('user/user_commands/krb5-config', 'krb5-config', u'tool for linking against MIT Kerberos libraries', [u'MIT'], 1),
('user/user_config/k5login', 'k5login', u'Kerberos V5 acl file for host access', [u'MIT'], 5),
('user/user_config/k5identity', 'k5identity', u'Kerberos V5 client principal selection rules', [u'MIT'], 5),
+ ('user/user_config/kerberos', 'kerberos', u'Overview of using Kerberos', [u'MIT'], 7),
('admin/admin_commands/krb5kdc', 'krb5kdc', u'Kerberos V5 KDC', [u'MIT'], 8),
('admin/admin_commands/kadmin_local', 'kadmin', u'Kerberos V5 database administration program', [u'MIT'], 1),
('admin/admin_commands/kprop', 'kprop', u'propagate a Kerberos V5 principal database to a replica server', [u'MIT'], 8),
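Review bot: the new man_pages entry is consistent with the rest of the tuple list (source path, name, description, authors, section), and section 7 is the conventional section for an overview page such as kerberos(7); the only nit is that the description "Overview of using Kerberos" uses a capitalised first word where the neighbouring entries use lower case ("tool for linking ...", "propagate a Kerberos V5 ..."), so consider "overview of using Kerberos" for consistency, since this string is what ends up in the NAME line of the rendered page.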
.. toctree::
:maxdepth: 1
+ kerberos.rst
k5login.rst
k5identity.rst
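Review bot: placing kerberos.rst first in the toctree is reasonable since it is the overview that the k5login and k5identity pages assume, but the page is also referenced from the admin side (KRB5_KDC_PROFILE, krb5kdc, kadmind), so check that the same toctree or a cross-reference is added under the admin index as well, otherwise the page is reachable only through the user config tree.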
--- /dev/null
+.. _kerberos(7):
+
+kerberos
+========
+
+DESCRIPTION
+-----------
+
+The Kerberos system authenticates individual users in a network
+environment. After authenticating yourself to Kerberos, you can use
+Kerberos-enabled programs without having to present passwords.
+
+If you enter your username and :ref:`kinit(1)` responds with this
+message:
+
+kinit(v5): Client not found in Kerberos database while getting initial
+credentials
+
+you haven't been registered as a Kerberos user. See your system
+administrator.
+
+A Kerberos name usually contains three parts. The first is the
+**primary**, which is usually a user's or service's name. The second
+is the **instance**, which in the case of a user is usually null.
+Some users may have privileged instances, however, such as ``root`` or
+``admin``. In the case of a service, the instance is the fully
+qualified name of the machine on which it runs; i.e. there can be an
+rlogin service running on the machine ABC, which is different from the
+rlogin service running on the machine XYZ. The third part of a
+Kerberos name is the **realm**. The realm corresponds to the Kerberos
+service providing authentication for the principal.
+
+When writing a Kerberos name, the principal name is separated from the
+instance (if not null) by a slash, and the realm (if not the local
+realm) follows, preceded by an "@" sign. The following are examples
+of valid Kerberos names::
+
+ david
+ jennifer/admin
+ joeuser@BLEEP.COM
+ cbrown/root@FUBAR.ORG
+
+When you authenticate yourself with Kerberos you get an initial
+Kerberos **ticket**. (A Kerberos ticket is an encrypted protocol
+message that provides authentication.) Kerberos uses this ticket for
+network utilities such as rlogin and rcp. The ticket transactions are
+done transparently, so you don't have to worry about their management.
+
+Note, however, that tickets expire. Privileged tickets, such as those
+with the instance ``root``, expire in a few minutes, while tickets
+that carry more ordinary privileges may be good for several hours or a
+day, depending on the installation's policy. If your login session
+extends beyond the time limit, you will have to re-authenticate
+yourself to Kerberos to get new tickets. Use the :ref:`kinit(1)`
+command to re-authenticate yourself.
+
+If you use the kinit command to get your tickets, make sure you use
+the kdestroy command to destroy your tickets before you end your login
+session. You should put the kdestroy command in your ``.logout`` file
+so that your tickets will be destroyed automatically when you logout.
+For more information about the kinit and kdestroy commands, see the
+:ref:`kinit(1)` and :ref:`kdestroy(1)` manual pages.
+
+Kerberos tickets can be forwarded. In order to forward tickets, you
+must request **forwardable** tickets when you kinit. Once you have
+forwardable tickets, most Kerberos programs have a command line option
+to forward them to the remote host.
+
+ENVIRONMENT VARIABLES
+---------------------
+
+Several environment variables affect the operation of Kerberos-enabled
+programs. These inclide:
+
+**KRB5CCNAME**
+ Specifies the location of the credential cache, in the form
+ *TYPE*:*residual*. If no *type* prefix is present, the **FILE**
+ type is assumed and *residual* is the pathname of the cache file.
+ A collection of multiple caches may be used by specifying the
+ **dir** type and the pathname of a private directory (which must
+ already exist). The default cache file is /tmp/krb5cc_*uid*,
+ where *uid* is the decimal user ID of the user.
+
+**KRB5_KTNAME**
+ Specifies the location of the keytab file, in the form
+ *TYPE*:*residual*. If no *type* is present, the **FILE** type is
+ assumed and *residual* is the pathname of the keytab file. The
+ default keytab file is ``/etc/krb5.keytab``.
+
+**KRB5_CONFIG**
+ Specifies the location of the Kerberos configuration file. The
+ default is ``/etc/krb5.conf``.
+
+**KRB5_KDC_PROFILE**
+ Specifies the location of the KDC configuration file, which
+ contains additional configuration directives for the Key
+ Distribution Center daemon and associated programs. The default
+ is ``/usr/local/var/krb5kdc/kdc.conf``.
+
+**KRB5RCACHETYPE**
+ Specifies the default type of replay cache to use for servers.
+ Valid types include **dfl** for the normal file type and **none**
+ for no replay cache.
+
+**KRB5RCACHEDIR**
+ Specifies the default directory for replay caches used by servers.
+ The default is the value of the **TMPDIR** environment variable,
+ or ``/var/tmp`` if **TMPDIR** is not set.
+
+**KRB5_TRACE**
+ Specifies a filename to write trace log output to. Trace logs can
+ help illuminate decisions made internally by the Kerberos
+ libraries. The default is not to write trace log output anywhere.
+
+Most environment variables are disabled for certain programs, such as
+login system programs and setuid programs, which are designed to be
+secure when run within an untrusted process environment.
+
+SEE ALSO
+--------
+
+:ref:`kdestroy(1)`, :ref:`kinit(1)`, :ref:`klist(1)`,
+:ref:`kswitch(1)`, :ref:`kpasswd(1)`, :ref:`ksu(1)`,
+:ref:`krb5.conf(5)`, :ref:`kdc.conf(5)`, :ref:`kadmin(1)`,
+:ref:`kadmind(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`
+
+BUGS
+----
+
+AUTHORS
+-------
+
+| Steve Miller, MIT Project Athena/Digital Equipment Corporation
+| Clifford Neuman, MIT Project Athena
+| Greg Hudson, MIT Kerberos Consortium
+
+HISTORY
+-------
+
+The MIT Kerberos 5 implementation was developed at MIT, with
+contributions from many outside parties. It is currently maintained
+by the MIT Kerberos Consortium.
+
+RESTRICTIONS
+------------
+
+Copyright 1985, 1986, 1989-1996, 2002, 2011 Masachusetts Institute of
+Technology
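Review bot: two spelling errors need fixing before this page is generated into the man output: "These inclide:" in ENVIRONMENT VARIABLES should read "These include:", and "Masachusetts Institute of Technology" in RESTRICTIONS should read "Massachusetts Institute of Technology". The KRB5CCNAME entry also has a markup problem: "/tmp/krb5cc_*uid*" will not render *uid* as emphasis because the asterisk is attached to the preceding underscore, so it appears literally in the output; use the escaped form ``/tmp/krb5cc_``\ *uid* (or put the whole default in a literal) as the KRB5_KTNAME and KRB5_CONFIG entries do for their defaults. The kinit error message ("kinit(v5): Client not found in Kerberos database ...") would be clearer as a literal block introduced with "::" rather than a running paragraph, since it is program output the reader is meant to match verbatim. The BUGS section is empty; either drop it or add a sentence, as an empty section heading renders as a stray header. Finally, the sentence that environment variables are disabled for login and setuid programs is the most important security statement on the page; it would help the reader to name ksu(1), which is already in SEE ALSO, as the example of such a program, so that it is clear why an untrusted caller cannot redirect the configuration, credential cache or keytab of a privileged program through the environment.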
INSTALLMKDIRS = $(KRB5ROOT) $(KRB5MANROOT) $(KRB5OTHERMKDIRS) \
$(ADMIN_BINDIR) $(SERVER_BINDIR) $(CLIENT_BINDIR) \
$(ADMIN_MANDIR) $(SERVER_MANDIR) $(CLIENT_MANDIR) \
- $(FILE_MANDIR) \
+ $(FILE_MANDIR) $(OVERVIEW_MANDIR) \
$(ADMIN_CATDIR) $(SERVER_CATDIR) $(CLIENT_CATDIR) \
- $(FILE_CATDIR) \
+ $(FILE_CATDIR) $(OVERVIEW_CATDIR) \
$(KRB5_LIBDIR) $(KRB5_INCDIR) \
$(KRB5_DB_MODULE_DIR) $(KRB5_PA_MODULE_DIR) \
$(KRB5_AD_MODULE_DIR) \
SERVER_CATDIR = $(KRB5MANROOT)/cat8
CLIENT_CATDIR = $(KRB5MANROOT)/cat1
FILE_CATDIR = $(KRB5MANROOT)/cat5
+OVERVIEW_MANDIR = $(KRB5MANROOT)/man7
+OVERVIEW_CATDIR = $(KRB5MANROOT)/cat7
KRB5_LIBDIR = @libdir@
KRB5_INCDIR = @includedir@
MODULE_DIR = @libdir@/krb5/plugins
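Review bot: OVERVIEW_MANDIR and OVERVIEW_CATDIR follow the existing man8/cat8, man1/cat1 and man5/cat5 naming, and both are added to INSTALLMKDIRS in the earlier hunk, so the install target will create the directories before install-overviewman writes into them; the variable definitions should however be placed next to the other *_MANDIR definitions rather than only after the *_CATDIR block, so that a reader looking for OVERVIEW_MANDIR finds it alongside FILE_MANDIR.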
kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \
kdestroy.sub kinit.sub klist.sub kpasswd.sub kprop.sub kpropd.sub \
kproplog.sub krb5.conf.sub krb5-config.sub krb5kdc.sub ksu.sub \
- kswitch.sub ktutil.sub kvno.sub sclient.sub sserver.sub
+ kswitch.sub ktutil.sub kvno.sub sclient.sub sserver.sub kerberos.sub
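Review bot: MANSUBS is kept in alphabetical order (kadmin, kadmind, kdb5_ldap_util, ..., sclient, sserver), and kerberos.sub is appended at the end instead; move it between kdestroy.sub and kinit.sub so that the list stays sorted and future additions are easy to diff.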
docsrc=$(top_srcdir)/../doc
clean:
rm -rf $(MANSUBS) rst_man
-install: install-clientman install-fileman install-adminman install-serverman
+install: install-clientman install-fileman install-adminman \
+ install-overviewman install-serverman
-install-catman: install-clientcat install-filecat install-admincat install-servercat
+install-catman: install-clientcat install-filecat install-admincat \
+ install-overviewcat install-servercat
install-clientman:
$(INSTALL_DATA) k5srvutil.sub $(DESTDIR)$(CLIENT_MANDIR)/k5srvutil.1
$(INSTALL_DATA) kdc.conf.sub $(DESTDIR)$(FILE_MANDIR)/kdc.conf.5
$(INSTALL_DATA) krb5.conf.sub $(DESTDIR)$(FILE_MANDIR)/krb5.conf.5
+install-overviewman:
+ $(INSTALL_DATA) kerberos.sub $(DESTDIR)$(OVERVIEW_MANDIR)/kerberos.7
+
install-adminman:
$(INSTALL_DATA) $(srcdir)/kadmin.local.8 \
$(DESTDIR)$(ADMIN_MANDIR)/kadmin.local.8
$(GROFF_MAN) kdc.conf.sub > $(DESTDIR)$(FILE_CATDIR)/kdc.conf.5
$(GROFF_MAN) krb5.conf.sub > $(DESTDIR)$(FILE_CATDIR)/krb5.conf.5
+install-overviewcat:
+ $(GROFF_MAN) kerberos.sub > $(DESTDIR)$(OVERVIEW_CATDIR)/kerberos.7
+
install-admincat:
($(RM) $(DESTDIR)$(ADMIN_CATDIR)/kadmin.local.8; \
$(LN_S) $(CLIENT_CATDIR)/kadmin.1 \
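Review bot: the new install-overviewman and install-overviewcat targets mirror the existing file and client targets exactly, which is correct, but note that "$(GROFF_MAN) kerberos.sub > $(DESTDIR)$(OVERVIEW_CATDIR)/kerberos.7" (like the existing kdc.conf and krb5.conf lines) leaves a truncated or empty kerberos.7 in the cat directory if groff fails, because the shell creates the output file before the command runs; writing to a temporary file and renaming on success would avoid shipping a broken cat page, and could be applied to the existing lines in a follow-up.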
--- /dev/null
+.\" Man page generated from reStructuredText.
+.
+.TH "KERBEROS" "7" " " "1.17" "MIT Kerberos"
+.SH NAME
+kerberos \- Overview of using Kerberos
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH DESCRIPTION
+.sp
+The Kerberos system authenticates individual users in a network
+environment. After authenticating yourself to Kerberos, you can use
+Kerberos\-enabled programs without having to present passwords.
+.sp
+If you enter your username and kinit(1) responds with this
+message:
+.sp
+kinit(v5): Client not found in Kerberos database while getting initial
+credentials
+.sp
+you haven\(aqt been registered as a Kerberos user. See your system
+administrator.
+.sp
+A Kerberos name usually contains three parts. The first is the
+\fBprimary\fP, which is usually a user\(aqs or service\(aqs name. The second
+is the \fBinstance\fP, which in the case of a user is usually null.
+Some users may have privileged instances, however, such as \fBroot\fP or
+\fBadmin\fP\&. In the case of a service, the instance is the fully
+qualified name of the machine on which it runs; i.e. there can be an
+rlogin service running on the machine ABC, which is different from the
+rlogin service running on the machine XYZ. The third part of a
+Kerberos name is the \fBrealm\fP\&. The realm corresponds to the Kerberos
+service providing authentication for the principal.
+.sp
+When writing a Kerberos name, the principal name is separated from the
+instance (if not null) by a slash, and the realm (if not the local
+realm) follows, preceded by an "@" sign. The following are examples
+of valid Kerberos names:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+david
+jennifer/admin
+joeuser@BLEEP.COM
+cbrown/root@FUBAR.ORG
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+When you authenticate yourself with Kerberos you get an initial
+Kerberos \fBticket\fP\&. (A Kerberos ticket is an encrypted protocol
+message that provides authentication.) Kerberos uses this ticket for
+network utilities such as rlogin and rcp. The ticket transactions are
+done transparently, so you don\(aqt have to worry about their management.
+.sp
+Note, however, that tickets expire. Privileged tickets, such as those
+with the instance \fBroot\fP, expire in a few minutes, while tickets
+that carry more ordinary privileges may be good for several hours or a
+day, depending on the installation\(aqs policy. If your login session
+extends beyond the time limit, you will have to re\-authenticate
+yourself to Kerberos to get new tickets. Use the kinit(1)
+command to re\-authenticate yourself.
+.sp
+If you use the kinit command to get your tickets, make sure you use
+the kdestroy command to destroy your tickets before you end your login
+session. You should put the kdestroy command in your \fB\&.logout\fP file
+so that your tickets will be destroyed automatically when you logout.
+For more information about the kinit and kdestroy commands, see the
+kinit(1) and kdestroy(1) manual pages.
+.sp
+Kerberos tickets can be forwarded. In order to forward tickets, you
+must request \fBforwardable\fP tickets when you kinit. Once you have
+forwardable tickets, most Kerberos programs have a command line option
+to forward them to the remote host.
+.SH ENVIRONMENT VARIABLES
+.sp
+Several environment variables affect the operation of Kerberos\-enabled
+programs. These inclide:
+.INDENT 0.0
+.TP
+\fBKRB5CCNAME\fP
+Specifies the location of the credential cache, in the form
+\fITYPE\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the \fBFILE\fP
+type is assumed and \fIresidual\fP is the pathname of the cache file.
+A collection of multiple caches may be used by specifying the
+\fBdir\fP type and the pathname of a private directory (which must
+already exist). The default cache file is /tmp/krb5cc_*uid*,
+where \fIuid\fP is the decimal user ID of the user.
+.TP
+\fBKRB5_KTNAME\fP
+Specifies the location of the keytab file, in the form
+\fITYPE\fP:\fIresidual\fP\&. If no \fItype\fP is present, the \fBFILE\fP type is
+assumed and \fIresidual\fP is the pathname of the keytab file. The
+default keytab file is \fB/etc/krb5.keytab\fP\&.
+.TP
+\fBKRB5_CONFIG\fP
+Specifies the location of the Kerberos configuration file. The
+default is \fB/etc/krb5.conf\fP\&.
+.TP
+\fBKRB5_KDC_PROFILE\fP
+Specifies the location of the KDC configuration file, which
+contains additional configuration directives for the Key
+Distribution Center daemon and associated programs. The default
+is \fB/usr/local/var/krb5kdc/kdc.conf\fP\&.
+.TP
+\fBKRB5RCACHETYPE\fP
+Specifies the default type of replay cache to use for servers.
+Valid types include \fBdfl\fP for the normal file type and \fBnone\fP
+for no replay cache.
+.TP
+\fBKRB5RCACHEDIR\fP
+Specifies the default directory for replay caches used by servers.
+The default is the value of the \fBTMPDIR\fP environment variable,
+or \fB/var/tmp\fP if \fBTMPDIR\fP is not set.
+.TP
+\fBKRB5_TRACE\fP
+Specifies a filename to write trace log output to. Trace logs can
+help illuminate decisions made internally by the Kerberos
+libraries. The default is not to write trace log output anywhere.
+.UNINDENT
+.sp
+Most environment variables are disabled for certain programs, such as
+login system programs and setuid programs, which are designed to be
+secure when run within an untrusted process environment.
+.SH SEE ALSO
+.sp
+kdestroy(1), kinit(1), klist(1),
+kswitch(1), kpasswd(1), ksu(1),
+krb5.conf(5), kdc.conf(5), kadmin(1),
+kadmind(8), kdb5_util(8), krb5kdc(8)
+.SH BUGS
+.SH AUTHORS
+.nf
+Steve Miller, MIT Project Athena/Digital Equipment Corporation
+Clifford Neuman, MIT Project Athena
+Greg Hudson, MIT Kerberos Consortium
+.fi
+.sp
+.SH HISTORY
+.sp
+The MIT Kerberos 5 implementation was developed at MIT, with
+contributions from many outside parties. It is currently maintained
+by the MIT Kerberos Consortium.
+.SH RESTRICTIONS
+.sp
+Copyright 1985, 1986, 1989\-1996, 2002, 2011 Masachusetts Institute of
+Technology
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+1985-2018, MIT
+.\" Generated by docutils manpage writer.
+.
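Review bot: this generated kerberos.7 carries the source defects from kerberos.rst verbatim, so it must be regenerated once the .rst is corrected: "These inclide:" and "Masachusetts" appear unchanged, the KRB5CCNAME default renders as the literal text "/tmp/krb5cc_*uid*" (the asterisks leaked through because the emphasis markup in the source is not recognised), the kinit error message is set as an ordinary paragraph rather than preformatted text, and ".SH BUGS" is an empty section. Also, rst2man appends its own ".SH AUTHOR" / "MIT" and ".SH COPYRIGHT" / "1985-2018, MIT" sections after RESTRICTIONS, which duplicate the hand-written AUTHORS section and give a copyright range that differs from the one in RESTRICTIONS (1985, 1986, 1989-1996, 2002, 2011); pick one of the two or make the RESTRICTIONS text match what the generator emits.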