Remove formatted manpages.

thorpej 2000-06-20 22:00:14 +00:00
parent 4e81b0f0e5
commit b914f28687
59 changed files with 0 additions and 7152 deletions

@ -1,77 +0,0 @@
PUSH(8) System Manager's Manual PUSH(8)
NNAAMMEE
ppuusshh - fetch mail via POP
SSYYNNOOPPSSIISS
ppuusshh [--44 | ----kkrrbb44] [--55 | ----kkrrbb55] [--vv | ----vveerrbboossee] [--ff | ----ffoorrkk] [--ll |
----lleeaavvee] [----ffrroomm] [--cc | ----ccoouunntt] [----hheeaaddeerr] [--pp _p_o_r_t_-_s_p_e_c | ----ppoorrtt==_p_o_r_t_-
_s_p_e_c] _p_o_-_b_o_x _f_i_l_e_n_a_m_e
DDEESSCCRRIIPPTTIIOONN
ppuusshh retrieves mail from the post office box _p_o_-_b_o_x, and stores the mail
in mbox format in _f_i_l_e_n_a_m_e. The _p_o_-_b_o_x can have any of the following for-
mats:
`hostname:username'
`po:hostname:username'
`username@hostname'
`po:username@hostname'
`hostname'
`po:username'
If no username is specified, ppuusshh assumes that it's the same as on the
local machine; _h_o_s_t_n_a_m_e defaults to the value of the MAILHOST environment
variable.
Supported options:
--44, ----kkrrbb44
use Kerberos 4 (if compiled with support for Kerberos 4)
--55, ----kkrrbb55
use Kerberos 5 (if compiled with support for Kerberos 5)
--ff, ----ffoorrkk
fork before starting to delete messages
--ll, ----lleeaavvee
don't delete fetched mail
----ffrroomm behave like from.
--cc, ----ccoouunntt
first print how many messages and bytes there are.
----hheeaaddeerr
which header from should print.
--pp _p_o_r_t_-_s_p_e_c, ----ppoorrtt==_p_o_r_t_-_s_p_e_c
use this port instead of the default `kpop' or `1109'.
The default is to first try Kerberos 5 authentication and then, if that
fails, Kerberos 4.
EENNVVIIRROONNMMEENNTT
MAILHOST
points to the post office, if no other hostname is specified.
EEXXAAMMPPLLEESS
$ push cornfield:roosta ~/.gnus-crash-box
tries to fetch mail for the user _r_o_o_s_t_a from the post office at
``cornfield'', and stores the mail in _~_/_._g_n_u_s_-_c_r_a_s_h_-_b_o_x (you are using
Gnus, aren't you?)
$ push --from -5 havregryn
tries to fetch FFrroomm:: lines for current user at post office ``havregryn''
using Kerberos 5.
SSEEEE AALLSSOO
movemail(8), popper(8), from(1)
HHIISSTTOORRYY
ppuusshh was written while waiting for mmoovveemmaaiill to finish getting the mail.
HEIMDAL May 31, 1998 2
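
Review bot: The commit message gives no reason for the removal and does not say where the source of this page lives. The doubled letters in the headings at the top of this hunk (NNAAMMEE, SSYYNNOOPPSSIISS) are overstrike output from a formatter, so the file looks like a build product rather than a source. With 0 additions in the commit, please name in the message the unformatted push(8) page that stays in the tree, so the Kerberos 5 then Kerberos 4 fallback and the `kpop' or `1109' port default described here remain documented.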

@ -1,198 +0,0 @@
EEDDIITTLLIINNEE((33)) EEDDIITTLLIINNEE((33))
NNAAMMEE
editline - command-line editing library with history
SSYYNNOOPPSSIISS
cchhaarr **
rreeaaddlliinnee((pprroommpptt))
cchhaarr **pprroommpptt;;
vvooiidd
aadddd__hhiissttoorryy((lliinnee))
cchhaarr **lliinnee;;
DDEESSCCRRIIPPTTIIOONN
_E_d_i_t_l_i_n_e is a library that provides an line-editing interface with
text recall. It is intended to be compatible with the _r_e_a_d_l_i_n_e
library provided by the Free Software Foundation, but much smaller.
The bulk of this manual page describes the user interface.
The _r_e_a_d_l_i_n_e routine returns a line of text with the trailing newline
removed. The data is returned in a buffer allocated with _m_a_l_l_o_c(3),
so the space should be released with _f_r_e_e(3) when the calling program
is done with it. Before accepting input from the user, the specified
_p_r_o_m_p_t is displayed on the terminal.
The _a_d_d___h_i_s_t_o_r_y routine makes a copy of the specified _l_i_n_e and adds it
to the internal history list.
UUsseerr IInntteerrffaaccee
A program that uses this library provides a simple emacs-like editing
interface to its users. A line may be edited before it is sent to the
calling program by typing either control characters or escape
sequences. A control character, shown as a caret followed by a
letter, is typed by holding down the ``control'' key while the letter
is typed. For example, ``^A'' is a control-A. An escape sequence is
entered by typing the ``escape'' key followed by one or more
characters. The escape key is abbreviated as ``ESC.'' Note that
unlike control keys, case matters in escape sequences; ``ESC F'' is
not the same as ``ESC f''.
An editing command may be typed anywhere on the line, not just at the
beginning. In addition, a return may also be typed anywhere on the
line, not just at the end.
Most editing commands may be given a repeat count, _n, where _n is a
number. To enter a repeat count, type the escape key, the number, and
then the command to execute. For example, ``ESC 4 ^f'' moves forward
four characters. If a command may be given a repeat count then the
text ``[n]'' is given at the end of its description.
The following control characters are accepted:
^A Move to the beginning of the line
- 1 - Formatted: March 12, 2000
EEDDIITTLLIINNEE((33)) EEDDIITTLLIINNEE((33))
^B Move left (backwards) [n]
^D Delete character [n]
^E Move to end of line
^F Move right (forwards) [n]
^G Ring the bell
^H Delete character before cursor (backspace key) [n]
^I Complete filename (tab key); see below
^J Done with line (return key)
^K Kill to end of line (or column [n])
^L Redisplay line
^M Done with line (alternate return key)
^N Get next line from history [n]
^P Get previous line from history [n]
^R Search backward (forward if [n]) through history for text;
must start line if text begins with an uparrow
^T Transpose characters
^V Insert next character, even if it is an edit command
^W Wipe to the mark
^X^X Exchange current location and mark
^Y Yank back last killed text
^[ Start an escape sequence (escape key)
^]c Move forward to next character ``c''
^? Delete character before cursor (delete key) [n]
The following escape sequences are provided.
ESC ^H Delete previous word (backspace key) [n]
ESC DEL Delete previous word (delete key) [n]
ESC SP Set the mark (space key); see ^X^X and ^Y above
ESC . Get the last (or [n]'th) word from previous line
ESC ? Show possible completions; see below
ESC < Move to start of history
ESC > Move to end of history
ESC b Move backward a word [n]
ESC d Delete word under cursor [n]
ESC f Move forward a word [n]
ESC l Make word lowercase [n]
ESC u Make word uppercase [n]
ESC y Yank back last killed text
ESC v Show library version
ESC w Make area up to mark yankable
ESC nn Set repeat count to the number nn
ESC C Read from environment variable ``_C_'', where C is
an uppercase letter
The _e_d_i_t_l_i_n_e library has a small macro facility. If you type the
escape key followed by an uppercase letter, _C, then the contents of
the environment variable ___C__ are read in as if you had typed them at
the keyboard. For example, if the variable ___L__ contains the
following:
^A^Kecho '^V^[[H^V^[[2J'^M
Then typing ``ESC L'' will move to the beginning of the line, kill the
- 2 - Formatted: March 12, 2000
EEDDIITTLLIINNEE((33)) EEDDIITTLLIINNEE((33))
entire line, enter the echo command needed to clear the terminal (if
your terminal is like a VT-100), and send the line back to the shell.
The _e_d_i_t_l_i_n_e library also does filename completion. Suppose the root
directory has the following files in it:
bin vmunix
core vmunix.old
If you type ``rm /v'' and then the tab key. _E_d_i_t_l_i_n_e will then finish
off as much of the name as possible by adding ``munix''. Because the
name is not unique, it will then beep. If you type the escape key and
a question mark, it will display the two choices. If you then type a
period and a tab, the library will finish off the filename for you:
rm /v[TAB]_m_u_n_i_x.TAB_o_l_d
The tab key is shown by ``[TAB]'' and the automatically-entered text
is shown in italics.
BBUUGGSS AANNDD LLIIMMIITTAATTIIOONNSS
Cannot handle lines more than 80 columns.
AAUUTTHHOORRSS
Simmule R. Turner <uunet.uu.net!capitol!sysgo!simmy> and Rich $alz
<rsalz@osf.org>. Original manual page by DaviD W. Sanderson
<dws@ssec.wisc.edu>.
- 3 - Formatted: March 12, 2000

@ -1,198 +0,0 @@
AACCLL__CCHHEECCKK((33)) MMIITT PPrroojjeecctt AAtthheennaa AACCLL__CCHHEECCKK((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
acl_canonicalize_principal, acl_check, acl_exact_match, acl_add,
acl_delete, acl_initialize - Access control list routines
SSYYNNOOPPSSIISS
cccc <<ffiilleess>> --llaaccll --llkkrrbb
##iinncclluuddee <<kkrrbb..hh>>
aaccll__ccaannoonniiccaalliizzee__pprriinncciippaall((pprriinncciippaall,, bbuuff))
cchhaarr **pprriinncciippaall;;
cchhaarr **bbuuff;;
aaccll__cchheecckk((aaccll,, pprriinncciippaall))
cchhaarr **aaccll;;
cchhaarr **pprriinncciippaall;;
aaccll__eexxaacctt__mmaattcchh((aaccll,, pprriinncciippaall))
cchhaarr **aaccll;;
cchhaarr **pprriinncciippaall;;
aaccll__aadddd((aaccll,, pprriinncciippaall))
cchhaarr **aaccll;;
cchhaarr **pprriinncciippaall;;
aaccll__ddeelleettee((aaccll,, pprriinncciippaall))
cchhaarr **aaccll;;
cchhaarr **pprriinncciippaall;;
aaccll__iinniittiiaalliizzee((aaccll__ffiillee,, mmooddee))
cchhaarr **aaccll__ffiillee;;
iinntt mmooddee;;
DDEESSCCRRIIPPTTIIOONN
IInnttrroodduuccttiioonn
An access control list (ACL) is a list of principals, where each
principal is represented by a text string which cannot contain
whitespace. The library allows application programs to refer to named
access control lists to test membership and to atomically add and
delete principals using a natural and intuitive interface. At
present, the names of access control lists are required to be Unix
filenames, and refer to human-readable Unix files; in the future, when
a networked ACL server is implemented, the names may refer to a
different namespace specific to the ACL service.
PPrriinncciippaall NNaammeess
Principal names have the form
<name>[.<instance>][@<realm>]
e.g.:
asp
asp.root
- 1 - Formatted: March 12, 2000
AACCLL__CCHHEECCKK((33)) MMIITT PPrroojjeecctt AAtthheennaa AACCLL__CCHHEECCKK((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
asp@ATHENA.MIT.EDU
asp.@ATHENA.MIT.EDU
asp.root@ATHENA.MIT.EDU
It is possible for principals to be underspecified. If an instance is
missing, it is assumed to be "". If realm is missing, it is assumed
to be the local realm as determined by _k_r_b___g_e_t___l_r_e_a_l_m(3). The
canonical form contains all of name, instance, and realm; the acl_add
and acl_delete routines will always leave the file in that form. Note
that the canonical form of asp@ATHENA.MIT.EDU is actually
asp.@ATHENA.MIT.EDU.
RRoouuttiinneess
_a_c_l___c_a_n_o_n_i_c_a_l_i_z_e___p_r_i_n_c_i_p_a_l stores the canonical form of _p_r_i_n_c_i_p_a_l in
_b_u_f. _B_u_f must contain enough space to store a principal, given the
limits on the sizes of name, instance, and realm specified as
ANAME_SZ, INST_SZ, and REALM_SZ, respectively, in _/_u_s_r_/_i_n_c_l_u_d_e_/_k_r_b_._h.
_a_c_l___c_h_e_c_k returns nonzero if _p_r_i_n_c_i_p_a_l appears in _a_c_l. Returns 0 if
principal does not appear in acl, or if an error occurs.
Canonicalizes principal before checking, and allows the ACL to contain
wildcards. The only supported wildcards are entries of the form
name.*@realm, *.*@realm, and *.*@*. An asterisk matches any value for
the its component field. For example, "jtkohl.*@*" would match
principal jtkohl, with any instance and any realm.
_a_c_l___e_x_a_c_t___m_a_t_c_h performs like _a_c_l___c_h_e_c_k, but does no canonicalization
or wildcard matching.
_a_c_l___a_d_d atomically adds _p_r_i_n_c_i_p_a_l to _a_c_l. Returns 0 if successful,
nonzero otherwise. It is considered a failure if _p_r_i_n_c_i_p_a_l is already
in _a_c_l. This routine will canonicalize _p_r_i_n_c_i_p_a_l, but will treat
wildcards literally.
_a_c_l___d_e_l_e_t_e atomically deletes _p_r_i_n_c_i_p_a_l from _a_c_l. Returns 0 if
successful, nonzero otherwise. It is considered a failure if
_p_r_i_n_c_i_p_a_l is not already in _a_c_l. This routine will canonicalize
_p_r_i_n_c_i_p_a_l, but will treat wildcards literally.
_a_c_l___i_n_i_t_i_a_l_i_z_e initializes _a_c_l___f_i_l_e. If the file _a_c_l___f_i_l_e does not
exist, _a_c_l___i_n_i_t_i_a_l_i_z_e creates it with mode _m_o_d_e. If the file _a_c_l___f_i_l_e
exists, _a_c_l___i_n_i_t_i_a_l_i_z_e removes all members. Returns 0 if successful,
nonzero otherwise. WARNING: Mode argument is likely to change with
the eventual introduction of an ACL service.
NNOOTTEESS
In the presence of concurrency, there is a very small chance that
_a_c_l___a_d_d or _a_c_l___d_e_l_e_t_e could report success even though it would have
had no effect. This is a necessary side effect of using lock files
for concurrency control rather than flock(2), which is not supported
by NFS.
- 2 - Formatted: March 12, 2000
AACCLL__CCHHEECCKK((33)) MMIITT PPrroojjeecctt AAtthheennaa AACCLL__CCHHEECCKK((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
The current implementation caches ACLs in memory in a hash-table
format for increased efficiency in checking membership; one effect of
the caching scheme is that one file descriptor will be kept open for
each ACL cached, up to a maximum of 8.
SSEEEE AALLSSOO
kerberos(3), krb_get_lrealm(3)
AAUUTTHHOORR
James Aspnes (MIT Project Athena)
- 3 - Formatted: March 12, 2000

@ -1,39 +0,0 @@
AFSLOG(1) System Reference Manual AFSLOG(1)
NNAAMMEE
aaffsslloogg - obtains AFS tokens for specified cells
SSYYNNOOPPSSIISS
aaffsslloogg [--dd] [--cc _c_e_l_l] [--kk _r_e_a_l_m] [--pp _p_a_t_h] [--uunnlloogg] [--ccrreeaatteeuusseerr] [_a_r_g_s]
DDEESSCCRRIIPPTTIIOONN
The aaffsslloogg command obtains AFS tokens, _a_r_g_s are either a name of a cell
or a pathnames of a file in the cell to get tokens for. If an argument is
. or .. or contains a slash it is assumed to be a pathname. Otherwise it
is assumed to be a name of a cell or a prefix thereof.
The --cc and --pp flags can be used to resolve ambiguities.
aaffsslloogg might fail to guess the Kerberos realm to get tickets for (for in-
stance if the volume location servers of the cell does not reside in the
kerberos realm that holds the AFS service key, and the correct realm
isn't the same as the cell name or the local realm (I didn't say this was
a common problem)). Anyway, the --kk can be used to give a hint. It should
not be used unless there is a problem, since all tickets will be taken
from the specified realm and this is not (usually) what you want.
--ccrreeaatteeuusseerr means that aaffsslloogg should try to run ppttss to create a remote
user principal in another cell. --dd can be used for debugging.
If the --uunnlloogg flag is given any tokens are removed and all other argu-
ments are ignored.
SSEEEE AALLSSOO
kauth(1), kafs(3)
BBUUGGSS
It should be able to handle the MIT Athena aakklloogg flags --hhoossttss, --zzssuubbss,
and --nnoopprrddbb, but does not.
KTH-KRB April 27, 1996 1

@ -1,132 +0,0 @@
DDEESS((11)) DDEESS((11))
NNAAMMEE
des - encrypt or decrypt data using Data Encryption Standard
SSYYNNOOPPSSIISS
ddeess ( --ee | --EE ) | ( --dd | --DD ) | ( --[ccCC][cckknnaammee] ) | [ --bb33hhffss ] [ --kk _k_e_y
] ] [ --uu[_u_u_n_a_m_e] [ _i_n_p_u_t_-_f_i_l_e [ _o_u_t_p_u_t_-_f_i_l_e ] ]
DDEESSCCRRIIPPTTIIOONN
ddeess encrypts and decrypts data using the Data Encryption Standard
algorithm. One of --ee,, --EE (for encrypt) or --dd,, --DD (for decrypt) must
be specified. It is also possible to use --cc or --CC in conjunction or
instead of the a encrypt/decrypt option to generate a 16 character
hexadecimal checksum, generated via the _d_e_s___c_b_c___c_k_s_u_m_. Two standard
encryption modes are supported by the ddeess program, Cipher Block
Chaining (the default) and Electronic Code Book (specified with --bb ).
The key used for the DES algorithm is obtained by prompting the user
unless the ``--kk _k_e_y_' option is given. If the key is an argument to the
ddeess command, it is potentially visible to users executing ppss(1) or a
derivative. To minimise this possibility, ddeess takes care to destroy
the key argument immediately upon entry. If your shell keeps a
history file be careful to make sure it is not world readable. Since
this program attempts to maintain compatability with sunOS's des(1)
command, there are 2 different methods used to convert the user
supplied key to a des key. Whenever and one or more of --EE,, --DD,, --CC or
--33 options are used, the key conversion procedure will not be
compatible with the sunOS des(1) version but will use all the user
supplied character to generate the des key. ddeess command reads from
standard input unless _i_n_p_u_t_-_f_i_l_e is specified and writes to standard
output unless _o_u_t_p_u_t_-_f_i_l_e is given.
OOPPTTIIOONNSS
--bb Select ECB (eight bytes at a time) encryption mode.
--33 Encrypt using triple encryption. By default triple cbc
encryption is used but if the --bb option is used then triple ecb
encryption is performed. If the key is less than 8 characters
long, the flag has no effect.
--ee Encrypt data using an 8 byte key in a manner compatible with
sunOS des(1).
--EE Encrypt data using a key of nearly unlimited length (1024 bytes).
This will product a more secure encryption.
--dd Decrypt data that was encrypted with the -e option.
--DD Decrypt data that was encrypted with the -E option.
--cc Generate a 16 character hexadecimal cbc checksum and output this
to stderr. If a filename was specified after the --cc option, the
checksum is output to that file. The checksum is generated using
- 1 - Formatted: March 12, 2000
DDEESS((11)) DDEESS((11))
a key generated in a sunOS compatible manner.
--CC A cbc checksum is generated in the same manner as described for
the --cc option but the DES key is generated in the same manner as
used for the --EE and --DD options
--ff Does nothing - allowed for compatibility with sunOS des(1)
command.
--ss Does nothing - allowed for compatibility with sunOS des(1)
command.
--kk _k_e_y
Use the encryption _k_e_y specified.
--hh The _k_e_y is assumed to be a 16 character hexadecimal number. If
the --33 option is used the key is assumed to be a 32 character
hexadecimal number.
--uu This flag is used to read and write uuencoded files. If
decrypting, the input file is assumed to contain uuencoded, DES
encrypted data. If encrypting, the characters following the -u
are used as the name of the uuencoded file to embed in the begin
line of the uuencoded output. If there is no name specified
after the -u, the name text.des will be embedded in the header.
SSEEEE AALLSSOO
ppss ((11)) ddeess__ccrryypptt((33))
BBUUGGSS
The problem with using the --ee option is the short key length. It
would be better to use a real 56-bit key rather than an ASCII-based
56-bit pattern. Knowing that the key was derived from ASCII radically
reduces the time necessary for a brute-force cryptographic attack. My
attempt to remove this problem is to add an alternative text-key to
DES-key function. This alternative function (accessed via --EE,, --DD,, --SS
and --33 ) uses DES to help generate the key. Be carefully when using
the -u option. Doing des -ud <filename> will not decrypt filename
(the -u option will gobble the d option). The VMS operating system
operates in a world where files are always a multiple of 512 bytes.
This causes problems when encrypted data is send from unix to VMS
since a 88 byte file will suddenly be padded with 424 null bytes. To
get around this problem, use the -u option to uuencode the data before
it is send to the VMS system.
AAUUTTHHOORR
Eric Young (eay@mincom.oz.au or eay@psych.psy.uq.oz.au)
- 2 - Formatted: March 12, 2000
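
Review bot: Confirm that the security caveats in this page survive in an unformatted des(1) source before it is deleted. The DESCRIPTION paragraph on the -k option warns that a key given as an argument is potentially visible to users running ps(1) and that a shell history file must not be world readable, and the BUGS section records the reduced brute-force cost of the ASCII-derived key used by -e and that "des -ud <filename>" will not decrypt. The commit adds nothing, so the message should state where that text still lives.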

@ -1,330 +0,0 @@
DDEESS__CCRRYYPPTT((33)) MMIITT PPrroojjeecctt AAtthheennaa DDEESS__CCRRYYPPTT((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
des_read_password, des_string_to_key, des_random_key, des_set_key,
des_ecb_encrypt, des_cbc_encrypt, des_pcbc_encrypt, des_cbc_cksum,
des_quad_cksum, - (new) DES encryption
SSYYNNOOPPSSIISS
##iinncclluuddee <<ddeess..hh>>
iinntt ddeess__rreeaadd__ppaasssswwoorrdd((kkeeyy,,pprroommpptt,,vveerriiffyy))
des_cblock *key;
char *prompt;
int verify;
iinntt ddeess__ssttrriinngg__ttoo__kkeeyy((ssttrr,,kkeeyy))
cchhaarr **ssttrr;;
ddeess__ccbblloocckk kkeeyy;;
iinntt ddeess__rraannddoomm__kkeeyy((kkeeyy))
ddeess__ccbblloocckk **kkeeyy;;
iinntt ddeess__sseett__kkeeyy((kkeeyy,,sscchheedduullee))
ddeess__ccbblloocckk **kkeeyy;;
ddeess__kkeeyy__sscchheedduullee sscchheedduullee;;
iinntt ddeess__eeccbb__eennccrryypptt((iinnppuutt,,oouuttppuutt,,sscchheedduullee,,eennccrryypptt))
ddeess__ccbblloocckk **iinnppuutt;;
ddeess__ccbblloocckk **oouuttppuutt;;
ddeess__kkeeyy__sscchheedduullee sscchheedduullee;;
iinntt eennccrryypptt;;
iinntt ddeess__ccbbcc__eennccrryypptt((iinnppuutt,,oouuttppuutt,,lleennggtthh,,sscchheedduullee,,iivveecc,,eennccrryypptt))
ddeess__ccbblloocckk **iinnppuutt;;
ddeess__ccbblloocckk **oouuttppuutt;;
lloonngg lleennggtthh;;
ddeess__kkeeyy__sscchheedduullee sscchheedduullee;;
ddeess__ccbblloocckk **iivveecc;;
iinntt eennccrryypptt;;
iinntt ddeess__ppccbbcc__eennccrryypptt((iinnppuutt,,oouuttppuutt,,lleennggtthh,,sscchheedduullee,,iivveecc,,eennccrryypptt))
ddeess__ccbblloocckk **iinnppuutt;;
ddeess__ccbblloocckk **oouuttppuutt;;
lloonngg lleennggtthh;;
ddeess__kkeeyy__sscchheedduullee sscchheedduullee;;
ddeess__ccbblloocckk **iivveecc;;
iinntt eennccrryypptt;;
uunnssiiggnneedd lloonngg ddeess__ccbbcc__cckkssuumm((iinnppuutt,,oouuttppuutt,,lleennggtthh,,sscchheedduullee,,iivveecc))
ddeess__ccbblloocckk **iinnppuutt;;
ddeess__ccbblloocckk **oouuttppuutt;;
lloonngg lleennggtthh;;
ddeess__kkeeyy__sscchheedduullee sscchheedduullee;;
- 1 - Formatted: March 12, 2000
DDEESS__CCRRYYPPTT((33)) MMIITT PPrroojjeecctt AAtthheennaa DDEESS__CCRRYYPPTT((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
ddeess__ccbblloocckk **iivveecc;;
uunnssiiggnneedd lloonngg qquuaadd__cckkssuumm((iinnppuutt,,oouuttppuutt,,lleennggtthh,,oouutt__ccoouunntt,,sseeeedd))
ddeess__ccbblloocckk **iinnppuutt;;
ddeess__ccbblloocckk **oouuttppuutt;;
lloonngg lleennggtthh;;
iinntt oouutt__ccoouunntt;;
ddeess__ccbblloocckk **sseeeedd;;
DDEESSCCRRIIPPTTIIOONN
This library supports various DES encryption related operations. It
differs from the _c_r_y_p_t_, _s_e_t_k_e_y_, _a_n_d _e_n_c_r_y_p_t library routines in that
it provides a true DES encryption, without modifying the algorithm,
and executes much faster.
For each key that may be simultaneously active, create a
ddeess__kkeeyy__sscchheedduullee struct, defined in "des.h". Next, create key
schedules (from the 8-byte keys) as needed, via _d_e_s___s_e_t___k_e_y_, prior to
using the encryption or checksum routines. Then setup the input and
output areas. Make sure to note the restrictions on lengths being
multiples of eight bytes. Finally, invoke the encryption/decryption
routines, _d_e_s___e_c_b___e_n_c_r_y_p_t or _d_e_s___c_b_c___e_n_c_r_y_p_t or _d_e_s___p_c_b_c___e_n_c_r_y_p_t_, or,
to generate a cryptographic checksum, use _q_u_a_d___c_k_s_u_m (fast) or
_d_e_s___c_b_c___c_k_s_u_m (slow).
A _d_e_s___c_b_l_o_c_k struct is an 8 byte block used as the fundamental unit
for DES data and keys, and is defined as:
ttyyppeeddeeff uunnssiiggnneedd cchhaarr ddeess__ccbblloocckk[[88]];;
and a _d_e_s___k_e_y___s_c_h_e_d_u_l_e_, is defined as:
ttyyppeeddeeff ssttrruucctt ddeess__kkss__ssttrruucctt {{ddeess__ccbblloocckk __;;}} ddeess__kkeeyy__sscchheedduullee[[1166]];;
_d_e_s___r_e_a_d___p_a_s_s_w_o_r_d writes the string specified by _p_r_o_m_p_t to the
standard output, turns off echo (if possible) and reads an input
string from standard input until terminated with a newline. If _v_e_r_i_f_y
is non-zero, it prompts and reads input again, for use in applications
such as changing a password; both versions are compared, and the input
is requested repeatedly until they match. Then _d_e_s___r_e_a_d___p_a_s_s_w_o_r_d
converts the input string into a valid DES key, internally using the
_d_e_s___s_t_r_i_n_g___t_o___k_e_y routine. The newly created key is copied to the
area pointed to by the _k_e_y argument. _d_e_s___r_e_a_d___p_a_s_s_w_o_r_d returns a zero
if no errors occurred, or a -1 indicating that an error occurred
trying to manipulate the terminal echo.
_d_e_s___s_t_r_i_n_g___t_o___k_e_y converts an arbitrary length null-terminated string
to an 8 byte DES key, with odd byte parity, per FIPS specification. A
one-way function is used to convert the string to a key, making it
very difficult to reconstruct the string from the key. The _s_t_r
argument is a pointer to the string, and _k_e_y should point to a
- 2 - Formatted: March 12, 2000
DDEESS__CCRRYYPPTT((33)) MMIITT PPrroojjeecctt AAtthheennaa DDEESS__CCRRYYPPTT((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
_d_e_s___c_b_l_o_c_k supplied by the caller to receive the generated key. No
meaningful value is returned. Void is not used for compatibility with
other compilers.
_d_e_s___r_a_n_d_o_m___k_e_y generates a random DES encryption key (eight bytes),
set to odd parity per FIPS specifications. This routine uses the
current time, process id, and a counter as a seed for the random
number generator. The caller must supply space for the output
key, pointed to by argument _k_e_y_, then after calling _d_e_s___r_a_n_d_o_m___k_e_y
should call the _d_e_s___s_e_t___k_e_y routine when needed. No meaningful value
is returned. Void is not used for compatibility with other compilers.
_d_e_s___s_e_t___k_e_y calculates a key schedule from all eight bytes of the
input key, pointed to by the _k_e_y argument, and outputs the schedule
into the _d_e_s___k_e_y___s_c_h_e_d_u_l_e indicated by the _s_c_h_e_d_u_l_e argument. Make
sure to pass a valid eight byte key; no padding is done. The key
schedule may then be used in subsequent encryption/decryption/checksum
operations. Many key schedules may be cached for later use. The user
is responsible to clear keys and schedules as soon as no longer
needed, to prevent their disclosure. The routine also checks the key
parity, and returns a zero if the key parity is correct (odd), a -1
indicating a key parity error, or a -2 indicating use of an illegal
weak key. If an error is returned, the key schedule was not created.
_d_e_s___e_c_b___e_n_c_r_y_p_t is the basic DES encryption routine that encrypts or
decrypts a single 8-byte block in eelleeccttrroonniicc ccooddee bbooookk mode. It
always transforms the input data, pointed to by _i_n_p_u_t_, into the output
data, pointed to by the _o_u_t_p_u_t argument.
If the _e_n_c_r_y_p_t argument is non-zero, the _i_n_p_u_t (cleartext) is
encrypted into the _o_u_t_p_u_t (ciphertext) using the key_schedule
specified by the _s_c_h_e_d_u_l_e argument, previously set via _d_e_s___s_e_t___k_e_y
If encrypt is zero, the _i_n_p_u_t (now ciphertext) is decrypted into the
_o_u_t_p_u_t (now cleartext).
Input and output may overlap.
No meaningful value is returned. Void is not used for compatibility
with other compilers.
_d_e_s___c_b_c___e_n_c_r_y_p_t encrypts/decrypts using the cciipphheerr--bblloocckk--cchhaaiinniinngg mmooddee
ooff DDEESS.. If the _e_n_c_r_y_p_t argument is non-zero, the routine cipher-
block-chain encrypts the cleartext data pointed to by the _i_n_p_u_t
argument into the ciphertext pointed to by the _o_u_t_p_u_t argument, using
the key schedule provided by the _s_c_h_e_d_u_l_e argument, and initialization
vector provided by the _i_v_e_c argument. If the _l_e_n_g_t_h argument is not
an integral multiple of eight bytes, the last block is copied to a
temp and zero filled (highest addresses). The output is ALWAYS an
integral multiple of eight bytes.
- 3 - Formatted: March 12, 2000
DDEESS__CCRRYYPPTT((33)) MMIITT PPrroojjeecctt AAtthheennaa DDEESS__CCRRYYPPTT((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
If _e_n_c_r_y_p_t is zero, the routine cipher-block chain decrypts the (now)
ciphertext data pointed to by the _i_n_p_u_t argument into (now) cleartext
pointed to by the _o_u_t_p_u_t argument using the key schedule provided by
the _s_c_h_e_d_u_l_e argument, and initialization vector provided by the _i_v_e_c
argument. Decryption ALWAYS operates on integral multiples of 8 bytes,
so it will round the _l_e_n_g_t_h provided up to the appropriate multiple.
Consequently, it will always produce the rounded-up number of bytes of
output cleartext. The application must determine if the output
cleartext was zero-padded due to original cleartext lengths that were
not integral multiples of 8.
No errors or meaningful values are returned. Void is not used for
compatibility with other compilers.
A characteristic of cbc mode is that changing a single bit of the
cleartext, then encrypting using cbc mode, affects ALL the subsequent
ciphertext. This makes cryptanalysis much more difficult. However,
modifying a single bit of the ciphertext, then decrypting, only
affects the resulting cleartext from the modified block and the
succeeding block. Therefore, _d_e_s___p_c_b_c___e_n_c_r_y_p_t is STRONGLY recommended
for applications where indefinite propagation of errors is required in
order to detect modifications.
_d_e_s___p_c_b_c___e_n_c_r_y_p_t encrypts/decrypts using a modified block chaining
mode. Its calling sequence is identical to _d_e_s___c_b_c___e_n_c_r_y_p_t_. It
differs in its error propagation characteristics.
_d_e_s___p_c_b_c___e_n_c_r_y_p_t is highly recommended for most encryption purposes,
in that modification of a single bit of the ciphertext will affect ALL
the subsequent (decrypted) cleartext. Similarly, modifying a single
bit of the cleartext will affect ALL the subsequent (encrypted)
ciphertext. "PCBC" mode, on encryption, "xors" both the cleartext of
block N and the ciphertext resulting from block N with the cleartext
for block N+1 prior to encrypting block N+1.
_d_e_s___c_b_c___c_k_s_u_m produces an 8 byte cryptographic checksum by cipher-
block-chain encrypting the cleartext data pointed to by the _i_n_p_u_t
argument. All of the ciphertext output is discarded, except the last
8-byte ciphertext block, which is written into the area pointed to by
the _o_u_t_p_u_t argument. It uses the key schedule, provided by the
_s_c_h_e_d_u_l_e argument and initialization vector provided by the _i_v_e_c
argument. If the _l_e_n_g_t_h argument is not an integral multiple of eight
bytes, the last cleartext block is copied to a temp and zero filled
(highest addresses). The output is ALWAYS eight bytes.
The routine also returns an unsigned long, which is the last (highest
address) half of the 8 byte checksum computed.
_q_u_a_d___c_k_s_u_m produces a checksum by chaining quadratic operations on the
cleartext data pointed to by the _i_n_p_u_t argument. The _l_e_n_g_t_h argument
specifies the length of the input -- only exactly that many bytes are
- 4 - Formatted: March 12, 2000
DDEESS__CCRRYYPPTT((33)) MMIITT PPrroojjeecctt AAtthheennaa DDEESS__CCRRYYPPTT((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
included for the checksum, without any padding.
The algorithm may be iterated over the same input data, if the
_o_u_t___c_o_u_n_t argument is 2, 3 or 4, and the optional _o_u_t_p_u_t argument is a
non-null pointer . The default is one iteration, and it will not run
more than 4 times. Multiple iterations run slower, but provide a
longer checksum if desired. The _s_e_e_d argument provides an 8-byte seed
for the first iteration. If multiple iterations are requested, the
results of one iteration are automatically used as the seed for the
next iteration.
It returns both an unsigned long checksum value, and if the _o_u_t_p_u_t
argument is not a null pointer, up to 16 bytes of the computed
checksum are written into the output.
FFIILLEESS
/usr/include/des.h
/usr/lib/libdes.a
SSEEEE AALLSSOO
DDIIAAGGNNOOSSTTIICCSS
BBUUGGSS
This software has not yet been compiled or tested on machines other
than the VAX and the IBM PC.
AAUUTTHHOORRSS
Steve Miller, MIT Project Athena/Digital Equipment Corporation
RREESSTTRRIICCTTIIOONNSS
COPYRIGHT 1985,1986 Massachusetts Institute of Technology
This software may not be exported outside of the US without a special
license from the US Dept of Commerce. It may be replaced by any secret
key block cipher with block length and key length of 8 bytes, as long
as the interface is the same as described here.
- 5 - Formatted: March 12, 2000
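
Review bot: Check that the notice in the RESTRICTIONS section at the end of this hunk is retained elsewhere in the tree. It carries the "COPYRIGHT 1985,1986 Massachusetts Institute of Technology" line and the export statement, and this deletion removes them from this file with no replacement added in the commit. If the unformatted des_crypt(3) source keeps the same section, say so in the commit message.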

@ -1,66 +0,0 @@
EEXXTT__SSRRVVTTAABB((88)) MMIITT PPrroojjeecctt AAtthheennaa EEXXTT__SSRRVVTTAABB((88))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
ext_srvtab - extract service key files from Kerberos key distribution
center database
SSYYNNOOPPSSIISS
ext_srvtab [ --nn ] [ --rr rreeaallmm ] [ hhoossttnnaammee ...... ]
DDEESSCCRRIIPPTTIIOONN
_e_x_t___s_r_v_t_a_b extracts service key files from the Kerberos key
distribution center (KDC) database.
Upon execution, it prompts the user to enter the master key string for
the database. If the --nn option is specified, the master key is
instead fetched from the master key cache file.
For each _h_o_s_t_n_a_m_e specified on the command line, _e_x_t___s_r_v_t_a_b creates
the service key file _h_o_s_t_n_a_m_e-new-srvtab, containing all the entries
in the database with an instance field of _h_o_s_t_n_a_m_e_. This new file
contains all the keys registered for Kerberos-mediated service
providing programs which use the _k_r_b___g_e_t___p_h_o_s_t(3) principal and
instance conventions to run on the host _h_o_s_t_n_a_m_e. If the --rr option is
specified, the realm fields in the extracted file will match the given
realm rather than the local realm.
DDIIAAGGNNOOSSTTIICCSS
"verify_master_key: Invalid master key, does not match database."
The master key string entered was incorrect.
FFIILLEESS
_h_o_s_t_n_a_m_e-new-srvtab Service key file generated for _h_o_s_t_n_a_m_e
/var/kerberos/principal.pag, /var/kerberos/principal.dir
DBM files containing database
/.k Master key cache file.
SSEEEE AALLSSOO
read_service_key(3), krb_get_phost(3)
- 1 - Formatted: March 12, 2000
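Review bot: The FILES and DESCRIPTION sections removed here are where an operator learns which artifacts hold key material: `/.k Master key cache file.`, the `-n` option that reads the master key from it, and the generated `hostname-new-srvtab` service key file. Before this goes in, confirm that the unformatted EXT_SRVTAB(8) source stays in the tree and carries the same FILES entries, and say so in the commit message, since "Remove formatted manpages." alone does not show that the documentation survives.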

View File

@ -1,646 +0,0 @@
FTP(1) System Reference Manual FTP(1)
NNAAMMEE
ffttpp - ARPANET file transfer program
SSYYNNOOPPSSIISS
ffttpp [--tt] [--vv] [--dd] [--ii] [--nn] [--gg] [--pp] [_h_o_s_t]
DDEESSCCRRIIPPTTIIOONN
FFttpp is the user interface to the ARPANET standard File Transfer Protocol.
The program allows a user to transfer files to and from a remote network
site.
Modifications has been made so that it almost follows the ftpsec Internet
draft.
Options may be specified at the command line, or to the command inter-
preter.
--tt Enables packet tracing.
--vv Verbose option forces ffttpp to show all responses from the remote
server, as well as report on data transfer statistics.
--nn Restrains ffttpp from attempting ``auto-login'' upon initial connec-
tion. If auto-login is enabled, ffttpp will check the _._n_e_t_r_c (see be-
low) file in the user's home directory for an entry describing an
account on the remote machine. If no entry exists, ffttpp will prompt
for the remote machine login name (default is the user identity on
the local machine), and, if necessary, prompt for a password and an
account with which to login.
--ii Turns off interactive prompting during multiple file transfers.
--pp Turn on passive mode.
--dd Enables debugging.
--gg Disables file name globbing.
The client host with which ffttpp is to communicate may be specified on the
command line. If this is done, ffttpp will immediately attempt to establish
a connection to an FTP server on that host; otherwise, ffttpp will enter its
command interpreter and await instructions from the user. When ffttpp is
awaiting commands from the user the prompt `ftp>' is provided to the us-
er. The following commands are recognized by ffttpp:
!! [_c_o_m_m_a_n_d [_a_r_g_s]]
Invoke an interactive shell on the local machine. If there
are arguments, the first is taken to be a command to execute
directly, with the rest of the arguments as its arguments.
$$ _m_a_c_r_o_-_n_a_m_e [_a_r_g_s]
Execute the macro _m_a_c_r_o_-_n_a_m_e that was defined with the mmaaccddeeff
command. Arguments are passed to the macro unglobbed.
aaccccoouunntt [_p_a_s_s_w_d]
Supply a supplemental password required by a remote system
for access to resources once a login has been successfully
completed. If no argument is included, the user will be
prompted for an account password in a non-echoing input mode.
aappppeenndd _l_o_c_a_l_-_f_i_l_e [_r_e_m_o_t_e_-_f_i_l_e]
Append a local file to a file on the remote machine. If
_r_e_m_o_t_e_-_f_i_l_e is left unspecified, the local file name is used
in naming the remote file after being altered by any nnttrraannss
or nnmmaapp setting. File transfer uses the current settings for
ttyyppee, ffoorrmmaatt, mmooddee, and ssttrruuccttuurree.
aasscciiii Set the file transfer ttyyppee to network ASCII. This is the de-
fault type.
bbeellll Arrange that a bell be sounded after each file transfer com-
mand is completed.
bbiinnaarryy Set the file transfer ttyyppee to support binary image transfer.
bbyyee Terminate the FTP session with the remote server and exit
ffttpp. An end of file will also terminate the session and exit.
ccaassee Toggle remote computer file name case mapping during mmggeett
commands. When ccaassee is on (default is off), remote computer
file names with all letters in upper case are written in the
local directory with the letters mapped to lower case.
ccdd _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y
Change the working directory on the remote machine to _r_e_m_o_t_e_-
_d_i_r_e_c_t_o_r_y.
ccdduupp Change the remote machine working directory to the parent of
the current remote machine working directory.
cchhmmoodd _m_o_d_e _f_i_l_e_-_n_a_m_e
Change the permission modes of the file _f_i_l_e_-_n_a_m_e on the re-
mote sytem to _m_o_d_e.
cclloossee Terminate the FTP session with the remote server, and return
to the command interpreter. Any defined macros are erased.
ccrr Toggle carriage return stripping during ascii type file re-
trieval. Records are denoted by a carriage return/linefeed
sequence during ascii type file transfer. When ccrr is on (the
default), carriage returns are stripped from this sequence to
conform with the UNIX single linefeed record delimiter.
Records on non-UNIX remote systems may contain single line-
feeds; when an ascii type transfer is made, these linefeeds
may be distinguished from a record delimiter only when ccrr is
off.
ddeelleettee _r_e_m_o_t_e_-_f_i_l_e
Delete the file _r_e_m_o_t_e_-_f_i_l_e on the remote machine.
ddeebbuugg [_d_e_b_u_g_-_v_a_l_u_e]
Toggle debugging mode. If an optional _d_e_b_u_g_-_v_a_l_u_e is speci-
fied it is used to set the debugging level. When debugging
is on, ffttpp prints each command sent to the remote machine,
preceded by the string `-->'
ddiirr [_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y] [_l_o_c_a_l_-_f_i_l_e]
Print a listing of the directory contents in the directory,
_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y, and, optionally, placing the output in
_l_o_c_a_l_-_f_i_l_e. If interactive prompting is on, ffttpp will prompt
the user to verify that the last argument is indeed the tar-
get local file for receiving ddiirr output. If no directory is
specified, the current working directory on the remote ma-
chine is used. If no local file is specified, or _l_o_c_a_l_-_f_i_l_e
is --, output comes to the terminal.
ddiissccoonnnneecctt A synonym for _c_l_o_s_e.
ffoorrmm _f_o_r_m_a_t
Set the file transfer ffoorrmm to _f_o_r_m_a_t. The default format is
``file''.
ggeett _r_e_m_o_t_e_-_f_i_l_e [_l_o_c_a_l_-_f_i_l_e]
Retrieve the _r_e_m_o_t_e_-_f_i_l_e and store it on the local machine.
If the local file name is not specified, it is given the same
name it has on the remote machine, subject to alteration by
the current ccaassee, nnttrraannss, and nnmmaapp settings. The current
settings for ttyyppee, ffoorrmm, mmooddee, and ssttrruuccttuurree are used while
transferring the file.
gglloobb Toggle filename expansion for mmddeelleettee, mmggeett and mmppuutt. If
globbing is turned off with gglloobb, the file name arguments are
taken literally and not expanded. Globbing for mmppuutt is done
as in csh(1). For mmddeelleettee and mmggeett, each remote file name is
expanded separately on the remote machine and the lists are
not merged. Expansion of a directory name is likely to be
different from expansion of the name of an ordinary file: the
exact result depends on the foreign operating system and ftp
server, and can be previewed by doing `mls remote-files -'.
As a security measure, remotely globbed files that starts
with `/' or contains `../', will not be automatically re-
ceived. If you have interactive prompting turned off, these
filenames will be ignored. Note: mmggeett and mmppuutt are not meant
to transfer entire directory subtrees of files. That can be
done by transferring a tar(1) archive of the subtree (in bi-
nary mode).
hhaasshh Toggle hash-sign (``#'') printing for each data block trans-
ferred. The size of a data block is 1024 bytes.
hheellpp [_c_o_m_m_a_n_d]
Print an informative message about the meaning of _c_o_m_m_a_n_d. If
no argument is given, ffttpp prints a list of the known com-
mands.
iiddllee [_s_e_c_o_n_d_s]
Set the inactivity timer on the remote server to _s_e_c_o_n_d_s sec-
onds. If _s_e_c_o_n_d_s is omitted, the current inactivity timer is
printed.
llccdd [_d_i_r_e_c_t_o_r_y]
Change the working directory on the local machine. If no
_d_i_r_e_c_t_o_r_y is specified, the user's home directory is used.
llss [_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y] [_l_o_c_a_l_-_f_i_l_e]
Print a listing of the contents of a directory on the remote
machine. The listing includes any system-dependent informa-
tion that the server chooses to include; for example, most
UNIX systems will produce output from the command `ls -l'.
(See also nnlliisstt.) If _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y is left unspecified,
the current working directory is used. If interactive
prompting is on, ffttpp will prompt the user to verify that the
last argument is indeed the target local file for receiving
llss output. If no local file is specified, or if _l_o_c_a_l_-_f_i_l_e
is `--', the output is sent to the terminal.
mmaaccddeeff _m_a_c_r_o_-_n_a_m_e
Define a macro. Subsequent lines are stored as the macro
_m_a_c_r_o_-_n_a_m_e; a null line (consecutive newline characters in a
file or carriage returns from the terminal) terminates macro
input mode. There is a limit of 16 macros and 4096 total
characters in all defined macros. Macros remain defined un-
til a cclloossee command is executed. The macro processor inter-
prets `$' and `\' as special characters. A `$' followed by a
number (or numbers) is replaced by the corresponding argument
on the macro invocation command line. A `$' followed by an
`i' signals that macro processor that the executing macro is
to be looped. On the first pass `$i' is replaced by the
first argument on the macro invocation command line, on the
second pass it is replaced by the second argument, and so on.
A `\' followed by any character is replaced by that charac-
ter. Use the `\' to prevent special treatment of the `$'.
mmddeelleettee [_r_e_m_o_t_e_-_f_i_l_e_s]
Delete the _r_e_m_o_t_e_-_f_i_l_e_s on the remote machine.
mmddiirr _r_e_m_o_t_e_-_f_i_l_e_s _l_o_c_a_l_-_f_i_l_e
Like ddiirr, except multiple remote files may be specified. If
interactive prompting is on, ffttpp will prompt the user to ver-
ify that the last argument is indeed the target local file
for receiving mmddiirr output.
mmggeett _r_e_m_o_t_e_-_f_i_l_e_s
Expand the _r_e_m_o_t_e_-_f_i_l_e_s on the remote machine and do a ggeett
for each file name thus produced. See gglloobb for details on
the filename expansion. Resulting file names will then be
processed according to ccaassee, nnttrraannss, and nnmmaapp settings.
Files are transferred into the local working directory, which
can be changed with `lcd directory'; new local directories
can be created with `! mkdir directory'.
mmkkddiirr _d_i_r_e_c_t_o_r_y_-_n_a_m_e
Make a directory on the remote machine.
mmllss _r_e_m_o_t_e_-_f_i_l_e_s _l_o_c_a_l_-_f_i_l_e
Like nnlliisstt, except multiple remote files may be specified,
and the _l_o_c_a_l_-_f_i_l_e must be specified. If interactive prompt-
ing is on, ffttpp will prompt the user to verify that the last
argument is indeed the target local file for receiving mmllss
output.
mmooddee [_m_o_d_e_-_n_a_m_e]
Set the file transfer mmooddee to _m_o_d_e_-_n_a_m_e. The default mode is
``stream'' mode.
mmooddttiimmee _f_i_l_e_-_n_a_m_e
Show the last modification time of the file on the remote ma-
chine.
mmppuutt _l_o_c_a_l_-_f_i_l_e_s
Expand wild cards in the list of local files given as argu-
ments and do a ppuutt for each file in the resulting list. See
gglloobb for details of filename expansion. Resulting file names
will then be processed according to nnttrraannss and nnmmaapp settings.
nneewweerr _f_i_l_e_-_n_a_m_e
Get the file only if the modification time of the remote file
is more recent that the file on the current system. If the
file does not exist on the current system, the remote file is
considered nneewweerr. Otherwise, this command is identical to
_g_e_t.
nnlliisstt [_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y] [_l_o_c_a_l_-_f_i_l_e]
Print a list of the files in a directory on the remote ma-
chine. If _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y is left unspecified, the current
working directory is used. If interactive prompting is on,
ffttpp will prompt the user to verify that the last argument is
indeed the target local file for receiving nnlliisstt output. If
no local file is specified, or if _l_o_c_a_l_-_f_i_l_e is --, the output
is sent to the terminal.
nnmmaapp [_i_n_p_a_t_t_e_r_n _o_u_t_p_a_t_t_e_r_n]
Set or unset the filename mapping mechanism. If no arguments
are specified, the filename mapping mechanism is unset. If
arguments are specified, remote filenames are mapped during
mmppuutt commands and ppuutt commands issued without a specified re-
mote target filename. If arguments are specified, local
filenames are mapped during mmggeett commands and ggeett commands
issued without a specified local target filename. This com-
mand is useful when connecting to a non-UNIX remote computer
with different file naming conventions or practices. The
mapping follows the pattern set by _i_n_p_a_t_t_e_r_n and _o_u_t_p_a_t_t_e_r_n.
[_I_n_p_a_t_t_e_r_n] is a template for incoming filenames (which may
have already been processed according to the nnttrraannss and ccaassee
settings). Variable templating is accomplished by including
the sequences `$1', `$2', ..., `$9' in _i_n_p_a_t_t_e_r_n. Use `\' to
prevent this special treatment of the `$' character. All
other characters are treated literally, and are used to de-
termine the nnmmaapp [_i_n_p_a_t_t_e_r_n] variable values. For example,
given _i_n_p_a_t_t_e_r_n $1.$2 and the remote file name "mydata.data",
$1 would have the value "mydata", and $2 would have the value
"data". The _o_u_t_p_a_t_t_e_r_n determines the resulting mapped file-
name. The sequences `$1', `$2', ...., `$9' are replaced by
any value resulting from the _i_n_p_a_t_t_e_r_n template. The se-
quence `$0' is replace by the original filename. Additional-
ly, the sequence `[_s_e_q_1, _s_e_q_2]' is replaced by [_s_e_q_1] if _s_e_q_1
is not a null string; otherwise it is replaced by _s_e_q_2. For
example, the command
nmap $1.$2.$3 [$1,$2].[$2,file]
would yield the output filename "myfile.data" for input file-
names "myfile.data" and "myfile.data.old", "myfile.file" for
the input filename "myfile", and "myfile.myfile" for the in-
put filename ".myfile". Spaces may be included in
_o_u_t_p_a_t_t_e_r_n, as in the example: `nmap $1 sed "s/ *$//" > $1'
. Use the `\' character to prevent special treatment of the
`$','[','[', and `,' characters.
nnttrraannss [_i_n_c_h_a_r_s [_o_u_t_c_h_a_r_s]]
Set or unset the filename character translation mechanism.
If no arguments are specified, the filename character trans-
lation mechanism is unset. If arguments are specified, char-
acters in remote filenames are translated during mmppuutt com-
mands and ppuutt commands issued without a specified remote tar-
get filename. If arguments are specified, characters in lo-
cal filenames are translated during mmggeett commands and ggeett
commands issued without a specified local target filename.
This command is useful when connecting to a non-UNIX remote
computer with different file naming conventions or practices.
Characters in a filename matching a character in _i_n_c_h_a_r_s are
replaced with the corresponding character in _o_u_t_c_h_a_r_s. If the
character's position in _i_n_c_h_a_r_s is longer than the length of
_o_u_t_c_h_a_r_s, the character is deleted from the file name.
ooppeenn _h_o_s_t [_p_o_r_t]
Establish a connection to the specified _h_o_s_t FTP server. An
optional port number may be supplied, in which case, ffttpp will
attempt to contact an FTP server at that port. If the aauuttoo--
llooggiinn option is on (default), ffttpp will also attempt to auto-
matically log the user in to the FTP server (see below).
ppaassssiivvee Toggle passive mode. If passive mode is turned on (default
is off), the ftp client will send a PASV command for all data
connections instead of the usual PORT command. The PASV com-
mand requests that the remote server open a port for the data
connection and return the address of that port. The remote
server listens on that port and the client connects to it.
When using the more traditional PORT command, the client lis-
tens on a port and sends that address to the remote server,
who connects back to it. Passive mode is useful when using
ffttpp through a gateway router or host that controls the direc-
tionality of traffic. (Note that though ftp servers are re-
quired to support the PASV command by RFC 1123, some do not.)
pprroommpptt Toggle interactive prompting. Interactive prompting occurs
during multiple file transfers to allow the user to selec-
tively retrieve or store files. If prompting is turned off
(default is on), any mmggeett or mmppuutt will transfer all files,
and any mmddeelleettee will delete all files.
pprrooxxyy _f_t_p_-_c_o_m_m_a_n_d
Execute an ftp command on a secondary control connection.
This command allows simultaneous connection to two remote ftp
servers for transferring files between the two servers. The
first pprrooxxyy command should be an ooppeenn, to establish the sec-
ondary control connection. Enter the command "proxy ?" to
see other ftp commands executable on the secondary connec-
tion. The following commands behave differently when pref-
aced by pprrooxxyy: ooppeenn will not define new macros during the au-
to-login process, cclloossee will not erase existing macro defini-
tions, ggeett and mmggeett transfer files from the host on the pri-
mary control connection to the host on the secondary control
connection, and ppuutt, mmppuutt, and aappppeenndd transfer files from the
host on the secondary control connection to the host on the
primary control connection. Third party file transfers de-
pend upon support of the ftp protocol PASV command by the
server on the secondary control connection.
ppuutt _l_o_c_a_l_-_f_i_l_e [_r_e_m_o_t_e_-_f_i_l_e]
Store a local file on the remote machine. If _r_e_m_o_t_e_-_f_i_l_e is
left unspecified, the local file name is used after process-
ing according to any nnttrraannss or nnmmaapp settings in naming the
remote file. File transfer uses the current settings for
ttyyppee, ffoorrmmaatt, mmooddee, and ssttrruuccttuurree.
ppwwdd Print the name of the current working directory on the remote
machine.
qquuiitt A synonym for bbyyee.
qquuoottee _a_r_g_1 _a_r_g_2 _._._.
The arguments specified are sent, verbatim, to the remote FTP
server.
rreeccvv _r_e_m_o_t_e_-_f_i_l_e [_l_o_c_a_l_-_f_i_l_e]
A synonym for get.
rreeggeett _r_e_m_o_t_e_-_f_i_l_e [_l_o_c_a_l_-_f_i_l_e]
Reget acts like get, except that if _l_o_c_a_l_-_f_i_l_e exists and is
smaller than _r_e_m_o_t_e_-_f_i_l_e, _l_o_c_a_l_-_f_i_l_e is presumed to be a par-
tially transferred copy of _r_e_m_o_t_e_-_f_i_l_e and the transfer is
continued from the apparent point of failure. This command
is useful when transferring very large files over networks
that are prone to dropping connections.
rreemmootteehheellpp [_c_o_m_m_a_n_d_-_n_a_m_e]
Request help from the remote FTP server. If a _c_o_m_m_a_n_d_-_n_a_m_e
is specified it is supplied to the server as well.
rreemmootteessttaattuuss [_f_i_l_e_-_n_a_m_e]
With no arguments, show status of remote machine. If _f_i_l_e_-
_n_a_m_e is specified, show status of _f_i_l_e_-_n_a_m_e on remote ma-
chine.
rreennaammee [_f_r_o_m] [_t_o]
Rename the file _f_r_o_m on the remote machine, to the file _t_o.
rreesseett Clear reply queue. This command re-synchronizes command/re-
ply sequencing with the remote ftp server. Resynchronization
may be necessary following a violation of the ftp protocol by
the remote server.
rreessttaarrtt _m_a_r_k_e_r
Restart the immediately following ggeett or ppuutt at the indicated
_m_a_r_k_e_r. On UNIX systems, marker is usually a byte offset into
the file.
rrmmddiirr _d_i_r_e_c_t_o_r_y_-_n_a_m_e
Delete a directory on the remote machine.
rruunniiqquuee Toggle storing of files on the local system with unique file-
names. If a file already exists with a name equal to the
target local filename for a ggeett or mmggeett command, a ".1" is
appended to the name. If the resulting name matches another
existing file, a ".2" is appended to the original name. If
this process continues up to ".99", an error message is
printed, and the transfer does not take place. The generated
unique filename will be reported. Note that rruunniiqquuee will not
affect local files generated from a shell command (see be-
low). The default value is off.
sseenndd _l_o_c_a_l_-_f_i_l_e [_r_e_m_o_t_e_-_f_i_l_e]
A synonym for put.
sseennddppoorrtt Toggle the use of PORT commands. By default, ffttpp will at-
tempt to use a PORT command when establishing a connection
for each data transfer. The use of PORT commands can prevent
delays when performing multiple file transfers. If the PORT
command fails, ffttpp will use the default data port. When the
use of PORT commands is disabled, no attempt will be made to
use PORT commands for each data transfer. This is useful for
certain FTP implementations which do ignore PORT commands
but, incorrectly, indicate they've been accepted.
ssiittee _a_r_g_1 _a_r_g_2 _._._.
The arguments specified are sent, verbatim, to the remote FTP
server as a SITE command.
ssiizzee _f_i_l_e_-_n_a_m_e
Return size of _f_i_l_e_-_n_a_m_e on remote machine.
ssttaattuuss Show the current status of ffttpp.
ssttrruucctt [_s_t_r_u_c_t_-_n_a_m_e]
Set the file transfer _s_t_r_u_c_t_u_r_e to _s_t_r_u_c_t_-_n_a_m_e. By default
``stream'' structure is used.
ssuunniiqquuee Toggle storing of files on remote machine under unique file
names. Remote ftp server must support ftp protocol STOU com-
mand for successful completion. The remote server will re-
port unique name. Default value is off.
ssyysstteemm Show the type of operating system running on the remote ma-
chine.
tteenneexx Set the file transfer type to that needed to talk to TENEX
machines.
ttrraaccee Toggle packet tracing.
ttyyppee [_t_y_p_e_-_n_a_m_e]
Set the file transfer ttyyppee to _t_y_p_e_-_n_a_m_e. If no type is speci-
fied, the current type is printed. The default type is net-
work ASCII.
uummaasskk [_n_e_w_m_a_s_k]
Set the default umask on the remote server to _n_e_w_m_a_s_k. If
_n_e_w_m_a_s_k is omitted, the current umask is printed.
uusseerr _u_s_e_r_-_n_a_m_e [_p_a_s_s_w_o_r_d] [_a_c_c_o_u_n_t]
Identify yourself to the remote FTP server. If the _p_a_s_s_w_o_r_d
is not specified and the server requires it, ffttpp will prompt
the user for it (after disabling local echo). If an _a_c_c_o_u_n_t
field is not specified, and the FTP server requires it, the
user will be prompted for it. If an _a_c_c_o_u_n_t field is speci-
fied, an account command will be relayed to the remote server
after the login sequence is completed if the remote server
did not require it for logging in. Unless ffttpp is invoked
with ``auto-login'' disabled, this process is done automati-
cally on initial connection to the FTP server.
vveerrbboossee Toggle verbose mode. In verbose mode, all responses from the
FTP server are displayed to the user. In addition, if ver-
bose is on, when a file transfer completes, statistics re-
garding the efficiency of the transfer are reported. By de-
fault, verbose is on.
?? [_c_o_m_m_a_n_d]
A synonym for help.
The following command can be used with ftpsec-aware servers.
pprroott _c_l_e_a_r | _s_a_f_e | _c_o_n_f_i_d_e_n_t_i_a_l | _p_r_i_v_a_t_e
Set the data protection level to the requested level.
The following command can be used with ftp servers that has implemented
the KAUTH site command.
kkaauutthh [_p_r_i_n_c_i_p_a_l]
Obtain remote tickets.
Command arguments which have embedded spaces may be quoted with quote `"'
marks.
AABBOORRTTIINNGG AA FFIILLEE TTRRAANNSSFFEERR
To abort a file transfer, use the terminal interrupt key (usually Ctrl-
C). Sending transfers will be immediately halted. Receiving transfers
will be halted by sending a ftp protocol ABOR command to the remote serv-
er, and discarding any further data received. The speed at which this is
accomplished depends upon the remote server's support for ABOR process-
ing. If the remote server does not support the ABOR command, an `ftp>'
prompt will not appear until the remote server has completed sending the
requested file.
The terminal interrupt key sequence will be ignored when ffttpp has complet-
ed any local processing and is awaiting a reply from the remote server.
A long delay in this mode may result from the ABOR processing described
above, or from unexpected behavior by the remote server, including viola-
tions of the ftp protocol. If the delay results from unexpected remote
server behavior, the local ffttpp program must be killed by hand.
FFIILLEE NNAAMMIINNGG CCOONNVVEENNTTIIOONNSS
Files specified as arguments to ffttpp commands are processed according to
the following rules.
1. If the file name `--' is specified, the _s_t_d_i_n (for reading) or _s_t_d_o_u_t
(for writing) is used.
2. If the first character of the file name is `|', the remainder of the
argument is interpreted as a shell command. FFttpp then forks a shell,
using popen(3) with the argument supplied, and reads (writes) from
the stdout (stdin). If the shell command includes spaces, the argu-
ment must be quoted; e.g. ``" ls -lt"''. A particularly useful ex-
ample of this mechanism is: ``dir more''.
3. Failing the above checks, if ``globbing'' is enabled, local file
names are expanded according to the rules used in the csh(1); c.f.
the gglloobb command. If the ffttpp command expects a single local file
(.e.g. ppuutt), only the first filename generated by the "globbing"
operation is used.
4. For mmggeett commands and ggeett commands with unspecified local file
names, the local filename is the remote filename, which may be al-
tered by a ccaassee, nnttrraannss, or nnmmaapp setting. The resulting filename
may then be altered if rruunniiqquuee is on.
5. For mmppuutt commands and ppuutt commands with unspecified remote file
names, the remote filename is the local filename, which may be al-
tered by a nnttrraannss or nnmmaapp setting. The resulting filename may then
be altered by the remote server if ssuunniiqquuee is on.
FFIILLEE TTRRAANNSSFFEERR PPAARRAAMMEETTEERRSS
The FTP specification specifies many parameters which may affect a file
transfer. The ttyyppee may be one of ``ascii'', ``image'' (binary),
``ebcdic'', and ``local byte size'' (for PDP-10's and PDP-20's mostly).
FFttpp supports the ascii and image types of file transfer, plus local byte
size 8 for tteenneexx mode transfers.
FFttpp supports only the default values for the remaining file transfer pa-
rameters: mmooddee, ffoorrmm, and ssttrruucctt.
TTHHEE ..nneettrrcc FFIILLEE
The _._n_e_t_r_c file contains login and initialization information used by the
auto-login process. It resides in the user's home directory. The fol-
lowing tokens are recognized; they may be separated by spaces, tabs, or
new-lines:
mmaacchhiinnee _n_a_m_e
Identify a remote machine _n_a_m_e. The auto-login process searches
the _._n_e_t_r_c file for a mmaacchhiinnee token that matches the remote ma-
chine specified on the ffttpp command line or as an ooppeenn command
argument. Once a match is made, the subsequent _._n_e_t_r_c tokens
are processed, stopping when the end of file is reached or an-
other mmaacchhiinnee or a ddeeffaauulltt token is encountered.
ddeeffaauulltt This is the same as mmaacchhiinnee _n_a_m_e except that ddeeffaauulltt matches
any name. There can be only one ddeeffaauulltt token, and it must be
after all mmaacchhiinnee tokens. This is normally used as:
default login anonymous password user@site
thereby giving the user _a_u_t_o_m_a_t_i_c anonymous ftp login to ma-
chines not specified in _._n_e_t_r_c. This can be overridden by using
the --nn flag to disable auto-login.
llooggiinn _n_a_m_e
Identify a user on the remote machine. If this token is pre-
sent, the auto-login process will initiate a login using the
specified _n_a_m_e.
ppaasssswwoorrdd _s_t_r_i_n_g
Supply a password. If this token is present, the auto-login
process will supply the specified string if the remote server
requires a password as part of the login process. Note that if
this token is present in the _._n_e_t_r_c file for any user other
than _a_n_o_n_y_m_o_u_s, ffttpp will abort the auto-login process if the
_._n_e_t_r_c is readable by anyone besides the user.
aaccccoouunntt _s_t_r_i_n_g
Supply an additional account password. If this token is pre-
sent, the auto-login process will supply the specified string
if the remote server requires an additional account password,
or the auto-login process will initiate an ACCT command if it
does not.
mmaaccddeeff _n_a_m_e
Define a macro. This token functions like the ffttpp mmaaccddeeff com-
mand functions. A macro is defined with the specified name;
its contents begin with the next _._n_e_t_r_c line and continue until
a null line (consecutive new-line characters) is encountered.
If a macro named iinniitt is defined, it is automatically executed
as the last step in the auto-login process.
EENNVVIIRROONNMMEENNTT
FFttpp utilizes the following environment variables.
HOME For default location of a _._n_e_t_r_c file, if one exists.
SHELL For default shell.
SSEEEE AALLSSOO
ftpd(8), _R_F_C_2_2_2_8
HHIISSTTOORRYY
The ffttpp command appeared in 4.2BSD.
BBUUGGSS
Correct execution of many commands depends upon proper behavior by the
remote server.
An error in the treatment of carriage returns in the 4.2BSD ascii-mode
transfer code has been corrected. This correction may result in incor-
rect transfers of binary files to and from 4.2BSD servers using the ascii
type. Avoid this problem by using the binary image type.
4.2 Berkeley Distribution April 27, 1996 10
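Review bot: This file carries locally added, security-relevant text that should be checked against the remaining source page before the formatted copy is dropped: the note that the client "almost follows the ftpsec Internet draft", the `prot clear | safe | confidential | private` and `kauth [principal]` commands, the glob paragraph stating that remotely globbed names starting with `/` or containing `../` are not automatically received, and the .netrc rule that auto-login aborts when the file is readable by anyone besides the user. Its footer (`4.2 Berkeley Distribution April 27, 1996`) also differs from the `Formatted: March 12, 2000` footer on the Kerberos pages in this commit, so it was produced from a different macro set; a line in the commit message identifying the source for each group would make the removal easier to verify.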

View File

@ -1,290 +0,0 @@
FTPD(8) System Manager's Manual FTPD(8)
NNAAMMEE
ffttppdd - Internet File Transfer Protocol server
SSYYNNOOPPSSIISS
ffttppdd [--aa _a_u_t_h_m_o_d_e] [--ddiillvv] [--gg _u_m_a_s_k] [--pp _p_o_r_t] [--TT _m_a_x_t_i_m_e_o_u_t] [--tt
_t_i_m_e_o_u_t] [--uu _d_e_f_a_u_l_t _u_m_a_s_k]
DDEESSCCRRIIPPTTIIOONN
FFttppdd is the Internet File Transfer Protocol server process. The server
uses the TCP protocol and listens at the port specified in the ``ftp''
service specification; see services(5).
Available options:
--aa Select the level of authentication required. Kerberised login
can not be turned off. The default is to only allow kerberised
login. Other possibilities can be turned on by giving a string
of comma separated flags as argument to --aa. Recognised flags are:
_p_l_a_i_n Allow logging in with plaintext password. The password can
be a(n) OTP or an ordinary password.
_o_t_p Same as _p_l_a_i_n, but only OTP is allowed.
_f_t_p Allow anonymous login.
The following combination modes exists for backwards compatibili-
ty:
_n_o_n_e Same as _p_l_a_i_n_,_f_t_p.
_s_a_f_e Same as _f_t_p.
_u_s_e_r Ignored.
--dd Debugging information is written to the syslog using LOG_FTP.
--gg Anonymous users will get a umask of _u_m_a_s_k.
--ii Open a socket and wait for a connection. This is mainly used for
debugging when ftpd isn't started by inetd.
--ll Each successful and failed ftp(1) session is logged using syslog
with a facility of LOG_FTP. If this option is specified twice,
the retrieve (get), store (put), append, delete, make directory,
remove directory and rename operations and their filename argu-
ments are also logged.
--pp Use _p_o_r_t (a service name or number) instead of the default
_f_t_p_/_t_c_p.
--TT A client may also request a different timeout period; the maximum
period allowed may be set to _t_i_m_e_o_u_t seconds with the --TT option.
The default limit is 2 hours.
--tt The inactivity timeout period is set to _t_i_m_e_o_u_t seconds (the de-
fault is 15 minutes).
--uu Set the initial umask to something else than the default 027.
--vv Verbose mode.
The file _/_e_t_c_/_n_o_l_o_g_i_n can be used to disable ftp access. If the file ex-
ists, ffttppdd displays it and exits. If the file _/_e_t_c_/_f_t_p_w_e_l_c_o_m_e exists,
ffttppdd prints it before issuing the ``ready'' message. If the file
_/_e_t_c_/_m_o_t_d exists, ffttppdd prints it after a successful login.
The ftp server currently supports the following ftp requests. The case
of the requests is ignored.
Request Description
ABOR abort previous command
ACCT specify account (ignored)
ALLO allocate storage (vacuously)
APPE append to a file
CDUP change to parent of current working directory
CWD change working directory
DELE delete a file
HELP give help information
LIST give list files in a directory (``ls -lgA'')
MKD make a directory
MDTM show last modification time of file
MODE specify data transfer _m_o_d_e
NLST give name list of files in directory
NOOP do nothing
PASS specify password
PASV prepare for server-to-server transfer
PORT specify data connection port
PWD print the current working directory
QUIT terminate session
REST restart incomplete transfer
RETR retrieve a file
RMD remove a directory
RNFR specify rename-from file name
RNTO specify rename-to file name
SITE non-standard commands (see next section)
SIZE return size of file
STAT return status of server
STOR store a file
STOU store a file with a unique name
STRU specify data transfer _s_t_r_u_c_t_u_r_e
SYST show operating system type of server system
TYPE specify data transfer _t_y_p_e
USER specify user name
XCUP change to parent of current working directory
(deprecated)
XCWD change working directory (deprecated)
XMKD make a directory (deprecated)
XPWD print the current working directory (deprecated)
XRMD remove a directory (deprecated)
The following commands are specified by RFC2228.
AUTH authentication/security mechanism
ADAT authentication/security data
PROT data channel protection level
PBSZ protection buffer size
MIC integrity protected command
CONF confidentiality protected command
ENC privacy protected command
CCC clear command channel
The following non-standard or UNIX specific commands are supported by the
SITE request.
UMASK change umask, (e.g. SSIITTEE UUMMAASSKK 000022)
IDLE set idle-timer, (e.g. SSIITTEE IIDDLLEE 6600)
CHMOD change mode of a file (e.g. SSIITTEE CCHHMMOODD 775555 ffiilleennaammee)
FIND quickly find a specific file with GNU locate(1).
HELP give help information.
The following Kerberos related site commands are understood.
KAUTH obtain remote tickets.
KLIST show remote tickets
The remaining ftp requests specified in Internet RFC 959 are recognized,
but not implemented. MDTM and SIZE are not specified in RFC 959, but
will appear in the next updated FTP RFC.
The ftp server will abort an active file transfer only when the ABOR com-
mand is preceded by a Telnet "Interrupt Process" (IP) signal and a Telnet
"Synch" signal in the command Telnet stream, as described in Internet RFC
959. If a STAT command is received during a data transfer, preceded by a
Telnet IP and Synch, transfer status will be returned.
FFttppdd interprets file names according to the ``globbing'' conventions used
by csh(1). This allows users to utilize the metacharacters ``*?[]{}~''.
FFttppdd authenticates users according to these rules.
1. If Kerberos authentication is used, the user must pass valid
tickets and the principal must be allowed to login as the re-
mote user.
2. The login name must be in the password data base, and not have
a null password (if kerberos is used the password field is not
checked). In this case a password must be provided by the
client before any file operations may be performed. If the
user has an OTP key, the response from a successful USER com-
mand will include an OTP challenge. The client may choose to
respond with a PASS command giving either a standard password
or an OTP one-time password. The server will automatically de-
termine which type of password it has been given and attempt
to authenticate accordingly. See otp(1) for more information
on OTP authentication.
3. The login name must not appear in the file _/_e_t_c_/_f_t_p_u_s_e_r_s.
4. The user must have a standard shell returned by
getusershell(3).
5. If the user name appears in the file _/_e_t_c_/_f_t_p_c_h_r_o_o_t the ses-
sion's root will be changed to the user's login directory by
chroot(2) as for an ``anonymous'' or ``ftp'' account (see next
item). However, the user must still supply a password. This
feature is intended as a compromise between a fully anonymous
account and a fully privileged account. The account should
also be set up as for an anonymous account.
6. If the user name is ``anonymous'' or ``ftp'', an anonymous ftp
account must be present in the password file (user ``ftp'').
In this case the user is allowed to log in by specifying any
password (by convention an email address for the user should
be used as the password).
In the last case, ffttppdd takes special measures to restrict the client's
access privileges. The server performs a chroot(2) to the home directory
of the ``ftp'' user. In order that system security is not breached, it
is recommended that the ``ftp'' subtree be constructed with care, consid-
er following these guidelines for anonymous ftp.
In general all files should be owned by ``root'', and have non-write per-
missions (644 or 755 depending on the kind of file). No files should be
owned or writable by ``ftp'' (possibly with exception for the
_~_f_t_p_/_i_n_c_o_m_i_n_g, as specified below).
_~_f_t_p The ``ftp'' homedirectory should be owned by root.
_~_f_t_p_/_b_i_n The directory for external programs (such as ls(1)).
These programs must either be statically linked, or you
must setup an environment for dynamic linking when run-
ning chrooted. These programs will be used if present:
ls Used when listing files.
compress
When retrieving a filename that ends in _._Z,
and that file isn't present, ffttppdd will try
to find the filename without _._Z and com-
press it on the fly.
gzip Same as compress, just with files ending in
_._g_z.
gtar Enables retrieval of whole directories as
files ending in _._t_a_r. Can also be combined
with compression. You must use GNU Tar (or
some other that supports the --zz and --ZZ
flags).
locate Will enable ``fast find'' with the SSIITTEE
FFIINNDD command. You must also create a
_l_o_c_a_t_e_d_b file in _~_f_t_p_/_e_t_c.
_~_f_t_p_/_e_t_c If you put copies of the passwd(5) and group(5) files
here, ls will be able to produce owner names rather than
numbers. Remember to remove any passwords from these
files.
The file _m_o_t_d, if present, will be printed after a suc-
cessful login.
_~_f_t_p_/_d_e_v Put a copy of /dev/null(7) here.
_~_f_t_p_/_p_u_b Traditional place to put whatever you want to make pub-
lic.
If you want guests to be able to upload files, create a _~_f_t_p_/_i_n_c_o_m_i_n_g di-
rectory owned by ``root'', and group ``ftp'' with mode 730 (make sure
``ftp'' is member of group ``ftp''). The following restrictions apply to
anonymous users:
++oo Directories created will have mode 700.
++oo Uploaded files will be created with an umask of 777, if not changed
with the --gg option.
++oo These command are not accessible: DDEELLEE, RRMMDD, RRNNTTOO, RRNNFFRR, SSIITTEE UUMMAASSKK,
and SSIITTEE CCHHMMOODD.
++oo Filenames must start with an alpha-numeric character, and consist of
alpha-numeric characters or any of the following: + (plus), - (mi-
nus), = (equal), _ (underscore), . (period), and , (comma).
FFIILLEESS
/etc/ftpusers Access list for users.
/etc/ftpchroot List of normal users who should be chroot'd.
/etc/ftpwelcome Welcome notice.
/etc/motd Welcome notice after login.
/etc/nologin Displayed and access refused.
~/.klogin Login access for Kerberos.
SSEEEE AALLSSOO
ftp(1), otp(1), getusershell(3), ftpusers(5), syslogd(8),
SSTTAANNDDAARRDDSS
RRFFCC 995599 FTP PROTOCOL SPECIFICATION
RRFFCC 11993388 OTP Specification
RRFFCC 22222288 FTP Security Extensions.
BBUUGGSS
The server must run as the super-user to create sockets with privileged
port numbers. It maintains an effective user id of the logged in user,
reverting to the super-user only when binding addresses to sockets. The
possible security holes have been extensively scrutinized, but are possi-
bly incomplete.
HHIISSTTOORRYY
The ffttppdd command appeared in 4.2BSD.
4.2 Berkeley Distribution April 19, 1997 5
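
Review bot: the -T entry in the option list says the maximum period "may be set to timeout seconds", but the SYNOPSIS calls that argument maxtimeout and reserves timeout for -t, so the two options read as if they set the same value. As this formatted copy is being dropped, correct the argument name in the unformatted source so the regenerated page is consistent. While there, the SEE ALSO list ends with a dangling comma after syslogd(8), and the anonymous-upload restrictions say "These command are not accessible".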

View File

@ -1,27 +0,0 @@
FTPUSERS(5) System Programmer's Manual FTPUSERS(5)
NNAAMMEE
_/_e_t_c_/_f_t_p_u_s_e_r_s - FTP access list file.
DDEESSCCRRIIPPTTIIOONN
_/_e_t_c_/_f_t_p_u_s_e_r_s contains a list of users that should be allowed or denied
FTP access. Each line contains a user, optionally followed by ``allow''
(anything but ``allow'' is ignored). The semi-user ``*'' matches any us-
er. Users that has an explicit ``allow'', or that does not match any
line, are allowed access. Anyone else is denied access.
Note that this is compatible with the old format, where this file con-
tained a list of users that should be denied access.
EEXXAAMMPPLLEESS
This will deny anyone but ``foo'' and ``bar'' to use FTP:
foo allow
bar allow
*
SSEEEE AALLSSOO
ftpd(8)
KTH-KRB May 7, 1997 1
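
Review bot: the DESCRIPTION never states the matching order, yet the EXAMPLES block only denies everyone except foo and bar if the first matching line wins and the "*" line is read last. For an access list that is the detail an administrator most needs, so the page source should say explicitly that lines are evaluated top to bottom and that the first match decides. The sentence "Users that has an explicit allow, or that does not match any line" also needs a grammar fix in the source.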

View File

@ -1,110 +0,0 @@
KADMIN(8) System Manager's Manual KADMIN(8)
NNAAMMEE
kkaaddmmiinn - network utility for Kerberos database administration
SSYYNNOOPPSSIISS
kkaaddmmiinn [--pp _p_r_i_n_c_i_p_a_l] [--uu _u_s_e_r_n_a_m_e] [--rr _r_e_a_l_m] [--mm] [--TT _t_i_m_e_o_u_t] [--tt]
[----vveerrssiioonn] [--hh] [----hheellpp] _[_c_o_m_m_a_n_d_]
DDEESSCCRRIIPPTTIIOONN
This utility provides a unified administration interface to the Kerberos
master database. Kerberos administrators use kkaaddmmiinn to register new
users and services to the master database, and to change information
about existing database entries, such as changing a user's Kerberos pass-
word. A Kerberos administrator is a user with an ``admin'' instance whose
name appears on one of the Kerberos administration access control lists.
Supported options:
--pp _p_r_i_n_c_i_p_a_l
This is the adminstrator principal to use when talking to the
Kadmin server. The default is taken from the users environment.
--rr _r_e_a_l_m
This is the default realm to use for transactions. Default is the
local realm.
--uu _u_s_e_r_n_a_m_e
This is similar to --pp, but specifies a name, that gets appended
with a ``admin'' instance.
--TT _t_i_m_e_o_u_t
To prevent someone from walking up to an unguarded terminal and
doing malicious things, administrator tickets are destroyed after
a period of inactivity. This flag changes the timeout from the
default of one minute. A timeout of zero seconds disables this
functionality.
--mm Historically kkaaddmmiinn destroyed tickets after every command; this
flag used to stop this behaviour (only destroying tickets upon
exit). Now it's just a synonym for --TT _0.
--tt Use existing tickets (if any are available), this also disbles
timeout, and doesn't destroy any tickets upon exit.
These tickets have to be for the changepw.kerberos service. Use
kkiinniitt --pp to acquire them.
The kkaaddmmiinn program communicates over the network with the kkaaddmmiinndd pro-
gram, which runs on the machine housing the Kerberos master database, and
does the actual modifications to the database.
When you enter the kkaaddmmiinn command, the program displays a message that
welcomes you and explains how to ask for help. Then kkaaddmmiinn waits for you
to enter commands (which are described below). It then asks you for your
administrator's password before accessing the database.
All commands can be abbreviated as long as they are unique. Some short
versions of the commands are also recognized for backwards compatibility.
Recognised commands:
add_new_key _p_r_i_n_c_i_p_a_l
Creates a new principal in the Kerberos database. You give the
name of the new principal as an argument. You will then be asked
for a maximum ticket lifetime, attributes, the expiration date of
the principal, and finally the password of the principal.
change_password _p_r_i_n_c_i_p_a_l
Changes a principal's password. You will be prompted for the new
password.
change_key _p_r_i_n_c_i_p_a_l
This is the same as change_password, but the password is given as
a raw DES key (for the few occations when you need this).
change_admin_password
Changes your own admin password. It will prompt you for you old
and new passwords.
del_entry _p_r_i_n_c_i_p_a_l
Removes principal from the database.
get_entry _p_r_i_n_c_i_p_a_l
Show various information for the given principal. Note that the
key is shown as zeros.
mod_entry _p_r_i_n_c_i_p_a_l
Modifies a particular entry, for instance to change the expira-
tion date.
destroy_tickets
Destroys your admin tickets explicitly.
quit Obvious.
SSEEEE AALLSSOO
kerberos(1), kadmind(8), kpasswd(1), kinit(1), ksrvutil(8)
AAUUTTHHOORRSS
Jeffrey I. Schiller, MIT Project Athena
Emanuel Jay Berkenbilt, MIT Project Athena
BBUUGGSS
The user interface is primitive, and the command names could be better.
KTH-KRB February 3, 1998 2
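
Review bot: the SYNOPSIS lists --version, -h and --help, but the "Supported options" list only covers -p, -r, -u, -T, -m and -t, so three flags are undocumented. Please add entries for them in the page source before relying on a regenerated copy. The same pass can fix the spelling in the option and command text: "adminstrator", "disbles", "occations", and "prompt you for you old and new passwords".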

View File

@ -1,132 +0,0 @@
KKAADDMMIINNDD((88)) MMIITT PPrroojjeecctt AAtthheennaa KKAADDMMIINNDD((88))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
kadmind - network daemon for Kerberos database administration
SSYYNNOOPPSSIISS
kkaaddmmiinndd [ --nn ] [ --mm ] [ --hh ] [ --rr rreeaallmm ] [ --ff ffiilleennaammee ] [ --dd ddbbnnaammee ]
[ --aa aaccllddiirr ] [ --ii aaddddrreessss ]
DDEESSCCRRIIPPTTIIOONN
_k_a_d_m_i_n_d is the network database server for the Kerberos password-
changing and administration tools.
Upon execution, it fetches the master key from the key cache file.
If the --mm option is specified, it instead prompts the user to enter
the master key string for the database.
The --nn option is a no-op and is left for compatibility reasons.
If the --rr _r_e_a_l_m option is specified, the admin server will pretend
that its local realm is _r_e_a_l_m instead of the actual local realm of the
host it is running on. This makes it possible to run a server for a
foreign kerberos realm.
If the --ff _f_i_l_e_n_a_m_e option is specified, then that file is used to hold
the log information instead of the default.
If the --dd _d_b_n_a_m_e option is specified, then that file is used as the
database name instead of the default.
If the --aa _a_c_l_d_i_r option is specified, then _a_c_l_d_i_r is used as the
directory in which to search for access control lists instead of the
default.
If the --hh option is specified, _k_a_d_m_i_n_d prints out a short summary of
the permissible control arguments, and then exits.
If the --ii option is specified, _k_a_d_m_i_n_d will only listen on that
particular address and not on all configured addresses of the host,
which is the default.
When performing requests on behalf of clients, _k_a_d_m_i_n_d checks access
control lists (ACLs) to determine the authorization of the client to
perform the requested action. Currently four distinct access types
are supported:
Addition (.add ACL file). If a principal is on this list, it may add
new principals to the database.
Retrieval (.get ACL file). If a principal is on this list, it may
retrieve database entries. NOTE: A principal's private key
is never returned by the get functions.
- 1 - Formatted: March 12, 2000
KKAADDMMIINNDD((88)) MMIITT PPrroojjeecctt AAtthheennaa KKAADDMMIINNDD((88))
KKeerrbbeerrooss VVeerrssiioonn 44..00
Modification
(.mod ACL file). If a principal is on this list, it may
modify entries in the database.
Deletions (.del ACL file). If a principal is on this list, if may
delete entries from the database.
A principal is always granted authorization to change its own
password.
FFIILLEESS
/var/log/admin_server.syslog
Default log file.
/var/kerberos Default access control list directory.
admin_acl.{add,get,mod}
Access control list files (within the directory)
/var/kerberos/principal.pag, /var/kerberos/principal.dir
Default DBM files containing database
/.k Master key cache file.
SSEEEE AALLSSOO
kerberos(1), kpasswd(1), kadmin(8), acl_check(3)
AAUUTTHHOORRSS
Douglas A. Church, MIT Project Athena
John T. Kohl, Project Athena/Digital Equipment Corporation
- 2 - Formatted: March 12, 2000
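
Review bot: FILES lists the ACL files as admin_acl.{add,get,mod}, while the DESCRIPTION defines four access types and names a .del ACL file for deletions. Either the .del file is missing from FILES or the deletion ACL is described incorrectly; the page source should be made to agree with itself, since this is the reference an administrator uses to decide who can delete principals. The Deletions entry also reads "if may delete" where "it may delete" is meant.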

View File

@ -1,118 +0,0 @@
KAFS(3) System Programmer's Manual KAFS(3)
NNAAMMEE
kk__hhaassaaffss, kk__ppiiooccttll, kk__uunnlloogg, kk__sseettppaagg, kk__aaffss__cceellll__ooff__ffiillee, kkrrbb__aaffsslloogg,
kkrrbb__aaffsslloogg__uuiidd
- AFS library
SSYYNNOOPPSSIISS
##iinncclluuddee <<kkaaffss..hh>>
_i_n_t
kk__aaffss__cceellll__ooff__ffiillee(_c_o_n_s_t _c_h_a_r _*_p_a_t_h, _c_h_a_r _*_c_e_l_l, _i_n_t _l_e_n)
_i_n_t
kk__hhaassaaffss()
_i_n_t
kk__ppiiooccttll(_c_h_a_r _*_a___p_a_t_h, _i_n_t _o___o_p_c_o_d_e, _s_t_r_u_c_t _V_i_c_e_I_o_c_t_l _*_a___p_a_r_a_m_s_P,
_i_n_t _a___f_o_l_l_o_w_S_y_m_l_i_n_k_s)
_i_n_t
kk__sseettppaagg()
_i_n_t
kk__uunnlloogg()
_i_n_t
kkrrbb__aaffsslloogg(_c_h_a_r _*_c_e_l_l, _c_h_a_r _*_r_e_a_l_m)
_i_n_t
kkrrbb__aaffsslloogg__uuiidd(_c_h_a_r _*_c_e_l_l, _c_h_a_r _*_r_e_a_l_m, _u_i_d___t _u_i_d)
DDEESSCCRRIIPPTTIIOONN
kk__hhaassaaffss() initializes some library internal structures, and tests for
the presense of AFS in the kernel, none of the other functions should be
called before kk__hhaassaaffss() is called, or if it fails.
kkrrbb__aaffsslloogg(), and kkrrbb__aaffsslloogg__uuiidd() obtains new tokens (and possibly tick-
ets) for the specified _c_e_l_l and _r_e_a_l_m. If _c_e_l_l is NULL, the local cell is
used. If _r_e_a_l_m is NULL, the function tries to guess what realm to use.
Unless you have some good knowledge of what cell or realm to use, you
should pass NULL. kkrrbb__aaffsslloogg() will use the real user-id for the ViceId
field in the token, kkrrbb__aaffsslloogg__uuiidd() will use _u_i_d.
kk__aaffss__cceellll__ooff__ffiillee() will in _c_e_l_l return the cell of a specified file, no
more than _l_e_n characters is put in _c_e_l_l.
kk__ppiiooccttll() does a ppiiooccttll() syscall with the specified arguments. This
function is equivalent to llppiiooccttll().
kk__sseettppaagg() initializes a new PAG.
kk__uunnlloogg() removes destroys all tokens in the current PAG.
EENNVVIIRROONNMMEENNTT
The following environment variable affect the mode of operation of kkaaffss:
AFS_SYSCALL
Normally, kkaaffss will try to figure out the correct system call(s) that
are used by AFS by itself. If it does not manage to do that, or does
it incorrectly, you can set this variable to the system call number or
list of system call numbers that should be used.
RREETTUURRNN VVAALLUUEESS
kk__hhaassaaffss() returns 1 if AFS is present in the kernel, 0 otherwise.
kkrrbb__aaffsslloogg() and kkrrbb__aaffsslloogg__uuiidd() returns 0 on success, or a kerberos er-
ror number on failure. kk__aaffss__cceellll__ooff__ffiillee(), kk__ppiiooccttll(), kk__sseettppaagg(), and
kk__uunnlloogg() all return the value of the underlaying system call, 0 on suc-
cess.
EEXXAAMMPPLLEESS
The following code from llooggiinn will obtain a new PAG and tokens for the
local cell and the cell of the users home directory.
if (k_hasafs()) {
char cell[64];
k_setpag();
if(k_afs_cell_of_file(pwd->pw_dir, cell, sizeof(cell)) == 0)
krb_afslog(cell, NULL);
krb_afslog(NULL, NULL);
}
EERRRROORRSS
If any of these functions (appart from kk__hhaassaaffss()) is called without AFS
beeing present in the kernel, the process will usually (depending on the
operating system) receive a SIGSYS signal.
SSEEEE AALLSSOO
Transarc Corporation, "File Server/Cache Manager Interface", _A_F_S_-_3
_P_r_o_g_r_a_m_m_e_r_'_s _R_e_f_e_r_e_n_c_e, 1991.
BBUUGGSS
AFS_SYSCALL has no effect under AIX.
KTH-KRB May 7, 1997 2
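
Review bot: the k_afs_cell_of_file() paragraph says only that "no more than len characters is put in cell" and does not say whether the result is NUL-terminated when the cell name is truncated, although the EXAMPLES code passes sizeof(cell) and then hands cell straight to krb_afslog(). The page source should state the termination behaviour so callers know whether to reserve a byte. Smaller items for the same pass: "removes destroys all tokens" in the k_unlog() line, and the spellings "presense", "underlaying", "appart" and "beeing".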

View File

@ -1,47 +0,0 @@
KAUTH(1) System Reference Manual KAUTH(1)
NNAAMMEE
kkaauutthh - overworked Kerberos login program
SSYYNNOOPPSSIISS
kkaauutthh [--nn _n_a_m_e] [--rr _r_e_m_o_t_e _u_s_e_r] [--tt _r_e_m_o_t_e _t_i_c_k_e_t _f_i_l_e] [--hh _h_o_s_t_s_._._.]
[--ll _l_i_f_e_t_i_m_e] [--ff _s_r_v_t_a_b] [--cc _c_e_l_l] [_c_o_m_m_a_n_d _._._.]
DDEESSCCRRIIPPTTIIOONN
The kkaauutthh command obtains ticket granting tickets as well as AFS ticket
and tokens. It also does a whole lot of other stuff.
The following flags are supported:
--nn Principal to get tickets for. If no other arguments are present
this can be given without the --nn flag.
--hh Remote hosts to obtain tickets for. This works similar to the MIT
Athena Kerberos 4 patchlevel 10 command rkinit(1), however not in
a compatible way. It requires that the remote host runs the
kauthd(8), server. The --rr and --tt flags are useful only with this
option.
--rr User on the remote host that should own the ticket file.
--tt Ticket file on remote host.
--ll Lifetime of tickets in minutes. A value of -1 is used for maximum
ticket lifetime.
--ff Srvtab to get service keys from. Default is _/_e_t_c_/_s_r_v_t_a_b. This is
mainly used with batch services that need to run authenticated. If
any command is given, it will be executed in an authenticated fash-
ion and when the program exits the tickets are destroyed. For long
running jobs the tickets will be renewed.
--cc AFS cell to get tokens for, default is your local cell.
SSEEEE AALLSSOO
kinit(1), kauthd(8), kafs(3)
BBUUGGSS
There is no help-switch.
KTH-KRB May 4, 1996 1
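
Review bot: the -f entry runs on into text about the trailing command argument ("If any command is given, it will be executed in an authenticated fashion ..."), so the behaviour of [command ...] from the SYNOPSIS, including ticket destruction on exit and renewal for long jobs, is documented only as part of an unrelated flag. Move that text into its own paragraph in the page source. The DESCRIPTION line "It also does a whole lot of other stuff" tells the reader nothing and should be replaced or dropped there too.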

View File

@ -1,22 +0,0 @@
KAUTHD(8) System Manager's Manual KAUTHD(8)
NNAAMMEE
kkaauutthhdd - remote Kerberos login daemon
SSYYNNOOPPSSIISS
kkaauutthhdd
DDEESSCCRRIIPPTTIIOONN
Daemon for the kauth(1) command.
Options supported by kkaauutthhdd:
--ii Interactive. Do not expect to be started by iinneettdd,, but allocate
and listen to the socket yourself. Handy for testing and debug-
ging.
SSEEEE AALLSSOO
kauth(1)
KTH-KRB September 27, 1996 1
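
Review bot: the SYNOPSIS shows a bare kauthd with no options, but the page then documents -i under "Options supported by kauthd". The source should list [-i] in the SYNOPSIS. In the -i entry the comma after inetd is set in the same bold run as the name ("iinneettdd,,"), which points to markup in the source that pulls the punctuation into the emphasised word.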

View File

@ -1,66 +0,0 @@
KKDDBB__DDEESSTTRROOYY((88)) MMIITT PPrroojjeecctt AAtthheennaa KKDDBB__DDEESSTTRROOYY((88))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
kdb_destroy - destroy Kerberos key distribution center database
SSYYNNOOPPSSIISS
kdb_destroy
DDEESSCCRRIIPPTTIIOONN
_k_d_b___d_e_s_t_r_o_y deletes a Kerberos key distribution center database.
The user is prompted to verify that the database should be destroyed.
A response beginning with `y' or `Y' confirms deletion. Any other
response aborts deletion.
DDIIAAGGNNOOSSTTIICCSS
"Database cannot be deleted at /var/kerberos/principal"
The attempt to delete the database failed
(probably due to a system or access permission
error).
"Database not deleted."
The user aborted the deletion.
FFIILLEESS
/var/kerberos/principal.pag, /var/kerberos/principal.dir
DBM files containing database
SSEEEE AALLSSOO
kdb_init(8)
- 1 - Formatted: March 12, 2000

View File

@ -1,66 +0,0 @@
KKDDBB__EEDDIITT((88)) MMIITT PPrroojjeecctt AAtthheennaa KKDDBB__EEDDIITT((88))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
kdb_edit - Kerberos key distribution center database editing utility
SSYYNNOOPPSSIISS
kdb_edit [ --nn ]
DDEESSCCRRIIPPTTIIOONN
_k_d_b___e_d_i_t is used to create or change principals stored in the Kerberos
key distribution center (KDC) database.
When executed, _k_d_b___e_d_i_t prompts for the master key string and verifies
that it matches the master key stored in the database. If the --nn
option is specified, the master key is instead fetched from the master
key cache file.
Once the master key has been verified, _k_d_b___e_d_i_t begins a prompt loop.
The user is prompted for the principal and instance to be modified.
If the entry is not found the user may create it. Once an entry is
found or created, the user may set the password, expiration date,
maximum ticket lifetime, and attributes. Default expiration dates,
maximum ticket lifetimes, and attributes are presented in brackets; if
the user presses return the default is selected. There is no default
password. The password RANDOM is interpreted specially, and if
entered the user may have the program select a random DES key for the
principal.
Upon successfully creating or changing the entry, ``Edit O.K.'' is
printed.
DDIIAAGGNNOOSSTTIICCSS
"verify_master_key: Invalid master key, does not match database."
The master key string entered was incorrect.
FFIILLEESS
/var/kerberos/principal.pag, /var/kerberos/principal.dir
DBM files containing database
/.k Master key cache file.
- 1 - Formatted: March 12, 2000

View File

@ -1,66 +0,0 @@
KKDDBB__IINNIITT((88)) MMIITT PPrroojjeecctt AAtthheennaa KKDDBB__IINNIITT((88))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
kdb_init - Initialize Kerberos key distribution center database
SSYYNNOOPPSSIISS
kdb_init [ rreeaallmm ]
DDEESSCCRRIIPPTTIIOONN
_k_d_b___i_n_i_t initializes a Kerberos key distribution center database,
creating the necessary principals.
If the optional _r_e_a_l_m argument is not present, _k_d_b___i_n_i_t prompts for a
realm name. After determining the realm to be created, it prompts for
a master key password. The master key password is used to encrypt
every encryption key stored in the database.
DDIIAAGGNNOOSSTTIICCSS
"/var/kerberos/principal: File exists"
An attempt was made to create a database on a
machine which already had an existing database.
FFIILLEESS
/var/kerberos/principal.pag, /var/kerberos/principal.dir
DBM files containing database
SSEEEE AALLSSOO
kdb_destroy(8)
- 1 - Formatted: March 12, 2000

View File

@ -1,66 +0,0 @@
KKDDBB__UUTTIILL((88)) MMIITT PPrroojjeecctt AAtthheennaa KKDDBB__UUTTIILL((88))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
kdb_util - Kerberos key distribution center database utility
SSYYNNOOPPSSIISS
kdb_util ooppeerraattiioonn ffiilleennaammee
DDEESSCCRRIIPPTTIIOONN
_k_d_b___u_t_i_l allows the Kerberos key distribution center (KDC) database
administrator to perform utility functions on the database.
_O_p_e_r_a_t_i_o_n must be one of the following:
_l_o_a_d initializes the KDC database with the records described by
the text contained in the file _f_i_l_e_n_a_m_e. Any existing
database is overwritten.
_d_u_m_p dumps the KDC database into a text representation in the
file _f_i_l_e_n_a_m_e.
_s_l_a_v_e___d_u_m_p
performs a database dump like the _d_u_m_p operation, and
additionally creates a semaphore file signalling the
propagation software that an update is available for
distribution to slave KDC databases.
_m_e_r_g_e merges in the entries from _f_i_l_e_n_a_m_e into the database.
_n_e_w___m_a_s_t_e_r___k_e_y
prompts for the old and new master key strings, and then
dumps the KDC database into a text representation in the
file _f_i_l_e_n_a_m_e. The keys in the text representation are
encrypted in the new master key.
_c_o_n_v_e_r_t___o_l_d___d_b
prompts for the master key string, and then dumps the KDC
database into a text representation in the file _f_i_l_e_n_a_m_e.
The existing database is assumed to be encrypted using the
old format (encrypted by the key schedule of the master
key); the dumped database is encrypted using the new format
(encrypted directly with master key).
DDIIAAGGNNOOSSTTIICCSS
"verify_master_key: Invalid master key, does not match database."
The master key string entered was incorrect.
FFIILLEESS
/kerberos/principal.pag, /kerberos/principal.dir
DBM files containing database
_f_i_l_e_n_a_m_e.ok semaphore file created by _s_l_a_v_e___d_u_m_p_.
- 1 - Formatted: March 12, 2000
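
Review bot: FILES gives the database as /kerberos/principal.pag and /kerberos/principal.dir, whereas the kdb_init, kdb_edit, kdb_destroy and kadmind pages removed in this same commit all give /var/kerberos/principal.pag and /var/kerberos/principal.dir. One of the two is stale; check which path the tools actually use and correct the page source, because load overwrites any existing database at that location.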

View File

@ -1,132 +0,0 @@
KKDDEESSTTRROOYY((11)) MMIITT PPrroojjeecctt AAtthheennaa KKDDEESSTTRROOYY((11))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
kdestroy - destroy Kerberos tickets
SSYYNNOOPPSSIISS
kkddeessttrrooyy [ --ff ] [ --qq ] [ --tt ]
DDEESSCCRRIIPPTTIIOONN
The _k_d_e_s_t_r_o_y utility destroys the user's active Kerberos authorization
tickets by writing zeros to the file that contains them. If the
ticket file does not exist, _k_d_e_s_t_r_o_y displays a message to that
effect.
After overwriting the file, _k_d_e_s_t_r_o_y removes the file from the system.
The utility displays a message indicating the success or failure of
the operation. If _k_d_e_s_t_r_o_y is unable to destroy the ticket file, the
utility will warn you by making your terminal beep.
In the Athena workstation environment, the _t_o_e_h_o_l_d service
automatically destroys your tickets when you end a workstation
session. If your site does not provide a similar ticket-destroying
mechanism, you can place the _k_d_e_s_t_r_o_y command in your _._l_o_g_o_u_t file so
that your tickets are destroyed automatically when you logout.
The options to _k_d_e_s_t_r_o_y are as follows:
--ff _k_d_e_s_t_r_o_y runs without displaying the status message.
--qq _k_d_e_s_t_r_o_y will not make your terminal beep if it fails to
destroy the tickets.
--tt destroy tickets only and keep all AFS tokens.
--uu unlog, i.e remove any AFS tokens associated with the current
PAG but leave the ticket file alone.
If neither --tt nor --uu is given, both tickets and AFS tokens are
destroyed.
FFIILLEESS
KRBTKFILE environment variable if set, otherwise
/tmp/tkt[uid]
SSEEEE AALLSSOO
kerberos(1), kinit(1), klist(1)
BBUUGGSS
Only the tickets in the user's current ticket file are destroyed.
Separate ticket files are used to hold root instance and password
changing tickets. These files should probably be destroyed too, or
all of a user's tickets kept in a single ticket file.
- 1 - Formatted: March 12, 2000
KKDDEESSTTRROOYY((11)) MMIITT PPrroojjeecctt AAtthheennaa KKDDEESSTTRROOYY((11))
KKeerrbbeerrooss VVeerrssiioonn 44..00
AAUUTTHHOORRSS
Steve Miller, MIT Project Athena/Digital Equipment Corporation
Clifford Neuman, MIT Project Athena
Bill Sommerfeld, MIT Project Athena
- 2 - Formatted: March 12, 2000
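
Review bot: the SYNOPSIS reads "kdestroy [ -f ] [ -q ] [ -t ]" but the option list also documents -u, and the closing sentence "If neither -t nor -u is given" depends on it. Add [ -u ] to the SYNOPSIS in the page source so the regenerated page matches the options it describes.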

View File

@ -1,198 +0,0 @@
KKEERRBBEERROOSS((11)) MMIITT PPrroojjeecctt AAtthheennaa KKEERRBBEERROOSS((11))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
kerberos - introduction to the Kerberos system
DDEESSCCRRIIPPTTIIOONN
The Kerberos system authenticates individual users in a network
environment. After authenticating yourself to Kerberos, you can use
network utilities such as _r_l_o_g_i_n, _r_c_p, and _r_s_h without having to
present passwords to remote hosts and without having to bother with
_._r_h_o_s_t_s files. Note that these utilities will work without passwords
only if the remote machines you deal with support the Kerberos system.
All Athena timesharing machines and public workstations support
Kerberos.
Before you can use Kerberos, you must register as an Athena user, and
you must make sure you have been added to the Kerberos database. You
can use the _k_i_n_i_t command to find out. This command tries to log you
into the Kerberos system. _k_i_n_i_t will prompt you for a username and
password. Enter your username and password. If the utility lets you
login without giving you a message, you have already been registered.
If you enter your username and _k_i_n_i_t responds with this message:
Principal unknown (kerberos)
you haven't been registered as a Kerberos user. See your system
administrator.
A Kerberos name contains three parts. The first is the _p_r_i_n_c_i_p_a_l
_n_a_m_e_, which is usually a user's or service's name. The second is the
_i_n_s_t_a_n_c_e_, which in the case of a user is usually null. Some users may
have privileged instances, however, such as ``root'' or ``admin''. In
the case of a service, the instance is the name of the machine on
which it runs; i.e. there can be an _r_l_o_g_i_n service running on the
machine ABC, which is different from the rlogin service running on the
machine XYZ. The third part of a Kerberos name is the _r_e_a_l_m_. The
realm corresponds to the Kerberos service providing authentication for
the principal. For example, at MIT there is a Kerberos running at the
Laboratory for Computer Science and one running at Project Athena.
When writing a Kerberos name, the principal name is separated from the
instance (if not null) by a period, and the realm (if not the local
realm) follows, preceded by an ``@'' sign. The following are examples
of valid Kerberos names:
billb
jis.admin
srz@lcs.mit.edu
treese.root@athena.mit.edu
When you authenticate yourself with Kerberos, through either the
- 1 - Formatted: March 12, 2000
KKEERRBBEERROOSS((11)) MMIITT PPrroojjeecctt AAtthheennaa KKEERRBBEERROOSS((11))
KKeerrbbeerrooss VVeerrssiioonn 44..00
workstation _t_o_e_h_o_l_d system or the _k_i_n_i_t command, Kerberos gives you an
initial Kerberos _t_i_c_k_e_t. (A Kerberos ticket is an encrypted protocol
message that provides authentication.) Kerberos uses this ticket for
network utilities such as _r_l_o_g_i_n and _r_c_p. The ticket transactions are
done transparently, so you don't have to worry about their management.
Note, however, that tickets expire. Privileged tickets, such as root
instance tickets, expire in a few minutes, while tickets that carry
more ordinary privileges may be good for several hours or a day,
depending on the installation's policy. If your login session extends
beyond the time limit, you will have to re-authenticate yourself to
Kerberos to get new tickets. Use the _k_i_n_i_t command to re-authenticate
yourself.
If you use the _k_i_n_i_t command to get your tickets, make sure you use
the _k_d_e_s_t_r_o_y command to destroy your tickets before you end your login
session. You should probably put the _k_d_e_s_t_r_o_y command in your _._l_o_g_o_u_t
file so that your tickets will be destroyed automatically when you
logout. For more information about the _k_i_n_i_t and _k_d_e_s_t_r_o_y commands,
see the _k_i_n_i_t_(_1_) and _k_d_e_s_t_r_o_y_(_1_) manual pages.
Currently, Kerberos supports the following network services: _r_l_o_g_i_n,
_r_s_h, _r_c_p, _p_o_p, _f_t_p, _t_e_l_n_e_t, _A_F_S and _N_F_S_.
SSEEEE AALLSSOO
kdestroy(1), kinit(1), klist(1), kpasswd(1), des_crypt(3),
kerberos(3), kadmin(8)
BBUUGGSS
Kerberos will not do authentication forwarding. In other words, if
you use _r_l_o_g_i_n to login to a remote host, you cannot use Kerberos
services from that host until you authenticate yourself explicitly on
that host. Although you may need to authenticate yourself on the
remote host, be aware that when you do so, _r_l_o_g_i_n sends your password
across the network in clear text.
AAUUTTHHOORRSS
Steve Miller, MIT Project Athena/Digital Equipment Corporation
Clifford Neuman, MIT Project Athena
The following people helped out on various aspects of the system:
Jeff Schiller designed and wrote the administration server and its
user interface, kadmin. He also wrote the dbm version of the database
management system.
Mark Colan developed the Kerberos versions of _r_l_o_g_i_n, _r_s_h, and _r_c_p, as
well as contributing work on the servers.
- 2 - Formatted: March 12, 2000
KKEERRBBEERROOSS((11)) MMIITT PPrroojjeecctt AAtthheennaa KKEERRBBEERROOSS((11))
KKeerrbbeerrooss VVeerrssiioonn 44..00
John Ostlund developed the Kerberos versions of _p_a_s_s_w_d and _u_s_e_r_r_e_g.
Stan Zanarotti pioneered Kerberos in a foreign realm (LCS), and made
many contributions based on that experience.
Many people contributed code and/or useful ideas, including Jim
Aspnes, Bob Baldwin, John Barba, Richard Basch, Jim Bloom, Bill
Bryant, Rob French, Dan Geer, David Jedlinsky, John Kohl, John
Kubiatowicz, Bob McKie, Brian Murphy, Ken Raeburn, Chris Reed, Jon
Rochlis, Mike Shanzer, Bill Sommerfeld, Jennifer Steiner, Ted Ts'o,
and Win Treese.
RREESSTTRRIICCTTIIOONNSS
COPYRIGHT 1985,1986 Massachusetts Institute of Technology
- 3 - Formatted: March 12, 2000
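Review bot: The commit message should name the source these pages are regenerated from. The "Formatted: March 12, 2000" footers and the overstrike headings (NNAAMMEE, BBUUGGSS) mark this file as nroff output, so deleting it loses nothing only if the unformatted kerberos(1) source stays in the tree and is formatted at build or install time; "Remove formatted manpages." leaves the reader to verify that. When checking the source, confirm it still carries the BUGS caveat that rlogin sends your password across the network in clear text when you authenticate on the remote host.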

View File

@ -1,396 +0,0 @@
KKEERRBBEERROOSS((33)) MMIITT PPrroojjeecctt AAtthheennaa KKEERRBBEERROOSS((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
krb_mk_req, krb_rd_req, krb_kntoln, krb_set_key, krb_get_cred,
krb_mk_priv, krb_rd_priv, krb_mk_safe, krb_rd_safe, krb_mk_err,
krb_rd_err, krb_ck_repl - Kerberos authentication library
SSYYNNOOPPSSIISS
##iinncclluuddee <<ddeess..hh>>
##iinncclluuddee <<kkrrbb..hh>>
eexxtteerrnn cchhaarr **kkrrbb__eerrrr__ttxxtt[[]];;
iinntt kkrrbb__mmkk__rreeqq((aauutthheenntt,,sseerrvviiccee,,iinnssttaannccee,,rreeaallmm,,cchheecckkssuumm))
KKTTEEXXTT aauutthheenntt;;
cchhaarr **sseerrvviiccee;;
cchhaarr **iinnssttaannccee;;
cchhaarr **rreeaallmm;;
uu__lloonngg cchheecckkssuumm;;
iinntt kkrrbb__rrdd__rreeqq((aauutthheenntt,,sseerrvviiccee,,iinnssttaannccee,,ffrroomm__aaddddrr,,aadd,,ffnn))
KKTTEEXXTT aauutthheenntt;;
cchhaarr **sseerrvviiccee;;
cchhaarr **iinnssttaannccee;;
uu__lloonngg ffrroomm__aaddddrr;;
AAUUTTHH__DDAATT **aadd;;
cchhaarr **ffnn;;
iinntt kkrrbb__kknnttoollnn((aadd,,llnnaammee))
AAUUTTHH__DDAATT **aadd;;
cchhaarr **llnnaammee;;
iinntt kkrrbb__sseett__kkeeyy((kkeeyy,,ccvvtt))
cchhaarr **kkeeyy;;
iinntt ccvvtt;;
iinntt kkrrbb__ggeett__ccrreedd((sseerrvviiccee,,iinnssttaannccee,,rreeaallmm,,cc))
cchhaarr **sseerrvviiccee;;
cchhaarr **iinnssttaannccee;;
cchhaarr **rreeaallmm;;
CCRREEDDEENNTTIIAALLSS **cc;;
lloonngg kkrrbb__mmkk__pprriivv((iinn,,oouutt,,iinn__lleennggtthh,,sscchheedduullee,,kkeeyy,,sseennddeerr,,rreecceeiivveerr))
uu__cchhaarr **iinn;;
uu__cchhaarr **oouutt;;
uu__lloonngg iinn__lleennggtthh;;
ddeess__ccbblloocckk kkeeyy;;
ddeess__kkeeyy__sscchheedduullee sscchheedduullee;;
ssttrruucctt ssoocckkaaddddrr__iinn **sseennddeerr;;
ssttrruucctt ssoocckkaaddddrr__iinn **rreecceeiivveerr;;
lloonngg kkrrbb__rrdd__pprriivv((iinn,,iinn__lleennggtthh,,sscchheedduullee,,kkeeyy,,sseennddeerr,,rreecceeiivveerr,,mmssgg__ddaattaa))
uu__cchhaarr **iinn;;
- 1 - Formatted: March 12, 2000
KKEERRBBEERROOSS((33)) MMIITT PPrroojjeecctt AAtthheennaa KKEERRBBEERROOSS((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
uu__lloonngg iinn__lleennggtthh;;
KKeeyy__sscchheedduullee sscchheedduullee;;
ddeess__ccbblloocckk kkeeyy;;
ssttrruucctt ssoocckkaaddddrr__iinn **sseennddeerr;;
ssttrruucctt ssoocckkaaddddrr__iinn **rreecceeiivveerr;;
MMSSGG__DDAATT **mmssgg__ddaattaa;;
lloonngg kkrrbb__mmkk__ssaaffee((iinn,,oouutt,,iinn__lleennggtthh,,kkeeyy,,sseennddeerr,,rreecceeiivveerr))
uu__cchhaarr **iinn;;
uu__cchhaarr **oouutt;;
uu__lloonngg iinn__lleennggtthh;;
ddeess__ccbblloocckk kkeeyy;;
ssttrruucctt ssoocckkaaddddrr__iinn **sseennddeerr;;
ssttrruucctt ssoocckkaaddddrr__iinn **rreecceeiivveerr;;
lloonngg kkrrbb__rrdd__ssaaffee((iinn,,lleennggtthh,,kkeeyy,,sseennddeerr,,rreecceeiivveerr,,mmssgg__ddaattaa))
uu__cchhaarr **iinn;;
uu__lloonngg lleennggtthh;;
ddeess__ccbblloocckk kkeeyy;;
ssttrruucctt ssoocckkaaddddrr__iinn **sseennddeerr;;
ssttrruucctt ssoocckkaaddddrr__iinn **rreecceeiivveerr;;
MMSSGG__DDAATT **mmssgg__ddaattaa;;
lloonngg kkrrbb__mmkk__eerrrr((oouutt,,ccooddee,,ssttrriinngg))
uu__cchhaarr **oouutt;;
lloonngg ccooddee;;
cchhaarr **ssttrriinngg;;
lloonngg kkrrbb__rrdd__eerrrr((iinn,,lleennggtthh,,ccooddee,,mmssgg__ddaattaa))
uu__cchhaarr **iinn;;
uu__lloonngg lleennggtthh;;
lloonngg ccooddee;;
MMSSGG__DDAATT **mmssgg__ddaattaa;;
DDEESSCCRRIIPPTTIIOONN
This library supports network authentication and various related
operations. The library contains many routines beyond those described
in this man page, but they are not intended to be used directly.
Instead, they are called by the routines that are described, the
authentication server and the login program.
_k_r_b___e_r_r___t_x_t_[_] contains text string descriptions of various Kerberos
error codes returned by some of the routines below.
_k_r_b___m_k___r_e_q takes a pointer to a text structure in which an
authenticator is to be built. It also takes the name, instance, and
realm of the service to be used and an optional checksum. It is up to
the application to decide how to generate the checksum. _k_r_b___m_k___r_e_q
then retrieves a ticket for the desired service and creates an
authenticator. The authenticator is built in _a_u_t_h_e_n_t and is
accessible to the calling procedure.
- 2 - Formatted: March 12, 2000
KKEERRBBEERROOSS((33)) MMIITT PPrroojjeecctt AAtthheennaa KKEERRBBEERROOSS((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
It is up to the application to get the authenticator to the service
where it will be read by _k_r_b___r_d___r_e_q_. Unless an attacker posesses the
session key contained in the ticket, it will be unable to modify the
authenticator. Thus, the checksum can be used to verify the
authenticity of the other data that will pass through a connection.
_k_r_b___r_d___r_e_q takes an authenticator of type KKTTEEXXTT,, a service name, an
instance, the address of the host originating the request, and a
pointer to a structure of type AAUUTTHH__DDAATT which is filled in with
information obtained from the authenticator. It also optionally takes
the name of the file in which it will find the secret key(s) for the
service. If the supplied _i_n_s_t_a_n_c_e contains "*", then the first
service key with the same service name found in the service key file
will be used, and the _i_n_s_t_a_n_c_e argument will be filled in with the
chosen instance. This means that the caller must provide space for
such an instance name.
It is used to find out information about the principal when a request
has been made to a service. It is up to the application protocol to
get the authenticator from the client to the service. The
authenticator is then passed to _k_r_b___r_d___r_e_q to extract the desired
information.
_k_r_b___r_d___r_e_q returns zero (RD_AP_OK) upon successful authentication. If
a packet was forged, modified, or replayed, authentication will fail.
If the authentication fails, a non-zero value is returned indicating
the particular problem encountered. See _k_r_b_._h for the list of error
codes.
If the last argument is the null string (""), krb_rd_req will use the
file /etc/srvtab to find its keys. If the last argument is NULL, it
will assume that the key has been set by _k_r_b___s_e_t___k_e_y and will not
bother looking further.
_k_r_b___k_n_t_o_l_n converts a Kerberos name to a local name. It takes a
structure of type AUTH_DAT and uses the name and instance to look in
the database /etc/aname to find the corresponding local name. The
local name is returned and can be used by an application to change
uids, directories, or other parameters. It is not an integral part of
Kerberos, but is instead provided to support the use of Kerberos in
existing utilities.
_k_r_b___s_e_t___k_e_y takes as an argument a des key. It then creates a key
schedule from it and saves the original key to be used as an
initialization vector. It is used to set the server's key which must
be used to decrypt tickets.
If called with a non-zero second argument, _k_r_b___s_e_t___k_e_y will first
convert the input from a string of arbitrary length to a DES key by
encrypting it with a one-way function.
- 3 - Formatted: March 12, 2000
KKEERRBBEERROOSS((33)) MMIITT PPrroojjeecctt AAtthheennaa KKEERRBBEERROOSS((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
In most cases it should not be necessary to call _k_r_b___s_e_t___k_e_y_. The
necessary keys will usually be obtained and set inside _k_r_b___r_d___r_e_q_.
_k_r_b___s_e_t___k_e_y is provided for those applications that do not wish to
place the application keys on disk.
_k_r_b___g_e_t___c_r_e_d searches the caller's ticket file for a ticket for the
given service, instance, and realm; and, if a ticket is found, fills
in the given CREDENTIALS structure with the ticket information.
If the ticket was found, _k_r_b___g_e_t___c_r_e_d returns GC_OK. If the ticket
file can't be found, can't be read, doesn't belong to the user (other
than root), isn't a regular file, or is in the wrong mode, the error
GC_TKFIL is returned.
_k_r_b___m_k___p_r_i_v creates an encrypted, authenticated message from any
arbitrary application data, pointed to by _i_n and _i_n___l_e_n_g_t_h bytes long.
The private session key, pointed to by _k_e_y and the key schedule,
_s_c_h_e_d_u_l_e_, are used to encrypt the data and some header information
using _p_c_b_c___e_n_c_r_y_p_t_. _s_e_n_d_e_r and _r_e_c_e_i_v_e_r point to the Internet address
of the two parties. In addition to providing privacy, this protocol
message protects against modifications, insertions or replays. The
encapsulated message and header are placed in the area pointed to by
_o_u_t and the routine returns the length of the output, or -1 indicating
an error.
_k_r_b___r_d___p_r_i_v decrypts and authenticates a received _k_r_b___m_k___p_r_i_v message.
_i_n points to the beginning of the received message, whose length is
specified in _i_n___l_e_n_g_t_h_. The private session key, pointed to by _k_e_y_,
and the key schedule, _s_c_h_e_d_u_l_e_, are used to decrypt and verify the
received message. _m_s_g___d_a_t_a is a pointer to a _M_S_G___D_A_T struct, defined
in _k_r_b_._h_. The routine fills in the _a_p_p___d_a_t_a field with a pointer to
the decrypted application data, _a_p_p___l_e_n_g_t_h with the length of the
_a_p_p___d_a_t_a field, _t_i_m_e___s_e_c and _t_i_m_e___5_m_s with the timestamps in the
message, and _s_w_a_p with a 1 if the byte order of the receiver is
different than that of the sender. (The application must still
determine if it is appropriate to byte-swap application data; the
Kerberos protocol fields are already taken care of). The _h_a_s_h field
returns a value useful as input to the _k_r_b___c_k___r_e_p_l routine.
The routine returns zero if ok, or a Kerberos error code. Modified
messages and old messages cause errors, but it is up to the caller to
check the time sequence of messages, and to check against recently
replayed messages using _k_r_b___c_k___r_e_p_l if so desired.
_k_r_b___m_k___s_a_f_e creates an authenticated, but unencrypted message from any
arbitrary application data, pointed to by _i_n and _i_n___l_e_n_g_t_h bytes long.
The private session key, pointed to by _k_e_y_, is used to seed the
_q_u_a_d___c_k_s_u_m_(_) checksum algorithm used as part of the authentication.
_s_e_n_d_e_r and _r_e_c_e_i_v_e_r point to the Internet address of the two parties.
This message does not provide privacy, but does protect (via
detection) against modifications, insertions or replays. The
- 4 - Formatted: March 12, 2000
KKEERRBBEERROOSS((33)) MMIITT PPrroojjeecctt AAtthheennaa KKEERRBBEERROOSS((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
encapsulated message and header are placed in the area pointed to by
_o_u_t and the routine returns the length of the output, or -1 indicating
an error. The authentication provided by this routine is not as
strong as that provided by _k_r_b___m_k___p_r_i_v or by computing the checksum
using _c_b_c___c_k_s_u_m instead, both of which authenticate via DES.
_k_r_b___r_d___s_a_f_e authenticates a received _k_r_b___m_k___s_a_f_e message. _i_n points
to the beginning of the received message, whose length is specified in
_i_n___l_e_n_g_t_h_. The private session key, pointed to by _k_e_y_, is used to
seed the quad_cksum() routine as part of the authentication. _m_s_g___d_a_t_a
is a pointer to a _M_S_G___D_A_T struct, defined in _k_r_b_._h _. The routine
fills in these _M_S_G___D_A_T fields: the _a_p_p___d_a_t_a field with a pointer to
the application data, _a_p_p___l_e_n_g_t_h with the length of the _a_p_p___d_a_t_a
field, _t_i_m_e___s_e_c and _t_i_m_e___5_m_s with the timestamps in the message, and
_s_w_a_p with a 1 if the byte order of the receiver is different than that
of the sender. (The application must still determine if it is
appropriate to byte-swap application data; the Kerberos protocol
fields are already taken care of). The _h_a_s_h field returns a value
useful as input to the _k_r_b___c_k___r_e_p_l routine.
The routine returns zero if ok, or a Kerberos error code. Modified
messages and old messages cause errors, but it is up to the caller to
check the time sequence of messages, and to check against recently
replayed messages using _k_r_b___c_k___r_e_p_l if so desired.
_k_r_b___m_k___e_r_r constructs an application level error message that may be
used along with _k_r_b___m_k___p_r_i_v or _k_r_b___m_k___s_a_f_e_. _o_u_t is a pointer to the
output buffer, _c_o_d_e is an application specific error code, and _s_t_r_i_n_g
is an application specific error string.
_k_r_b___r_d___e_r_r unpacks a received _k_r_b___m_k___e_r_r message. _i_n points to the
beginning of the received message, whose length is specified in
_i_n___l_e_n_g_t_h_. _c_o_d_e is a pointer to a value to be filled in with the
error value provided by the application. _m_s_g___d_a_t_a is a pointer to a
_M_S_G___D_A_T struct, defined in _k_r_b_._h _. The routine fills in these _M_S_G___D_A_T
fields: the _a_p_p___d_a_t_a field with a pointer to the application error
text, _a_p_p___l_e_n_g_t_h with the length of the _a_p_p___d_a_t_a field, and _s_w_a_p with
a 1 if the byte order of the receiver is different than that of the
sender. (The application must still determine if it is appropriate to
byte-swap application data; the Kerberos protocol fields are already
taken care of).
The routine returns zero if the error message has been successfully
received, or a Kerberos error code.
The _K_T_E_X_T structure is used to pass around text of varying lengths.
It consists of a buffer for the data, and a length. krb_rd_req takes
an argument of this type containing the authenticator, and krb_mk_req
returns the authenticator in a structure of this type. KTEXT itself
is really a pointer to the structure. The actual structure is of
- 5 - Formatted: March 12, 2000
KKEERRBBEERROOSS((33)) MMIITT PPrroojjeecctt AAtthheennaa KKEERRBBEERROOSS((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
type KTEXT_ST.
The _A_U_T_H___D_A_T structure is filled in by krb_rd_req. It must be
allocated before calling krb_rd_req, and a pointer to it is passed.
The structure is filled in with data obtained from Kerberos. _M_S_G___D_A_T
structure is filled in by either krb_rd_priv, krb_rd_safe, or
krb_rd_err. It must be allocated before the call and a pointer to it
is passed. The structure is filled in with data obtained from
Kerberos.
FFIILLEESS
/usr/include/krb.h
/usr/lib/libkrb.a
/usr/include/des.h
/usr/lib/libdes.a
/etc/aname
/etc/srvtab
/tmp/tkt[uid]
SSEEEE AALLSSOO
kerberos(1), des_crypt(3)
DDIIAAGGNNOOSSTTIICCSS
BBUUGGSS
The caller of _k_r_b___r_d___r_e_q_, _k_r_b___r_d___p_r_i_v_, _a_n_d _k_r_b___r_d___s_a_f_e must check time
order and for replay attempts. _k_r_b___c_k___r_e_p_l is not implemented yet.
AAUUTTHHOORRSS
Clifford Neuman, MIT Project Athena
Steve Miller, MIT Project Athena/Digital Equipment Corporation
RREESSTTRRIICCTTIIOONNSS
COPYRIGHT 1985,1986,1989 Massachusetts Institute of Technology
- 6 - Formatted: March 12, 2000
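Review bot: The replay guidance in this page contradicts itself, and the fix belongs in the source this output was formatted from. The krb_rd_priv and krb_rd_safe paragraphs tell the caller to check for replayed messages "using krb_ck_repl if so desired" and NAME lists krb_ck_repl, yet BUGS says "krb_ck_repl is not implemented yet" and the SYNOPSIS has no prototype for it, so the caller is pointed at a routine that does not exist. Suggest moving the BUGS statement into the DESCRIPTION so it is clear the application itself must check time order and replays using the time_sec, time_5ms and hash fields. Smaller points visible here: schedule is typed des_key_schedule for krb_mk_priv but Key_schedule for krb_rd_priv, krb_rd_err declares "long code" although the text calls code a pointer, DIAGNOSTICS is empty, and "posesses" is misspelled.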

View File

@ -1,147 +0,0 @@
KERBEROS(8) System Manager's Manual KERBEROS(8)
NNAAMMEE
kkeerrbbeerrooss - The kerberos daemon
SSYYNNPPOOSSIISS
kkeerrbbeerrooss [--mmnnss] [--aa _m_a_x _a_g_e] [--ii _a_d_d_r_e_s_s] [--ll _l_o_g] [--pp _p_a_u_s_e] [--PP
_p_o_r_t_s_p_e_c] [--rr _r_e_a_l_m] [_d_a_t_a_b_a_s_e]
DDEESSCCRRIIPPTTIIOONN
This is the kkeerrbbeerrooss daemon.
Options:
--aa Set the _m_a_x _a_g_e before the database is considered stale.
--ii Only listen on _a_d_d_r_e_s_s. Normally, the kerberos server listens on
all addresses of all interfaces.
--ll Write the log to _l_o_g
--mm Run manually and prompt for master key.
--nn Do not check max age.
--pp Pause for _p_a_u_s_e before dying.
--PP Listen to the ports specified by _p_o_r_t_s_p_e_c. This should be a
white-space separated list of port specificatios. A port specifi-
cation follows the format: _p_o_r_t[/_p_r_o_t_o_c_o_l]. The _p_o_r_t can be ei-
ther a symbolic port name (from _/_e_t_c_/_s_e_r_v_i_c_e_s_)_, _o_r _a _n_u_m_b_e_r_;
_p_r_o_t_o_c_o_l _c_a_n _b_e _e_i_t_h_e_r udp, or tcp. If left out, the KDC will
listen to both UDP and TCP sockets on the specified port.
The special string + mean that the default set of ports (TCP and
UDP on ports 88 and 750) should be included.
--rr Run as a server for realm _r_e_a_l_m
--ss Set slave parameters. This will enable check to see if data is
getting too stale relative to the master.
If no _d_a_t_a_b_a_s_e is given a default datbase will be used, normally
_/_v_a_r_/_k_e_r_b_e_r_o_s_/_p_r_i_n_c_i_p_a_l.
DDIIAAGGNNOOSSTTIICCSS
The server logs several messages in a log file (_/_v_a_r_/_r_u_n_/_k_e_r_b_e_r_o_s_._l_o_g by
default). The logging mechanism opens and closes the log file for each
message, so you can safely rename the log file when the server is run-
ning.
OOppeerraattiioonnaall mmeessssaaggeess
These are normal messages that you will see in the log. They might be
followed by some error message.
Getting key for _R_E_A_L_M
The server fetched the key for `krbtgt.REALM' for the specific
realm. You will see this at startup, and for every attempt to use
cross realm authentication.
Starting Kerberos for _R_E_A_L_M (kvno _k_v_n_o)
You will see this also if you start with --mm.
AS REQ _n_a_m_e_._i_n_s_t_a_n_c_e_@_R_E_A_L_M for _s_n_a_m_e_._s_i_n_s_t_a_n_c_e from _i_p_-_n_u_m_b_e_r
An initial (password authenticated) request was received.
APPL REQ _n_a_m_e_._i_n_s_t_a_n_c_e_@_R_E_A_L_M for _s_n_a_m_e_._s_i_n_s_t_a_n_c_e from _i_p_-_n_u_m_b_e_r
A tgt-based request for a ticket was made.
EErrrroorr mmeessssaaggeess
These messages reflects misconfigured clients, invalid requests, or pos-
sibly attepted attacks.
UNKNOWN _n_a_m_e_._i_n_s_t_a_n_c_e
The server received a request with an unknown principal. This is
most likely because someone typed the wrong name at a login
prompt. It could also be someone trying to get a list of possible
users.
Unknown realm _R_E_A_L_M from _i_p_-_n_u_m_b_e_r
There isn't a principal for `krbtgt.REALM' in the database.
Can't hop realms: _R_E_A_L_M_1 -> _R_E_A_L_M_2
There was a request for a ticket for another realm. This might be
because of a misconfigured client.
Principal not unique _n_a_m_e_._i_n_s_t_a_n_c_e
There is more than one entry for this principal in the database.
This is not very good.
Null key _n_a_m_e_._i_n_s_t_a_n_c_e
Someone tried to use a principal that for some reason doesn't have
a key.
Incorrect master key version for _n_a_m_e_._i_n_s_t_a_n_c_e : _n_u_m_b_e_r (should be _n_u_m_-
_b_e_r)
The principal has it's key encrypted with the wrong master key.
Principal _n_a_m_e_._i_n_s_t_a_n_c_e expired at _d_a_t_e
The principal's key has expired.
krb_rd_req from _i_p_-_n_u_m_b_e_r: _e_r_r_o_r_-_m_e_s_s_a_g_e
The message couldn't be decoded properly. The error message will
give you further hints. You will see this if someone is trying to
use expired tickets.
Unknown message type: _n_u_m_b_e_r from _i_p_-_n_u_m_b_e_r
The message received was not one that is understood by this serv-
er.
Can't authorize password changed based on TGT
Someone tried to get a `changepw.kerberos' via a tgt exchange.
This is because of a broken client, or possibly an attack.
KRB protocol version mismatch (_n_u_m_b_e_r)
The server received a request with an unknown version number.
FFaattaall eerrrroorr mmeessssaaggeess
The following messages indicate problems when starting the server.
Database unavailable!
There was some problem reading the database.
Database currently being updated!
Someone is currently updating the database (possibly via krop).
Database out of date!
The database is older than the maximum age specified.
Couldn't get master key.
The master key file wasn't found or the file is damaged.
Can't verify master key.
The key in the keyfile doesn't match the current databse.
Ticket granting ticket service unknown
The database doesn't contain a `krbtgt.REALM' for the local realm.
SSEEEE AALLSSOO
kprop(8), kpropd(8)
KTH-KRB September 26, 1997 3
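Review bot: This formatted output exposes markup and spelling defects that will reappear on every rebuild unless the page source is fixed. The section heading reads SYNPOSIS rather than SYNOPSIS; in the -P description the underlining runs on through "or a number; protocol can be either", which suggests an emphasis macro is swallowing the rest of its line; and the text has "specificatios", "datbase", "databse", "attepted", "it's key" and "via krop" where SEE ALSO names kprop(8). The "Principal not unique" entry ("This is not very good.") would also be more useful to an operator if it said what to do about the duplicate.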

View File

@ -1,132 +0,0 @@
KKIINNIITT((11)) MMIITT PPrroojjeecctt AAtthheennaa KKIINNIITT((11))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
kinit - Kerberos login utility
SSYYNNOOPPSSIISS
kkiinniitt [ --iirrvvllpp ]
DDEESSCCRRIIPPTTIIOONN
The _k_i_n_i_t command is used to login to the Kerberos authentication and
authorization system. Note that only registered Kerberos users can
use the Kerberos system. For information about registering as a
Kerberos user, see the _k_e_r_b_e_r_o_s_(_1_) manual page.
If you are logged in to a workstation that is running the _t_o_e_h_o_l_d
service, you do not have to use _k_i_n_i_t_. The _t_o_e_h_o_l_d login procedure
will log you into Kerberos automatically. You will need to use _k_i_n_i_t
only in those situations in which your original tickets have expired.
(Tickets expire in about a day.) Note as well that _t_o_e_h_o_l_d will
automatically destroy your tickets when you logout from the
workstation.
When you use _k_i_n_i_t without options, the utility prompts for your
username and Kerberos password, and tries to authenticate your login
with the local Kerberos server.
If Kerberos authenticates the login attempt, _k_i_n_i_t retrieves your
initial ticket and puts it in the ticket file specified by your
KRBTKFILE environment variable. If this variable is undefined, your
ticket will be stored in the _/_t_m_p directory, in the file _t_k_t_u_i_d _,
where _u_i_d specifies your user identification number.
If you have logged in to Kerberos without the benefit of the
workstation _t_o_e_h_o_l_d system, make sure you use the _k_d_e_s_t_r_o_y command to
destroy any active tickets before you end your login session. You may
want to put the _k_d_e_s_t_r_o_y command in your _._l_o_g_o_u_t file so that your
tickets will be destroyed automatically when you logout.
The options to _k_i_n_i_t are as follows:
--ii _k_i_n_i_t prompts you for a Kerberos instance.
--rr _k_i_n_i_t prompts you for a Kerberos realm. This option lets you
authenticate yourself with a remote Kerberos server.
--vv Verbose mode. _k_i_n_i_t prints the name of the ticket file used,
and a status message indicating the success or failure of your
login attempt.
--ll _k_i_n_i_t prompts you for a ticket lifetime in minutes. Due to
protocol restrictions in Kerberos Version 4, this value must be
between 5 and 1275 minutes.
- 1 - Formatted: March 12, 2000
KKIINNIITT((11)) MMIITT PPrroojjeecctt AAtthheennaa KKIINNIITT((11))
KKeerrbbeerrooss VVeerrssiioonn 44..00
--pp _k_i_n_i_t will acquires a ticket for changepw.kerberos.
SSEEEE AALLSSOO
kerberos(1), kdestroy(1), klist(1), toehold(1)
BBUUGGSS
The --rr option has not been fully implemented.
AAUUTTHHOORRSS
Steve Miller, MIT Project Athena/Digital Equipment Corporation
Clifford Neuman, MIT Project Athena
- 2 - Formatted: March 12, 2000
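Review bot: The -p entry, "kinit will acquires a ticket for changepw.kerberos.", is ungrammatical and does not say what that ticket is for or when a user would want it; fix it in the kinit(1) source rather than losing track of it with this deletion. The default ticket file is also written here as "tktuid" in /tmp, while klist(1) writes /tmp/tkt[uid]; the two pages should use one notation.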

View File

@ -1,66 +0,0 @@
KKLLIISSTT((11)) MMIITT PPrroojjeecctt AAtthheennaa KKLLIISSTT((11))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
klist - list currently held Kerberos tickets
SSYYNNOOPPSSIISS
kklliisstt [ --ss | --tt ] [ --ffiillee name ] [ --ssrrvvttaabb ]
DDEESSCCRRIIPPTTIIOONN
_k_l_i_s_t prints the name of the tickets file and the identity of the
principal the tickets are for (as listed in the tickets file), and
lists the principal names of all Kerberos tickets currently held by
the user, along with the issue and expire time for each authenticator.
Principal names are listed in the form _n_a_m_e_._i_n_s_t_a_n_c_e_@_r_e_a_l_m_, with the
'.' omitted if the instance is null, and the '@' omitted if the realm
is null.
If given the --ss option, _k_l_i_s_t does not print the issue and expire
times, the name of the tickets file, or the identity of the principal.
If given the --tt option, kklliisstt checks for the existence of a non-
expired ticket-granting-ticket in the ticket file. If one is present,
it exits with status 0, else it exits with status 1. No output is
generated when this option is specified.
If given the --ffiillee option, the following argument is used as the
ticket file. Otherwise, if the KKRRBBTTKKFFIILLEE environment variable is set,
it is used. If this environment variable is not set, the file
//ttmmpp//ttkktt[[uuiidd]] is used, where uuiidd is the current user-id of the user.
If given the --ssrrvvttaabb option, the file is treated as a service key
file, and the names of the keys contained therein are printed. If no
file is specified with a --ffiillee option, the default is _/_e_t_c_/_s_r_v_t_a_b.
FFIILLEESS
/etc/krb.conf to get the name of the local realm
/tmp/tkt[uid] as the default ticket file ([uid] is the decimal
UID of the user).
/etc/srvtab as the default service key file
SSEEEE AALLSSOO
kerberos(1), kinit(1), kdestroy(1)
BBUUGGSS
When reading a file as a service key file, very little sanity or error
checking is performed.
- 1 - Formatted: March 12, 2000

View File

@ -1,66 +0,0 @@
KKPPAASSSSWWDD((11)) MMIITT PPrroojjeecctt AAtthheennaa KKPPAASSSSWWDD((11))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
kpasswd - change a user's Kerberos password
SSYYNNOOPPSSIISS
kkppaasssswwdd [ --hh ] [ --nn _n_a_m_e ] [ --ii _i_n_s_t_a_n_c_e ] [ --rr _r_e_a_l_m ] [ -u
_u_s_e_r_n_a_m_e_[_._i_n_s_t_a_n_c_e_]_[_@_r_e_a_l_m_]]
DDEESSCCRRIIPPTTIIOONN
The _k_p_a_s_s_w_d command is used to change a Kerberos principal's password.
If the _-_h option is specified, a brief summary of the options is
printed, and _k_p_a_s_s_w_d then exits.
If the _-_n option is specified, _n_a_m_e is used as the principal name
rather than the username of the user running _k_p_a_s_s_w_d. (This is
determined from the ticket file if it exists; otherwise, it is
determined from the unix user id.)
If the _-_i option is specified, _i_n_s_t_a_n_c_e is used as the instance rather
than a null instance.
If the _-_r option is specified, _r_e_a_l_m is used as the realm rather than
the local realm.
If the _-_u option is specified, a fully qualified kerberos principal
can be given.
The utility prompts for the current Kerberos password (printing the
name of the principal for which it intends to change the password),
which is verified by the Kerberos server. If the old password is
correct, the user is prompted twice for the new password. A message
is printed indicating the success or failure of the password changing
operation.
BBUUGGSS
_k_p_a_s_s_w_d does not handle names, instances, or realms with special
characters in them when the -n, -i, or -r options are used. Any valid
fullname is accepted, however, if the -u option is used.
If the principal whose password you are trying to change does not
exist, you will not be told until after you have entered the old
password.
SSEEEE AALLSSOO
kerberos(1), kinit(1), passwd(1), kadmin(8)
- 1 - Formatted: March 12, 2000
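Review bot: Option markup is inconsistent in this page and should be made uniform in the source. The SYNOPSIS sets -h, -n, -i and -r in bold but leaves "-u" plain, the DESCRIPTION underlines the same options, and BUGS writes them with no markup at all.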

View File

@ -1,44 +0,0 @@
KPROP(8) System Manager's Manual KPROP(8)
NNAAMMEE
kkpprroopp - the kerberos slave server update client
SSYYNNOOPPSSIISS
kkpprroopp [--ffoorrccee] [--rreeaallmm _r_e_a_l_m] [_d_u_m_p_-_f_i_l_e] [_s_l_a_v_e_-_f_i_l_e]
DDEESSCCRRIIPPTTIIOONN
Changes to the database, such as changed passwords, are only made to the
master server through the kkaaddmmiinndd service. To propagate these changes to
the slave servers, kkpprroopp should be run regularly on the master server.
The following options are recognised.
--ffoorrccee Propagate even if there hasn't been an update to the dump file
since last time.
--rreeaallmm Realm if other than the default.
dump-file
is a file created with kkddbb__uuttiill ssllaavvee__dduummpp, default is
_/_v_a_r_/_k_e_r_b_e_r_o_s_/_s_l_a_v_e___d_u_m_p.
slave-file
Contains the names of the slave servers. Default is
_/_v_a_r_/_k_e_r_b_e_r_o_s_/_s_l_a_v_e_s.
kkpprroopp will use the principal rrccmmdd..kkeerrbbeerrooss to authenticate to the master
servers. This principal has to be added to the database, and it should
also be put into the service key file on the master server.
FFIILLEESS
/var/kerberos/slave_dump
/var/kerberos/slaves
/etc/srvtab
SSEEEE AALLSSOO
kpropd(8), kerberos(8), kadmind(8)
KTH-KRB June 7, 1996 1
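Review bot: The last DESCRIPTION paragraph says kprop uses the principal rcmd.kerberos "to authenticate to the master servers", which does not fit the first paragraph, where kprop runs on the master and propagates changes to the slave servers. Please check against the source whether "slave servers" was meant and correct it there, since this sentence also tells the administrator which host's service key file must hold the key.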

View File

@ -1,42 +0,0 @@
KPROPD(8) System Manager's Manual KPROPD(8)
NNAAMMEE
kkpprrooppdd - the kerberos slave server update facility
SSYYNNOOPPSSIISS
kkpprrooppdd [--ii] [--dd _d_a_t_a_b_a_s_e] [--ll _l_o_g_f_i_l_e] [--mm] [--pp _k_d_b___u_t_i_l] [--rr _r_e_a_l_m] [--ss
_s_r_v_t_a_b]
DDEESSCCRRIIPPTTIIOONN
The kkpprrooppdd responds to database update requests from the kkpprroopp command.
It can either be started from iinneettdd or as an ordinary program.
The following options are recognised:
--ii Run stand-alone. If this flag is not given, it is assumed to have
been started by iinneettdd.
--dd What database file to use, default is _/_v_a_r_/_k_e_r_b_e_r_o_s_/_p_r_i_n_c_i_p_a_l.
--ll Logfile to use, default is _/_v_a_r_/_l_o_g_/_k_p_r_o_p_d_._l_o_g.
--mm Treat data as changes to the database rather than a complete
database.
--pp The path to kkddbb__uuttiill, default is _/_u_s_r_/_a_t_h_e_n_a_/_s_b_i_n_/_k_d_b___u_t_i_l.
--rr Realm if other than the default realm.
--ss Srvtab if other than _/_e_t_c_/_s_r_v_t_a_b.
FFIILLEESS
/var/kerberos/principal.{db,dir,pag}
/var/log/kpropd.log
/etc/srvtab
SSEEEE AALLSSOO
kprop(8), kerberos(8), kadmind(8)
KTH-KRB June 7, 1996 1

@ -1,66 +0,0 @@
KKRRBB..CCOONNFF((55)) MMIITT PPrroojjeecctt AAtthheennaa KKRRBB..CCOONNFF((55))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
/etc/krb.conf - Kerberos configuration file
DDEESSCCRRIIPPTTIIOONN
_k_r_b_._c_o_n_f contains configuration information describing the Kerberos
realm(s) and the Kerberos key distribution center (KDC) servers for
known realms.
_k_r_b_._c_o_n_f starts with a definition of the local realm on the first
line, this is followed by any number lines defining supplementary
local realms. The rest of the file consists of lines indicating
realm/host entries. The first token is a realm name, and the second is
a server specification of a host running a KDC for that realm. The
words "admin server" following the hostname indicate that the host
also provides an administrative database server.
To be able to communicate with the KDC through a firewall it is
sometimes necessary to tunnel requests over HTTP or TCP. Tunnel
protocols and port numbers are specified in the server specification
using the syntax [(UDP|TCP|HTTP)/]hostname[:port].
For example:
SICS.SE
NADA.KTH.SE
SICS.SE TCP/kerberos.sics.se:88 admin server
NADA.KTH.SE kerberos.nada.kth.se admin server
NADA.KTH.SE kerberos-1.nada.kth.se
NADA.KTH.SE kerberos-2.nada.kth.se
NADA.KTH.SE HTTP/kerberos-3.nada.kth.se
KTH.SE kerberos.kth.se admin server
SSEEEE AALLSSOO
krb.realms(5), krb_get_krbhst(3), krb_get_lrealm(3)
- 1 - Formatted: March 12, 2000
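Review bot: The server specification syntax [(UDP|TCP|HTTP)/]hostname[:port] is given without saying which transport and port apply when the prefix or the port is left out, as in the example line "NADA.KTH.SE kerberos-1.nada.kth.se". The page source should state the defaults, since firewall rules depend on them; "any number lines" in the second paragraph also needs "of".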

@ -1,24 +0,0 @@
KRB.EQUIV(5) System Programmer's Manual KRB.EQUIV(5)
NNAAMMEE
kkrrbb..eeqquuiivv - Kerberos equivalent hosts file
DDEESSCCRRIIPPTTIIOONN
kkrrbb..eeqquuiivv contains a list of IP addresses that is to be considered being
the same host for Kerberos purposes. Plain addresses match a single host.
Addresses followed by a slash (/) and a number is taken as a sub-network
that should be considered equal.
Hash (#) starts a comment. Backslash (\) is a continuation character.
EEXXAAMMPPLLEESS
# A machine with two interfaces.
130.237.232.113 130.237.221.42 # emma emma-ether
# A machine with *many* interfaces
193.10.156.0/24 193.10.157.0/24 # syk-* syk-*-hps
SSEEEE AALLSSOO
krb_equiv(3), krb.conf(5), krb.realms(5)
KTH-KRB June 18, 1996 1
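Review bot: "Addresses followed by a slash (/) and a number" never says what the number is; the example 193.10.156.0/24 suggests a prefix length in bits, and the page source should say so explicitly, because a wrong reading makes a wider range of addresses count as the same host. The same sentence needs "are taken" for "is taken".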

@ -1,66 +0,0 @@
KKRRBB..RREEAALLMMSS((55)) MMIITT PPrroojjeecctt AAtthheennaa KKRRBB..RREEAALLMMSS((55))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
/etc/krb.realms - host to Kerberos realm translation file
DDEESSCCRRIIPPTTIIOONN
_k_r_b_._r_e_a_l_m_s provides a translation from a hostname to the Kerberos
realm name for the services provided by that host.
Each line of the translation file is in one of the following forms
(domain_name should be of the form .XXX.YYY, e.g. .LCS.MIT.EDU):
host_name kerberos_realm
domain_name kerberos_realm
If a hostname exactly matches the _h_o_s_t___n_a_m_e field in a line of the
first form, the corresponding realm is the realm of the host. If a
hostname does not match any _h_o_s_t___n_a_m_e in the file, but its domain
exactly matches the _d_o_m_a_i_n___n_a_m_e field in a line of the second form,
the corresponding realm is the realm of the host.
If no translation entry applies, the host's realm is considered to be
the hostname's domain portion converted to upper case.
SSEEEE AALLSSOO
krb_realmofhost(3)
- 1 - Formatted: March 12, 2000

@ -1,132 +0,0 @@
KKRRBB__RREEAALLMMOOFFHHOOSSTT((33)) MMIITT PPrroojjeecctt AAtthheennaa KKRRBB__RREEAALLMMOOFFHHOOSSTT((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
krb_realmofhost, krb_get_phost, krb_get_krbhst, krb_get_admhst,
krb_get_lrealm - additional Kerberos utility routines
SSYYNNOOPPSSIISS
##iinncclluuddee <<kkrrbb..hh>>
##iinncclluuddee <<ddeess..hh>>
##iinncclluuddee <<nneettiinneett//iinn..hh>>
cchhaarr **kkrrbb__rreeaallmmooffhhoosstt((hhoosstt))
cchhaarr **hhoosstt;;
cchhaarr **kkrrbb__ggeett__pphhoosstt((aalliiaass))
cchhaarr **aalliiaass;;
kkrrbb__ggeett__kkrrbbhhsstt((hhoosstt,,rreeaallmm,,nn))
cchhaarr **hhoosstt;;
cchhaarr **rreeaallmm;;
iinntt nn;;
kkrrbb__ggeett__aaddmmhhsstt((hhoosstt,,rreeaallmm,,nn))
cchhaarr **hhoosstt;;
cchhaarr **rreeaallmm;;
iinntt nn;;
kkrrbb__ggeett__llrreeaallmm((rreeaallmm,,nn))
cchhaarr **rreeaallmm;;
iinntt nn;;
DDEESSCCRRIIPPTTIIOONN
_k_r_b___r_e_a_l_m_o_f_h_o_s_t returns the Kerberos realm of the host _h_o_s_t, as
determined by the translation table _/_e_t_c_/_k_r_b_._r_e_a_l_m_s. _h_o_s_t should be
the fully-qualified domain-style primary host name of the host in
question. In order to prevent certain security attacks, this routine
must either have _a _p_r_i_o_r_i knowledge of a host's realm, or obtain such
information securely.
The format of the translation file is described by _k_r_b_._r_e_a_l_m_s(5). If
_h_o_s_t exactly matches a host_name line, the corresponding realm is
returned. Otherwise, if the domain portion of _h_o_s_t matches a
domain_name line, the corresponding realm is returned. If _h_o_s_t
contains a domain, but no translation is found, _h_o_s_t's domain is
converted to upper-case and returned. If _h_o_s_t contains no discernable
domain, or an error occurs, the local realm name, as supplied by
_k_r_b___g_e_t___l_r_e_a_l_m(3), is returned.
_k_r_b___g_e_t___p_h_o_s_t converts the hostname _a_l_i_a_s (which can be either an
official name or an alias) into the instance name to be used in
obtaining Kerberos tickets for most services, including the Berkeley
rcmd suite (rlogin, rcp, rsh).
The current convention is to return the first segment of the official
- 1 - Formatted: March 12, 2000
KKRRBB__RREEAALLMMOOFFHHOOSSTT((33)) MMIITT PPrroojjeecctt AAtthheennaa KKRRBB__RREEAALLMMOOFFHHOOSSTT((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
domain-style name after conversion to lower case.
_k_r_b___g_e_t___k_r_b_h_s_t fills in _h_o_s_t with the hostname of the _nth host running
a Kerberos key distribution center (KDC) for realm _r_e_a_l_m, as specified
in the configuration file (_/_e_t_c_/_k_r_b_._c_o_n_f). The configuration file is
described by _k_r_b_._c_o_n_f(5). If the host is successfully filled in, the
routine returns KSUCCESS. If the file cannot be opened, and _n equals
1, then the value of KRB_HOST as defined in _<_k_r_b_._h_> is filled in, and
KSUCCESS is returned. If there are fewer than _n hosts running a
Kerberos KDC for the requested realm, or the configuration file is
malformed, the routine returns KFAILURE.
_k_r_b___g_e_t___a_d_m_h_s_t fills in _h_o_s_t with the hostname of the _nth host running
a Kerberos KDC database administration server for realm _r_e_a_l_m, as
specified in the configuration file (_/_e_t_c_/_k_r_b_._c_o_n_f). If the file
cannot be opened or is malformed, or there are fewer than _n hosts
running a Kerberos KDC database administration server, the routine
returns KFAILURE.
The character arrays used as return values for _k_r_b___g_e_t___k_r_b_h_s_t,
_k_r_b___g_e_t___a_d_m_h_s_t, should be large enough to hold any hostname
(MAXHOSTNAMELEN from <sys/param.h>).
_k_r_b___g_e_t___l_r_e_a_l_m fills in _r_e_a_l_m with the _nth realm of the local host, as
specified in the configuration file. _r_e_a_l_m should be at least
REALM_SZ (from _<_k_r_b_._h_>_)characters_l_o_n_g_.
SSEEEE AALLSSOO
kerberos(3), krb.conf(5), krb.realms(5)
FFIILLEESS
/etc/krb.realms translation file for host-to-realm mapping.
/etc/krb.conf local realm-name and realm/server configuration
file.
BBUUGGSS
The current convention for instance names is too limited; the full
domain name should be used.
_k_r_b___g_e_t___l_r_e_a_l_m currently only supports _n = 1. It should really
consult the user's ticket cache to determine the user's current realm,
rather than consulting a file on the host.
- 2 - Formatted: March 12, 2000
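Review bot: In the krb_get_lrealm paragraph the formatted text reads "REALM_SZ (from <krb.h>)characters long" with the italic run spilling over the closing parenthesis and the last word, which points to a markup slip around <krb.h> in the page source. The first paragraph's requirement that the routine "obtain such information securely" is also left without a word on how /etc/krb.realms should be protected, which is worth a sentence under FILES.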

@ -1,264 +0,0 @@
KKRRBB__SSEENNDDAAUUTTHH((33)) MMIITT PPrroojjeecctt AAtthheennaa KKRRBB__SSEENNDDAAUUTTHH((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
krb_sendauth, krb_recvauth, krb_net_write, krb_net_read - Kerberos
routines for sending authentication via network stream sockets
SSYYNNOOPPSSIISS
##iinncclluuddee <<kkrrbb..hh>>
##iinncclluuddee <<ddeess..hh>>
##iinncclluuddee <<nneettiinneett//iinn..hh>>
iinntt kkrrbb__sseennddaauutthh((ooppttiioonnss,, ffdd,, kktteexxtt,, sseerrvviiccee,, iinnsstt,, rreeaallmm,, cchheecckkssuumm,,
mmssgg__ddaattaa,, ccrreedd,, sscchheedduullee,, llaaddddrr,, ffaaddddrr,, vveerrssiioonn))
lloonngg ooppttiioonnss;;
iinntt ffdd;;
KKTTEEXXTT kktteexxtt;;
cchhaarr **sseerrvviiccee,, **iinnsstt,, **rreeaallmm;;
uu__lloonngg cchheecckkssuumm;;
MMSSGG__DDAATT **mmssgg__ddaattaa;;
CCRREEDDEENNTTIIAALLSS **ccrreedd;;
KKeeyy__sscchheedduullee sscchheedduullee;;
ssttrruucctt ssoocckkaaddddrr__iinn **llaaddddrr,, **ffaaddddrr;;
cchhaarr **vveerrssiioonn;;
iinntt kkrrbb__rreeccvvaauutthh((ooppttiioonnss,, ffdd,, kktteexxtt,, sseerrvviiccee,, iinnsstt,, ffaaddddrr,, llaaddddrr,,
aauutthh__ddaattaa,, ffiilleennaammee,, sscchheedduullee,, vveerrssiioonn))
lloonngg ooppttiioonnss;;
iinntt ffdd;;
KKTTEEXXTT kktteexxtt;;
cchhaarr **sseerrvviiccee,, **iinnsstt;;
ssttrruucctt ssoocckkaaddddrr__iinn **ffaaddddrr,, **llaaddddrr;;
AAUUTTHH__DDAATT **aauutthh__ddaattaa;;
cchhaarr **ffiilleennaammee;;
KKeeyy__sscchheedduullee sscchheedduullee;;
cchhaarr **vveerrssiioonn;;
iinntt kkrrbb__nneett__wwrriittee((ffdd,, bbuuff,, lleenn))
iinntt ffdd;;
cchhaarr **bbuuff;;
iinntt lleenn;;
iinntt kkrrbb__nneett__rreeaadd((ffdd,, bbuuff,, lleenn))
iinntt ffdd;;
cchhaarr **bbuuff;;
iinntt lleenn;;
DDEESSCCRRIIPPTTIIOONN
These functions, which are built on top of the core Kerberos library,
provide a convenient means for client and server programs to send
authentication messages to one another through network connections.
The _k_r_b___s_e_n_d_a_u_t_h function sends an authenticated ticket from the
client program to the server program by writing the ticket to a
network socket. The _k_r_b___r_e_c_v_a_u_t_h function receives the ticket from
- 1 - Formatted: March 12, 2000
KKRRBB__SSEENNDDAAUUTTHH((33)) MMIITT PPrroojjeecctt AAtthheennaa KKRRBB__SSEENNDDAAUUTTHH((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
the client by reading from a network socket.
KKRRBB__SSEENNDDAAUUTTHH
This function writes the ticket to the network socket specified by the
file descriptor _f_d_, returning KSUCCESS if the write proceeds
successfully, and an error code if it does not.
The _k_t_e_x_t argument should point to an allocated KTEXT_ST structure.
The _s_e_r_v_i_c_e_, _i_n_s_t_, and _r_e_a_l_m arguments specify the server program's
Kerberos principal name, instance, and realm. If you are writing a
client that uses the local realm exclusively, you can set the _r_e_a_l_m
argument to NULL.
The _v_e_r_s_i_o_n argument allows the client program to pass an application-
specific version string that the server program can then match against
its own version string. The _v_e_r_s_i_o_n string can be up to KSEND_VNO_LEN
(see _<_k_r_b_._h_>) characters in length.
The _c_h_e_c_k_s_u_m argument can be used to pass checksum information to the
server program. The client program is responsible for specifying this
information. This checksum information is difficult to corrupt
because _k_r_b___s_e_n_d_a_u_t_h passes it over the network in encrypted form.
The _c_h_e_c_k_s_u_m argument is passed as the checksum argument to
_k_r_b___m_k___r_e_q.
You can set _k_r_b___s_e_n_d_a_u_t_h_'_s other arguments to NULL unless you want the
client and server programs to mutually authenticate themselves. In
the case of mutual authentication, the client authenticates itself to
the server program, and demands that the server in turn authenticate
itself to the client.
KKRRBB__SSEENNDDAAUUTTHH AANNDD MMUUTTUUAALL AAUUTTHHEENNTTIICCAATTIIOONN
If you want mutual authentication, make sure that you read all pending
data from the local socket before calling _k_r_b___s_e_n_d_a_u_t_h_. Set
_k_r_b___s_e_n_d_a_u_t_h_'_s _o_p_t_i_o_n_s argument to KKOOPPTT__DDOO__MMUUTTUUAALL (this macro is
defined in the _k_r_b_._h file); make sure that the _l_a_d_d_r argument points
to the address of the local socket, and that _f_a_d_d_r points to the
foreign socket's network address.
_K_r_b___s_e_n_d_a_u_t_h fills in the other arguments-- _m_s_g___d_a_t_a, _c_r_e_d, and
_s_c_h_e_d_u_l_e--before sending the ticket to the server program. You must,
however, allocate space for these arguments before calling the
function.
_K_r_b___s_e_n_d_a_u_t_h supports two other options: KKOOPPTT__DDOONNTT__MMKK__RREEQQ,, and
KKOOPPTT__DDOONNTT__CCAANNOONN.. If called with _o_p_t_i_o_n_s set as KOPT_DONT_MK_REQ,
_k_r_b___s_e_n_d_a_u_t_h will not use the _k_r_b___m_k___r_e_q function to retrieve the
ticket from the Kerberos server. The _k_t_e_x_t argument must point to an
existing ticket and authenticator (such as would be created by
- 2 - Formatted: March 12, 2000
KKRRBB__SSEENNDDAAUUTTHH((33)) MMIITT PPrroojjeecctt AAtthheennaa KKRRBB__SSEENNDDAAUUTTHH((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
_k_r_b___m_k___r_e_q), and the _s_e_r_v_i_c_e_, _i_n_s_t_, and _r_e_a_l_m arguments can be set to
NULL.
If called with _o_p_t_i_o_n_s set as KOPT_DONT_CANON, _k_r_b___s_e_n_d_a_u_t_h will not
convert the service's instance to canonical form using
_k_r_b___g_e_t___p_h_o_s_t(3).
If you want to call _k_r_b___s_e_n_d_a_u_t_h with a multiple _o_p_t_i_o_n_s
specification, construct _o_p_t_i_o_n_s as a bitwise-OR of the options you
want to specify.
KKRRBB__RREECCVVAAUUTTHH
The _k_r_b___r_e_c_v_a_u_t_h function reads a ticket/authenticator pair from the
socket pointed to by the _f_d argument. Set the _o_p_t_i_o_n_s argument as a
bitwise-OR of the options desired. Currently only KOPT_DO_MUTUAL is
useful to the receiver.
The _k_t_e_x_t argument should point to an allocated KTEXT_ST structure.
_K_r_b___r_e_c_v_a_u_t_h fills _k_t_e_x_t with the ticket/authenticator pair read from
_f_d, then passes it to _k_r_b___r_d___r_e_q.
The _s_e_r_v_i_c_e and _i_n_s_t arguments specify the expected service and
instance for which the ticket was generated. They are also passed to
_k_r_b___r_d___r_e_q_. The _i_n_s_t argument may be set to "*" if the caller wishes
_k_r_b___m_k___r_e_q to fill in the instance used (note that there must be space
in the _i_n_s_t argument to hold a full instance name, see _k_r_b___m_k___r_e_q(3)).
The _f_a_d_d_r argument should point to the address of the peer which is
presenting the ticket. It is also passed to _k_r_b___r_d___r_e_q.
If the client and server plan to mutually authenticate one another,
the _l_a_d_d_r argument should point to the local address of the file
descriptor. Otherwise you can set this argument to NULL.
The _a_u_t_h___d_a_t_a argument should point to an allocated AUTH_DAT area. It
is passed to and filled in by _k_r_b___r_d___r_e_q. The checksum passed to the
corresponding _k_r_b___s_e_n_d_a_u_t_h is available as part of the filled-in
AUTH_DAT area.
The _f_i_l_e_n_a_m_e argument specifies the filename which the service program
should use to obtain its service key. _K_r_b___r_e_c_v_a_u_t_h passes _f_i_l_e_n_a_m_e to
the _k_r_b___r_d___r_e_q function. If you set this argument to "", _k_r_b___r_d___r_e_q
looks for the service key in the file _/_e_t_c_/_s_r_v_t_a_b_.
If the client and server are performing mutual authenication, the
_s_c_h_e_d_u_l_e argument should point to an allocated Key_schedule.
Otherwise it is ignored and may be NULL.
The _v_e_r_s_i_o_n argument should point to a character array of at least
KSEND_VNO_LEN characters. It is filled in with the version string
- 3 - Formatted: March 12, 2000
KKRRBB__SSEENNDDAAUUTTHH((33)) MMIITT PPrroojjeecctt AAtthheennaa KKRRBB__SSEENNDDAAUUTTHH((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
passed by the client to _k_r_b___s_e_n_d_a_u_t_h_.
KKRRBB__NNEETT__WWRRIITTEE AANNDD KKRRBB__NNEETT__RREEAADD
The _k_r_b___n_e_t___w_r_i_t_e function emulates the write(2) system call, but
guarantees that all data specified is written to _f_d before returning,
unless an error condition occurs.
The _k_r_b___n_e_t___r_e_a_d function emulates the read(2) system call, but
guarantees that the requested amount of data is read from _f_d before
returning, unless an error condition occurs.
BBUUGGSS
_k_r_b___s_e_n_d_a_u_t_h_, _k_r_b___r_e_c_v_a_u_t_h_, _k_r_b___n_e_t___w_r_i_t_e_, and _k_r_b___n_e_t___r_e_a_d will not
work properly on sockets set to non-blocking I/O mode.
SSEEEE AALLSSOO
krb_mk_req(3), krb_rd_req(3), krb_get_phost(3)
AAUUTTHHOORR
John T. Kohl, MIT Project Athena
RREESSTTRRIICCTTIIOONNSS
Copyright 1988, Massachusetts Instititute of Technology. For copying
and distribution information, please see the file <mit-copyright.h>.
- 4 - Formatted: March 12, 2000
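Review bot: In the KRB_RECVAUTH section, the sentence about setting inst to "*" names krb_mk_req as the routine that fills in the instance and cross-references krb_mk_req(3), while the sentence before it says service and inst are passed to krb_rd_req. One of the two is wrong and the page source should be checked against the library, since callers size the inst buffer from this sentence. Spelling to fix at the same time: "authenication" and "Instititute".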

@ -1,66 +0,0 @@
KKRRBB__SSEETT__TTKKTT__SSTTRRIINNGG((33)) MMIITT PPrroojjeecctt AAtthheennaa KKRRBB__SSEETT__TTKKTT__SSTTRRIINNGG((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
krb_set_tkt_string - set Kerberos ticket cache file name
SSYYNNOOPPSSIISS
##iinncclluuddee <<kkrrbb..hh>>
vvooiidd kkrrbb__sseett__ttkktt__ssttrriinngg((ffiilleennaammee))
cchhaarr **ffiilleennaammee;;
DDEESSCCRRIIPPTTIIOONN
_k_r_b___s_e_t___t_k_t___s_t_r_i_n_g sets the name of the file that holds the user's
cache of Kerberos server tickets and associated session keys.
The string _f_i_l_e_n_a_m_e passed in is copied into local storage. Only
MAXPATHLEN-1 (see <sys/param.h>) characters of the filename are copied
in for use as the cache file name.
This routine should be called during initialization, before other
Kerberos routines are called; otherwise the routines which fetch the
ticket cache file name may be called and return an undesired ticket
file name until this routine is called.
FFIILLEESS
/tmp/tkt[uid] default ticket file name, unless the environment
variable KRBTKFILE is set. [uid] denotes the
user's uid, in decimal.
SSEEEE AALLSSOO
kerberos(3), setenv(3)
- 1 - Formatted: March 12, 2000
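Review bot: The DESCRIPTION says only MAXPATHLEN-1 characters of filename are copied, and the synopsis declares the function void, so a caller is never told that a longer name was truncated and that the ticket cache will be a different file from the one requested. The page source should say that the caller has to check the length itself before calling.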

@ -1,66 +0,0 @@
KKSSRRVVTTGGTT((11)) MMIITT PPrroojjeecctt AAtthheennaa KKSSRRVVTTGGTT((11))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
ksrvtgt - fetch and store Kerberos ticket-granting-ticket using a
service key
SSYYNNOOPPSSIISS
kkssrrvvttggtt name instance [[realm] srvtab]
DDEESSCCRRIIPPTTIIOONN
_k_s_r_v_t_g_t retrieves a ticket-granting ticket with a lifetime of five (5)
minutes for the principal _n_a_m_e_._i_n_s_t_a_n_c_e_@_r_e_a_l_m (or
_n_a_m_e_._i_n_s_t_a_n_c_e_@_l_o_c_a_l_r_e_a_l_m if _r_e_a_l_m is not supplied on the command
line), decrypts the response using the service key found in _s_r_v_t_a_b (or
in //eettcc//ssrrvvttaabb if _s_r_v_t_a_b is not specified on the command line), and
stores the ticket in the standard ticket cache.
This command is intended primarily for use in shell scripts and other
batch-type facilities.
DDIIAAGGNNOOSSTTIICCSS
"Generic kerberos failure (kfailure)" can indicate a whole range of
problems, the most common of which is the inability to read the
service key file.
FFIILLEESS
/etc/krb.conf to get the name of the local realm.
/tmp/tkt[uid] The default ticket file.
/etc/srvtab The default service key file.
SSEEEE AALLSSOO
kerberos(1), kinit(1), kdestroy(1)
- 1 - Formatted: March 12, 2000

@ -1,70 +0,0 @@
KSRVUTIL(8) System Manager's Manual KSRVUTIL(8)
NNAAMMEE
kkssrrvvuuttiill host kerberos keyfile (srvtab) manipulation utility
SSYYNNOOPPSSIISS
kkssrrvvuuttiill [--ff _k_e_y_f_i_l_e] [--ii] [--kk] [--pp _p_r_i_n_c_i_p_a_l] [--rr _r_e_a_l_m] _o_p_e_r_a_t_i_o_n
DDEESSCCRRIIPPTTIIOONN
kkssrrvvuuttiill allows a system manager to list or change keys currently in his
keyfile or to add new keys to the keyfile.
Operation must be one of the following:
list lists the keys in a keyfile showing version number and principal
name. If the --kk option is given, keys will also be shown.
change changes all the keys in the keyfile by using the regular admin
protocol. If the --ii flag is given, kkssrrvvuuttiill will prompt for yes
or no before changing each key. If the --kk option is used, the
old and new keys will be displayed.
add allows the user to add a key. add prompts for name, instance,
realm, and key version number, asks for confirmation, and then
asks for a password. kkssrrvvuuttiill then converts the password to a
key and appends the keyfile with the new information. If the --kk
option is used, the key is displayed.
get gets a service from the Kerberos server, possibly creating the
principal. Names, instances and realms for the service keys to
get are prompted for. The default principal used in the kadmin
transcation is your root instance. This can be changed with the
--pp option.
In all cases, the default file used is KEY_FILE as defined in krb.h un-
less this is overridden by the --ff option.
A good use for kkssrrvvuuttiill would be for adding keys to a keyfile. A system
manager could ask a kerberos administrator to create a new service key
with kadmin(8) and could supply an initial password. Then, he could use
kkssrrvvuuttiill to add the key to the keyfile and then to change the key so that
it will be random and unknown to either the system manager or the ker-
beros administrator.
kkssrrvvuuttiill always makes a backup copy of the keyfile before making any
changes.
DDIIAAGGNNOOSSTTIICCSS
If kkssrrvvuuttiill should exit on an error condition at any time during a change
or add, a copy of the original keyfile can be found in _f_i_l_e_n_a_m_e.old where
_f_i_l_e_n_a_m_e is the name of the keyfile, and a copy of the file with all new
keys changed or added so far can be found in _f_i_l_e_n_a_m_e.work. The original
keyfile is left unmodified until the program exits at which point it is
removed and replaced it with the workfile. Appending the workfile to the
backup copy and replacing the keyfile with the result should always give
a usable keyfile, although the resulting keyfile will have some out of
date keys in it.
SSEEEE AALLSSOO
kadmin(8), ksrvtgt(1)
AAUUTTHHOORR
Emanuel Jay Berkenbilt, MIT Project Athena
KTH-KRB May 4, 1996 2
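Review bot: DIAGNOSTICS describes the filename.old and filename.work copies of the keyfile but says nothing about their ownership or mode, nor whether they are removed after a successful run; both hold service keys and need the same protection as the keyfile. In the page source, the NAME line is also missing the "-" between the command name and its description, and "transcation" under get is misspelled.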

@ -1,66 +0,0 @@
KKSSTTAASSHH((88)) MMIITT PPrroojjeecctt AAtthheennaa KKSSTTAASSHH((88))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
kstash - stash Kerberos key distribution center database master key
SSYYNNOOPPSSIISS
kstash
DDEESSCCRRIIPPTTIIOONN
_k_s_t_a_s_h saves the Kerberos key distribution center (KDC) database
master key in the master key cache file.
The user is prompted to enter the key, to verify the authenticity of
the key and the authorization to store the key in the file.
DDIIAAGGNNOOSSTTIICCSS
"verify_master_key: Invalid master key, does not match database."
The master key string entered was incorrect.
"kstash: Unable to open master key file"
The attempt to open the cache file for writing
failed (probably due to a system or access
permission error).
"kstash: Write I/O error on master key file"
The wwrriittee(2) system call returned an error while
_k_s_t_a_s_h was attempting to write the key to the
file.
FFIILLEESS
/var/kerberos/principal.pag, /var/kerberos/principal.dir
DBM files containing database
/.k Master key cache file.
- 1 - Formatted: March 12, 2000
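Review bot: FILES lists /.k as the master key cache file without stating the ownership and permissions it must have, although the file holds the KDC database master key. A sentence in the page source on who may read and write it would close that gap.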

@ -1,66 +0,0 @@
KKUUSSEERROOKK((33)) MMIITT PPrroojjeecctt AAtthheennaa KKUUSSEERROOKK((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
kuserok - Kerberos version of ruserok
SSYYNNOOPPSSIISS
##iinncclluuddee <<kkrrbb..hh>>
kkuusseerrookk((kkddaattaa,, llooccaalluusseerr))
AAUUTTHH__DDAATT **aauutthh__ddaattaa;;
cchhaarr **llooccaalluusseerr;;
DDEESSCCRRIIPPTTIIOONN
_k_u_s_e_r_o_k determines whether a Kerberos principal described by the
structure _a_u_t_h___d_a_t_a is authorized to login as user _l_o_c_a_l_u_s_e_r according
to the authorization file ("~_l_o_c_a_l_u_s_e_r/.klogin" by default). It
returns 0 (zero) if authorized, 1 (one) if not authorized.
If there is no account for _l_o_c_a_l_u_s_e_r on the local machine,
authorization is not granted. If there is no authorization file, and
the Kerberos principal described by _a_u_t_h___d_a_t_a translates to _l_o_c_a_l_u_s_e_r
(using _k_r_b___k_n_t_o_l_n(3)), authorization is granted. If the authorization
file can't be accessed, or the file is not owned by _l_o_c_a_l_u_s_e_r_,
authorization is denied. Otherwise, the file is searched for a
matching principal name, instance, and realm. If a match is found,
authorization is granted, else authorization is denied.
The file entries are in the format:
name.instance@realm
with one entry per line.
For convenience ~localuser@LOCALREALM is always considered to be an
entry in the file even when there is no file or the file is
unreadable.
SSEEEE AALLSSOO
kerberos(3), ruserok(3), krb_kntoln(3)
FFIILLEESS
~_l_o_c_a_l_u_s_e_r/.klogin authorization list
- 1 - Formatted: March 12, 2000
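Review bot: The DESCRIPTION says authorization is denied when the authorization file cannot be accessed, yet the closing paragraph says ~localuser@LOCALREALM is always treated as an entry "even when there is no file or the file is unreadable"; the page source should spell out which rule wins for that principal. The synopsis also names the first parameter kdata but declares AUTH_DAT *auth_data, and the return convention (0 authorized, 1 not authorized) is the reverse of a boolean test, which merits a sentence of emphasis.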

@ -1,39 +0,0 @@
KX(1) System Reference Manual KX(1)
NNAAMMEE
kkxx - securely forward X conections
SSYYNNOOPPSSIISS
_k_x [--ll _u_s_e_r_n_a_m_e] [--kk] [--dd] [--tt] [--pp _p_o_r_t] [--PP] _h_o_s_t
DDEESSCCRRIIPPTTIIOONN
The kkxx program forwards a X connection from a remote client to a local
screen through an authenticated and encrypted stream. Options supported
by kkxx:
--ll Log in on remote the host as user _u_s_e_r_n_a_m_e.
--kk Do not enable keep-alives on the TCP connections.
--dd Do not fork. This is mainly useful for debugging.
--tt Listen not only on a UNIX-domain socket but on a TCP socket as
well.
--pp Use the port _p_o_r_t.
--PP Force passive mode.
This program is used by rrxxtteellnneett and rrxxtteerrmm and you should not need to
run it directly.
It connects to a kkxxdd on the host _h_o_s_t and then will relay the traffic
from the remote X clients to the local server. When started, it prints
the display and Xauthority-file to be used on host _h_o_s_t and then goes to
the background, waiting for connections from the remote kkxxdd..
SSEEEE AALLSSOO
rxtelnet(1), rxterm(1), kxd(8)
KTH-KRB September 27, 1996 1
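Review bot: The NAME line misspells "connections" as "conections", so keyword lookups for the page will miss it; fix it in the page source along with "Log in on remote the host" under -l. The -t option is described here only as listening on a TCP socket as well, while the kxd(8) page in this same commit says the corresponding option decreases security significantly; kx(1) should carry that caveat too.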

@ -1,38 +0,0 @@
KXD(8) System Manager's Manual KXD(8)
NNAAMMEE
kkxxdd - securely forward X conections
SSYYNNOOPPSSIISS
_k_x_d [--tt] [--ii] [--pp _p_o_r_t]
DDEESSCCRRIIPPTTIIOONN
This is the daemon for kkxx.
Options supported by kkxxdd:
--tt TCP. Normally kkxxdd will only listen for X connections on a UNIX
socket, but some machines (for example, Cray) have X libraries
that are not able to use UNIX sockets and thus you need to use
TCP to talk to the pseudo-xserver created by kkxxdd.. This option de-
creases the security significantly and should only be used when
it is necessary and you have considered the consequences of doing
so.
--ii Interactive. Do not expect to be started by iinneettdd,, but allocate
and listen to the socket yourself. Handy for testing and debug-
ging.
--pp Port. Listen on the port _p_o_r_t. Only usable with --ii.
EEXXAAMMPPLLEESS
Put the following in _/_e_t_c_/_i_n_e_t_d_._c_o_n_f:
kx stream tcp nowait root /usr/athena/libexec/kxd kxd
SSEEEE AALLSSOO
kx(1), rxtelnet(1), rxterm(1)
KTH-KRB September 27, 1996 1
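Review bot: The EXAMPLES entry runs kxd from inetd as root without saying why root is needed or whether a less privileged account would do; the page source should state that. The NAME line repeats the "conections" misspelling and is word for word the same as in kx(1), so it does not identify this page as the daemon.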

@ -1,44 +0,0 @@
SKEY.ACCESS(5) System Programmer's Manual SKEY.ACCESS(5)
NNAAMMEE
llooggiinn..aacccceessss - Login access control table
DDEESSCCRRIIPPTTIIOONN
The llooggiinn..aacccceessss file specifies (user, host) combinations and/or (user,
tty) combinations for which a login will be either accepted or refused.
When someone logs in, the llooggiinn..aacccceessss is scanned for the first entry
that matches the (user, host) combination, or, in case of non-networked
logins, the first entry that matches the (user, tty) combination. The
permissions field of that table entry determines whether the login will
be accepted or refused.
Each line of the login access control table has three fields separated by
a ":" character: permission : users : origins
The first field should be a "+" (access granted) or "-" (access denied)
character. The second field should be a list of one or more login names,
group names, or ALL (always matches). The third field should be a list
of one or more tty names (for non-networked logins), host names, domain
names (begin with "."), host addresses, internet network numbers (end
with "."), ALL (always matches) or LOCAL (matches any string that does
not contain a "." character). If you run NIS you can use @netgroupname in
host or user patterns.
The EXCEPT operator makes it possible to write very compact rules.
The group file is searched only when a name does not match that of the
logged-in user. Only groups are matched in which users are explicitly
listed: the program does not look at a user's primary group id value.
FFIILLEESS
/etc/login.access The llooggiinn..aacccceessss file resides in _/_e_t_c.
SSEEEE AALLSSOO
login(1)
AAUUTTHHOORR
Guido van Rooij
FreeBSD April 30, 1994 1

@ -1,73 +0,0 @@
LOGIN(1) System Reference Manual LOGIN(1)
NNAAMMEE
llooggiinn - log into the computer
SSYYNNOOPPSSIISS
llooggiinn [--ffpp] [--hh _h_o_s_t_n_a_m_e] [_u_s_e_r]
DDEESSCCRRIIPPTTIIOONN
NNoottee:: this manual page describes the original login program for NetBSD.
Everything in here might not be true.
The llooggiinn utility logs users (and pseudo-users) into the computer system.
If no user is specified, or if a user is specified and authentication of
the user fails, llooggiinn prompts for a user name. Authentication of users
is done via passwords.
The options are as follows:
--ff The --ff option is used when a user name is specified to indicate
that proper authentication has already been done and that no
password need be requested. This option may only be used by the
super-user or when an already logged in user is logging in as
themselves.
--hh The --hh option specifies the host from which the connection was
received. It is used by various daemons such as telnetd(8).
This option may only be used by the super-user.
--pp By default, llooggiinn discards any previous environment. The --pp op-
tion disables this behavior.
If the file _/_e_t_c_/_n_o_l_o_g_i_n exists, llooggiinn dislays its contents to the user
and exits. This is used by shutdown(8) to prevent users from logging in
when the system is about to go down.
If the file _/_e_t_c_/_f_b_t_a_b exists, llooggiinn changes the protection and ownership
of certain devices specified in this file.
Immediately after logging a user in, llooggiinn displays the system copyright
notice, the date and time the user last logged in, the message of the day
as well as other information. If the file ``_._h_u_s_h_l_o_g_i_n'' exists in the
user's home directory, all of these messages are suppressed. This is to
simplify logins for non-human users, such as uucp(1). LLooggiinn then records
an entry in the wtmp(5) and utmp(5) files and executes the user's command
interpretor.
Login enters information into the environment (see environ(7)) specify-
ing the user's home directory (HOME), command interpreter (SHELL), search
path (PATH), terminal type (TERM) and user name (both LOGNAME and USER).
The standard shells, csh(1) and sh(1), do not fork before executing the
llooggiinn utility.
FFIILLEESS
/etc/fbtab changes device protections
/etc/motd message-of-the-day
/etc/nologin disallows logins
/var/run/utmp current logins
/var/log/wtmp login account records
/var/mail/user system mailboxes
.hushlogin makes login quieter
SSEEEE AALLSSOO
chpass(1), passwd(1), rlogin(1), getpass(3), fbtab(5), utmp(5), en-
viron(7)
HHIISSTTOORRYY
A llooggiinn appeared in Version 6 AT&T UNIX.
4th Berkeley Distribution June 9, 1993 2

@ -1,27 +0,0 @@
MOVEMAIL(1) System Reference Manual MOVEMAIL(1)
NNAAMMEE
mmoovveemmaaiill - Fetch mail from a spool file or using the KPOP protocol
SSYYNNPPOOSSYYSS
mmoovveemmaaiill _i_n_b_o_x _d_e_s_t_f_i_l_e
DDEESSCCRRIIPPTTIIOONN
The mmoovveemmaaiill program fetches mail from _i_n_b_o_x, which can be a file name or
po:username meaning fetch the mails with KPOP from the host MAILHOST.
This program is intended to be called from mail user agents that are
themselves not able to fetch the mail. The primary example of this is
Emacs.
EENNVVIIRROONNMMEENNTT
MAILHOST The host from which to fetch the mail.
SSEEEE AALLSSOO
popper(8)
HHIISSTTOORRYY
movemail comes from Emacs 19.30
KTH-KRB November 14, 1996 1
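Review bot: The synopsis heading in the removed movemail page is misspelled "SYNPOSYS", which means the defect lives in the page source rather than in the formatter. Since only the generated copy is deleted here, correct the heading to SYNOPSIS in the source. The DESCRIPTION could also say whether the po:username form accepts a hostname, because it currently relies on MAILHOST alone.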

View File

@ -1,44 +0,0 @@
OTP(1) System Reference Manual OTP(1)
NNAAMMEE
oottpp - manages one-time passwords
SSYYNNOOPPSSIISS
_o_t_p [--rr] [--dd] [--oo] [--ll] [--hh] [--ff _a_l_g_o_r_i_t_h_m] [--uu _u_s_e_r] _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r
_s_e_e_d
DDEESSCCRRIIPPTTIIOONN
The oottpp program initializes and updates your current series of one-time
passwords (OTPs).
Use this to set a new series of one-time passwords. Only perform this on
the console or over an encrypted link as you will have to supply your
pass-phrase. The other two parameters are _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r and _s_e_e_d.
Options are:
--rr To renew a one-time password series. This operation can be per-
formed over an potentially eavesdropped link because you do not
supply the pass-phrase. First you need to supply the current
one-time password and then the new one corresponding to the sup-
plied _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r and _s_e_e_d.
--dd To delete a one-time password.
--oo To open (unlock) the otp-entry for a user.
--ll List the current table of one-time passwords.
--hh For getting a help message.
--ff Choose a different _a_l_g_o_r_i_t_h_m from the default md5. Pick any of:
md4, md5, and sha.
--uu To choose a different _u_s_e_r to set one-time passwords for. This
only works when running oottpp as root.
SSEEEE AALLSSOO
otpprint(1)
KTH-KRB November 17, 1996 1
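Review bot: The paragraph starting "Use this to set a new series of one-time passwords" in the removed otp page never says what "this" refers to. It reads as the invocation with no option flag, but it sits between the general description and "Options are:" with nothing tying it to a mode. That paragraph carries the only warning to type the pass-phrase on the console or over an encrypted link, so the source should name the mode explicitly. The synopsis also renders the command name as an underlined argument where NAME and DESCRIPTION render it as a command.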

View File

@ -1,36 +0,0 @@
OTP(1) System Reference Manual OTP(1)
NNAAMMEE
oottpppprriinntt - print lists of one-time passwords
SSYYNNOOPPSSIISS
_o_t_p [--nn _c_o_u_n_t] [--ee] [--hh] [--ff _a_l_g_o_r_i_t_h_m] _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r _s_e_e_d
DDEESSCCRRIIPPTTIIOONN
The oottpppprriinntt program prints lists of OTPs.
Use this to print out a series of one-time passwords. You will have to
supply the _s_e_q_u_e_n_c_e _n_u_m_b_e_r and the _s_e_e_d as arguments and then the program
will prompt you for your pass-phrase.
There are several different print formats. The default is to print each
password with six short english words.
Options are:
--nn Print _c_o_u_n_t one-time passwords, starting at _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r and
going backwards. The default is 10.
--hh Print the passwords in hex.
--ee Print the passwords in ``extended'' format. In this format a
prefix that says ``hex:'' or ``word:'' is included.
--ff To choose a different _a_l_g_o_r_i_t_h_m from the default md5. Pick any
of: md4, md5, and sha.
SSEEEE AALLSSOO
otp(1)
KTH-KRB November 17, 1996 1
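Review bot: The removed otpprint page is titled "OTP(1)" in its header line and shows "otp" as the command in SYNOPSIS, although NAME and DESCRIPTION are for otpprint. Anyone copying the synopsis would run the program that changes the OTP series instead of the one that prints it. The title and synopsis in the page source should both read otpprint.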

View File

@ -1,17 +0,0 @@
PAGSH(1) System Reference Manual PAGSH(1)
NNAAMMEE
ppaaggsshh - execute a command without authentication
SSYYNNOOPPSSIISS
ppaaggsshh [[--cc]ccoommmmaanndd _a_r_g_s]
DDEESSCCRRIIPPTTIIOONN
Starts a new subprocess that is detached from any Kerberos ticket cache
and AFS tokens. Without ccoommmmaanndd a new shell is started.
EENNVVIIRROONNMMEENNTT
$SHELL Default shell.
KTH-KRB April 27, 1996 1
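Review bot: The NAME line of the removed pagsh page, "execute a command without authentication", does not match the DESCRIPTION, which says the subprocess is detached from any Kerberos ticket cache and AFS tokens. The NAME wording can be read as skipping an authentication check rather than running without inherited credentials, so the source should use the DESCRIPTION's terms. The -c flag shown in SYNOPSIS is also never explained.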

View File

@ -1,198 +0,0 @@
ppooppppeerr((88)) ppooppppeerr((88))
AAuugguusstt 11999900
NNAAMMEE
popper - pop 3 server
SSYYNNOOPPSSIISS
//uussrr//eettcc//ppooppppeerr [ -d ] [ -a ] [ -k ] [ -t trace-file] [ -i ] [ -p
portnum]
DDEESSCCRRIIPPTTIIOONN
_P_o_p_p_e_r is an implementation of the Post Office Protocol server that
runs on a variety of Unix computers to manage electronic mail for
Macintosh and MS-DOS computers. The server was developed at the
University of California at Berkeley and conforms fully to the
specifications in RFC 1081 and RFC 1082. The Berkeley server also has
extensions to send electronic mail on behalf of a client.
The --dd flag sets the socket to debugging and turns on debugging. All
debugging information is saved using syslog(8).
The --tt ttrraaccee--ffiillee flag turns on debugging and saves the trace
information in _t_r_a_c_e_-_f_i_l_e using fprintf(s).
The --kk flag tells popper to talk the kerberised POP protocol (KPOP).
The --aa flag tells popper not to accept any cleartext passwords, but
only OTPs.
The --ii flag tells popper it has not been started by inetd and should
create its own socket and listen on it. This is useful for debugging.
The --pp ppoorrttnnuumm flag tells popper on which port it should listen for
connections when creating a socket.
HHOOWW TTOO OOBBTTAAIINN TTHHEE SSEERRVVEERR
The POP server is available via anonymous ftp from ftp.CC.Berkeley.EDU
(128.32.136.9, 128.32.206.12). It is in two files in the pub
directory: a compressed tar file popper.tar.Z and a Macintosh StuffIt
archive in BinHex format called MacPOP.sit.hqx.
TTHHEE PPOOPP TTRRAANNSSAACCTTIIOONN CCYYCCLLEE
The Berkeley POP server is a single program (called popper) that is
launched by inetd when it gets a service request on the POP TCP port.
(The official port number specified in RFC 1081 for POP version 3 is
port 110. However, some POP3 clients attempt to contact the server at
port 109, the POP version 2 port. Unless you are running both POP2
and POP3 servers, you can simply define both ports for use by the POP3
server. This is explained in the installation instructions later on.)
The popper program initializes and verifies that the peer IP address
is registered in the local domain, logging a warning message when a
connection is made to a client whose IP address does not have a
canonical name. For systems using BSD 4.3 bind, it also checks to see
if a cannonical name lookup for the client returns the same peer IP
- 1 - Formatted: March 12, 2000
ppooppppeerr((88)) ppooppppeerr((88))
AAuugguusstt 11999900
address, logging a warning message if it does not. The the server
enters the authorization state, during which the client must correctly
identify itself by providing a valid Unix userid and password on the
server's host machine. No other exchanges are allowed during this
state (other than a request to quit.) If authentication fails, a
warning message is logged and the session ends. Once the user is
identified, popper changes its user and group ids to match that of the
user and enters the transaction state. The server makes a temporary
copy of the user's maildrop (ordinarily in /usr/spool/mail) which is
used for all subsequent transactions. These include the bulk of POP
commands to retrieve mail, delete mail, undelete mail, and so forth.
A Berkeley extension also allows the user to submit a mail parcel to
the server who mails it using the sendmail program (this extension is
supported in the HyperMail client distributed with the server). When
the client quits, the server enters the final update state during
which the network connection is terminated and the user's maildrop is
updated with the (possibly) modified temporary maildrop.
LLOOGGGGIINNGG
The POP server uses syslog to keep a record of its activities. On
systems with BSD 4.3 syslogging, the server logs (by default) to the
"local0" facility at priority "notice" for all messages except
debugging which is logged at priority "debug". The default log file
is /usr/spool/mqueue/POPlog. These can be changed, if desired. On
systems with 4.2 syslogging all messages are logged to the local log
file, usually /usr/spool/mqueue/syslog.
DDEEBBUUGGGGIINNGG
The popper program will log debugging information when the -d
parameter is specified after its invocation in the inetd.conf file.
Care should be exercised in using this option since it generates
considerable output in the syslog file. Alternatively, the "-t <file-
name>" option will place debugging information into file "<file-name>"
using fprintf instead of syslog.
For SunOS version 3.5, the popper program is launched by inetd from
/etc/servers. This file does not allow you to specify command line
arguments. Therefore, if you want to enable debugging, you can
specify a shell script in /etc/servers to be launched instead of
popper and in this script call popper with the desired arguments.
You can confirm that the POP server is running on Unix by telneting to
port 110 (or 109 if you set it up that way). For example:
%telnet myhost 110
Trying...
Connected to myhost.berkeley.edu.
Escape character is '^]'.
+OK UCB Pop server (version 1.6) at myhost starting.
quit
Connection closed by foreign host.
- 2 - Formatted: March 12, 2000
ppooppppeerr((88)) ppooppppeerr((88))
AAuugguusstt 11999900
VVEERRSSIIOONN 11..77 RREELLEEAASSEE NNOOTTEESS
Extensive re-write of the maildrop processing code contributed by
Viktor Dukhovni <viktor@math.princeton.edu> that greatly reduces the
possibility that the maildrop can be corrupted as the result of
simultaneous access by two or more processes.
Added "pop_dropcopy" module to create a temporary maildrop from the
existing, standard maildrop as root before the setuid and setgid for
the user is done. This allows the temporary maildrop to be created in
a mail spool area that is not world read-writable.
This version does *not* send the sendmail "From " delimiter line in
response to a TOP or RETR command.
Encased all debugging code in #ifdef DEBUG constructs. This code can
be included by specifying the DEGUG compiler flag. Note: You still
need to use the -d or -t option to obtain debugging output.
LLIIMMIITTAATTIIOONNSS
The POP server copies the user's entire maildrop to /tmp and then
operates on that copy. If the maildrop is particularly large, or
inadequate space is available in /tmp, then the server will refuse to
continue and terminate the connection.
Simultaneous modification of a single maildrop can result in confusing
results. For example, manipulating messages in a maildrop using the
Unix /usr/ucb/mail command while a copy of it is being processed by
the POP server can cause the changes made by one program to be lost
when the other terminates. This problem is being worked on and will
be fixed in a later release.
FFIILLEESS
/usr/spool/mail mail files
/etc/inetd.conf pop program invocation
/etc/syslog.conf logging specifications
SSEEEE AALLSSOO
inetd(8), RFC1081, RFC1082
AAUUTTHHOORRSS
Bob Campbell, Edward Moy, Austin Shelton, Marshall T Rose, and cast of
thousands at Rand, UDel, UCI, and elsewhere
- 3 - Formatted: March 12, 2000
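Review bot: The removed popper page contradicts itself about where the temporary maildrop is created. The version 1.7 release notes say pop_dropcopy creates it as root "in a mail spool area that is not world read-writable", while LIMITATIONS still says the server "copies the user's entire maildrop to /tmp". The location of that copy decides who else on the host can reach it, so the source should state the actual one. The transaction-cycle text also describes only userid and password login, with no mention of the -a (OTP only) and -k (KPOP) modes listed under DESCRIPTION. Typos to fix at the same time: "cannonical", "The the server", and "DEGUG compiler flag" next to "#ifdef DEBUG".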

View File

@ -1,66 +0,0 @@
RCP(1) System Reference Manual RCP(1)
NNAAMMEE
rrccpp - remote file copy
SSYYNNOOPPSSIISS
rrccpp [--KKppxx] [--kk _r_e_a_l_m] _f_i_l_e_1 _f_i_l_e_2
rrccpp [--KKpprrxx] [--kk _r_e_a_l_m] _f_i_l_e _._._. _d_i_r_e_c_t_o_r_y
DDEESSCCRRIIPPTTIIOONN
RRccpp copies files between machines. Each _f_i_l_e or _d_i_r_e_c_t_o_r_y argument is
either a remote file name of the form ``rname@rhost:path'', or a local
file name (containing no `:' characters, or a `/' before any `:'s).
--KK The --KK option turns off all Kerberos authentication.
--kk The --kk option requests rrccpp to obtain tickets for the remote host in
realm _r_e_a_l_m instead of the remote host's realm as determined by
krb_realmofhost(3).
--pp The --pp option causes rrccpp to attempt to preserve (duplicate) in its
copies the modification times and modes of the source files, ignor-
ing the _u_m_a_s_k. By default, the mode and owner of _f_i_l_e_2 are pre-
served if it already existed; otherwise the mode of the source file
modified by the umask(2) on the destination host is used.
--rr If any of the source files are directories, rrccpp copies each subtree
rooted at that name; in this case the destination must be a direc-
tory.
--xx The --xx option turns on DES encryption for all data passed by rrccpp.
This may impact response time and CPU utilization, but provides in-
creased security.
If _p_a_t_h is not a full path name, it is interpreted relative to the login
directory of the specified user _r_u_s_e_r on _r_h_o_s_t, or your current user name
if no other remote user name is specified. A _p_a_t_h on a remote host may
be quoted (using \, ", or ') so that the metacharacters are interpreted
remotely.
RRccpp does not prompt for passwords; it performs remote execution via
rsh(1), and requires the same authorization.
RRccpp handles third party copies, where neither source nor target files are
on the current machine.
SSEEEE AALLSSOO
cp(1), ftp(1), rsh(1), rlogin(1)
HHIISSTTOORRYY
The rrccpp command appeared in 4.2BSD. The version of rrccpp described here has
been reimplemented with Kerberos in 4.3BSD-Reno.
BBUUGGSS
Doesn't detect all cases where the target of a copy might be a file in
cases where only a directory should be legal.
Is confused by any output generated by commands in a _._l_o_g_i_n, _._p_r_o_f_i_l_e, or
_._c_s_h_r_c file on the remote host.
The destination user and hostname may have to be specified as
``rhost.rname'' when the destination machine is running the 4.2BSD ver-
sion of rrccpp.
4.3-Reno Berkeley Distribution May 31, 1993 1
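Review bot: The removed rcp page names the remote user inconsistently. The DESCRIPTION defines the remote form as "rname@rhost:path", the paragraph on relative paths then refers to "the specified user ruser on rhost", and BUGS goes back to "rhost.rname". The source should use one name throughout so it is clear which part of the argument selects the remote account.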

View File

@ -1,92 +0,0 @@
RLOGIN(1) System Reference Manual RLOGIN(1)
NNAAMMEE
rrllooggiinn - remote login
SSYYNNOOPPSSIISS
_r_l_o_g_i_n [--88EEKKLLddxx] [--ee _c_h_a_r] [--kk _r_e_a_l_m] [--ll _u_s_e_r_n_a_m_e] [--pp _p_o_r_t_n_u_m_b_e_r] _h_o_s_t
DDEESSCCRRIIPPTTIIOONN
RRllooggiinn starts a terminal session on a remote host _h_o_s_t.
RRllooggiinn first attempts to use the Kerberos authorization mechanism, de-
scribed below. If the remote host does not supporting Kerberos the stan-
dard Berkeley _r_h_o_s_t_s authorization mechanism is used. The options are as
follows:
--88 The --88 option allows an eight-bit input data path at all times;
otherwise parity bits are stripped except when the remote side's
stop and start characters are other than ^S/^Q .
--EE The --EE option stops any character from being recognized as an es-
cape character. When used with the --88 option, this provides a com-
pletely transparent connection.
--KK The --KK option turns off all Kerberos authentication.
--LL The --LL option allows the rlogin session to be run in ``litout''
(see tty(4)) mode.
--dd The --dd option turns on socket debugging (see setsockopt(2)) on the
TCP sockets used for communication with the remote host.
--ee The --ee option allows user specification of the escape character,
which is ``~'' by default. This specification may be as a literal
character, or as an octal value in the form \nnn.
--kk The option requests rlogin to obtain tickets for the remote host in
realm _r_e_a_l_m instead of the remote host's realm as determined by
krb_realmofhost(3).
--xx The --xx option turns on DES encryption for all data passed via the
rlogin session. This may impact response time and CPU utilization,
but provides increased security.
--DD Use the TCP nodelay option (see setsockopt(2)).
--pp --ppoorrttnnuummbbeerr
Specifies the port number to connect to on the remote host.
A line of the form ``<escape char>.'' disconnects from the remote host.
Similarly, the line ``<escape char>^Z'' will suspend the rrllooggiinn session,
and ``<escape char><delayed-suspend char>'' suspends the send portion of
the rlogin, but allows output from the remote system. By default, the
tilde (``~'') character is the escape character, and normally control-Y
(``^Y'') is the delayed-suspend character.
All echoing takes place at the remote site, so that (except for delays)
the rrllooggiinn is transparent. Flow control via ^S/^Q and flushing of input
and output on interrupts are handled properly.
KKEERRBBEERROOSS AAUUTTHHEENNTTIICCAATTIIOONN
Each user may have a private authorization list in the file _._k_l_o_g_i_n in
their home directory. Each line in this file should contain a Kerberos
principal name of the form _p_r_i_n_c_i_p_a_l_._i_n_s_t_a_n_c_e_@_r_e_a_l_m. If the originating
user is authenticated to one of the principals named in _._k_l_o_g_i_n, access
is granted to the account. The principal _a_c_c_o_u_n_t_n_a_m_e_._@_l_o_c_a_l_r_e_a_l_m is
granted access if there is no _._k_l_o_g_i_n file. Otherwise a login and pass-
word will be prompted for on the remote machine as in login(1). To avoid
certain security problems, the _._k_l_o_g_i_n file must be owned by the remote
user.
If Kerberos authentication fails, a warning message is printed and the
standard Berkeley rrllooggiinn is used instead.
EENNVVIIRROONNMMEENNTT
The following environment variable is utilized by rrllooggiinn:
TERM Determines the user's terminal type.
SSEEEE AALLSSOO
rsh(1), kerberos(3), krb_sendauth(3), krb_realmofhost(3)
HHIISSTTOORRYY
The rrllooggiinn command appeared in 4.2BSD.
BBUUGGSS
RRllooggiinn will be replaced by telnet(1) in the near future.
More of the environment should be propagated.
4.2 Berkeley Distribution June 6, 1993 2
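Review bot: The option cluster in the removed rlogin SYNOPSIS, "-8EKLdx", omits -D even though the options list documents it ("Use the TCP nodelay option"). The entry for -k reads "The option requests rlogin to obtain tickets" with the flag name missing, and the -p entry is tagged "-p -portnumber" where the synopsis has "-p portnumber". The first DESCRIPTION paragraph also has "does not supporting Kerberos". These are all defects in the page source, which is the copy that remains after this removal.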

View File

@ -1,103 +0,0 @@
RLOGIND(8) System Manager's Manual RLOGIND(8)
NNAAMMEE
rrllooggiinndd - remote login server
SSYYNNOOPPSSIISS
rrllooggiinndd [--aaiillnnkkvvxxDD] [--pp _p_o_r_t_n_u_m_b_e_r] [--LL _/_b_i_n_/_l_o_g_i_n]
DDEESSCCRRIIPPTTIIOONN
RRllooggiinndd is the server for the rlogin(1) program. The server provides a
remote login facility with kerberos-based authentication or traditional
pseudo-authentication with privileged port numbers from trusted hosts.
Options supported by rrllooggiinndd:
--aa No-op. For backwards compatibility. Hostnames are always veri-
fied.
--ll Prevent any authentication based on the user's ``_._r_h_o_s_t_s'' file,
unless the user is logging in as the superuser.
--nn Disable keep-alive messages.
--kk Enable kerberos authentication.
--ii Do not expect to be spawned by inetd and create a socket and lis-
ten on it yourself.
--pp --ppoorrttnnuummbbeerr
Specifies the port number it should listen on in case the
--ii flag has been given.
--vv Vacuous, echo "Remote host requires Kerberos authentication" and
exit.
--xx Provides an encrypted communications channel. This options re-
quires the --kk flag.
--LL --ppaatthhnnaammee
Specify pathname to an alternative login program.
--DD Use the TCP nodelay option (see setsockopt(2)).
When a service request is received, rrllooggiinndd verifies the kerberos ticket
supplied by the user.
For non-kerberised connections, the following protocol is initiated:
1. The server checks the client's source port. If the port is not in
the range 512-1023, the server aborts the connection.
2. The server checks the client's source address and requests the cor-
responding host name (see gethostbyaddr(3), hosts(5) and named(8)).
If the hostname cannot be determined, the dot-notation representa-
tion of the host address is used. The addresses for the hostname
are requested, verifying that the name and address correspond. Nor-
mal authentication is bypassed if the address verification fails.
Once the source port and address have been checked, rrllooggiinndd proceeds with
the authentication process described in rshd(8).
It then allocates a pseudo terminal (see pty(4)), and manipulates file
descriptors so that the slave half of the pseudo terminal becomes the
_s_t_d_i_n, _s_t_d_o_u_t, and _s_t_d_e_r_r for a login process. The login process is an
instance of the login(1) program, invoked with the --ff option if authenti-
cation has succeeded. If automatic authentication fails, the user is
prompted to log in as if on a standard terminal line.
The parent of the login process manipulates the master side of the pseudo
terminal, operating as an intermediary between the login process and the
client instance of the rlogin program. In normal operation, the packet
protocol described in pty(4) is invoked to provide `^S/^Q' type facili-
ties and propagate interrupt signals to the remote programs. The login
process propagates the client terminal's baud rate and terminal type, as
found in the environment variable, `TERM'; see environ(7). The screen or
window size of the terminal is requested from the client, and window size
changes from the client are propagated to the pseudo terminal.
Transport-level keepalive messages are enabled unless the --nn option is
present. The use of keepalive messages allows sessions to be timed out
if the client crashes or becomes unreachable.
DDIIAAGGNNOOSSTTIICCSS
All initial diagnostic messages are indicated by a leading byte with a
value of 1, after which any network connections are closed. If there are
no errors before login is invoked, a null byte is returned as in indica-
tion of success.
TTrryy aaggaaiinn..
A fork by the server failed.
SSEEEE AALLSSOO
login(1), ruserok(3), rshd(8)
BBUUGGSS
A more extensible protocol should be used.
HHIISSTTOORRYY
The rrllooggiinndd command appeared in 4.2BSD.
4.2 Berkeley Distribution August 25, 1996 2
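Review bot: Step 2 of the non-kerberised protocol in the removed rlogind page ends with "Normal authentication is bypassed if the address verification fails", which can be read as a failed name and address check letting the client skip authentication. The later sentence "If automatic authentication fails, the user is prompted to log in as if on a standard terminal line" suggests the intended meaning is that trusted-host authentication is skipped and the user must log in normally. The source should say that directly. Also "This options requires the -k flag" under -x and "as in indication of success" under DIAGNOSTICS need fixing.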

View File

@ -1,75 +0,0 @@
RSH(1) System Reference Manual RSH(1)
NNAAMMEE
rrsshh - remote shell
SSYYNNOOPPSSIISS
rrsshh [--KKddnnxx] [--kk _r_e_a_l_m] [--ll _u_s_e_r_n_a_m_e] _h_o_s_t [command]
DDEESSCCRRIIPPTTIIOONN
RRsshh executes _c_o_m_m_a_n_d on _h_o_s_t.
RRsshh copies its standard input to the remote command, the standard output
of the remote command to its standard output, and the standard error of
the remote command to its standard error. Interrupt, quit and terminate
signals are propagated to the remote command; rrsshh normally terminates
when the remote command does. The options are as follows:
--KK The --KK option turns off all Kerberos authentication.
--dd The --dd option turns on socket debugging (using setsockopt(2)) on
the TCP sockets used for communication with the remote host.
--kk The --kk option causes rrsshh to obtain tickets for the remote host in
_r_e_a_l_m instead of the remote host's realm as determined by
krb_realmofhost(3).
--ll By default, the remote username is the same as the local username.
The --ll option allows the remote name to be specified. Kerberos au-
thentication is used, and authorization is determined as in
rlogin(1).
--nn The --nn option redirects input from the special device _/_d_e_v_/_n_u_l_l
(see the _B_U_G_S section of this manual page).
--xx The --xx option turns on DES encryption for all data exchange. This
may introduce a significant delay in response time.
If no _c_o_m_m_a_n_d is specified, you will be logged in on the remote host us-
ing rlogin(1).
Shell metacharacters which are not quoted are interpreted on local ma-
chine, while quoted metacharacters are interpreted on the remote machine.
For example, the command
rsh otherhost cat remotefile >> localfile
appends the remote file _r_e_m_o_t_e_f_i_l_e to the local file _l_o_c_a_l_f_i_l_e, while
rsh otherhost cat remotefile ">>" other_remotefile
appends _r_e_m_o_t_e_f_i_l_e to _o_t_h_e_r___r_e_m_o_t_e_f_i_l_e.
FFIILLEESS
/etc/hosts
SSEEEE AALLSSOO
rlogin(1), kerberos(3), krb_sendauth(3), krb_realmofhost(3)
HHIISSTTOORRYY
The rrsshh command appeared in 4.2BSD.
BBUUGGSS
If you are using csh(1) and put a rrsshh in the background without redirect-
ing its input away from the terminal, it will block even if no reads are
posted by the remote command. If no input is desired you should redirect
the input of rrsshh to _/_d_e_v_/_n_u_l_l using the --nn option.
You cannot run an interactive command (like rogue(6) or vi(1)) using
rrsshh; use rlogin(1) instead.
Stop signals stop the local rrsshh process only; this is arguably wrong, but
currently hard to fix for reasons too complicated to explain here.
4.2 Berkeley Distribution July 24, 1991 2

View File

@ -1,138 +0,0 @@
RSHD(8) System Manager's Manual RSHD(8)
NNAAMMEE
rrsshhdd - remote shell server
SSYYNNOOPPSSIISS
rrsshhdd [--aaiillnnkkvvxxLLPP] [--pp _p_o_r_t_n_u_m_b_e_r]
DDEESSCCRRIIPPTTIIOONN
The rrsshhdd server is the server for the rcmd(3) routine and, consequently,
for the rsh(1) program. The server provides remote execution facilities
with kerberos-based authentication or traditional pseudo-authentication
with privileged port numbers from trusted hosts.
The rrsshhdd server listens for service requests at the port indicated in the
``cmd'' service specification; see services(5). When a service request
is received rrsshhdd verifies the kerberos ticket supplied by the user.
For non-kerberised connections, the following protocol is initiated:
1. The server checks the client's source port. If the port is not in
the range 512-1023, the server aborts the connection.
2. The server reads characters from the socket up to a null (`\0')
byte. The resultant string is interpreted as an ASCII number, base
10.
3. If the number received in step 2 is non-zero, it is interpreted as
the port number of a secondary stream to be used for the _s_t_d_e_r_r. A
second connection is then created to the specified port on the
client's machine. The source port of this second connection is also
in the range 512-1023.
4. The server checks the client's source address and requests the cor-
responding host name (see gethostbyaddr(3), hosts(5) and named(8)).
If the hostname cannot be determined, the dot-notation representa-
tion of the host address is used. The addresses for the hostname
are requested, verifying that the name and address correspond. If
address verification fails, the connection is aborted with the mes-
sage, ``Host address mismatch.''
5. A null terminated user name of at most 16 characters is retrieved on
the initial socket. This user name is interpreted as the user iden-
tity on the _c_l_i_e_n_t's machine.
6. A null terminated user name of at most 16 characters is retrieved on
the initial socket. This user name is interpreted as a user identi-
ty to use on the sseerrvveerr's machine.
7. A null terminated command to be passed to a shell is retrieved on
the initial socket. The length of the command is limited by the up-
per bound on the size of the system's argument list.
8. RRsshhdd then validates the user using ruserok(3), which uses the file
_/_e_t_c_/_h_o_s_t_s_._e_q_u_i_v and the _._r_h_o_s_t_s file found in the user's home di-
rectory. The --ll option prevents ruserok(3) from doing any valida-
tion based on the user's ``.rhosts'' file, unless the user is the
superuser.
9. If the file _/_e_t_c_/_n_o_l_o_g_i_n exists and the user is not the superuser,
the connection is closed.
10. A null byte is returned on the initial socket and the command line
is passed to the normal login shell of the user. The shell inherits
the network connections established by rrsshhdd.
Transport-level keepalive messages are enabled unless the --nn option is
present. The use of keepalive messages allows sessions to be timed out
if the client crashes or becomes unreachable.
The --LL option causes all successful accesses to be logged to syslogd(8)
as auth.info messages.
--kk Enable kerberos authentication.
--ii Do not expect to be spawned by inetd and create a socket and lis-
ten on it yourself.
--pp --ppoorrttnnuummbbeerr
Specifies the port number it should listen on in case the
--ii flag has been given.
--vv Vacuous, echo "Remote host requires Kerberos authentication" and
exit.
--xx Provides an encrypted communications channel. This option re-
quires the --kk flag.
--PP AFS only! Doesn't put the remote proccess in a new PAG.
DDIIAAGGNNOOSSTTIICCSS
Except for the last one listed below, all diagnostic messages are re-
turned on the initial socket, after which any network connections are
closed. An error is indicated by a leading byte with a value of 1 (0 is
returned in step 10 above upon successful completion of all the steps
prior to the execution of the login shell).
LLooccuusseerr ttoooo lloonngg..
The name of the user on the client's machine is longer than 16
characters.
RRuusseerr ttoooo lloonngg..
The name of the user on the remote machine is longer than 16
characters.
CCoommmmaanndd ttoooo lloonngg.
The command line passed exceeds the size of the argument list (as
configured into the system).
LLooggiinn iinnccoorrrreecctt..
No password file entry for the user name existed.
RReemmoottee ddiirreeccttoorryy..
The chdir command to the home directory failed.
PPeerrmmiissssiioonn ddeenniieedd..
The authentication procedure described above failed.
CCaann''tt mmaakkee ppiippee..
The pipe needed for the _s_t_d_e_r_r, wasn't created.
CCaann''tt ffoorrkk;; ttrryy aaggaaiinn..
A fork by the server failed.
<<sshheellllnnaammee>>:: ......
The user's login shell could not be started. This message is re-
turned on the connection associated with the _s_t_d_e_r_r, and is not
preceded by a flag byte.
SSEEEE AALLSSOO
rsh(1), rcmd(3), ruserok(3)
BBUUGGSS
A more extensible protocol (such as Telnet) should be used.
4.2 Berkeley Distribution August 25, 1996 3
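Review bot: The SYNOPSIS of the removed rshd page lists -a in "[-ailnkvxLP]", but the page never describes it. The options list at the end covers only -k, -i, -p, -v, -x and -P, while -l, -n and -L appear only in running text. Since -l controls whether a user's .rhosts file is honoured, it belongs in the options list with the others. The -P entry misspells "proccess", and the "Command too long." diagnostic is rendered with a single final period where the neighbouring bold diagnostics have theirs doubled.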

View File

@ -1,43 +0,0 @@
RXTELNET(1) System Reference Manual RXTELNET(1)
NNAAMMEE
rrxxtteellnneett - start a telnet and forward X-connections.
SSYYNNOOPPSSIISS
rrxxtteellnneett [--ll _u_s_e_r_n_a_m_e] [--kk ] [--tt _t_e_l_n_e_t___a_r_g_s] [--xx _x_t_e_r_m___a_r_g_s] [--ww
_t_e_r_m___e_m_u_l_a_t_o_r] [--nn] _h_o_s_t [_p_o_r_t]
DDEESSCCRRIIPPTTIIOONN
The rrxxtteellnneett program starts a xxtteerrmm window with a telnet to host _h_o_s_t.
From this window you will also be able to run X clients that will be able
to connect securily to your X server. If _p_o_r_t is given, that port will be
used instead of the default.
The supported options are:
--ll Log in on the remote host as user _u_s_e_r_n_a_m_e
--kk Disables keep-alives
--tt Send _t_e_l_n_e_t___a_r_g_s as arguments to tteellnneett
--xx Send _x_t_e_r_m___a_r_g_s as arguments to xxtteerrmm
--ww Use _t_e_r_m___e_m_u_l_a_t_o_r instead of xterm.
--nn Do not start any terminal emulator.
EEXXAAMMPPLLEE
To login from host _f_o_o (where your display is) to host _b_a_r, you might do
the following.
1. On foo: rrxxtteellnneett _b_a_r
2. You will get a new window with a tteellnneett to _b_a_r. In this window you
will be able to start X clients.
SSEEEE AALLSSOO
rxterm(1), tenletxr(1), kx(1), kxd(8), telnet(1)
KTH_KRB September 27, 1996 1
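Review bot: The DESCRIPTION in the removed rxtelnet page says X clients "will be able to connect securily to your X server" without saying what protects the X connection. SEE ALSO lists kx(1) and kxd(8), but nothing in the page states how they relate to rxtelnet. The source should name the mechanism in one sentence and correct "securily" to "securely".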

View File

@ -1,41 +0,0 @@
RXTERM(1) System Reference Manual RXTERM(1)
NNAAMMEE
rrxxtteerrmm - start a secure remote xterm
SSYYNNOOPPSSIISS
rrxxtteerrmm [--ll _u_s_e_r_n_a_m_e] [--kk] [--rr _r_s_h___a_r_g_s] [--xx _x_t_e_r_m___a_r_g_s] [--ww
_t_e_r_m___e_m_u_l_a_t_o_r] _h_o_s_t [_p_o_r_t]
DDEESSCCRRIIPPTTIIOONN
The rrxxtteerrmm program starts a xxtteerrmm window on host _h_o_s_t. From this window
you will also be able to run X clients that will be able to connect se-
curily to your X server. If _p_o_r_t is given, that port will be used instead
of the default.
The supported options are:
--ll Log in on the remote host as user _u_s_e_r_n_a_m_e
--kk Disable keep-alives
--rr Send _r_s_h___a_r_g_s as arguments to rrsshh
--xx Send _x_t_e_r_m___a_r_g_s as arguments to xxtteerrmm
--ww Use _t_e_r_m___e_m_u_l_a_t_o_r instead of xterm.
EEXXAAMMPPLLEE
To login from host _f_o_o (where your display is) to host _b_a_r, you might do
the following.
1. On foo: rrxxtteerrmm _b_a_r
2. You will get a new window running an xxtteerrmm on host _b_a_r. In this win-
dow you will be able to start X clients.
SSEEEE AALLSSOO
rxtelnet(1), tenletxr(1), kx(1), kxd(8), rsh(1)
KTH_KRB September 27, 1996 1
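Review bot: The footer of the removed rxterm page reads "KTH_KRB", as does rxtelnet's, while the movemail, otp and pagsh pages in this same commit use "KTH-KRB". The source macros should use one spelling. The word "securily" is also hyphenated across a line here as "se-curily", so a plain search for the typo in formatted output would miss it. Fix it in the source text.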

View File

@ -1,85 +0,0 @@
SU(1) System Reference Manual SU(1)
NNAAMMEE
ssuu - substitute user identity
SSYYNNOOPPSSIISS
ssuu [--KKffllmmii] [_l_o_g_i_n [_s_h_e_l_l _a_r_g_u_m_e_n_t_s]]
DDEESSCCRRIIPPTTIIOONN
SSuu requests the Kerberos password for _l_o_g_i_n (or for ``_l_o_g_i_n.root'', if no
login is provided), and switches to that user and group ID after obtain-
ing a Kerberos ticket granting ticket. A shell is then executed, and any
additional _s_h_e_l_l _a_r_g_u_m_e_n_t_s after the login name are passed to the shell.
SSuu will resort to the local password file to find the password for _l_o_g_i_n
if there is a Kerberos error. If ssuu is executed by root, no password is
requested and a shell with the appropriate user ID is executed; no addi-
tional Kerberos tickets are obtained.
Alternately, if the user enters the password "s/key", they will be au-
thenticated using the S/Key one-time password system as described in
skey(1). S/Key is a Trademark of Bellcore.
By default, the environment is unmodified with the exception of USER,
HOME, and SHELL. HOME and SHELL are set to the target login's default
values. USER is set to the target login, unless the target login has a
user ID of 0, in which case it is unmodified. The invoked shell is the
target login's. This is the traditional behavior of ssuu.
The options are as follows:
--KK Do not attempt to use Kerberos to authenticate the user.
--ff If the invoked shell is csh(1), this option prevents it from
reading the ``_._c_s_h_r_c'' file.
--ll Simulate a full login. The environment is discarded except for
HOME, SHELL, PATH, TERM, and USER. HOME and SHELL are modified as
above. USER is set to the target login. PATH is set to
``_/_b_i_n_:_/_u_s_r_/_b_i_n''. TERM is imported from your current environ-
ment. The invoked shell is the target login's, and ssuu will
change directory to the target login's home directory.
--mm Leave the environment unmodified. The invoked shell is your lo-
gin shell, and no directory changes are made. As a security pre-
caution, if the target user's shell is a non-standard shell (as
defined by getusershell(3)) and the caller's real uid is non-ze-
ro, ssuu will fail.
--ii If the kerberos root instance is not root any other value can be
passed using this switch.
The --ll and --mm options are mutually exclusive; the last one specified
overrides any previous ones.
Only users mentioned in ``_~_r_o_o_t_/_._k_l_o_g_i_n'' (or in group 0 when not doing
kerberos) can ssuu to ``root''.
By default (unless the prompt is reset by a startup file) the super-user
prompt is set to ``##'' to remind one of its awesome power.
SSEEEE AALLSSOO
csh(1), login(1), sh(1), skey(1), kinit(1), kerberos(1), passwd(5),
group(5), environ(7)
EENNVVIIRROONNMMEENNTT
Environment variables used by ssuu:
HOME Default home directory of real user ID unless modified as specified
above.
PATH Default search path of real user ID unless modified as specified
above.
TERM Provides terminal type which may be retained for the substituted
user ID.
USER The user ID is always the effective ID (the target user ID) after
an ssuu unless the user ID is 0 (root).
HHIISSTTOORRYY
A ssuu command appeared in Version 7 AT&T UNIX. The version described here
is an adaptation of the MIT Athena Kerberos command.
BSD Experimental July 29, 1991 2
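Review bot: The commit message does not say where the su(1) text lives once this formatted copy is gone, and this hunk deletes the statements that su falls back to the local password file on a Kerberos error and that only users in ~root/.klogin (or in group 0 when not using Kerberos) can su to root. Please state in the message that the unformatted su.1 source stays in the tree and that the formatted page is produced at build time. Also check whether the source has the same mismatch for -i as this page: the synopsis lists it among the flags that take no argument ([-Kflmi]), while the description says a value "can be passed using this switch".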

View File

@ -1,722 +0,0 @@
TELNET(1) System Reference Manual TELNET(1)
NNAAMMEE
tteellnneett - user interface to the TELNET protocol
SSYYNNOOPPSSIISS
tteellnneett [--7788EEFFKKLLaaccddffrrxx] [--SS _t_o_s] [--XX _a_u_t_h_t_y_p_e] [--ee _e_s_c_a_p_e_c_h_a_r] [--kk _r_e_a_l_m]
[--ll _u_s_e_r] [--nn _t_r_a_c_e_f_i_l_e] [_h_o_s_t [port]]
DDEESSCCRRIIPPTTIIOONN
The tteellnneett command is used to communicate with another host using the
TELNET protocol. If tteellnneett is invoked without the _h_o_s_t argument, it en-
ters command mode, indicated by its prompt (tteellnneett>>). In this mode, it
accepts and executes the commands listed below. If it is invoked with
arguments, it performs an ooppeenn command with those arguments.
Options:
--88 Specifies an 8-bit data path. This causes an attempt to negoti-
ate the TELNET BINARY option on both input and output.
--77 Do not try to negotiate TELNET BINARY option.
--EE Stops any character from being recognized as an escape character.
--FF If Kerberos V5 authentication is being used, the --FF option allows
the local credentials to be forwarded to the remote system, in-
cluding any credentials that have already been forwarded into the
local environment.
--KK Specifies no automatic login to the remote system.
--LL Specifies an 8-bit data path on output. This causes the BINARY
option to be negotiated on output.
--SS _t_o_s Sets the IP type-of-service (TOS) option for the telnet connec-
tion to the value _t_o_s_, which can be a numeric TOS value or, on
systems that support it, a symbolic TOS name found in the
/etc/iptos file.
--XX _a_t_y_p_e
Disables the _a_t_y_p_e type of authentication.
--aa Attempt automatic login. Currently, this sends the user name via
the USER variable of the ENVIRON option if supported by the re-
mote system. The name used is that of the current user as re-
turned by getlogin(2) if it agrees with the current user ID, oth-
erwise it is the name associated with the user ID.
--cc Disables the reading of the user's _._t_e_l_n_e_t_r_c file. (See the
ttooggggllee sskkiipprrcc command on this man page.)
--dd Sets the initial value of the ddeebbuugg toggle to TRUE
--ee _e_s_c_a_p_e _c_h_a_r
Sets the initial tteellnneett tteellnneett escape character to _e_s_c_a_p_e _c_h_a_r_.
If _e_s_c_a_p_e _c_h_a_r is omitted, then there will be no escape charac-
ter.
--ff If Kerberos V5 authentication is being used, the --ff option allows
the local credentials to be forwarded to the remote system.
--kk _r_e_a_l_m
If Kerberos authentication is being used, the --kk option requests
that telnet obtain tickets for the remote host in realm realm in-
stead of the remote host's realm, as determined by
krb_realmofhost(3).
--ll _u_s_e_r
When connecting to the remote system, if the remote system under-
stands the ENVIRON option, then _u_s_e_r will be sent to the remote
system as the value for the variable USER. This option implies
the --aa option. This option may also be used with the ooppeenn com-
mand.
--nn _t_r_a_c_e_f_i_l_e
Opens _t_r_a_c_e_f_i_l_e for recording trace information. See the sseett
ttrraacceeffiillee command below.
--rr Specifies a user interface similar to rlogin(1). In this mode,
the escape character is set to the tilde (~) character, unless
modified by the -e option.
--xx Turns on encryption of the data stream if possible. This is cur-
rently the default and when it fails a warning is issued.
_h_o_s_t Indicates the official name, an alias, or the Internet address of
a remote host.
_p_o_r_t Indicates a port number (address of an application). If a number
is not specified, the default tteellnneett port is used.
When in rlogin mode, a line of the form ~. disconnects from the remote
host; ~ is the telnet escape character. Similarly, the line ~^Z suspends
the telnet session. The line ~^] escapes to the normal telnet escape
prompt.
Once a connection has been opened, tteellnneett will attempt to enable the
TELNET LINEMODE option. If this fails, then tteellnneett will revert to one of
two input modes: either ``character at a time'' or ``old line by line''
depending on what the remote system supports.
When LINEMODE is enabled, character processing is done on the local sys-
tem, under the control of the remote system. When input editing or char-
acter echoing is to be disabled, the remote system will relay that infor-
mation. The remote system will also relay changes to any special charac-
ters that happen on the remote system, so that they can take effect on
the local system.
In ``character at a time'' mode, most text typed is immediately sent to
the remote host for processing.
In ``old line by line'' mode, all text is echoed locally, and (normally)
only completed lines are sent to the remote host. The ``local echo char-
acter'' (initially ``^E'') may be used to turn off and on the local echo
(this would mostly be used to enter passwords without the password being
echoed).
If the LINEMODE option is enabled, or if the llooccaallcchhaarrss toggle is TRUE
(the default for ``old line by line``; see below), the user's qquuiitt, iinnttrr,
and fflluusshh characters are trapped locally, and sent as TELNET protocol se-
quences to the remote side. If LINEMODE has ever been enabled, then the
user's ssuusspp and eeooff are also sent as TELNET protocol sequences, and qquuiitt
is sent as a TELNET ABORT instead of BREAK There are options (see ttooggggllee
aauuttoofflluusshh and ttooggggllee aauuttoossyynncchh below) which cause this action to flush
subsequent output to the terminal (until the remote host acknowledges the
TELNET sequence) and flush previous terminal input (in the case of qquuiitt
and iinnttrr).
While connected to a remote host, tteellnneett command mode may be entered by
typing the tteellnneett ``escape character'' (initially ``^]''). When in com-
mand mode, the normal terminal editing conventions are available.
The following tteellnneett commands are available. Only enough of each command
to uniquely identify it need be typed (this is also true for arguments to
the mmooddee, sseett, ttooggggllee, uunnsseett, ssllcc, eennvviirroonn, and ddiissppllaayy commands).
aauutthh _a_r_g_u_m_e_n_t _._._.
The auth command manipulates the information sent through the
TELNET AUTHENTICATE option. Valid arguments for the auth com-
mand are as follows:
ddiissaabbllee _t_y_p_e Disables the specified type of authentication.
To obtain a list of available types, use the
aauutthh ddiissaabbllee ?? command.
eennaabbllee _t_y_p_e Enables the specified type of authentication.
To obtain a list of available types, use the
aauutthh eennaabbllee ?? command.
ssttaattuuss Lists the current status of the various types of
authentication.
cclloossee Close a TELNET session and return to command mode.
ddiissppllaayy _a_r_g_u_m_e_n_t _._._.
Displays all, or some, of the sseett and ttooggggllee values (see be-
low).
eennccrryypptt _a_r_g_u_m_e_n_t _._._.
The encrypt command manipulates the information sent through
the TELNET ENCRYPT option.
Note: Because of export controls, the TELNET ENCRYPT option
is not supported outside of the United States and Canada.
Valid arguments for the encrypt command are as follows:
ddiissaabbllee _t_y_p_e [[iinnppuutt||oouuttppuutt]]
Disables the specified type of encryption. If
you omit the input and output, both input and
output are disabled. To obtain a list of avail-
able types, use the eennccrryypptt ddiissaabbllee ?? command.
eennaabbllee _t_y_p_e [[iinnppuutt||oouuttppuutt]]
Enables the specified type of encryption. If
you omit input and output, both input and output
are enabled. To obtain a list of available
types, use the eennccrryypptt eennaabbllee ?? command.
iinnppuutt This is the same as the eennccrryypptt ssttaarrtt iinnppuutt com-
mand.
--iinnppuutt This is the same as the eennccrryypptt ssttoopp iinnppuutt com-
mand.
oouuttppuutt This is the same as the eennccrryypptt ssttaarrtt oouuttppuutt
command.
--oouuttppuutt This is the same as the eennccrryypptt ssttoopp oouuttppuutt com-
mand.
ssttaarrtt [[iinnppuutt||oouuttppuutt]]
Attempts to start encryption. If you omit iinnppuutt
and oouuttppuutt,, both input and output are enabled.
To obtain a list of available types, use the
eennccrryypptt eennaabbllee ?? command.
ssttaattuuss Lists the current status of encryption.
ssttoopp [[iinnppuutt||oouuttppuutt]]
Stops encryption. If you omit input and output,
encryption is on both input and output.
ttyyppee _t_y_p_e Sets the default type of encryption to be used
with later eennccrryypptt ssttaarrtt or eennccrryypptt ssttoopp com-
mands.
eennvviirroonn _a_r_g_u_m_e_n_t_s_._._.
The eennvviirroonn command is used to manipulate the the variables
that my be sent through the TELNET ENVIRON option. The ini-
tial set of variables is taken from the users environment,
with only the DISPLAY and PRINTER variables being exported by
default. The USER variable is also exported if the --aa or --ll
options are used.
Valid arguments for the eennvviirroonn command are:
ddeeffiinnee _v_a_r_i_a_b_l_e _v_a_l_u_e
Define the variable _v_a_r_i_a_b_l_e to have a value of
_v_a_l_u_e_. Any variables defined by this command are
automatically exported. The _v_a_l_u_e may be enclosed
in single or double quotes so that tabs and spaces
may be included.
uunnddeeffiinnee _v_a_r_i_a_b_l_e
Remove _v_a_r_i_a_b_l_e from the list of environment vari-
ables.
eexxppoorrtt _v_a_r_i_a_b_l_e
Mark the variable _v_a_r_i_a_b_l_e to be exported to the
remote side.
uunneexxppoorrtt _v_a_r_i_a_b_l_e
Mark the variable _v_a_r_i_a_b_l_e to not be exported un-
less explicitly asked for by the remote side.
lliisstt List the current set of environment variables.
Those marked with a ** will be sent automatically,
other variables will only be sent if explicitly
requested.
?? Prints out help information for the eennvviirroonn com-
mand.
llooggoouutt Sends the TELNET LOGOUT option to the remote side. This com-
mand is similar to a cclloossee command; however, if the remote
side does not support the LOGOUT option, nothing happens. If,
however, the remote side does support the LOGOUT option, this
command should cause the remote side to close the TELNET con-
nection. If the remote side also supports the concept of sus-
pending a user's session for later reattachment, the logout
argument indicates that you should terminate the session imme-
diately.
mmooddee _t_y_p_e _T_y_p_e is one of several options, depending on the state of the
TELNET session. The remote host is asked for permission to go
into the requested mode. If the remote host is capable of en-
tering that mode, the requested mode will be entered.
cchhaarraacctteerr Disable the TELNET LINEMODE option, or, if the
remote side does not understand the LINEMODE op-
tion, then enter ``character at a time`` mode.
lliinnee Enable the TELNET LINEMODE option, or, if the
remote side does not understand the LINEMODE op-
tion, then attempt to enter ``old-line-by-line``
mode.
iissiigg (--iissiigg) Attempt to enable (disable) the TRAPSIG mode of
the LINEMODE option. This requires that the
LINEMODE option be enabled.
eeddiitt (--eeddiitt) Attempt to enable (disable) the EDIT mode of the
LINEMODE option. This requires that the
LINEMODE option be enabled.
ssooffttttaabbss (--ssooffttttaabbss)
Attempt to enable (disable) the SOFT_TAB mode of
the LINEMODE option. This requires that the
LINEMODE option be enabled.
lliitteecchhoo (--lliitteecchhoo)
Attempt to enable (disable) the LIT_ECHO mode of
the LINEMODE option. This requires that the
LINEMODE option be enabled.
?? Prints out help information for the mmooddee com-
mand.
ooppeenn _h_o_s_t [[--ll] _u_s_e_r][--_p_o_r_t]
Open a connection to the named host. If no port number is
specified, tteellnneett will attempt to contact a TELNET server at
the default port. The host specification may be either a host
name (see hosts(5)) or an Internet address specified in the
``dot notation'' (see inet(3)). The [--ll] option may be used
to specify the user name to be passed to the remote system via
the ENVIRON option. When connecting to a non-standard port,
tteellnneett omits any automatic initiation of TELNET options. When
the port number is preceded by a minus sign, the initial op-
tion negotiation is done. After establishing a connection,
the file _._t_e_l_n_e_t_r_c in the users home directory is opened.
Lines beginning with a # are comment lines. Blank lines are
ignored. Lines that begin without white space are the start
of a machine entry. The first thing on the line is the name
of the machine that is being connected to. The rest of the
line, and successive lines that begin with white space are as-
sumed to be tteellnneett commands and are processed as if they had
been typed in manually to the tteellnneett command prompt.
qquuiitt Close any open TELNET session and exit tteellnneett. An end of file
(in command mode) will also close a session and exit.
sseenndd _a_r_g_u_m_e_n_t_s
Sends one or more special character sequences to the remote
host. The following are the arguments which may be specified
(more than one argument may be specified at a time):
aabboorrtt Sends the TELNET ABORT (Abort processes) sequence.
aaoo Sends the TELNET AO (Abort Output) sequence, which
should cause the remote system to flush all output
_f_r_o_m the remote system _t_o the user's terminal.
aayytt Sends the TELNET AYT (Are You There) sequence, to
which the remote system may or may not choose to re-
spond.
bbrrkk Sends the TELNET BRK (Break) sequence, which may have
significance to the remote system.
eecc Sends the TELNET EC (Erase Character) sequence, which
should cause the remote system to erase the last char-
acter entered.
eell Sends the TELNET EL (Erase Line) sequence, which
should cause the remote system to erase the line cur-
rently being entered.
eeooff Sends the TELNET EOF (End Of File) sequence.
eeoorr Sends the TELNET EOR (End of Record) sequence.
eessccaappee Sends the current tteellnneett escape character (initially
``^'').
ggaa Sends the TELNET GA (Go Ahead) sequence, which likely
has no significance to the remote system.
ggeettssttaattuuss
If the remote side supports the TELNET STATUS command,
ggeettssttaattuuss will send the subnegotiation to request that
the server send its current option status.
iipp Sends the TELNET IP (Interrupt Process) sequence,
which should cause the remote system to abort the cur-
rently running process.
nnoopp Sends the TELNET NOP (No OPeration) sequence.
ssuusspp Sends the TELNET SUSP (SUSPend process) sequence.
ssyynncchh Sends the TELNET SYNCH sequence. This sequence causes
the remote system to discard all previously typed (but
not yet read) input. This sequence is sent as TCP ur-
gent data (and may not work if the remote system is a
4.2BSD system -- if it doesn't work, a lower case
``r'' may be echoed on the terminal).
ddoo _c_m_d
ddoonntt _c_m_d
wwiillll _c_m_d
wwoonntt _c_m_d
Sends the TELNET DO _c_m_d sequence. _C_m_d can be either a
decimal number between 0 and 255, or a symbolic name
for a specific TELNET command. _C_m_d can also be either
hheellpp or ?? to print out help information, including a
list of known symbolic names.
?? Prints out help information for the sseenndd command.
sseett _a_r_g_u_m_e_n_t _v_a_l_u_e
uunnsseett _a_r_g_u_m_e_n_t _v_a_l_u_e
The sseett command will set any one of a number of tteellnneett vari-
ables to a specific value or to TRUE. The special value ooffff
turns off the function associated with the variable, this is
equivalent to using the uunnsseett command. The uunnsseett command will
disable or set to FALSE any of the specified functions. The
values of variables may be interrogated with the ddiissppllaayy com-
mand. The variables which may be set or unset, but not tog-
gled, are listed here. In addition, any of the variables for
the ttooggggllee command may be explicitly set or unset using the
sseett and uunnsseett commands.
aayytt If TELNET is in localchars mode, or LINEMODE is en-
abled, and the status character is typed, a TELNET AYT
sequence (see sseenndd aayytt preceding) is sent to the re-
mote host. The initial value for the "Are You There"
character is the terminal's status character.
eecchhoo This is the value (initially ``^E'') which, when in
``line by line'' mode, toggles between doing local
echoing of entered characters (for normal processing),
and suppressing echoing of entered characters (for en-
tering, say, a password).
eeooff If tteellnneett is operating in LINEMODE or ``old line by
line'' mode, entering this character as the first
character on a line will cause this character to be
sent to the remote system. The initial value of the
eof character is taken to be the terminal's eeooff char-
acter.
eerraassee If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
below), aanndd if tteellnneett is operating in ``character at a
time'' mode, then when this character is typed, a
TELNET EC sequence (see sseenndd eecc above) is sent to the
remote system. The initial value for the erase char-
acter is taken to be the terminal's eerraassee character.
eessccaappee This is the tteellnneett escape character (initially ``^['')
which causes entry into tteellnneett command mode (when con-
nected to a remote system).
fflluusshhoouuttppuutt
If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
below) and the fflluusshhoouuttppuutt character is typed, a
TELNET AO sequence (see sseenndd aaoo above) is sent to the
remote host. The initial value for the flush charac-
ter is taken to be the terminal's fflluusshh character.
ffoorrww11
ffoorrww22 If TELNET is operating in LINEMODE, these are the
characters that, when typed, cause partial lines to be
forwarded to the remote system. The initial value for
the forwarding characters are taken from the termi-
nal's eol and eol2 characters.
iinntteerrrruupptt
If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
below) and the iinntteerrrruupptt character is typed, a TELNET
IP sequence (see sseenndd iipp above) is sent to the remote
host. The initial value for the interrupt character
is taken to be the terminal's iinnttrr character.
kkiillll If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
below), aanndd if tteellnneett is operating in ``character at a
time'' mode, then when this character is typed, a
TELNET EL sequence (see sseenndd eell above) is sent to the
remote system. The initial value for the kill charac-
ter is taken to be the terminal's kkiillll character.
llnneexxtt If tteellnneett is operating in LINEMODE or ``old line by
line`` mode, then this character is taken to be the
terminal's llnneexxtt character. The initial value for the
lnext character is taken to be the terminal's llnneexxtt
character.
qquuiitt If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
below) and the qquuiitt character is typed, a TELNET BRK
sequence (see sseenndd bbrrkk above) is sent to the remote
host. The initial value for the quit character is
taken to be the terminal's qquuiitt character.
rreepprriinntt
If tteellnneett is operating in LINEMODE or ``old line by
line`` mode, then this character is taken to be the
terminal's rreepprriinntt character. The initial value for
the reprint character is taken to be the terminal's
rreepprriinntt character.
rrllooggiinn This is the rlogin escape character. If set, the nor-
mal TELNET escape character is ignored unless it is
preceded by this character at the beginning of a line.
This character, at the beginning of a line followed by
a "." closes the connection; when followed by a ^Z it
suspends the telnet command. The initial state is to
disable the rlogin escape character.
ssttaarrtt If the TELNET TOGGLE-FLOW-CONTROL option has been en-
abled, then this character is taken to be the termi-
nal's ssttaarrtt character. The initial value for the kill
character is taken to be the terminal's ssttaarrtt charac-
ter.
ssttoopp If the TELNET TOGGLE-FLOW-CONTROL option has been en-
abled, then this character is taken to be the termi-
nal's ssttoopp character. The initial value for the kill
character is taken to be the terminal's ssttoopp charac-
ter.
ssuusspp If tteellnneett is in llooccaallcchhaarrss mode, or LINEMODE is en-
abled, and the ssuussppeenndd character is typed, a TELNET
SUSP sequence (see sseenndd ssuusspp above) is sent to the re-
mote host. The initial value for the suspend charac-
ter is taken to be the terminal's ssuussppeenndd character.
ttrraacceeffiillee
This is the file to which the output, caused by
nneettddaattaa or ooppttiioonn tracing being TRUE, will be written.
If it is set to ``--'', then tracing information will
be written to standard output (the default).
wwoorrddeerraassee
If tteellnneett is operating in LINEMODE or ``old line by
line`` mode, then this character is taken to be the
terminal's wwoorrddeerraassee character. The initial value for
the worderase character is taken to be the terminal's
wwoorrddeerraassee character.
?? Displays the legal sseett (uunnsseett) commands.
ssllcc _s_t_a_t_e The ssllcc command (Set Local Characters) is used to set or
change the state of the the special characters when the TELNET
LINEMODE option has been enabled. Special characters are
characters that get mapped to TELNET commands sequences (like
iipp or qquuiitt) or line editing characters (like eerraassee and kkiillll).
By default, the local special characters are exported.
cchheecckk Verify the current settings for the current spe-
cial characters. The remote side is requested to
send all the current special character settings,
and if there are any discrepancies with the local
side, the local side will switch to the remote
value.
eexxppoorrtt Switch to the local defaults for the special char-
acters. The local default characters are those of
the local terminal at the time when tteellnneett was
started.
iimmppoorrtt Switch to the remote defaults for the special
characters. The remote default characters are
those of the remote system at the time when the
TELNET connection was established.
?? Prints out help information for the ssllcc command.
ssttaattuuss Show the current status of tteellnneett. This includes the peer one
is connected to, as well as the current mode.
ttooggggllee _a_r_g_u_m_e_n_t_s _._._.
Toggle (between TRUE and FALSE) various flags that control how
tteellnneett responds to events. These flags may be set explicitly
to TRUE or FALSE using the sseett and uunnsseett commands listed
above. More than one argument may be specified. The state of
these flags may be interrogated with the ddiissppllaayy command.
Valid arguments are:
aauutthhddeebbuugg Turns on debugging information for the authenti-
cation code.
aauuttoofflluusshh If aauuttoofflluusshh and llooccaallcchhaarrss are both TRUE, then
when the aaoo, or qquuiitt characters are recognized
(and transformed into TELNET sequences; see sseett
above for details), tteellnneett refuses to display
any data on the user's terminal until the remote
system acknowledges (via a TELNET TIMING MARK
option) that it has processed those TELNET se-
quences. The initial value for this toggle is
TRUE if the terminal user had not done an "stty
noflsh", otherwise FALSE (see stty(1)).
aauuttooddeeccrryypptt When the TELNET ENCRYPT option is negotiated, by
default the actual encryption (decryption) of
the data stream does not start automatically.
The autoencrypt (autodecrypt) command states
that encryption of the output (input) stream
should be enabled as soon as possible.
Note: Because of export controls, the TELNET
ENCRYPT option is not supported outside the
United States and Canada.
aauuttoollooggiinn If the remote side supports the TELNET
AUTHENTICATION option TELNET attempts to use it
to perform automatic authentication. If the
AUTHENTICATION option is not supported, the us-
er's login name are propagated through the
TELNET ENVIRON option. This command is the same
as specifying _a option on the ooppeenn command.
aauuttoossyynncchh If aauuttoossyynncchh and llooccaallcchhaarrss are both TRUE, then
when either the iinnttrr or qquuiitt characters is typed
(see sseett above for descriptions of the iinnttrr and
qquuiitt characters), the resulting TELNET sequence
sent is followed by the TELNET SYNCH sequence.
This procedure sshhoouulldd cause the remote system to
begin throwing away all previously typed input
until both of the TELNET sequences have been
read and acted upon. The initial value of this
toggle is FALSE.
bbiinnaarryy Enable or disable the TELNET BINARY option on
both input and output.
iinnbbiinnaarryy Enable or disable the TELNET BINARY option on
input.
oouuttbbiinnaarryy Enable or disable the TELNET BINARY option on
output.
ccrrllff If this is TRUE, then carriage returns will be
sent as <CR><LF>. If this is FALSE, then car-
riage returns will be send as <CR><NUL>. The
initial value for this toggle is FALSE.
ccrrmmoodd Toggle carriage return mode. When this mode is
enabled, most carriage return characters re-
ceived from the remote host will be mapped into
a carriage return followed by a line feed. This
mode does not affect those characters typed by
the user, only those received from the remote
host. This mode is not very useful unless the
remote host only sends carriage return, but nev-
er line feed. The initial value for this toggle
is FALSE.
ddeebbuugg Toggles socket level debugging (useful only to
the ssuuppeerr uusseerr). The initial value for this tog-
gle is FALSE.
eennccddeebbuugg Turns on debugging information for the encryp-
tion code.
llooccaallcchhaarrss If this is TRUE, then the fflluusshh, iinntteerrrruupptt,
qquuiitt, eerraassee, and kkiillll characters (see sseett above)
are recognized locally, and transformed into
(hopefully) appropriate TELNET control sequences
(respectively aaoo, iipp, bbrrkk, eecc, and eell; see sseenndd
above). The initial value for this toggle is
TRUE in ``old line by line'' mode, and FALSE in
``character at a time'' mode. When the LINEMODE
option is enabled, the value of llooccaallcchhaarrss is
ignored, and assumed to always be TRUE. If
LINEMODE has ever been enabled, then qquuiitt is
sent as aabboorrtt, and eeooff aanndd are sent as eeooff aanndd
ssuusspp, see sseenndd above).
nneettddaattaa Toggles the display of all network data (in hex-
adecimal format). The initial value for this
toggle is FALSE.
ooppttiioonnss Toggles the display of some internal tteellnneett pro-
tocol processing (having to do with TELNET op-
tions). The initial value for this toggle is
FALSE.
pprreettttyydduummpp When the nneettddaattaa toggle is enabled, if
pprreettttyydduummpp is enabled the output from the
nneettddaattaa command will be formatted in a more user
readable format. Spaces are put between each
character in the output, and the beginning of
any TELNET escape sequence is preceded by a '*'
to aid in locating them.
sskkiipprrcc When the skiprc toggle is TRUE, TELNET skips the
reading of the _._t_e_l_n_e_t_r_c file in the users home
directory when connections are opened. The ini-
tial value for this toggle is FALSE.
tteerrmmddaattaa Toggles the display of all terminal data (in
hexadecimal format). The initial value for this
toggle is FALSE.
vveerrbboossee__eennccrryypptt
When the vveerrbboossee__eennccrryypptt toggle is TRUE, TELNET
prints out a message each time encryption is en-
abled or disabled. The initial value for this
toggle is FALSE. Note: Because of export con-
trols, data encryption is not supported outside
of the United States and Canada.
?? Displays the legal ttooggggllee commands.
zz Suspend tteellnneett. This command only works when the user is using
the csh(1).
!! [_c_o_m_m_a_n_d]
Execute a single command in a subshell on the local system.
If ccoommmmaanndd is omitted, then an interactive subshell is in-
voked.
?? [_c_o_m_m_a_n_d]
Get help. With no arguments, tteellnneett prints a help summary.
If a command is specified, tteellnneett will print the help informa-
tion for just that command.
EENNVVIIRROONNMMEENNTT
TTeellnneett uses at least the HOME, SHELL, DISPLAY, and TERM environment vari-
ables. Other environment variables may be propagated to the other side
via the TELNET ENVIRON option.
FFIILLEESS
~/.telnetrc user customized telnet startup values
HHIISSTTOORRYY
The TTeellnneett command appeared in 4.2BSD.
NNOOTTEESS
On some remote systems, echo has to be turned off manually when in ``old
line by line'' mode.
In ``old line by line'' mode or LINEMODE the terminal's eeooff character is
only recognized (and sent to the remote system) when it is the first
character on a line.
4.2 Berkeley Distribution June 1, 1994 11
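Review bot: The removed telnet(1) page is inconsistent about the escape character, which matters if the source it was generated from is now the only copy: the command-mode paragraph gives it as ``^]'', the send escape entry as ``^'', and the set escape entry as ``^[''. Please check that the telnet.1 source reads the same in all three places. Two smaller points for the same check: the start and stop entries both say "The initial value for the kill character", and -X takes authtype in the synopsis but atype in the option list.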

View File

@ -1,297 +0,0 @@
TELNETD(8) System Manager's Manual TELNETD(8)
NNAAMMEE
tteellnneettdd - DARPA TELNET protocol server
SSYYNNOOPPSSIISS
tteellnneettdd [--BBUUhhkkllnn] [--DD _d_e_b_u_g_m_o_d_e] [--SS _t_o_s] [--XX _a_u_t_h_t_y_p_e] [--aa _a_u_t_h_m_o_d_e]
[--rr_l_o_w_p_t_y_-_h_i_g_h_p_t_y] [--uu _l_e_n] [--ddeebbuugg] [--LL _/_b_i_n_/_l_o_g_i_n] [_p_o_r_t]
DDEESSCCRRIIPPTTIIOONN
The tteellnneettdd command is a server which supports the DARPA standard TELNET
virtual terminal protocol. TTeellnneettdd is normally invoked by the internet
server (see inetd(8)) for requests to connect to the TELNET port as in-
dicated by the _/_e_t_c_/_s_e_r_v_i_c_e_s file (see services(5)). The --ddeebbuugg option
may be used to start up tteellnneettdd manually, instead of through inetd(8).
If started up this way, _p_o_r_t may be specified to run tteellnneettdd on an alter-
nate TCP port number.
The tteellnneettdd command accepts the following options:
--aa _a_u_t_h_m_o_d_e This option may be used for specifying what mode should be
used for authentication. Note that this option is only use-
ful if tteellnneettdd has been compiled with support for the
AUTHENTICATION option. There are several valid values for
_a_u_t_h_m_o_d_e_:
debug Turns on authentication debugging code.
user Only allow connections when the remote user can pro-
vide valid authentication information to identify the
remote user, and is allowed access to the specified
account without providing a password.
valid Only allow connections when the remote user can pro-
vide valid authentication information to identify the
remote user. The login(1) command will provide any
additional user verification needed if the remote us-
er is not allowed automatic access to the specified
account.
other Only allow connections that supply some authentica-
tion information. This option is currently not sup-
ported by any of the existing authentication mecha-
nisms, and is thus the same as specifying --aa vvaalliidd.
otp Only allow authenticated connections (as with --aa
uusseerr) and also logins with one-time passwords (OTPs).
This option will call login with an option so that
only OTPs are accepted. The user can of course still
type secret information at the prompt.
none This is the default state. Authentication informa-
tion is not required. If no or insufficient authen-
tication information is provided, then the login(1)
program will provide the necessary user verification.
off This disables the authentication code. All user ver-
ification will happen through the login(1) program.
--BB Ignored.
--DD _d_e_b_u_g_m_o_d_e
This option may be used for debugging purposes. This allows
tteellnneettdd to print out debugging information to the connec-
tion, allowing the user to see what tteellnneettdd is doing. There
are several possible values for _d_e_b_u_g_m_o_d_e_:
ooppttiioonnss Prints information about the negotiation of TELNET
options.
rreeppoorrtt Prints the ooppttiioonnss information, plus some addi-
tional information about what processing is going
on.
nneettddaattaa Displays the data stream received by tteellnneettdd..
ppttyyddaattaa Displays data written to the pty.
eexxeerrcciissee Has not been implemented yet.
--hh Disables the printing of host-specific information before
login has been completed.
--kk
--ll Ignored.
--nn Disable TCP keep-alives. Normally tteellnneettdd enables the TCP
keep-alive mechanism to probe connections that have been
idle for some period of time to determine if the client is
still there, so that idle connections from machines that
have crashed or can no longer be reached may be cleaned up.
--rr _l_o_w_p_t_y_-_h_i_g_h_p_t_y
This option is only enabled when tteellnneettdd is compiled for
UNICOS. It specifies an inclusive range of pseudo-terminal
devices to use. If the system has sysconf variable
_SC_CRAY_NPTY configured, the default pty search range is 0
to _SC_CRAY_NPTY; otherwise, the default range is 0 to 128.
Either _l_o_w_p_t_y or _h_i_g_h_p_t_y may be omitted to allow changing
either end of the search range. If _l_o_w_p_t_y is omitted, the -
character is still required so that tteellnneettdd can differenti-
ate _h_i_g_h_p_t_y from _l_o_w_p_t_y.
--SS _t_o_s
--uu _l_e_n This option is used to specify the size of the field in the
utmp structure that holds the remote host name. If the re-
solved host name is longer than _l_e_n, the dotted decimal val-
ue will be used instead. This allows hosts with very long
host names that overflow this field to still be uniquely
identified. Specifying --uu00 indicates that only dotted deci-
mal addresses should be put into the _u_t_m_p file.
--UU This option causes tteellnneettdd to refuse connections from ad-
dresses that cannot be mapped back into a symbolic name via
the gethostbyaddr(3) routine.
--XX _a_u_t_h_t_y_p_e This option is only valid if tteellnneettdd has been built with
support for the authentication option. It disables the use
of _a_u_t_h_t_y_p_e authentication, and can be used to temporarily
disable a specific authentication type without having to re-
compile tteellnneettdd.
--LL --ppaatthhnnaammee
Specify pathname to an alternative login program.
TTeellnneettdd operates by allocating a pseudo-terminal device (see pty(4)) for
a client, then creating a login process which has the slave side of the
pseudo-terminal as stdin, stdout and stderr. TTeellnneettdd manipulates the mas-
ter side of the pseudo-terminal, implementing the TELNET protocol and
passing characters between the remote client and the login process.
When a TELNET session is started up, tteellnneettdd sends TELNET options to the
client side indicating a willingness to do the following TELNET options,
which are described in more detail below:
DO AUTHENTICATION
WILL ENCRYPT
DO TERMINAL TYPE
DO TSPEED
DO XDISPLOC
DO NEW-ENVIRON
DO ENVIRON
WILL SUPPRESS GO AHEAD
DO ECHO
DO LINEMODE
DO NAWS
WILL STATUS
DO LFLOW
DO TIMING-MARK
The pseudo-terminal allocated to the client is configured to operate in
cooked mode, and with XTABS and CRMOD enabled (see tty(4)).
TTeellnneettdd has support for enabling locally the following TELNET options:
WILL ECHO When the LINEMODE option is enabled, a WILL ECHO or
WONT ECHO will be sent to the client to indicate the
current state of terminal echoing. When terminal echo
is not desired, a WILL ECHO is sent to indicate that
telnetd will take care of echoing any data that needs
to be echoed to the terminal, and then nothing is
echoed. When terminal echo is desired, a WONT ECHO is
sent to indicate that telnetd will not be doing any
terminal echoing, so the client should do any terminal
echoing that is needed.
WILL BINARY Indicates that the client is willing to send a 8 bits
of data, rather than the normal 7 bits of the Network
Virtual Terminal.
WILL SGA Indicates that it will not be sending IAC GA, go
ahead, commands.
WILL STATUS Indicates a willingness to send the client, upon re-
quest, of the current status of all TELNET options.
WILL TIMING-MARK Whenever a DO TIMING-MARK command is received, it is
always responded to with a WILL TIMING-MARK
WILL LOGOUT When a DO LOGOUT is received, a WILL LOGOUT is sent in
response, and the TELNET session is shut down.
WILL ENCRYPT Only sent if tteellnneettdd is compiled with support for data
encryption, and indicates a willingness to decrypt the
data stream.
TTeellnneettdd has support for enabling remotely the following TELNET options:
DO BINARY Sent to indicate that telnetd is willing to receive an
8 bit data stream.
DO LFLOW Requests that the client handle flow control charac-
ters remotely.
DO ECHO This is not really supported, but is sent to identify
a 4.2BSD telnet(1) client, which will improperly re-
spond with WILL ECHO. If a WILL ECHO is received, a
DONT ECHO will be sent in response.
DO TERMINAL-TYPE Indicates a desire to be able to request the name of
the type of terminal that is attached to the client
side of the connection.
DO SGA Indicates that it does not need to receive IAC GA, the
go ahead command.
DO NAWS Requests that the client inform the server when the
window (display) size changes.
DO TERMINAL-SPEED Indicates a desire to be able to request information
about the speed of the serial line to which the client
is attached.
DO XDISPLOC Indicates a desire to be able to request the name of
the X windows display that is associated with the tel-
net client.
DO NEW-ENVIRON Indicates a desire to be able to request environment
variable information, as described in RFC 1572.
DO ENVIRON Indicates a desire to be able to request environment
variable information, as described in RFC 1408.
DO LINEMODE Only sent if tteellnneettdd is compiled with support for
linemode, and requests that the client do line by line
processing.
DO TIMING-MARK Only sent if tteellnneettdd is compiled with support for both
linemode and kludge linemode, and the client responded
with WONT LINEMODE. If the client responds with WILL
TM, the it is assumed that the client supports kludge
linemode. Note that the [--kk] option can be used to
disable this.
DO AUTHENTICATION Only sent if tteellnneettdd is compiled with support for au-
thentication, and indicates a willingness to receive
authentication information for automatic login.
DO ENCRYPT Only sent if tteellnneettdd is compiled with support for data
encryption, and indicates a willingness to decrypt the
data stream.
EENNVVIIRROONNMMEENNTT
FFIILLEESS
_/_e_t_c_/_s_e_r_v_i_c_e_s
_/_e_t_c_/_i_n_i_t_t_a_b (UNICOS systems only)
_/_e_t_c_/_i_p_t_o_s (if supported)
SSEEEE AALLSSOO
telnet(1), login(1)
SSTTAANNDDAARRDDSS
RRFFCC--885544 TELNET PROTOCOL SPECIFICATION
RRFFCC--885555 TELNET OPTION SPECIFICATIONS
RRFFCC--885566 TELNET BINARY TRANSMISSION
RRFFCC--885577 TELNET ECHO OPTION
RRFFCC--885588 TELNET SUPPRESS GO AHEAD OPTION
RRFFCC--885599 TELNET STATUS OPTION
RRFFCC--886600 TELNET TIMING MARK OPTION
RRFFCC--886611 TELNET EXTENDED OPTIONS - LIST OPTION
RRFFCC--888855 TELNET END OF RECORD OPTION
RRFFCC--11007733 Telnet Window Size Option
RRFFCC--11007799 Telnet Terminal Speed Option
RRFFCC--11009911 Telnet Terminal-Type Option
RRFFCC--11009966 Telnet X Display Location Option
RRFFCC--11112233 Requirements for Internet Hosts -- Application and Support
RRFFCC--11118844 Telnet Linemode Option
RRFFCC--11337722 Telnet Remote Flow Control Option
RRFFCC--11441166 Telnet Authentication Option
RRFFCC--11441111 Telnet Authentication: Kerberos Version 4
RRFFCC--11441122 Telnet Authentication: SPX
RRFFCC--11557711 Telnet Environment Option Interoperability Issues
RRFFCC--11557722 Telnet Environment Option
BBUUGGSS
Some TELNET commands are only partially implemented.
Because of bugs in the original 4.2 BSD telnet(1), tteellnneettdd performs some
dubious protocol exchanges to try to discover if the remote client is, in
fact, a 4.2 BSD telnet(1).
Binary mode has no common interpretation except between similar operating
systems (Unix in this case).
The terminal type name received from the remote client is converted to
lower case.
TTeellnneettdd never sends TELNET IAC GA (go ahead) commands.
4.2 Berkeley Distribution June 1, 1994 5
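Review bot: In the options list of this deleted page, -k and -S tos have no description at all and the ENVIRONMENT heading is empty. Because this copy is formatter output, those gaps presumably come from the manual source and should be fixed there rather than disappear from view with this deletion. The same goes for the DO ENCRYPT entry, which repeats the WILL ENCRYPT wording ("a willingness to decrypt the data stream"), and for "the it is assumed" under DO TIMING-MARK. The commit message should also state that the unformatted telnetd source stays in the tree, since this page is where the -a authentication modes and the "none" default are documented.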

View File

@ -1,37 +0,0 @@
TENLETXR(1) System Reference Manual TENLETXR(1)
NNAAMMEE
tteennlleettxxrr - forward X-connections backwards.
SSYYNNOOPPSSIISS
tteennlleettxxrr [--ll _u_s_e_r_n_a_m_e] [--kk] _h_o_s_t [_p_o_r_t]
DDEESSCCRRIIPPTTIIOONN
The tteennlleettxxrr program enables forwarding of X-connections from this ma-
chine to host _h_o_s_t. If _p_o_r_t is given, that port will be used instead of
the default.
The supported options are:
--ll Log in on the remote host as user _u_s_e_r_n_a_m_e
--kk Disables keep-alives.
EEXXAAMMPPLLEE
To login from host _f_o_o to host _b_a_r (where your display is), you might do
the following.
1. On foo: tteennlleettxxrr _b_a_r
2. You will get a new shell where you will be able to start X clients
that will show their windows on _b_a_r.
BBUUGGSS
It currently checks if you have permission to run it by checking if you
own _/_d_e_v_/_c_o_n_s_o_l_e on the remote host.
SSEEEE AALLSSOO
rxtelnet(1), rxterm(1), kx(1), kxd(8), telnet(1)
KTH_KRB March 31, 1997 1
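Review bot: The BUGS paragraph at the end of this page is the only statement in these lines of how tenletxr decides who may run it (ownership of /dev/console on the remote host), so confirm that the unformatted source carries that paragraph before the formatted copy is dropped. In the options list, -l appears without its argument although the synopsis gives "-l username"; that is worth correcting in the source at the same time.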

View File

@ -1,132 +0,0 @@
TTFF__UUTTIILL((33)) MMIITT PPrroojjeecctt AAtthheennaa TTFF__UUTTIILL((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
NNAAMMEE
tf_init, tf_get_pname, tf_get_pinst, tf_get_cred, tf_close - Routines
for manipulating a Kerberos ticket file
SSYYNNOOPPSSIISS
##iinncclluuddee <<kkrrbb..hh>>
eexxtteerrnn cchhaarr **kkrrbb__eerrrr__ttxxtt[[]];;
ttff__iinniitt((ttff__nnaammee,, rrww))
cchhaarr **ttff__nnaammee;;
iinntt rrww;;
ttff__ggeett__ppnnaammee((ppnnaammee))
cchhaarr **ppnnaammee;;
ttff__ggeett__ppiinnsstt((ppiinnsstt))
cchhaarr **ppiinnsstt;;
ttff__ggeett__ccrreedd((cc))
CCRREEDDEENNTTIIAALLSS **cc;;
ttff__cclloossee(())
DDEESSCCRRIIPPTTIIOONN
This group of routines are provided to manipulate the Kerberos tickets
file. A ticket file has the following format:
principal's name (null-terminated string)
principal's instance (null-terminated string)
CREDENTIAL_1
CREDENTIAL_2
...
CREDENTIAL_n
EOF
Where "CREDENTIAL_x" consists of the following fixed-length
fields from the CREDENTIALS structure (defined in <krb.h>):
char service[ANAME_SZ]
char instance[INST_SZ]
char realm[REALM_SZ]
des_cblock session
int lifetime
int kvno
KTEXT_ST ticket_st
long issue_date
_t_f___i_n_i_t must be called before the other ticket file routines. It
takes the name of the ticket file to use, and a read/write flag as
- 1 - Formatted: March 12, 2000
TTFF__UUTTIILL((33)) MMIITT PPrroojjeecctt AAtthheennaa TTFF__UUTTIILL((33))
KKeerrbbeerrooss VVeerrssiioonn 44..00
arguments. It tries to open the ticket file, checks the mode and if
everything is okay, locks the file. If it's opened for reading, the
lock is shared. If it's opened for writing, the lock is exclusive.
KSUCCESS is returned if all went well, otherwise one of the following:
NO_TKT_FIL - file wasn't there
TKT_FIL_ACC - file was in wrong mode, etc.
TKT_FIL_LCK - couldn't lock the file, even after a retry
The _t_f___g_e_t___p_n_a_m_e reads the principal's name from a ticket file. It
should only be called after tf_init has been called. The principal's
name is filled into the _p_n_a_m_e parameter. If all goes well, KSUCCESS
is returned. If tf_init wasn't called, TKT_FIL_INI is returned. If
the principal's name was null, or EOF was encountered, or the name was
longer than ANAME_SZ, TKT_FIL_FMT is returned.
The _t_f___g_e_t___p_i_n_s_t reads the principal's instance from a ticket file.
It should only be called after tf_init and tf_get_pname have been
called. The principal's instance is filled into the _p_i_n_s_t parameter.
If all goes well, KSUCCESS is returned. If tf_init wasn't called,
TKT_FIL_INI is returned. If EOF was encountered, or the name was
longer than INST_SZ, TKT_FIL_FMT is returned. Note that, unlike the
principal name, the instance name may be null.
The _t_f___g_e_t___c_r_e_d routine reads a CREDENTIALS record from a ticket file
and fills in the given structure. It should only be called after
tf_init, tf_get_pname, and tf_get_pinst have been called. If all goes
well, KSUCCESS is returned. Possible error codes are:
TKT_FIL_INI - tf_init wasn't called first
TKT_FIL_FMT - bad format
EOF - end of file encountered
_t_f___c_l_o_s_e closes the ticket file and releases the lock on it.
SSEEEE AALLSSOO
krb(3)
DDIIAAGGNNOOSSTTIICCSS
BBUUGGSS
The ticket file routines have to be called in a certain order.
AAUUTTHHOORRSS
Jennifer Steiner, MIT Project Athena
Bill Bryant, MIT Project Athena
RREESSTTRRIICCTTIIOONNSS
Copyright 1987 Massachusetts Institute of Technology
- 2 - Formatted: March 12, 2000
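Review bot: The page footers in this file carry a build date ("Formatted: March 12, 2000"), which is a good reason to stop tracking this output. The commit message would be clearer if it said so and named how the formatted pages are produced from now on. Two points to carry over to the source: the DIAGNOSTICS heading is empty, and the tf_init description says it "checks the mode" and returns TKT_FIL_ACC when the "file was in wrong mode, etc." without stating which mode is required, which is the detail a reader needs for a file that holds session keys and tickets.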