Resolve conflicts after import of Heimdal 0.6.1.

This commit is contained in:
Jacques Vidrine 2004-04-03 21:31:10 +00:00
parent 090bc474c9
commit a0c37ec326
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=127811
30 changed files with 196 additions and 3470 deletions


@ -1,85 +0,0 @@
-*- indented-text -*-
$Id: TODO,v 1.66 2001/08/09 08:43:42 assar Exp $
* configure
handle readline hiding in readline/readline.h
* appl
** appl/popper
Implement RFC1731 and 1734, pop over GSS-API
* doc
* kdc
* kadmin
make it happy with reading and parsing kdc.conf
is in need of a major cleanup
* kpasswdd
figure out what's the deal with do_sequence and the MIT client
* lib
** lib/asn1
prepend a prefix on all generated symbols
** lib/auth
** lib/auth/sia
PAM
** lib/com_err
write a man-page
** lib/des
make everything work with openssl and make prototypes compatible
** lib/gssapi
process_context_token, add_cred, inquire_cred_by_mech,
inquire_names_for_mech, and
inquire_mechs_for_name not implemented.
set minor_status in all functions
anonymous credentials not implemented
add rc4
** lib/hdb
** lib/kadm5
add policies?
fix to use rpc?
** lib/krb5
the replay cache is, in its current state, not very useful
OTP?
make checksum/encryption type configuration more realm-specific. make
some simple way of handling the w2k situtation
crypto: allow scatter/gather creation of checksums
verify_user: handle non-secure verification failing because of
host->realm mapping
config_file: do it in case-sensitive and/or insensitive
** lib/roken
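Review bot: Deleting this TODO drops the only in-tree record of several open security items without marking any of them resolved; a conflict resolution does not address the entries under lib/krb5 ("the replay cache is, in its current state, not very useful") or lib/gssapi ("anonymous credentials not implemented", "set minor_status in all functions", and the five unimplemented GSS-API functions). If the 0.6.1 vendor tree no longer carries a TODO at this path, say so in the commit message; otherwise keep the file and take the vendor version so the open items stay tracked.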


@ -1,9 +0,0 @@
dnl $Id: acinclude.m4,v 1.15 1998/05/23 14:54:53 joda Exp $
dnl
dnl Only put things that for some reason can't live in the `cf'
dnl directory in this file.
dnl
dnl $xId: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $
dnl
define(upcase,`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl
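Review bot: Removing acinclude.m4 removes the `upcase' m4 macro it defines; any remaining `upcase(...)' call in configure.in or the cf/*.m4 files will no longer expand and will be left as literal text in the generated configure script. Before dropping the file, grep the tree for `upcase' and, if there are callers, move the definition into cf/ (the file's own comment says that is where such macros belong) rather than deleting it. The header dates from 1998 and only this one macro survives, so deletion is otherwise reasonable.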


@ -1,81 +0,0 @@
KTUTIL(8) NetBSD System Manager's Manual KTUTIL(8)
NNAAMMEE
kkttuuttiill - manage Kerberos keytabs
SSYYNNOOPPSSIISS
kkttuuttiill [--kk _k_e_y_t_a_b | ----kkeeyyttaabb==_k_e_y_t_a_b] [--vv | ----vveerrbboossee] [----vveerrssiioonn] [--hh |
----hheellpp] _c_o_m_m_a_n_d [_a_r_g_s]
DDEESSCCRRIIPPTTIIOONN
kkttuuttiill is a program for managing keytabs. _c_o_m_m_a_n_d can be one of the fol-
lowing:
add [--pp _p_r_i_n_c_i_p_a_l] [----pprriinncciippaall==_p_r_i_n_c_i_p_a_l] [--VV _k_v_n_o] [----kkvvnnoo==_k_v_n_o] [--ee
_e_n_c_y_p_e] [----eennccttyyppee==_e_n_c_t_y_p_e] [--ww _p_a_s_s_w_o_r_d]
[----ppaasssswwoorrdd==_p_a_s_s_w_o_r_d] [--rr] [----rraannddoomm] [--ss] [----nnoo--ssaalltt]
Adds a key to the keytab. Options that are not specified will
be prompted for. This requires that you know the password of
the principal to add; if what you really want is to add a new
principal to the keytab, you should consider the _g_e_t command,
which talks to the kadmin server.
change [--rr _r_e_a_l_m] [----rreeaallmm==_r_e_a_l_m] [----aa _h_o_s_t] [----aaddmmiinn--sseerrvveerr==_h_o_s_t] [----ss
_p_o_r_t] [----sseerrvveerr--ppoorrtt==_p_o_r_t]
Update one or several keys to new versions. By default, use
the admin server for the realm of an keytab entry. Otherwise
it will use the values specified by the options.
If no principals are given, all the ones in the keytab are
updated.
copy _k_e_y_t_a_b_-_s_r_c _k_e_y_t_a_b_-_d_e_s_t
Copies all the entries from _k_e_y_t_a_b_-_s_r_c to _k_e_y_t_a_b_-_d_e_s_t.
get [--pp _a_d_m_i_n _p_r_i_n_c_i_p_a_l] [----pprriinncciippaall==_a_d_m_i_n _p_r_i_n_c_i_p_a_l] [--ee _e_n_c_t_y_p_e]
[----eennccttyyppeess==_e_n_c_t_y_p_e] [--rr _r_e_a_l_m] [----rreeaallmm==_r_e_a_l_m] [--aa _a_d_m_i_n
_s_e_r_v_e_r] [----aaddmmiinn--sseerrvveerr==_a_d_m_i_n _s_e_r_v_e_r] [--ss _s_e_r_v_e_r _p_o_r_t]
[----sseerrvveerr--ppoorrtt==_s_e_r_v_e_r _p_o_r_t] _p_r_i_n_c_i_p_a_l _._._.
For each _p_r_i_n_c_i_p_a_l, generate a new key for it (creating it if
it doesn't already exist), and put that key in the keytab.
If no _r_e_a_l_m is specified, the realm to operate on is taken
from the first principal.
list [----kkeeyyss] [----ttiimmeessttaammpp]
List the keys stored in the keytab.
remove [--pp _p_r_i_n_c_i_p_a_l] [----pprriinncciippaall==_p_r_i_n_c_i_p_a_l] [--VV --kkvvnnoo] [----kkvvnnoo==_k_v_n_o]
[--ee --eennccttyyppee] [----eennccttyyppee==_e_n_c_t_y_p_e]
Removes the specified key or keys. Not specifying a _k_v_n_o re-
moves keys with any version number. Not specifying a _e_n_c_t_y_p_e
removes keys of any type.
rename _f_r_o_m_-_p_r_i_n_c_i_p_a_l _t_o_-_p_r_i_n_c_i_p_a_l
Renames all entries in the keytab that match the _f_r_o_m_-
_p_r_i_n_c_i_p_a_l to _t_o_-_p_r_i_n_c_i_p_a_l.
purge [----aaggee==_a_g_e]
Removes all old entries (for which there is a newer version)
that are older than _a_g_e (default one week).
srvconvert
srv2keytab [--ss _s_r_v_t_a_b] [----ssrrvvttaabb==_s_r_v_t_a_b]
Converts the version 4 srvtab in _s_r_v_t_a_b to a version 5 keytab
and stores it in _k_e_y_t_a_b. Identical to:
ktutil copy krb4:_s_r_v_t_a_b _k_e_y_t_a_b
srvcreate
key2srvtab [--ss _s_r_v_t_a_b] [----ssrrvvttaabb==_s_r_v_t_a_b]
Converts the version 5 keytab in _k_e_y_t_a_b to a version 4 srvtab
and stores it in _s_r_v_t_a_b. Identical to:
ktutil copy _k_e_y_t_a_b krb4:_s_r_v_t_a_b
SSEEEE AALLSSOO
kadmin(8)
HEIMDAL December 16, 2000 2
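Review bot: This is a pre-rendered catpage (footer dated December 16, 2000) that lags the 0.6.1 source, so deleting it is right only if ktutil(8) is regenerated from the nroff source; check that the Makefile installs ktutil.8 and does not still reference the .cat8 file. Two details in the deleted text should not be carried into the replacement page: the `add' synopsis spells the -e argument `encype' instead of `enctype', and the `change' entry lists `--a host' and `--s port' with a double dash where the `get' entry uses `-a' and `-s'. Worth preserving from this page is the warning that `add' requires the principal's password and that `get', which talks to the kadmin server, is the right way to create a new keytab entry.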


@ -1,644 +0,0 @@
FTP(1) NetBSD Reference Manual FTP(1)
NNAAMMEE
ffttpp - ARPANET file transfer program
SSYYNNOOPPSSIISS
ffttpp [--tt] [--vv] [--dd] [--ii] [--nn] [--gg] [--pp] [--ll] [_h_o_s_t]
DDEESSCCRRIIPPTTIIOONN
FFttpp is the user interface to the ARPANET standard File Transfer Protocol.
The program allows a user to transfer files to and from a remote network
site.
Modifications has been made so that it almost follows the ftpsec Internet
draft.
Options may be specified at the command line, or to the command inter-
preter.
--tt Enables packet tracing.
--vv Verbose option forces ffttpp to show all responses from the remote
server, as well as report on data transfer statistics.
--nn Restrains ffttpp from attempting ``auto-login'' upon initial connec-
tion. If auto-login is enabled, ffttpp will check the _._n_e_t_r_c (see be-
low) file in the user's home directory for an entry describing an
account on the remote machine. If no entry exists, ffttpp will prompt
for the remote machine login name (default is the user identity on
the local machine), and, if necessary, prompt for a password and an
account with which to login.
--ii Turns off interactive prompting during multiple file transfers.
--pp Turn on passive mode.
--dd Enables debugging.
--gg Disables file name globbing.
--ll Disables command line editing.
The client host with which ffttpp is to communicate may be specified on the
command line. If this is done, ffttpp will immediately attempt to establish
a connection to an FTP server on that host; otherwise, ffttpp will enter its
command interpreter and await instructions from the user. When ffttpp is
awaiting commands from the user the prompt `ftp>' is provided to the us-
er. The following commands are recognized by ffttpp:
!! [_c_o_m_m_a_n_d [_a_r_g_s]]
Invoke an interactive shell on the local machine. If there
are arguments, the first is taken to be a command to execute
directly, with the rest of the arguments as its arguments.
$$ _m_a_c_r_o_-_n_a_m_e [_a_r_g_s]
Execute the macro _m_a_c_r_o_-_n_a_m_e that was defined with the mmaaccddeeff
command. Arguments are passed to the macro unglobbed.
aaccccoouunntt [_p_a_s_s_w_d]
Supply a supplemental password required by a remote system
for access to resources once a login has been successfully
completed. If no argument is included, the user will be
prompted for an account password in a non-echoing input mode.
aappppeenndd _l_o_c_a_l_-_f_i_l_e [_r_e_m_o_t_e_-_f_i_l_e]
Append a local file to a file on the remote machine. If
_r_e_m_o_t_e_-_f_i_l_e is left unspecified, the local file name is used
in naming the remote file after being altered by any nnttrraannss
or nnmmaapp setting. File transfer uses the current settings for
ttyyppee, ffoorrmmaatt, mmooddee, and ssttrruuccttuurree.
aasscciiii Set the file transfer ttyyppee to network ASCII. This is the de-
fault type.
bbeellll Arrange that a bell be sounded after each file transfer com-
mand is completed.
bbiinnaarryy Set the file transfer ttyyppee to support binary image transfer.
bbyyee Terminate the FTP session with the remote server and exit
ffttpp. An end of file will also terminate the session and ex-
it.
ccaassee Toggle remote computer file name case mapping during mmggeett
commands. When ccaassee is on (default is off), remote computer
file names with all letters in upper case are written in the
local directory with the letters mapped to lower case.
ccdd _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y
Change the working directory on the remote machine to _r_e_m_o_t_e_-
_d_i_r_e_c_t_o_r_y.
ccdduupp Change the remote machine working directory to the parent of
the current remote machine working directory.
cchhmmoodd _m_o_d_e _f_i_l_e_-_n_a_m_e
Change the permission modes of the file _f_i_l_e_-_n_a_m_e on the re-
mote sytem to _m_o_d_e.
cclloossee Terminate the FTP session with the remote server, and return
to the command interpreter. Any defined macros are erased.
ccrr Toggle carriage return stripping during ascii type file re-
trieval. Records are denoted by a carriage return/linefeed
sequence during ascii type file transfer. When ccrr is on (the
default), carriage returns are stripped from this sequence to
conform with the UNIX single linefeed record delimiter.
Records on non-UNIX remote systems may contain single line-
feeds; when an ascii type transfer is made, these linefeeds
may be distinguished from a record delimiter only when ccrr is
off.
ddeelleettee _r_e_m_o_t_e_-_f_i_l_e
Delete the file _r_e_m_o_t_e_-_f_i_l_e on the remote machine.
ddeebbuugg [_d_e_b_u_g_-_v_a_l_u_e]
Toggle debugging mode. If an optional _d_e_b_u_g_-_v_a_l_u_e is speci-
fied it is used to set the debugging level. When debugging
is on, ffttpp prints each command sent to the remote machine,
preceded by the string `-->'
ddiirr [_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y] [_l_o_c_a_l_-_f_i_l_e]
Print a listing of the directory contents in the directory,
_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y, and, optionally, placing the output in
_l_o_c_a_l_-_f_i_l_e. If interactive prompting is on, ffttpp will prompt
the user to verify that the last argument is indeed the tar-
get local file for receiving ddiirr output. If no directory is
specified, the current working directory on the remote ma-
chine is used. If no local file is specified, or _l_o_c_a_l_-_f_i_l_e
is --, output comes to the terminal.
ddiissccoonnnneecctt A synonym for _c_l_o_s_e.
ffoorrmm _f_o_r_m_a_t
Set the file transfer ffoorrmm to _f_o_r_m_a_t. The default format is
``file''.
ggeett _r_e_m_o_t_e_-_f_i_l_e [_l_o_c_a_l_-_f_i_l_e]
Retrieve the _r_e_m_o_t_e_-_f_i_l_e and store it on the local machine.
If the local file name is not specified, it is given the same
name it has on the remote machine, subject to alteration by
the current ccaassee, nnttrraannss, and nnmmaapp settings. The current
settings for ttyyppee, ffoorrmm, mmooddee, and ssttrruuccttuurree are used while
transferring the file.
gglloobb Toggle filename expansion for mmddeelleettee, mmggeett and mmppuutt. If
globbing is turned off with gglloobb, the file name arguments are
taken literally and not expanded. Globbing for mmppuutt is done
as in csh(1). For mmddeelleettee and mmggeett, each remote file name is
expanded separately on the remote machine and the lists are
not merged. Expansion of a directory name is likely to be
different from expansion of the name of an ordinary file: the
exact result depends on the foreign operating system and ftp
server, and can be previewed by doing `mls remote-files -'.
As a security measure, remotely globbed files that starts
with `/' or contains `../', will not be automatically re-
ceived. If you have interactive prompting turned off, these
filenames will be ignored. Note: mmggeett and mmppuutt are not meant
to transfer entire directory subtrees of files. That can be
done by transferring a tar(1) archive of the subtree (in bi-
nary mode).
hhaasshh Toggle hash-sign (``#'') printing for each data block trans-
ferred. The size of a data block is 1024 bytes.
hheellpp [_c_o_m_m_a_n_d]
Print an informative message about the meaning of _c_o_m_m_a_n_d.
If no argument is given, ffttpp prints a list of the known com-
mands.
iiddllee [_s_e_c_o_n_d_s]
Set the inactivity timer on the remote server to _s_e_c_o_n_d_s sec-
onds. If _s_e_c_o_n_d_s is omitted, the current inactivity timer is
printed.
llccdd [_d_i_r_e_c_t_o_r_y]
Change the working directory on the local machine. If no
_d_i_r_e_c_t_o_r_y is specified, the user's home directory is used.
llss [_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y] [_l_o_c_a_l_-_f_i_l_e]
Print a listing of the contents of a directory on the remote
machine. The listing includes any system-dependent informa-
tion that the server chooses to include; for example, most
UNIX systems will produce output from the command `ls -l'.
(See also nnlliisstt.) If _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y is left unspecified,
the current working directory is used. If interactive
prompting is on, ffttpp will prompt the user to verify that the
last argument is indeed the target local file for receiving
llss output. If no local file is specified, or if _l_o_c_a_l_-_f_i_l_e
is `--', the output is sent to the terminal.
mmaaccddeeff _m_a_c_r_o_-_n_a_m_e
Define a macro. Subsequent lines are stored as the macro
_m_a_c_r_o_-_n_a_m_e; a null line (consecutive newline characters in a
file or carriage returns from the terminal) terminates macro
input mode. There is a limit of 16 macros and 4096 total
characters in all defined macros. Macros remain defined un-
til a cclloossee command is executed. The macro processor inter-
prets `$' and `\' as special characters. A `$' followed by a
number (or numbers) is replaced by the corresponding argument
on the macro invocation command line. A `$' followed by an
`i' signals that macro processor that the executing macro is
to be looped. On the first pass `$i' is replaced by the
first argument on the macro invocation command line, on the
second pass it is replaced by the second argument, and so on.
A `\' followed by any character is replaced by that charac-
ter. Use the `\' to prevent special treatment of the `$'.
mmddeelleettee [_r_e_m_o_t_e_-_f_i_l_e_s]
Delete the _r_e_m_o_t_e_-_f_i_l_e_s on the remote machine.
mmddiirr _r_e_m_o_t_e_-_f_i_l_e_s _l_o_c_a_l_-_f_i_l_e
Like ddiirr, except multiple remote files may be specified. If
interactive prompting is on, ffttpp will prompt the user to ver-
ify that the last argument is indeed the target local file
for receiving mmddiirr output.
mmggeett _r_e_m_o_t_e_-_f_i_l_e_s
Expand the _r_e_m_o_t_e_-_f_i_l_e_s on the remote machine and do a ggeett
for each file name thus produced. See gglloobb for details on
the filename expansion. Resulting file names will then be
processed according to ccaassee, nnttrraannss, and nnmmaapp settings.
Files are transferred into the local working directory, which
can be changed with `lcd directory'; new local directories
can be created with `! mkdir directory'.
mmkkddiirr _d_i_r_e_c_t_o_r_y_-_n_a_m_e
Make a directory on the remote machine.
mmllss _r_e_m_o_t_e_-_f_i_l_e_s _l_o_c_a_l_-_f_i_l_e
Like nnlliisstt, except multiple remote files may be specified,
and the _l_o_c_a_l_-_f_i_l_e must be specified. If interactive prompt-
ing is on, ffttpp will prompt the user to verify that the last
argument is indeed the target local file for receiving mmllss
output.
mmooddee [_m_o_d_e_-_n_a_m_e]
Set the file transfer mmooddee to _m_o_d_e_-_n_a_m_e. The default mode is
``stream'' mode.
mmooddttiimmee _f_i_l_e_-_n_a_m_e
Show the last modification time of the file on the remote ma-
chine.
mmppuutt _l_o_c_a_l_-_f_i_l_e_s
Expand wild cards in the list of local files given as argu-
ments and do a ppuutt for each file in the resulting list. See
gglloobb for details of filename expansion. Resulting file names
will then be processed according to nnttrraannss and nnmmaapp settings.
nneewweerr _f_i_l_e_-_n_a_m_e
Get the file only if the modification time of the remote file
is more recent that the file on the current system. If the
file does not exist on the current system, the remote file is
considered nneewweerr. Otherwise, this command is identical to
_g_e_t.
nnlliisstt [_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y] [_l_o_c_a_l_-_f_i_l_e]
Print a list of the files in a directory on the remote ma-
chine. If _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y is left unspecified, the current
working directory is used. If interactive prompting is on,
ffttpp will prompt the user to verify that the last argument is
indeed the target local file for receiving nnlliisstt output. If
no local file is specified, or if _l_o_c_a_l_-_f_i_l_e is --, the output
is sent to the terminal.
nnmmaapp [_i_n_p_a_t_t_e_r_n _o_u_t_p_a_t_t_e_r_n]
Set or unset the filename mapping mechanism. If no arguments
are specified, the filename mapping mechanism is unset. If
arguments are specified, remote filenames are mapped during
mmppuutt commands and ppuutt commands issued without a specified re-
mote target filename. If arguments are specified, local
filenames are mapped during mmggeett commands and ggeett commands
issued without a specified local target filename. This com-
mand is useful when connecting to a non-UNIX remote computer
with different file naming conventions or practices. The
mapping follows the pattern set by _i_n_p_a_t_t_e_r_n and _o_u_t_p_a_t_t_e_r_n.
[_I_n_p_a_t_t_e_r_n] is a template for incoming filenames (which may
have already been processed according to the nnttrraannss and ccaassee
settings). Variable templating is accomplished by including
the sequences `$1', `$2', ..., `$9' in _i_n_p_a_t_t_e_r_n. Use `\' to
prevent this special treatment of the `$' character. All
other characters are treated literally, and are used to de-
termine the nnmmaapp [_i_n_p_a_t_t_e_r_n] variable values. For example,
given _i_n_p_a_t_t_e_r_n $1.$2 and the remote file name "mydata.data",
$1 would have the value "mydata", and $2 would have the value
"data". The _o_u_t_p_a_t_t_e_r_n determines the resulting mapped file-
name. The sequences `$1', `$2', ...., `$9' are replaced by
any value resulting from the _i_n_p_a_t_t_e_r_n template. The se-
quence `$0' is replace by the original filename. Additional-
ly, the sequence `[_s_e_q_1, _s_e_q_2]' is replaced by [_s_e_q_1] if _s_e_q_1
is not a null string; otherwise it is replaced by _s_e_q_2. For
example, the command
nmap $1.$2.$3 [$1,$2].[$2,file]
would yield the output filename "myfile.data" for input file-
names "myfile.data" and "myfile.data.old", "myfile.file" for
the input filename "myfile", and "myfile.myfile" for the in-
put filename ".myfile". Spaces may be included in
_o_u_t_p_a_t_t_e_r_n, as in the example: `nmap $1 sed "s/ *$//" > $1'
. Use the `\' character to prevent special treatment of the
`$','[','[', and `,' characters.
nnttrraannss [_i_n_c_h_a_r_s [_o_u_t_c_h_a_r_s]]
Set or unset the filename character translation mechanism.
If no arguments are specified, the filename character trans-
lation mechanism is unset. If arguments are specified, char-
acters in remote filenames are translated during mmppuutt com-
mands and ppuutt commands issued without a specified remote tar-
get filename. If arguments are specified, characters in lo-
cal filenames are translated during mmggeett commands and ggeett
commands issued without a specified local target filename.
This command is useful when connecting to a non-UNIX remote
computer with different file naming conventions or practices.
Characters in a filename matching a character in _i_n_c_h_a_r_s are
replaced with the corresponding character in _o_u_t_c_h_a_r_s. If
the character's position in _i_n_c_h_a_r_s is longer than the length
of _o_u_t_c_h_a_r_s, the character is deleted from the file name.
ooppeenn _h_o_s_t [_p_o_r_t]
Establish a connection to the specified _h_o_s_t FTP server. An
optional port number may be supplied, in which case, ffttpp will
attempt to contact an FTP server at that port. If the aauuttoo--
llooggiinn option is on (default), ffttpp will also attempt to auto-
matically log the user in to the FTP server (see below).
ppaassssiivvee Toggle passive mode. If passive mode is turned on (default
is off), the ftp client will send a PASV command for all data
connections instead of the usual PORT command. The PASV com-
mand requests that the remote server open a port for the data
connection and return the address of that port. The remote
server listens on that port and the client connects to it.
When using the more traditional PORT command, the client lis-
tens on a port and sends that address to the remote server,
who connects back to it. Passive mode is useful when using
ffttpp through a gateway router or host that controls the direc-
tionality of traffic. (Note that though ftp servers are re-
quired to support the PASV command by RFC 1123, some do not.)
pprroommpptt Toggle interactive prompting. Interactive prompting occurs
during multiple file transfers to allow the user to selec-
tively retrieve or store files. If prompting is turned off
(default is on), any mmggeett or mmppuutt will transfer all files,
and any mmddeelleettee will delete all files.
pprrooxxyy _f_t_p_-_c_o_m_m_a_n_d
Execute an ftp command on a secondary control connection.
This command allows simultaneous connection to two remote ftp
servers for transferring files between the two servers. The
first pprrooxxyy command should be an ooppeenn, to establish the sec-
ondary control connection. Enter the command "proxy ?" to
see other ftp commands executable on the secondary connec-
tion. The following commands behave differently when pref-
aced by pprrooxxyy: ooppeenn will not define new macros during the au-
to-login process, cclloossee will not erase existing macro defini-
tions, ggeett and mmggeett transfer files from the host on the pri-
mary control connection to the host on the secondary control
connection, and ppuutt, mmppuutt, and aappppeenndd transfer files from the
host on the secondary control connection to the host on the
primary control connection. Third party file transfers de-
pend upon support of the ftp protocol PASV command by the
server on the secondary control connection.
ppuutt _l_o_c_a_l_-_f_i_l_e [_r_e_m_o_t_e_-_f_i_l_e]
Store a local file on the remote machine. If _r_e_m_o_t_e_-_f_i_l_e is
left unspecified, the local file name is used after process-
ing according to any nnttrraannss or nnmmaapp settings in naming the
remote file. File transfer uses the current settings for
ttyyppee, ffoorrmmaatt, mmooddee, and ssttrruuccttuurree.
ppwwdd Print the name of the current working directory on the remote
machine.
qquuiitt A synonym for bbyyee.
qquuoottee _a_r_g_1 _a_r_g_2 _._._.
The arguments specified are sent, verbatim, to the remote FTP
server.
rreeccvv _r_e_m_o_t_e_-_f_i_l_e [_l_o_c_a_l_-_f_i_l_e]
A synonym for get.
rreeggeett _r_e_m_o_t_e_-_f_i_l_e [_l_o_c_a_l_-_f_i_l_e]
Reget acts like get, except that if _l_o_c_a_l_-_f_i_l_e exists and is
smaller than _r_e_m_o_t_e_-_f_i_l_e, _l_o_c_a_l_-_f_i_l_e is presumed to be a par-
tially transferred copy of _r_e_m_o_t_e_-_f_i_l_e and the transfer is
continued from the apparent point of failure. This command
is useful when transferring very large files over networks
that are prone to dropping connections.
rreemmootteehheellpp [_c_o_m_m_a_n_d_-_n_a_m_e]
Request help from the remote FTP server. If a _c_o_m_m_a_n_d_-_n_a_m_e
is specified it is supplied to the server as well.
rreemmootteessttaattuuss [_f_i_l_e_-_n_a_m_e]
With no arguments, show status of remote machine. If _f_i_l_e_-
_n_a_m_e is specified, show status of _f_i_l_e_-_n_a_m_e on remote ma-
chine.
rreennaammee [_f_r_o_m] [_t_o]
Rename the file _f_r_o_m on the remote machine, to the file _t_o.
rreesseett Clear reply queue. This command re-synchronizes command/re-
ply sequencing with the remote ftp server. Resynchronization
may be necessary following a violation of the ftp protocol by
the remote server.
rreessttaarrtt _m_a_r_k_e_r
Restart the immediately following ggeett or ppuutt at the indicated
_m_a_r_k_e_r. On UNIX systems, marker is usually a byte offset in-
to the file.
rrmmddiirr _d_i_r_e_c_t_o_r_y_-_n_a_m_e
Delete a directory on the remote machine.
rruunniiqquuee Toggle storing of files on the local system with unique file-
names. If a file already exists with a name equal to the
target local filename for a ggeett or mmggeett command, a ".1" is
appended to the name. If the resulting name matches another
existing file, a ".2" is appended to the original name. If
this process continues up to ".99", an error message is
printed, and the transfer does not take place. The generated
unique filename will be reported. Note that rruunniiqquuee will not
affect local files generated from a shell command (see be-
low). The default value is off.
sseenndd _l_o_c_a_l_-_f_i_l_e [_r_e_m_o_t_e_-_f_i_l_e]
A synonym for put.
sseennddppoorrtt Toggle the use of PORT commands. By default, ffttpp will at-
tempt to use a PORT command when establishing a connection
for each data transfer. The use of PORT commands can prevent
delays when performing multiple file transfers. If the PORT
command fails, ffttpp will use the default data port. When the
use of PORT commands is disabled, no attempt will be made to
use PORT commands for each data transfer. This is useful for
certain FTP implementations which do ignore PORT commands
but, incorrectly, indicate they've been accepted.
ssiittee _a_r_g_1 _a_r_g_2 _._._.
The arguments specified are sent, verbatim, to the remote FTP
server as a SITE command.
ssiizzee _f_i_l_e_-_n_a_m_e
Return size of _f_i_l_e_-_n_a_m_e on remote machine.
ssttaattuuss Show the current status of ffttpp.
ssttrruucctt [_s_t_r_u_c_t_-_n_a_m_e]
Set the file transfer _s_t_r_u_c_t_u_r_e to _s_t_r_u_c_t_-_n_a_m_e. By default
``stream'' structure is used.
ssuunniiqquuee Toggle storing of files on remote machine under unique file
names. Remote ftp server must support ftp protocol STOU com-
mand for successful completion. The remote server will re-
port unique name. Default value is off.
ssyysstteemm Show the type of operating system running on the remote ma-
chine.
tteenneexx Set the file transfer type to that needed to talk to TENEX
machines.
ttrraaccee Toggle packet tracing.
ttyyppee [_t_y_p_e_-_n_a_m_e]
Set the file transfer ttyyppee to _t_y_p_e_-_n_a_m_e. If no type is spec-
ified, the current type is printed. The default type is net-
work ASCII.
uummaasskk [_n_e_w_m_a_s_k]
Set the default umask on the remote server to _n_e_w_m_a_s_k. If
_n_e_w_m_a_s_k is omitted, the current umask is printed.
uusseerr _u_s_e_r_-_n_a_m_e [_p_a_s_s_w_o_r_d] [_a_c_c_o_u_n_t]
Identify yourself to the remote FTP server. If the _p_a_s_s_w_o_r_d
is not specified and the server requires it, ffttpp will prompt
the user for it (after disabling local echo). If an _a_c_c_o_u_n_t
field is not specified, and the FTP server requires it, the
user will be prompted for it. If an _a_c_c_o_u_n_t field is speci-
fied, an account command will be relayed to the remote server
after the login sequence is completed if the remote server
did not require it for logging in. Unless ffttpp is invoked
with ``auto-login'' disabled, this process is done automati-
cally on initial connection to the FTP server.
vveerrbboossee Toggle verbose mode. In verbose mode, all responses from the
FTP server are displayed to the user. In addition, if ver-
bose is on, when a file transfer completes, statistics re-
garding the efficiency of the transfer are reported. By de-
fault, verbose is on.
?? [_c_o_m_m_a_n_d]
A synonym for help.
The following command can be used with ftpsec-aware servers.
pprroott _c_l_e_a_r | _s_a_f_e | _c_o_n_f_i_d_e_n_t_i_a_l | _p_r_i_v_a_t_e
Set the data protection level to the requested level.
The following command can be used with ftp servers that has implemented
the KAUTH site command.
kkaauutthh [_p_r_i_n_c_i_p_a_l]
Obtain remote tickets.
Command arguments which have embedded spaces may be quoted with quote `"'
marks.
AABBOORRTTIINNGG AA FFIILLEE TTRRAANNSSFFEERR
To abort a file transfer, use the terminal interrupt key (usually Ctrl-
C). Sending transfers will be immediately halted. Receiving transfers
will be halted by sending a ftp protocol ABOR command to the remote serv-
er, and discarding any further data received. The speed at which this is
accomplished depends upon the remote server's support for ABOR process-
ing. If the remote server does not support the ABOR command, an `ftp>'
prompt will not appear until the remote server has completed sending the
requested file.
The terminal interrupt key sequence will be ignored when ffttpp has complet-
ed any local processing and is awaiting a reply from the remote server.
A long delay in this mode may result from the ABOR processing described
above, or from unexpected behavior by the remote server, including viola-
tions of the ftp protocol. If the delay results from unexpected remote
server behavior, the local ffttpp program must be killed by hand.
FFIILLEE NNAAMMIINNGG CCOONNVVEENNTTIIOONNSS
Files specified as arguments to ffttpp commands are processed according to
the following rules.
1. If the file name `--' is specified, the _s_t_d_i_n (for reading) or _s_t_d_o_u_t
(for writing) is used.
2. If the first character of the file name is `|', the remainder of the
argument is interpreted as a shell command. FFttpp then forks a shell,
using popen(3) with the argument supplied, and reads (writes) from
the stdout (stdin). If the shell command includes spaces, the argu-
ment must be quoted; e.g. ``" ls -lt"''. A particularly useful ex-
ample of this mechanism is: ``dir more''.
3. Failing the above checks, if ``globbing'' is enabled, local file
names are expanded according to the rules used in the csh(1); c.f.
the gglloobb command. If the ffttpp command expects a single local file
(.e.g. ppuutt), only the first filename generated by the "globbing"
operation is used.
4. For mmggeett commands and ggeett commands with unspecified local file
names, the local filename is the remote filename, which may be al-
tered by a ccaassee, nnttrraannss, or nnmmaapp setting. The resulting filename
may then be altered if rruunniiqquuee is on.
5. For mmppuutt commands and ppuutt commands with unspecified remote file
names, the remote filename is the local filename, which may be al-
tered by a nnttrraannss or nnmmaapp setting. The resulting filename may then
be altered by the remote server if ssuunniiqquuee is on.
FFIILLEE TTRRAANNSSFFEERR PPAARRAAMMEETTEERRSS
The FTP specification specifies many parameters which may affect a file
transfer. The ttyyppee may be one of ``ascii'', ``image'' (binary),
``ebcdic'', and ``local byte size'' (for PDP-10's and PDP-20's mostly).
FFttpp supports the ascii and image types of file transfer, plus local byte
size 8 for tteenneexx mode transfers.
FFttpp supports only the default values for the remaining file transfer pa-
rameters: mmooddee, ffoorrmm, and ssttrruucctt.
TTHHEE ..nneettrrcc FFIILLEE
The _._n_e_t_r_c file contains login and initialization information used by the
auto-login process. It resides in the user's home directory. The fol-
lowing tokens are recognized; they may be separated by spaces, tabs, or
new-lines:
mmaacchhiinnee _n_a_m_e
Identify a remote machine _n_a_m_e. The auto-login process search-
es the _._n_e_t_r_c file for a mmaacchhiinnee token that matches the remote
machine specified on the ffttpp command line or as an ooppeenn command
argument. Once a match is made, the subsequent _._n_e_t_r_c tokens
are processed, stopping when the end of file is reached or an-
other mmaacchhiinnee or a ddeeffaauulltt token is encountered.
ddeeffaauulltt This is the same as mmaacchhiinnee _n_a_m_e except that ddeeffaauulltt matches
any name. There can be only one ddeeffaauulltt token, and it must be
after all mmaacchhiinnee tokens. This is normally used as:
default login anonymous password user@site
thereby giving the user _a_u_t_o_m_a_t_i_c anonymous ftp login to ma-
chines not specified in _._n_e_t_r_c. This can be overridden by us-
ing the --nn flag to disable auto-login.
llooggiinn _n_a_m_e
Identify a user on the remote machine. If this token is pre-
sent, the auto-login process will initiate a login using the
specified _n_a_m_e.
ppaasssswwoorrdd _s_t_r_i_n_g
Supply a password. If this token is present, the auto-login
process will supply the specified string if the remote server
requires a password as part of the login process. Note that if
this token is present in the _._n_e_t_r_c file for any user other
than _a_n_o_n_y_m_o_u_s, ffttpp will abort the auto-login process if the
_._n_e_t_r_c is readable by anyone besides the user.
aaccccoouunntt _s_t_r_i_n_g
Supply an additional account password. If this token is pre-
sent, the auto-login process will supply the specified string
if the remote server requires an additional account password,
or the auto-login process will initiate an ACCT command if it
does not.
mmaaccddeeff _n_a_m_e
Define a macro. This token functions like the ffttpp mmaaccddeeff com-
mand functions. A macro is defined with the specified name;
its contents begin with the next _._n_e_t_r_c line and continue until
a null line (consecutive new-line characters) is encountered.
If a macro named iinniitt is defined, it is automatically executed
as the last step in the auto-login process.
EENNVVIIRROONNMMEENNTT
FFttpp utilizes the following environment variables.
HOME For default location of a _._n_e_t_r_c file, if one exists.
SHELL For default shell.
SSEEEE AALLSSOO
ftpd(8)
_R_F_C_2_2_2_8.
HHIISSTTOORRYY
The ffttpp command appeared in 4.2BSD.
BBUUGGSS
Correct execution of many commands depends upon proper behavior by the
remote server.
An error in the treatment of carriage returns in the 4.2BSD ascii-mode
transfer code has been corrected. This correction may result in incor-
rect transfers of binary files to and from 4.2BSD servers using the ascii
type. Avoid this problem by using the binary image type.
4.2 Berkeley Distribution April 27, 1996 10
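Review bot: the deleted file is the preformatted catman rendering of ftp(1) (the doubled letters in "FFttpp" and the "4.2 Berkeley Distribution April 27, 1996" footer are nroff overstrike output, not roff source), so please confirm that the roff source for ftp(1) is carried by the 0.6.1 import or installed from elsewhere after this change. The removed text is where the .netrc permission check is documented ("ftp will abort the auto-login process if the .netrc is readable by anyone besides the user" for any password token other than anonymous), and that guidance should survive in whatever page replaces it.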

@ -1,297 +0,0 @@
FTPD(8) NetBSD System Manager's Manual FTPD(8)
NNAAMMEE
ffttppdd - Internet File Transfer Protocol server
SSYYNNOOPPSSIISS
ffttppdd [--aa _a_u_t_h_m_o_d_e] [--ddiillvvUU] [--gg _u_m_a_s_k] [--pp _p_o_r_t] [--TT _m_a_x_t_i_m_e_o_u_t] [--tt
_t_i_m_e_o_u_t] [--uu _d_e_f_a_u_l_t _u_m_a_s_k] [--BB | ----bbuuiillttiinn--llss] [----ggoooodd--cchhaarrss==_s_t_r_i_n_g]
DDEESSCCRRIIPPTTIIOONN
FFttppdd is the Internet File Transfer Protocol server process. The server
uses the TCP protocol and listens at the port specified in the ``ftp''
service specification; see services(5).
Available options:
--aa Select the level of authentication required. Kerberised login
can not be turned off. The default is to only allow kerberised
login. Other possibilities can be turned on by giving a string
of comma separated flags as argument to --aa. Recognised flags are:
_p_l_a_i_n Allow logging in with plaintext password. The password can
be a(n) OTP or an ordinary password.
_o_t_p Same as _p_l_a_i_n, but only OTP is allowed.
_f_t_p Allow anonymous login.
The following combination modes exists for backwards compatibili-
ty:
_n_o_n_e Same as _p_l_a_i_n_,_f_t_p.
_s_a_f_e Same as _f_t_p.
_u_s_e_r Ignored.
--dd Debugging information is written to the syslog using LOG_FTP.
--gg Anonymous users will get a umask of _u_m_a_s_k.
--ii Open a socket and wait for a connection. This is mainly used for
debugging when ftpd isn't started by inetd.
--ll Each successful and failed ftp(1) session is logged using syslog
with a facility of LOG_FTP. If this option is specified twice,
the retrieve (get), store (put), append, delete, make directory,
remove directory and rename operations and their filename argu-
ments are also logged.
--pp Use _p_o_r_t (a service name or number) instead of the default
_f_t_p_/_t_c_p.
--TT A client may also request a different timeout period; the maximum
period allowed may be set to _t_i_m_e_o_u_t seconds with the --TT option.
The default limit is 2 hours.
--tt The inactivity timeout period is set to _t_i_m_e_o_u_t seconds (the de-
fault is 15 minutes).
--uu Set the initial umask to something else than the default 027.
--UU In previous versions of ffttppdd, when a passive mode client request-
ed a data connection to the server, the server would use data
ports in the range 1024..4999. Now, by default, if the system
supports the IP_PORTRANGE socket option, the server will use data
ports in the range 49152..65535. Specifying this option will re-
vert to the old behavior.
--vv Verbose mode.
--BB, ----bbuuiillttiinn--llss
use built-in ls to list files
----ggoooodd--cchhaarrss==_s_t_r_i_n_g
allowed anonymous upload filename chars
The file _/_e_t_c_/_n_o_l_o_g_i_n can be used to disable ftp access. If the file ex-
ists, ffttppdd displays it and exits. If the file _/_e_t_c_/_f_t_p_w_e_l_c_o_m_e exists,
ffttppdd prints it before issuing the ``ready'' message. If the file
_/_e_t_c_/_m_o_t_d exists, ffttppdd prints it after a successful login.
The ftp server currently supports the following ftp requests. The case
of the requests is ignored.
Request Description
ABOR abort previous command
ACCT specify account (ignored)
ALLO allocate storage (vacuously)
APPE append to a file
CDUP change to parent of current working directory
CWD change working directory
DELE delete a file
HELP give help information
LIST give list files in a directory (``ls -lgA'')
MKD make a directory
MDTM show last modification time of file
MODE specify data transfer _m_o_d_e
NLST give name list of files in directory
NOOP do nothing
PASS specify password
PASV prepare for server-to-server transfer
PORT specify data connection port
PWD print the current working directory
QUIT terminate session
REST restart incomplete transfer
RETR retrieve a file
RMD remove a directory
RNFR specify rename-from file name
RNTO specify rename-to file name
SITE non-standard commands (see next section)
SIZE return size of file
STAT return status of server
STOR store a file
STOU store a file with a unique name
STRU specify data transfer _s_t_r_u_c_t_u_r_e
SYST show operating system type of server system
TYPE specify data transfer _t_y_p_e
USER specify user name
XCUP change to parent of current working directory
(deprecated)
XCWD change working directory (deprecated)
XMKD make a directory (deprecated)
XPWD print the current working directory (deprecated)
XRMD remove a directory (deprecated)
The following commands are specified by RFC2228.
AUTH authentication/security mechanism
ADAT authentication/security data
PROT data channel protection level
PBSZ protection buffer size
MIC integrity protected command
CONF confidentiality protected command
ENC privacy protected command
CCC clear command channel
The following non-standard or UNIX specific commands are supported by the
SITE request.
UMASK change umask, (e.g. SSIITTEE UUMMAASSKK 000022)
IDLE set idle-timer, (e.g. SSIITTEE IIDDLLEE 6600)
CHMOD change mode of a file (e.g. SSIITTEE CCHHMMOODD 775555 ffiilleennaammee)
FIND quickly find a specific file with GNU locate(1).
HELP give help information.
The following Kerberos related site commands are understood.
KAUTH obtain remote tickets.
KLIST show remote tickets
The remaining ftp requests specified in Internet RFC 959 are recognized,
but not implemented. MDTM and SIZE are not specified in RFC 959, but
will appear in the next updated FTP RFC.
The ftp server will abort an active file transfer only when the ABOR com-
mand is preceded by a Telnet "Interrupt Process" (IP) signal and a Telnet
"Synch" signal in the command Telnet stream, as described in Internet RFC
959. If a STAT command is received during a data transfer, preceded by a
Telnet IP and Synch, transfer status will be returned.
FFttppdd interprets file names according to the ``globbing'' conventions used
by csh(1). This allows users to utilize the metacharacters ``*?[]{}~''.
FFttppdd authenticates users according to these rules.
1. If Kerberos authentication is used, the user must pass valid
tickets and the principal must be allowed to login as the re-
mote user.
2. The login name must be in the password data base, and not have
a null password (if kerberos is used the password field is not
checked). In this case a password must be provided by the
client before any file operations may be performed. If the
user has an OTP key, the response from a successful USER com-
mand will include an OTP challenge. The client may choose to
respond with a PASS command giving either a standard password
or an OTP one-time password. The server will automatically de-
termine which type of password it has been given and attempt
to authenticate accordingly. See otp(1) for more information
on OTP authentication.
3. The login name must not appear in the file _/_e_t_c_/_f_t_p_u_s_e_r_s.
4. The user must have a standard shell returned by
getusershell(3).
5. If the user name appears in the file _/_e_t_c_/_f_t_p_c_h_r_o_o_t the ses-
sion's root will be changed to the user's login directory by
chroot(2) as for an ``anonymous'' or ``ftp'' account (see next
item). However, the user must still supply a password. This
feature is intended as a compromise between a fully anonymous
account and a fully privileged account. The account should
also be set up as for an anonymous account.
6. If the user name is ``anonymous'' or ``ftp'', an anonymous ftp
account must be present in the password file (user ``ftp'').
In this case the user is allowed to log in by specifying any
password (by convention an email address for the user should
be used as the password).
In the last case, ffttppdd takes special measures to restrict the client's
access privileges. The server performs a chroot(2) to the home directory
of the ``ftp'' user. In order that system security is not breached, it
is recommended that the ``ftp'' subtree be constructed with care, consid-
er following these guidelines for anonymous ftp.
In general all files should be owned by ``root'', and have non-write per-
missions (644 or 755 depending on the kind of file). No files should be
owned or writable by ``ftp'' (possibly with exception for the
_~_f_t_p_/_i_n_c_o_m_i_n_g, as specified below).
_~_f_t_p The ``ftp'' homedirectory should be owned by root.
_~_f_t_p_/_b_i_n The directory for external programs (such as ls(1)).
These programs must either be statically linked, or you
must setup an environment for dynamic linking when run-
ning chrooted. These programs will be used if present:
ls Used when listing files.
compress
When retrieving a filename that ends in _._Z,
and that file isn't present, ffttppdd will try
to find the filename without _._Z and com-
press it on the fly.
gzip Same as compress, just with files ending in
_._g_z.
gtar Enables retrieval of whole directories as
files ending in _._t_a_r. Can also be combined
with compression. You must use GNU Tar (or
some other that supports the --zz and --ZZ
flags).
locate Will enable ``fast find'' with the SSIITTEE
FFIINNDD command. You must also create a
_l_o_c_a_t_e_d_b file in _~_f_t_p_/_e_t_c.
_~_f_t_p_/_e_t_c If you put copies of the passwd(5) and group(5) files
here, ls will be able to produce owner names rather than
numbers. Remember to remove any passwords from these
files.
The file _m_o_t_d, if present, will be printed after a suc-
cessful login.
_~_f_t_p_/_d_e_v Put a copy of /dev/null(7) here.
_~_f_t_p_/_p_u_b Traditional place to put whatever you want to make pub-
lic.
If you want guests to be able to upload files, create a _~_f_t_p_/_i_n_c_o_m_i_n_g di-
rectory owned by ``root'', and group ``ftp'' with mode 730 (make sure
``ftp'' is member of group ``ftp''). The following restrictions apply to
anonymous users:
++oo Directories created will have mode 700.
++oo Uploaded files will be created with an umask of 777, if not changed
with the --gg option.
++oo These command are not accessible: DDEELLEE, RRMMDD, RRNNTTOO, RRNNFFRR, SSIITTEE UUMMAASSKK,
and SSIITTEE CCHHMMOODD.
++oo Filenames must start with an alpha-numeric character, and consist of
alpha-numeric characters or any of the following: + (plus), - (mi-
nus), = (equal), _ (underscore), . (period), and , (comma).
FFIILLEESS
/etc/ftpusers Access list for users.
/etc/ftpchroot List of normal users who should be chroot'd.
/etc/ftpwelcome Welcome notice.
/etc/motd Welcome notice after login.
/etc/nologin Displayed and access refused.
~/.klogin Login access for Kerberos.
SSEEEE AALLSSOO
ftp(1), otp(1), getusershell(3), ftpusers(5), syslogd(8)
SSTTAANNDDAARRDDSS
RRFFCC 995599 FTP PROTOCOL SPECIFICATION
RRFFCC 11993388 OTP Specification
RRFFCC 22222288 FTP Security Extensions.
BBUUGGSS
The server must run as the super-user to create sockets with privileged
port numbers. It maintains an effective user id of the logged in user,
reverting to the super-user only when binding addresses to sockets. The
possible security holes have been extensively scrutinized, but are possi-
bly incomplete.
HHIISSTTOORRYY
The ffttppdd command appeared in 4.2BSD.
4.2 Berkeley Distribution April 19, 1997 5
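Review bot: the -T entry in this deleted ftpd(8) text describes the maximum timeout as "_t_i_m_e_o_u_t seconds" while the SYNOPSIS names the argument _m_a_x_t_i_m_e_o_u_t, so if the page is regenerated from roff source after the import the -T description should use _m_a_x_t_i_m_e_o_u_t to keep it distinct from the -t inactivity timeout. As with the other hunks, this is overstruck catman output ("FFttppdd", footer "April 19, 1997"), so confirm the source page survives; it is the only text in this diff that spells out the -a authentication flags (plain, otp, ftp and the compatibility modes none, safe, user), the anonymous-user restrictions (mode 700 directories, umask 777 uploads, DELE/RMD/RNTO/RNFR/SITE UMASK/SITE CHMOD disabled) and the root-owned, non-writable layout recommended for the ~ftp tree.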

@ -1,26 +0,0 @@
FTPUSERS(5) NetBSD Programmer's Manual FTPUSERS(5)
NNAAMMEE
_/_e_t_c_/_f_t_p_u_s_e_r_s - FTP access list file
DDEESSCCRRIIPPTTIIOONN
_/_e_t_c_/_f_t_p_u_s_e_r_s contains a list of users that should be allowed or denied
FTP access. Each line contains a user, optionally followed by ``allow''
(anything but ``allow'' is ignored). The semi-user ``*'' matches any us-
er. Users that has an explicit ``allow'', or that does not match any
line, are allowed access. Anyone else is denied access.
Note that this is compatible with the old format, where this file con-
tained a list of users that should be denied access.
EEXXAAMMPPLLEESS
This will deny anyone but ``foo'' and ``bar'' to use FTP:
foo allow
bar allow
*
SSEEEE AALLSSOO
ftpd(8)
KTH-KRB May 7, 1997 1
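Review bot: this hunk drops the only description of the ftpusers(5) allow-list semantics ("Users that has an explicit allow, or that does not match any line, are allowed access. Anyone else is denied access.") together with the note that the file is read compatibly with the old deny-list format. If the page is not regenerated from roff source in the new import, that wording should be preserved in whatever replaces it, since an administrator who remembers only the old format can write a file that admits every user not listed; the "*" catch-all line in the EXAMPLES section is what makes the example deny by default. The grammar in "Users that has" and "that does not match" should also be fixed in the source.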

@ -1,45 +0,0 @@
KF(1) NetBSD Reference Manual KF(1)
NNAAMMEE
kkff - securly forward tickets
SSYYNNOOPPSSIISS
kkff [--pp _p_o_r_t | ----ppoorrtt=_p_o_r_t] [--ll _l_o_g_i_n | ----llooggiinn=_l_o_g_i_n] [--cc _c_c_a_c_h_e |
----ccccaacchhee=_c_c_a_c_h_e] [--FF | ----ffoorrwwaarrddaabbllee] [--GG | ----nnoo--ffoorrwwaarrddaabbllee] [--hh |
----hheellpp] [----vveerrssiioonn] _h_o_s_t _._._.
DDEESSCCRRIIPPTTIIOONN
The kkff program forwards tickets to a remove host through an authenticated
and encrypted stream. Options supported are:
--pp _p_o_r_t, ----ppoorrtt=_p_o_r_t
port to connect to
--ll _l_o_g_i_n, ----llooggiinn=_l_o_g_i_n
remote login name
--cc _c_c_a_c_h_e, ----ccccaacchhee=_c_c_a_c_h_e
remote cred cache
--FF, ----ffoorrwwaarrddaabbllee
forward forwardable credentials
--GG, ----nnoo--ffoorrwwaarrddaabbllee
do not forward forwardable credentials
--hh, ----hheellpp
----vveerrssiioonn
kkff is useful when you do not want to enter your password on a remote host
but want to have your tickets one for example afs.
In order for kkff to work you will need to acquire your initial ticket with
forwardable flag, ie kkiinniitt ----ffoorrwwaarrddaabbllee.
tteellnneett is able to forward ticket by itself.
SSEEEE AALLSSOO
kinit(1), telnet(1), kfd(8)
Heimdal July 2, 2000 1
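Review bot: the NAME line "kf - securly forward tickets" and the DESCRIPTION sentence "forwards tickets to a remove host" carry typos (securly, remove) that should be corrected in the roff source if kf(1) is regenerated rather than dropped outright; the -h/--help and --version entries have no description text, and "want to have your tickets one for example afs" is garbled. The note that the initial ticket must be obtained with the forwardable flag (kinit --forwardable) is the operationally important sentence here and should be kept.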

@ -1,30 +0,0 @@
KFD(8) NetBSD System Manager's Manual KFD(8)
NNAAMMEE
kkffdd - receive forwarded tickets
SSYYNNOOPPSSIISS
kkffdd [--pp _p_o_r_t | ----ppoorrtt=_p_o_r_t] [--ii | ----iinneettdd] [--RR _r_e_g_p_a_g | ----rreeggppaagg=_r_e_g_p_a_g]
[--hh | ----hheellpp] [----vveerrssiioonn]
DDEESSCCRRIIPPTTIIOONN
This is the daemon for kf(1). Supported options:
--pp _p_o_r_t, ----ppoorrtt=_p_o_r_t
port to listen to
--ii, ----iinneettdd
not started from inetd
--RR _r_e_g_p_a_g, ----rreeggppaagg==_r_e_g_p_a_g
path to regpag binary
EEXXAAMMPPLLEESS
Put the following in _/_e_t_c_/_i_n_e_t_d_._c_o_n_f:
kf stream tcp nowait root /usr/heimdal/libexec/kfd kfd
SSEEEE AALLSSOO
kf(1)
Heimdal July 2, 2000 1
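Review bot: the -i, --inetd entry is documented as "not started from inetd", which reads as the opposite of what the option name suggests; if kfd(8) is regenerated from source, the description should state plainly whether the flag means "expect to be run from inetd" or "do not expect to be run from inetd". The EXAMPLES inetd.conf line ("kf stream tcp nowait root /usr/heimdal/libexec/kfd kfd") runs the daemon as root; a sentence on why root is needed for a service that only receives forwarded tickets would help the reader decide whether that is required on their system.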

@ -1,16 +0,0 @@
PFROM(1) NetBSD Reference Manual PFROM(1)
NNAAMMEE
ppffrroomm - fetch a list of the current mail via POP
SSYYNNOOPPSSIISS
ppffrroomm [--44 | ----kkrrbb44] [--55 | ----kkrrbb55] [--vv | ----vveerrbboossee] [--cc | ----ccoouunntt]
[----hheeaaddeerr] [--pp _p_o_r_t_-_s_p_e_c | ----ppoorrtt==_p_o_r_t_-_s_p_e_c]
DDEESSCCRRIIPPTTIIOONN
ppffrroomm is a script that does push --from.
SSEEEE AALLSSOO
push(8)
HEIMDAL March 4, 2000 1

@ -1,76 +0,0 @@
PUSH(8) NetBSD System Manager's Manual PUSH(8)
NNAAMMEE
ppuusshh - fetch mail via POP
SSYYNNOOPPSSIISS
ppuusshh [--44 | ----kkrrbb44] [--55 | ----kkrrbb55] [--vv | ----vveerrbboossee] [--ff | ----ffoorrkk] [--ll |
----lleeaavvee] [----ffrroomm] [--cc | ----ccoouunntt] [----hheeaaddeerrss=_h_e_a_d_e_r_s] [--pp _p_o_r_t_-_s_p_e_c |
----ppoorrtt=_p_o_r_t_-_s_p_e_c] _p_o_-_b_o_x _f_i_l_e_n_a_m_e
DDEESSCCRRIIPPTTIIOONN
ppuusshh retrieves mail from the post office box _p_o_-_b_o_x, and stores the mail
in mbox format in _f_i_l_e_n_a_m_e. The _p_o_-_b_o_x can have any of the following
formats:
`hostname:username'
`po:hostname:username'
`username@hostname'
`po:username@hostname'
`hostname'
`po:username'
If no username is specified, ppuusshh assumes that it's the same as on the
local machine; _h_o_s_t_n_a_m_e defaults to the value of the MAILHOST environment
variable.
Supported options:
--44, ----kkrrbb44
use Kerberos 4 (if compiled with support for Kerberos 4)
--55, ----kkrrbb55
use Kerberos 5 (if compiled with support for Kerberos 5)
--ff, ----ffoorrkk
fork before starting to delete messages
--ll, ----lleeaavvee
don't delete fetched mail
----ffrroomm behave like from.
--cc, ----ccoouunntt
first print how many messages and bytes there are.
----hheeaaddeerrss=_h_e_a_d_e_r_s
a list of comma-separated headers that should get printed.
--pp _p_o_r_t_-_s_p_e_c, ----ppoorrtt=_p_o_r_t_-_s_p_e_c
use this port instead of the default `kpop' or `1109'.
The default is to first try Kerberos 5 authentication and then, if that
fails, Kerberos 4.
EENNVVIIRROONNMMEENNTT
MAILHOST
points to the post office, if no other hostname is specified.
EEXXAAMMPPLLEESS
$ push cornfield:roosta ~/.emacs-mail-crash-box
tries to fetch mail for the user _r_o_o_s_t_a from the post office at
``cornfield'', and stores the mail in _~_/_._e_m_a_c_s_-_m_a_i_l_-_c_r_a_s_h_-_b_o_x (you are
using Gnus, aren't you?)
$ push --from -5 havregryn
tries to fetch FFrroomm:: lines for current user at post office ``havregryn''
using Kerberos 5.
SSEEEE AALLSSOO
from(1), pfrom(1), movemail(8), popper(8)
HHIISSTTOORRYY
ppuusshh was written while waiting for mmoovveemmaaiill to finish getting the mail.
HEIMDAL May 31, 1998 2
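Review bot: the deleted push(8) text states "The default is to first try Kerberos 5 authentication and then, if that fails, Kerberos 4.", which is a silent fallback to Kerberos 4 on any Kerberos 5 failure; as written, the page does not say whether giving -5 (--krb5) disables that fallback or merely changes the order, so if the page is regenerated from source the -4/-5 entries should say which behaviour they select. The -p entry's default port names ("kpop" or "1109") are the only place the service name is recorded in this diff and should be kept.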

@ -1,714 +0,0 @@
TELNET(1) NetBSD Reference Manual TELNET(1)
NNAAMMEE
tteellnneett - user interface to the TELNET protocol
SSYYNNOOPPSSIISS
tteellnneett [--7788EEFFKKLLaaccddffrrxx] [--SS _t_o_s] [--XX _a_u_t_h_t_y_p_e] [--ee _e_s_c_a_p_e_c_h_a_r] [--kk _r_e_a_l_m]
[--ll _u_s_e_r] [--nn _t_r_a_c_e_f_i_l_e] [_h_o_s_t [port]]
DDEESSCCRRIIPPTTIIOONN
The tteellnneett command is used to communicate with another host using the
TELNET protocol. If tteellnneett is invoked without the _h_o_s_t argument, it en-
ters command mode, indicated by its prompt (tteellnneett>>). In this mode, it
accepts and executes the commands listed below. If it is invoked with
arguments, it performs an ooppeenn command with those arguments.
Options:
--88 Specifies an 8-bit data path. This causes an attempt to negoti-
ate the TELNET BINARY option on both input and output.
--77 Do not try to negotiate TELNET BINARY option.
--EE Stops any character from being recognized as an escape character.
--FF If Kerberos V5 authentication is being used, the --FF option allows
the local credentials to be forwarded to the remote system, in-
cluding any credentials that have already been forwarded into the
local environment.
--KK Specifies no automatic login to the remote system.
--LL Specifies an 8-bit data path on output. This causes the BINARY
option to be negotiated on output.
--SS _t_o_s Sets the IP type-of-service (TOS) option for the telnet connec-
tion to the value _t_o_s, which can be a numeric TOS value or, on
systems that support it, a symbolic TOS name found in the
/etc/iptos file.
--XX _a_t_y_p_e
Disables the _a_t_y_p_e type of authentication.
--aa Attempt automatic login. Currently, this sends the user name via
the USER variable of the ENVIRON option if supported by the re-
mote system. The name used is that of the current user as re-
turned by getlogin(2) if it agrees with the current user ID, oth-
erwise it is the name associated with the user ID.
--cc Disables the reading of the user's _._t_e_l_n_e_t_r_c file. (See the
ttooggggllee sskkiipprrcc command on this man page.)
--dd Sets the initial value of the ddeebbuugg toggle to TRUE
--ee _e_s_c_a_p_e _c_h_a_r
Sets the initial tteellnneett tteellnneett escape character to _e_s_c_a_p_e _c_h_a_r.
If _e_s_c_a_p_e _c_h_a_r is omitted, then there will be no escape charac-
ter.
--ff If Kerberos V5 authentication is being used, the --ff option allows
the local credentials to be forwarded to the remote system.
--kk _r_e_a_l_m
If Kerberos authentication is being used, the --kk option requests
that telnet obtain tickets for the remote host in realm realm in-
stead of the remote host's realm, as determined by
krb_realmofhost(3).
--ll _u_s_e_r
When connecting to the remote system, if the remote system under-
stands the ENVIRON option, then _u_s_e_r will be sent to the remote
system as the value for the variable USER. This option implies
the --aa option. This option may also be used with the ooppeenn com-
mand.
--nn _t_r_a_c_e_f_i_l_e
Opens _t_r_a_c_e_f_i_l_e for recording trace information. See the sseett
ttrraacceeffiillee command below.
--rr Specifies a user interface similar to rlogin(1). In this mode,
the escape character is set to the tilde (~) character, unless
modified by the -e option.
--xx Turn on encryption of the data stream. When this option is
turned on, will exit with an error if authentication cannot be
negotiated or if encryption cannot be turned on.
_h_o_s_t Indicates the official name, an alias, or the Internet address of
a remote host.
_p_o_r_t Indicates a port number (address of an application). If a number
is not specified, the default tteellnneett port is used.
When in rlogin mode, a line of the form ~. disconnects from the remote
host; ~ is the telnet escape character. Similarly, the line ~^Z suspends
the telnet session. The line ~^] escapes to the normal telnet escape
prompt.
Once a connection has been opened, tteellnneett will attempt to enable the
TELNET LINEMODE option. If this fails, then tteellnneett will revert to one of
two input modes: either ``character at a time'' or ``old line by line''
depending on what the remote system supports.
When LINEMODE is enabled, character processing is done on the local sys-
tem, under the control of the remote system. When input editing or char-
acter echoing is to be disabled, the remote system will relay that infor-
mation. The remote system will also relay changes to any special charac-
ters that happen on the remote system, so that they can take effect on
the local system.
In ``character at a time'' mode, most text typed is immediately sent to
the remote host for processing.
In ``old line by line'' mode, all text is echoed locally, and (normally)
only completed lines are sent to the remote host. The ``local echo char-
acter'' (initially ``^E'') may be used to turn off and on the local echo
(this would mostly be used to enter passwords without the password being
echoed).
If the LINEMODE option is enabled, or if the llooccaallcchhaarrss toggle is TRUE
(the default for ``old line by line``; see below), the user's qquuiitt, iinnttrr,
and fflluusshh characters are trapped locally, and sent as TELNET protocol se-
quences to the remote side. If LINEMODE has ever been enabled, then the
user's ssuusspp and eeooff are also sent as TELNET protocol sequences, and qquuiitt
is sent as a TELNET ABORT instead of BREAK There are options (see ttooggggllee
aauuttoofflluusshh and ttooggggllee aauuttoossyynncchh below) which cause this action to flush
subsequent output to the terminal (until the remote host acknowledges the
TELNET sequence) and flush previous terminal input (in the case of qquuiitt
and iinnttrr).
While connected to a remote host, tteellnneett command mode may be entered by
typing the tteellnneett ``escape character'' (initially ``^]''). When in com-
mand mode, the normal terminal editing conventions are available.
The following tteellnneett commands are available. Only enough of each command
to uniquely identify it need be typed (this is also true for arguments to
the mmooddee, sseett, ttooggggllee, uunnsseett, ssllcc, eennvviirroonn, and ddiissppllaayy commands).
aauutthh _a_r_g_u_m_e_n_t _._._.
The auth command manipulates the information sent through the
TELNET AUTHENTICATE option. Valid arguments for the auth com-
mand are as follows:
ddiissaabbllee _t_y_p_e Disables the specified type of authentication.
To obtain a list of available types, use the
aauutthh ddiissaabbllee ?? command.
eennaabbllee _t_y_p_e Enables the specified type of authentication.
To obtain a list of available types, use the
aauutthh eennaabbllee ?? command.
ssttaattuuss Lists the current status of the various types of
authentication.
cclloossee Close a TELNET session and return to command mode.
ddiissppllaayy _a_r_g_u_m_e_n_t _._._.
Displays all, or some, of the sseett and ttooggggllee values (see be-
low).
eennccrryypptt _a_r_g_u_m_e_n_t _._._.
The encrypt command manipulates the information sent through
the TELNET ENCRYPT option.
Note: Because of export controls, the TELNET ENCRYPT option
is not supported outside of the United States and Canada.
Valid arguments for the encrypt command are as follows:
ddiissaabbllee _t_y_p_e [iinnppuutt | oouuttppuutt]
Disables the specified type of encryption. If
you omit the input and output, both input and
output are disabled. To obtain a list of avail-
able types, use the eennccrryypptt ddiissaabbllee ?? command.
eennaabbllee _t_y_p_e [iinnppuutt | oouuttppuutt]
Enables the specified type of encryption. If
you omit input and output, both input and output
are enabled. To obtain a list of available
types, use the eennccrryypptt eennaabbllee ?? command.
iinnppuutt This is the same as the eennccrryypptt ssttaarrtt iinnppuutt com-
mand.
--iinnppuutt This is the same as the eennccrryypptt ssttoopp iinnppuutt com-
mand.
oouuttppuutt This is the same as the eennccrryypptt ssttaarrtt oouuttppuutt
command.
--oouuttppuutt This is the same as the eennccrryypptt ssttoopp oouuttppuutt com-
mand.
ssttaarrtt [iinnppuutt | oouuttppuutt]
Attempts to start encryption. If you omit iinnppuutt
and oouuttppuutt, both input and output are enabled.
To obtain a list of available types, use the
eennccrryypptt eennaabbllee ?? command.
ssttaattuuss Lists the current status of encryption.
ssttoopp [iinnppuutt | oouuttppuutt]
Stops encryption. If you omit input and output,
encryption is on both input and output.
ttyyppee _t_y_p_e Sets the default type of encryption to be used
with later eennccrryypptt ssttaarrtt or eennccrryypptt ssttoopp com-
mands.
eennvviirroonn _a_r_g_u_m_e_n_t_s _._._.
The eennvviirroonn command is used to manipulate the the variables
that my be sent through the TELNET ENVIRON option. The ini-
tial set of variables is taken from the users environment,
with only the DISPLAY and PRINTER variables being exported by
default. The USER variable is also exported if the --aa or --ll
options are used.
Valid arguments for the eennvviirroonn command are:
ddeeffiinnee _v_a_r_i_a_b_l_e _v_a_l_u_e
Define the variable _v_a_r_i_a_b_l_e to have a value of
_v_a_l_u_e. Any variables defined by this command are
automatically exported. The _v_a_l_u_e may be enclosed
in single or double quotes so that tabs and spaces
may be included.
uunnddeeffiinnee _v_a_r_i_a_b_l_e
Remove _v_a_r_i_a_b_l_e from the list of environment vari-
ables.
eexxppoorrtt _v_a_r_i_a_b_l_e
Mark the variable _v_a_r_i_a_b_l_e to be exported to the
remote side.
uunneexxppoorrtt _v_a_r_i_a_b_l_e
Mark the variable _v_a_r_i_a_b_l_e to not be exported un-
less explicitly asked for by the remote side.
lliisstt List the current set of environment variables.
Those marked with a ** will be sent automatically,
other variables will only be sent if explicitly
requested.
?? Prints out help information for the eennvviirroonn com-
mand.
llooggoouutt Sends the TELNET LOGOUT option to the remote side. This com-
mand is similar to a cclloossee command; however, if the remote
side does not support the LOGOUT option, nothing happens. If,
however, the remote side does support the LOGOUT option, this
command should cause the remote side to close the TELNET con-
nection. If the remote side also supports the concept of sus-
pending a user's session for later reattachment, the logout
argument indicates that you should terminate the session imme-
diately.
mmooddee _t_y_p_e _T_y_p_e is one of several options, depending on the state of the
TELNET session. The remote host is asked for permission to go
into the requested mode. If the remote host is capable of en-
tering that mode, the requested mode will be entered.
cchhaarraacctteerr Disable the TELNET LINEMODE option, or, if the
remote side does not understand the LINEMODE op-
tion, then enter ``character at a time`` mode.
lliinnee Enable the TELNET LINEMODE option, or, if the
remote side does not understand the LINEMODE op-
tion, then attempt to enter ``old-line-by-line``
mode.
iissiigg (--iissiigg) Attempt to enable (disable) the TRAPSIG mode of
the LINEMODE option. This requires that the
LINEMODE option be enabled.
eeddiitt (--eeddiitt) Attempt to enable (disable) the EDIT mode of the
LINEMODE option. This requires that the
LINEMODE option be enabled.
ssooffttttaabbss (--ssooffttttaabbss)
Attempt to enable (disable) the SOFT_TAB mode of
the LINEMODE option. This requires that the
LINEMODE option be enabled.
lliitteecchhoo (--lliitteecchhoo)
Attempt to enable (disable) the LIT_ECHO mode of
the LINEMODE option. This requires that the
LINEMODE option be enabled.
?? Prints out help information for the mmooddee com-
mand.
ooppeenn _h_o_s_t [--ll _u_s_e_r] [[--]_p_o_r_t]
Open a connection to the named host. If no port number is
specified, tteellnneett will attempt to contact a TELNET server at
the default port. The host specification may be either a host
name (see hosts(5)) or an Internet address specified in the
``dot notation'' (see inet(3)). The [--ll] option may be used
to specify the user name to be passed to the remote system via
the ENVIRON option. When connecting to a non-standard port,
tteellnneett omits any automatic initiation of TELNET options. When
the port number is preceded by a minus sign, the initial op-
tion negotiation is done. After establishing a connection,
the file _._t_e_l_n_e_t_r_c in the users home directory is opened.
Lines beginning with a # are comment lines. Blank lines are
ignored. Lines that begin without white space are the start
of a machine entry. The first thing on the line is the name
of the machine that is being connected to. The rest of the
line, and successive lines that begin with white space are as-
sumed to be tteellnneett commands and are processed as if they had
been typed in manually to the tteellnneett command prompt.
qquuiitt Close any open TELNET session and exit tteellnneett. An end of file
(in command mode) will also close a session and exit.
sseenndd _a_r_g_u_m_e_n_t_s
Sends one or more special character sequences to the remote
host. The following are the arguments which may be specified
(more than one argument may be specified at a time):
aabboorrtt Sends the TELNET ABORT (Abort processes) sequence.
aaoo Sends the TELNET AO (Abort Output) sequence, which
should cause the remote system to flush all output
_f_r_o_m the remote system _t_o the user's terminal.
aayytt Sends the TELNET AYT (Are You There) sequence, to
which the remote system may or may not choose to re-
spond.
bbrrkk Sends the TELNET BRK (Break) sequence, which may have
significance to the remote system.
eecc Sends the TELNET EC (Erase Character) sequence, which
should cause the remote system to erase the last char-
acter entered.
eell Sends the TELNET EL (Erase Line) sequence, which
should cause the remote system to erase the line cur-
rently being entered.
eeooff Sends the TELNET EOF (End Of File) sequence.
eeoorr Sends the TELNET EOR (End of Record) sequence.
eessccaappee Sends the current tteellnneett escape character (initially
``^'').
ggaa Sends the TELNET GA (Go Ahead) sequence, which likely
has no significance to the remote system.
ggeettssttaattuuss
If the remote side supports the TELNET STATUS command,
ggeettssttaattuuss will send the subnegotiation to request that
the server send its current option status.
iipp Sends the TELNET IP (Interrupt Process) sequence,
which should cause the remote system to abort the cur-
rently running process.
nnoopp Sends the TELNET NOP (No OPeration) sequence.
ssuusspp Sends the TELNET SUSP (SUSPend process) sequence.
ssyynncchh Sends the TELNET SYNCH sequence. This sequence causes
the remote system to discard all previously typed (but
not yet read) input. This sequence is sent as TCP ur-
gent data (and may not work if the remote system is a
4.2BSD system -- if it doesn't work, a lower case
``r'' may be echoed on the terminal).
ddoo _c_m_d
ddoonntt _c_m_d
wwiillll _c_m_d
wwoonntt _c_m_d
Sends the TELNET DO _c_m_d sequence. _C_m_d can be either a
decimal number between 0 and 255, or a symbolic name
for a specific TELNET command. _C_m_d can also be either
hheellpp or ?? to print out help information, including a
list of known symbolic names.
?? Prints out help information for the sseenndd command.
sseett _a_r_g_u_m_e_n_t _v_a_l_u_e
uunnsseett _a_r_g_u_m_e_n_t _v_a_l_u_e
The sseett command will set any one of a number of tteellnneett vari-
ables to a specific value or to TRUE. The special value ooffff
turns off the function associated with the variable, this is
equivalent to using the uunnsseett command. The uunnsseett command will
disable or set to FALSE any of the specified functions. The
values of variables may be interrogated with the ddiissppllaayy com-
mand. The variables which may be set or unset, but not tog-
gled, are listed here. In addition, any of the variables for
the ttooggggllee command may be explicitly set or unset using the
sseett and uunnsseett commands.
aayytt If TELNET is in localchars mode, or LINEMODE is en-
abled, and the status character is typed, a TELNET AYT
sequence (see sseenndd aayytt preceding) is sent to the re-
mote host. The initial value for the "Are You There"
character is the terminal's status character.
eecchhoo This is the value (initially ``^E'') which, when in
``line by line'' mode, toggles between doing local
echoing of entered characters (for normal processing),
and suppressing echoing of entered characters (for en-
tering, say, a password).
eeooff If tteellnneett is operating in LINEMODE or ``old line by
line'' mode, entering this character as the first
character on a line will cause this character to be
sent to the remote system. The initial value of the
eof character is taken to be the terminal's eeooff char-
acter.
eerraassee If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
below), aanndd if tteellnneett is operating in ``character at a
time'' mode, then when this character is typed, a
TELNET EC sequence (see sseenndd eecc above) is sent to the
remote system. The initial value for the erase char-
acter is taken to be the terminal's eerraassee character.
eessccaappee This is the tteellnneett escape character (initially ``^['')
which causes entry into tteellnneett command mode (when con-
nected to a remote system).
fflluusshhoouuttppuutt
If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
below) and the fflluusshhoouuttppuutt character is typed, a
TELNET AO sequence (see sseenndd aaoo above) is sent to the
remote host. The initial value for the flush charac-
ter is taken to be the terminal's fflluusshh character.
ffoorrww11
ffoorrww22 If TELNET is operating in LINEMODE, these are the
characters that, when typed, cause partial lines to be
forwarded to the remote system. The initial value for
the forwarding characters are taken from the termi-
nal's eol and eol2 characters.
iinntteerrrruupptt
If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
below) and the iinntteerrrruupptt character is typed, a TELNET
IP sequence (see sseenndd iipp above) is sent to the remote
host. The initial value for the interrupt character
is taken to be the terminal's iinnttrr character.
kkiillll If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
below), aanndd if tteellnneett is operating in ``character at a
time'' mode, then when this character is typed, a
TELNET EL sequence (see sseenndd eell above) is sent to the
remote system. The initial value for the kill charac-
ter is taken to be the terminal's kkiillll character.
llnneexxtt If tteellnneett is operating in LINEMODE or ``old line by
line`` mode, then this character is taken to be the
terminal's llnneexxtt character. The initial value for the
lnext character is taken to be the terminal's llnneexxtt
character.
qquuiitt If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
below) and the qquuiitt character is typed, a TELNET BRK
sequence (see sseenndd bbrrkk above) is sent to the remote
host. The initial value for the quit character is
taken to be the terminal's qquuiitt character.
rreepprriinntt
If tteellnneett is operating in LINEMODE or ``old line by
line`` mode, then this character is taken to be the
terminal's rreepprriinntt character. The initial value for
the reprint character is taken to be the terminal's
rreepprriinntt character.
rrllooggiinn This is the rlogin escape character. If set, the nor-
mal TELNET escape character is ignored unless it is
preceded by this character at the beginning of a line.
This character, at the beginning of a line followed by
a "." closes the connection; when followed by a ^Z it
suspends the telnet command. The initial state is to
disable the rlogin escape character.
ssttaarrtt If the TELNET TOGGLE-FLOW-CONTROL option has been en-
abled, then this character is taken to be the termi-
nal's ssttaarrtt character. The initial value for the kill
character is taken to be the terminal's ssttaarrtt charac-
ter.
ssttoopp If the TELNET TOGGLE-FLOW-CONTROL option has been en-
abled, then this character is taken to be the termi-
nal's ssttoopp character. The initial value for the kill
character is taken to be the terminal's ssttoopp charac-
ter.
ssuusspp If tteellnneett is in llooccaallcchhaarrss mode, or LINEMODE is en-
abled, and the ssuussppeenndd character is typed, a TELNET
SUSP sequence (see sseenndd ssuusspp above) is sent to the re-
mote host. The initial value for the suspend charac-
ter is taken to be the terminal's ssuussppeenndd character.
ttrraacceeffiillee
This is the file to which the output, caused by
nneettddaattaa or ooppttiioonn tracing being TRUE, will be written.
If it is set to ``--'', then tracing information will
be written to standard output (the default).
wwoorrddeerraassee
If tteellnneett is operating in LINEMODE or ``old line by
line`` mode, then this character is taken to be the
terminal's wwoorrddeerraassee character. The initial value for
the worderase character is taken to be the terminal's
wwoorrddeerraassee character.
?? Displays the legal sseett (uunnsseett) commands.
ssllcc _s_t_a_t_e The ssllcc command (Set Local Characters) is used to set or
change the state of the the special characters when the TELNET
LINEMODE option has been enabled. Special characters are
characters that get mapped to TELNET commands sequences (like
iipp or qquuiitt) or line editing characters (like eerraassee and kkiillll).
By default, the local special characters are exported.
cchheecckk Verify the current settings for the current spe-
cial characters. The remote side is requested to
send all the current special character settings,
and if there are any discrepancies with the local
side, the local side will switch to the remote
value.
eexxppoorrtt Switch to the local defaults for the special char-
acters. The local default characters are those of
the local terminal at the time when tteellnneett was
started.
iimmppoorrtt Switch to the remote defaults for the special
characters. The remote default characters are
those of the remote system at the time when the
TELNET connection was established.
?? Prints out help information for the ssllcc command.
ssttaattuuss Show the current status of tteellnneett. This includes the peer one
is connected to, as well as the current mode.
ttooggggllee _a_r_g_u_m_e_n_t_s _._._.
Toggle (between TRUE and FALSE) various flags that control how
tteellnneett responds to events. These flags may be set explicitly
to TRUE or FALSE using the sseett and uunnsseett commands listed
above. More than one argument may be specified. The state of
these flags may be interrogated with the ddiissppllaayy command.
Valid arguments are:
aauutthhddeebbuugg Turns on debugging information for the authenti-
cation code.
aauuttoofflluusshh If aauuttoofflluusshh and llooccaallcchhaarrss are both TRUE, then
when the aaoo, or qquuiitt characters are recognized
(and transformed into TELNET sequences; see sseett
above for details), tteellnneett refuses to display
any data on the user's terminal until the remote
system acknowledges (via a TELNET TIMING MARK
option) that it has processed those TELNET se-
quences. The initial value for this toggle is
TRUE if the terminal user had not done an "stty
noflsh", otherwise FALSE (see stty(1)).
aauuttooddeeccrryypptt When the TELNET ENCRYPT option is negotiated, by
default the actual encryption (decryption) of
the data stream does not start automatically.
The autoencrypt (autodecrypt) command states
that encryption of the output (input) stream
should be enabled as soon as possible.
Note: Because of export controls, the TELNET
ENCRYPT option is not supported outside the
United States and Canada.
aauuttoollooggiinn If the remote side supports the TELNET
AUTHENTICATION option TELNET attempts to use it
to perform automatic authentication. If the
AUTHENTICATION option is not supported, the us-
er's login name are propagated through the
TELNET ENVIRON option. This command is the same
as specifying _a option on the ooppeenn command.
aauuttoossyynncchh If aauuttoossyynncchh and llooccaallcchhaarrss are both TRUE, then
when either the iinnttrr or qquuiitt characters is typed
(see sseett above for descriptions of the iinnttrr and
qquuiitt characters), the resulting TELNET sequence
sent is followed by the TELNET SYNCH sequence.
This procedure sshhoouulldd cause the remote system to
begin throwing away all previously typed input
until both of the TELNET sequences have been
read and acted upon. The initial value of this
toggle is FALSE.
bbiinnaarryy Enable or disable the TELNET BINARY option on
both input and output.
iinnbbiinnaarryy Enable or disable the TELNET BINARY option on
input.
oouuttbbiinnaarryy Enable or disable the TELNET BINARY option on
output.
ccrrllff If this is TRUE, then carriage returns will be
sent as <CR><LF>. If this is FALSE, then car-
riage returns will be send as <CR><NUL>. The
initial value for this toggle is FALSE.
ccrrmmoodd Toggle carriage return mode. When this mode is
enabled, most carriage return characters re-
ceived from the remote host will be mapped into
a carriage return followed by a line feed. This
mode does not affect those characters typed by
the user, only those received from the remote
host. This mode is not very useful unless the
remote host only sends carriage return, but nev-
er line feed. The initial value for this toggle
is FALSE.
ddeebbuugg Toggles socket level debugging (useful only to
the ssuuppeerr uusseerr). The initial value for this
toggle is FALSE.
eennccddeebbuugg Turns on debugging information for the encryp-
tion code.
llooccaallcchhaarrss If this is TRUE, then the fflluusshh, iinntteerrrruupptt,
qquuiitt, eerraassee, and kkiillll characters (see sseett above)
are recognized locally, and transformed into
(hopefully) appropriate TELNET control sequences
(respectively aaoo, iipp, bbrrkk, eecc, and eell; see sseenndd
above). The initial value for this toggle is
TRUE in ``old line by line'' mode, and FALSE in
``character at a time'' mode. When the LINEMODE
option is enabled, the value of llooccaallcchhaarrss is
ignored, and assumed to always be TRUE. If
LINEMODE has ever been enabled, then qquuiitt is
sent as aabboorrtt, and eeooff and ssuussppeenndd are sent as
eeooff and ssuusspp, see sseenndd above).
nneettddaattaa Toggles the display of all network data (in hex-
adecimal format). The initial value for this
toggle is FALSE.
ooppttiioonnss Toggles the display of some internal tteellnneett pro-
tocol processing (having to do with TELNET op-
tions). The initial value for this toggle is
FALSE.
pprreettttyydduummpp When the nneettddaattaa toggle is enabled, if
pprreettttyydduummpp is enabled the output from the
nneettddaattaa command will be formatted in a more user
readable format. Spaces are put between each
character in the output, and the beginning of
any TELNET escape sequence is preceded by a '*'
to aid in locating them.
sskkiipprrcc When the skiprc toggle is TRUE, TELNET skips the
reading of the _._t_e_l_n_e_t_r_c file in the users home
directory when connections are opened. The ini-
tial value for this toggle is FALSE.
tteerrmmddaattaa Toggles the display of all terminal data (in
hexadecimal format). The initial value for this
toggle is FALSE.
vveerrbboossee__eennccrryypptt
When the vveerrbboossee__eennccrryypptt toggle is TRUE, TELNET
prints out a message each time encryption is en-
abled or disabled. The initial value for this
toggle is FALSE. Note: Because of export con-
trols, data encryption is not supported outside
of the United States and Canada.
?? Displays the legal ttooggggllee commands.
zz Suspend tteellnneett. This command only works when the user is us-
ing the csh(1).
!! [_c_o_m_m_a_n_d]
Execute a single command in a subshell on the local system.
If ccoommmmaanndd is omitted, then an interactive subshell is in-
voked.
?? [_c_o_m_m_a_n_d]
Get help. With no arguments, tteellnneett prints a help summary.
If a command is specified, tteellnneett will print the help informa-
tion for just that command.
EENNVVIIRROONNMMEENNTT
TTeellnneett uses at least the HOME, SHELL, DISPLAY, and TERM environment vari-
ables. Other environment variables may be propagated to the other side
via the TELNET ENVIRON option.
FFIILLEESS
~/.telnetrc user customized telnet startup values
HHIISSTTOORRYY
The TTeellnneett command appeared in 4.2BSD.
NNOOTTEESS
On some remote systems, echo has to be turned off manually when in ``old
line by line'' mode.
In ``old line by line'' mode or LINEMODE the terminal's eeooff character is
only recognized (and sent to the remote system) when it is the first
character on a line.
4.2 Berkeley Distribution June 1, 1994 11
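Review bot: this drops the preformatted telnet(1) catpage outright, so confirm the roff source for telnet.1 is still built and installed after the 0.6.1 import, otherwise the only record of the `set`/`toggle` semantics goes with it. The part worth keeping is security-relevant: the `autoencrypt`/`autodecrypt` entry states that even once ENCRYPT is negotiated "the actual encryption (decryption) of the data stream does not start automatically", i.e. a session can negotiate the option and still run in the clear unless the user toggles these on. The page also carries text that should not be regenerated as-is: the "Because of export controls ... not supported outside the United States and Canada" notes under `autodecrypt` and `verbose_encrypt` are stale, and the `autologin` entry's "same as specifying _a option on the open command" has lost the option dash.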


@ -1,293 +0,0 @@
TELNETD(8) NetBSD System Manager's Manual TELNETD(8)
NNAAMMEE
tteellnneettdd - DARPA TELNET protocol server
SSYYNNOOPPSSIISS
tteellnneettdd [--BBUUhhkkllnn] [--DD _d_e_b_u_g_m_o_d_e] [--SS _t_o_s] [--XX _a_u_t_h_t_y_p_e] [--aa _a_u_t_h_m_o_d_e]
[--rr_l_o_w_p_t_y_-_h_i_g_h_p_t_y] [--uu _l_e_n] [--ddeebbuugg] [--LL _/_b_i_n_/_l_o_g_i_n] [--yy] [_p_o_r_t]
DDEESSCCRRIIPPTTIIOONN
The tteellnneettdd command is a server which supports the DARPA standard TELNET
virtual terminal protocol. TTeellnneettdd is normally invoked by the internet
server (see inetd(8)) for requests to connect to the TELNET port as indi-
cated by the _/_e_t_c_/_s_e_r_v_i_c_e_s file (see services(5)). The --ddeebbuugg option may
be used to start up tteellnneettdd manually, instead of through inetd(8). If
started up this way, _p_o_r_t may be specified to run tteellnneettdd on an alternate
TCP port number.
The tteellnneettdd command accepts the following options:
--aa _a_u_t_h_m_o_d_e This option may be used for specifying what mode should be
used for authentication. Note that this option is only use-
ful if tteellnneettdd has been compiled with support for the
AUTHENTICATION option. There are several valid values for
_a_u_t_h_m_o_d_e:
debug Turns on authentication debugging code.
user Only allow connections when the remote user can pro-
vide valid authentication information to identify the
remote user, and is allowed access to the specified
account without providing a password.
valid Only allow connections when the remote user can pro-
vide valid authentication information to identify the
remote user. The login(1) command will provide any
additional user verification needed if the remote us-
er is not allowed automatic access to the specified
account.
other Only allow connections that supply some authentica-
tion information. This option is currently not sup-
ported by any of the existing authentication mecha-
nisms, and is thus the same as specifying --aa vvaalliidd.
otp Only allow authenticated connections (as with --aa
uusseerr) and also logins with one-time passwords (OTPs).
This option will call login with an option so that
only OTPs are accepted. The user can of course still
type secret information at the prompt.
none This is the default state. Authentication informa-
tion is not required. If no or insufficient authen-
tication information is provided, then the login(1)
program will provide the necessary user verification.
off This disables the authentication code. All user ver-
ification will happen through the login(1) program.
--BB Ignored.
--DD _d_e_b_u_g_m_o_d_e
This option may be used for debugging purposes. This allows
tteellnneettdd to print out debugging information to the connec-
tion, allowing the user to see what tteellnneettdd is doing. There
are several possible values for _d_e_b_u_g_m_o_d_e:
ooppttiioonnss Prints information about the negotiation of TELNET
options.
rreeppoorrtt Prints the ooppttiioonnss information, plus some addi-
tional information about what processing is going
on.
nneettddaattaa Displays the data stream received by tteellnneettdd.
ppttyyddaattaa Displays data written to the pty.
eexxeerrcciissee Has not been implemented yet.
--hh Disables the printing of host-specific information before
login has been completed.
--kk
--ll Ignored.
--nn Disable TCP keep-alives. Normally tteellnneettdd enables the TCP
keep-alive mechanism to probe connections that have been
idle for some period of time to determine if the client is
still there, so that idle connections from machines that
have crashed or can no longer be reached may be cleaned up.
--rr _l_o_w_p_t_y_-_h_i_g_h_p_t_y
This option is only enabled when tteellnneettdd is compiled for
UNICOS. It specifies an inclusive range of pseudo-terminal
devices to use. If the system has sysconf variable
_SC_CRAY_NPTY configured, the default pty search range is 0
to _SC_CRAY_NPTY; otherwise, the default range is 0 to 128.
Either _l_o_w_p_t_y or _h_i_g_h_p_t_y may be omitted to allow changing
either end of the search range. If _l_o_w_p_t_y is omitted, the -
character is still required so that tteellnneettdd can differenti-
ate _h_i_g_h_p_t_y from _l_o_w_p_t_y.
--SS _t_o_s
--uu _l_e_n This option is used to specify the size of the field in the
utmp structure that holds the remote host name. If the re-
solved host name is longer than _l_e_n, the dotted decimal val-
ue will be used instead. This allows hosts with very long
host names that overflow this field to still be uniquely
identified. Specifying --uu00 indicates that only dotted deci-
mal addresses should be put into the _u_t_m_p file.
--UU This option causes tteellnneettdd to refuse connections from ad-
dresses that cannot be mapped back into a symbolic name via
the gethostbyaddr(3) routine.
--XX _a_u_t_h_t_y_p_e This option is only valid if tteellnneettdd has been built with
support for the authentication option. It disables the use
of _a_u_t_h_t_y_p_e authentication, and can be used to temporarily
disable a specific authentication type without having to re-
compile tteellnneettdd.
--LL _p_a_t_h_n_a_m_e Specify pathname to an alternative login program.
--yy Makes tteellnneettdd not warn when a user is trying to login with a
cleartext password.
TTeellnneettdd operates by allocating a pseudo-terminal device (see pty(4)) for
a client, then creating a login process which has the slave side of the
pseudo-terminal as stdin, stdout and stderr. TTeellnneettdd manipulates the
master side of the pseudo-terminal, implementing the TELNET protocol and
passing characters between the remote client and the login process.
When a TELNET session is started up, tteellnneettdd sends TELNET options to the
client side indicating a willingness to do the following TELNET options,
which are described in more detail below:
DO AUTHENTICATION
WILL ENCRYPT
DO TERMINAL TYPE
DO TSPEED
DO XDISPLOC
DO NEW-ENVIRON
DO ENVIRON
WILL SUPPRESS GO AHEAD
DO ECHO
DO LINEMODE
DO NAWS
WILL STATUS
DO LFLOW
DO TIMING-MARK
The pseudo-terminal allocated to the client is configured to operate in
``cooked'' mode, and with XTABS and CRMOD enabled (see tty(4)).
TTeellnneettdd has support for enabling locally the following TELNET options:
WILL ECHO When the LINEMODE option is enabled, a WILL ECHO or
WONT ECHO will be sent to the client to indicate the
current state of terminal echoing. When terminal echo
is not desired, a WILL ECHO is sent to indicate that
telnetd will take care of echoing any data that needs
to be echoed to the terminal, and then nothing is
echoed. When terminal echo is desired, a WONT ECHO is
sent to indicate that telnetd will not be doing any
terminal echoing, so the client should do any terminal
echoing that is needed.
WILL BINARY Indicates that the client is willing to send a 8 bits
of data, rather than the normal 7 bits of the Network
Virtual Terminal.
WILL SGA Indicates that it will not be sending IAC GA, go
ahead, commands.
WILL STATUS Indicates a willingness to send the client, upon re-
quest, of the current status of all TELNET options.
WILL TIMING-MARK Whenever a DO TIMING-MARK command is received, it is
always responded to with a WILL TIMING-MARK
WILL LOGOUT When a DO LOGOUT is received, a WILL LOGOUT is sent in
response, and the TELNET session is shut down.
WILL ENCRYPT Only sent if tteellnneettdd is compiled with support for data
encryption, and indicates a willingness to decrypt the
data stream.
TTeellnneettdd has support for enabling remotely the following TELNET options:
DO BINARY Sent to indicate that telnetd is willing to receive an
8 bit data stream.
DO LFLOW Requests that the client handle flow control charac-
ters remotely.
DO ECHO This is not really supported, but is sent to identify
a 4.2BSD telnet(1) client, which will improperly re-
spond with WILL ECHO. If a WILL ECHO is received, a
DONT ECHO will be sent in response.
DO TERMINAL-TYPE Indicates a desire to be able to request the name of
the type of terminal that is attached to the client
side of the connection.
DO SGA Indicates that it does not need to receive IAC GA, the
go ahead command.
DO NAWS Requests that the client inform the server when the
window (display) size changes.
DO TERMINAL-SPEED Indicates a desire to be able to request information
about the speed of the serial line to which the client
is attached.
DO XDISPLOC Indicates a desire to be able to request the name of
the X windows display that is associated with the tel-
net client.
DO NEW-ENVIRON Indicates a desire to be able to request environment
variable information, as described in RFC 1572.
DO ENVIRON Indicates a desire to be able to request environment
variable information, as described in RFC 1408.
DO LINEMODE Only sent if tteellnneettdd is compiled with support for
linemode, and requests that the client do line by line
processing.
DO TIMING-MARK Only sent if tteellnneettdd is compiled with support for both
linemode and kludge linemode, and the client responded
with WONT LINEMODE. If the client responds with WILL
TM, the it is assumed that the client supports kludge
linemode. Note that the [--kk] option can be used to
disable this.
DO AUTHENTICATION Only sent if tteellnneettdd is compiled with support for au-
thentication, and indicates a willingness to receive
authentication information for automatic login.
DO ENCRYPT Only sent if tteellnneettdd is compiled with support for data
encryption, and indicates a willingness to decrypt the
data stream.
FFIILLEESS
/etc/services
/etc/inittab (UNICOS systems only)
/etc/iptos (if supported)
SSEEEE AALLSSOO
telnet(1), login(1)
SSTTAANNDDAARRDDSS
RRFFCC--885544 TELNET PROTOCOL SPECIFICATION
RRFFCC--885555 TELNET OPTION SPECIFICATIONS
RRFFCC--885566 TELNET BINARY TRANSMISSION
RRFFCC--885577 TELNET ECHO OPTION
RRFFCC--885588 TELNET SUPPRESS GO AHEAD OPTION
RRFFCC--885599 TELNET STATUS OPTION
RRFFCC--886600 TELNET TIMING MARK OPTION
RRFFCC--886611 TELNET EXTENDED OPTIONS - LIST OPTION
RRFFCC--888855 TELNET END OF RECORD OPTION
RRFFCC--11007733 Telnet Window Size Option
RRFFCC--11007799 Telnet Terminal Speed Option
RRFFCC--11009911 Telnet Terminal-Type Option
RRFFCC--11009966 Telnet X Display Location Option
RRFFCC--11112233 Requirements for Internet Hosts -- Application and Support
RRFFCC--11118844 Telnet Linemode Option
RRFFCC--11337722 Telnet Remote Flow Control Option
RRFFCC--11441166 Telnet Authentication Option
RRFFCC--11441111 Telnet Authentication: Kerberos Version 4
RRFFCC--11441122 Telnet Authentication: SPX
RRFFCC--11557711 Telnet Environment Option Interoperability Issues
RRFFCC--11557722 Telnet Environment Option
BBUUGGSS
Some TELNET commands are only partially implemented.
Because of bugs in the original 4.2 BSD telnet(1), tteellnneettdd performs some
dubious protocol exchanges to try to discover if the remote client is, in
fact, a 4.2 BSD telnet(1).
Binary mode has no common interpretation except between similar operating
systems (Unix in this case).
The terminal type name received from the remote client is converted to
lower case.
TTeellnneettdd never sends TELNET IAC GA (go ahead) commands.
4.2 Berkeley Distribution June 1, 1994 5
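Review bot: same concern as for telnet(1): make sure telnetd.8 source survives, because this page is where the daemon's weak defaults are spelled out and they need to stay documented. Specifically `-a none` is the default and "Authentication information is not required", `-y` silences the warning about a user logging in with a cleartext password, and `-U` admits connections based on whether gethostbyaddr(3) can map the address back to a name, which is a reverse-DNS check and not an access control anyone should rely on. If the page is regenerated rather than removed, two entries are empty and need text: `-k` at "-k" / "-l Ignored." has no description of its own, and `-S tos` has none either.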


@ -1,121 +0,0 @@
KADMIN(8) NetBSD System Manager's Manual KADMIN(8)
NNAAMMEE
kkaaddmmiinn - Kerberos administration utility
SSYYNNOOPPSSIISS
kkaaddmmiinn [--pp _s_t_r_i_n_g | ----pprriinncciippaall==_s_t_r_i_n_g] [--KK _s_t_r_i_n_g | ----kkeeyyttaabb==_s_t_r_i_n_g] [--cc
_f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--kk _f_i_l_e | ----kkeeyy--ffiillee==_f_i_l_e] [--rr _r_e_a_l_m |
----rreeaallmm==_r_e_a_l_m] [--aa _h_o_s_t | ----aaddmmiinn--sseerrvveerr==_h_o_s_t] [--ss _p_o_r_t _n_u_m_b_e_r |
----sseerrvveerr--ppoorrtt==_p_o_r_t _n_u_m_b_e_r] [--ll | ----llooccaall] [--hh | ----hheellpp] [--vv | ----vveerrssiioonn]
[_c_o_m_m_a_n_d]
DDEESSCCRRIIPPTTIIOONN
The kkaaddmmiinn program is used to make modification to the Kerberos database,
either remotely via the kadmind(8) daemon, or locally (with the --ll op-
tion).
Supported options:
--pp _s_t_r_i_n_g, ----pprriinncciippaall==_s_t_r_i_n_g
principal to authenticate as
--KK _s_t_r_i_n_g, ----kkeeyyttaabb==_s_t_r_i_n_g
keytab for authentication pricipal
--cc _f_i_l_e, ----ccoonnffiigg--ffiillee==_f_i_l_e
location of config file
--kk _f_i_l_e, ----kkeeyy--ffiillee==_f_i_l_e
location of master key file
--rr _r_e_a_l_m, ----rreeaallmm==_r_e_a_l_m
realm to use
--aa _h_o_s_t, ----aaddmmiinn--sseerrvveerr==_h_o_s_t
server to contact
--ss _p_o_r_t _n_u_m_b_e_r, ----sseerrvveerr--ppoorrtt==_p_o_r_t _n_u_m_b_e_r
port to use
--ll, ----llooccaall
local admin mode
If no _c_o_m_m_a_n_d is given on the command line, kkaaddmmiinn will prompt for com-
mands to process. Commands include:
aadddd [--rr | ----rraannddoomm--kkeeyy] [----rraannddoomm--ppaasssswwoorrdd] [--pp _s_t_r_i_n_g |
----ppaasssswwoorrdd==_s_t_r_i_n_g] [----kkeeyy==_s_t_r_i_n_g] [----mmaaxx--ttiicckkeett--lliiffee==_l_i_f_e_t_i_m_e]
[----mmaaxx--rreenneewwaabbllee--lliiffee==_l_i_f_e_t_i_m_e] [----aattttrriibbuutteess==_a_t_t_r_i_b_u_t_e_s]
[----eexxppiirraattiioonn--ttiimmee==_t_i_m_e] [----ppww--eexxppiirraattiioonn--ttiimmee==_t_i_m_e] _p_r_i_n_c_i_p_a_l_._._.
creates a new principal
ppaasssswwdd [--rr | ----rraannddoomm--kkeeyy] [----rraannddoomm--ppaasssswwoorrdd] [--pp _s_t_r_i_n_g |
----ppaasssswwoorrdd==_s_t_r_i_n_g] [----kkeeyy==_s_t_r_i_n_g] _p_r_i_n_c_i_p_a_l_._._.
changes the password of an existing principal
ddeelleettee _p_r_i_n_c_i_p_a_l_._._.
removes a principal
ddeell__eennccttyyppee _p_r_i_n_c_i_p_a_l _e_n_c_t_y_p_e_s_._._.
removes some enctypes from a principal, this can be useful
the service belonging to the principal is known to not handle
certain enctypes
eexxtt__kkeeyyttaabb [--kk _s_t_r_i_n_g | ----kkeeyyttaabb==_s_t_r_i_n_g] _p_r_i_n_c_i_p_a_l_._._.
creates a keytab with the keys of the specified principals
ggeett [--ll | ----lloonngg] [--ss | ----sshhoorrtt] [--tt | ----tteerrssee] _e_x_p_r_e_s_s_i_o_n_._._.
lists the principals that match the expressions (which are
shell glob like), long format gives more information, and
terse just prints the names
rreennaammee _f_r_o_m _t_o
renames a principal
mmooddiiffyy [--aa _a_t_t_r_i_b_u_t_e_s | ----aattttrriibbuutteess==_a_t_t_r_i_b_u_t_e_s]
[----mmaaxx--ttiicckkeett--lliiffee==_l_i_f_e_t_i_m_e] [----mmaaxx--rreenneewwaabbllee--lliiffee==_l_i_f_e_t_i_m_e]
[----eexxppiirraattiioonn--ttiimmee==_t_i_m_e] [----ppww--eexxppiirraattiioonn--ttiimmee==_t_i_m_e]
[----kkvvnnoo==_n_u_m_b_e_r] _p_r_i_n_c_i_p_a_l
modifies certain attributes of a principal
pprriivviilleeggeess
lists the operations you are allowd to perform
When running in local mode, the following commands can also be used.
dduummpp [--dd | ----ddeeccrryypptt] [_d_u_m_p_-_f_i_l_e]
writes the database in ``human readable'' form to the speci-
fied file, or standard out
iinniitt [----rreeaallmm--mmaaxx--ttiicckkeett--lliiffee==_s_t_r_i_n_g]
[----rreeaallmm--mmaaxx--rreenneewwaabbllee--lliiffee==_s_t_r_i_n_g] _r_e_a_l_m
initialises the Kerberos database with entries for a new
realm, it's possible to have more than one realm served by
one server
llooaadd _f_i_l_e
reads a previously dumped database, and re-creates that
database from scratch
mmeerrggee _f_i_l_e
similar to lliisstt but just modifies the database with the en-
tries in the dump file
SSEEEE AALLSSOO
kadmind(8), kdc(8)
HEIMDAL September 10, 2000 2
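Review bot: the page being removed contains a factual error that should not be carried into its replacement: the `merge` entry says "similar to list but just modifies the database with the entries in the dump file", but the command it should be compared with is `load` (the one that reads a dump and re-creates the database), since `list` is not a kadmin command on this page at all. Smaller fixes for the source: "keytab for authentication pricipal" (principal), "lists the operations you are allowd to perform" (allowed), and "used to make modification to the Kerberos database" (modifications).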


@ -1,93 +0,0 @@
KADMIND(8) NetBSD System Manager's Manual KADMIND(8)
NNAAMMEE
kkaaddmmiinndd - server for administrative access to kerberos database
SSYYNNOOPPSSIISS
kkaaddmmiinndd [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--kk _f_i_l_e | ----kkeeyy--ffiillee==_f_i_l_e]
[----kkeeyyttaabb==_k_e_y_t_a_b] [--rr _r_e_a_l_m | ----rreeaallmm==_r_e_a_l_m] [--dd | ----ddeebbuugg] [--pp _p_o_r_t |
----ppoorrttss==_p_o_r_t] [----nnoo--kkeerrbbeerrooss44]
DDEESSCCRRIIPPTTIIOONN
kkaaddmmiinndd listens for requests for changes to the Kerberos database and
performs these, subject to permissions. When starting, if stdin is a
socket it assumes that it has been started by inetd(8), otherwise it be-
haves as a daemon, forking processes for each new connection. The ----ddeebbuugg
option causes kkaaddmmiinndd to accept exactly one connection, which is useful
for debugging.
If built with krb4 support, it implements both the Heimdal Kerberos 5 ad-
ministrative protocol and the Kerberos 4 protocol. Password changes via
the Kerberos 4 protocol are also performed by kkaaddmmiinndd, but the
kpasswdd(8) daemon is responsible for the Kerberos 5 password changing
protocol (used by kpasswd(1))
This daemon should only be run on ther master server, and not on any
slaves.
Principals are always allowed to change their own password and list their
own principal. Apart from that, doing any operation requires permission
explicitly added in the ACL file _/_v_a_r_/_h_e_i_m_d_a_l_/_k_a_d_m_i_n_d_._a_c_l. The format of
this file is:
_p_r_i_n_c_i_p_a_l _r_i_g_h_t_s [_p_r_i_n_c_i_p_a_l_-_p_a_t_t_e_r_n]
Where rights is any (comma separated) combination of:
++oo change-password or cpw
++oo list
++oo delete
++oo modify
++oo add
++oo get
++oo all
And the optional _p_r_i_n_c_i_p_a_l_-_p_a_t_t_e_r_n restricts the rights to operations on
principals that match the glob-style pattern.
Supported options:
--cc _f_i_l_e, ----ccoonnffiigg--ffiillee==_f_i_l_e
location of config file
--kk _f_i_l_e, ----kkeeyy--ffiillee==_f_i_l_e
location of master key file
----kkeeyyttaabb==_k_e_y_t_a_b
what keytab to use
--rr _r_e_a_l_m, ----rreeaallmm==_r_e_a_l_m
realm to use
--dd, ----ddeebbuugg
enable debugging
--pp _p_o_r_t, ----ppoorrttss==_p_o_r_t
ports to listen to. By default, if run as a daemon, it listen to
ports 749, and 751 (if Kerberos 4 support is built and enabled),
but you can add any number of ports with this option. The port
string is a whitespace separated list of port specifications,
with the special string ``+'' representing the default set of
ports.
----nnoo--kkeerrbbeerrooss44
make kkaaddmmiinndd ignore Kerberos 4 kadmin requests.
FFIILLEESS
_/_v_a_r_/_h_e_i_m_d_a_l_/_k_a_d_m_i_n_d_._a_c_l
EEXXAAMMPPLLEESS
This will cause kkaaddmmiinndd to listen to port 4711 in addition to any com-
piled in defaults:
kkaaddmmiinndd----ppoorrttss="+ 4711" &
This acl file will grant Joe all rights, and allow Mallory to view and
add host principals.
joe/admin@EXAMPLE.COM all
mallory/admin@EXAMPLE.COM add,get host/*@EXAMPLE.COM
SSEEEE AALLSSOO
kpasswd(1), kadmin(8), kdc(8), kpasswdd(8)
HEIMDAL March 5, 2002 2


@ -1,98 +0,0 @@
HPROP(8) NetBSD System Manager's Manual HPROP(8)
NNAAMMEE
hhpprroopp - propagate the KDC database
SSYYNNOOPPSSIISS
hhpprroopp [--mm _f_i_l_e | ----mmaasstteerr--kkeeyy==_f_i_l_e] [--dd _f_i_l_e | ----ddaattaabbaassee==_f_i_l_e]
[----ssoouurrccee==_h_e_i_m_d_a_l_|_m_i_t_-_d_u_m_p_|_k_r_b_4_-_d_u_m_p_|_k_r_b_4_-_d_b_|_k_a_s_e_r_v_e_r] [--rr _s_t_r_i_n_g |
----vv44--rreeaallmm==_s_t_r_i_n_g] [--cc _c_e_l_l | ----cceellll==_c_e_l_l] [--SS | ----kkaassppeecciiaallss] [--kk _k_e_y_t_a_b
| ----kkeeyyttaabb==_k_e_y_t_a_b] [--RR _s_t_r_i_n_g | ----vv55--rreeaallmm==_s_t_r_i_n_g] [--DD | ----ddeeccrryypptt] [--EE |
----eennccrryypptt] [--nn | ----ssttddoouutt] [--vv | ----vveerrbboossee] [----vveerrssiioonn] [--hh | ----hheellpp]
[_h_o_s_t[:_p_o_r_t]] _._._.
DDEESSCCRRIIPPTTIIOONN
hhpprroopp takes a principal database in a specified format and converts it
into a stream of Heimdal database records. This stream can either be
written to standard out, or (more commonly) be propagated to a hpropd(8)
server running on a different machine.
If propagating, it connects to all _h_o_s_t_s specified on the command by
opening a TCP connection to port 754 (service hprop) and sends the
database in encrypted form.
Supported options:
--mm _f_i_l_e, ----mmaasstteerr--kkeeyy==_f_i_l_e
Where to find the master key to encrypt or decrypt keys with.
--dd _f_i_l_e, ----ddaattaabbaassee==_f_i_l_e
The database to be propagated.
----ssoouurrccee==_h_e_i_m_d_a_l_|_m_i_t_-_d_u_m_p_|_k_r_b_4_-_d_u_m_p_|_k_r_b_4_-_d_b_|_k_a_s_e_r_v_e_r
Specifies the type of the source database. Alternatives include:
heimdal a Heimdal database
mit-dump a MIT Kerberos 5 dump file
krb4-db a Kerberos 4 database
krb4-dump a Kerberos 4 dump file
kaserver an AFS kaserver database
--kk _k_e_y_t_a_b, ----kkeeyyttaabb==_k_e_y_t_a_b
The keytab to use for fetching the key to be used for authenti-
cating to the propagation daemon(s). The key _k_a_d_m_i_n_/_h_p_r_o_p is used
from this keytab. The default is to fetch the key from the KDC
database.
--RR _s_t_r_i_n_g, ----vv55--rreeaallmm==_s_t_r_i_n_g
Local realm override.
--DD, ----ddeeccrryypptt
The encryption keys in the database can either be in clear, or
encrypted with a master key. This option transmits the database
with unencrypted keys.
--EE, ----eennccrryypptt
This option transmits the database with encrypted keys.
--nn, ----ssttddoouutt
Dump the database on stdout, in a format that can be fed to
hpropd.
The following options are only valid if hhpprroopp is compiled with support
for Kerberos 4 (kaserver).
--rr _s_t_r_i_n_g, ----vv44--rreeaallmm==_s_t_r_i_n_g
v4 realm to use
--cc _c_e_l_l, ----cceellll==_c_e_l_l
The AFS cell name, used if reading a kaserver database.
--SS, ----kkaassppeecciiaallss
Also dump the principals marked as special in the kaserver
database.
--44, ----vv44--ddbb
Deprecated, identical to `--source=krb4-db'.
--KK, ----kkaa--ddbb
Deprecated, identical to `--source=kaserver'.
EEXXAAMMPPLLEESS
The following will propagate a database to another machine (which should
run hpropd(8):)
$ hprop slave-1 slave-2
Copy a Kerberos 4 database to a Kerberos 5 slave:
$ hprop --source=krb4-db -E krb5-slave
Convert a Kerberos 4 dump-file for use with a Heimdal KDC:
$ hprop -n --source=krb4-dump -d /var/kerberos/principal.dump --master-key=/.k | hpropd -n
SSEEEE AALLSSOO
hpropd(8)
HEIMDAL June 19, 2000 2


@ -1,42 +0,0 @@
HPROPD(8) NetBSD System Manager's Manual HPROPD(8)
NNAAMMEE
hhpprrooppdd - receive a propagated database
SSYYNNOOPPSSIISS
hhpprrooppdd [--dd _f_i_l_e | ----ddaattaabbaassee==_f_i_l_e] [--nn | ----ssttddiinn] [----pprriinntt] [--ii |
----nnoo--iinneettdd] [--kk _k_e_y_t_a_b | ----kkeeyyttaabb==_k_e_y_t_a_b] [--44 | ----vv44dduummpp]
DDEESSCCRRIIPPTTIIOONN
hhpprrooppdd receives databases sent by hhpprroopp. and writes it as a local
database.
By default, hhpprrooppdd expects to be started from iinneettdd if stdin is a socket
and expects to receive the dumped database over stdin otherwise. If the
database is sent over the network, it is authenticated and encrypted.
Only connections from kkaaddmmiinn/hhpprroopp are accepted.
Options supported:
--dd _f_i_l_e, ----ddaattaabbaassee==_f_i_l_e
database
--nn, ----ssttddiinn
read from stdin
----pprriinntt
print dump to stdout
--ii, ----nnoo--iinneettdd
Not started from inetd
--kk _k_e_y_t_a_b, ----kkeeyyttaabb==_k_e_y_t_a_b
keytab to use for authentication
--44, ----vv44dduummpp
create v4 type DB
SSEEEE AALLSSOO
hprop(8)
HEIMDAL August 27, 1997 1


@ -1,126 +0,0 @@
KDC(8) NetBSD System Manager's Manual KDC(8)
NNAAMMEE
kkddcc - Kerberos 5 server
SSYYNNOOPPSSIISS
kkddcc [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--pp | ----nnoo--rreeqquuiirree--pprreeaauutthh]
[----mmaaxx--rreeqquueesstt==_s_i_z_e] [--HH | ----eennaabbllee--hhttttpp] [--rr _s_t_r_i_n_g | ----vv44--rreeaallmm==_s_t_r_i_n_g]
[--KK | ----nnoo--kkaasseerrvveerr] [--rr _r_e_a_l_m] [----vv44--rreeaallmm==_r_e_a_l_m] [--PP _s_t_r_i_n_g |
----ppoorrttss==_s_t_r_i_n_g] [----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s]
DDEESSCCRRIIPPTTIIOONN
kkddcc serves requests for tickets. When it starts, it first checks the
flags passed, any options that are not specified with a command line flag
is taken from a config file, or from a default compiled-in value.
Options supported:
--cc _f_i_l_e, ----ccoonnffiigg--ffiillee==_f_i_l_e
Specifies the location of the config file, the default is
_/_v_a_r_/_h_e_i_m_d_a_l_/_k_d_c_._c_o_n_f. This is the only value that can't be
specified in the config file.
--pp, ----nnoo--rreeqquuiirree--pprreeaauutthh
Turn off the requirement for pre-autentication in the initial AS-
REQ for all principals. The use of pre-authentication makes it
more difficult to do offline password attacks. You might want to
turn it off if you have clients that doesn't do pre-authentica-
tion. Since the version 4 protocol doesn't support any pre-au-
thentication, so serving version 4 clients is just about the same
as not requiring pre-athentication. The default is to require
pre-authentication. Adding the require-preauth per principal is a
more flexible way of handling this.
----mmaaxx--rreeqquueesstt==_s_i_z_e
Gives an upper limit on the size of the requests that the kdc is
willing to handle.
--HH, ----eennaabbllee--hhttttpp
Makes the kdc listen on port 80 and handle requests encapsulated
in HTTP.
--KK, ----nnoo--kkaasseerrvveerr
Disables kaserver emulation (in case it's compiled in).
--rr _r_e_a_l_m, ----vv44--rreeaallmm==_r_e_a_l_m
What realm this server should act as when dealing with version 4
requests. The database can contain any number of realms, but
since the version 4 protocol doesn't contain a realm for the
server, it must be explicitly specified. The default is whatever
is returned by kkrrbb__ggeett__llrreeaallmm(). This option is only availabe if
the KDC has been compiled with version 4 support.
--PP _s_t_r_i_n_g, ----ppoorrttss==_s_t_r_i_n_g
Specifies the set of ports the KDC should listen on. It is given
as a white-space separated list of services or port numbers.
----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s
The list of addresses to listen for requests on. By default, the
kdc will listen on all the locally configured addresses. If only
a subset is desired, or the automatic detection fails, this op-
tion might be used.
All activities , are logged to one or more destinations, see
krb5.conf(5), and krb5_openlog(3). The entity used for logging is kkddcc.
CCOONNFFIIGGUURRAATTIIOONN FFIILLEE
The configuration file has the same syntax as krb5.conf(5), but will be
read before _/_e_t_c_/_k_r_b_5_._c_o_n_f, so it may override settings found there. Op-
tions specific to the KDC only are found in the ``[kdc]'' section. All
the command-line options can preferably be added in the configuration
file. The only difference is the pre-authentication flag, that has to be
specified as:
require-preauth = no
(in fact you can specify the option as ----rreeqquuiirree--pprreeaauutthh==nnoo).
And there are some configuration options which do not have command-line
equivalents:
check-ticket-addresses = _b_o_o_l_e_a_n
Check the addresses in the ticket when processing TGS re-
quests. The default is FALSE.
allow-null-ticket-addresses = _b_o_o_l_e_a_n
Permit tickets with no addresses. This option is only rele-
vant when check-ticket-addresses is TRUE.
allow-anonymous = _b_o_o_l_e_a_n
Permit anonymous tickets with no addresses.
encode_as_rep_as_tgs_rep = _b_o_o_l_e_a_n
Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE
code. The Heimdal clients allow both.
kdc_warn_pwexpire = _t_i_m_e
How long before password/principal expiration the KDC should
start sending out warning messages.
An example of a config file:
[kdc]
require-preauth = no
v4-realm = FOO.SE
key-file = /key-file
BBUUGGSS
If the machine running the KDC has new addresses added to it, the KDC
will have to be restarted to listen to them. The reason it doesn't just
listen to wildcarded (like INADDR_ANY) addresses, is that the replies has
to come from the same address they were sent to, and most OS:es doesn't
pass this information to the application. If your normal mode of opera-
tion require that you add and remove addresses, the best option is proba-
bly to listen to a wildcarded TCP socket, and make sure your clients use
TCP to connect. For instance, this will listen to IPv4 TCP port 88 only:
kdc --addresses=0.0.0.0 --ports="88/tcp"
There should be a way to specify protocol, port, and address triplets,
not just addresses and protocol, port tuples.
SSEEEE AALLSSOO
kinit(1), krb5.conf(5)
HEIMDAL August 22, 2002 2


@ -1,33 +0,0 @@
KSTASH(8) NetBSD System Manager's Manual KSTASH(8)
NNAAMMEE
kkssttaasshh - store the KDC master password in a file
SSYYNNOOPPSSIISS
kkssttaasshh [--ee _s_t_r_i_n_g | ----eennccttyyppee==_s_t_r_i_n_g] [--kk _f_i_l_e | ----kkeeyy--ffiillee==_f_i_l_e]
[----ccoonnvveerrtt--ffiillee] [----mmaasstteerr--kkeeyy--ffdd==_f_d] [--hh | ----hheellpp] [----vveerrssiioonn]
DDEESSCCRRIIPPTTIIOONN
kkssttaasshh reads the Kerberos master key and stores it in a file that will be
used by the KDC.
Supported options:
--ee _s_t_r_i_n_g, ----eennccttyyppee==_s_t_r_i_n_g
the encryption type to use, defaults to DES3-CBC-SHA1
--kk _f_i_l_e, ----kkeeyy--ffiillee==_f_i_l_e
the name of the master key file
----ccoonnvveerrtt--ffiillee
don't ask for a new master key, just read an old master key file,
and write it back in the new keyfile format
----mmaasstteerr--kkeeyy--ffdd==_f_d
filedescriptor to read passphrase from, if not specified the
passphrase will be read from the terminal
SSEEEE AALLSSOO
kdc(8)
HEIMDAL September 1, 2000 1


@ -1,41 +0,0 @@
STRING2KEY(8) NetBSD System Manager's Manual STRING2KEY(8)
NNAAMMEE
ssttrriinngg22kkeeyy - map a password into a key
SSYYNNOOPPSSIISS
ssttrriinngg22kkeeyy [--55 | ----vveerrssiioonn55] [--44 | ----vveerrssiioonn44] [--aa | ----aaffss] [--cc _c_e_l_l |
----cceellll==_c_e_l_l] [--ww _p_a_s_s_w_o_r_d | ----ppaasssswwoorrdd==_p_a_s_s_w_o_r_d] [--pp _p_r_i_n_c_i_p_a_l |
----pprriinncciippaall==_p_r_i_n_c_i_p_a_l] [--kk _s_t_r_i_n_g | ----kkeeyyttyyppee==_s_t_r_i_n_g] _p_a_s_s_w_o_r_d
DDEESSCCRRIIPPTTIIOONN
ssttrriinngg22kkeeyy performs the string-to-key function. This is useful when you
want to handle the raw key instead of the password. Supported options:
--55, ----vveerrssiioonn55
Output Kerberos v5 string-to-key
--44, ----vveerrssiioonn44
Output Kerberos v4 string-to-key
--aa, ----aaffss
Output AFS string-to-key
--cc _c_e_l_l, ----cceellll==_c_e_l_l
AFS cell to use
--ww _p_a_s_s_w_o_r_d, ----ppaasssswwoorrdd==_p_a_s_s_w_o_r_d
Password to use
--pp _p_r_i_n_c_i_p_a_l, ----pprriinncciippaall==_p_r_i_n_c_i_p_a_l
Kerberos v5 principal to use
--kk _s_t_r_i_n_g, ----kkeeyyttyyppee==_s_t_r_i_n_g
Keytype
----vveerrssiioonn
print version
----hheellpp
HEIMDAL March 4, 2000 1


@ -1,19 +0,0 @@
KPASSWD(1) NetBSD Reference Manual KPASSWD(1)
NNAAMMEE
kkppaasssswwdd - Kerberos 5 password changing program
SSYYNNOOPPSSIISS
kkppaasssswwdd [_p_r_i_n_c_i_p_a_l]
DDEESSCCRRIIPPTTIIOONN
kkppaasssswwdd is the client for changing passwords.
DDIIAAGGNNOOSSTTIICCSS
If the password quality check fails or some other error occurs, an expla-
nation is printed.
SSEEEE AALLSSOO
kpasswdd(8)
HEIMDAL August 27, 1997 1


@ -1,53 +0,0 @@
KPASSWDD(8) NetBSD System Manager's Manual KPASSWDD(8)
NNAAMMEE
kkppaasssswwdddd - Kerberos 5 password changing server
SSYYNNOOPPSSIISS
kkppaasssswwdddd [----cchheecckk--lliibbrraarryy==_l_i_b_r_a_r_y] [----cchheecckk--ffuunnccttiioonn==_f_u_n_c_t_i_o_n] [--kk _k_s_p_e_c
| ----kkeeyyttaabb==_k_s_p_e_c] [--rr _r_e_a_l_m | ----rreeaallmm==_r_e_a_l_m] [--pp _s_t_r_i_n_g | ----ppoorrtt==_s_t_r_i_n_g]
[----vveerrssiioonn] [----hheellpp]
DDEESSCCRRIIPPTTIIOONN
kkppaasssswwdddd serves request for password changes. It listens on UDP port 464
(service kpasswd) and processes requests when they arrive. It changes the
database directly and should thus only run on the master KDC.
Supported options:
----cchheecckk--lliibbrraarryy==_l_i_b_r_a_r_y
If your system has support for dynamic loading of shared li-
braries, you can use an external function to check password qual-
ity. This option specifies which library to load.
----cchheecckk--ffuunnccttiioonn==_f_u_n_c_t_i_o_n
This is the function to call in the loaded library. The function
should look like this:
_c_o_n_s_t _c_h_a_r _* ppaasssswwdd__cchheecckk(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l
_p_r_i_n_c_i_p_a_l, _k_r_b_5___d_a_t_a _*_p_a_s_s_w_o_r_d)
_c_o_n_t_e_x_t is an initialized context; _p_r_i_n_c_i_p_a_l is the one who tries
to change passwords, and _p_a_s_s_w_o_r_d is the new password. Note that
the password (in _p_a_s_s_w_o_r_d_-_>_d_a_t_a) is not zero terminated.
--kk _k_s_p_e_c, ----kkeeyyttaabb==_k_s_p_e_c
keytab to get authentication key from
--rr _r_e_a_l_m, ----rreeaallmm==_r_e_a_l_m
default realm
--pp _s_t_r_i_n_g, ----ppoorrtt==_s_t_r_i_n_g
port to listen on (default service kpasswd - 464).
DDIIAAGGNNOOSSTTIICCSS
If an error occurs, the error message is returned to the user and/or
logged to syslog.
BBUUGGSS
The default password quality checks are too basic.
SSEEEE AALLSSOO
kpasswd(1), kdc(8)
HEIMDAL April 19, 1999 1


@ -1,29 +0,0 @@
KDESTROY(1) NetBSD Reference Manual KDESTROY(1)
NNAAMMEE
kkddeessttrrooyy - destroy the current ticket file
SSYYNNOOPPSSIISS
kkddeessttrrooyy [--cc _c_a_c_h_e_f_i_l_e] [----ccaacchhee==_c_a_c_h_e_f_i_l_e] [----nnoo--uunnlloogg] [----nnoo--ddeelleettee--vv44]
[----vveerrssiioonn] [----hheellpp]
DDEESSCCRRIIPPTTIIOONN
kkddeessttrrooyy remove the current set of tickets.
Supported options:
--cc _c_a_c_h_e_f_i_l_e
--ccaacchhee==_c_a_c_h_e_f_i_l_e
The cache file to remove.
----nnoo--uunnlloogg
Do not remove AFS tokens.
----nnoo--ddeelleettee--vv44
Do not remove v4 tickets.
SSEEEE AALLSSOO
kinit(1), klist(1)
HEIMDAL August 27, 1997 1


@ -1,26 +0,0 @@
KGETCRED(1) NetBSD Reference Manual KGETCRED(1)
NNAAMMEE
kkggeettccrreedd - get a ticket for a particular service
SSYYNNOOPPSSIISS
kkggeettccrreedd [--ee _e_n_c_t_y_p_e | ----eennccttyyppee==_e_n_c_t_y_p_e] [----vveerrssiioonn] [----hheellpp] _s_e_r_v_i_c_e
DDEESSCCRRIIPPTTIIOONN
kkggeettccrreedd obtains a ticket for a service. Usually tickets for services
are obtained automatically when needed but sometimes for some odd reason
you want to obtain a particular ticket or of a special type.
Supported options:
--ee _e_n_c_t_y_p_e, ----eennccttyyppee==_e_n_c_t_y_p_e
encryption type to use
----vveerrssiioonn
----hheellpp
SSEEEE AALLSSOO
kinit(1), klist(1)
HEIMDAL May 14, 1999 1


@ -1,127 +0,0 @@
KINIT(1) NetBSD Reference Manual KINIT(1)
NNAAMMEE
kkiinniitt kkaauutthh - acquire initial tickets
SSYYNNOOPPSSIISS
kkiinniitt [--44 | ----552244iinniitt] [--99 | ----552244ccoonnvveerrtt] [----aaffsslloogg] [--cc _c_a_c_h_e_n_a_m_e |
----ccaacchhee==_c_a_c_h_e_n_a_m_e] [--ff | ----ffoorrwwaarrddaabbllee] [--tt _k_e_y_t_a_b_n_a_m_e |
----kkeeyyttaabb==_k_e_y_t_a_b_n_a_m_e] [--ll _t_i_m_e | ----lliiffeettiimmee==_t_i_m_e] [--pp | ----pprrooxxiiaabbllee]
[--RR | ----rreenneeww] [----rreenneewwaabbllee] [--rr _t_i_m_e | ----rreenneewwaabbllee--lliiffee==_t_i_m_e] [--SS
_p_r_i_n_c_i_p_a_l | ----sseerrvveerr==_p_r_i_n_c_i_p_a_l] [--ss _t_i_m_e | ----ssttaarrtt--ttiimmee==_t_i_m_e] [--kk |
----uussee--kkeeyyttaabb] [--vv | ----vvaalliiddaattee] [--ee _e_n_c_t_y_p_e_s | ----eennccttyyppeess==_e_n_c_t_y_p_e_s]
[--aa _a_d_d_r_e_s_s_e_s | ----eexxttrraa--aaddddrreesssseess==_a_d_d_r_e_s_s_e_s]
[----ffccaacchhee--vveerrssiioonn==_i_n_t_e_g_e_r] [----nnoo--aaddddrreesssseess] [----aannoonnyymmoouuss]
[----vveerrssiioonn] [----hheellpp] [_p_r_i_n_c_i_p_a_l [_c_o_m_m_a_n_d]]
DDEESSCCRRIIPPTTIIOONN
kkiinniitt is used to authenticate to the kerberos server as _p_r_i_n_c_i_p_a_l, or if
none is given, a system generated default (typically your login name at
the default realm), and acquire a ticket granting ticket that can later
be used to obtain tickets for other services.
If you have compiled kkiinniitt with Kerberos 4 support and you have a Ker-
beros 4 server, kkiinniitt will detect this and get you Kerberos 4 tickets.
Supported options:
--cc _c_a_c_h_e_n_a_m_e ----ccaacchhee==_c_a_c_h_e_n_a_m_e
The credentials cache to put the acquired ticket in, if other
than default.
--ff, ----ffoorrwwaarrddaabbllee
Get ticket that can be forwarded to another host.
--tt _k_e_y_t_a_b_n_a_m_e, ----kkeeyyttaabb==_k_e_y_t_a_b_n_a_m_e
Don't ask for a password, but instead get the key from the speci-
fied keytab.
--ll _t_i_m_e, ----lliiffeettiimmee==_t_i_m_e
Specifies the lifetime of the ticket. The argument can either be
in seconds, or a more human readable string like `1h'.
--pp, ----pprrooxxiiaabbllee
Request tickets with the proxiable flag set.
--RR, ----rreenneeww
Try to renew ticket. The ticket must have the `renewable' flag
set, and must not be expired.
----rreenneewwaabbllee
The same as ----rreenneewwaabbllee--lliiffee, with an infinite time.
--rr _t_i_m_e, ----rreenneewwaabbllee--lliiffee==_t_i_m_e
The max renewable ticket life.
--SS _p_r_i_n_c_i_p_a_l, ----sseerrvveerr==_p_r_i_n_c_i_p_a_l
Get a ticket for a service other than krbtgt/LOCAL.REALM.
--ss _t_i_m_e, ----ssttaarrtt--ttiimmee==_t_i_m_e
Obtain a ticket that starts to be valid _t_i_m_e (which can really be
a generic time specification, like `1h') seconds into the future.
--kk, ----uussee--kkeeyyttaabb
The same as ----kkeeyyttaabb, but with the default keytab name (normally
_F_I_L_E_:_/_e_t_c_/_k_r_b_5_._k_e_y_t_a_b).
--vv, ----vvaalliiddaattee
Try to validate an invalid ticket.
--ee, ----eennccttyyppeess==_e_n_c_t_y_p_e_s
Request tickets with this particular enctype.
----ffccaacchhee--vveerrssiioonn==_v_e_r_s_i_o_n
Create a credentials cache of version vveerrssiioonn.
--aa, ----eexxttrraa--aaddddrreesssseess==_e_n_c_t_y_p_e_s
Adds a set of addresses that will, in addition to the systems lo-
cal addresses, be put in the ticket. This can be useful if all
addresses a client can use can't be automatically figured out.
One such example is if the client is behind a firewall. Also set-
table via libdefaults/extra_addresses in krb5.conf(5).
----nnoo--aaddddrreesssseess
Request a ticket with no addresses.
----aannoonnyymmoouuss
Request an anonymous ticket (which means that the ticket will be
issued to an anonymous principal, typically ``anonymous@REALM'').
The following options are only available if kkiinniitt has been compiled with
support for Kerberos 4.
--44, ----552244iinniitt
Try to convert the obtained Kerberos 5 krbtgt to a version 4 com-
patible ticket. It will store this ticket in the default Kerberos
4 ticket file.
--99, ----552244ccoonnvveerrtt
only convert ticket to version 4
----aaffsslloogg
Gets AFS tickets, converts them to version 4 format, and stores
them in the kernel. Only useful if you have AFS.
The _f_o_r_w_a_r_d_a_b_l_e, _p_r_o_x_i_a_b_l_e, _t_i_c_k_e_t___l_i_f_e, and _r_e_n_e_w_a_b_l_e___l_i_f_e options can
be set to a default value from the appdefaults section in krb5.conf, see
krb5_appdefault(3).
If a _c_o_m_m_a_n_d is given, kkiinniitt will setup new credentials caches, and AFS
PAG, and then run the given command. When it finishes the credentials
will be removed.
EENNVVIIRROONNMMEENNTT
KRB5CCNAME
Specifies the default credentials cache.
KRB5_CONFIG
The file name of _k_r_b_5_._c_o_n_f , the default being _/_e_t_c_/_k_r_b_5_._c_o_n_f.
KRBTKFILE
Specifies the Kerberos 4 ticket file to store version 4 tickets
in.
SSEEEE AALLSSOO
kdestroy(1), klist(1), krb5_appdefault(3), krb5.conf(5)
HEIMDAL May 29, 1998 2


@ -1,87 +0,0 @@
KLIST(1) NetBSD Reference Manual KLIST(1)
NNAAMMEE
kklliisstt - list Kerberos credentials
SSYYNNOOPPSSIISS
kklliisstt [--cc _c_a_c_h_e | ----ccaacchhee==_c_a_c_h_e] [--ss | --tt | ----tteesstt] [--44 | ----vv44] [--TT |
----ttookkeennss] [--55 | ----vv55] [--vv | ----vveerrbboossee] [--ff] [----vveerrssiioonn] [----hheellpp]
DDEESSCCRRIIPPTTIIOONN
kklliisstt reads and displays the current tickets in the crential cache (also
known as the ticket file).
Options supported:
--cc _c_a_c_h_e, ----ccaacchhee==_c_a_c_h_e
credentials cache to list
--ss, --tt, ----tteesstt
Test for there being an active and valid TGT for the local realm
of the user in the credential cache.
--44, ----vv44
display v4 tickets
--TT, ----ttookkeennss
display AFS tokens
--55, ----vv55
display v5 cred cache (this is the default)
--ff Include ticket flags in short form, each charcted stands for a
specific flag, as follows:
F forwardable
f forwarded
P proxiable
p proxied
D postdate-able
d postdated
R renewable
I initial
i invalid
A pre-authenticated
H hardware authenticated
This information is also output with the ----vveerrbboossee option, but in
a more verbose way.
--vv, ----vveerrbboossee
Verbose output. Include all possible information:
Server
the princial the ticket is for
Ticket etype
the encryption type use in the ticket, followed by
the key version of the ticket, if it is available
Session key
the encryption type of the session key, if it's dif-
ferent from the encryption type of the ticket
Auth time
the time the authentication exchange took place
Start time
the time that this tickets is valid from (only print-
ed if it's different from the auth time)
End time
when the ticket expires, if it has already expired
this is also noted
Renew till
the maximum possible end time of any ticket derived
from this one
Ticket flags
the flags set on the ticket
Addresses
the set of addresses from which this ticket is valid
SSEEEE AALLSSOO
kdestroy(1), kinit(1)
HEIMDAL July 8, 2000 2


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: hdb_locl.h,v 1.18 2002/09/10 20:03:48 joda Exp $ */
/* $Id: hdb_locl.h,v 1.18.4.1 2003/09/10 22:04:39 lha Exp $ */
/* $FreeBSD$ */
#ifndef __HDB_LOCL_H__
@ -55,6 +55,9 @@
#ifdef HAVE_SYS_FILE_H
#include <sys/file.h>
#endif
#ifdef HAVE_LIMITS_H
#include <limits.h>
#endif
#include <roken.h>
#include "crypto-headers.h"


@ -1,97 +0,0 @@
KAFS(3) NetBSD Programmer's Manual KAFS(3)
NNAAMMEE
kk__hhaassaaffss, kk__ppiiooccttll, kk__uunnlloogg, kk__sseettppaagg, kk__aaffss__cceellll__ooff__ffiillee, kkrrbb__aaffsslloogg,
kkrrbb__aaffsslloogg__uuiidd - AFS library
LLIIBBRRAARRYY
AFS cache manager access library (libkafs, -lkafs)
SSYYNNOOPPSSIISS
##iinncclluuddee <<kkaaffss..hh>>
_i_n_t
kk__aaffss__cceellll__ooff__ffiillee(_c_o_n_s_t _c_h_a_r _*_p_a_t_h, _c_h_a_r _*_c_e_l_l, _i_n_t _l_e_n);
_i_n_t
kk__hhaassaaffss();
_i_n_t
kk__ppiiooccttll(_c_h_a_r _*_a___p_a_t_h, _i_n_t _o___o_p_c_o_d_e, _s_t_r_u_c_t _V_i_c_e_I_o_c_t_l _*_a___p_a_r_a_m_s_P,
_i_n_t _a___f_o_l_l_o_w_S_y_m_l_i_n_k_s);
_i_n_t
kk__sseettppaagg();
_i_n_t
kk__uunnlloogg();
_i_n_t
kkrrbb__aaffsslloogg(_c_h_a_r _*_c_e_l_l, _c_h_a_r _*_r_e_a_l_m);
_i_n_t
kkrrbb__aaffsslloogg__uuiidd(_c_h_a_r _*_c_e_l_l, _c_h_a_r _*_r_e_a_l_m, _u_i_d___t _u_i_d);
DDEESSCCRRIIPPTTIIOONN
kk__hhaassaaffss() initializes some library internal structures, and tests for
the presence of AFS in the kernel, none of the other functions should be
called before kk__hhaassaaffss() is called, or if it fails.
kkrrbb__aaffsslloogg(), and kkrrbb__aaffsslloogg__uuiidd() obtains new tokens (and possibly tick-
ets) for the specified _c_e_l_l and _r_e_a_l_m. If _c_e_l_l is NULL, the local cell
is used. If _r_e_a_l_m is NULL, the function tries to guess what realm to use.
Unless you have some good knowledge of what cell or realm to use, you
should pass NULL. kkrrbb__aaffsslloogg() will use the real user-id for the ViceId
field in the token, kkrrbb__aaffsslloogg__uuiidd() will use _u_i_d.
kk__aaffss__cceellll__ooff__ffiillee() will in _c_e_l_l return the cell of a specified file, no
more than _l_e_n characters is put in _c_e_l_l.
kk__ppiiooccttll() does a ppiiooccttll() syscall with the specified arguments. This
function is equivalent to llppiiooccttll().
kk__sseettppaagg() initializes a new PAG.
kk__uunnlloogg() removes destroys all tokens in the current PAG.
RREETTUURRNN VVAALLUUEESS
kk__hhaassaaffss() returns 1 if AFS is present in the kernel, 0 otherwise.
kkrrbb__aaffsslloogg() and kkrrbb__aaffsslloogg__uuiidd() returns 0 on success, or a kerberos er-
ror number on failure. kk__aaffss__cceellll__ooff__ffiillee(), kk__ppiiooccttll(), kk__sseettppaagg(), and
kk__uunnlloogg() all return the value of the underlaying system call, 0 on suc-
cess.
EENNVVIIRROONNMMEENNTT
The following environment variable affect the mode of operation of kkaaffss:
AFS_SYSCALL Normally, kkaaffss will try to figure out the correct system
call(s) that are used by AFS by itself. If it does not man-
age to do that, or does it incorrectly, you can set this
variable to the system call number or list of system call
numbers that should be used.
EEXXAAMMPPLLEESS
The following code from llooggiinn will obtain a new PAG and tokens for the
local cell and the cell of the users home directory.
if (k_hasafs()) {
char cell[64];
k_setpag();
if(k_afs_cell_of_file(pwd->pw_dir, cell, sizeof(cell)) == 0)
krb_afslog(cell, NULL);
krb_afslog(NULL, NULL);
}
EERRRROORRSS
If any of these functions (apart from kk__hhaassaaffss()) is called without AFS
beeing present in the kernel, the process will usually (depending on the
operating system) receive a SIGSYS signal.
SSEEEE AALLSSOO
Transarc Corporation, "File Server/Cache Manager Interface", _A_F_S_-_3
_P_r_o_g_r_a_m_m_e_r_'_s _R_e_f_e_r_e_n_c_e, 1991.
BBUUGGSS
AFS_SYSCALL has no effect under AIX.
KTH-KRB May 7, 1997 2


@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@ -32,7 +32,7 @@
*/
#include "krb5_locl.h"
RCSID("$Id: crypto.c,v 1.73 2003/04/01 16:51:54 lha Exp $");
RCSID("$Id: crypto.c,v 1.73.2.4 2004/03/06 16:38:00 lha Exp $");
/* RCSID("$FreeBSD$"); */
#undef CRYPTO_DEBUG
@ -140,14 +140,15 @@ static krb5_error_code derive_key(krb5_context context,
struct key_data *key,
const void *constant,
size_t len);
static void hmac(krb5_context context,
struct checksum_type *cm,
const void *data,
size_t len,
unsigned usage,
struct key_data *keyblock,
Checksum *result);
static krb5_error_code hmac(krb5_context context,
struct checksum_type *cm,
const void *data,
size_t len,
unsigned usage,
struct key_data *keyblock,
Checksum *result);
static void free_key_data(krb5_context context, struct key_data *key);
static krb5_error_code usage2arcfour (krb5_context, int *);
/************************************************************
* *
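Review bot: now that hmac() returns krb5_error_code instead of void, a caller that still ignores the result compiles without any complaint and silently drops the allocation failure; the later hunks update the callers visible in this diff, but it is worth grepping for any remaining `hmac(` call whose return value is discarded before this is merged, since a static function gets no warn-unused-result protection by default.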
@ -594,12 +595,16 @@ krb5_PKCS5_PBKDF2(krb5_context context, krb5_cksumtype cktype,
_krb5_put_int(data + datalen - 4, keypart, 4);
hmac(context, c, data, datalen, 0, &ksign, &result);
ret = hmac(context, c, data, datalen, 0, &ksign, &result);
if (ret)
krb5_abortx(context, "hmac failed");
memcpy(p, result.checksum.data, len);
memcpy(tmpcksum, result.checksum.data, result.checksum.length);
for (i = 0; i < iter; i++) {
hmac(context, c, tmpcksum, result.checksum.length,
0, &ksign, &result);
ret = hmac(context, c, tmpcksum, result.checksum.length,
0, &ksign, &result);
if (ret)
krb5_abortx(context, "hmac failed");
memcpy(tmpcksum, result.checksum.data, result.checksum.length);
for (j = 0; j < len; j++)
p[j] ^= tmpcksum[j];
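Review bot: calling krb5_abortx() when hmac() fails terminates the whole process for what is only an ENOMEM from the pad allocation; `ret` is already in scope here, so freeing the work buffers and returning `ret` to the caller would turn this into a recoverable error. Aborting inside the library is particularly unfortunate for a long-running kdc or kadmind that happens to hit memory pressure during a string-to-key.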
@ -1385,7 +1390,7 @@ SHA1_checksum(krb5_context context,
}
/* HMAC according to RFC2104 */
static void
static krb5_error_code
hmac(krb5_context context,
struct checksum_type *cm,
const void *data,
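Review bot: the `/* HMAC according to RFC2104 */` comment above the new signature should state the return contract, i.e. 0 on success and ENOMEM when the ipad/opad buffers cannot be allocated, so that callers know allocation is the only failure mode and can decide whether to propagate or abort.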
@ -1399,6 +1404,17 @@ hmac(krb5_context context,
size_t key_len;
int i;
ipad = malloc(cm->blocksize + len);
if (ipad == NULL)
return ENOMEM;
opad = malloc(cm->blocksize + cm->checksumsize);
if (opad == NULL) {
free(ipad);
return ENOMEM;
}
memset(ipad, 0x36, cm->blocksize);
memset(opad, 0x5c, cm->blocksize);
if(keyblock->key->keyvalue.length > cm->blocksize){
(*cm->checksum)(context,
keyblock,
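Review bot: moving the two malloc calls ahead of the key-length branch and checking them closes the NULL dereference the old code had in the memset lines, and the opad failure path correctly releases ipad before returning. One thing still missing is an overflow guard on `cm->blocksize + len`: both operands are size_t and a very large `len` wraps to a small allocation that the following memcpy of the data would then overrun; a check such as `if (len > SIZE_MAX - cm->blocksize) return EINVAL;` ahead of the malloc makes the contract explicit.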
@ -1412,10 +1428,6 @@ hmac(krb5_context context,
key = keyblock->key->keyvalue.data;
key_len = keyblock->key->keyvalue.length;
}
ipad = malloc(cm->blocksize + len);
opad = malloc(cm->blocksize + cm->checksumsize);
memset(ipad, 0x36, cm->blocksize);
memset(opad, 0x5c, cm->blocksize);
for(i = 0; i < key_len; i++){
ipad[i] ^= key[i];
opad[i] ^= key[i];
@ -1431,8 +1443,40 @@ hmac(krb5_context context,
free(ipad);
memset(opad, 0, cm->blocksize + cm->checksumsize);
free(opad);
return 0;
}
krb5_error_code
krb5_hmac(krb5_context context,
krb5_cksumtype cktype,
const void *data,
size_t len,
unsigned usage,
krb5_keyblock *key,
Checksum *result)
{
struct checksum_type *c = _find_checksum(cktype);
struct key_data kd;
krb5_error_code ret;
if (c == NULL) {
krb5_set_error_string (context, "checksum type %d not supported",
cktype);
return KRB5_PROG_SUMTYPE_NOSUPP;
}
kd.key = key;
kd.schedule = NULL;
ret = hmac(context, c, data, len, usage, &kd, result);
if (kd.schedule)
krb5_free_data(context, kd.schedule);
return ret;
}
static void
SP_HMAC_SHA1_checksum(krb5_context context,
struct key_data *key,
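Review bot: `memset(opad, 0, cm->blocksize + cm->checksumsize);` immediately followed by `free(opad);` is a dead store that an optimizing compiler is entitled to drop, so the key-derived pad bytes can survive in freed memory; a zeroing routine the optimizer cannot elide would be safer for both ipad and opad. In the new krb5_hmac(), initialising `kd.schedule = NULL` before the call is right, since it keeps the trailing krb5_free_data from freeing garbage if the checksum callback never allocates a schedule; the function is exported (non-static), so it also needs a declaration in the public prototype header, which this diff does not show.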
@ -1444,11 +1488,14 @@ SP_HMAC_SHA1_checksum(krb5_context context,
struct checksum_type *c = _find_checksum(CKSUMTYPE_SHA1);
Checksum res;
char sha1_data[20];
krb5_error_code ret;
res.checksum.data = sha1_data;
res.checksum.length = sizeof(sha1_data);
hmac(context, c, data, len, usage, key, &res);
ret = hmac(context, c, data, len, usage, key, &res);
if (ret)
krb5_abortx(context, "hmac failed");
memcpy(result->checksum.data, res.checksum.data, result->checksum.length);
}
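Review bot: `krb5_abortx(context, "hmac failed")` turns an ENOMEM inside a library checksum routine into process termination. That is more predictable than the old behaviour (writing through a NULL buffer), but the same pattern is repeated in HMAC_MD5_checksum, HMAC_MD5_checksum_enc and the ARCFOUR sub-routines below. The cleaner fix is to let the `checksum_type` callback return `krb5_error_code` so ENOMEM propagates to the caller; if that is out of scope for this import, a comment marking the abort as intentional would help the next reader.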
@ -1473,10 +1520,13 @@ HMAC_MD5_checksum(krb5_context context,
unsigned char t[4];
unsigned char tmp[16];
unsigned char ksign_c_data[16];
krb5_error_code ret;
ksign_c.checksum.length = sizeof(ksign_c_data);
ksign_c.checksum.data = ksign_c_data;
hmac(context, c, signature, sizeof(signature), 0, key, &ksign_c);
ret = hmac(context, c, signature, sizeof(signature), 0, key, &ksign_c);
if (ret)
krb5_abortx(context, "hmac failed");
ksign.key = &kb;
kb.keyvalue = ksign_c.checksum;
MD5_Init (&md5);
@ -1487,7 +1537,9 @@ HMAC_MD5_checksum(krb5_context context,
MD5_Update (&md5, t, 4);
MD5_Update (&md5, data, len);
MD5_Final (tmp, &md5);
hmac(context, c, tmp, sizeof(tmp), 0, &ksign, result);
ret = hmac(context, c, tmp, sizeof(tmp), 0, &ksign, result);
if (ret)
krb5_abortx(context, "hmac failed");
}
/*
@ -1508,6 +1560,7 @@ HMAC_MD5_checksum_enc(krb5_context context,
krb5_keyblock kb;
unsigned char t[4];
unsigned char ksign_c_data[16];
krb5_error_code ret;
t[0] = (usage >> 0) & 0xFF;
t[1] = (usage >> 8) & 0xFF;
@ -1516,10 +1569,14 @@ HMAC_MD5_checksum_enc(krb5_context context,
ksign_c.checksum.length = sizeof(ksign_c_data);
ksign_c.checksum.data = ksign_c_data;
hmac(context, c, t, sizeof(t), 0, key, &ksign_c);
ret = hmac(context, c, t, sizeof(t), 0, key, &ksign_c);
if (ret)
krb5_abortx(context, "hmac failed");
ksign.key = &kb;
kb.keyvalue = ksign_c.checksum;
hmac(context, c, data, len, 0, &ksign, result);
ret = hmac(context, c, data, len, 0, &ksign, result);
if (ret)
krb5_abortx(context, "hmac failed");
}
struct checksum_type checksum_none = {
@ -1741,18 +1798,18 @@ get_checksum_key(krb5_context context,
}
static krb5_error_code
do_checksum (krb5_context context,
struct checksum_type *ct,
krb5_crypto crypto,
unsigned usage,
void *data,
size_t len,
Checksum *result)
create_checksum (krb5_context context,
struct checksum_type *ct,
krb5_crypto crypto,
unsigned usage,
void *data,
size_t len,
Checksum *result)
{
krb5_error_code ret;
struct key_data *dkey;
int keyed_checksum;
keyed_checksum = (ct->flags & F_KEYED) != 0;
if(keyed_checksum && crypto == NULL) {
krb5_clear_error_string (context);
@ -1770,17 +1827,26 @@ do_checksum (krb5_context context,
return 0;
}
static krb5_error_code
create_checksum(krb5_context context,
krb5_crypto crypto,
unsigned usage, /* not krb5_key_usage */
krb5_cksumtype type, /* 0 -> pick from crypto */
void *data,
size_t len,
Checksum *result)
static int
arcfour_checksum_p(struct checksum_type *ct, krb5_crypto crypto)
{
return (ct->type == CKSUMTYPE_HMAC_MD5) &&
(crypto->key.key->keytype == KEYTYPE_ARCFOUR);
}
krb5_error_code
krb5_create_checksum(krb5_context context,
krb5_crypto crypto,
krb5_key_usage usage,
int type,
void *data,
size_t len,
Checksum *result)
{
struct checksum_type *ct = NULL;
unsigned keyusage;
/* type 0 -> pick from crypto */
if (type) {
ct = _find_checksum(type);
} else if (crypto) {
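Review bot: `arcfour_checksum_p()` dereferences `crypto->key.key` whenever `ct->type == CKSUMTYPE_HMAC_MD5`, but `krb5_create_checksum()` explicitly tolerates `crypto == NULL` (the `else if (crypto)` branch at the end of this hunk), so a caller requesting HMAC_MD5 with no crypto context hits a NULL dereference in the helper before the `keyed_checksum && crypto == NULL` check in create_checksum can reject it. Suggest making `crypto != NULL` the first term of the helper's return expression.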
@ -1794,21 +1860,15 @@ create_checksum(krb5_context context,
type);
return KRB5_PROG_SUMTYPE_NOSUPP;
}
return do_checksum (context, ct, crypto, usage, data, len, result);
}
krb5_error_code
krb5_create_checksum(krb5_context context,
krb5_crypto crypto,
krb5_key_usage usage,
int type,
void *data,
size_t len,
Checksum *result)
{
return create_checksum(context, crypto,
CHECKSUM_USAGE(usage),
type, data, len, result);
if (arcfour_checksum_p(ct, crypto)) {
keyusage = usage;
usage2arcfour(context, &keyusage);
} else
keyusage = CHECKSUM_USAGE(usage);
return create_checksum(context, ct, crypto, keyusage,
data, len, result);
}
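Review bot: `usage2arcfour(context, &keyusage)` passes an `unsigned *` to a function declared with `int *usage` (see the usage2arcfour hunk below), which is a type mismatch compilers warn on; declare `keyusage` as `int` or change the parameter type. The return value is also discarded, which is harmless only because every path in the rewritten usage2arcfour returns 0, at which point its `krb5_error_code` return type is vestigial.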
static krb5_error_code
@ -1826,7 +1886,7 @@ verify_checksum(krb5_context context,
struct checksum_type *ct;
ct = _find_checksum(cksum->cksumtype);
if(ct == NULL) {
if (ct == NULL) {
krb5_set_error_string (context, "checksum type %d not supported",
cksum->cksumtype);
return KRB5_PROG_SUMTYPE_NOSUPP;
@ -1872,8 +1932,24 @@ krb5_verify_checksum(krb5_context context,
size_t len,
Checksum *cksum)
{
return verify_checksum(context, crypto,
CHECKSUM_USAGE(usage), data, len, cksum);
struct checksum_type *ct;
unsigned keyusage;
ct = _find_checksum(cksum->cksumtype);
if(ct == NULL) {
krb5_set_error_string (context, "checksum type %d not supported",
cksum->cksumtype);
return KRB5_PROG_SUMTYPE_NOSUPP;
}
if (arcfour_checksum_p(ct, crypto)) {
keyusage = usage;
usage2arcfour(context, &keyusage);
} else
keyusage = CHECKSUM_USAGE(usage);
return verify_checksum(context, crypto, keyusage,
data, len, cksum);
}
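Review bot: the checksum-type lookup and "not supported" error here duplicate the ones already in verify_checksum (the `ct = _find_checksum(cksum->cksumtype)` context in the previous hunk), so an unsupported type is now resolved twice. Either drop the lookup from verify_checksum or pass the resolved `ct` down to it, mirroring what create_checksum now does. The same `unsigned *` versus `int *` mismatch on the usage2arcfour call applies here as in krb5_create_checksum.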
krb5_error_code
@ -2109,7 +2185,7 @@ AES_CTS_encrypt(krb5_context context,
k = &k[1];
if (len < AES_BLOCK_SIZE)
abort();
krb5_abortx(context, "invalid use of AES_CTS_encrypt");
if (len == AES_BLOCK_SIZE) {
if (encrypt)
AES_encrypt(data, data, k);
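Review bot: replacing `abort()` with `krb5_abortx` at least produces a message, but a length below AES_BLOCK_SIZE reaching AES_CTS_encrypt is a caller error that would be better rejected with KRB5_BAD_MSIZE before decryption, in the same style as the `padsize` checks this patch adds to decrypt_internal and decrypt_internal_derived.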
@ -2149,6 +2225,7 @@ ARCFOUR_subencrypt(krb5_context context,
RC4_KEY rc4_key;
unsigned char *cdata = data;
unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
krb5_error_code ret;
t[0] = (usage >> 0) & 0xFF;
t[1] = (usage >> 8) & 0xFF;
@ -2158,7 +2235,9 @@ ARCFOUR_subencrypt(krb5_context context,
k1_c.checksum.length = sizeof(k1_c_data);
k1_c.checksum.data = k1_c_data;
hmac(NULL, c, t, sizeof(t), 0, key, &k1_c);
ret = hmac(NULL, c, t, sizeof(t), 0, key, &k1_c);
if (ret)
krb5_abortx(context, "hmac failed");
memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data));
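Review bot: `hmac()` is still called with a NULL context here even though ARCFOUR_subencrypt has `context` in scope and now passes it to `krb5_abortx` on failure; passing `context` through lets the checksum callback and any error-string reporting inside `hmac()` work. The same applies to every `hmac(NULL, ...)` call in ARCFOUR_subencrypt and ARCFOUR_subdecrypt below.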
@ -2171,7 +2250,9 @@ ARCFOUR_subencrypt(krb5_context context,
cksum.checksum.length = 16;
cksum.checksum.data = data;
hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
ret = hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
if (ret)
krb5_abortx(context, "hmac failed");
ke.key = &kb;
kb.keyvalue = k1_c.checksum;
@ -2179,7 +2260,9 @@ ARCFOUR_subencrypt(krb5_context context,
k3_c.checksum.length = sizeof(k3_c_data);
k3_c.checksum.data = k3_c_data;
hmac(NULL, c, data, 16, 0, &ke, &k3_c);
ret = hmac(NULL, c, data, 16, 0, &ke, &k3_c);
if (ret)
krb5_abortx(context, "hmac failed");
RC4_set_key (&rc4_key, k3_c.checksum.length, k3_c.checksum.data);
RC4 (&rc4_key, len - 16, cdata + 16, cdata + 16);
@ -2206,6 +2289,7 @@ ARCFOUR_subdecrypt(krb5_context context,
unsigned char *cdata = data;
unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
unsigned char cksum_data[16];
krb5_error_code ret;
t[0] = (usage >> 0) & 0xFF;
t[1] = (usage >> 8) & 0xFF;
@ -2215,7 +2299,9 @@ ARCFOUR_subdecrypt(krb5_context context,
k1_c.checksum.length = sizeof(k1_c_data);
k1_c.checksum.data = k1_c_data;
hmac(NULL, c, t, sizeof(t), 0, key, &k1_c);
ret = hmac(NULL, c, t, sizeof(t), 0, key, &k1_c);
if (ret)
krb5_abortx(context, "hmac failed");
memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data));
@ -2228,7 +2314,9 @@ ARCFOUR_subdecrypt(krb5_context context,
k3_c.checksum.length = sizeof(k3_c_data);
k3_c.checksum.data = k3_c_data;
hmac(NULL, c, cdata, 16, 0, &ke, &k3_c);
ret = hmac(NULL, c, cdata, 16, 0, &ke, &k3_c);
if (ret)
krb5_abortx(context, "hmac failed");
RC4_set_key (&rc4_key, k3_c.checksum.length, k3_c.checksum.data);
RC4 (&rc4_key, len - 16, cdata + 16, cdata + 16);
@ -2239,7 +2327,9 @@ ARCFOUR_subdecrypt(krb5_context context,
cksum.checksum.length = 16;
cksum.checksum.data = cksum_data;
hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
ret = hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
if (ret)
krb5_abortx(context, "hmac failed");
memset (k1_c_data, 0, sizeof(k1_c_data));
memset (k2_c_data, 0, sizeof(k2_c_data));
@ -2256,54 +2346,28 @@ ARCFOUR_subdecrypt(krb5_context context,
/*
* convert the usage numbers used in
* draft-ietf-cat-kerb-key-derivation-00.txt to the ones in
* draft-brezak-win2k-krb-rc4-hmac-03.txt
* draft-brezak-win2k-krb-rc4-hmac-04.txt
*/
static krb5_error_code
usage2arcfour (krb5_context context, int *usage)
{
switch (*usage) {
case KRB5_KU_PA_ENC_TIMESTAMP :
*usage = 1;
return 0;
case KRB5_KU_TICKET :
*usage = 2;
return 0;
case KRB5_KU_AS_REP_ENC_PART :
case KRB5_KU_AS_REP_ENC_PART : /* 3 */
case KRB5_KU_TGS_REP_ENC_PART_SUB_KEY : /* 9 */
*usage = 8;
return 0;
case KRB5_KU_TGS_REQ_AUTH_DAT_SESSION :
case KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY :
case KRB5_KU_TGS_REQ_AUTH_CKSUM :
case KRB5_KU_TGS_REQ_AUTH :
*usage = 7;
case KRB5_KU_USAGE_SEAL : /* 22 */
*usage = 13;
return 0;
case KRB5_KU_TGS_REP_ENC_PART_SESSION :
case KRB5_KU_TGS_REP_ENC_PART_SUB_KEY :
*usage = 8;
return 0;
case KRB5_KU_AP_REQ_AUTH_CKSUM :
case KRB5_KU_AP_REQ_AUTH :
case KRB5_KU_AP_REQ_ENC_PART :
*usage = 11;
return 0;
case KRB5_KU_KRB_PRIV :
case KRB5_KU_USAGE_SIGN : /* 23 */
*usage = 15;
return 0;
case KRB5_KU_USAGE_SEQ: /* 24 */
*usage = 0;
return 0;
case KRB5_KU_KRB_CRED :
case KRB5_KU_KRB_SAFE_CKSUM :
case KRB5_KU_OTHER_ENCRYPTED :
case KRB5_KU_OTHER_CKSUM :
case KRB5_KU_KRB_ERROR :
case KRB5_KU_AD_KDC_ISSUED :
case KRB5_KU_MANDATORY_TICKET_EXTENSION :
case KRB5_KU_AUTH_DATA_TICKET_EXTENSION :
case KRB5_KU_USAGE_SEAL :
case KRB5_KU_USAGE_SIGN :
case KRB5_KU_USAGE_SEQ :
default :
krb5_set_error_string(context, "unknown arcfour usage type %d", *usage);
return KRB5_PROG_ETYPE_NOSUPP;
return 0;
}
}
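Review bot: the `default:` branch now returns 0 and leaves `*usage` untouched instead of rejecting unknown usages with KRB5_PROG_ETYPE_NOSUPP, which changes behaviour for every caller: the AP_REQ_* cases that previously collapsed to 11 and the TGS_REQ_* cases that collapsed to 7 now pass through with their own numbers, and so does any usage value the draft does not define. A comment stating that pass-through is the intended default for draft -04, plus a guard that still errors on usage values outside what the draft covers, would document the intent; otherwise drop the `krb5_error_code` return type, since no path can fail any more.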
@ -2731,9 +2795,9 @@ encrypt_internal_derived(krb5_context context,
memcpy(q, data, len);
ret = create_checksum(context,
et->keyed_checksum,
crypto,
INTEGRITY_USAGE(usage),
et->keyed_checksum->type,
p,
block_sz,
&cksum);
@ -2800,9 +2864,9 @@ encrypt_internal(krb5_context context,
memcpy(q, data, len);
ret = create_checksum(context,
et->checksum,
crypto,
0,
et->checksum->type,
p,
block_sz,
&cksum);
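Review bot: these two internal callers (encrypt_internal_derived and encrypt_internal) go straight to create_checksum and therefore skip the arcfour usage translation that krb5_create_checksum now performs; that is fine as long as ARCFOUR traffic never reaches these paths, but a short comment at the call sites saying the translation is intentionally bypassed here would stop someone "fixing" it later.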
@ -2896,6 +2960,11 @@ decrypt_internal_derived(krb5_context context,
return EINVAL; /* XXX - better error code? */
}
if (((len - checksum_sz) % et->padsize) != 0) {
krb5_clear_error_string(context);
return KRB5_BAD_MSIZE;
}
p = malloc(len);
if(len != 0 && p == NULL) {
krb5_set_error_string(context, "malloc: out of memory");
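Review bot: good defensive check. `(len - checksum_sz) % et->padsize` sits after the guard that returns EINVAL in the context above (assuming that is the `len < checksum_sz` test), so the subtraction cannot wrap, and a mis-sized ciphertext is rejected before `malloc` and decryption touch it. Prefer `krb5_set_error_string(context, "encrypted data not a multiple of the block size")` over `krb5_clear_error_string` so the KRB5_BAD_MSIZE is diagnosable; the same applies to the decrypt_internal hunk below.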
@ -2964,6 +3033,11 @@ decrypt_internal(krb5_context context,
size_t checksum_sz, l;
struct encryption_type *et = crypto->et;
if ((len % et->padsize) != 0) {
krb5_clear_error_string(context);
return KRB5_BAD_MSIZE;
}
checksum_sz = CHECKSUMSIZE(et->checksum);
p = malloc(len);
if(len != 0 && p == NULL) {
@ -3022,25 +3096,34 @@ decrypt_internal_special(krb5_context context,
struct encryption_type *et = crypto->et;
size_t cksum_sz = CHECKSUMSIZE(et->checksum);
size_t sz = len - cksum_sz - et->confoundersize;
char *cdata = (char *)data;
char *tmp;
unsigned char *p;
krb5_error_code ret;
tmp = malloc (sz);
if (tmp == NULL) {
if ((len % et->padsize) != 0) {
krb5_clear_error_string(context);
return KRB5_BAD_MSIZE;
}
p = malloc (len);
if (p == NULL) {
krb5_set_error_string(context, "malloc: out of memory");
return ENOMEM;
}
memcpy(p, data, len);
ret = (*et->encrypt)(context, &crypto->key, data, len, FALSE, usage, ivec);
ret = (*et->encrypt)(context, &crypto->key, p, len, FALSE, usage, ivec);
if (ret) {
free(tmp);
free(p);
return ret;
}
memcpy (tmp, cdata + cksum_sz + et->confoundersize, sz);
result->data = tmp;
memmove (p, p + cksum_sz + et->confoundersize, sz);
result->data = realloc(p, sz);
if(result->data == NULL) {
free(p);
krb5_set_error_string(context, "malloc: out of memory");
return ENOMEM;
}
result->length = sz;
return 0;
}
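Review bot: two issues with the new buffer handling in decrypt_internal_special. First, `sz = len - cksum_sz - et->confoundersize` is still computed with no visible guard that `len >= cksum_sz + et->confoundersize`; the added `padsize` check does not cover that (any length passes when padsize is 1), so a short input makes `sz` wrap and `memmove(p, p + cksum_sz + et->confoundersize, sz)` reads and writes far past `p`. Add `if (len < cksum_sz + et->confoundersize) return KRB5_BAD_MSIZE;` before the allocation. Second, `realloc(p, sz)` with `sz == 0` may free `p` and return NULL on some C libraries, after which the `free(p)` in the NULL branch is a double free; handle `sz == 0` explicitly rather than relying on realloc. Decrypting into a private copy instead of the caller's `data` is a real improvement over the old in-place modification.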

@ -1 +0,0 @@
/*autoheader*/

@ -1,51 +0,0 @@
KRB5-CONFIG(1) NetBSD Reference Manual KRB5-CONFIG(1)
NNAAMMEE
kkrrbb55--ccoonnffiigg - give information on how to link code against Heimdal li-
braries
SSYYNNOOPPSSIISS
kkrrbb55--ccoonnffiigg [----pprreeffiixx[=_d_i_r]] [----eexxeecc--pprreeffiixx[=_d_i_r]] [----lliibbss] [----ccffllaaggss]
[_l_i_b_r_a_r_i_e_s]
DDEESSCCRRIIPPTTIIOONN
kkrrbb55--ccoonnffiigg tells the application programmer what special flags to use to
compile and link programs against the libraries installed by Heimdal.
Options supported:
----pprreeffiixx[=_d_i_r]
Print the prefix if no _d_i_r is specified, otherwise set prefix to
_d_i_r.
----eexxeecc--pprreeffiixx[=_d_i_r]
Print the exec-prefix if no _d_i_r is specified, otherwise set exec-
prefix to _d_i_r.
----lliibbss Output the set of libraries that should be linked against.
----ccffllaaggss
Output the set of flags to give to the C compiler when using the
Heimdal libraries.
By default kkrrbb55--ccoonnffiigg will output the set of flags and libraries to be
used by a normal program using the krb5 API. The user can also supply a
library to be used, the supported ones are:
krb5 (the default)
gssapi use the krb5 gssapi mechanism
kadm-client
use the client-side kadmin libraries
kadm-server
use the server-side kadmin libraries
SSEEEE AALLSSOO
cc(1)
HHIISSTTOORRYY
kkrrbb55--ccoonnffiigg appeared in Heimdal 0.3d.
HEIMDAL November 30, 2000 1