diff --git a/lib/auth/sia/README b/lib/auth/sia/README deleted file mode 100644 index 0f2bed695..000000000 --- a/lib/auth/sia/README +++ /dev/null 
@@ -1,74 +0,0 @@ - ---------------------------------------------------------- - | NOTE: This code might not work as expected, especially | - | when used with C2 (aka ENHANCED) security. | - ---------------------------------------------------------- - -This is an attempt at a SIA module for Kerberos. To install this you -will have to do the following: - -* Make sure libsia_krb4.so is available in /usr/athena/lib. If - /usr/athena is not on local disk, you might want to put it in - /usr/shlib or someplace else. If you do, you'll have to edit - krb4_matrix.conf to reflect the new location. - -* Copy (your possibly edited) krb4_matrix.conf to /etc/sia. - -* Apply security.patch to /sbin/init.d/security - -* Turn on krb4 security by issuing `rcmgr set SECURITY KRB4' and - `rcmgr set KRB4_MATRIX_CONF krb4_matrix.conf' - -* Digital thinks you should reboot your machine, but that really - shouldn't be necessary. It's usually sufficient just to run - /sbin/init.d/security - -Users with local passwords (like root) should be able to login safely. - -When using Digital's xdm the KRBTKFILE environment variable doesn't -get passed along (since xdm zaps the environment). Instead you have to -set KRBTKFILE to the correct value in /usr/lib/X11/xdm/Xsession. Add a -line similar to - -KRBTKFILE=/tmp/tkt`id -u`_`ps -o ppid= -p $$`; export KRBTKFILE - -There is currently no support for changing kerberos passwords. Use -kpasswd instead. - -NOTES to users with ENHANCED security -------------------------------------- - -Digital's ENHANCED (C2) security, and Kerberos solves two different -problems. C2 deals with local security, and adds better control of who -can do what, and adds auditing and similar things. Kerberos deals with -network security. - -The C2 compatibility has not been extensively tested, simply because I -don't use C2. To make C2 security work with Kerberos you will have to -do the following. 
- -* Replace `krb4_matrix.conf' with `krb4+c2_matrix.conf' in the above - directions. - -* You must enable `vouching' in the `default' database. This will - make C2 trust other SIA modules, so you can login without giving - your C2 password. To do this use `edauth' to edit the default entry - `/usr/tcb/bin/edauth -dd default', and add a - `d_accept_alternate_vouching' capability, if not already present. - -* For each user that does *not* have a C2 password, you should set the - password expiration field to zero. You can do this for each user, or - in the `default' table. To to this use `edauth' to set (or change) - the `u_exp' capability to `u_exp#0'. - -* (optional) Change the entry for telnet in `/etc/inetd.conf' to - explicitly use Digital's login program. You can do this by adding - `-L /bin/login' at the end of the line. This way users with local - passwords will get warnings about expiring passwords and such. - -REMEMBER, if you do these changes you will get a system that most -certainly does *not* fulfill the requirements of a C2 system. If C2 is -what you want, for instance if someone else is forcing you to use it, -you're out of luck. If you use ENHANCED security because you want a -system that is more secure than it would otherwise be, you probably -got an even more secure system. Passwords will not be sent in the -clear, for instance.
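Review bot: Missing documentation for existing installs: the "NOTES to users with ENHANCED security" section at the end of this deleted README is where the `d_accept_alternate_vouching` capability and the `u_exp#0` setting are described, and once the file is gone nothing in this patch tells an administrator who followed it to revert them. A host left in that state still has C2 vouching for other SIA modules and password expiration disabled for the affected users. I would carry a short removal note into the commit message or release notes listing what the install steps changed: `rcmgr set SECURITY KRB4`, `rcmgr set KRB4_MATRIX_CONF krb4_matrix.conf`, the patched /sbin/init.d/security, the KRBTKFILE line in /usr/lib/X11/xdm/Xsession, and the two `edauth` edits. Only the README deletion is visible here, so please also confirm that krb4_matrix.conf, krb4+c2_matrix.conf and security.patch, which the README refers to, are removed in the same change rather than left behind without instructions.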