Spelling, From Måns Nilsson.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16364 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
@@ -13,7 +13,7 @@
|
||||
@section Authentication modules
|
||||
|
||||
The problem of having different authentication mechanisms has been
|
||||
recognised by several vendors, and several solutions has appeared. In
|
||||
recognised by several vendors, and several solutions have appeared. In
|
||||
most cases these solutions involve some kind of shared modules that are
|
||||
loaded at run-time. Modules for some of these systems can be found in
|
||||
@file{lib/auth}. Presently there are modules for Digital's SIA,
|
||||
@@ -29,7 +29,7 @@ and IRIX' @code{login} and @code{xdm} (in
|
||||
@subsection Digital SIA
|
||||
|
||||
How to install the SIA module depends on which OS version you're
|
||||
running. Tru64 5.0 have a new command, @file{siacfg}, which makes this
|
||||
running. Tru64 5.0 has a new command, @file{siacfg}, which makes this
|
||||
process quite simple. If you have this program, you should just be able
|
||||
to run:
|
||||
@example
|
||||
@@ -85,7 +85,7 @@ Dtlogin.exportList: KRB5CCNAME
|
||||
|
||||
@subsubheading Notes to users with Enhanced security
|
||||
|
||||
Digital's @samp{ENHANCED} (C2) security, and Kerberos solves two
|
||||
Digital's @samp{ENHANCED} (C2) security, and Kerberos solve two
|
||||
different problems. C2 deals with local security, adds better control of
|
||||
who can do what, auditing, and similar things. Kerberos deals with
|
||||
network security.
|
||||
@@ -104,13 +104,13 @@ giving your C2 password. To do this use @samp{edauth} to edit the
|
||||
default entry @kbd{/usr/tcb/bin/edauth -dd default}, and add a
|
||||
@samp{d_accept_alternate_vouching} capability, if not already present.
|
||||
@item
|
||||
For each user that does @emph{not} have a local C2 password, you should
|
||||
For each user who does @emph{not} have a local C2 password, you should
|
||||
set the password expiration field to zero. You can do this for each
|
||||
user, or in the @samp{default} table. To do this use @samp{edauth} to
|
||||
set (or change) the @samp{u_exp} capability to @samp{u_exp#0}.
|
||||
@item
|
||||
You also need to be aware that the shipped @file{login}, @file{rcp}, and
|
||||
@file{rshd}, doesn't do any particular C2 magic (such as checking to
|
||||
@file{rshd}, don't do any particular C2 magic (such as checking for
|
||||
various forms of disabled accounts), so if you rely on those features,
|
||||
you shouldn't use those programs. If you configure with
|
||||
@samp{--enable-osfc2}, these programs will, however, set the login
|
||||
@@ -146,14 +146,14 @@ The @file{afskauthlib.so} itself is able to reside in
|
||||
@file{/usr/vice/etc}, @file{/usr/afsws/lib}, or the current directory
|
||||
(wherever that is).
|
||||
|
||||
IRIX 6.4 and newer seems to have all programs (including @command{xdm} and
|
||||
IRIX 6.4 and newer seem to have all programs (including @command{xdm} and
|
||||
@command{login}) in the N32 object format, whereas in older versions they
|
||||
were O32. For it to work, the @file{afskauthlib.so} library has to be in
|
||||
the same object format as the program that tries to load it. This might
|
||||
require that you have to configure and build for O32 in addition to the
|
||||
default N32.
|
||||
|
||||
Appart from this it should ``just work'', there are no configuration
|
||||
Appart from this it should ``just work''; there are no configuration
|
||||
files.
|
||||
|
||||
Note that recent Irix 6.5 versions (at least 6.5.22) have PAM,
|
||||
@@ -189,7 +189,7 @@ is the enctype that will be converted.
|
||||
|
||||
@subsection How to convert a srvtab to a KeyFile
|
||||
|
||||
You need a @file{/usr/vice/etc/ThisCell} containing the cellname of you
|
||||
You need a @file{/usr/vice/etc/ThisCell} containing the cellname of your
|
||||
AFS-cell.
|
||||
|
||||
@file{ktutil copy krb4:/root/afs-srvtab AFSKEYFILE:/usr/afs/etc/KeyFile}.
|
||||
@@ -208,16 +208,16 @@ encryption types.
|
||||
|
||||
Its only possible (in all cases) to do this for DES encryption types
|
||||
because only then the token (the AFS equivalent of a ticket) will be
|
||||
be smaller than the maximum size that can fit in the token cache in
|
||||
OpenAFS/Transarc client. Its so tight fit that some extra wrapping on
|
||||
the ASN1/DER encoding is removed from the Kerberos ticket.
|
||||
smaller than the maximum size that can fit in the token cache in the
|
||||
OpenAFS/Transarc client. It is a so tight fit that some extra wrapping
|
||||
on the ASN1/DER encoding is removed from the Kerberos ticket.
|
||||
|
||||
2b uses a Kerberos 5 EncTicketPart instead of a Kerberos 4 ditto for
|
||||
the part of the ticket that is encrypted with the service's key. The
|
||||
client doesn't know what's inside the encrypted data so to the client
|
||||
it doesn't matter.
|
||||
|
||||
To differentiate between Kerberos 4 tickets and Kerberos 5 tickets 2b
|
||||
To differentiate between Kerberos 4 tickets and Kerberos 5 tickets, 2b
|
||||
uses a special kvno, 213 for 2b tokens and 255 for Kerberos 5 tokens.
|
||||
|
||||
Its a requirement that all AFS servers that support 2b also support
|
||||
|
||||
Reference in New Issue
Block a user