remove refernces to kerberos 4 and kaserver

2011-10-12 12:25:10 +02:00
parent 4c6976a6bd
commit 8192b9ed35
7 changed files with 6 additions and 106 deletions
--- a/doc/heimdal.texi
+++ b/doc/heimdal.texi
@@ -84,7 +84,6 @@ Setting up a realm
 * Creating the database::       
 * Modifying the database::      
 * keytabs::                     
-* Serving Kerberos 4/524/kaserver::  
 * Remote administration::       
 * Password changing::           
 * Testing clients and servers::  
--- a/doc/intro.texi
+++ b/doc/intro.texi
@@ -57,8 +57,7 @@ a library @file{libkafs} for authenticating to AFS and a program
@item
 some simple test programs
@item
-a KDC that supports most things; optionally, it may also support
-Kerberos V4 and kaserver,
+a KDC that supports most things,
@item
 simple programs for distributing databases between a KDC master and
 slaves
--- a/doc/kerberos4.texi
+++ b/doc/kerberos4.texi
@@ -4,18 +4,13 @@
@comment  node-name,  next,  previous,  up
@chapter Kerberos 4 issues

-The KDC has built-in version 4 support. It is not enabled by default,
-see setup how to set it up.
-
-The KDC will also have kaserver emulation and be able to handle
-AFS-clients that use @code{klog}.
+Kerberos 4 KDC and KA server have been moved.

 For more about AFS, see the section @xref{AFS}.

@menu
 * Principal conversion issues::  
 * Converting a version 4 database::  
-* kaserver::
@end menu

@node Principal conversion issues, Converting a version 4 database, Kerberos 4 issues, Kerberos 4 issues
@@ -59,7 +54,7 @@ principal exists in the database. The KDC will use
@code{krb5_425_conv_principal_ext} to convert principals when handling
 to version 4 requests.

-@node Converting a version 4 database, kaserver , Principal conversion issues, Kerberos 4 issues
+@node Converting a version 4 database, , Principal conversion issues, Kerberos 4 issues
@section Converting a version 4 database

 If you want to convert an existing version 4 database, the principal
@@ -176,39 +171,3 @@ server:
 hprop -n --source=krb4-db -d /var/kerberos/principal --master-key=/.m | hpropd -n
@end example

-@node kaserver, , Converting a version 4 database, Kerberos 4 issues
-@section kaserver
-
-@subsection kaserver emulation
-
-The Heimdal kdc can emulate a kaserver. The kaserver is a Kerberos 4
-server with pre-authentication using Rx as the on-wire protocol. The kdc
-contains a minimalistic Rx implementation.
-
-There are three parts of the kaserver; KAA (Authentication), KAT (Ticket
-Granting), and KAM (Maintenance). The KAA interface and KAT interface
-both passes over DES encrypted data-blobs (just like the
-Kerberos-protocol) and thus do not need any other protection.  The KAM
-interface uses @code{rxkad} (Kerberos authentication layer for Rx) for
-security and data protection, and is used for example for changing
-passwords.  This part is not implemented in the kdc.
-
-Another difference between the ka-protocol and the Kerberos 4 protocol
-is that the pass-phrase is salted with the cellname in the @code{string to
-key} function in the ka-protocol, while in the Kerberos 4 protocol there
-is no salting of the password at all. To make sure AFS-compatible keys
-are added to each principals when they are created or their password are
-changed, @samp{afs3-salt} should be added to
-@samp{[kadmin]default_keys}.
-
-For more about AFS, see the section @xref{AFS}.
-
-@subsection Transarc AFS Windows client
-
-The Transarc Windows client uses Kerberos 4 to obtain tokens, and thus
-does not need a kaserver. The Windows client assumes that the Kerberos
-server is on the same machine as the AFS-database server. If you do not
-like to do that you can add a small program that runs on the database
-servers that forward all kerberos requests to the real kerberos
-server. A program that does this is @code{krb-forward}
-(@url{ftp://ftp.stacken.kth.se/pub/projekts/krb-forward}).
--- a/doc/setup.texi
+++ b/doc/setup.texi
@@ -282,7 +282,7 @@ database check by run by the following command :
 kadmin -l check REALM.EXAMPLE.ORG
@end example

-@node keytabs, Serving Kerberos 4/524/kaserver, Checking the setup, Setting up a realm
+@node keytabs, Remote administration, Checking the setup, Setting up a realm
@section keytabs

 To extract a service ticket from the database and put it in a keytab, you
@@ -305,59 +305,7 @@ Version  Type             Principal
     1   des3-cbc-sha1    host/my.host.name@@MY.REALM
@end example

-@node Serving Kerberos 4/524/kaserver, Remote administration, keytabs, Setting up a realm
-@section Serving Kerberos 4/524/kaserver
-
-Heimdal can be configured to support 524, Kerberos 4 or kaserver. All
-these services are turned off by default. Kerberos 4 is always
-supported by the KDC, but the Kerberos 4 client support also depends
-on Kerberos 4 support having been included at compile-time, using
-@kbd{--with-krb4=dir}.
-
-@subsection 524
-
-524 is a service that allows the KDC to convert Kerberos 5 tickets to
-Kerberos 4 tickets for backward compatibility. See also Using 2b
-tokens with AFS in @xref{AFS}.
-
-524 can be turned on by adding this to the configuration file
-
-@example
-[kdc]
-	enable-524 = yes
-@end example
-
-@subsection Kerberos 4
-
-Kerberos 4 is the predecessor to to Kerberos 5. It only supports
-single DES@. You should only enable Kerberos 4 support if you have
-needs for compatibility with an installed base of Kerberos 4
-clients/servers.
-
-Kerberos 4 can be turned on by adding this to the configuration file
-
-@example
-[kdc]
-	enable-kerberos4 = yes
-@end example
-
-@subsection kaserver
-
-Kaserver is a Kerberos 4 that is used in AFS@.  The protocol has some
-extra features over plain Kerberos 4, but like Kerberos 4, only uses
-single DES@.
-
-You should only enable Kaserver support if you have needs for
-compatibility with an installed base of AFS machines.
-
-Kaserver can be turned on by adding this to the configuration file
-
-@example
-[kdc]
-	enable-kaserver = yes
-@end example
-
-@node Remote administration, Password changing, Serving Kerberos 4/524/kaserver, Setting up a realm
+@node Remote administration, Password changing, keytabs, Setting up a realm
@section Remote administration

 The administration server, @command{kadmind}, can be started by
--- a/kdc/kdc.8
+++ b/kdc/kdc.8
@@ -54,7 +54,6 @@
 .Fl Fl v4-realm= Ns Ar string
 .Xc
 .Oc
-.Op Fl K | Fl Fl kaserver
 .Oo Fl P Ar portspec \*(Ba Xo
 .Fl Fl ports= Ns Ar portspec
 .Xc
@@ -112,8 +111,6 @@ The default is whatever is returned by
 .Fn krb_get_lrealm .
 This option is only available if the KDC has been compiled with version
 4 support.
-.It Fl K , Fl Fl kaserver
-Enable kaserver emulation (in case it's compiled in).
 .It Fl P Ar portspec , Fl Fl ports= Ns Ar portspec
 Specifies the set of ports the KDC should listen on.
 It is given as a
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -410,8 +410,6 @@ Default is the same as
 .Va enable-kerberos4 .
 .It Li enable-http = Va BOOL
 Should the kdc answer kdc-requests over http.
-.It Li enable-kaserver = Va BOOL
-If this kdc should emulate the AFS kaserver.
 .It Li as-use-strongest-session-key = Va BOOL
 If this is TRUE then the KDC will prefer the strongest key from the
 client's AS-REQ enctype list, that is also supported by the KDC and the
--- a/lib/krb5/verify_krb5_conf.c
+++ b/lib/krb5/verify_krb5_conf.c
@@ -508,7 +508,7 @@ struct entry kdc_entries[] = {
    { "allow-null-ticket-addresses", krb5_config_string, check_boolean },
    { "allow-anonymous", krb5_config_string, check_boolean },
    { "v4_realm", krb5_config_string, NULL },
-    { "enable-kaserver", krb5_config_string, check_boolean },
+    { "enable-kaserver", krb5_config_string, check_boolean, 1 },
    { "encode_as_rep_as_tgs_rep", krb5_config_string, check_boolean },
    { "kdc_warn_pwexpire", krb5_config_string, check_time },
    { "use_2b", krb5_config_list, NULL },