurred, or a -1 -indicating that an error -occurred trying to manipulate the terminal echo. -.PP -.PP -.I des_string_to_key -converts an arbitrary length null-terminated string -to an 8 byte DES key, with odd byte parity, per FIPS specification. 
-A one-way function is used to convert the string to a key, making it -very difficult to reconstruct the string from the key. -The -.I str -argument is a pointer to the string, and -.I key -should -point to a -.I des_cblock -supplied by the caller to receive the generated key. -No meaningful value is returned. Void is not used for compatibility with -other compilers. -.PP -.PP -.I des_random_key -generates a random DES encryption key (eight bytes), set to odd parity per -FIPS -specifications. -This routine uses the current time, process id, and a counter -as a seed for the random number generator. -The caller must supply space for the output key, pointed to -by argument -.I key, -then after calling -.I des_random_key -should -call the -.I des_set_key -routine when needed. -No meaningful value is returned. Void is not used for compatibility -with other compilers. -.PP -.PP -.I des_set_key -calculates a key schedule from all eight bytes of the input key, pointed -to by the -.I key -argument, and outputs the schedule into the -.I des_key_schedule -indicated by the -.I schedule -argument. Make sure to pass a valid eight byte -key; no padding is done. The key schedule may then be used in subsequent -encryption/decryption/checksum operations. Many key schedules may be -cached for later use. The user is responsible to clear keys and schedules -as soon as no longer needed, to prevent their disclosure. -The routine also checks the key -parity, and returns a zero if the key parity is correct (odd), a -1 -indicating a key parity error, or a -2 indicating use of an illegal -weak key. If an error is returned, the key schedule was not created. -.PP -.PP -.I des_ecb_encrypt -is the basic DES encryption routine that encrypts or decrypts a single 8-byte -block in -.B electronic code book -mode. It always transforms the input data, pointed to by -.I input, -into the output data, pointed to by the -.I output -argument. 
-.PP -If the -.I encrypt -argument is non-zero, the -.I input -(cleartext) is encrypted into the -.I output -(ciphertext) using the key_schedule specified by the -.I schedule -argument, previously set via -.I des_set_key -.PP -If encrypt is zero, the -.I input -(now ciphertext) is decrypted into the -.I output -(now cleartext). -.PP -Input and output may overlap. -.PP -No meaningful value is returned. Void is not used for compatibility -with other compilers. -.PP -.PP -.I des_cbc_encrypt -encrypts/decrypts using the -.B cipher-block-chaining mode of DES. -If the -.I encrypt -argument is non-zero, the routine cipher-block-chain encrypts -the cleartext data pointed to by the -.I input -argument into the ciphertext pointed to by the -.I output -argument, using the key schedule provided by the -.I schedule -argument, and initialization vector provided by the -.I ivec -argument. -If the -.I length -argument is not an integral -multiple of eight bytes, the last block is copied to a temp and zero -filled (highest addresses). The output is ALWAYS an integral multiple -of eight bytes. -.PP -If -.I encrypt -is zero, the routine cipher-block chain decrypts the (now) ciphertext -data pointed to by the -.I input -argument into (now) cleartext pointed to by the -.I output -argument using the key schedule provided by the -.I schedule -argument, and initialization vector provided by the -.I ivec -argument. Decryption ALWAYS operates on integral -multiples of 8 bytes, so it will round the -.I length -provided up to the -appropriate multiple. Consequently, it will always produce the rounded-up -number of bytes of output cleartext. The application must determine if -the output cleartext was zero-padded due to original cleartext lengths that -were not integral multiples of 8. -.PP -No errors or meaningful values are returned. Void is not used for -compatibility with other compilers. 
-.PP -A characteristic of cbc mode is that changing a single bit of the -cleartext, then encrypting using cbc mode, -affects ALL the subsequent ciphertext. This makes cryptanalysis -much more difficult. However, modifying a single bit of the ciphertext, -then decrypting, only affects the resulting cleartext from -the modified block and the succeeding block. Therefore, -.I des_pcbc_encrypt -is STRONGLY recommended for applications where -indefinite propagation of errors is required in order to detect modifications. -.PP -.PP -.I des_pcbc_encrypt -encrypts/decrypts using a modified block chaining mode. Its calling -sequence is identical to -.I des_cbc_encrypt. -It differs in its error propagation characteristics. -.PP -.I des_pcbc_encrypt -is highly recommended for most encryption purposes, in that -modification of a single bit of the ciphertext will affect ALL the -subsequent (decrypted) cleartext. Similarly, modifying a single bit of -the cleartext will affect ALL the subsequent (encrypted) ciphertext. -"PCBC" mode, on encryption, "xors" both the -cleartext of block N and the ciphertext resulting from block N with the -cleartext for block N+1 prior to encrypting block N+1. -.PP -.I des_cbc_cksum -produces an 8 byte cryptographic checksum by cipher-block-chain -encrypting the cleartext data pointed to by the -.I input -argument. All of the ciphertext output is discarded, except the -last 8-byte ciphertext block, which is written into the area pointed to by -the -.I output -argument. -It uses the key schedule, -provided by the -.I schedule -argument and initialization vector provided by the -.I ivec -argument. -If the -.I length -argument is not an integral -multiple of eight bytes, the last cleartext block is copied to a temp and zero -filled (highest addresses). The output is ALWAYS eight bytes. -.PP -The routine also returns an unsigned long, which is the last (highest address) -half of the 8 byte checksum computed. 
-.PP -.PP -.I quad_cksum -produces a checksum by chaining quadratic operations on the cleartext data -pointed to by the -.I input -argument. The -.I length -argument specifies the length of the -input -- only exactly that many bytes are included for the checksum, -without any padding. -.PP -The algorithm may be iterated over the same input data, if the -.I out_count -argument is 2, 3 or 4, and the optional -.I output -argument is a non-null pointer . -The default is one iteration, and it will not run -more than 4 times. Multiple iterations run slower, but provide -a longer checksum if desired. The -.I seed -argument provides an 8-byte seed for the first iteration. If multiple iterations are -requested, the results of one iteration are automatically used as -the seed for the next iteration. -.PP -It returns both an unsigned long checksum value, and -if the -.I output -argument is not a null pointer, up to 16 bytes of -the computed checksum are written into the output. -.PP -.PP -.SH FILES -/usr/include/des.h -.br -/usr/lib/libdes.a -.SH "SEE ALSO" -.SH DIAGNOSTICS -.SH BUGS -This software has not yet been compiled or tested on machines other than the -VAX and the IBM PC. -.SH AUTHORS -Steve Miller, MIT Project Athena/Digital Equipment Corporation -.SH RESTRICTIONS -COPYRIGHT 1985,1986 Massachusetts Institute of Technology -.PP -This software may not be exported outside of the US without a special -license from the US Dept of Commerce. It may be replaced by any secret -key block cipher with block length and key length of 8 bytes, as long -as the interface is the same as described here. diff --git a/eBones/man/ext_srvtab.8 b/eBones/man/ext_srvtab.8 deleted file mode 100644 index af980a9f1465..000000000000 --- a/eBones/man/ext_srvtab.8 +++ /dev/null 
@@ -1,63 +0,0 @@ -.\" from: ext_srvtab.8,v 4.2 89/07/18 16:53:18 jtkohl Exp $ -.\" $Id: ext_srvtab.8,v 1.2 1994/07/19 19:27:20 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH EXT_SRVTAB 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -ext_srvtab \- extract service key files from Kerberos key distribution center database -.SH SYNOPSIS -ext_srvtab [ -.B \-n -] [ -.B \-r realm -] [ -.B hostname ... -] -.SH DESCRIPTION -.I ext_srvtab -extracts service key files from the Kerberos key distribution center -(KDC) database. -.PP -Upon execution, it prompts the user to enter the master key string for -the database. If the -.B \-n -option is specified, the master key is instead fetched from the master -key cache file. -.PP -For each -.I hostname -specified on the command line, -.I ext_srvtab -creates the service key file -.IR hostname -new-srvtab, -containing all the entries in the database with an instance field of -.I hostname. -This new file contains all the keys registered for Kerberos-mediated -service providing programs which use the -.IR krb_get_phost (3) -principal and instance conventions to run on the host -.IR hostname . -If the -.B \-r -option is specified, the realm fields in the extracted file will -match the given realm rather than the local realm. -.SH DIAGNOSTICS -.TP 20n -"verify_master_key: Invalid master key, does not match database." -The master key string entered was incorrect. -.SH FILES -.TP 20n -.IR hostname -new-srvtab -Service key file generated for -.I hostname -.TP -/kerberos/principal.pag, /kerberos/principal.dir -DBM files containing database -.TP -/.k -Master key cache file. -.SH SEE ALSO -read_service_key(3), krb_get_phost(3) diff --git a/eBones/man/kadmin.8 b/eBones/man/kadmin.8 deleted file mode 100644 index 6e1501571326..000000000000 --- a/eBones/man/kadmin.8 +++ /dev/null 
@@ -1,158 +0,0 @@ -.\" from: kadmin.8,v 4.2 89/07/25 17:20:02 jtkohl Exp $ -.\" $Id: kadmin.8,v 1.2 1994/07/19 19:27:22 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KADMIN 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kadmin \- network utility for Kerberos database administration -.SH SYNOPSIS -.B kadmin [-u user] [-r default_realm] [-m] -.SH DESCRIPTION -This utility provides a unified administration interface to -the -Kerberos -master database. -Kerberos -administrators -use -.I kadmin -to register new users and services to the master database, -and to change information about existing database entries. -For instance, an administrator can use -.I kadmin -to change a user's -Kerberos -password. -A Kerberos administrator is a user with an ``admin'' instance -whose name appears on one of the Kerberos administration access control -lists. If the \-u option is used, -.I user -will be used as the administrator instead of the local user. -If the \-r option is used, -.I default_realm -will be used as the default realm for transactions. Otherwise, -the local realm will be used by default. -If the \-m option is used, multiple requests will be permitted -on only one entry of the admin password. Some sites won't -support this option. - -The -.I kadmin -program communicates over the network with the -.I kadmind -program, which runs on the machine housing the Kerberos master -database. -The -.I kadmind -creates new entries and makes modifications to the database. - -When you enter the -.I kadmin -command, -the program displays a message that welcomes you and explains -how to ask for help. -Then -.I kadmin -waits for you to enter commands (which are described below). -It then asks you for your -.I admin -password before accessing the database. 
- -Use the -.I add_new_key -(or -.I ank -for short) -command to register a new principal -with the master database. -The command requires one argument, -the principal's name. The name -given can be fully qualified using -the standard -.I name.instance@realm -convention. -You are asked to enter your -.I admin -password, -then prompted twice to enter the principal's -new password. If no realm is specified, -the local realm is used unless another was -given on the commandline with the \-r flag. -If no instance is -specified, a null instance is used. If -a realm other than the default realm is specified, -you will need to supply your admin password for -the other realm. - -Use the -.I change_password (cpw) -to change a principal's -Kerberos -password. -The command requires one argument, -the principal's -name. -You are asked to enter your -.I admin -password, -then prompted twice to enter the principal's new password. -The name -given can be fully qualified using -the standard -.I name.instance@realm -convention. - -Use the -.I change_admin_password (cap) -to change your -.I admin -instance password. -This command requires no arguments. -It prompts you for your old -.I admin -password, then prompts you twice to enter the new -.I admin -password. If this is your first command, -the default realm is used. Otherwise, the realm -used in the last command is used. - -Use the -.I destroy_tickets (dest) -command to destroy your admin tickets explicitly. - -Use the -.I list_requests (lr) -command to get a list of possible commands. - -Use the -.I help -command to display -.IR kadmin's -various help messages. -If entered without an argument, -.I help -displays a general help message. -You can get detailed information on specific -.I kadmin -commands -by entering -.I help -.IR command_name . - -To quit the program, type -.IR quit . - -.SH BUGS -The user interface is primitive, and the command names could be better. 
- -.SH "SEE ALSO" -kerberos(1), kadmind(8), kpasswd(1), ksrvutil(8) -.br -``A Subsystem Utilities Package for UNIX'' by Ken Raeburn -.SH AUTHORS -Jeffrey I. Schiller, MIT Project Athena -.br -Emanuel Jay Berkenbilt, MIT Project Athena diff --git a/eBones/man/kadmind.8 b/eBones/man/kadmind.8 deleted file mode 100644 index 59075eec8bc6..000000000000 --- a/eBones/man/kadmind.8 +++ /dev/null 
@@ -1,117 +0,0 @@ -.\" from: kadmind.8,v 4.1 89/07/25 17:28:33 jtkohl Exp $ -.\" $Id: kadmind.8,v 1.2 1994/07/19 19:27:25 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KADMIND 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kadmind \- network daemon for Kerberos database administration -.SH SYNOPSIS -.B kadmind -[ -.B \-n -] [ -.B \-h -] [ -.B \-r realm -] [ -.B \-f filename -] [ -.B \-d dbname -] [ -.B \-a acldir -] -.SH DESCRIPTION -.I kadmind -is the network database server for the Kerberos password-changing and -administration tools. -.PP -Upon execution, it prompts the user to enter the master key string for -the database. -.PP -If the -.B \-n -option is specified, the master key is instead fetched from the master -key cache file. -.PP -If the -.B \-r -.I realm -option is specified, the admin server will pretend that its -local realm is -.I realm -instead of the actual local realm of the host it is running on. -This makes it possible to run a server for a foreign kerberos -realm. -.PP -If the -.B \-f -.I filename -option is specified, then that file is used to hold the log information -instead of the default. -.PP -If the -.B \-d -.I dbname -option is specified, then that file is used as the database name instead -of the default. -.PP -If the -.B \-a -.I acldir -option is specified, then -.I acldir -is used as the directory in which to search for access control lists -instead of the default. -.PP -If the -.B \-h -option is specified, -.I kadmind -prints out a short summary of the permissible control arguments, and -then exits. -.PP -When performing requests on behalf of clients, -.I kadmind -checks access control lists (ACLs) to determine the authorization of the client -to perform the requested action. -Currently three distinct access types are supported: -.TP 1i -Addition -(.add ACL file). 
If a principal is on this list, it may add new -principals to the database. -.TP -Retrieval -(.get ACL file). If a principal is on this list, it may retrieve -database entries. NOTE: A principal's private key is never returned by -the get functions. -.TP -Modification -(.mod ACL file). If a principal is on this list, it may modify entries -in the database. -.PP -A principal is always granted authorization to change its own password. -.SH FILES -.TP 20n -/kerberos/admin_server.syslog -Default log file. -.TP -/kerberos -Default access control list directory. -.TP -admin_acl.{add,get,mod} -Access control list files (within the directory) -.TP -/kerberos/principal.pag, /kerberos/principal.dir -Default DBM files containing database -.TP -/.k -Master key cache file. -.SH "SEE ALSO" -kerberos(1), kpasswd(1), kadmin(8), acl_check(3) -.SH AUTHORS -Douglas A. Church, MIT Project Athena -.br -John T. Kohl, Project Athena/Digital Equipment Corporation diff --git a/eBones/man/kdb_destroy.8 b/eBones/man/kdb_destroy.8 deleted file mode 100644 index 93db4662a7de..000000000000 --- a/eBones/man/kdb_destroy.8 +++ /dev/null 
@@ -1,33 +0,0 @@ -.\" from: kdb_destroy.8,v 4.1 89/01/23 11:08:02 jtkohl Exp $ -.\" $Id: kdb_destroy.8,v 1.2 1994/07/19 19:27:26 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KDB_DESTROY 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kdb_destroy \- destroy Kerberos key distribution center database -.SH SYNOPSIS -kdb_destroy -.SH DESCRIPTION -.I kdb_destroy -deletes a Kerberos key distribution center database. -.PP -The user is prompted to verify that the database should be destroyed. A -response beginning with `y' or `Y' confirms deletion. -Any other response aborts deletion. -.SH DIAGNOSTICS -.TP 20n -"Database cannot be deleted at /kerberos/principal" -The attempt to delete the database failed (probably due to a system or -access permission error). -.TP -"Database not deleted." -The user aborted the deletion. -.SH FILES -.TP 20n -/kerberos/principal.pag, /kerberos/principal.dir -DBM files containing database -.SH SEE ALSO -kdb_init(8) diff --git a/eBones/man/kdb_edit.8 b/eBones/man/kdb_edit.8 deleted file mode 100644 index 1cfd6ed0ca93..000000000000 --- a/eBones/man/kdb_edit.8 +++ /dev/null 
@@ -1,55 +0,0 @@ -.\" from: kdb_edit.8,v 4.1 89/01/23 11:08:55 jtkohl Exp $ -.\" $Id: kdb_edit.8,v 1.2 1994/07/19 19:27:27 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KDB_EDIT 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kdb_edit \- Kerberos key distribution center database editing utility -.SH SYNOPSIS -kdb_edit [ -.B \-n -] -.SH DESCRIPTION -.I kdb_edit -is used to create or change principals stored in the Kerberos key -distribution center (KDC) database. -.PP -When executed, -.I kdb_edit -prompts for the master key string and verifies that it matches the -master key stored in the database. -If the -.B \-n -option is specified, the master key is instead fetched from the master -key cache file. -.PP -Once the master key has been verified, -.I kdb_edit -begins a prompt loop. The user is prompted for the principal and -instance to be modified. If the entry is not found the user may create -it. -Once an entry is found or created, the user may set the password, -expiration date, maximum ticket lifetime, and attributes. -Default expiration dates, maximum ticket lifetimes, and attributes are -presented in brackets; if the user presses return the default is selected. -There is no default password. -The password RANDOM is interpreted specially, and if entered -the user may have the program select a random DES key for the -principal. -.PP -Upon successfully creating or changing the entry, ``Edit O.K.'' is -printed. -.SH DIAGNOSTICS -.TP 20n -"verify_master_key: Invalid master key, does not match database." -The master key string entered was incorrect. -.SH FILES -.TP 20n -/kerberos/principal.pag, /kerberos/principal.dir -DBM files containing database -.TP -/.k -Master key cache file. diff --git a/eBones/man/kdb_init.8 b/eBones/man/kdb_init.8 deleted file mode 100644 index 54537ad95ce4..000000000000 
--- a/eBones/man/kdb_init.8 +++ /dev/null @@ -1,41 +0,0 @@ -.\" from: kdb_init.8,v 4.1 89/01/23 11:09:02 jtkohl Exp $ -.\" $Id: kdb_init.8,v 1.2 1994/07/19 19:27:29 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KDB_INIT 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kdb_init \- Initialize Kerberos key distribution center database -.SH SYNOPSIS -kdb_init [ -.B realm -] -.SH DESCRIPTION -.I kdb_init -initializes a Kerberos key distribution center database, creating the -necessary principals. -.PP -If the optional -.I realm -argument is not present, -.I kdb_init -prompts for a realm name (defaulting to the definition in /usr/include/krb.h). -After determining the realm to be created, it prompts for -a master key password. The master key password is used to encrypt -every encryption key stored in the database. -.SH DIAGNOSTICS -.TP 20n -"/kerberos/principal: File exists" -An attempt was made to create a database on a machine which already had -an existing database. -.SH FILES -.TP 20n -/kerberos/principal.pag, /kerberos/principal.dir -DBM files containing database -.TP -/usr/include/krb.h -Include file defining default realm -.SH SEE ALSO -kdb_destroy(8) diff --git a/eBones/man/kdb_util.8 b/eBones/man/kdb_util.8 deleted file mode 100644 index 30a3b9f3d909..000000000000 --- a/eBones/man/kdb_util.8 +++ /dev/null 
@@ -1,64 +0,0 @@ -.\" from: kdb_util.8,v 4.1 89/01/23 11:09:11 jtkohl Exp $ -.\" $Id: kdb_util.8,v 1.2 1994/07/19 19:27:30 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KDB_UTIL 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kdb_util \- Kerberos key distribution center database utility -.SH SYNOPSIS -kdb_util -.B operation filename -.SH DESCRIPTION -.I kdb_util -allows the Kerberos key distribution center (KDC) database administrator to -perform utility functions on the database. -.PP -.I Operation -must be one of the following: -.TP 10n -.I load -initializes the KDC database with the records described by the -text contained in the file -.IR filename . -Any existing database is overwritten. -.TP -.I dump -dumps the KDC database into a text representation in the file -.IR filename . -.TP -.I slave_dump -performs a database dump like the -.I dump -operation, and additionally creates a semaphore file signalling the -propagation software that an update is available for distribution to -slave KDC databases. -.TP -.I new_master_key -prompts for the old and new master key strings, and then dumps the KDC -database into a text representation in the file -.IR filename . -The keys in the text representation are encrypted in the new master key. -.TP -.I convert_old_db -prompts for the master key string, and then dumps the KDC database into -a text representation in the file -.IR filename . -The existing database is assumed to be encrypted using the old format -(encrypted by the key schedule of the master key); the dumped database -is encrypted using the new format (encrypted directly with master key). -.PP -.SH DIAGNOSTICS -.TP 20n -"verify_master_key: Invalid master key, does not match database." -The master key string entered was incorrect. 
-.SH FILES -.TP 20n -/kerberos/principal.pag, /kerberos/principal.dir -DBM files containing database -.TP -.IR filename .ok -semaphore file created by -.IR slave_dump. diff --git a/eBones/man/kdestroy.1 b/eBones/man/kdestroy.1 deleted file mode 100644 index 709935366e73..000000000000 --- a/eBones/man/kdestroy.1 +++ /dev/null 
@@ -1,81 +0,0 @@ -.\" from: kdestroy.1,v 4.9 89/01/23 11:39:50 jtkohl Exp $ -.\" $Id: kdestroy.1,v 1.2 1994/07/19 19:27:32 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KDESTROY 1 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kdestroy \- destroy Kerberos tickets -.SH SYNOPSIS -.B kdestroy -[ -.B \-f -] -[ -.B \-q -] -.SH DESCRIPTION -The -.I kdestroy -utility destroys the user's active -Kerberos -authorization tickets by writing zeros to the file that contains them. -If the ticket file does not exist, -.I kdestroy -displays a message to that effect. -.PP -After overwriting the file, -.I kdestroy -removes the file from the system. -The utility -displays a message indicating the success or failure of the -operation. -If -.I kdestroy -is unable to destroy the ticket file, -the utility will warn you by making your terminal beep. -.PP -In the Athena workstation environment, -the -.I toehold -service automatically destroys your tickets when you -end a workstation session. -If your site does not provide a similar ticket-destroying mechanism, -you can place the -.I kdestroy -command in your -.I .logout -file so that your tickets are destroyed automatically -when you logout. -.PP -The options to -.I kdestroy -are as follows: -.TP 7 -.B \-f -.I kdestroy -runs without displaying the status message. -.TP -.B \-q -.I kdestroy -will not make your terminal beep if it fails to destroy the tickets. -.SH FILES -KRBTKFILE environment variable if set, otherwise -.br -/tmp/tkt[uid] -.SH SEE ALSO -kerberos(1), kinit(1), klist(1) -.SH BUGS -.PP -Only the tickets in the user's current ticket file are destroyed. -Separate ticket files are used to hold root instance and password -changing tickets. These files should probably be destroyed too, or -all of a user's tickets kept in a single ticket file. 
-.SH AUTHORS -Steve Miller, MIT Project Athena/Digital Equipment Corporation -.br -Clifford Neuman, MIT Project Athena -.br -Bill Sommerfeld, MIT Project Athena diff --git a/eBones/man/kerberos.1 b/eBones/man/kerberos.1 deleted file mode 100644 index c489b880c23c..000000000000 --- a/eBones/man/kerberos.1 +++ /dev/null 
@@ -1,259 +0,0 @@ -.\" from: kerberos.1,v 4.7 89/01/23 11:39:33 jtkohl Exp $ -.\" $Id: kerberos.1,v 1.2 1994/07/19 19:27:33 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KERBEROS 1 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kerberos \- introduction to the Kerberos system - -.SH DESCRIPTION -The -Kerberos -system authenticates -individual users in a network environment. -After authenticating yourself to -Kerberos, -you can use network utilities such as -.IR rlogin , -.IR rcp , -and -.IR rsh -without -having to present passwords to remote hosts and without having to bother -with -.I \.rhosts -files. -Note that these utilities will work without passwords only if -the remote machines you deal with -support the -Kerberos -system. -All Athena timesharing machines and public workstations support -Kerberos. -.PP -Before you can use -Kerberos, -you must register as an Athena user, -and you must make sure you have been added to -the -Kerberos -database. -You can use the -.I kinit -command to find out. -This command -tries to log you into the -Kerberos -system. -.I kinit -will prompt you for a username and password. -Enter your username and password. -If the utility lets you login without giving you a message, -you have already been registered. -.PP -If you enter your username and -.I kinit -responds with this message: -.nf - -Principal unknown (kerberos) - -.fi -you haven't been registered as a -Kerberos -user. -See your system administrator. -.PP -A Kerberos name contains three parts. -The first is the -.I principal name, -which is usually a user's or service's name. -The second is the -.I instance, -which in the case of a user is usually null. -Some users may have privileged instances, however, -such as ``root'' or ``admin''. -In the case of a service, the instance is the -name of the machine on which it runs; i.e. 
there -can be an -.I rlogin -service running on the machine ABC, which -is different from the rlogin service running on -the machine XYZ. -The third part of a Kerberos name -is the -.I realm. -The realm corresponds to the Kerberos service providing -authentication for the principal. -For example, at MIT there is a Kerberos running at the -Laboratory for Computer Science and one running at -Project Athena. -.PP -When writing a Kerberos name, the principal name is -separated from the instance (if not null) by a period, -and the realm (if not the local realm) follows, preceded by -an ``@'' sign. -The following are examples of valid Kerberos names: -.sp -.nf -.in +8 -billb -jis.admin -srz@lcs.mit.edu -treese.root@athena.mit.edu -.in -8 -.fi -.PP -When you authenticate yourself with -Kerberos, -through either the workstation -.I toehold -system or the -.I kinit -command, -Kerberos -gives you an initial -Kerberos -.IR ticket . -(A -Kerberos -ticket -is an encrypted protocol message that provides authentication.) -Kerberos -uses this ticket for network utilities -such as -.I rlogin -and -.IR rcp . -The ticket transactions are done transparently, -so you don't have to worry about their management. -.PP -Note, however, that tickets expire. -Privileged tickets, such as root instance tickets, -expire in a few minutes, while tickets that carry more ordinary -privileges may be good for several hours or a day, depending on the -installation's policy. -If your login session extends beyond the time limit, -you will have to re-authenticate yourself to -Kerberos -to get new tickets. -Use the -.IR kinit -command to re-authenticate yourself. -.PP -If you use the -.I kinit -command to get your tickets, -make sure you use the -.I kdestroy -command -to destroy your tickets before you end your login session. -You should probably put the -.I kdestroy -command in your -.I \.logout -file so that your tickets will be destroyed automatically when you logout. 
-For more information about the -.I kinit -and -.I kdestroy -commands, -see the -.I kinit(1) -and -.I kdestroy(1) -manual pages. -.PP -Currently, -Kerberos -supports the following network services: -.IR rlogin , -.IR rsh , -and -.IR rcp . -Other services are being worked on, -such as the -.IR pop -mail system and NFS (network file system), -but are not yet available. - -.SH "SEE ALSO" -kdestroy(1), kinit(1), klist(1), kpasswd(1), des_crypt(3), kerberos(3), -kadmin(8) -.SH BUGS -Kerberos -will not do authentication forwarding. -In other words, -if you use -.I rlogin -to login to a remote host, -you cannot use -Kerberos -services from that host -until you authenticate yourself explicitly on that host. -Although you may need to authenticate yourself on the remote -host, -be aware that when you do so, -.I rlogin -sends your password across the network in clear text. - -.SH AUTHORS -Steve Miller, MIT Project Athena/Digital Equipment Corporation -.br -Clifford Neuman, MIT Project Athena - -The following people helped out on various aspects of the system: - -Jeff Schiller designed and wrote the administration server and its -user interface, kadmin. -He also wrote the dbm version of the database management system. - -Mark Colan developed the -Kerberos -versions of -.IR rlogin , -.IR rsh , -and -.IR rcp , -as well as contributing work on the servers. - -John Ostlund developed the -Kerberos -versions of -.I passwd -and -.IR userreg . - -Stan Zanarotti pioneered Kerberos in a foreign realm (LCS), -and made many contributions based on that experience. - -Many people contributed code and/or useful ideas, including -Jim Aspnes, -Bob Baldwin, -John Barba, -Richard Basch, -Jim Bloom, -Bill Bryant, -Rob French, -Dan Geer, -David Jedlinsky, -John Kohl, -John Kubiatowicz, -Bob McKie, -Brian Murphy, -Ken Raeburn, -Chris Reed, -Jon Rochlis, -Mike Shanzer, -Bill Sommerfeld, -Jennifer Steiner, -Ted Ts'o, -and -Win Treese. 
- -.SH RESTRICTIONS - -COPYRIGHT 1985,1986 Massachusetts Institute of Technology diff --git a/eBones/man/kerberos.3 b/eBones/man/kerberos.3 deleted file mode 100644 index 30fa88520c5e..000000000000 --- a/eBones/man/kerberos.3 +++ /dev/null 
@@ -1,461 +0,0 @@ -.\" from: kerberos.3,v 4.9 89/01/23 16:28:19 steiner Exp $ -.\" $Id: kerberos.3,v 1.2 1994/07/19 19:27:35 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KERBEROS 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -krb_mk_req, krb_rd_req, krb_kntoln, krb_set_key, krb_get_cred, -krb_mk_priv, krb_rd_priv, krb_mk_safe, krb_rd_safe, krb_mk_err, -krb_rd_err, krb_ck_repl \- Kerberos authentication library -.SH SYNOPSIS -.nf -.nj -.ft B -#include <des.h> -#include <krb.h> -.PP -.ft B -extern char *krb_err_txt[]; -.PP -.ft B -int krb_mk_req(authent,service,instance,realm,checksum) -KTEXT authent; -char *service; -char *instance; -char *realm; -u_long checksum; -.PP -.ft B -int krb_rd_req(authent,service,instance,from_addr,ad,fn) -KTEXT authent; -char *service; -char *instance; -u_long from_addr; -AUTH_DAT *ad; -char *fn; -.PP -.ft B -int krb_kntoln(ad,lname) -AUTH_DAT *ad; -char *lname; -.PP -.ft B -int krb_set_key(key,cvt) -char *key; -int cvt; -.PP -.ft B -int krb_get_cred(service,instance,realm,c) -char *service; -char *instance; -char *realm; -CREDENTIALS *c; -.PP -.ft B -long krb_mk_priv(in,out,in_length,schedule,key,sender,receiver) -u_char *in; -u_char *out; -u_long in_length; -des_cblock key; -des_key_schedule schedule; -struct sockaddr_in *sender; -struct sockaddr_in *receiver; -.PP -.ft B -long krb_rd_priv(in,in_length,schedule,key,sender,receiver,msg_data) -u_char *in; -u_long in_length; -Key_schedule schedule; -des_cblock key; -struct sockaddr_in *sender; -struct sockaddr_in *receiver; -MSG_DAT *msg_data; -.PP -.ft B -long krb_mk_safe(in,out,in_length,key,sender,receiver) -u_char *in; -u_char *out; -u_long in_length; -des_cblock key; -struct sockaddr_in *sender; -struct sockaddr_in *receiver; -.PP -.ft B -long krb_rd_safe(in,length,key,sender,receiver,msg_data) -u_char *in; -u_long length; -des_cblock 
key; -struct sockaddr_in *sender; -struct sockaddr_in *receiver; -MSG_DAT *msg_data; -.PP -.ft B -long krb_mk_err(out,code,string) -u_char *out; -long code; -char *string; -.PP -.ft B -long krb_rd_err(in,length,code,msg_data) -u_char *in; -u_long length; -long code; -MSG_DAT *msg_data; -.fi -.ft R -.SH DESCRIPTION -This library supports network authentication and various related -operations. The library contains many routines beyond those described -in this man page, but they are not intended to be used directly. -Instead, they are called by the routines that are described, the -authentication server and the login program. -.PP -.I krb_err_txt[] -contains text string descriptions of various Kerberos error codes returned -by some of the routines below. -.PP -.I krb_mk_req -takes a pointer to a text structure in which an authenticator is to be -built. It also takes the name, instance, and realm of the service to be -used and an optional checksum. It is up to the application to decide -how to generate the checksum. -.I krb_mk_req -then retrieves a ticket for the desired service and creates an -authenticator. The authenticator is built in -.I authent -and is accessible -to the calling procedure. -.PP -It is up to the application to get the authenticator to the service -where it will be read by -.I krb_rd_req. -Unless an attacker posesses the session key contained in the ticket, it -will be unable to modify the authenticator. Thus, the checksum can be -used to verify the authenticity of the other data that will pass through -a connection. -.PP -.I krb_rd_req -takes an authenticator of type -.B KTEXT, -a service name, an instance, the address of the -host originating the request, and a pointer to a structure of type -.B AUTH_DAT -which is filled in with information obtained from the authenticator. -It also optionally takes the name of the file in which it will find the -secret key(s) for the service. 
-If the supplied -.I instance -contains "*", then the first service key with the same service name -found in the service key file will be used, and the -.I instance -argument will be filled in with the chosen instance. This means that -the caller must provide space for such an instance name. -.PP -It is used to find out information about the principal when a request -has been made to a service. It is up to the application protocol to get -the authenticator from the client to the service. The authenticator is -then passed to -.I krb_rd_req -to extract the desired information. -.PP -.I krb_rd_req -returns zero (RD_AP_OK) upon successful authentication. If a packet was -forged, modified, or replayed, authentication will fail. If the -authentication fails, a non-zero value is returned indicating the -particular problem encountered. See -.I krb.h -for the list of error codes. -.PP -If the last argument is the null string (""), krb_rd_req will use the -file /etc/srvtab to find its keys. If the last argument is NULL, it -will assume that the key has been set by -.I krb_set_key -and will not bother looking further. -.PP -.I krb_kntoln -converts a Kerberos name to a local name. It takes a structure -of type AUTH_DAT and uses the name and instance to look in the database -/etc/aname to find the corresponding local name. The local name is -returned and can be used by an application to change uids, directories, -or other parameters. It is not an integral part of Kerberos, but is -instead provided to support the use of Kerberos in existing utilities. -.PP -.I krb_set_key -takes as an argument a des key. It then creates -a key schedule from it and saves the original key to be used as an -initialization vector. -It is used to set the server's key which -must be used to decrypt tickets. -.PP -If called with a non-zero second argument, -.I krb_set_key -will first convert the input from a string of arbitrary length to a DES -key by encrypting it with a one-way function. 
-.PP -In most cases it should not be necessary to call -.I krb_set_key. -The necessary keys will usually be obtained and set inside -.I krb_rd_req. krb_set_key -is provided for those applications that do not wish to place the -application keys on disk. -.PP -.I krb_get_cred -searches the caller's ticket file for a ticket for the given service, instance, -and realm; and, if a ticket is found, fills in the given CREDENTIALS structure -with the ticket information. -.PP -If the ticket was found, -.I krb_get_cred -returns GC_OK. -If the ticket file can't be found, can't be read, doesn't belong to -the user (other than root), isn't a regular file, or is in the wrong -mode, the error GC_TKFIL is returned. -.PP -.I krb_mk_priv -creates an encrypted, authenticated -message from any arbitrary application data, pointed to by -.I in -and -.I in_length -bytes long. -The private session key, pointed to by -.I key -and the key schedule, -.I schedule, -are used to encrypt the data and some header information using -.I pcbc_encrypt. -.I sender -and -.I receiver -point to the Internet address of the two parties. -In addition to providing privacy, this protocol message protects -against modifications, insertions or replays. The encapsulated message and -header are placed in the area pointed to by -.I out -and the routine returns the length of the output, or -1 indicating -an error. -.PP -.I krb_rd_priv -decrypts and authenticates a received -.I krb_mk_priv -message. -.I in -points to the beginning of the received message, whose length -is specified in -.I in_length. -The private session key, pointed to by -.I key, -and the key schedule, -.I schedule, -are used to decrypt and verify the received message. -.I msg_data -is a pointer to a -.I MSG_DAT -struct, defined in -.I krb.h. 
-The routine fills in the -.I app_data -field with a pointer to the decrypted application data, -.I app_length -with the length of the -.I app_data -field, -.I time_sec -and -.I time_5ms -with the timestamps in the message, and -.I swap -with a 1 if the byte order of the receiver is different than that of -the sender. (The application must still determine if it is appropriate -to byte-swap application data; the Kerberos protocol fields are already taken -care of). The -.I hash -field returns a value useful as input to the -.I krb_ck_repl -routine. - -The routine returns zero if ok, or a Kerberos error code. Modified messages -and old messages cause errors, but it is up to the caller to -check the time sequence of messages, and to check against recently replayed -messages using -.I krb_ck_repl -if so desired. -.PP -.I krb_mk_safe -creates an authenticated, but unencrypted message from any arbitrary -application data, -pointed to by -.I in -and -.I in_length -bytes long. -The private session key, pointed to by -.I key, -is used to seed the -.I quad_cksum() -checksum algorithm used as part of the authentication. -.I sender -and -.I receiver -point to the Internet address of the two parties. -This message does not provide privacy, but does protect (via detection) -against modifications, insertions or replays. The encapsulated message and -header are placed in the area pointed to by -.I out -and the routine returns the length of the output, or -1 indicating -an error. -The authentication provided by this routine is not as strong as that -provided by -.I krb_mk_priv -or by computing the checksum using -.I cbc_cksum -instead, both of which authenticate via DES. -.PP - -.I krb_rd_safe -authenticates a received -.I krb_mk_safe -message. -.I in -points to the beginning of the received message, whose length -is specified in -.I in_length. -The private session key, pointed to by -.I key, -is used to seed the quad_cksum() routine as part of the authentication. 
-.I msg_data -is a pointer to a -.I MSG_DAT -struct, defined in -.I krb.h . -The routine fills in these -.I MSG_DAT -fields: -the -.I app_data -field with a pointer to the application data, -.I app_length -with the length of the -.I app_data -field, -.I time_sec -and -.I time_5ms -with the timestamps in the message, and -.I swap -with a 1 if the byte order of the receiver is different than that of -the sender. -(The application must still determine if it is appropriate -to byte-swap application data; the Kerberos protocol fields are already taken -care of). The -.I hash -field returns a value useful as input to the -.I krb_ck_repl -routine. - -The routine returns zero if ok, or a Kerberos error code. Modified messages -and old messages cause errors, but it is up to the caller to -check the time sequence of messages, and to check against recently replayed -messages using -.I krb_ck_repl -if so desired. -.PP -.I krb_mk_err -constructs an application level error message that may be used along -with -.I krb_mk_priv -or -.I krb_mk_safe. -.I out -is a pointer to the output buffer, -.I code -is an application specific error code, and -.I string -is an application specific error string. - -.PP -.I krb_rd_err -unpacks a received -.I krb_mk_err -message. -.I in -points to the beginning of the received message, whose length -is specified in -.I in_length. -.I code -is a pointer to a value to be filled in with the error -value provided by the application. -.I msg_data -is a pointer to a -.I MSG_DAT -struct, defined in -.I krb.h . -The routine fills in these -.I MSG_DAT -fields: the -.I app_data -field with a pointer to the application error text, -.I app_length -with the length of the -.I app_data -field, and -.I swap -with a 1 if the byte order of the receiver is different than that of -the sender. (The application must still determine if it is appropriate -to byte-swap application data; the Kerberos protocol fields are already taken -care of). 
- -The routine returns zero if the error message has been successfully received, -or a Kerberos error code. -.PP -The -.I KTEXT -structure is used to pass around text of varying lengths. It consists -of a buffer for the data, and a length. krb_rd_req takes an argument of this -type containing the authenticator, and krb_mk_req returns the -authenticator in a structure of this type. KTEXT itself is really a -pointer to the structure. The actual structure is of type KTEXT_ST. -.PP -The -.I AUTH_DAT -structure is filled in by krb_rd_req. It must be allocated before -calling krb_rd_req, and a pointer to it is passed. The structure is -filled in with data obtained from Kerberos. -.I MSG_DAT -structure is filled in by either krb_rd_priv, krb_rd_safe, or -krb_rd_err. It must be allocated before the call and a pointer to it -is passed. The structure is -filled in with data obtained from Kerberos. -.PP -.SH FILES -/usr/include/krb.h -.br -/usr/lib/libkrb.a -.br -/usr/include/des.h -.br -/usr/lib/libdes.a -.br -/etc/aname -.br -/etc/srvtab -.br -/tmp/tkt[uid] -.SH "SEE ALSO" -kerberos(1), des_crypt(3) -.SH DIAGNOSTICS -.SH BUGS -The caller of -.I krb_rd_req, krb_rd_priv, and krb_rd_safe -must check time order and for replay attempts. -.I krb_ck_repl -is not implemented yet. -.SH AUTHORS -Clifford Neuman, MIT Project Athena -.br -Steve Miller, MIT Project Athena/Digital Equipment Corporation -.SH RESTRICTIONS -COPYRIGHT 1985,1986,1989 Massachusetts Institute of Technology diff --git a/eBones/man/kerberos.point b/eBones/man/kerberos.point deleted file mode 100644 index a75ae2c7e1ad..000000000000 --- a/eBones/man/kerberos.point +++ /dev/null @@ -1 +0,0 @@ -.so man3/kerberos.3 diff --git a/eBones/man/kinit.1 b/eBones/man/kinit.1 deleted file mode 100644 index f9a97a738201..000000000000 --- a/eBones/man/kinit.1 +++ /dev/null 
@@ -1,133 +0,0 @@ -.\" from: kinit.1,v 4.6 89/01/23 11:39:11 jtkohl Exp $ -.\" $Id: kinit.1,v 1.2 1994/07/19 19:27:36 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KINIT 1 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kinit \- Kerberos login utility -.SH SYNOPSIS -.B kinit -[ -.B \-irvl -] -.SH DESCRIPTION -The -.I kinit -command is used to login to the -Kerberos -authentication and authorization system. -Note that only registered -Kerberos -users can use the -Kerberos -system. -For information about registering as a -Kerberos -user, -see the -.I kerberos(1) -manual page. -.PP -If you are logged in to a workstation that is running the -.I toehold -service, -you do not have to use -.I kinit. -The -.I toehold -login procedure will log you into -Kerberos -automatically. -You will need to use -.I kinit -only in those situations in which -your original tickets have expired. -(Tickets expire in about a day.) -Note as well that -.I toehold -will automatically destroy your tickets when you logout from the workstation. -.PP -When you use -.I kinit -without options, -the utility -prompts for your username and Kerberos password, -and tries to authenticate your login with the local -Kerberos -server. -.PP -If -Kerberos -authenticates the login attempt, -.I kinit -retrieves your initial ticket and puts it in the ticket file specified by -your KRBTKFILE environment variable. -If this variable is undefined, -your ticket will be stored in the -.IR /tmp -directory, -in the file -.I tktuid , -where -.I uid -specifies your user identification number. -.PP -If you have logged in to -Kerberos -without the benefit of the workstation -.I toehold -system, -make sure you use the -.I kdestroy -command to destroy any active tickets before you end your login session. 
-You may want to put the -.I kdestroy -command in your -.I \.logout -file so that your tickets will be destroyed automatically when you logout. -.PP -The options to -.I kinit -are as follows: -.TP 7 -.B \-i -.I kinit -prompts you for a -Kerberos -instance. -.TP -.B \-r -.I kinit -prompts you for a -Kerberos -realm. -This option lets you authenticate yourself with a remote -Kerberos -server. -.TP -.B \-v -Verbose mode. -.I kinit -prints the name of the ticket file used, and -a status message indicating the success or failure of -your login attempt. -.TP -.B \-l -.I kinit -prompts you for a ticket lifetime in minutes. Due to protocol -restrictions in Kerberos Version 4, this value must be between 5 and -1275 minutes. -.SH SEE ALSO -.PP -kerberos(1), kdestroy(1), klist(1), toehold(1) -.SH BUGS -The -.B \-r -option has not been fully implemented. -.SH AUTHORS -Steve Miller, MIT Project Athena/Digital Equipment Corporation -.br -Clifford Neuman, MIT Project Athena diff --git a/eBones/man/klist.1 b/eBones/man/klist.1 deleted file mode 100644 index a66e668a430e..000000000000 --- a/eBones/man/klist.1 +++ /dev/null 
@@ -1,84 +0,0 @@ -.\" from: klist.1,v 4.8 89/01/24 14:35:09 jtkohl Exp $ -.\" $Id: klist.1,v 1.2 1994/07/19 19:27:38 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KLIST 1 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -klist \- list currently held Kerberos tickets -.SH SYNOPSIS -.B klist -[ -\fB\-s \fR|\fB \-t\fR -] [ -.B \-file -name ] [ -.B \-srvtab -] -.br -.SH DESCRIPTION -.I klist -prints the name of the tickets file and the -identity of the principal the tickets are for (as listed in the -tickets file), and -lists the principal names of all Kerberos tickets currently held by -the user, along with the issue and expire time for each authenticator. -Principal names are listed in the form -.I name.instance@realm, -with the '.' omitted if the instance is null, -and the '@' omitted if the realm is null. - -If given the -.B \-s -option, -.I klist -does not print the issue and expire times, the name of the tickets file, -or the identity of the principal. - -If given the -.B \-t -option, -.B klist -checks for the existence of a non-expired ticket-granting-ticket in the -ticket file. If one is present, it exits with status 0, else it exits -with status 1. No output is generated when this option is specified. - -If given the -.B \-file -option, the following argument is used as the ticket file. -Otherwise, if the -.B KRBTKFILE -environment variable is set, it is used. -If this environment variable -is not set, the file -.B /tmp/tkt[uid] -is used, where -.B uid -is the current user-id of the user. - -If given the -.B \-srvtab -option, the file is treated as a service key file, and the names of the -keys contained therein are printed. If no file is -specified with a -.B \-file -option, the default is -.IR /etc/srvtab . 
-.SH FILES -.TP 2i -/etc/krb.conf -to get the name of the local realm -.TP -/tmp/tkt[uid] -as the default ticket file ([uid] is the decimal UID of the user). -.TP -/etc/srvtab -as the default service key file -.SH SEE ALSO -.PP -kerberos(1), kinit(1), kdestroy(1) -.SH BUGS -When reading a file as a service key file, very little sanity or error -checking is performed. diff --git a/eBones/man/klogind.8 b/eBones/man/klogind.8 deleted file mode 100644 index 459cd263380a..000000000000 --- a/eBones/man/klogind.8 +++ /dev/null 
@@ -1,122 +0,0 @@ -.\" from: klogind.8,v 4.1 89/01/23 11:39:30 jtkohl Exp $ -.\" $Id: klogind.8,v 1.2 1994/07/19 19:27:39 g89r4222 Exp $ -.\" -.\" Copyright (c) 1983 The Regents of the University of California. -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms are permitted -.\" provided that the above copyright notice and this paragraph are -.\" duplicated in all such forms and that any documentation, -.\" advertising materials, and other materials related to such -.\" distribution and use acknowledge that the software was developed -.\" by the University of California, Berkeley. The name of the -.\" University may not be used to endorse or promote products derived -.\" from this software without specific prior written permission. -.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED -.\" WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. -.\" -.\" @(#)rlogind.8 6.4 (Berkeley) 9/19/88 -.\" -.TH KLOGIND 8 "Kerberos Version 4.0" "MIT Project Athena" -.UC 5 -.SH NAME -klogind \- remote login server -.SH SYNOPSIS -.B /usr/etc/klogind -.br -.B /usr/etc/Klogind -.br -.B /usr/etc/eklogind -.SH DESCRIPTION -.I Klogind -is the server for the Kerberos version of the -.IR rlogin (1) -program. The server provides a remote login facility -with authentication provided by Kerberos. -.PP -.I Klogind -listens for service requests at the port indicated in -the ``klogin'' or ``eklogin'' service specification; see -.IR services (5). -.PP -Invocation as Klogind is intended for secure -hosts to which no password access will be granted; invocation as klogind -is intended for normal hosts to which password access may be granted if -Kerberos authorization fails; invocation as eklogind provides an -encrypted communications channel. A host can run either Klogind or -klogind but not both (they use the same port, ``klogin''). 
Eklogind may -be run independently. -.PP -When a service request is received, the server checks the client's -source address and requests the corresponding host name (see -.IR gethostbyaddr (3N), -.IR hosts (5) -and -.IR named (8)). -If the hostname cannot be determined, -the dot-notation representation of the host address is used. -.PP -Once the source address has been checked, -.I klogind -allocates a pseudo terminal (see -.IR pty (4)), -and manipulates file descriptors so that the slave -half of the pseudo terminal becomes the -.B stdin , -.B stdout , -and -.B stderr -for a login process. -The login process is an instance of the -.IR login (1) -program, invoked with the -.B \-k, -.B \-K, -or -.B \-e -option, depending on whether the klogind was started as klogind, Klogind -or eklogind, respectively. -The login process then proceeds with the -authentication process as described in -.IR kshd (8), -but if automatic authentication fails, it reprompts the user -to login as one finds on a standard terminal line. -.PP -The parent of the login process manipulates the master side of -the pseudo terminal, operating as an intermediary -between the login process and the client instance of the -.I rlogin -program. If klogind is invoked as eklogind, all data passed over -the network are encrypted. -In normal operation, the packet protocol described -in -.IR pty (4) -is invoked to provide ^S/^Q type facilities and propagate -interrupt signals to the remote programs. The login process -propagates the client terminal's baud rate and terminal type, -as found in the environment variable, ``TERM''; see -.IR environ (7). -The screen or window size of the terminal is requested from the client, -and window size changes from the client are propagated to the pseudo terminal. -.SH DIAGNOSTICS -All diagnostic messages are returned on the connection -associated with the -.BR stderr , -after which any network connections are closed. 
-An error is indicated by a leading byte with a value of 1. -.PP -.B ``Try again.'' -.br -A -.I fork -by the server failed. -.PP -.B ``/bin/sh: ...'' -.br -The user's login shell could not be started. -.SH SEE ALSO -kerberos(3) -.SH BUGS -.PP -A more extensible protocol should be used. diff --git a/eBones/man/kpasswd.1 b/eBones/man/kpasswd.1 deleted file mode 100644 index 2283f1fa4c79..000000000000 --- a/eBones/man/kpasswd.1 +++ /dev/null 
@@ -1,86 +0,0 @@ -.\" from: kpasswd.1,v 4.2 89/07/25 17:23:08 jtkohl Exp $ -.\" $Id: kpasswd.1,v 1.2 1994/07/19 19:27:40 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KPASSWD 1 "Kerberos Version 4.0" "MIT Project Athena" -.FM mit -.SH NAME -kpasswd \- change a user's Kerberos password -.SH SYNOPSIS -.B kpasswd -[ -.B \-h -] [ -.B \-n -.I name -] [ -.B \-i -.I instance -] [ -.B \-r -.I realm -] [ -\-u -.IR username[.instance][@realm] ] -.SH DESCRIPTION -The -.I kpasswd -command is used to change a Kerberos principal's password. -.PP -If the -.I \-h -option is specified, a brief summary of the options is printed, and -.I kpasswd -then exits. -.PP -If the -.I \-n -option is specified, -.I name -is used as the principal name rather than the username of the user -running -.IR kpasswd . -(This is determined from the ticket file if it exists; -otherwise, it is determined from the unix user id.) -.PP -If the -.I \-i -option is specified, -.I instance -is used as the instance rather than a null instance. -.PP -If the -.I \-r -option is specified, -.I realm -is used as the realm rather than the local realm. -.PP -If the -.I \-u -option is specified, a fully qualified kerberos -principal can be given. -.PP - -The utility prompts for the current Kerberos password (printing -the name of the principal for which it intends to change the password), -which is verified by the Kerberos server. If the old password is -correct, the user is prompted twice for the new password. A message is -printed indicating the success or failure of the password changing -operation. - -.SH BUGS - -.I kpasswd -does not handle names, instances, or realms with special -characters in them when the -n, -i, or -r options are used. Any -valid fullname is accepted, however, if the -u option is used. 
- -If the principal whose password you are trying to change does -not exist, you will not be told until after you have entered the -old password. - -.SH SEE ALSO -kerberos(1), kinit(1), passwd(1), kadmin(8) diff --git a/eBones/man/krb.3 b/eBones/man/krb.3 deleted file mode 100644 index 208f034947cc..000000000000 --- a/eBones/man/krb.3 +++ /dev/null 
@@ -1,462 +0,0 @@ -.\" $Source: /usr/src/kerberosIV/man/RCS/krb.3,v $ -.\" $Author: bostic $ -.\" $Header: /usr/src/kerberosIV/man/RCS/krb.3,v 4.11 1994/04/19 14:16:56 bostic Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <mit-copyright.h>. -.\" -.TH KERBEROS 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -krb_mk_req, krb_rd_req, krb_kntoln, krb_set_key, krb_get_cred, -krb_mk_priv, krb_rd_priv, krb_mk_safe, krb_rd_safe, krb_mk_err, -krb_rd_err, krb_ck_repl \- Kerberos authentication library -.SH SYNOPSIS -.nf -.nj -.ft B -#include <kerberosIV/des.h> -#include <kerberosIV/krb.h> -.PP -.ft B -extern char *krb_err_txt[]; -.PP -.ft B -int krb_mk_req(authent,service,instance,realm,checksum) -KTEXT authent; -char *service; -char *instance; -char *realm; -u_long checksum; -.PP -.ft B -int krb_rd_req(authent,service,instance,from_addr,ad,fn) -KTEXT authent; -char *service; -char *instance; -u_long from_addr; -AUTH_DAT *ad; -char *fn; -.PP -.ft B -int krb_kntoln(ad,lname) -AUTH_DAT *ad; -char *lname; -.PP -.ft B -int krb_set_key(key,cvt) -char *key; -int cvt; -.PP -.ft B -int krb_get_cred(service,instance,realm,c) -char *service; -char *instance; -char *realm; -CREDENTIALS *c; -.PP -.ft B -long krb_mk_priv(in,out,in_length,schedule,key,sender,receiver) -u_char *in; -u_char *out; -u_long in_length; -des_cblock key; -des_key_schedule schedule; -struct sockaddr_in *sender; -struct sockaddr_in *receiver; -.PP -.ft B -long krb_rd_priv(in,in_length,schedule,key,sender,receiver,msg_data) -u_char *in; -u_long in_length; -Key_schedule schedule; -des_cblock key; -struct sockaddr_in *sender; -struct sockaddr_in *receiver; -MSG_DAT *msg_data; -.PP -.ft B -long krb_mk_safe(in,out,in_length,key,sender,receiver) -u_char *in; -u_char *out; -u_long in_length; -des_cblock key; -struct sockaddr_in *sender; -struct sockaddr_in *receiver; -.PP -.ft B -long 
krb_rd_safe(in,length,key,sender,receiver,msg_data) -u_char *in; -u_long length; -des_cblock key; -struct sockaddr_in *sender; -struct sockaddr_in *receiver; -MSG_DAT *msg_data; -.PP -.ft B -long krb_mk_err(out,code,string) -u_char *out; -long code; -char *string; -.PP -.ft B -long krb_rd_err(in,length,code,msg_data) -u_char *in; -u_long length; -long code; -MSG_DAT *msg_data; -.fi -.ft R -.SH DESCRIPTION -This library supports network authentication and various related -operations. The library contains many routines beyond those described -in this man page, but they are not intended to be used directly. -Instead, they are called by the routines that are described, the -authentication server and the login program. -.PP -.I krb_err_txt[] -contains text string descriptions of various Kerberos error codes returned -by some of the routines below. -.PP -.I krb_mk_req -takes a pointer to a text structure in which an authenticator is to be -built. It also takes the name, instance, and realm of the service to be -used and an optional checksum. It is up to the application to decide -how to generate the checksum. -.I krb_mk_req -then retrieves a ticket for the desired service and creates an -authenticator. The authenticator is built in -.I authent -and is accessible -to the calling procedure. -.PP -It is up to the application to get the authenticator to the service -where it will be read by -.I krb_rd_req. -Unless an attacker possesses the session key contained in the ticket, it -will be unable to modify the authenticator. Thus, the checksum can be -used to verify the authenticity of the other data that will pass through -a connection. -.PP -.I krb_rd_req -takes an authenticator of type -.B KTEXT, -a service name, an instance, the address of the -host originating the request, and a pointer to a structure of type -.B AUTH_DAT -which is filled in with information obtained from the authenticator. 
-It also optionally takes the name of the file in which it will find the -secret key(s) for the service. -If the supplied -.I instance -contains "*", then the first service key with the same service name -found in the service key file will be used, and the -.I instance -argument will be filled in with the chosen instance. This means that -the caller must provide space for such an instance name. -.PP -It is used to find out information about the principal when a request -has been made to a service. It is up to the application protocol to get -the authenticator from the client to the service. The authenticator is -then passed to -.I krb_rd_req -to extract the desired information. -.PP -.I krb_rd_req -returns zero (RD_AP_OK) upon successful authentication. If a packet was -forged, modified, or replayed, authentication will fail. If the -authentication fails, a non-zero value is returned indicating the -particular problem encountered. See -.I krb.h -for the list of error codes. -.PP -If the last argument is the null string (""), krb_rd_req will use the -file /etc/srvtab to find its keys. If the last argument is NULL, it -will assume that the key has been set by -.I krb_set_key -and will not bother looking further. -.PP -.I krb_kntoln -converts a Kerberos name to a local name. It takes a structure -of type AUTH_DAT and uses the name and instance to look in the database -/etc/aname to find the corresponding local name. The local name is -returned and can be used by an application to change uids, directories, -or other parameters. It is not an integral part of Kerberos, but is -instead provided to support the use of Kerberos in existing utilities. -.PP -.I krb_set_key -takes as an argument a des key. It then creates -a key schedule from it and saves the original key to be used as an -initialization vector. -It is used to set the server's key which -must be used to decrypt tickets. 
-.PP -If called with a non-zero second argument, -.I krb_set_key -will first convert the input from a string of arbitrary length to a DES -key by encrypting it with a one-way function. -.PP -In most cases it should not be necessary to call -.I krb_set_key. -The necessary keys will usually be obtained and set inside -.I krb_rd_req. krb_set_key -is provided for those applications that do not wish to place the -application keys on disk. -.PP -.I krb_get_cred -searches the caller's ticket file for a ticket for the given service, instance, -and realm; and, if a ticket is found, fills in the given CREDENTIALS structure -with the ticket information. -.PP -If the ticket was found, -.I krb_get_cred -returns GC_OK. -If the ticket file can't be found, can't be read, doesn't belong to -the user (other than root), isn't a regular file, or is in the wrong -mode, the error GC_TKFIL is returned. -.PP -.I krb_mk_priv -creates an encrypted, authenticated -message from any arbitrary application data, pointed to by -.I in -and -.I in_length -bytes long. -The private session key, pointed to by -.I key -and the key schedule, -.I schedule, -are used to encrypt the data and some header information using -.I pcbc_encrypt. -.I sender -and -.I receiver -point to the Internet address of the two parties. -In addition to providing privacy, this protocol message protects -against modifications, insertions or replays. The encapsulated message and -header are placed in the area pointed to by -.I out -and the routine returns the length of the output, or -1 indicating -an error. -.PP -.I krb_rd_priv -decrypts and authenticates a received -.I krb_mk_priv -message. -.I in -points to the beginning of the received message, whose length -is specified in -.I in_length. -The private session key, pointed to by -.I key, -and the key schedule, -.I schedule, -are used to decrypt and verify the received message. -.I msg_data -is a pointer to a -.I MSG_DAT -struct, defined in -.I krb.h. 
-The routine fills in the -.I app_data -field with a pointer to the decrypted application data, -.I app_length -with the length of the -.I app_data -field, -.I time_sec -and -.I time_5ms -with the timestamps in the message, and -.I swap -with a 1 if the byte order of the receiver is different than that of -the sender. (The application must still determine if it is appropriate -to byte-swap application data; the Kerberos protocol fields are already taken -care of). The -.I hash -field returns a value useful as input to the -.I krb_ck_repl -routine. - -The routine returns zero if ok, or a Kerberos error code. Modified messages -and old messages cause errors, but it is up to the caller to -check the time sequence of messages, and to check against recently replayed -messages using -.I krb_ck_repl -if so desired. -.PP -.I krb_mk_safe -creates an authenticated, but unencrypted message from any arbitrary -application data, -pointed to by -.I in -and -.I in_length -bytes long. -The private session key, pointed to by -.I key, -is used to seed the -.I quad_cksum() -checksum algorithm used as part of the authentication. -.I sender -and -.I receiver -point to the Internet address of the two parties. -This message does not provide privacy, but does protect (via detection) -against modifications, insertions or replays. The encapsulated message and -header are placed in the area pointed to by -.I out -and the routine returns the length of the output, or -1 indicating -an error. -The authentication provided by this routine is not as strong as that -provided by -.I krb_mk_priv -or by computing the checksum using -.I cbc_cksum -instead, both of which authenticate via DES. -.PP - -.I krb_rd_safe -authenticates a received -.I krb_mk_safe -message. -.I in -points to the beginning of the received message, whose length -is specified in -.I in_length. -The private session key, pointed to by -.I key, -is used to seed the quad_cksum() routine as part of the authentication. 
-.I msg_data -is a pointer to a -.I MSG_DAT -struct, defined in -.I krb.h . -The routine fills in these -.I MSG_DAT -fields: -the -.I app_data -field with a pointer to the application data, -.I app_length -with the length of the -.I app_data -field, -.I time_sec -and -.I time_5ms -with the timestamps in the message, and -.I swap -with a 1 if the byte order of the receiver is different than that of -the sender. -(The application must still determine if it is appropriate -to byte-swap application data; the Kerberos protocol fields are already taken -care of). The -.I hash -field returns a value useful as input to the -.I krb_ck_repl -routine. - -The routine returns zero if ok, or a Kerberos error code. Modified messages -and old messages cause errors, but it is up to the caller to -check the time sequence of messages, and to check against recently replayed -messages using -.I krb_ck_repl -if so desired. -.PP -.I krb_mk_err -constructs an application level error message that may be used along -with -.I krb_mk_priv -or -.I krb_mk_safe. -.I out -is a pointer to the output buffer, -.I code -is an application specific error code, and -.I string -is an application specific error string. - -.PP -.I krb_rd_err -unpacks a received -.I krb_mk_err -message. -.I in -points to the beginning of the received message, whose length -is specified in -.I in_length. -.I code -is a pointer to a value to be filled in with the error -value provided by the application. -.I msg_data -is a pointer to a -.I MSG_DAT -struct, defined in -.I krb.h . -The routine fills in these -.I MSG_DAT -fields: the -.I app_data -field with a pointer to the application error text, -.I app_length -with the length of the -.I app_data -field, and -.I swap -with a 1 if the byte order of the receiver is different than that of -the sender. (The application must still determine if it is appropriate -to byte-swap application data; the Kerberos protocol fields are already taken -care of). 
- -The routine returns zero if the error message has been successfully received, -or a Kerberos error code. -.PP -The -.I KTEXT -structure is used to pass around text of varying lengths. It consists -of a buffer for the data, and a length. krb_rd_req takes an argument of this -type containing the authenticator, and krb_mk_req returns the -authenticator in a structure of this type. KTEXT itself is really a -pointer to the structure. The actual structure is of type KTEXT_ST. -.PP -The -.I AUTH_DAT -structure is filled in by krb_rd_req. It must be allocated before -calling krb_rd_req, and a pointer to it is passed. The structure is -filled in with data obtained from Kerberos. -.I MSG_DAT -structure is filled in by either krb_rd_priv, krb_rd_safe, or -krb_rd_err. It must be allocated before the call and a pointer to it -is passed. The structure is -filled in with data obtained from Kerberos. -.PP -.SH FILES -/usr/include/kerberosIV/krb.h -.br -/usr/lib/libkrb.a -.br -/usr/include/kerberosIV/des.h -.br -/usr/lib/libdes.a -.br -/etc/kerberosIV/aname -.br -/etc/kerberosIV/srvtab -.br -/tmp/tkt[uid] -.SH "SEE ALSO" -kerberos(1), des_crypt(3) -.SH DIAGNOSTICS -.SH BUGS -The caller of -.I krb_rd_req, krb_rd_priv, and krb_rd_safe -must check time order and for replay attempts. -.I krb_ck_repl -is not implemented yet. -.SH AUTHORS -Clifford Neuman, MIT Project Athena -.br -Steve Miller, MIT Project Athena/Digital Equipment Corporation -.SH RESTRICTIONS -COPYRIGHT 1985,1986,1989 Massachusetts Institute of Technology diff --git a/eBones/man/krb.conf.5 b/eBones/man/krb.conf.5 deleted file mode 100644 index ac977bb699c4..000000000000 --- a/eBones/man/krb.conf.5 +++ /dev/null 
@@ -1,32 +0,0 @@ -.\" from: krb.conf.5,v 4.1 89/01/23 11:10:34 jtkohl Exp $ -.\" $Id: krb.conf.5,v 1.2 1994/07/19 19:27:43 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KRB.CONF 5 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -/etc/krb.conf \- Kerberos configuration file -.SH DESCRIPTION -.I krb.conf -contains configuration information describing the Kerberos realm and the -Kerberos key distribution center (KDC) servers for known realms. -.PP -.I krb.conf -contains the name of the local realm in the first -line, followed by lines indicating realm/host -entries. The first token is a realm name, and the second is the hostname -of a host running a KDC for that realm. -The words "admin server" following the hostname indicate that -the host also provides an administrative database server. -For example: -.nf -.in +1i -ATHENA.MIT.EDU -ATHENA.MIT.EDU kerberos-1.mit.edu admin server -ATHENA.MIT.EDU kerberos-2.mit.edu -LCS.MIT.EDU kerberos.lcs.mit.edu admin server -.in -1i -.SH SEE ALSO -krb.realms(5), krb_get_krbhst(3), krb_get_lrealm(3) diff --git a/eBones/man/krb.realms.5 b/eBones/man/krb.realms.5 deleted file mode 100644 index 90226a975e9e..000000000000 --- a/eBones/man/krb.realms.5 +++ /dev/null 
@@ -1,39 +0,0 @@ -.\" from: krb.realms.5,v 4.1 89/01/23 11:10:41 jtkohl Exp $ -.\" $Id: krb.realms.5,v 1.2 1994/07/19 19:27:45 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KRB.REALMS 5 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -/etc/krb.realms \- host to Kerberos realm translation file -.SH DESCRIPTION -.I krb.realms -provides a translation from a hostname to the Kerberos realm name for -the services provided by that host. -.PP -Each line of the translation file is in one of the following forms -(domain_name should be of the form .XXX.YYY, e.g. .LCS.MIT.EDU): -.nf -.in +5n -host_name kerberos_realm -domain_name kerberos_realm -.in -5n -.fi -If a hostname exactly matches the -.I host_name -field in a line of the first -form, the corresponding realm is the realm of the host. -If a hostname does not match any -.I host_name -in the file, but its -domain exactly matches the -.I domain_name -field in a line of the second -form, the corresponding realm is the realm of the host. -.PP -If no translation entry applies, the host's realm is considered to be -the hostname's domain portion converted to upper case. -.SH SEE ALSO -krb_realmofhost(3) diff --git a/eBones/man/krb_realmofhost.3 b/eBones/man/krb_realmofhost.3 deleted file mode 100644 index f284069a9016..000000000000 --- a/eBones/man/krb_realmofhost.3 +++ /dev/null 
@@ -1,161 +0,0 @@ -.\" from: krb_realmofhost.3,v 4.1 89/01/23 11:10:47 jtkohl Exp $ -.\" $Id: krb_realmofhost.3,v 1.2 1994/07/19 19:27:46 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KRB_REALMOFHOST 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -krb_realmofhost, krb_get_phost, krb_get_krbhst, krb_get_admhst, -krb_get_lrealm \- additional Kerberos utility routines -.SH SYNOPSIS -.nf -.nj -.ft B -#include <krb.h> -#include <des.h> -#include <netinet/in.h> -.PP -.ft B -char *krb_realmofhost(host) -char *host; -.PP -.ft B -char *krb_get_phost(alias) -char *alias; -.PP -.ft B -krb_get_krbhst(host,realm,n) -char *host; -char *realm; -int n; -.PP -.ft B -krb_get_admhst(host,realm,n) -char *host; -char *realm; -int n; -.PP -.ft B -krb_get_lrealm(realm,n) -char *realm; -int n; -.fi -.ft R -.SH DESCRIPTION -.I krb_realmofhost -returns the Kerberos realm of the host -.IR host , -as determined by the translation table -.IR /etc/krb.realms . -.I host -should be the fully-qualified domain-style primary host name of the host -in question. In order to prevent certain security attacks, this routine -must either have -.I a priori -knowledge of a host's realm, or obtain such information securely. -.PP -The format of the translation file is described by -.IR krb.realms (5). -If -.I host -exactly matches a host_name line, the corresponding realm -is returned. -Otherwise, if the domain portion of -.I host -matches a domain_name line, the corresponding realm -is returned. -If -.I host -contains a domain, but no translation is found, -.IR host 's -domain is converted to upper-case and returned. -If -.I host -contains no discernable domain, or an error occurs, -the local realm name, as supplied by -.IR krb_get_lrealm (3), -is returned. 
-.PP -.I krb_get_phost -converts the hostname -.I alias -(which can be either an official name or an alias) into the instance -name to be used in obtaining Kerberos tickets for most services, -including the Berkeley rcmd suite (rlogin, rcp, rsh). -.br -The current convention is to return the first segment of the official -domain-style name after conversion to lower case. -.PP -.I krb_get_krbhst -fills in -.I host -with the hostname of the -.IR n th -host running a Kerberos key distribution center (KDC) -for realm -.IR realm , -as specified in the configuration file (\fI/etc/krb.conf\fR). -The configuration file is described by -.IR krb.conf (5). -If the host is successfully filled in, the routine -returns KSUCCESS. -If the file cannot be opened, and -.I n -equals 1, then the value of KRB_HOST as defined in -.I <krb.h> -is filled in, and KSUCCESS is returned. If there are fewer than -.I n -hosts running a Kerberos KDC for the requested realm, or the -configuration file is malformed, the routine -returns KFAILURE. -.PP -.I krb_get_admhst -fills in -.I host -with the hostname of the -.IR n th -host running a Kerberos KDC database administration server -for realm -.IR realm , -as specified in the configuration file (\fI/etc/krb.conf\fR). -If the file cannot be opened or is malformed, or there are fewer than -.I n -hosts running a Kerberos KDC database administration server, -the routine returns KFAILURE. -.PP -The character arrays used as return values for -.IR krb_get_krbhst , -.IR krb_get_admhst , -should be large enough to -hold any hostname (MAXHOSTNAMELEN from <sys/param.h>). -.PP -.I krb_get_lrealm -fills in -.I realm -with the -.IR n th -realm of the local host, as specified in the configuration file. -.I realm -should be at least REALM_SZ (from -.IR <krb.h>) characters long. -.PP -.SH SEE ALSO -kerberos(3), krb.conf(5), krb.realms(5) -.SH FILES -.TP 20n -/etc/krb.realms -translation file for host-to-realm mapping. 
-.TP -/etc/krb.conf -local realm-name and realm/server configuration file. -.SH BUGS -The current convention for instance names is too limited; the full -domain name should be used. -.PP -.I krb_get_lrealm -currently only supports -.I n -= 1. It should really consult the user's ticket cache to determine the -user's current realm, rather than consulting a file on the host. diff --git a/eBones/man/krb_sendauth.3 b/eBones/man/krb_sendauth.3 deleted file mode 100644 index f5e95b7eabb4..000000000000 --- a/eBones/man/krb_sendauth.3 +++ /dev/null 
@@ -1,348 +0,0 @@ -.\" from: krb_sendauth.3,v 4.1 89/01/23 11:10:58 jtkohl Exp $ -.\" $Id: krb_sendauth.3,v 1.2 1994/07/19 19:27:47 g89r4222 Exp $ -.\" Copyright 1988 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KRB_SENDAUTH 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -krb_sendauth, krb_recvauth, krb_net_write, krb_net_read \- -Kerberos routines for sending authentication via network stream sockets -.SH SYNOPSIS -.nf -.nj -.ft B -#include <krb.h> -#include <des.h> -#include <netinet/in.h> -.PP -.fi -.HP 1i -.ft B -int krb_sendauth(options, fd, ktext, service, inst, realm, checksum, -msg_data, cred, schedule, laddr, faddr, version) -.nf -.RS 0 -.ft B -long options; -int fd; -KTEXT ktext; -char *service, *inst, *realm; -u_long checksum; -MSG_DAT *msg_data; -CREDENTIALS *cred; -Key_schedule schedule; -struct sockaddr_in *laddr, *faddr; -char *version; -.PP -.fi -.HP 1i -.ft B -int krb_recvauth(options, fd, ktext, service, inst, faddr, laddr, -auth_data, filename, schedule, version) -.nf -.RS 0 -.ft B -long options; -int fd; -KTEXT ktext; -char *service, *inst; -struct sockaddr_in *faddr, *laddr; -AUTH_DAT *auth_data; -char *filename; -Key_schedule schedule; -char *version; -.PP -.ft B -int krb_net_write(fd, buf, len) -int fd; -char *buf; -int len; -.PP -.ft B -int krb_net_read(fd, buf, len) -int fd; -char *buf; -int len; -.fi -.SH DESCRIPTION -.PP -These functions, -which are built on top of the core Kerberos library, -provide a convenient means for client and server -programs to send authentication messages -to one another through network connections. -The -.I krb_sendauth -function sends an authenticated ticket from the client program to -the server program by writing the ticket to a network socket. -The -.I krb_recvauth -function receives the ticket from the client by -reading from a network socket. 
- -.SH KRB_SENDAUTH -.PP -This function writes the ticket to -the network socket specified by the -file descriptor -.IR fd, -returning KSUCCESS if the write proceeds successfully, -and an error code if it does not. - -The -.I ktext -argument should point to an allocated KTEXT_ST structure. -The -.IR service, -.IR inst, -and -.IR realm -arguments specify the server program's Kerberos principal name, -instance, and realm. -If you are writing a client that uses the local realm exclusively, -you can set the -.I realm -argument to NULL. - -The -.I version -argument allows the client program to pass an application-specific -version string that the server program can then match against -its own version string. -The -.I version -string can be up to KSEND_VNO_LEN (see -.IR <krb.h> ) -characters in length. - -The -.I checksum -argument can be used to pass checksum information to the -server program. -The client program is responsible for specifying this information. -This checksum information is difficult to corrupt because -.I krb_sendauth -passes it over the network in encrypted form. -The -.I checksum -argument is passed as the checksum argument to -.IR krb_mk_req . - -You can set -.IR krb_sendauth's -other arguments to NULL unless you want the -client and server programs to mutually authenticate -themselves. -In the case of mutual authentication, -the client authenticates itself to the server program, -and demands that the server in turn authenticate itself to -the client. - -.SH KRB_SENDAUTH AND MUTUAL AUTHENTICATION -.PP -If you want mutual authentication, -make sure that you read all pending data from the local socket -before calling -.IR krb_sendauth. -Set -.IR krb_sendauth's -.I options -argument to -.BR KOPT_DO_MUTUAL -(this macro is defined in the -.IR krb.h -file); -make sure that the -.I laddr -argument points to -the address of the local socket, -and that -.I faddr -points to the foreign socket's network address. 
- -.I Krb_sendauth -fills in the other arguments-- -.IR msg_data , -.IR cred , -and -.IR schedule --before -sending the ticket to the server program. -You must, however, allocate space for these arguments -before calling the function. - -.I Krb_sendauth -supports two other options: -.BR KOPT_DONT_MK_REQ, -and -.BR KOPT_DONT_CANON. -If called with -.I options -set as KOPT_DONT_MK_REQ, -.I krb_sendauth -will not use the -.I krb_mk_req -function to retrieve the ticket from the Kerberos server. -The -.I ktext -argument must point to an existing ticket and authenticator (such as -would be created by -.IR krb_mk_req ), -and the -.IR service, -.IR inst, -and -.IR realm -arguments can be set to NULL. - -If called with -.I options -set as KOPT_DONT_CANON, -.I krb_sendauth -will not convert the service's instance to canonical form using -.IR krb_get_phost (3). - -If you want to call -.I krb_sendauth -with a multiple -.I options -specification, -construct -.I options -as a bitwise-OR of the options you want to specify. - -.SH KRB_RECVAUTH -.PP -The -.I krb_recvauth -function -reads a ticket/authenticator pair from the socket pointed to by the -.I fd -argument. -Set the -.I options -argument -as a bitwise-OR of the options desired. -Currently only KOPT_DO_MUTUAL is useful to the receiver. - -The -.I ktext -argument -should point to an allocated KTEXT_ST structure. -.I Krb_recvauth -fills -.I ktext -with the -ticket/authenticator pair read from -.IR fd , -then passes it to -.IR krb_rd_req . - -The -.I service -and -.I inst -arguments -specify the expected service and instance for which the ticket was -generated. They are also passed to -.IR krb_rd_req. -The -.I inst -argument may be set to "*" if the caller wishes -.I krb_mk_req -to fill in the instance used (note that there must be space in the -.I inst -argument to hold a full instance name, see -.IR krb_mk_req (3)). - -The -.I faddr -argument -should point to the address of the peer which is presenting the ticket. 
-It is also passed to -.IR krb_rd_req . - -If the client and server plan to mutually authenticate -one another, -the -.I laddr -argument -should point to the local address of the file descriptor. -Otherwise you can set this argument to NULL. - -The -.I auth_data -argument -should point to an allocated AUTH_DAT area. -It is passed to and filled in by -.IR krb_rd_req . -The checksum passed to the corresponding -.I krb_sendauth -is available as part of the filled-in AUTH_DAT area. - -The -.I filename -argument -specifies the filename -which the service program should use to obtain its service key. -.I Krb_recvauth -passes -.I filename -to the -.I krb_rd_req -function. -If you set this argument to "", -.I krb_rd_req -looks for the service key in the file -.IR /etc/srvtab. - -If the client and server are performing mutual authenication, -the -.I schedule -argument -should point to an allocated Key_schedule. -Otherwise it is ignored and may be NULL. - -The -.I version -argument should point to a character array of at least KSEND_VNO_LEN -characters. It is filled in with the version string passed by the client to -.IR krb_sendauth. -.PP -.SH KRB_NET_WRITE AND KRB_NET_READ -.PP -The -.I krb_net_write -function -emulates the write(2) system call, but guarantees that all data -specified is written to -.I fd -before returning, unless an error condition occurs. -.PP -The -.I krb_net_read -function -emulates the read(2) system call, but guarantees that the requested -amount of data is read from -.I fd -before returning, unless an error condition occurs. -.PP -.SH BUGS -.IR krb_sendauth, -.IR krb_recvauth, -.IR krb_net_write, -and -.IR krb_net_read -will not work properly on sockets set to non-blocking I/O mode. - -.SH SEE ALSO - -krb_mk_req(3), krb_rd_req(3), krb_get_phost(3) - -.SH AUTHOR -John T. Kohl, MIT Project Athena -.SH RESTRICTIONS -Copyright 1988, Massachusetts Instititute of Technology. 
-For copying and distribution information, -please see the file <mit-copyright.h>. diff --git a/eBones/man/krb_set_tkt_string.3 b/eBones/man/krb_set_tkt_string.3 deleted file mode 100644 index c9f3dcfd37d5..000000000000 --- a/eBones/man/krb_set_tkt_string.3 +++ /dev/null @@ -1,43 +0,0 @@ -.\" from: krb_set_tkt_string.3,v 4.1 89/01/23 11:11:09 jtkohl Exp $ -.\" $Id: krb_set_tkt_string.3,v 1.2 1994/07/19 19:27:49 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KRB_SET_TKT_STRING 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -krb_set_tkt_string \- set Kerberos ticket cache file name -.SH SYNOPSIS -.nf -.nj -.ft B -#include <krb.h> -.PP -.ft B -void krb_set_tkt_string(filename) -char *filename; -.fi -.ft R -.SH DESCRIPTION -.I krb_set_tkt_string -sets the name of the file that holds the user's -cache of Kerberos server tickets and associated session keys. -.PP -The string -.I filename -passed in is copied into local storage. -Only MAXPATHLEN-1 (see <sys/param.h>) characters of the filename are -copied in for use as the cache file name. -.PP -This routine should be called during initialization, before other -Kerberos routines are called; otherwise the routines which fetch the -ticket cache file name may be called and return an undesired ticket file -name until this routine is called. -.SH FILES -.TP 20n -/tmp/tkt[uid] -default ticket file name, unless the environment variable KRBTKFILE is set. -[uid] denotes the user's uid, in decimal. -.SH SEE ALSO -kerberos(3), setenv(3) diff --git a/eBones/man/ksend.point b/eBones/man/ksend.point deleted file mode 100644 index 2dbe5de4ca5a..000000000000 --- a/eBones/man/ksend.point +++ /dev/null @@ -1 +0,0 @@ -.so man3/krb_sendauth.3 diff --git a/eBones/man/kshd.8 b/eBones/man/kshd.8 deleted file mode 100644 index e1ecc22fc4b7..000000000000 --- a/eBones/man/kshd.8 +++ /dev/null 
@@ -1,152 +0,0 @@ -.\" from: kshd.8,v 4.1 89/01/23 11:39:41 jtkohl Exp $ -.\" $Id: kshd.8,v 1.2 1994/07/19 19:27:50 g89r4222 Exp $ -.\" -.\" Copyright (c) 1983 The Regents of the University of California. -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms are permitted -.\" provided that the above copyright notice and this paragraph are -.\" duplicated in all such forms and that any documentation, -.\" advertising materials, and other materials related to such -.\" distribution and use acknowledge that the software was developed -.\" by the University of California, Berkeley. The name of the -.\" University may not be used to endorse or promote products derived -.\" from this software without specific prior written permission. -.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED -.\" WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. -.\" -.\" @(#)rshd.8 6.5 (Berkeley) 9/19/88 -.\" -.TH KSHD 8 "Kerberos Version 4.0" "MIT Project Athena" -.UC 5 -.SH NAME -kshd \- remote shell server -.SH SYNOPSIS -.B /usr/etc/kshd -.SH DESCRIPTION -.I Kshd -is the server for the -.IR kcmd (3) -routine and, consequently, for the -.IR rsh (1) -program. The server provides remote execution facilities -with authentication based on Kerberos. -.PP -.I Kshd -listens for service requests at the port indicated in -the ``kshell'' service specification; see -.IR services (5). -When a service request is received the following protocol -is initiated: -.IP 1) -The server reads characters from the socket up -to a null (`\e0') byte. The resultant string is -interpreted as an ASCII number, base 10. -.IP 2) -If the number received in step 1 is non-zero, -it is interpreted as the port number of a secondary -stream to be used for the -.BR stderr . -A second connection is then created to the specified -port on the client's machine. 
-.IP 3) -The server checks the client's source address -and requests the corresponding host name (see -.IR gethostbyaddr (3N), -.IR hosts (5) -and -.IR named (8)). -If the hostname cannot be determined, -the dot-notation representation of the host address is used. -.IP 4) -A Kerberos ticket/authenticator pair are retrieved on the initial socket. -.IP 5) -A null terminated user name of at most 16 characters -is retrieved on the initial socket. This user name -is interpreted as a user identity to use on the -.BR server 's -machine. -.IP 6) -A null terminated command to be passed to a -shell is retrieved on the initial socket. The length of -the command is limited by the upper bound on the size of -the system's argument list. -.IP 7) -.I Kshd -then validates the user according to the following steps. -The local (server-end) user name is looked up in the password file -and a -.I chdir -is performed to the user's home directory. If either -the lookup or -.I chdir -fail, the connection is terminated. The \&.klogin file in the home -directory is used to mediate access to the account (via \fIkuserok\fP(3)) -by the Kerberos principal named in the ticket/authenticator. If this -authorization check fails, the connection is terminated. -.IP 8) -A null byte is returned on the initial socket -and the command line is passed to the normal login -shell of the user. The -shell inherits the network connections established -by -.IR kshd . -.SH DIAGNOSTICS -Except for the last one listed below, -all diagnostic messages -are returned on the initial socket, -after which any network connections are closed. -An error is indicated by a leading byte with a value of -1 (0 is returned in step 8 above upon successful completion -of all the steps prior to the execution of the login shell). -.PP -.B ``remuser too long'' -.br -The name of the user on the remote machine is -longer than 16 characters. 
-.PP -.B ``command too long '' -.br -The command line passed exceeds the size of the argument -list (as configured into the system). -.PP -.B ``Login incorrect.'' -.br -No password file entry for the user name existed. -.PP -.B ``No remote directory.'' -.br -The -.I chdir -command to the home directory failed. -.PP -.B ``Permission denied.'' -.br -The authorization procedure described above failed. -.PP -.B ``Can't make pipe.'' -.br -The pipe needed for the -.BR stderr , -wasn't created. -.PP -.B ``Try again.'' -.br -A -.I fork -by the server failed. -.PP -.B ``<shellname>: ...'' -.br -The user's login shell could not be started. This message is returned -on the connection associated with the -.BR stderr , -and is not preceded by a flag byte. -.SH SEE ALSO -rsh(1), kerberos(3), kuserok(3) -.SH BUGS -A facility to allow all data exchanges to be encrypted should be -present. -.PP -A more extensible protocol should be used. diff --git a/eBones/man/ksrvtgt.1 b/eBones/man/ksrvtgt.1 deleted file mode 100644 index 25fd9399ea3e..000000000000 --- a/eBones/man/ksrvtgt.1 +++ /dev/null 
@@ -1,51 +0,0 @@ -.\" from: ksrvtgt.1,v 4.1 89/01/24 14:36:28 jtkohl Exp $ -.\" $Id: ksrvtgt.1,v 1.2 1994/07/19 19:27:52 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KSRVTGT 1 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -ksrvtgt \- fetch and store Kerberos ticket-granting-ticket using a -service key -.SH SYNOPSIS -.B ksrvtgt -name instance [[realm] srvtab] -.SH DESCRIPTION -.I ksrvtgt -retrieves a ticket-granting ticket with a lifetime of five (5) minutes -for the principal -.I name.instance@realm -(or -.I name.instance@localrealm -if -.I realm -is not supplied on the command line), decrypts the response using -the service key found in -.I srvtab -(or in -.B /etc/srvtab -if -.I srvtab -is not specified on the command line), and stores the ticket in the -standard ticket cache. -.PP -This command is intended primarily for use in shell scripts and other -batch-type facilities. -.SH DIAGNOSTICS -"Generic kerberos failure (kfailure)" can indicate a whole range of -problems, the most common of which is the inability to read the service -key file. -.SH FILES -.TP 2i -/etc/krb.conf -to get the name of the local realm. -.TP -/tmp/tkt[uid] -The default ticket file. -.TP -/etc/srvtab -The default service key file. -.SH SEE ALSO -kerberos(1), kinit(1), kdestroy(1) diff --git a/eBones/man/ksrvutil.8 b/eBones/man/ksrvutil.8 deleted file mode 100644 index a7fed8290071..000000000000 --- a/eBones/man/ksrvutil.8 +++ /dev/null 
@@ -1,93 +0,0 @@ -.\" from: /mit/kerberos/src/man/RCS/ksrvutil.8,v 4.0 89/07/27 18:35:33 jtkohl Exp $ -.\" $Id: ksrvutil.8,v 1.2 1994/07/19 19:27:53 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KSRVUTIL 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -ksrvutil \- host kerberos keyfile (srvtab) manipulation utility -.SH SYNOPSIS -ksrvutil -.B operation -[ -.B \-k -] [ -.B \-i -] [ -.B \-f filename -] -.SH DESCRIPTION -.I ksrvutil -allows a system manager to list or change keys currently in his -keyfile or to add new keys to the keyfile. -.PP - -Operation must be one of the following: -.TP 10n -.I list -lists the keys in a keyfile showing version number and principal -name. If the \-k option is given, keys will also be shown. -.TP 10n -.I change -changes all the keys in the keyfile by using the regular admin -protocol. If the \-i flag is given, -.I ksrvutil -will prompt for yes or no before changing each key. If the \-k -option is used, the old and new keys will be displayed. -.TP 10n -.I add -allows the user to add a key. -.I add -prompts for name, instance, realm, and key version number, asks -for confirmation, and then asks for a password. -.I ksrvutil -then converts the password to a key and appends the keyfile with -the new information. If the \-k option is used, the key is -displayed. - -.PP -In all cases, the default file used is KEY_FILE as defined in -krb.h unless this is overridden by the \-f option. - -.PP -A good use for -.I ksrvutil -would be for adding keys to a keyfile. A system manager could -ask a kerberos administrator to create a new service key with -.IR kadmin (8) -and could supply an initial password. Then, he could use -.I ksrvutil -to add the key to the keyfile and then to change the key so that -it will be random and unknown to either the system manager or -the kerberos administrator. 
- -.I ksrvutil -always makes a backup copy of the keyfile before making any -changes. - -.SH DIAGNOSTICS -If -.I ksrvutil -should exit on an error condition at any time during a change or -add, a copy of the -original keyfile can be found in -.IR filename .old -where -.I filename -is the name of the keyfile, and a copy of the file with all new -keys changed or added so far can be found in -.IR filename .work. -The original keyfile is left unmodified until the program exits -at which point it is removed and replaced it with the workfile. -Appending the workfile to the backup copy and replacing the -keyfile with the result should always give a usable keyfile, -although the resulting keyfile will have some out of date keys -in it. - -.SH SEE ALSO -kadmin(8), ksrvtgt(1) - -.SH AUTHOR -Emanuel Jay Berkenbilt, MIT Project Athena diff --git a/eBones/man/kstash.8 b/eBones/man/kstash.8 deleted file mode 100644 index d83379ad6ca9..000000000000 --- a/eBones/man/kstash.8 +++ /dev/null 
@@ -1,41 +0,0 @@ -.\" from: kstash.8,v 4.1 89/01/23 11:11:39 jtkohl Exp $ -.\" $Id: kstash.8,v 1.2 1994/07/19 19:27:55 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KSTASH 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kstash \- stash Kerberos key distribution center database master key -.SH SYNOPSIS -kstash -.SH DESCRIPTION -.I kstash -saves the Kerberos key distribution center (KDC) database master key in -the master key cache file. -.PP -The user is prompted to enter the key, to verify the authenticity of the -key and the authorization to store the key in the file. -.SH DIAGNOSTICS -.TP 20n -"verify_master_key: Invalid master key, does not match database." -The master key string entered was incorrect. -.TP -"kstash: Unable to open master key file" -The attempt to open the cache file for writing failed (probably due to a -system or access permission error). -.TP -"kstash: Write I/O error on master key file" -The -.BR write (2) -system call returned an error while -.I kstash -was attempting to write the key to the file. -.SH FILES -.TP 20n -/kerberos/principal.pag, /kerberos/principal.dir -DBM files containing database -.TP -/.k -Master key cache file. diff --git a/eBones/man/ksu.1 b/eBones/man/ksu.1 deleted file mode 100644 index fe434d3adf15..000000000000 --- a/eBones/man/ksu.1 +++ /dev/null 
@@ -1,83 +0,0 @@ -.\" from: ksu.1,v 4.1 89/01/23 11:38:16 jtkohl Exp $ -.\" $Id: ksu.1,v 1.2 1994/07/19 19:27:57 g89r4222 Exp $ -.\" -.\" Copyright (c) 1988 The Regents of the University of California. -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms are permitted -.\" provided that the above copyright notice and this paragraph are -.\" duplicated in all such forms and that any documentation, -.\" advertising materials, and other materials related to such -.\" distribution and use acknowledge that the software was developed -.\" by the University of California, Berkeley. The name of the -.\" University may not be used to endorse or promote products derived -.\" from this software without specific prior written permission. -.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED -.\" WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. -.\" -.\" @(#)su.1 6.7 (Berkeley) 12/7/88 -.\" -.TH KSU 1 "Kerberos Version 4.0" "MIT Project Athena" -.UC -.SH NAME -ksu \- substitute user id, using Kerberos -.SH SYNOPSIS -.B ksu -[-flm] [login] -.SH DESCRIPTION -\fIKsu\fP requests the password for \fIlogin\fP (or for ``root'', if no -login is provided), and switches to that user and group ID. A shell is -then invoked. -.PP -By default, your environment is unmodified with the exception of -\fIUSER\fP, \fIHOME\fP, and \fISHELL\fP. \fIHOME\fP and \fISHELL\fP -are set to the target login's \fI/etc/passwd\fP values. \fIUSER\fP -is set to the target login, unless the target login has a UID of 0, -in which case it is unmodified. The invoked shell is the target -login's. This is the traditional behavior of \fIksu\fP. -.PP -The \fI-l\fP option simulates a full login. The environment is discarded -except for \fIHOME\fP, \fISHELL\fP, \fIPATH\fP, \fITERM\fP, and \fIUSER\fP. -\fIHOME\fP and \fISHELL\fP are modified as above. \fIUSER\fP is set to -the target login. 
\fIPATH\fP is set to ``/usr/ucb:/bin:/usr/bin''. -\fITERM\fP is imported from your current environment. The invoked shell -is the target login's, and \fIksu\fP will change directory to the target -login's home directory. -.PP -The \fI-m\fP option causes the environment to remain unmodified, and -the invoked shell to be your login shell. No directory changes are -made. As a security precaution, if the -.I -m -option is specified, the target user's shell is a non-standard shell -(as defined by \fIgetusershell\fP(3)) and the caller's real uid is -non-zero, -.I su -will fail. -.PP -If the invoked shell is \fIcsh\fP, the \fI-f\fP option prevents it from -reading the \fI.cshrc\fP file. Otherwise, this option is ignored. -.PP -Only users with root instances listed in /\&.klogin may \fIksu\fP to -``root'' (The format of this file is described by \fIrlogin\fP(1).). When -attempting root access, \fIksu\fP attempts to fetch a -ticket-granting-ticket for ``username.root@localrealm'', where -\fIusername\fP is the username of the process. If possible, the tickets -are used to obtain, use, and verify tickets for the service -``rcmd.host@localrealm'' where \fIhost\fP is the canonical host name (as -determined by -.IR krb_get_phost (3)) -of the machine. If this verification -fails, the \fIksu\fP is disallowed (If the service -``rcmd.host@localrealm'' is not registered, the \fIksu\fP is allowed.). -.PP -By default (unless the prompt is reset by a startup file) the super-user -prompt is set to ``#'' to remind one of its awesome power. -.PP -When not attempting to switch to the ``root'' user, -.I ksu -behaves exactly like -.IR su (1). -.SH "SEE ALSO" -su(1), csh(1), login(1), rlogin(1), sh(1), krb_get_phost(3), passwd(5), -group(5), environ(7) diff --git a/eBones/man/kuserok.3 b/eBones/man/kuserok.3 deleted file mode 100644 index 36968baa2341..000000000000 --- a/eBones/man/kuserok.3 +++ /dev/null 
@@ -1,63 +0,0 @@ -.\" from: kuserok.3,v 4.1 89/01/23 11:11:49 jtkohl Exp $ -.\" $Id: kuserok.3,v 1.2 1994/07/19 19:27:58 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH KUSEROK 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kuserok \- Kerberos version of ruserok -.SH SYNOPSIS -.nf -.nj -.ft B -#include <krb.h> -.PP -.ft B -kuserok(kdata, localuser) -AUTH_DAT *auth_data; -char *localuser; -.fi -.ft R -.SH DESCRIPTION -.I kuserok -determines whether a Kerberos principal described by the structure -.I auth_data -is authorized to login as user -.I localuser -according to the authorization file -("~\fIlocaluser\fR/.klogin" by default). It returns 0 (zero) if authorized, -1 (one) if not authorized. -.PP -If there is no account for -.I localuser -on the local machine, authorization is not granted. -If there is no authorization file, and the Kerberos principal described -by -.I auth_data -translates to -.I localuser -(using -.IR krb_kntoln (3)), -authorization is granted. -If the authorization file -can't be accessed, or the file is not owned by -.IR localuser, -authorization is denied. Otherwise, the file is searched for -a matching principal name, instance, and realm. If a match is found, -authorization is granted, else authorization is denied. -.PP -The file entries are in the format: -.nf -.in +5n - name.instance@realm -.in -5n -.fi -with one entry per line. -.SH SEE ALSO -kerberos(3), ruserok(3), krb_kntoln(3) -.SH FILES -.TP 20n -~\fIlocaluser\fR/.klogin -authorization list diff --git a/eBones/man/rcp.1 b/eBones/man/rcp.1 deleted file mode 100644 index 1f298f6a251d..000000000000 --- a/eBones/man/rcp.1 +++ /dev/null 
@@ -1,129 +0,0 @@ -.\" from: rcp.1,v 4.1 89/01/23 11:39:00 jtkohl Exp $ -.\" $Id: rcp.1,v 1.2 1994/07/19 19:28:00 g89r4222 Exp $ -.\" -.\" Copyright (c) 1983 The Regents of the University of California. -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms are permitted -.\" provided that the above copyright notice and this paragraph are -.\" duplicated in all such forms and that any documentation, -.\" advertising materials, and other materials related to such -.\" distribution and use acknowledge that the software was developed -.\" by the University of California, Berkeley. The name of the -.\" University may not be used to endorse or promote products derived -.\" from this software without specific prior written permission. -.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED -.\" WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. -.\" -.\" @(#)rcp.1 6.6 (Berkeley) 9/20/88 -.\" -.TH RCP 1 "Kerberos Version 4.0" "MIT Project Athena" -.UC 5 -.SH NAME -rcp \- remote file copy -.SH SYNOPSIS -.B rcp -[ -.B \-p -] [ -.B \-x -] [ -.B \-k -realm ] file1 file2 -.br -.B rcp -[ -.B \-p -] [ -.B \-x -] [ -.B \-k -realm ] [ -.B \-r -] file ... directory -.SH DESCRIPTION -.I Rcp -copies files between machines. Each -.I file -or -.I directory -argument is either a remote file name of the -form ``rhost:path'', or a local file name (containing no `:' characters, -or a `/' before any `:'s). -.PP -If the -.B \-r -option -is specified and any of the source files are directories, -.I rcp -copies each subtree rooted at that name; in this case -the destination must be a directory. -.PP -By default, the mode and owner of -.I file2 -are preserved if it already existed; otherwise the mode of the source file -modified by the -.IR umask (2) -on the destination host is used. 
-The -.B \-p -option causes -.I rcp -to attempt to preserve (duplicate) in its copies the modification -times and modes of the source files, ignoring the -.IR umask . -.PP -If -.I path -is not a full path name, it is interpreted relative to -your login directory on -.IR rhost . -A -.I path -on a remote host may be quoted (using \e, ", or \(aa) -so that the metacharacters are interpreted remotely. -.PP -.I Rcp -does not prompt for passwords; it uses Kerberos authentication when -connecting to -.IR rhost . -Authorization is as described in -.IR rlogin (1). -.PP -The -.B \-x -option selects encryption of all information transferring between hosts. -The -.B \-k -.I realm -option causes -.I rcp -to obtain tickets for the remote host in -.I realm -instead of the remote host's realm as determined by -.IR krb_realmofhost (3). -.PP -.I Rcp -handles third party copies, where neither source nor target files -are on the current machine. -Hostnames may also take the form ``rname@rhost'' to use -.I rname -rather than the current user name on the remote host. -.SH SEE ALSO -cp(1), ftp(1), rsh(1), rlogin(1), kerberos(3), krb_getrealm(3), -rcp(1) [UCB version] -.SH BUGS -Doesn't detect all cases where the target of a copy might -be a file in cases where only a directory should be legal. -.PP -Is confused by any output generated by commands in a -\&.login, \&.profile, or \&.cshrc file on the remote host. -.PP -The destination user and hostname may have to be specified as -``rhost.rname'' when the destination machine is running the 4.2BSD -version of \fIrcp\fP. -.PP -Kerberos is only used for the first connection of a third-party copy; -the second connection uses the standard Berkeley rcp protocol. - diff --git a/eBones/man/realm.point b/eBones/man/realm.point deleted file mode 100644 index 9c6940f1207a..000000000000 --- a/eBones/man/realm.point +++ /dev/null @@ -1 +0,0 @@ -.so man3/krb_realmofhost.3 
diff --git a/eBones/man/rlogin.1 b/eBones/man/rlogin.1 deleted file mode 100644 index 3e0dc62d78b9..000000000000 --- a/eBones/man/rlogin.1 +++ /dev/null 
@@ -1,199 +0,0 @@ -.\" from: rlogin.1,v 4.2 89/11/02 11:20:39 jtkohl Exp $ -.\" $Id: rlogin.1,v 1.2 1994/07/19 19:28:01 g89r4222 Exp $ -.\" -.\" Copyright (c) 1983 The Regents of the University of California. -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms are permitted -.\" provided that the above copyright notice and this paragraph are -.\" duplicated in all such forms and that any documentation, -.\" advertising materials, and other materials related to such -.\" distribution and use acknowledge that the software was developed -.\" by the University of California, Berkeley. The name of the -.\" University may not be used to endorse or promote products derived -.\" from this software without specific prior written permission. -.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED -.\" WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. -.\" -.\" @(#)rlogin.1 6.9 (Berkeley) 9/19/88 -.\" -.TH RLOGIN 1 "Kerberos Version 4.0" "MIT Project Athena" -.UC 5 -.SH NAME -rlogin \- remote login -.SH SYNOPSIS -.B rlogin -rhost [ -\fB\-e\fR\fI\|c\fR -] [ -.B \-8 -] [ -.B \-c -] [ -.B \-a -] [ -.B \-t -termtype ] [ -.B \-n -] [ -.B \-7 -] [ -.B \-d -] [ -.B \-k -realm ] [ -.B \-x -] [ -.B \-noflow -] [ -.B \-L -] [ -.B \-l -username ] -.br -rhost [ -\fB\-e\fR\fIc\fR -] [ -.B \-8 -] [ -.B \-c -] [ -.B \-a -] [ -.B \-t -termtype ] [ -.B \-n -] [ -.B \-7 -] [ -.B \-d -] [ -.B \-k -realm ] [ -.B \-x -] [ -.B \-noflow -] [ -.B \-L -] [ -.B \-l -username ] -.SH DESCRIPTION -.I Rlogin -connects your terminal on the current local host system -.I lhost -to the remote host system -.I rhost. -.PP -The version built to use Kerberos authentication is very similar to the -standard Berkeley rlogin(1), except that instead of the \fIrhosts\fP -mechanism, it uses Kerberos authentication to determine the -authorization to use a remote account. 
-.PP -Each user may have a private authorization list in a file \&.klogin -in his login directory. Each line in this file should contain a -Kerberos principal name of the form -.IR principal.instance@realm . -If the originating user is authenticated to one of the principals named -in \&.klogin, access is granted to the account. The principal -\fIaccountname\fP.@\fIlocalrealm\fP is granted access if there is no -\&.klogin file. -Otherwise -a login and password will be prompted for on the remote machine as in -.IR login (1). -To avoid some security problems, the \&.klogin file must be owned by -the remote user. -.PP -If there is some problem in marshaling the Kerberos authentication -information, an error message is printed and the standard UCB rlogin is -executed in place of the Kerberos rlogin. -.PP -A line of the form ``~.'' disconnects from the remote host, where -``~'' is the escape character. -Similarly, the line ``~^Z'' (where ^Z, control-Z, is the suspend character) -will suspend the rlogin session. -Substitution of the delayed-suspend character (normally ^Y) -for the suspend character suspends the send portion of the rlogin, -but allows output from the remote system. -.PP -The remote terminal type is the same as your local -terminal type (as given in your environment TERM variable), unless the -.B \-t -option is specified (see below). -The terminal or window size is also copied to the remote system -if the server supports the option, -and changes in size are reflected as well. -.PP -All echoing takes place at the remote site, so that (except for -delays) the rlogin is transparent. Flow control via ^S and ^Q and -flushing of input and output on interrupts are handled properly. -.PP -The -.B \-8 -option allows an eight-bit input data path at all times; -otherwise parity bits are stripped except when the remote side's -stop and start characters are other than ^S/^Q. Eight-bit mode is the default. 
-.PP -The -.B \-L -option allows the rlogin session to be run in litout mode. -.PP -The -.B \-e -option allows specification of a different escape character. -There is no space separating this option flag and the new escape -character. -.PP -The -.B \-c -option requires confirmation before disconnecting via ``~.'' -.PP -The -.B \-a -option forces the remote machine to ask for a password by sending a null local -username. This option has no effect unless the standard UCB rlogin is -executed in place of the Kerberos rlogin (see above). -.PP -The -.B \-t -option replaces the terminal type passed to the remote host with -\fItermtype\fP. -.PP -The -.B \-n -option prevents suspension of rlogin via ``~^Z'' or ``~^Y''. -.PP -The -.B \-7 -option forces seven-bit transmissions. -.PP -The -.B \-d -option turns on socket debugging (via \fIsetsockopt(2)\fR) on the TCP -sockets used for communication with the remote host. -.PP -The -.B \-noflow -option forces transmission of flow control characters (^S/^Q) to the -remote system. -.PP -The -.B \-k -option requests rlogin to obtain tickets for the remote host in realm -.I realm -instead of the remote host's realm as determined by -.IR krb_realmofhost (3). -.PP -The -.B \-x -option turns on DES encryption for all data passed via the -rlogin session. This significantly reduces response time and -significantly increases CPU utilization. -.SH SEE ALSO -rsh(1), kerberos(3), krb_sendauth(3), krb_realmofhost(3), -rlogin(1) [UCB version] -.SH FILES -/usr/hosts/* for \fIrhost\fP version of the command -.SH BUGS -More of the environment should be propagated. diff --git a/eBones/man/rsh.1 b/eBones/man/rsh.1 deleted file mode 100644 index 8d0974ce814f..000000000000 --- a/eBones/man/rsh.1 +++ /dev/null 
@@ -1,152 +0,0 @@ -.\" from: rsh.1,v 4.1 89/01/23 11:39:11 jtkohl Exp $ -.\" $Id: rsh.1,v 1.2 1994/07/19 19:28:03 g89r4222 Exp $ -.\" -.\" Copyright (c) 1983 The Regents of the University of California. -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms are permitted -.\" provided that the above copyright notice and this paragraph are -.\" duplicated in all such forms and that any documentation, -.\" advertising materials, and other materials related to such -.\" distribution and use acknowledge that the software was developed -.\" by the University of California, Berkeley. The name of the -.\" University may not be used to endorse or promote products derived -.\" from this software without specific prior written permission. -.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED -.\" WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. -.\" -.\" @(#)rsh.1 6.2 (Berkeley) 9/20/88 -.\" -.TH RSH 1 "Kerberos Version 4.0" "MIT Project Athena" -.UC 5 -.SH NAME -rsh \- remote shell -.SH SYNOPSIS -.B rsh -host -[ -.B \-l -username -] [ -.B \-n -] [ -.B \-d -] [ -.B \-k -realm ] command -.br -host -[ -.B \-l -username -] [ -.B \-n -] [ -.B \-d -] [ -.B \-k -realm ] command -.SH DESCRIPTION -.I Rsh -connects to the specified -.I host, -and executes the specified \fIcommand\fR. -.I Rsh -copies its standard input to the remote command, the standard -output of the remote command to its standard output, and the -standard error of the remote command to its standard error. -Interrupt, quit and terminate signals are propagated to the remote -command; \fIrsh\fP normally terminates when the remote command does. -.PP -The remote username used is the same as your local username, -unless you specify a different remote name with the -.B \-l -option. -Kerberos authentication is used, and authorization is determined as in -rlogin(1). 
-.PP -The -.B \-k -\fIrealm\fP option causes -.I rsh -to obtain tickets for the remote host in -.I realm -instead of the remote host's realm as determined by -.IR krb_realmofhost (3). -.PP -The -.B \-d -option turns on socket debugging (via \fIsetsockopt(2)\fR) on the TCP -sockets used for communication with the remote host. -.PP -The -.B \-n -option redirects input from the special device -.I /dev/null -(see the BUGS section below). -.PP -If you omit -.I command, -then instead of executing a single command, you will be logged in -on the remote host using -.IR rlogin (1). -.PP -Shell metacharacters which are not quoted are interpreted -on local machine, while quoted metacharacters are interpreted on -the remote machine. -Thus the command -.PP -\ \ \ rsh otherhost cat remotefile >> localfile -.PP -appends the remote file -.I remotefile -to the local file -.I localfile, -while -.PP -\ \ \ rsh otherhost cat remotefile ">>" otherremotefile -.PP -appends -.I remotefile -to -.I otherremotefile. -.PP -The host names for local machines are also commands in the directory -/usr/hosts; if you put this directory in your search path -then the -.B rsh -on the command line can be omitted. -.SH FILES -.ta 2i -/etc/hosts -.br -/usr/hosts/* -.DT -.SH SEE ALSO -rlogin(1), kerberos(3), krb_sendauth(3), krb_realmofhost(3) -.SH BUGS -If you are using -.IR csh (1) -and put a -.IR rsh (1) -in the background without redirecting its input -away from the terminal, it will block even if no reads -are posted by the remote command. If no input is desired -you should redirect the input of -.I rsh -to /dev/null using the -.B \-n -option. -.PP -You cannot run an interactive command -(like -.IR rogue (6) -or -.IR vi (1)); -use -.IR rlogin (1). -.PP -Stop signals stop the local \fIrsh\fP process only; this is arguably -wrong, but currently hard to fix for reasons too complicated to -explain here. 
diff --git a/eBones/man/tcom.8 b/eBones/man/tcom.8 deleted file mode 100644 index 23317cc3eec4..000000000000 --- a/eBones/man/tcom.8 +++ /dev/null @@ -1,54 +0,0 @@ -.\" from: tcom.8,v 4.2 89/05/03 14:34:53 jtkohl Exp $ -.\" $Id: tcom.8,v 1.2 1994/07/19 19:28:04 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH TCOM 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -tcom \- control operation of server tftp daemon -.SH SYNOPSIS -tcom -.SH DESCRIPTION -.I Tcom -is a program to control the execution of the server trivial file transfer -daemon. It sends user commands to the daemon by writing them into a -shared file and signalling the daemon; it watches the daemon's log to -obtain the results of the commands. The following commands are supported: -.TP 20 -help -display a list of commands -.TP -input trace on|off -turn tracing of input packets on or off -.TP -output trace on|off -turn tracing of output packets on or off -.TP -trace on|off -turn all packet tracing on or off -.TP -times -display server parent and children process times -.TP -uptime -display daemon up time -.TP -exit -force daemon to shut down and exit -.SH FILES -.TP 20 -/tftpd/lock -lock file containing daemon's PID -.TP -/tftpd/command -command file to daemon -.TP -/tftpd/slog -daemon's log file -.SH "SEE ALSO" -tftpd (8) -.SH BUGS -Two tcom's running at the same time will result in chaos. Also, -watching the daemon's log file uses a lot of CPU time. diff --git a/eBones/man/tf_util.3 b/eBones/man/tf_util.3 deleted file mode 100644 index 3a9bc941188b..000000000000 --- a/eBones/man/tf_util.3 +++ /dev/null 
@@ -1,151 +0,0 @@ -.\" from: tf_util.3,v 4.2 89/04/25 17:17:11 jtkohl Exp $ -.\" $Id: tf_util.3,v 1.2 1994/07/19 19:28:05 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH TF_UTIL 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -tf_init, tf_get_pname, tf_get_pinst, tf_get_cred, tf_close \ -\- Routines for manipulating a Kerberos ticket file -.SH SYNOPSIS -.nf -.nj -.ft B -#include <krb.h> -.PP -.ft B -extern char *krb_err_txt[]; -.PP -.ft B -tf_init(tf_name, rw) -char *tf_name; -int rw; -.PP -.ft B -tf_get_pname(pname) -char *pname; -.PP -.ft B -tf_get_pinst(pinst) -char *pinst; -.PP -.ft B -tf_get_cred(c) -CREDENTIALS *c; -.PP -.ft B -tf_close() -.PP -.fi -.SH DESCRIPTION -This group of routines are provided to manipulate the Kerberos tickets -file. A ticket file has the following format: -.nf -.in +4 -.sp -principal's name (null-terminated string) -principal's instance (null-terminated string) -CREDENTIAL_1 -CREDENTIAL_2 - ... -CREDENTIAL_n -EOF -.sp -.in -4 -.LP -Where "CREDENTIAL_x" consists of the following fixed-length -fields from the CREDENTIALS structure (defined in <krb.h>): -.nf -.sp -.in +4 - char service[ANAME_SZ] - char instance[INST_SZ] - char realm[REALM_SZ] - des_cblock session - int lifetime - int kvno - KTEXT_ST ticket_st - long issue_date -.in -4 -.sp -.fi -.PP -.I tf_init -must be called before the other ticket file -routines. -It takes the name of the ticket file to use, -and a read/write flag as arguments. -It tries to open the ticket file, checks the mode and if -everything is okay, locks the file. If it's opened for -reading, the lock is shared. If it's opened for writing, -the lock is exclusive. -KSUCCESS is returned if all went well, otherwise one of the -following: -.nf -.sp -NO_TKT_FIL - file wasn't there -TKT_FIL_ACC - file was in wrong mode, etc. 
-TKT_FIL_LCK - couldn't lock the file, even after a retry -.sp -.fi -.PP -The -.I tf_get_pname -reads the principal's name from a ticket file. -It should only be called after tf_init has been called. The -principal's name is filled into the -.I pname -parameter. If all goes -well, KSUCCESS is returned. -If tf_init wasn't called, TKT_FIL_INI -is returned. -If the principal's name was null, or EOF was encountered, or the -name was longer than ANAME_SZ, TKT_FIL_FMT is returned. -.PP -The -.I tf_get_pinst -reads the principal's instance from a ticket file. -It should only be called after tf_init and tf_get_pname -have been called. -The principal's instance is filled into the -.I pinst -parameter. -If all goes -well, KSUCCESS is returned. -If tf_init wasn't called, TKT_FIL_INI -is returned. -If EOF was encountered, or the -name was longer than INST_SZ, TKT_FIL_FMT is returned. -Note that, unlike the principal name, the instance name may be null. -.PP -The -.I tf_get_cred -routine reads a CREDENTIALS record from a ticket file and -fills in the given structure. -It should only be called after -tf_init, tf_get_pname, and tf_get_pinst have been called. -If all goes well, KSUCCESS is returned. Possible error codes -are: -.nf -.sp -TKT_FIL_INI - tf_init wasn't called first -TKT_FIL_FMT - bad format -EOF - end of file encountered -.sp -.fi -.PP -.I tf_close -closes the ticket file and releases the lock on it. -.SH "SEE ALSO" -krb(3) -.SH DIAGNOSTICS -.SH BUGS -The ticket file routines have to be called in a certain order. -.SH AUTHORS -Jennifer Steiner, MIT Project Athena -.br -Bill Bryant, MIT Project Athena -.SH RESTRICTIONS -Copyright 1987 Massachusetts Institute of Technology diff --git a/eBones/man/tftp.1 b/eBones/man/tftp.1 deleted file mode 100644 index 4abd7ac66850..000000000000 --- a/eBones/man/tftp.1 +++ /dev/null 
@@ -1,66 +0,0 @@ -.\" from: tftp.1,v 4.1 89/01/23 11:36:23 jtkohl Exp $ -.\" $Id: tftp.1,v 1.2 1994/07/19 19:28:07 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH TFTP 1 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -tftp \- trivial file transfer protocol -.SH SYNOPSIS -.B tftp --action localname host foreignname [mode] -.SH DESCRIPTION -If -.I action -is -.B w, -.B p, -or -.B ap, -.I tftp -writes the local file, called localname, onto the foreign host's -file system as foreignname. If -.I action -is -.B ap, -Kerberos authentication is used. -Note that foreignname must be quoted if it -contains shell special characters. If -.I action -is -.B r, -.B g, -or -.B ag, -.I tftp -reads foreign host's file foreignname into the local file, -localname. If -.I action -is -.B ag, -Kerberos authentication is used. -.I Tftp -will not supersede or overwrite existing local files, however; to do so, -use -.I action -.B o. -.sp 2 -.I Mode -may be -.B netascii, -or -.B image. -Netascii, the default mode, transfers -the file as standard ascii characters. Image mode transfers -the file in binary, with no character conversion. -.sp 1 -If Kerberos authentication is not used with -.B tftp, -access will be denied unless the remote and local host are on the same -local-area network. -.SH "SEE ALSO" -.nf -\fIInternet Protocol Handbook\fR -kerberosintro(1) diff --git a/eBones/man/tftpd.8 b/eBones/man/tftpd.8 deleted file mode 100644 index 22a7fe886e0b..000000000000 --- a/eBones/man/tftpd.8 +++ /dev/null 
@@ -1,39 +0,0 @@ -.\" from: tftpd.8,v 4.1 89/01/23 11:36:12 jtkohl Exp $ -.\" $Id: tftpd.8,v 1.2 1994/07/19 19:28:08 g89r4222 Exp $ -.\" Copyright 1989 by the Massachusetts Institute of Technology. -.\" -.\" For copying and distribution information, -.\" please see the file <Copyright.MIT>. -.\" -.TH TFTPD 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -tftpd \- server tftp daemon -.SH SYNOPSIS -.B /etc/tftpd -.SH DESCRIPTION -.I Tftpd -is a daemon which runs the trivial file transfer protocol server for the -MIT Internet software. It listens for incoming connections, and forks a -child to perform each requested transfer. It uses the directory -.IR /tftpd ; -the file -.I lock -in that directory is used to prevent two daemons from becoming -active simultaneously; it also contains the daemon's process ID, -which is used by the tftp command program -.IR tcom (8) -to control the daemon's operation. -.SH FILES -.br -.TP 20n -/tftpd/lock -interlock, PID storage -.TP -/dev/net -the network device -.i0 -.dt -.SH "SEE ALSO" -tftp (1), tcom (8) -.br -\fIInternet Protocol Handbook\fR |
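Review bot: in the eBones/man/tcom.8 hunk, the deleted DESCRIPTION, FILES and BUGS sections are the only record in this diff of how the tftp daemon is controlled: commands are written to /tftpd/command, the daemon is signalled using the PID stored in /tftpd/lock, and results are read back from /tftpd/slog, with the warning that "Two tcom's running at the same time will result in chaos." The diffstat is limited to eBones/man, so it is not visible whether the tcom and tftpd programs are removed in the same commit. If they are not, an unsynchronised shared-file command channel stays in the tree with no documentation. Please state in the commit message that the programs go with the pages, or keep this page until they do.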
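Review bot: in the eBones/man/tf_util.3 hunk, the removal drops the only description shown here of the ticket file layout (principal name, instance, then fixed-length CREDENTIALS records that include the "des_cblock session" field) and of what tf_init enforces before use: it "checks the mode and if everything is okay, locks the file", returning TKT_FIL_ACC or TKT_FIL_LCK otherwise. The BUGS section also notes that the routines "have to be called in a certain order". If any code that calls tf_init, tf_get_pname, tf_get_pinst, tf_get_cred or tf_close survives this commit, its callers lose the documented ordering and error contract for a file that holds session keys. Please confirm that the tf_* routines are removed alongside this page, or name the page that replaces it.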
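Review bot: in the eBones/man/tftp.1 hunk, the deleted text is where the access rule for unauthenticated transfers is stated: unless the ap or ag action is used, "access will be denied unless the remote and local host are on the same local-area network." This page documents the Kerberos Version 4.0 variant of the command, so the actions and the same-LAN restriction it describes may not apply to any other tftp(1) page. Please say in the commit message whether a tftp(1) page from another directory remains installed after this removal, so that administrators do not assume the behaviour described here still holds for it.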
