krb5: Update to 1.21.1 - src - FreeBSD source tree

diff options


context:
space:
mode:

author	Cy Schubert <cy@FreeBSD.org>	2023-08-04 17:53:10 +0000
committer	Cy Schubert <cy@FreeBSD.org>	2023-08-04 17:53:10 +0000
commit	0320e0d5bb9fbb5da53478b3fd80ad79b110191d (patch)
tree	e1185f75bd2d3f87b0c17f787debc3ee8648214b /doc/html/user/user_config
parent	b0e4d68d5124581ae353493d69bea352de4cff8a (diff)

vendor/krb5/1.21.1

Diffstat (limited to 'doc/html/user/user_config')

-rw-r--r--

doc/html/user/user_config/index.html

-rw-r--r--

doc/html/user/user_config/k5identity.html

-rw-r--r--

doc/html/user/user_config/k5login.html

-rw-r--r--

doc/html/user/user_config/kerberos.html

310

4 files changed, 385 insertions, 77 deletions

diff --git a/doc/html/user/user_config/index.html b/doc/html/user/user_config/index.html
index 2d3bdd742bbc..da05e8baf631 100644
--- a/doc/html/user/user_config/index.html
+++ b/doc/html/user/user_config/index.html

@@ -1,34 +1,32 @@

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<head>

- <title>User config files — MIT Kerberos Documentation</title>

+ <title>User config files — MIT Kerberos Documentation</title>

var DOCUMENTATION_OPTIONS = {

URL_ROOT: '../../',

- VERSION: '1.16',

+ VERSION: '1.21.1',

COLLAPSE_INDEX: false,

FILE_SUFFIX: '.html',

- HAS_SOURCE: true

+ HAS_SOURCE: true,

+ SOURCELINK_SUFFIX: '.txt'

};

</script>

+ <link rel="index" title="Index" href="../../genindex.html" />

+ <link rel="search" title="Search" href="../../search.html" />

- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />

- <link rel="up" title="For users" href="../index.html" />

- <link rel="next" title=".k5login" href="k5login.html" />

+ <link rel="next" title="kerberos" href="kerberos.html" />

</head>

<body>

@@ -44,7 +42,7 @@

accesskey="C">Contents</a> |

<a href="../tkt_mgmt.html" title="Ticket management"

accesskey="P">previous</a> |

- <a href="k5login.html" title=".k5login"

+ <a href="kerberos.html" title="kerberos"

accesskey="N">next</a> |

<a href="../../genindex.html" title="General Index"

accesskey="I">index</a> |

@@ -61,15 +59,16 @@

- <div class="body">

+ <div class="body" role="main">

<h1>User config files<a class="headerlink" href="#user-config-files" title="Permalink to this headline">¶</a></h1>

<p>The following files in your home directory can be used to control the

behavior of Kerberos as it applies to your account (unless they have

-been disabled by your host’s configuration):</p>

+been disabled by your host’s configuration):</p>

<ul>

+<li class="toctree-l1"><a class="reference internal" href="kerberos.html">kerberos</a></li>

<li class="toctree-l1"><a class="reference internal" href="k5login.html">.k5login</a></li>

<li class="toctree-l1"><a class="reference internal" href="k5identity.html">.k5identity</a></li>

</ul>

@@ -93,7 +92,8 @@ been disabled by your host’s configuration):</p>

<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For users</a><ul class="current">

<li class="toctree-l2"><a class="reference internal" href="../pwd_mgmt.html">Password management</a></li>

<li class="toctree-l2"><a class="reference internal" href="../tkt_mgmt.html">Ticket management</a></li>

-<li class="toctree-l2 current"><a class="current reference internal" href="">User config files</a><ul>

+<li class="toctree-l2 current"><a class="current reference internal" href="#">User config files</a><ul>

+<li class="toctree-l3"><a class="reference internal" href="kerberos.html">kerberos</a></li>

<li class="toctree-l3"><a class="reference internal" href="k5login.html">.k5login</a></li>

<li class="toctree-l3"><a class="reference internal" href="k5identity.html">.k5identity</a></li>

</ul>

@@ -129,8 +129,8 @@ been disabled by your host’s configuration):</p>

- <div class="right" ><i>Release: 1.16</i><br />

+ <div class="right" ><i>Release: 1.21.1</i><br />

+ © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.

</div>

@@ -138,7 +138,7 @@ been disabled by your host’s configuration):</p>

>Contents</a> |

<a href="../tkt_mgmt.html" title="Ticket management"

>previous</a> |

- <a href="k5login.html" title=".k5login"

+ <a href="kerberos.html" title="kerberos"

>next</a> |

<a href="../../genindex.html" title="General Index"

>index</a> |

diff --git a/doc/html/user/user_config/k5identity.html b/doc/html/user/user_config/k5identity.html
index d1155590d7bc..fc38fdb6ec2c 100644
--- a/doc/html/user/user_config/k5identity.html
+++ b/doc/html/user/user_config/k5identity.html

@@ -1,33 +1,31 @@

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<head>

- <title>.k5identity — MIT Kerberos Documentation</title>

+ <title>.k5identity — MIT Kerberos Documentation</title>

var DOCUMENTATION_OPTIONS = {

URL_ROOT: '../../',

- VERSION: '1.16',

+ VERSION: '1.21.1',

COLLAPSE_INDEX: false,

FILE_SUFFIX: '.html',

- HAS_SOURCE: true

+ HAS_SOURCE: true,

+ SOURCELINK_SUFFIX: '.txt'

};

</script>

+ <link rel="index" title="Index" href="../../genindex.html" />

+ <link rel="search" title="Search" href="../../search.html" />

- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />

- <link rel="up" title="User config files" href="index.html" />

</head>

@@ -61,20 +59,20 @@

- <div class="body">

+ <div class="body" role="main">

<span id="k5identity-5"></span><h1>.k5identity<a class="headerlink" href="#k5identity" title="Permalink to this headline">¶</a></h1>

<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>

-<p>The .k5identity file, which resides in a user’s home directory,

+<p>The .k5identity file, which resides in a user’s home directory,

contains a list of rules for selecting a client principals based on

the server being accessed. These rules are used to choose a

credential cache within the cache collection when possible.</p>

-<p>Blank lines and lines beginning with <tt class="docutils literal"><span class="pre">#</span></tt> are ignored. Each line has

+<p>Blank lines and lines beginning with <code class="docutils literal"><span class="pre">#</span></code> are ignored. Each line has

the form:</p>

-<div><em>principal</em> <em>field</em>=<em>value</em> ...</div></blockquote>

+<div><em>principal</em> <em>field</em>=<em>value</em> …</div></blockquote>

<p>If the server principal meets all of the field constraints, then

principal is chosen as the client principal. The following fields are

recognized:</p>

@@ -83,8 +81,8 @@ recognized:</p>

<dd>If the realm of the server principal is known, it is matched

against <em>value</em>, which may be a pattern using shell wildcards.

For host-based server principals, the realm will generally only be

-known if there is a <a class="reference internal" href="../../admin/conf_files/krb5_conf.html#domain-realm"><em>[domain_realm]</em></a> section in

-<a class="reference internal" href="../../admin/conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> with a mapping for the hostname.</dd>

+known if there is a <a class="reference internal" href="../../admin/conf_files/krb5_conf.html#domain-realm"><span class="std std-ref">[domain_realm]</span></a> section in

+<a class="reference internal" href="../../admin/conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> with a mapping for the hostname.</dd>

<dt><strong>service</strong></dt>

<dd>If the server principal is a host-based principal, its service

component is matched against <em>value</em>, which may be a pattern using

@@ -104,19 +102,19 @@ cache.</p>

<h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2>

<p>The following example .k5identity file selects the client principal

-<tt class="docutils literal"><span class="pre">alice@KRBTEST.COM</span></tt> if the server principal is within that realm,

-the principal <tt class="docutils literal"><span class="pre">alice/root@EXAMPLE.COM</span></tt> if the server host is within

-a servers subdomain, and the principal <tt class="docutils literal"><span class="pre">alice/mail@EXAMPLE.COM</span></tt> when

-accessing the IMAP service on <tt class="docutils literal"><span class="pre">mail.example.com</span></tt>:</p>

-<div class="highlight-python"><div class="highlight"><pre>alice@KRBTEST.COM realm=KRBTEST.COM

-alice/root@EXAMPLE.COM host=*.servers.example.com

-alice/mail@EXAMPLE.COM host=mail.example.com service=imap

+<code class="docutils literal"><span class="pre">alice@KRBTEST.COM</span></code> if the server principal is within that realm,

+the principal <code class="docutils literal"><span class="pre">alice/root@EXAMPLE.COM</span></code> if the server host is within

+a servers subdomain, and the principal <code class="docutils literal"><span class="pre">alice/mail@EXAMPLE.COM</span></code> when

+accessing the IMAP service on <code class="docutils literal"><span class="pre">mail.example.com</span></code>:</p>

+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">alice</span><span class="nd">@KRBTEST</span><span class="o">.</span><span class="n">COM</span> <span class="n">realm</span><span class="o">=</span><span class="n">KRBTEST</span><span class="o">.</span><span class="n">COM</span>

+<span class="n">alice</span><span class="o">/</span><span class="n">root</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="n">host</span><span class="o">=*.</span><span class="n">servers</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>

+<span class="n">alice</span><span class="o">/</span><span class="n">mail</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span> <span class="n">host</span><span class="o">=</span><span class="n">mail</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span> <span class="n">service</span><span class="o">=</span><span class="n">imap</span>

</pre></div>

</div>

-<p>kerberos(1), <a class="reference internal" href="../../admin/conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a></p>

+<p>kerberos(1), <a class="reference internal" href="../../admin/conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a></p>

</div>

@@ -143,8 +141,9 @@ alice/mail@EXAMPLE.COM host=mail.example.com service=imap

<li class="toctree-l2"><a class="reference internal" href="../pwd_mgmt.html">Password management</a></li>

<li class="toctree-l2"><a class="reference internal" href="../tkt_mgmt.html">Ticket management</a></li>

<li class="toctree-l2 current"><a class="reference internal" href="index.html">User config files</a><ul class="current">

+<li class="toctree-l3"><a class="reference internal" href="kerberos.html">kerberos</a></li>

<li class="toctree-l3"><a class="reference internal" href="k5login.html">.k5login</a></li>

-<li class="toctree-l3 current"><a class="current reference internal" href="">.k5identity</a></li>

+<li class="toctree-l3 current"><a class="current reference internal" href="#">.k5identity</a></li>

</ul>

</li>

<li class="toctree-l2"><a class="reference internal" href="../user_commands/index.html">User commands</a></li>

@@ -178,8 +177,8 @@ alice/mail@EXAMPLE.COM host=mail.example.com service=imap

- <div class="right" ><i>Release: 1.16</i><br />

+ <div class="right" ><i>Release: 1.21.1</i><br />

+ © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.

</div>

diff --git a/doc/html/user/user_config/k5login.html b/doc/html/user/user_config/k5login.html
index f46db5c5f513..0d0fcdb24000 100644
--- a/doc/html/user/user_config/k5login.html
+++ b/doc/html/user/user_config/k5login.html

@@ -1,35 +1,33 @@

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<head>

- <title>.k5login — MIT Kerberos Documentation</title>

+ <title>.k5login — MIT Kerberos Documentation</title>

var DOCUMENTATION_OPTIONS = {

URL_ROOT: '../../',

- VERSION: '1.16',

+ VERSION: '1.21.1',

COLLAPSE_INDEX: false,

FILE_SUFFIX: '.html',

- HAS_SOURCE: true

+ HAS_SOURCE: true,

+ SOURCELINK_SUFFIX: '.txt'

};

</script>

+ <link rel="index" title="Index" href="../../genindex.html" />

+ <link rel="search" title="Search" href="../../search.html" />

- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />

- <link rel="up" title="User config files" href="index.html" />

- <link rel="prev" title="User config files" href="index.html" />

+ <link rel="prev" title="kerberos" href="kerberos.html" />

</head>

<body>

@@ -42,7 +40,7 @@

<a href="../../index.html" title="Full Table of Contents"

accesskey="C">Contents</a> |

- <a href="index.html" title="User config files"

+ <a href="kerberos.html" title="kerberos"

accesskey="P">previous</a> |

<a href="k5identity.html" title=".k5identity"

accesskey="N">next</a> |

@@ -61,48 +59,48 @@

- <div class="body">

+ <div class="body" role="main">

<span id="k5login-5"></span><h1>.k5login<a class="headerlink" href="#k5login" title="Permalink to this headline">¶</a></h1>

<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>

-<p>The .k5login file, which resides in a user’s home directory, contains

+<p>The .k5login file, which resides in a user’s home directory, contains

a list of the Kerberos principals. Anyone with valid tickets for a

principal in the file is allowed host access with the UID of the user

in whose home directory the file resides. One common use is to place

-a .k5login file in root’s home directory, thereby granting system

+a .k5login file in root’s home directory, thereby granting system

administrators remote root access to the host via Kerberos.</p>

</div>

<h2>EXAMPLES<a class="headerlink" href="#examples" title="Permalink to this headline">¶</a></h2>

-<p>Suppose the user <tt class="docutils literal"><span class="pre">alice</span></tt> had a .k5login file in her home directory

+<p>Suppose the user <code class="docutils literal"><span class="pre">alice</span></code> had a .k5login file in her home directory

containing just the following line:</p>

-<div class="highlight-python"><div class="highlight"><pre>bob@FOOBAR.ORG

+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">bob</span><span class="nd">@FOOBAR</span><span class="o">.</span><span class="n">ORG</span>

</pre></div>

</div>

-<p>This would allow <tt class="docutils literal"><span class="pre">bob</span></tt> to use Kerberos network applications, such as

-ssh(1), to access <tt class="docutils literal"><span class="pre">alice</span></tt>‘s account, using <tt class="docutils literal"><span class="pre">bob</span></tt>‘s Kerberos

+<p>This would allow <code class="docutils literal"><span class="pre">bob</span></code> to use Kerberos network applications, such as

+ssh(1), to access <code class="docutils literal"><span class="pre">alice</span></code>’s account, using <code class="docutils literal"><span class="pre">bob</span></code>’s Kerberos

tickets. In a default configuration (with <strong>k5login_authoritative</strong> set

-to true in <a class="reference internal" href="../../admin/conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>), this .k5login file would not let

-<tt class="docutils literal"><span class="pre">alice</span></tt> use those network applications to access her account, since

+to true in <a class="reference internal" href="../../admin/conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>), this .k5login file would not let

+<code class="docutils literal"><span class="pre">alice</span></code> use those network applications to access her account, since

she is not listed! With no .k5login file, or with <strong>k5login_authoritative</strong>

-set to false, a default rule would permit the principal <tt class="docutils literal"><span class="pre">alice</span></tt> in the

-machine’s default realm to access the <tt class="docutils literal"><span class="pre">alice</span></tt> account.</p>

-<p>Let us further suppose that <tt class="docutils literal"><span class="pre">alice</span></tt> is a system administrator.

+set to false, a default rule would permit the principal <code class="docutils literal"><span class="pre">alice</span></code> in the

+machine’s default realm to access the <code class="docutils literal"><span class="pre">alice</span></code> account.</p>

+<p>Let us further suppose that <code class="docutils literal"><span class="pre">alice</span></code> is a system administrator.

Alice and the other system administrators would have their principals

-in root’s .k5login file on each host:</p>

-<div class="highlight-python"><div class="highlight"><pre>alice@BLEEP.COM

+in root’s .k5login file on each host:</p>

+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span>

-joeadmin/root@BLEEP.COM

+<span class="n">joeadmin</span><span class="o">/</span><span class="n">root</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span>

</pre></div>

</div>

<p>This would allow either system administrator to log in to these hosts

using their Kerberos tickets instead of having to type the root

-password. Note that because <tt class="docutils literal"><span class="pre">bob</span></tt> retains the Kerberos tickets for

-his own principal, <tt class="docutils literal"><span class="pre">bob@FOOBAR.ORG</span></tt>, he would not have any of the

-privileges that require <tt class="docutils literal"><span class="pre">alice</span></tt>‘s tickets, such as root access to

-any of the site’s hosts, or the ability to change <tt class="docutils literal"><span class="pre">alice</span></tt>‘s

+password. Note that because <code class="docutils literal"><span class="pre">bob</span></code> retains the Kerberos tickets for

+his own principal, <code class="docutils literal"><span class="pre">bob@FOOBAR.ORG</span></code>, he would not have any of the

+privileges that require <code class="docutils literal"><span class="pre">alice</span></code>’s tickets, such as root access to

+any of the site’s hosts, or the ability to change <code class="docutils literal"><span class="pre">alice</span></code>’s

password.</p>

</div>

@@ -134,7 +132,8 @@ password.</p>

<li class="toctree-l2"><a class="reference internal" href="../pwd_mgmt.html">Password management</a></li>

<li class="toctree-l2"><a class="reference internal" href="../tkt_mgmt.html">Ticket management</a></li>

<li class="toctree-l2 current"><a class="reference internal" href="index.html">User config files</a><ul class="current">

-<li class="toctree-l3 current"><a class="current reference internal" href="">.k5login</a></li>

+<li class="toctree-l3"><a class="reference internal" href="kerberos.html">kerberos</a></li>

+<li class="toctree-l3 current"><a class="current reference internal" href="#">.k5login</a></li>

<li class="toctree-l3"><a class="reference internal" href="k5identity.html">.k5identity</a></li>

</ul>

</li>

@@ -169,14 +168,14 @@ password.</p>

- <div class="right" ><i>Release: 1.16</i><br />

+ <div class="right" ><i>Release: 1.21.1</i><br />

+ © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.

</div>

<a href="../../index.html" title="Full Table of Contents"

>Contents</a> |

- <a href="index.html" title="User config files"

+ <a href="kerberos.html" title="kerberos"

>previous</a> |

<a href="k5identity.html" title=".k5identity"

>next</a> |

diff --git a/doc/html/user/user_config/kerberos.html b/doc/html/user/user_config/kerberos.html
new file mode 100644
index 000000000000..02227a3508ed
--- /dev/null
+++ b/doc/html/user/user_config/kerberos.html

@@ -0,0 +1,310 @@

+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

+<html xmlns="http://www.w3.org/1999/xhtml">

+ <head>

+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

+ <title>kerberos — MIT Kerberos Documentation</title>

+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />

+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />

+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />

+ <script type="text/javascript">

+ var DOCUMENTATION_OPTIONS = {

+ URL_ROOT: '../../',

+ VERSION: '1.21.1',

+ COLLAPSE_INDEX: false,

+ FILE_SUFFIX: '.html',

+ HAS_SOURCE: true,

+ SOURCELINK_SUFFIX: '.txt'

+ };

+ </script>

+ <script type="text/javascript" src="../../_static/jquery.js"></script>

+ <script type="text/javascript" src="../../_static/underscore.js"></script>

+ <script type="text/javascript" src="../../_static/doctools.js"></script>

+ <link rel="author" title="About these documents" href="../../about.html" />

+ <link rel="index" title="Index" href="../../genindex.html" />

+ <link rel="search" title="Search" href="../../search.html" />

+ <link rel="copyright" title="Copyright" href="../../copyright.html" />

+ <link rel="next" title=".k5login" href="k5login.html" />

+ <link rel="prev" title="User config files" href="index.html" />

+ </head>

+ <body>

+ <div class="header-wrapper">

+ <div class="header">

+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>

+ <div class="rel">

+ <a href="../../index.html" title="Full Table of Contents"

+ accesskey="C">Contents</a> |

+ <a href="index.html" title="User config files"

+ accesskey="P">previous</a> |

+ <a href="k5login.html" title=".k5login"

+ accesskey="N">next</a> |

+ <a href="../../genindex.html" title="General Index"

+ accesskey="I">index</a> |

+ <a href="../../search.html" title="Enter search criteria"

+ accesskey="S">Search</a> |

+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kerberos">feedback</a>

+ </div>

+ <div class="content-wrapper">

+ <div class="content">

+ <div class="document">

+ <div class="documentwrapper">

+ <div class="bodywrapper">

+ <div class="body" role="main">

+ <div class="section" id="kerberos">

+<span id="kerberos-7"></span><h1>kerberos<a class="headerlink" href="#kerberos" title="Permalink to this headline">¶</a></h1>

+<div class="section" id="description">

+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>

+<p>The Kerberos system authenticates individual users in a network

+environment. After authenticating yourself to Kerberos, you can use

+Kerberos-enabled programs without having to present passwords or

+certificates to those programs.</p>

+<p>If you receive the following response from <a class="reference internal" href="../user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>:</p>

+<p>kinit: Client not found in Kerberos database while getting initial

+credentials</p>

+<p>you haven’t been registered as a Kerberos user. See your system

+administrator.</p>

+<p>A Kerberos name usually contains three parts. The first is the

+<strong>primary</strong>, which is usually a user’s or service’s name. The second

+is the <strong>instance</strong>, which in the case of a user is usually null.

+Some users may have privileged instances, however, such as <code class="docutils literal"><span class="pre">root</span></code> or

+<code class="docutils literal"><span class="pre">admin</span></code>. In the case of a service, the instance is the fully

+qualified name of the machine on which it runs; i.e. there can be an

+ssh service running on the machine ABC (<a class="reference external" href="mailto:ssh/ABC%40REALM">ssh/ABC<span>@</span>REALM</a>), which is

+different from the ssh service running on the machine XYZ

+(<a class="reference external" href="mailto:ssh/XYZ%40REALM">ssh/XYZ<span>@</span>REALM</a>). The third part of a Kerberos name is the <strong>realm</strong>.

+The realm corresponds to the Kerberos service providing authentication

+for the principal. Realms are conventionally all-uppercase, and often

+match the end of hostnames in the realm (for instance, host01.example.com

+might be in realm EXAMPLE.COM).</p>

+<p>When writing a Kerberos name, the principal name is separated from the

+instance (if not null) by a slash, and the realm (if not the local

+realm) follows, preceded by an “@” sign. The following are examples

+of valid Kerberos names:</p>

+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">david</span>

+<span class="n">jennifer</span><span class="o">/</span><span class="n">admin</span>

+<span class="n">joeuser</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span>

+<span class="n">cbrown</span><span class="o">/</span><span class="n">root</span><span class="nd">@FUBAR</span><span class="o">.</span><span class="n">ORG</span>

+</pre></div>

+</div>

+<p>When you authenticate yourself with Kerberos you get an initial

+Kerberos <strong>ticket</strong>. (A Kerberos ticket is an encrypted protocol

+message that provides authentication.) Kerberos uses this ticket for

+network utilities such as ssh. The ticket transactions are done

+transparently, so you don’t have to worry about their management.</p>

+<p>Note, however, that tickets expire. Administrators may configure more

+privileged tickets, such as those with service or instance of <code class="docutils literal"><span class="pre">root</span></code>

+or <code class="docutils literal"><span class="pre">admin</span></code>, to expire in a few minutes, while tickets that carry

+more ordinary privileges may be good for several hours or a day. If

+your login session extends beyond the time limit, you will have to

+re-authenticate yourself to Kerberos to get new tickets using the

+<a class="reference internal" href="../user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> command.</p>

+<p>Some tickets are <strong>renewable</strong> beyond their initial lifetime. This

+means that <code class="docutils literal"><span class="pre">kinit</span> <span class="pre">-R</span></code> can extend their lifetime without requiring

+you to re-authenticate.</p>

+<p>If you wish to delete your local tickets, use the <a class="reference internal" href="../user_commands/kdestroy.html#kdestroy-1"><span class="std std-ref">kdestroy</span></a>

+command.</p>

+<p>Kerberos tickets can be forwarded. In order to forward tickets, you

+must request <strong>forwardable</strong> tickets when you kinit. Once you have

+forwardable tickets, most Kerberos programs have a command line option

+to forward them to the remote host. This can be useful for, e.g.,

+running kinit on your local machine and then sshing into another to do

+work. Note that this should not be done on untrusted machines since

+they will then have your tickets.</p>

+</div>

+<div class="section" id="environment-variables">

+<h2>ENVIRONMENT VARIABLES<a class="headerlink" href="#environment-variables" title="Permalink to this headline">¶</a></h2>

+<p>Several environment variables affect the operation of Kerberos-enabled

+programs. These include:</p>

+<dl class="docutils">

+<dt><strong>KRB5CCNAME</strong></dt>

+<dd><p class="first">Default name for the credentials cache file, in the form

+<em>TYPE</em>:<em>residual</em>. The type of the default cache may determine

+the availability of a cache collection. <code class="docutils literal"><span class="pre">FILE</span></code> is not a

+collection type; <code class="docutils literal"><span class="pre">KEYRING</span></code>, <code class="docutils literal"><span class="pre">DIR</span></code>, and <code class="docutils literal"><span class="pre">KCM</span></code> are.</p>

+<p class="last">If not set, the value of <strong>default_ccache_name</strong> from

+configuration files (see <strong>KRB5_CONFIG</strong>) will be used. If that

+is also not set, the default <em>type</em> is <code class="docutils literal"><span class="pre">FILE</span></code>, and the

+<em>residual</em> is the path /tmp/krb5cc_*uid*, where <em>uid</em> is the

+decimal user ID of the user.</p>

+</dd>

+<dt><strong>KRB5_KTNAME</strong></dt>

+<dd>Specifies the location of the default keytab file, in the form

+<em>TYPE</em>:<em>residual</em>. If no <em>type</em> is present, the <strong>FILE</strong> type is

+assumed and <em>residual</em> is the pathname of the keytab file. If

+unset, <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a> will be used.</dd>

+<dt><strong>KRB5_CONFIG</strong></dt>

+<dd>Specifies the location of the Kerberos configuration file. The

+default is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">SYSCONFDIR</span></a><code class="docutils literal"><span class="pre">/krb5.conf</span></code>. Multiple filenames can

+be specified, separated by a colon; all files which are present

+will be read.</dd>

+<dt><strong>KRB5_KDC_PROFILE</strong></dt>

+<dd>Specifies the location of the KDC configuration file, which

+contains additional configuration directives for the Key

+Distribution Center daemon and associated programs. The default

+is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/kdc.conf</span></code>.</dd>

+<dt><strong>KRB5RCACHENAME</strong></dt>

+<dd>(New in release 1.18) Specifies the location of the default replay

+cache, in the form <em>type</em>:<em>residual</em>. The <code class="docutils literal"><span class="pre">file2</span></code> type with a

+pathname residual specifies a replay cache file in the version-2

+format in the specified location. The <code class="docutils literal"><span class="pre">none</span></code> type (residual is

+ignored) disables the replay cache. The <code class="docutils literal"><span class="pre">dfl</span></code> type (residual is

+ignored) indicates the default, which uses a file2 replay cache in

+a temporary directory. The default is <code class="docutils literal"><span class="pre">dfl:</span></code>.</dd>

+<dt><strong>KRB5RCACHETYPE</strong></dt>

+<dd>Specifies the type of the default replay cache, if

+<strong>KRB5RCACHENAME</strong> is unspecified. No residual can be specified,

+so <code class="docutils literal"><span class="pre">none</span></code> and <code class="docutils literal"><span class="pre">dfl</span></code> are the only useful types.</dd>

+<dt><strong>KRB5RCACHEDIR</strong></dt>

+<dd>Specifies the directory used by the <code class="docutils literal"><span class="pre">dfl</span></code> replay cache type.

+The default is the value of the <strong>TMPDIR</strong> environment variable,

+or <code class="docutils literal"><span class="pre">/var/tmp</span></code> if <strong>TMPDIR</strong> is not set.</dd>

+<dt><strong>KRB5_TRACE</strong></dt>

+<dd>Specifies a filename to write trace log output to. Trace logs can

+help illuminate decisions made internally by the Kerberos

+libraries. For example, <code class="docutils literal"><span class="pre">env</span> <span class="pre">KRB5_TRACE=/dev/stderr</span> <span class="pre">kinit</span></code>

+would send tracing information for <a class="reference internal" href="../user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> to

+<code class="docutils literal"><span class="pre">/dev/stderr</span></code>. The default is not to write trace log output

+anywhere.</dd>

+<dt><strong>KRB5_CLIENT_KTNAME</strong></dt>

+<dd>Default client keytab file name. If unset, <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFCKTNAME</span></a> will be

+used).</dd>

+<dt><strong>KPROP_PORT</strong></dt>

+<dd><a class="reference internal" href="../../admin/admin_commands/kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> port to use. Defaults to 754.</dd>

+<dt><strong>GSS_MECH_CONFIG</strong></dt>

+<dd>Specifies a filename containing GSSAPI mechanism module

+configuration. The default is to read <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">SYSCONFDIR</span></a><code class="docutils literal"><span class="pre">/gss/mech</span></code>

+and files with a <code class="docutils literal"><span class="pre">.conf</span></code> suffix within the directory

+<a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">SYSCONFDIR</span></a><code class="docutils literal"><span class="pre">/gss/mech.d</span></code>.</dd>

+</dl>

+<p>Most environment variables are disabled for certain programs, such as

+login system programs and setuid programs, which are designed to be

+secure when run within an untrusted process environment.</p>

+</div>

+<div class="section" id="see-also">

+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>

+<p><a class="reference internal" href="../user_commands/kdestroy.html#kdestroy-1"><span class="std std-ref">kdestroy</span></a>, <a class="reference internal" href="../user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>, <a class="reference internal" href="../user_commands/klist.html#klist-1"><span class="std std-ref">klist</span></a>,

+<a class="reference internal" href="../user_commands/kswitch.html#kswitch-1"><span class="std std-ref">kswitch</span></a>, <a class="reference internal" href="../user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>, <a class="reference internal" href="../user_commands/ksu.html#ksu-1"><span class="std std-ref">ksu</span></a>,

+<a class="reference internal" href="../../admin/conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>, <a class="reference internal" href="../../admin/conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, <a class="reference internal" href="../../admin/admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>,

+<a class="reference internal" href="../../admin/admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>, <a class="reference internal" href="../../admin/admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="../../admin/admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a></p>

+</div>

+<div class="section" id="bugs">

+<h2>BUGS<a class="headerlink" href="#bugs" title="Permalink to this headline">¶</a></h2>

+</div>

+<div class="section" id="authors">

+<h2>AUTHORS<a class="headerlink" href="#authors" title="Permalink to this headline">¶</a></h2>

+<div class="line-block">

+<div class="line">Steve Miller, MIT Project Athena/Digital Equipment Corporation</div>

+<div class="line">Clifford Neuman, MIT Project Athena</div>

+<div class="line">Greg Hudson, MIT Kerberos Consortium</div>

+<div class="line">Robbie Harwood, Red Hat, Inc.</div>

+</div>

+<div class="section" id="history">

+<h2>HISTORY<a class="headerlink" href="#history" title="Permalink to this headline">¶</a></h2>

+<p>The MIT Kerberos 5 implementation was developed at MIT, with

+contributions from many outside parties. It is currently maintained

+by the MIT Kerberos Consortium.</p>

+</div>

+<div class="section" id="restrictions">

+<h2>RESTRICTIONS<a class="headerlink" href="#restrictions" title="Permalink to this headline">¶</a></h2>

+Institute of Technology</p>

+</div>

+ </div>

+ <div class="sidebar">

+ <h2>On this page</h2>

+ <ul>

+<li><a class="reference internal" href="#">kerberos</a><ul>

+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>

+<li><a class="reference internal" href="#environment-variables">ENVIRONMENT VARIABLES</a></li>

+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>

+<li><a class="reference internal" href="#bugs">BUGS</a></li>

+<li><a class="reference internal" href="#authors">AUTHORS</a></li>

+<li><a class="reference internal" href="#history">HISTORY</a></li>

+<li><a class="reference internal" href="#restrictions">RESTRICTIONS</a></li>

+</ul>

+</li>

+</ul>

+ <br/>

+ <h2>Table of contents</h2>

+ <ul class="current">

+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For users</a><ul class="current">

+<li class="toctree-l2"><a class="reference internal" href="../pwd_mgmt.html">Password management</a></li>

+<li class="toctree-l2"><a class="reference internal" href="../tkt_mgmt.html">Ticket management</a></li>

+<li class="toctree-l2 current"><a class="reference internal" href="index.html">User config files</a><ul class="current">

+<li class="toctree-l3 current"><a class="current reference internal" href="#">kerberos</a></li>

+<li class="toctree-l3"><a class="reference internal" href="k5login.html">.k5login</a></li>

+<li class="toctree-l3"><a class="reference internal" href="k5identity.html">.k5identity</a></li>

+</ul>

+</li>

+<li class="toctree-l2"><a class="reference internal" href="../user_commands/index.html">User commands</a></li>

+</ul>

+</li>

+<li class="toctree-l1"><a class="reference internal" href="../../admin/index.html">For administrators</a></li>

+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>

+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>

+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>

+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>

+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>

+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>

+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>

+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>

+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>

+</ul>

+ <br/>

+ <h4><a href="../../index.html">Full Table of Contents</a></h4>

+ <h4>Search</h4>

+ <form class="search" action="../../search.html" method="get">

+ <input type="text" name="q" size="18" />

+ <input type="submit" value="Go" />

+ <input type="hidden" name="check_keywords" value="yes" />

+ <input type="hidden" name="area" value="default" />

+ </form>

+ </div>

+ <div class="clearer"></div>

+ </div>

+ <div class="footer-wrapper">

+ <div class="footer" >

+ <div class="right" ><i>Release: 1.21.1</i><br />

+ </div>

+ <div class="left">

+ <a href="../../index.html" title="Full Table of Contents"

+ >Contents</a> |

+ <a href="index.html" title="User config files"

+ >previous</a> |

+ <a href="k5login.html" title=".k5login"

+ >next</a> |

+ <a href="../../genindex.html" title="General Index"

+ >index</a> |

+ <a href="../../search.html" title="Enter search criteria"

+ >Search</a> |

+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kerberos">feedback</a>

+ </div>

+ </body>

+</html> \ No newline at end of file