Spelling, From Måns Nilsson.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16364 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
		| @@ -13,7 +13,7 @@ | ||||
| @section Authentication modules | ||||
|  | ||||
| The problem of having different authentication mechanisms has been | ||||
| recognised by several vendors, and several solutions has appeared. In | ||||
| recognised by several vendors, and several solutions have appeared. In | ||||
| most cases these solutions involve some kind of shared modules that are | ||||
| loaded at run-time.  Modules for some of these systems can be found in | ||||
| @file{lib/auth}.  Presently there are modules for Digital's SIA, | ||||
| @@ -29,7 +29,7 @@ and IRIX' @code{login} and @code{xdm} (in | ||||
| @subsection Digital SIA | ||||
|  | ||||
| How to install the SIA module depends on which OS version you're | ||||
| running. Tru64 5.0 have a new command, @file{siacfg}, which makes this | ||||
| running. Tru64 5.0 has a new command, @file{siacfg}, which makes this | ||||
| process quite simple. If you have this program, you should just be able | ||||
| to run: | ||||
| @example | ||||
| @@ -85,7 +85,7 @@ Dtlogin.exportList:     KRB5CCNAME | ||||
|  | ||||
| @subsubheading Notes to users with Enhanced security | ||||
|  | ||||
| Digital's @samp{ENHANCED} (C2) security, and Kerberos solves two | ||||
| Digital's @samp{ENHANCED} (C2) security, and Kerberos solve two | ||||
| different problems. C2 deals with local security, adds better control of | ||||
| who can do what, auditing, and similar things. Kerberos deals with | ||||
| network security. | ||||
| @@ -104,13 +104,13 @@ giving your C2 password. To do this use @samp{edauth} to edit the | ||||
| default entry @kbd{/usr/tcb/bin/edauth -dd default}, and add a | ||||
| @samp{d_accept_alternate_vouching} capability, if not already present. | ||||
| @item | ||||
| For each user that does @emph{not} have a local C2 password, you should | ||||
| For each user who does @emph{not} have a local C2 password, you should | ||||
| set the password expiration field to zero. You can do this for each | ||||
| user, or in the @samp{default} table. To do this use @samp{edauth} to | ||||
| set (or change) the @samp{u_exp} capability to @samp{u_exp#0}. | ||||
| @item | ||||
| You also need to be aware that the shipped @file{login}, @file{rcp}, and | ||||
| @file{rshd}, doesn't do any particular C2 magic (such as checking to | ||||
| @file{rshd}, don't do any particular C2 magic (such as checking for | ||||
| various forms of disabled accounts), so if you rely on those features, | ||||
| you shouldn't use those programs. If you configure with | ||||
| @samp{--enable-osfc2}, these programs will, however, set the login | ||||
| @@ -146,14 +146,14 @@ The @file{afskauthlib.so} itself is able to reside in | ||||
| @file{/usr/vice/etc}, @file{/usr/afsws/lib}, or the current directory | ||||
| (wherever that is). | ||||
|  | ||||
| IRIX 6.4 and newer seems to have all programs (including @command{xdm} and | ||||
| IRIX 6.4 and newer seem to have all programs (including @command{xdm} and | ||||
| @command{login}) in the N32 object format, whereas in older versions they | ||||
| were O32. For it to work, the @file{afskauthlib.so} library has to be in | ||||
| the same object format as the program that tries to load it. This might | ||||
| require that you have to configure and build for O32 in addition to the | ||||
| default N32. | ||||
|  | ||||
| Appart from this it should ``just work'', there are no configuration | ||||
| Appart from this it should ``just work''; there are no configuration | ||||
| files. | ||||
|  | ||||
| Note that recent Irix 6.5 versions (at least 6.5.22) have PAM, | ||||
| @@ -189,7 +189,7 @@ is the enctype that will be converted. | ||||
|  | ||||
| @subsection How to convert a srvtab to a KeyFile | ||||
|  | ||||
| You need a @file{/usr/vice/etc/ThisCell} containing the cellname of you | ||||
| You need a @file{/usr/vice/etc/ThisCell} containing the cellname of your | ||||
| AFS-cell. | ||||
|  | ||||
| @file{ktutil copy krb4:/root/afs-srvtab AFSKEYFILE:/usr/afs/etc/KeyFile}. | ||||
| @@ -208,16 +208,16 @@ encryption types. | ||||
|  | ||||
| Its only possible (in all cases) to do this for DES encryption types | ||||
| because only then the token (the AFS equivalent of a ticket) will be | ||||
| be smaller than the maximum size that can fit in the token cache in | ||||
| OpenAFS/Transarc client. Its so tight fit that some extra wrapping on | ||||
| the ASN1/DER encoding is removed from the Kerberos ticket. | ||||
| smaller than the maximum size that can fit in the token cache in the | ||||
| OpenAFS/Transarc client. It is a so tight fit that some extra wrapping | ||||
| on the ASN1/DER encoding is removed from the Kerberos ticket. | ||||
|  | ||||
| 2b uses a Kerberos 5 EncTicketPart instead of a Kerberos 4 ditto for | ||||
| the part of the ticket that is encrypted with the service's key. The | ||||
| client doesn't know what's inside the encrypted data so to the client | ||||
| it doesn't matter. | ||||
|  | ||||
| To  differentiate between Kerberos 4 tickets and Kerberos 5 tickets 2b | ||||
| To  differentiate between Kerberos 4 tickets and Kerberos 5 tickets, 2b | ||||
| uses a special kvno, 213 for 2b tokens and 255 for Kerberos 5 tokens. | ||||
|  | ||||
| Its a requirement that all AFS servers that support 2b also support | ||||
|   | ||||
		Reference in New Issue
	
	Block a user
	 Love Hörnquist Åstrand
					Love Hörnquist Åstrand