summaryrefslogtreecommitdiff
path: root/crypto/kerberosIV/lib/auth/sia/README
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/kerberosIV/lib/auth/sia/README')
-rw-r--r--crypto/kerberosIV/lib/auth/sia/README87
1 files changed, 0 insertions, 87 deletions
diff --git a/crypto/kerberosIV/lib/auth/sia/README b/crypto/kerberosIV/lib/auth/sia/README
deleted file mode 100644
index 65957345dad1..000000000000
--- a/crypto/kerberosIV/lib/auth/sia/README
+++ /dev/null
@@ -1,87 +0,0 @@
-
-Digital SIA
------------
-
-To install the SIA module you will have to do the following:
-
- * Make sure `libsia_krb4.so' is available in `/usr/athena/lib'. If
- `/usr/athena' is not on local disk, you might want to put it in
- `/usr/shlib' or someplace else. If you do, you'll have to edit
- `krb4_matrix.conf' to reflect the new location (you will also have
- to do this if you installed in some other directory than
- `/usr/athena'). If you built with shared libraries, you will have
- to copy the shared `libkrb.so', `libdes.so', `libkadm.so', and
- `libkafs.so' to a place where the loader can find them (such as
- `/usr/shlib').
-
- * Copy (your possibly edited) `krb4_matrix.conf' to `/etc/sia'.
-
- * Apply `security.patch' to `/sbin/init.d/security'.
-
- * Turn on KRB4 security by issuing `rcmgr set SECURITY KRB4' and
- `rcmgr set KRB4_MATRIX_CONF krb4_matrix.conf'.
-
- * Digital thinks you should reboot your machine, but that really
- shouldn't be necessary. It's usually sufficient just to run
- `/sbin/init.d/security start' (and restart any applications that
- use SIA, like `xdm'.)
-
-Users with local passwords (like `root') should be able to login safely.
-
-When using Digital's xdm the `KRBTKFILE' environment variable isn't
-passed along as it should (since xdm zaps the environment). Instead you
-have to set `KRBTKFILE' to the correct value in
-`/usr/lib/X11/xdm/Xsession'. Add a line similar to
- KRBTKFILE=/tmp/tkt`id -u`_`ps -o ppid= -p $$`; export KRBTKFILE
-If you use CDE, `dtlogin' allows you to specify which additional
-environment variables it should export. To add `KRBTKFILE' to this
-list, edit `/usr/dt/config/Xconfig', and look for the definition of
-`exportList'. You want to add something like:
- Dtlogin.exportList: KRBTKFILE
-
-Notes to users with Enhanced security
-.....................................
-
-Digital's `ENHANCED' (C2) security, and Kerberos solves two different
-problems. C2 deals with local security, adds better control of who can
-do what, auditing, and similar things. Kerberos deals with network
-security.
-
-To make C2 security work with Kerberos you will have to do the
-following.
-
- * Replace all occurencies of `krb4_matrix.conf' with
- `krb4+c2_matrix.conf' in the directions above.
-
- * You must enable "vouching" in the `default' database. This will
- make the OSFC2 module trust other SIA modules, so you can login
- without giving your C2 password. To do this use `edauth' to edit
- the default entry `/usr/tcb/bin/edauth -dd default', and add a
- `d_accept_alternate_vouching' capability, if not already present.
-
- * For each user that does _not_ have a local C2 password, you should
- set the password expiration field to zero. You can do this for each
- user, or in the `default' table. To do this use `edauth' to set
- (or change) the `u_exp' capability to `u_exp#0'.
-
- * You also need to be aware that the shipped `login', `rcp', and
- `rshd', doesn't do any particular C2 magic (such as checking to
- various forms of disabled accounts), so if you rely on those
- features, you shouldn't use those programs. If you configure with
- `--enable-osfc2', these programs will, however, set the login UID.
- Still: use at your own risk.
-
-At present `su' does not accept the vouching flag, so it will not work
-as expected.
-
-Also, kerberised ftp will not work with C2 passwords. You can solve this
-by using both Digital's ftpd and our on different ports.
-
-*Remember*, if you do these changes you will get a system that most
-certainly does _not_ fulfill the requirements of a C2 system. If C2 is
-what you want, for instance if someone else is forcing you to use it,
-you're out of luck. If you use enhanced security because you want a
-system that is more secure than it would otherwise be, you probably got
-an even more secure system. Passwords will not be sent in the clear,
-for instance.
-
generated by cgit v1.2.3 (git 2.25.1) at 2025-02-22 15:32:53 +0000