diff --git a/doc/apps.texi b/doc/apps.texi index 47ea3f695..82ab5d0d0 100644 --- a/doc/apps.texi +++ b/doc/apps.texi @@ -13,7 +13,7 @@ @section Authentication modules The problem of having different authentication mechanisms has been -recognised by several vendors, and several solutions has appeared. In +recognised by several vendors, and several solutions have appeared. In most cases these solutions involve some kind of shared modules that are loaded at run-time. Modules for some of these systems can be found in @file{lib/auth}. Presently there are modules for Digital's SIA, @@ -29,7 +29,7 @@ and IRIX' @code{login} and @code{xdm} (in @subsection Digital SIA How to install the SIA module depends on which OS version you're -running. Tru64 5.0 have a new command, @file{siacfg}, which makes this +running. Tru64 5.0 has a new command, @file{siacfg}, which makes this process quite simple. If you have this program, you should just be able to run: @example @@ -85,7 +85,7 @@ Dtlogin.exportList: KRB5CCNAME @subsubheading Notes to users with Enhanced security -Digital's @samp{ENHANCED} (C2) security, and Kerberos solves two +Digital's @samp{ENHANCED} (C2) security, and Kerberos solve two different problems. C2 deals with local security, adds better control of who can do what, auditing, and similar things. Kerberos deals with network security. 
@@ -104,13 +104,13 @@ giving your C2 password. To do this use @samp{edauth} to edit the default entry @kbd{/usr/tcb/bin/edauth -dd default}, and add a @samp{d_accept_alternate_vouching} capability, if not already present. @item -For each user that does @emph{not} have a local C2 password, you should +For each user who does @emph{not} have a local C2 password, you should set the password expiration field to zero. You can do this for each user, or in the @samp{default} table. To do this use @samp{edauth} to set (or change) the @samp{u_exp} capability to @samp{u_exp#0}. @item You also need to be aware that the shipped @file{login}, @file{rcp}, and -@file{rshd}, doesn't do any particular C2 magic (such as checking to +@file{rshd}, don't do any particular C2 magic (such as checking for various forms of disabled accounts), so if you rely on those features, you shouldn't use those programs. If you configure with @samp{--enable-osfc2}, these programs will, however, set the login @@ -146,14 +146,14 @@ The @file{afskauthlib.so} itself is able to reside in @file{/usr/vice/etc}, @file{/usr/afsws/lib}, or the current directory (wherever that is). -IRIX 6.4 and newer seems to have all programs (including @command{xdm} and +IRIX 6.4 and newer seem to have all programs (including @command{xdm} and @command{login}) in the N32 object format, whereas in older versions they were O32. For it to work, the @file{afskauthlib.so} library has to be in the same object format as the program that tries to load it. This might require that you have to configure and build for O32 in addition to the default N32. -Appart from this it should ``just work'', there are no configuration +Appart from this it should ``just work''; there are no configuration files. Note that recent Irix 6.5 versions (at least 6.5.22) have PAM, 
@@ -189,7 +189,7 @@ is the enctype that will be converted. @subsection How to convert a srvtab to a KeyFile -You need a @file{/usr/vice/etc/ThisCell} containing the cellname of you +You need a @file{/usr/vice/etc/ThisCell} containing the cellname of your AFS-cell. @file{ktutil copy krb4:/root/afs-srvtab AFSKEYFILE:/usr/afs/etc/KeyFile}. @@ -208,16 +208,16 @@ encryption types. Its only possible (in all cases) to do this for DES encryption types because only then the token (the AFS equivalent of a ticket) will be -be smaller than the maximum size that can fit in the token cache in -OpenAFS/Transarc client. Its so tight fit that some extra wrapping on -the ASN1/DER encoding is removed from the Kerberos ticket. +smaller than the maximum size that can fit in the token cache in the +OpenAFS/Transarc client. It is a so tight fit that some extra wrapping +on the ASN1/DER encoding is removed from the Kerberos ticket. 2b uses a Kerberos 5 EncTicketPart instead of a Kerberos 4 ditto for the part of the ticket that is encrypted with the service's key. The client doesn't know what's inside the encrypted data so to the client it doesn't matter. -To differentiate between Kerberos 4 tickets and Kerberos 5 tickets 2b +To differentiate between Kerberos 4 tickets and Kerberos 5 tickets, 2b uses a special kvno, 213 for 2b tokens and 255 for Kerberos 5 tokens. Its a requirement that all AFS servers that support 2b also support
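Review bot: In the @@ -85,7 +85,7 @@ hunk ("Notes to users with Enhanced security"), the comma in "security, and Kerberos solve two" now separates a compound subject from its plural verb. Drop it so the line reads "Digital's @samp{ENHANCED} (C2) security and Kerberos solve two".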
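Review bot: In the @@ -104,13 +104,13 @@ hunk, the new line "@file{rshd}, don't do any particular C2 magic" keeps the comma between the list of programs and its verb. Now that the verb agrees with the plural subject, remove the comma after @file{rshd} so the sentence reads as one clause.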
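Review bot: In the @@ -146,14 +146,14 @@ hunk, the rewritten line still starts with the misspelling "Appart"; since the line is already being touched for the semicolon, change it to "Apart". The trailing context line also writes "Irix 6.5" while the rest of the hunk uses "IRIX", which could be made consistent in the same pass.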
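Review bot: In the @@ -208,16 +208,16 @@ hunk, the new wording "It is a so tight fit that some extra wrapping" is still ungrammatical; "It is such a tight fit that" reads correctly. The unchanged context lines "Its only possible (in all cases)" and "Its a requirement that all AFS servers" carry the same "Its" for "It's" error that this hunk corrects once, so they are worth fixing in the same patch.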