Sophie

Sophie

distrib > Mandriva > 10.0 > i586 > media > updates > by-pkgid > 69ceaa49ee07f9c3f8bc98e4c4e719ff > files > 36

krb5-server-1.3-6.6.100mdk.i586.rpm

<html lang="en"><head>
<title>Kerberos V5 UNIX User's Guide</title>
<meta http-equiv="Content-Type" content="text/html">
<meta name=description content="Kerberos V5 UNIX User's Guide">
<meta name=generator content="makeinfo 4.0">
<link href="http://texinfo.org/" rel=generator-home>
</head><body>

<p><hr>
Node:<a name="Top">Top</a>,
Next:<a rel=next href="#Copyright">Copyright</a>,
Previous:<a rel=previous href="#(dir)">(dir)</a>,
Up:<a rel=up href="#(dir)">(dir)</a>
<br>

<ul>
<li><a href="#Copyright">Copyright</a>: 
<li><a href="#Introduction">Introduction</a>: 
<li><a href="#Kerberos%20V5%20Tutorial">Kerberos V5 Tutorial</a>: 
<li><a href="#Kerberos%20V5%20Reference">Kerberos V5 Reference</a>: 
<li><a href="#Kerberos%20Glossary">Kerberos Glossary</a>: 
</ul>

<p><hr>
Node:<a name="Copyright">Copyright</a>,
Next:<a rel=next href="#Introduction">Introduction</a>,
Previous:<a rel=previous href="#Top">Top</a>,
Up:<a rel=up href="#Top">Top</a>
<br>

<h1>Copyright</h1>

<p>Copyright &copy; 1985-2002 by the Massachusetts Institute of Technology.

<blockquote>
Export of software employing encryption from the United States of
America may require a specific license from the United States
Government.  It is the responsibility of any person or organization
contemplating export to obtain such a license before exporting. 
</blockquote>

<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute
this software and its documentation for any purpose and without fee is
hereby granted, provided that the above copyright notice appear in all
copies and that both that copyright notice and this permission notice
appear in supporting documentation, and that the name of M.I.T. not be
used in advertising or publicity pertaining to distribution of the
software without specific, written prior permission.  Furthermore if you
modify this software you must label your software as modified software
and not distribute it in such a fashion that it might be confused with
the original MIT software.  M.I.T. makes no representations about the
suitability of this software for any purpose.  It is provided "as is"
without express or implied warranty.

<p>The following copyright and permission notice applies to the OpenVision
Kerberos Administration system located in kadmin/create, kadmin/dbutil,
kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc:

<blockquote>
Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved

<p>WARNING:  Retrieving the OpenVision Kerberos Administration system source
code, as described below, indicates your acceptance of the following
terms.  If you do not agree to the following terms, do not retrieve the
OpenVision Kerberos administration system.

<p>You may freely use and distribute the Source Code and Object Code
compiled from it, with or without modification, but this Source Code is
provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT
LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. 
IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS,
LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR
FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS
AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE
OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR
ANY OTHER REASON.

<p>OpenVision retains all copyrights in the donated Source Code. OpenVision
also retains copyright to derivative works of the Source Code, whether
created by OpenVision or by a third party. The OpenVision copyright
notice must be preserved if derivative works are made based on the
donated Source Code.

<p>OpenVision Technologies, Inc. has donated this Kerberos Administration
system to MIT for inclusion in the standard Kerberos 5 distribution. 
This donation underscores our commitment to continuing Kerberos
technology development and our gratitude for the valuable work which has
been performed by MIT and the Kerberos community. 
</blockquote>

<p>The implementation of the Yarrow pseudo-random number generator
in src/lib/crypto/yarrow has the following copyright:

<blockquote>

<p>Copyright 2000 by Zero-Knowledge Systems, Inc.

<p>Permission to use, copy, modify, distribute, and sell this software
and its documentation for any purpose is hereby granted without fee,
provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in
supporting documentation, and that the name of Zero-Knowledge Systems,
Inc. not be used in advertising or publicity pertaining to
distribution of the software without specific, written prior
permission.  Zero-Knowledge Systems, Inc. makes no representations
about the suitability of this software for any purpose.  It is
provided "as is" without express or implied warranty.

<p>ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

</blockquote>

<p>The implementation of the AES encryption algorithm in
src/lib/crypto/aes has the following copyright:

<blockquote>

<p>Copyright (c) 2001, Dr Brian Gladman &lt;brg@gladman.uk.net&gt;, Worcester, UK. 
All rights reserved.

<p>LICENSE TERMS

<p>The free distribution and use of this software in both source and binary
form is allowed (with or without changes) provided that:

<ol type=1 start=1>
</p><li>distributions of this source code include the above copyright
notice, this list of conditions and the following disclaimer;
<li>distributions in binary form include the above copyright
notice, this list of conditions and the following disclaimer
in the documentation and/or other associated materials;
<li>the copyright holder's name is not used to endorse products
built using this software without specific written permission.
</ol>

<p>DISCLAIMER

<p>This software is provided 'as is' with no explcit or implied warranties
in respect of any properties, including, but not limited to, correctness
and fitness for purpose.

</blockquote>

Kerberos V5 includes documentation and software developed at the
University of California at Berkeley, which includes this copyright
notice:

<p>Copyright &copy; 1983 Regents of the University of California.<br>
All rights reserved.

<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
<ol type=1 start=1>
</p><li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer. 
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution. 
<li>All advertising materials mentioning features or use of this software
must display the following acknowledgement:
<blockquote>
This product includes software developed by the University of
California, Berkeley and its contributors. 
</blockquote>
<li>Neither the name of the University nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
</ol>

<p>Permission is granted to make and distribute verbatim copies of this
manual provided the copyright notices and this permission notice are
preserved on all copies.

<p>Permission is granted to copy and distribute modified versions of this
manual under the conditions for verbatim copying, provided also that the
entire resulting derived work is distributed under the terms of a
permission notice identical to this one.

<p>Permission is granted to copy and distribute translations of this manual
into another language, under the above conditions for modified versions.

<p><hr>
Node:<a name="Introduction">Introduction</a>,
Next:<a rel=next href="#Kerberos%20V5%20Tutorial">Kerberos V5 Tutorial</a>,
Previous:<a rel=previous href="#Copyright">Copyright</a>,
Up:<a rel=up href="#Top">Top</a>
<br>

<h1>Introduction</h1>

<p>Kerberos V5 is an authentication system developed at MIT. 
Kerberos is named for the three-headed watchdog from Greek mythology,
who guarded the entrance to the underworld.

<p>Under Kerberos, a client (generally either a user or a service) sends a
request for a ticket to the <i>Key Distribution Center</i> (KDC).  The KDC
creates a <dfn>ticket-granting ticket</dfn> (TGT) for the client, encrypts it
using the client's password as the key, and sends the encrypted TGT back
to the client.  The client then attempts to decrypt the TGT, using its
password.  If the client successfully decrypts the TGT (<i>i.e.</i>, if the
client gave the correct password), it keeps the decrypted TGT, which
indicates proof of the client's identity.

<p>The TGT, which expires at a specified time, permits the client to obtain
additional tickets, which give permission for specific services.  The
requesting and granting of these additional tickets is user-transparent.

<p>Since Kerberos negotiates authenticated, and optionally encrypted,
communications between two points anywhere on the internet, it provides
a layer of security that is not dependent on which side of a firewall
either client is on.  Since studies have shown that half of the computer
security breaches in industry happen from <i>inside</i> firewalls,
MIT's Kerberos V5 plays a vital role in maintaining your
network security.

<p>The Kerberos V5 package is designed to be easy to use.  Most of the
commands are nearly identical to UNIX network programs you already
use.  Kerberos V5 is a <dfn>single-sign-on</dfn> system, which means
that you have to type your password only once per session, and Kerberos
does the authenticating and encrypting transparently.

<ul>
<li><a href="#What%20is%20a%20Ticket%3f">What is a Ticket?</a>: 
<li><a href="#What%20is%20a%20Kerberos%20Principal%3f">What is a Kerberos Principal?</a>: 
</ul>

<p><hr>
Node:<a name="What%20is%20a%20Ticket%3f">What is a Ticket?</a>,
Next:<a rel=next href="#What%20is%20a%20Kerberos%20Principal%3f">What is a Kerberos Principal?</a>,
Previous:<a rel=previous href="#Introduction">Introduction</a>,
Up:<a rel=up href="#Introduction">Introduction</a>
<br>

<h2>What is a Ticket?</h2>

<p>Your Kerberos <dfn>credentials</dfn>, or "<dfn>tickets</dfn>", are a set of
electronic information that can be used to verify your identity.  Your
Kerberos tickets may be stored in a file, or they may exist only in
memory.

<p>The first ticket you obtain is a <dfn>ticket-granting ticket</dfn>, which
permits you to obtain additional tickets.  These additional tickets give
you permission for specific services.  The requesting and granting of
these additional tickets happens transparently.

<p>A good analogy for the ticket-granting ticket is a three-day ski pass
that is good at four different resorts.  You show the pass at whichever
resort you decide to go to (until it expires), and you receive a lift
ticket for that resort.  Once you have the lift ticket, you can ski all
you want at that resort.  If you go to another resort the next day, you
once again show your pass, and you get an additional lift ticket for the
new resort.  The difference is that the Kerberos V5 programs notice
that you have the weekend ski pass, and get the lift ticket for you, so
you don't have to perform the transactions yourself.

<p><hr>
Node:<a name="What%20is%20a%20Kerberos%20Principal%3f">What is a Kerberos Principal?</a>,
Previous:<a rel=previous href="#What%20is%20a%20Ticket%3f">What is a Ticket?</a>,
Up:<a rel=up href="#Introduction">Introduction</a>
<br>

<h2>What is a Kerberos Principal?</h2>

<p>A Kerberos <dfn>principal</dfn> is a unique identity to which Kerberos can
assign tickets.  Principals can have an arbitrary number of
components.  Each component is separated by a component separator,
generally `/'.  The last component is the realm, separated from the
rest of the principal by the realm separator, generally `@'.  If there
is no realm component in the principal, then it will be assumed that
the principal is in the default realm for the context in which it is
being used.

<p>Traditionally, a principal is divided into three parts:  the
<dfn>primary</dfn>, the <dfn>instance</dfn>, and the <dfn>realm</dfn>.  The format of
a typical Kerberos V5 principal is <code>primary/instance@REALM</code>.

<ul>
<li>The <dfn>primary</dfn> is the first part of the principal.  In the case
of a user, it's the same as your username.  For a host, the primary is
the word <code>host</code>.

<li>The <dfn>instance</dfn> is an optional string that qualifies the
primary.  The instance is separated from the primary by a slash
(<code>/</code>).  In the case of a user, the instance is usually null, but a
user might also have an additional principal, with an instance called
<code>admin</code>, which he/she uses to administrate a database.  The
principal <code>jennifer@ATHENA.MIT.EDU</code> is completely
separate from the principal
<code>jennifer/admin@ATHENA.MIT.EDU</code>, with a separate
password, and separate permissions.  In the case of a host, the instance
is the fully qualified hostname, e.g.,
<code>daffodil.mit.edu</code>.

<li>The <dfn>realm</dfn> is your Kerberos realm.  In most cases, your
Kerberos realm is your domain name, in upper-case letters.  For example,
the machine <code>daffodil.example.com</code> would be in
the realm <code>EXAMPLE.COM</code>. 
</ul>

<p><hr>
Node:<a name="Kerberos%20V5%20Tutorial">Kerberos V5 Tutorial</a>,
Next:<a rel=next href="#Kerberos%20V5%20Reference">Kerberos V5 Reference</a>,
Previous:<a rel=previous href="#Introduction">Introduction</a>,
Up:<a rel=up href="#Top">Top</a>
<br>

<h1>Kerberos V5 Tutorial</h1>

<p>This tutorial is intended to familiarize you with the Kerberos V5
client programs.  We will represent your prompt as "<code>shell%</code>". 
So an instruction to type the "<kbd>ls</kbd>" command would be represented as
follows:

<pre><b>shell%</b> ls
</pre>

<p>In these examples, we will use sample usernames, such as
<code>jennifer</code> and <code>david</code>, sample
hostnames, such as <code>daffodil</code> and
<code>trillium</code>, and sample domain names, such as
<code>mit.edu</code> and <code>example.com</code>.  When you
see one of these, substitute your username, hostname, or domain name
accordingly.

<ul>
<li><a href="#Setting%20Up%20to%20Use%20Kerberos%20V5">Setting Up to Use Kerberos V5</a>: 
<li><a href="#Ticket%20Management">Ticket Management</a>: 
<li><a href="#Password%20Management">Password Management</a>: 
<li><a href="#Kerberos%20V5%20Applications">Kerberos V5 Applications</a>: 
</ul>

<p><hr>
Node:<a name="Setting%20Up%20to%20Use%20Kerberos%20V5">Setting Up to Use Kerberos V5</a>,
Next:<a rel=next href="#Ticket%20Management">Ticket Management</a>,
Previous:<a rel=previous href="#Kerberos%20V5%20Tutorial">Kerberos V5 Tutorial</a>,
Up:<a rel=up href="#Kerberos%20V5%20Tutorial">Kerberos V5 Tutorial</a>
<br>

<h2>Setting Up to Use Kerberos V5</h2>

<p>Your system administrator will have installed the Kerberos V5
programs in whichever directory makes the most sense for your system. 
We will use <code>/usr/local</code> throughout this guide to refer to the
top-level directory Kerberos V5 directory.  We will therefor use
<code>/usr/local/bin</code> to denote the location of the Kerberos V5 user
programs.  In your installation, the directory name may be different,
but whatever the directory name is, you should make sure it is included
in your path.  You will probably want to put it <i>ahead of</i> the
directories <code>/bin</code> and <code>/usr/bin</code> so you will get the
Kerberos V5 network programs, rather than the standard UNIX
versions, when you type their command names.

<p><hr>
Node:<a name="Ticket%20Management">Ticket Management</a>,
Next:<a rel=next href="#Password%20Management">Password Management</a>,
Previous:<a rel=previous href="#Setting%20Up%20to%20Use%20Kerberos%20V5">Setting Up to Use Kerberos V5</a>,
Up:<a rel=up href="#Kerberos%20V5%20Tutorial">Kerberos V5 Tutorial</a>
<br>

<h2>Ticket Management</h2>

<p>On many systems, Kerberos is built into the login program, and you get
tickets automatically when you log in.  Other programs, such as
<code>rsh</code>, <code>rcp</code>, <code>telnet</code>, and <code>rlogin</code>, can forward
copies of your tickets to the remote host.  Most of these programs also
automatically destroy your tickets when they exit.  However,
MIT recommends that you explicitly destroy your Kerberos
tickets when you are through with them, just to be sure.  One way to
help ensure that this happens is to add the <code>kdestroy</code> command to
your <code>.logout</code> file.  Additionally, if you are going to be away
from your machine and are concerned about an intruder using your
permissions, it is safest to either destroy all copies of your tickets,
or use a screensaver that locks the screen.

<ul>
<li><a href="#Kerberos%20Ticket%20Properties">Kerberos Ticket Properties</a>: 
<li><a href="#Obtaining%20Tickets%20with%20kinit">Obtaining Tickets with kinit</a>: 
<li><a href="#Viewing%20Your%20Tickets%20with%20klist">Viewing Your Tickets with klist</a>: 
<li><a href="#Destroying%20Your%20Tickets%20with%20kdestroy">Destroying Your Tickets with kdestroy</a>: 
</ul>

<p><hr>
Node:<a name="Kerberos%20Ticket%20Properties">Kerberos Ticket Properties</a>,
Next:<a rel=next href="#Obtaining%20Tickets%20with%20kinit">Obtaining Tickets with kinit</a>,
Previous:<a rel=previous href="#Ticket%20Management">Ticket Management</a>,
Up:<a rel=up href="#Ticket%20Management">Ticket Management</a>
<br>

<h3>Kerberos Ticket Properties</h3>

<p>There are various properties that Kerberos tickets can have:

<p>If a ticket is <dfn>forwardable</dfn>, then the KDC can issue a new ticket with
a different network address based on the forwardable ticket.  This
allows for authentication forwarding without requiring a password to be
typed in again.  For example, if a user with a forwardable TGT logs
into a remote system, the KDC could issue a new TGT for that user with
the netword address of the remote system, allowing authentication on
that host to work as though the user were logged in locally.

<p>When the KDC creates a new ticket based on a forwardable ticket, it
sets the <dfn>forwarded</dfn> flag on that new ticket.  Any tickets that are
created based on a ticket with the forwarded flag set will also have
their forwarded flags set.

<p>A <dfn>proxiable</dfn> ticket is similar to a forwardable ticket in that it
allows a service to take on the identity of the client.  Unlike a
forwardable ticket, however, a proxiable ticket is only issued for
specific services.  In other words, a ticket-granting ticket cannot be
issued based on a ticket that is proxiable but not forwardable.

<p>A <dfn>proxy</dfn> ticket is one that was issued based on a proxiable ticket.

<p>A <dfn>postdated</dfn> ticket is issued with the <i>invalid</i> flag set. 
After the starting time listed on the ticket, it can be presented to
the KDC to obtain valid tickets.

<p>Tickets with the <dfn>postdateable</dfn> flag set can be used to issue postdated
tickets.

<p><dfn>Renewable</dfn> tickets can be used to obtain new session keys without
the user entering their password again.  A renewable ticket has two
expiration times.  The first is the time at which this particular
ticket expires.  The second is the latest possible expiration time for
any ticket issued based on this renewable ticket.

<p>A ticket with the <dfn>initial</dfn> flag set was issued based on the
authentication protocol, and not on a ticket-granting ticket.   Clients
that wish to ensure that the user's key has been recently presented for
verification could specify that this flag must be set to accept the
ticket.

<p>An <dfn>invalid</dfn> ticket must be rejected by application servers.  Postdated
tickets are usually issued with this flag set, and must be validated by
the KDC before they can be used.

<p>A <dfn>preauthenticated</dfn> ticket is one that was only issued after the
client requesting the ticket had authenticated itself to the KDC.

<p>The <dfn>hardware authentication</dfn> flag is set on a ticket which
required the use of hardware for authentication.  The hardware is
expected to be possessed only by the client which requested the
tickets.

<p>If a ticket has the <dfn>transit policy checked</dfn> flag set, then the KDC that
issued this ticket implements the transited-realm check policy and
checked the transited-realms list on the ticket.  The transited-realms
list contains a list of all intermediate realms between the realm of the
KDC that issued the first ticket and that of the one that issued the
current ticket.  If this flag is not set, then the application server
must check the transited realms itself or else reject the ticket.

<p>The <dfn>okay as delegate</dfn> flag indicates that the server specified in
the ticket is suitable as a delegate as determined by the policy of
that realm.  A server that is acting as a delegate has been granted a
proxy or a forwarded TGT.  This flag is a new addition to the
Kerberos V5 protocol and is not yet implemented on MIT servers.

<p>An <dfn>anonymous</dfn>  ticket is one in which the named principal is a generic
principal for that realm; it does not actually specify the individual
that will be using the ticket.  This ticket is meant only to securely
distribute a session key.  This is a new addition to the Kerberos V5
protocol and is not yet implemented on MIT servers.

<p><hr>
Node:<a name="Obtaining%20Tickets%20with%20kinit">Obtaining Tickets with kinit</a>,
Next:<a rel=next href="#Viewing%20Your%20Tickets%20with%20klist">Viewing Your Tickets with klist</a>,
Previous:<a rel=previous href="#Kerberos%20Ticket%20Properties">Kerberos Ticket Properties</a>,
Up:<a rel=up href="#Ticket%20Management">Ticket Management</a>
<br>

<h3>Obtaining Tickets with kinit</h3>

<p>If your site is using the Kerberos V5 login program, you will get
Kerberos tickets automatically when you log in.  If your site uses a
different login program, you may need to explicitly obtain your Kerberos
tickets, using the <code>kinit</code> program.  Similarly, if your Kerberos
tickets expire, use the <code>kinit</code> program to obtain new ones.

<p>To use the <code>kinit</code> program, simply type <kbd>kinit</kbd> and then type
your password at the prompt.  For example, Jennifer (whose username is
<code>jennifer</code>) works for Bleep, Inc. (a fictitious company
with the domain name <code>mit.edu</code> and the Kerberos realm
<code>ATHENA.MIT.EDU</code>).  She would type:

<pre><b>shell%</b> kinit
<b>Password for jennifer@ATHENA.MIT.EDU:</b> <i>&lt;-- [Type jennifer's password here.]</i>
<b>shell%</b>
</pre>

<p>If you type your password incorrectly, kinit will give you the following
error message:

<pre><b>shell%</b> kinit
<b>Password for jennifer@ATHENA.MIT.EDU:</b> <i>&lt;-- [Type the wrong password here.]</i>
<b>kinit: Password incorrect</b>
<b>shell%</b>
</pre>

<p>and you won't get Kerberos tickets.

<p>Notice that <code>kinit</code> assumes you want tickets for your own
username in your default realm. 
Suppose Jennifer's friend David is visiting, and he wants to borrow a
window to check his mail.  David needs to get tickets for himself in his
own realm, EXAMPLE.COM.<a rel=footnote href="#fn-1"><sup>1</sup></a>  He would type:

<pre><b>shell%</b> kinit david@EXAMPLE.COM
<b>Password for david@EXAMPLE.COM:</b> <i>&lt;-- [Type david's password here.]</i>
<b>shell%</b>
</pre>

<p>David would then have tickets which he could use to log onto
his own machine.  Note that he typed his password locally on Jennifer's
machine, but it never went over the network.  Kerberos on the local host
performed the authentication to the KDC in the other realm.

<p>If you want to be able to forward your tickets to another host, you need
to request <dfn>forwardable</dfn> tickets.  You do this by specifying the
<kbd>-f</kbd> option:

<pre><b>shell%</b> kinit -f
<b>Password for jennifer@ATHENA.MIT.EDU:</b> <i>&lt;-- [Type your password here.]</i>
<b>shell%</b>
</pre>

<p>Note that <code>kinit</code> does not tell you that it obtained forwardable
tickets; you can verify this using the <code>klist</code> command
(see <a href="#Viewing%20Your%20Tickets%20with%20klist">Viewing Your Tickets with klist</a>).

<p>Normally, your tickets are good for your system's default ticket
lifetime, which is ten hours on many systems.  You can specify a
different ticket lifetime with the <code>-l</code> option.  Add the letter
<code>s</code> to the value for seconds, <code>m</code> for minutes, <code>h</code> for
hours, or <code>d</code> for days. 
For example, to obtain forwardable tickets for
<code>david@EXAMPLE.COM</code> that would be good for
three hours, you would type:

<pre><b>shell%</b> kinit -f -l 3h david@EXAMPLE.COM
<b>Password for david@EXAMPLE.COM:</b> <i>&lt;-- [Type david's password here.]</i>
<b>shell%</b>
</pre>

<p>You cannot mix units; specifying a lifetime of <code>3h30m</code> would result
in an error.  Note also that most systems specify a maximum ticket
lifetime.  If you request a longer ticket lifetime, it will be
automatically truncated to the maximum lifetime.

<p><hr>
Node:<a name="Viewing%20Your%20Tickets%20with%20klist">Viewing Your Tickets with klist</a>,
Next:<a rel=next href="#Destroying%20Your%20Tickets%20with%20kdestroy">Destroying Your Tickets with kdestroy</a>,
Previous:<a rel=previous href="#Obtaining%20Tickets%20with%20kinit">Obtaining Tickets with kinit</a>,
Up:<a rel=up href="#Ticket%20Management">Ticket Management</a>
<br>

<h3>Viewing Your Tickets with klist</h3>

<p>The <code>klist</code> command shows your tickets.  When you first obtain
tickets, you will have only the ticket-granting ticket.  (See <a href="#What%20is%20a%20Ticket%3f">What is a Ticket?</a>.)  The listing would look like this:

<pre><b>shell%</b> klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting     Expires            Service principal
06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
<b>shell%</b>
</pre>

<p>The ticket cache is the location of your ticket file.  In the above
example, this file is named <code>/tmp/krb5cc_ttypa</code>.  The default
principal is your kerberos <dfn>principal</dfn>.  (see <a href="#What%20is%20a%20Kerberos%20Principal%3f">What is a Kerberos Principal?</a>)

<p>The "valid starting" and "expires" fields describe the period of
time during which the ticket is valid.  The <dfn>service principal</dfn>
describes each ticket.  The ticket-granting ticket has the primary
<code>krbtgt</code>, and the instance is the realm name.

<p>Now, if jennifer connected to the machine
<code>daffodil.mit.edu</code>, and then typed
<kbd>klist</kbd> again, she would have gotten the following result:

<pre><b>shell%</b> klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting     Expires            Service principal
06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
06/07/04 20:22:30  06/08/04 05:49:19  host/daffodil.mit.edu@ATHENA.MIT.EDU
<b>shell%</b>
</pre>

<p>Here's what happened:  when jennifer used telnet to connect
to the host <code>daffodil.mit.edu</code>, the telnet
program presented her ticket-granting ticket to the KDC and requested a
host ticket for the host
<code>daffodil.mit.edu</code>.  The KDC sent the host
ticket, which telnet then presented to the host
<code>daffodil.mit.edu</code>, and she was allowed to
log in without typing her password.

<p>Suppose your Kerberos tickets allow you to log into a host in another
domain, such as <code>trillium.example.com</code>, which
is also in another Kerberos realm, <code>EXAMPLE.COM</code>.  If you
telnet to this host, you will receive a ticket-granting ticket for the
realm <code>EXAMPLE.COM</code>, plus the new <code>host</code> ticket for
<code>trillium.example.com</code>.  <kbd>klist</kbd> will now
show:

<pre><b>shell%</b> klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting     Expires            Service principal
06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
06/07/04 20:22:30  06/08/04 05:49:19  host/daffodil.mit.edu@ATHENA.MIT.EDU
06/07/04 20:24:18  06/08/04 05:49:19  krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
06/07/04 20:24:18  06/08/04 05:49:19  host/trillium.example.com@ATHENA.MIT.EDU
<b>shell%</b>
</pre>

<p>You can use the <code>-f</code> option to view the <dfn>flags</dfn> that apply to
your tickets.  The flags are:

<dl>
<dt><b>F</b>
<dd><b>F</b>orwardable
<dt><b>f</b>
<dd><b>f</b>orwarded
<dt><b>P</b>
<dd><b>P</b>roxiable
<dt><b>p</b>
<dd><b>p</b>roxy
<dt><b>D</b>
<dd>post<b>D</b>ateable
<dt><b>d</b>
<dd>post<b>d</b>ated
<dt><b>R</b>
<dd><b>R</b>enewable
<dt><b>I</b>
<dd><b>I</b>nitial
<dt><b>i</b>
<dd><b>i</b>nvalid
<dt><b>H</b>
<dd><b>H</b>ardware authenticated
<dt><b>A</b>
<dd>pre<b>A</b>uthenticated
<dt><b>T</b>
<dd><b>T</b>ransit policy checked
<dt><b>O</b>
<dd><b>O</b>kay as delegate
<dt><b>a</b>
<dd><b>a</b>nonymous
</dl>

<p>Here is a sample listing.  In this example, the user jennifer
obtained her initial tickets (<code>I</code>), which are forwardable
(<code>F</code>) and postdated (<code>d</code>) but not yet validated (<code>i</code>). 
(See <a href="#kinit%20Reference">kinit Reference</a>, for more information about postdated tickets.)

<pre><b>shell%</b> klist -f
<b>Ticket cache: /tmp/krb5cc_320
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting      Expires             Service principal
31/07/05 19:06:25  31/07/05 19:16:25  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
        Flags: FdiI
shell%</b>
</pre>

<p>In the following example, the user david's tickets were
forwarded (<code>f</code>) to this host from another host.  The tickets are
reforwardable (<code>F</code>).

<pre><b>shell%</b> klist -f
<b>Ticket cache: /tmp/krb5cc_p11795
Default principal: david@EXAMPLE.COM

Valid starting     Expires            Service principal
07/31/05 11:52:29  07/31/05 21:11:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: Ff
07/31/05 12:03:48  07/31/05 21:11:23  host/trillium.example.com@EXAMPLE.COM
        Flags: Ff
shell%</b>
</pre>

<p><hr>
Node:<a name="Destroying%20Your%20Tickets%20with%20kdestroy">Destroying Your Tickets with kdestroy</a>,
Previous:<a rel=previous href="#Viewing%20Your%20Tickets%20with%20klist">Viewing Your Tickets with klist</a>,
Up:<a rel=up href="#Ticket%20Management">Ticket Management</a>
<br>

<h3>Destroying Your Tickets with kdestroy</h3>

<p>Your Kerberos tickets are proof that you are indeed yourself, and
tickets can be stolen.  If this happens, the person who has them can
masquerade as you until they expire.  For this reason, you should
destroy your Kerberos tickets when you are away from your computer.

<p>Destroying your tickets is easy.  Simply type <kbd>kdestroy</kbd>.

<pre><b>shell%</b> kdestroy
<b>shell%</b>
</pre>

<p>If <code>kdestroy</code> fails to destroy your tickets, it will beep and give
an error message.  For example, if <code>kdestroy</code> can't find any
tickets to destroy, it will give the following message:

<pre><b>shell%</b> kdestroy
<b>kdestroy: No credentials cache file found while destroying cache
shell%</b>
</pre>

<p><hr>
Node:<a name="Password%20Management">Password Management</a>,
Next:<a rel=next href="#Kerberos%20V5%20Applications">Kerberos V5 Applications</a>,
Previous:<a rel=previous href="#Ticket%20Management">Ticket Management</a>,
Up:<a rel=up href="#Kerberos%20V5%20Tutorial">Kerberos V5 Tutorial</a>
<br>

<h2>Password Management</h2>

<p>Your password is the only way Kerberos has of verifying your identity. 
If someone finds out your password, that person can masquerade as
you--send email that comes from you, read, edit, or delete your files,
or log into other hosts as you--and no one will be able to tell the
difference.  For this reason, it is important that you choose a good
password (see <a href="#Password%20Advice">Password Advice</a>), and keep it secret.  If you need to
give access to your account to someone else, you can do so through
Kerberos.  (See <a href="#Granting%20Access%20to%20Your%20Account">Granting Access to Your Account</a>.)  You should
<i>never</i> tell your password to anyone, including your system
administrator, for any reason.  You should change your password
frequently, particularly any time you think someone may have found out
what it is.

<ul>
<li><a href="#Changing%20Your%20Password">Changing Your Password</a>: 
<li><a href="#Password%20Advice">Password Advice</a>: 
<li><a href="#Granting%20Access%20to%20Your%20Account">Granting Access to Your Account</a>: 
</ul>

<p><hr>
Node:<a name="Changing%20Your%20Password">Changing Your Password</a>,
Next:<a rel=next href="#Password%20Advice">Password Advice</a>,
Previous:<a rel=previous href="#Password%20Management">Password Management</a>,
Up:<a rel=up href="#Password%20Management">Password Management</a>
<br>

<h3>Changing Your Password</h3>

<p>To change your Kerberos password, use the <code>kpasswd</code> command.  It
will ask you for your old password (to prevent someone else from walking
up to your computer when you're not there and changing your password),
and then prompt you for the new one twice.  (The reason you have to type
it twice is to make sure you have typed it correctly.)  For example,
user <code>david</code> would do the following:

<pre><b>shell%</b> kpasswd
<b>Password for david:</b>    <i>&lt;- Type your old password.</i>
<b>Enter new password:</b>    <i>&lt;- Type your new password.</i>
<b>Enter it again:</b>  <i>&lt;- Type the new password again.</i>
<b>Password changed.</b>
<b>shell%</b>
</pre>

<p>If david typed the incorrect old password, he would get
the following message:

<pre><b>shell%</b> kpasswd
<b>Password for david:</b>  <i>&lt;- Type the incorrect old password.</i>
<b>kpasswd: Password incorrect while getting initial ticket
shell%</b>
</pre>

<p>If you make a mistake and don't type the new password the same way
twice, <code>kpasswd</code> will ask you to try again:

<pre><b>shell%</b> kpasswd
<b>Password for david:</b>  <i>&lt;- Type the old password.</i>
<b>Enter new password:</b>  <i>&lt;- Type the new password.</i>
<b>Enter it again:</b> <i>&lt;- Type a different new password.</i>
<b>kpasswd: Password mismatch while reading password
shell%</b>
</pre>

<p>Once you change your password, it takes some time for the change to
propagate through the system.  Depending on how your system is set up,
this might be anywhere from a few minutes to an hour or more.  If you
need to get new Kerberos tickets shortly after changing your password,
try the new password.  If the new password doesn't work, try again using
the old one.

<p><hr>
Node:<a name="Password%20Advice">Password Advice</a>,
Next:<a rel=next href="#Granting%20Access%20to%20Your%20Account">Granting Access to Your Account</a>,
Previous:<a rel=previous href="#Changing%20Your%20Password">Changing Your Password</a>,
Up:<a rel=up href="#Password%20Management">Password Management</a>
<br>

<h3>Password Advice</h3>

<p>Your password can include almost any character you can type (except
control keys and the "enter" key).  A good password is one you can
remember, but that no one else can easily guess.  Examples of <i>bad</i>
passwords are words that can be found in a dictionary, any common or
popular name, especially a famous person (or cartoon character), your
name or username in any form (<i>e.g.</i>, forward, backward, repeated
twice, <i>etc.</i>), your spouse's, child's, or pet's name, your birth
date, your social security number, and any sample password that appears
in this (or any other) manual.

MIT recommends that your password be at least 6 characters
long, and contain UPPER- and lower-case letters, numbers, and/or
punctuation marks.  Some passwords that would be good if they weren't
listed in this manual include:

<ul>
<li>some initials, like "GykoR-66." for "Get your kicks on Route
66."

<li>an easy-to-pronounce nonsense word, like "slaRooBey" or
"krang-its"

<li>a misspelled phrase, like "2HotPeetzas!" or "ItzAGurl!!!" 
</ul>

<p>Note:  don't actually use any of the above passwords.  They're
only meant to show you how to make up a good password.  Passwords that
appear in a manual are the first ones intruders will try.

Kerberos V5 allows your system administrators to automatically
reject bad passwords, based on certain criteria, such as a password
dictionary or a minimum length.  For example, if the user
<code>jennifer</code>, who had a policy "strict" that required a
minimum of 8 characaters, chose a password that was less than 8
characters, Kerberos would give an error message like the following:

<pre><b>shell%</b> kpasswd
<b>Password for jennifer:</b>  <i>&lt;- Type your old password here.</i>

jennifer's password is controlled by the policy strict, which
requires a minimum of 8 characters from at least 3 classes (the five classes
are lowercase, uppercase, numbers, punctuation, and all other characters).

<b>Enter new password:</b>  <i>&lt;- Type an insecure new password.</i>
<b>Enter it again:</b>  <i>&lt;- Type it again.</i>

kpasswd: Password is too short while attempting to change password.
Please choose another password.

<b>Enter new password:</b>  <i>&lt;- Type a good password here.</i>
<b>Enter it again:</b>  <i>&lt;- Type it again.</i>
<b>Password changed.
shell%</b>
</pre>

<p>Your system administrators can choose the message that is
displayed if you choose a bad password, so the message you see may be
different from the above example.

<p><hr>
Node:<a name="Granting%20Access%20to%20Your%20Account">Granting Access to Your Account</a>,
Previous:<a rel=previous href="#Password%20Advice">Password Advice</a>,
Up:<a rel=up href="#Password%20Management">Password Management</a>
<br>

<h3>Granting Access to Your Account</h3>

<p>If you need to give someone access to log into your account, you can do
so through Kerberos, without telling the person your password.  Simply
create a file called <code>.k5login</code> in your home directory.  This file
should contain the Kerberos principal (See <a href="#What%20is%20a%20Kerberos%20Principal%3f">What is a Kerberos Principal?</a>.) of each person to whom you wish to give access.  Each
principal must be on a separate line.  Here is a sample <code>.k5login</code>
file:

<pre>jennifer@ATHENA.MIT.EDU
david@EXAMPLE.COM
</pre>

<p>This file would allow the users <code>jennifer</code> and
<code>david</code> to use your user ID, provided that they had
Kerberos tickets in their respective realms.  If you will be logging
into other hosts across a network, you will want to include your own
Kerberos principal in your <code>.k5login</code> file on each of these hosts.

<p>Using a <code>.k5login</code> file is much safer than giving out your
password, because:

<ul>
<li>You can take access away any time simply by removing the principal
from your <code>.k5login</code> file.

<li>Although the user has full access to your account on one
particular host (or set of hosts if your <code>.k5login</code> file is shared,
<i>e.g.</i>, over NFS), that user does not inherit your network privileges.

<li>Kerberos keeps a log of who obtains tickets, so a system
administrator could find out, if necessary, who was capable of using
your user ID at a particular time. 
</ul>

<p>One common application is to have a <code>.k5login</code> file in
<code>root</code>'s home directory, giving root access to that machine to the
Kerberos principals listed.  This allows system administrators to allow
users to become root locally, or to log in remotely as <code>root</code>,
without their having to give out the root password, and without anyone
having to type the root password over the network.

<p><hr>
Node:<a name="Kerberos%20V5%20Applications">Kerberos V5 Applications</a>,
Previous:<a rel=previous href="#Password%20Management">Password Management</a>,
Up:<a rel=up href="#Kerberos%20V5%20Tutorial">Kerberos V5 Tutorial</a>
<br>

<h2>Kerberos V5 Applications</h2>

Kerberos V5 is a <dfn>single-sign-on</dfn> system.  This means that you
only have to type your password once, and the Kerberos V5 programs
do the authenticating (and optionally encrypting) for you.  The way this
works is that Kerberos has been built into each of a suite of network
programs.  For example, when you use a Kerberos V5 program to
connect to a remote host, the program, the KDC, and the remote host
perform a set of rapid negotiations.  When these negotiations are
completed, your program has proven your identity on your behalf to the
remote host, and the remote host has granted you access, all in the
space of a few seconds.

<p>The Kerberos V5 applications are versions of existing UNIX network
programs with the Kerberos features added.

<ul>
<li><a href="#Overview%20of%20Additional%20Features">Overview of Additional Features</a>: 
<li><a href="#telnet">telnet</a>: 
<li><a href="#rlogin">rlogin</a>: 
<li><a href="#FTP">FTP</a>: 
<li><a href="#rsh">rsh</a>: 
<li><a href="#rcp">rcp</a>: 
<li><a href="#ksu">ksu</a>: 
</ul>

<p><hr>
Node:<a name="Overview%20of%20Additional%20Features">Overview of Additional Features</a>,
Next:<a rel=next href="#telnet">telnet</a>,
Previous:<a rel=previous href="#Kerberos%20V5%20Applications">Kerberos V5 Applications</a>,
Up:<a rel=up href="#Kerberos%20V5%20Applications">Kerberos V5 Applications</a>
<br>

<h3>Overview of Additional Features</h3>

<p>The Kerberos V5 <dfn>network programs</dfn> are those programs that
connect to another host somewhere on the internet.  These programs
include <code>rlogin</code>, <code>telnet</code>, <code>ftp</code>, <code>rsh</code>,
<code>rcp</code>, and <code>ksu</code>.  These programs have all of the original
features of the corresponding non-Kerberos <code>rlogin</code>, <code>telnet</code>,
<code>ftp</code>, <code>rsh</code>, <code>rcp</code>, and <code>su</code> programs, plus
additional features that transparently use your Kerberos tickets for
negotiating authentication and optional encryption with the remote host. 
In most cases, all you'll notice is that you no longer have to type your
password, because Kerberos has already proven your identity.

<p>The Kerberos V5 network programs allow you the options of forwarding
your tickets to the remote host (if you obtained forwardable tickets
with the <code>kinit</code> program; see <a href="#Obtaining%20Tickets%20with%20kinit">Obtaining Tickets with kinit</a>), and
encrypting data transmitted between you and the remote host.

<p>This section of the tutorial assumes you are familiar with the
non-Kerberos versions of these programs, and highlights the Kerberos
functions added in the Kerberos V5 package.

<p><hr>
Node:<a name="telnet">telnet</a>,
Next:<a rel=next href="#rlogin">rlogin</a>,
Previous:<a rel=previous href="#Overview%20of%20Additional%20Features">Overview of Additional Features</a>,
Up:<a rel=up href="#Kerberos%20V5%20Applications">Kerberos V5 Applications</a>
<br>

<h3>telnet</h3>

<p>The Kerberos V5 <code>telnet</code> command works exactly like the
standard UNIX telnet program, with the following Kerberos options added:

<dl>
<dt><kbd>-f</kbd>
<dd>forwards a copy of your tickets to the remote host.

<dt><kbd>-F</kbd>
<dd>forwards a copy of your tickets to the remote host, and marks them
re-forwardable from the remote host.

<dt><kbd>-k <i>realm</i></kbd>
<dd>requests tickets for the remote host in the specified realm, instead of
determining the realm itself.

<dt><kbd>-K</kbd>
<dd>uses your tickets to authenticate to the remote host, but does not log
you in.

<dt><kbd>-a</kbd>
<dd>attempt automatic login using your tickets.  <code>telnet</code> will assume
the same username unless you explicitly specify another.

<dt><kbd>-x</kbd>
<dd>turns on encryption.

</dl>

<p>For example, if <code>david</code> wanted to use the standard
UNIX telnet to connect to the machine
<code>daffodil.mit.edu</code>, he would type:

<pre><b>shell%</b> telnet daffodil.example.com
<b>Trying 128.0.0.5 ...
Connected to daffodil.example.com.
Escape character is '^]'.

NetBSD/i386 (daffodil) (ttyp3)

login:</b> david
<b>Password:</b>    <i>&lt;- david types his password here</i>
<b>Last login: Fri Jun 21 17:13:11 from trillium.mit.edu
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.   All rights reserved.

NetBSD 1.1: Tue May 21 00:31:42 EDT 1996

Welcome to NetBSD!
shell%</b>
</pre>

<p>Note that the machine
<code>daffodil.example.com</code> asked for
<code>david</code>'s password.  When he typed it, his password
was sent over the network unencrypted.  If an intruder were watching
network traffic at the time, that intruder would know
<code>david</code>'s password.

<p>If, on the other hand, <code>jennifer</code> wanted to use the
Kerberos V5 telnet to connect to the machine
<code>trillium.mit.edu</code>, she could forward a
copy of her tickets, request an encrypted session, and log on as herself
as follows:

<pre><b>shell%</b> telnet -a -f -x trillium.mit.edu
<b>Trying 128.0.0.5...
Connected to trillium.mit.edu.
Escape character is '^]'.
[ Kerberos V5 accepts you as ``jennifer@mit.edu'' ]
[ Kerberos V5 accepted forwarded credentials ]
What you type is protected by encryption.
Last login: Tue Jul 30 18:47:44 from {No value for `RANDOMHOST'}.example.com
Athena Server (sun4) Version 9.1.11 Tue Jul 30 14:40:08 EDT 2002

shell%</b>
</pre>

<p>Note that <code>jennifer</code>'s machine used Kerberos
to authenticate her to <code>trillium.mit.edu</code>,
and logged her in automatically as herself.  She had an encrypted
session, a copy of her tickets already waiting for her, and she never
typed her password.

<p>If you forwarded your Kerberos tickets, <code>telnet</code> automatically
destroys them when it exits.  The full set of options to Kerberos V5
<code>telnet</code> are discussed in the Reference section of this manual. 
(see <a href="#telnet%20Reference">telnet Reference</a>)

<p><hr>
Node:<a name="rlogin">rlogin</a>,
Next:<a rel=next href="#FTP">FTP</a>,
Previous:<a rel=previous href="#telnet">telnet</a>,
Up:<a rel=up href="#Kerberos%20V5%20Applications">Kerberos V5 Applications</a>
<br>

<h3>rlogin</h3>

<p>The Kerberos V5 <code>rlogin</code> command works exactly like the
standard UNIX rlogin program, with the following Kerberos options added:

<dl>
<dt><kbd>-f</kbd>
<dd>forwards a copy of your tickets to the remote host.

<dt><kbd>-F</kbd>
<dd>forwards a copy of your tickets to the remote host, and marks them
re-forwardable from the remote host.

<dt><kbd>-k <i>realm</i></kbd>
<dd>requests tickets for the remote host in the specified realm, instead of
determining the realm itself.

<dt><kbd>-x</kbd>
<dd>encrypts the input and output data streams (the username is sent unencrypted)

</dl>

<p>For example, if <code>david</code> wanted to use the standard
UNIX rlogin to connect to the machine
<code>daffodil.example.com</code>, he would type:

<pre><b>shell%</b> rlogin daffodil.example.com -l david
<b>Password:</b>  <i>&lt;- david types his password here</i>
<b>Last login: Fri Jun 21 10:36:32 from :0.0
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.   All rights reserved.

NetBSD 1.1: Tue May 21 00:31:42 EDT 1996

Welcome to NetBSD!
shell%</b>
</pre>

<p>Note that the machine
<code>daffodil.example.com</code> asked for
<code>david</code>'s password.  When he typed it, his password
was sent over the network unencrypted.  If an intruder were watching
network traffic at the time, that intruder would know
<code>david</code>'s password.

<p>If, on the other hand, <code>jennifer</code> wanted to use
Kerberos V5 rlogin to connect to the machine
<code>trillium.mit.edu</code>, she could forward a
copy of her tickets, mark them as not forwardable from the remote host,
and request an encrypted session as follows:

<pre><b>shell%</b> rlogin trillium.mit.edu -f -x
<b>This rlogin session is using DES encryption for all data transmissions.
Last login: Thu Jun 20 16:20:50 from daffodil
Athena Server (sun4) Version 9.1.11 Tue Jul 30 14:40:08 EDT 2002
shell%</b>
</pre>

<p>Note that <code>jennifer</code>'s machine used Kerberos
to authenticate her to <code>trillium.mit.edu</code>,
and logged her in automatically as herself.  She had an encrypted
session, a copy of her tickets were waiting for her, and she never typed
her password.

<p>If you forwarded your Kerberos tickets, <code>rlogin</code> automatically
destroys them when it exits.  The full set of options to Kerberos V5
<code>rlogin</code> are discussed in the Reference section of this manual. 
(see <a href="#rlogin%20Reference">rlogin Reference</a>)

<p><hr>
Node:<a name="FTP">FTP</a>,
Next:<a rel=next href="#rsh">rsh</a>,
Previous:<a rel=previous href="#rlogin">rlogin</a>,
Up:<a rel=up href="#Kerberos%20V5%20Applications">Kerberos V5 Applications</a>
<br>

<h3>FTP</h3>

<p>The Kerberos V5 <code>FTP</code> program works exactly like the standard
UNIX FTP program, with the following Kerberos features added:

<dl>
<dt><kbd>-k <i>realm</i></kbd>
<dd>requests tickets for the remote host in the specified realm, instead of
determining the realm itself.

<dt><kbd>-f</kbd>
<dd>requests that your tickets be forwarded to the remote host.  The
<kbd>-f</kbd> argument must be the last argument on the command line.

<dt><kbd>protect <i>level</i></kbd>
<dd>(issued at the <code>ftp&gt;</code> prompt) sets the protection level.  "Clear"
is no protection; "safe" ensures data integrity by verifying the
checksum, and "private" encrypts the data.  Encryption also ensures
data integrity. 
</dl>

<p>For example, suppose <code>jennifer</code> wants to get her
<code>RMAIL</code> file from the directory <code>~jennifer/Mail</code>,
on the host <code>daffodil.mit.edu</code>.  She wants
to encrypt the file transfer.  The exchange would look like the
following:

<pre><b>shell%</b> ftp daffodil.mit.edu
Connected to daffodil.mit.edu.
220 daffodil.mit.edu FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
200 Data channel protection level set to private.
Name (daffodil.mit.edu:jennifer):
232 GSSAPI user jennifer@ATHENA.MIT.EDU is authorized as jennifer
230 User jennifer logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; protect private
200 Protection level set to Private.
ftp&gt; cd ~jennifer/MAIL
250 CWD command successful.
ftp&gt; get RMAIL
227 Entering Passive Mode (128,0,0,5,16,49)
150 Opening BINARY mode data connection for RMAIL (361662 bytes).
226 Transfer complete.
361662 bytes received in 2.5 seconds (1.4e+02 Kbytes/s)
ftp&gt; quit
<b>shell%</b>
</pre>

<p>The full set of options to Kerberos V5 <code>FTP</code> are discussed
in the Reference section of this manual.  (see <a href="#FTP%20Reference">FTP Reference</a>)

<p><hr>
Node:<a name="rsh">rsh</a>,
Next:<a rel=next href="#rcp">rcp</a>,
Previous:<a rel=previous href="#FTP">FTP</a>,
Up:<a rel=up href="#Kerberos%20V5%20Applications">Kerberos V5 Applications</a>
<br>

<h3>rsh</h3>

<p>The Kerberos V5 <code>rsh</code> program works exactly like the standard
UNIX rlogin program, with the following Kerberos features added:

<dl>
<dt><kbd>-f</kbd>
<dd>forwards a copy of your tickets to the remote host.

<dt><kbd>-F</kbd>
<dd>forwards a copy of your tickets to the remote host, and marks them
re-forwardable from the remote host.

<dt><kbd>-k <i>realm</i></kbd>
<dd>requests tickets for the remote host in the specified realm, instead of
determining the realm itself.

<dt><kbd>-x</kbd>
<dd>encrypts the input and output data streams (the command line is not encrypted)

</dl>

<p>For example, if your Kerberos tickets allowed you to run programs on the
host <br> <code>trillium@example.com</code> as root, you could
run the <code>date</code> program as follows:

<pre><b>shell%</b> rsh trillium.example.com -l root -x date
<b>This rsh session is using DES encryption for all data transmissions.
Tue Jul 30 19:34:21 EDT 2002
shell%</b>
</pre>

<p>If you forwarded your Kerberos tickets, <code>rsh</code> automatically
destroys them when it exits.  The full set of options to Kerberos V5
<code>rsh</code> are discussed in the Reference section of this manual. 
(see <a href="#rsh%20Reference">rsh Reference</a>)

<p><hr>
Node:<a name="rcp">rcp</a>,
Next:<a rel=next href="#ksu">ksu</a>,
Previous:<a rel=previous href="#rsh">rsh</a>,
Up:<a rel=up href="#Kerberos%20V5%20Applications">Kerberos V5 Applications</a>
<br>

<h3>rcp</h3>

<p>The Kerberos V5 <code>rcp</code> program works exactly like the standard
UNIX rcp program, with the following Kerberos features added:

<dl>
<dt><kbd>-k <i>realm</i></kbd>
<dd>requests tickets for the remote host in the specified realm, instead of
determining the realm itself.

<dt><kbd>-x</kbd>
<dd>turns on encryption. 
</dl>

<p>For example, if you wanted to copy the file <code>/etc/motd</code> from the
host <code>daffodil.mit.edu</code> into the current
directory, via an encrypted connection, you would simply type:

<pre><b>shell%</b> rcp -x daffodil.mit.edu:/etc/motd .
</pre>

<p>The <kbd>rcp</kbd> program negotiates authentication and encryption
transparently.  The full set of options to Kerberos V5 <code>rcp</code>
are discussed in the Reference section of this manual.  (see <a href="#rcp%20Reference">rcp Reference</a>)

<p><hr>
Node:<a name="ksu">ksu</a>,
Previous:<a rel=previous href="#rcp">rcp</a>,
Up:<a rel=up href="#Kerberos%20V5%20Applications">Kerberos V5 Applications</a>
<br>

<h3>ksu</h3>

<p>The Kerberos V5 <code>ksu</code> program replaces the standard UNIX su
program.  <code>ksu</code> first authenticates you to Kerberos.  Depending on
the configuration of your system, <code>ksu</code> may ask for your Kerberos
password if authentication fails.  <em>Note that you should never type
your password if you are remotely logged in using an unencrypted
connection.</em>

<p>Once <code>ksu</code> has authenticated you, if your Kerberos principal
appears in the target's <code>.k5login</code> file (see <a href="#Granting%20Access%20to%20Your%20Account">Granting Access to Your Account</a>) or in the target's <code>.k5users</code> file (see below), it
switches your user ID to the target user ID.

<p>For example, <code>david</code> has put
<code>jennifer</code>'s Kerberos principal in his <code>.k5login</code>
file.  If <code>jennifer</code> uses <code>ksu</code> to become
<code>david</code>, the exchange would look like this.  (To
differentiate between the two shells, <code>jennifer</code>'s
prompt is represented as <code>jennifer%</code> and
<code>david</code>'s prompt is represented as
<code>david%</code>.)

<pre><b>jennifer%</b> ksu david
<b>Account david: authorization for jennifer@ATHENA.MIT.EDU successful
Changing uid to david (3382)
david%</b>
</pre>

<p>Note that the new shell has a copy of <code>jennifer</code>'s
tickets.  The ticket filename contains <code>david</code>'s UID
with <code>.1</code> appended to it:

<pre><b>david%</b> klist
<b>Ticket cache: /tmp/krb5cc_3382.1
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting      Expires             Service principal
07/31/04 21:53:01  08/01/04 07:52:53  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
07/31/04 21:53:39  08/01/04 07:52:53  host/daffodil.mit.edu@ATHENA.MIT.EDU
david%</b>
</pre>

<p>If <code>jennifer</code> had not appeared in
<code>david</code>'s <code>.k5login</code> file (and the system was
configured to ask for a password), the exchange would have looked like
this (assuming <code>david</code> has taken appropriate
precautions in protecting his password):

<pre><b>jennifer%</b> ksu david
<b>WARNING: Your password may be exposed if you enter it here and are logged
         in remotely using an unsecure (non-encrypted) channel.
Kerberos password for david@ATHENA.MIT.EDU:</b>  <i>&lt;-  <code>jennifer</code> types the wrong password here.</i>
<b>ksu: Password incorrect
Authentication failed.
jennifer%</b>
</pre>

<p>Now, suppose <code>david</code> did not want to give
<code>jennifer</code> full access to his account, but wanted to
give her permission to list his files and use the "more" command to view
them.  He could create a <code>.k5users</code> file giving her permission to
run only those specific commands.

<p>The <code>.k5users</code> file is like the <code>.k5login</code> file, except that
each principal is optionally followed by a list of commands.  <code>ksu</code>
will let those principals execute only the commands listed, using the
<kbd>-e</kbd> option.  <code>david</code>'s <code>.k5users</code> file
might look like the following:

<pre>jennifer@ATHENA.MIT.EDU       /bin/ls /usr/bin/more
joeadmin@ATHENA.MIT.EDU         /bin/ls
joeadmin/admin@ATHENA.MIT.EDU   *
david@EXAMPLE.COM
</pre>

<p>The above <code>.k5users</code> file would let
<code>jennifer</code> run only the commands <code>/bin/ls</code> and
<code>/usr/bin/more</code>.  It would let <code>joeadmin</code> run only
the command <code>/bin/ls</code> if he had regular tickets, but if he had
tickets for his <code>admin</code> instance,
<code>joeadmin/admin@ATHENA.MIT.EDU</code>, he would be able
to execute any command.  The last line gives <code>david</code>
in the realm EXAMPLE.COM permission to execute any command. 
(<i>I.e.</i>, having only a Kerberos principal on a line is equivalent to
giving that principal permission to execute <code>*</code>.)  This is so that
david can allow himself to execute commands when he logs
in, using Kerberos, from a machine in the realm EXAMPLE.COM.

<p>Then, when <code>jennifer</code> wanted to list his home directory,
she would type:

<pre><b>jennifer%</b> ksu david -e ls ~david
<b>Authenticated jennifer@ATHENA.MIT.EDU
Account david: authorization for jennifer@ATHENA.MIT.EDU for execution of
               /bin/ls successful
Changing uid to david (3382)
Mail            News            Personal        misc            bin
jennifer%</b>
</pre>

<p>If <code>jennifer</code> had tried to give a different
command to <code>ksu</code>, it would have prompted for a password as with the
previous example.

<p>Note that unless the <code>.k5users</code> file gives the target permission to
run any command, the user must use <code>ksu</code> with the <kbd>-e</kbd>
<i>command</i> option.

<p>The <code>ksu</code> options you are most likely to use are:

<dl>
<dt><kbd>-n <i>principal</i></kbd>
<dd>specifies which Kerberos principal you want to use for <code>ksu</code>. 
(<i>e.g.</i>, the user <code>joeadmin</code> might want to use his
<code>admin</code> instance.  See <a href="#What%20is%20a%20Ticket%3f">What is a Ticket?</a>.)

<dt><kbd>-c</kbd>
<dd>specifies the location of your Kerberos credentials cache (ticket file).

<dt><kbd>-k</kbd>
<dd>tells <code>ksu</code> not to destroy your Kerberos tickets when <code>ksu</code> is
finished.

<dt><kbd>-f</kbd>
<dd>requests forwardable tickets.  (See <a href="#Obtaining%20Tickets%20with%20kinit">Obtaining Tickets with kinit</a>.)  This
is only applicable if <code>ksu</code> needs to obtain tickets.

<dt><kbd>-l <i>lifetime</i></kbd>
<dd>sets the ticket lifetime.  (See <a href="#Obtaining%20Tickets%20with%20kinit">Obtaining Tickets with kinit</a>.)  This is
only applicable if <code>ksu</code> needs to obtain tickets.

<dt><kbd>-z</kbd>
<dd>tells <code>ksu</code> to copy your Kerberos tickets only if the UID you are
switching is the same as the Kerberos primary (either yours or the one
specified by the <kbd>-n</kbd> option).

<dt><kbd>-Z</kbd>
<dd>tells <code>ksu</code> not to copy any Kerberos tickets to the new UID.

<dt><kbd>-e <i>command</i></kbd>
<dd>tells <code>ksu</code> to execute <i>command</i> and then exit.  See the
description of the <code>.k5users</code> file above.

<dt><kbd>-a <i>text</i></kbd>
<dd>(at the end of the command line) tells <code>ksu</code> to pass everything
after <code>-a</code> to the target shell. 
</dl>

<p>The full set of options to Kerberos V5 <code>ksu</code> are discussed
in the Reference section of this manual.  (see <a href="#ksu%20Reference">ksu Reference</a>)

<p><hr>
Node:<a name="Kerberos%20V5%20Reference">Kerberos V5 Reference</a>,
Next:<a rel=next href="#Kerberos%20Glossary">Kerberos Glossary</a>,
Previous:<a rel=previous href="#Kerberos%20V5%20Tutorial">Kerberos V5 Tutorial</a>,
Up:<a rel=up href="#Top">Top</a>
<br>

<h1>Kerberos V5 Reference</h1>

<p>This section will include copies of the manual pages for the
Kerberos V5 client programs.  You can read the manual entry for any
command by typing <code>man</code> <i>command</i>, where <i>command</i> is the name
of the command for which you want to read the manual entry.  For
example, to read the <code>kinit</code> manual entry, you would type:

<pre><b>shell%</b> man kinit
</pre>

<p>Note:  To be able to view the Kerberos V5 manual pages on line, you
may need to add the directory <code>/usr/local/man</code> to your MANPATH
environment variable.  (Remember to replace <code>/usr/local</code> with
the top-level directory in which Kerberos V5 is installed.)  For
example, if you had the the following line in your <code>.login</code>
file<a rel=footnote href="#fn-2"><sup>2</sup></a>:

<pre>setenv MANPATH /usr/local/man:/usr/man
</pre>

<p>and the Kerberos V5 man pages were in the directory
<code>/usr/krb5/man</code>, you would change the line to the following:

<pre>setenv MANPATH /usr/krb5/man:/usr/local/man:/usr/man
</pre>

<ul>
<li><a href="#kinit%20Reference">kinit Reference</a>: 
<li><a href="#klist%20Reference">klist Reference</a>: 
<li><a href="#ksu%20Reference">ksu Reference</a>: 
<li><a href="#kdestroy%20Reference">kdestroy Reference</a>: 
<li><a href="#kpasswd%20Reference">kpasswd Reference</a>: 
<li><a href="#telnet%20Reference">telnet Reference</a>: 
<li><a href="#FTP%20Reference">FTP Reference</a>: 
<li><a href="#rlogin%20Reference">rlogin Reference</a>: 
<li><a href="#rsh%20Reference">rsh Reference</a>: 
<li><a href="#rcp%20Reference">rcp Reference</a>: 
</ul>

<p><hr>
Node:<a name="kinit%20Reference">kinit Reference</a>,
Next:<a rel=next href="#klist%20Reference">klist Reference</a>,
Previous:<a rel=previous href="#Kerberos%20V5%20Reference">Kerberos V5 Reference</a>,
Up:<a rel=up href="#Kerberos%20V5%20Reference">Kerberos V5 Reference</a>
<br>

<h2>kinit Reference</h2>

<a href="kinit.html"> kinit manpage</a>

<p><hr>
Node:<a name="klist%20Reference">klist Reference</a>,
Next:<a rel=next href="#ksu%20Reference">ksu Reference</a>,
Previous:<a rel=previous href="#kinit%20Reference">kinit Reference</a>,
Up:<a rel=up href="#Kerberos%20V5%20Reference">Kerberos V5 Reference</a>
<br>

<h2>klist Reference</h2>

<a href="klist.html"> klist manpage</a>

<p><hr>
Node:<a name="ksu%20Reference">ksu Reference</a>,
Next:<a rel=next href="#kdestroy%20Reference">kdestroy Reference</a>,
Previous:<a rel=previous href="#klist%20Reference">klist Reference</a>,
Up:<a rel=up href="#Kerberos%20V5%20Reference">Kerberos V5 Reference</a>
<br>

<h2>ksu Reference</h2>

<a href="ksu.html"> ksu manpage</a>

<p><hr>
Node:<a name="kdestroy%20Reference">kdestroy Reference</a>,
Next:<a rel=next href="#kpasswd%20Reference">kpasswd Reference</a>,
Previous:<a rel=previous href="#ksu%20Reference">ksu Reference</a>,
Up:<a rel=up href="#Kerberos%20V5%20Reference">Kerberos V5 Reference</a>
<br>

<h2>kdestroy Reference</h2>

<a href="kdestroy.html"> kdestroy manpage</a>

<p><hr>
Node:<a name="kpasswd%20Reference">kpasswd Reference</a>,
Next:<a rel=next href="#telnet%20Reference">telnet Reference</a>,
Previous:<a rel=previous href="#kdestroy%20Reference">kdestroy Reference</a>,
Up:<a rel=up href="#Kerberos%20V5%20Reference">Kerberos V5 Reference</a>
<br>

<h2>kpasswd Reference</h2>

<a href="kpasswd.html"> kpasswd manpage</a>

<p><hr>
Node:<a name="telnet%20Reference">telnet Reference</a>,
Next:<a rel=next href="#FTP%20Reference">FTP Reference</a>,
Previous:<a rel=previous href="#kpasswd%20Reference">kpasswd Reference</a>,
Up:<a rel=up href="#Kerberos%20V5%20Reference">Kerberos V5 Reference</a>
<br>

<h2>telnet Reference</h2>

<a href="telnet.html"> telnet manpage</a>

<p><hr>
Node:<a name="FTP%20Reference">FTP Reference</a>,
Next:<a rel=next href="#rlogin%20Reference">rlogin Reference</a>,
Previous:<a rel=previous href="#telnet%20Reference">telnet Reference</a>,
Up:<a rel=up href="#Kerberos%20V5%20Reference">Kerberos V5 Reference</a>
<br>

<h2>FTP Reference</h2>

<a href="ftp.html"> ftp manpage</a>

<p><hr>
Node:<a name="rlogin%20Reference">rlogin Reference</a>,
Next:<a rel=next href="#rsh%20Reference">rsh Reference</a>,
Previous:<a rel=previous href="#FTP%20Reference">FTP Reference</a>,
Up:<a rel=up href="#Kerberos%20V5%20Reference">Kerberos V5 Reference</a>
<br>

<h2>rlogin Reference</h2>

<a href="rlogin.html"> rlogin manpage</a>

<p><hr>
Node:<a name="rsh%20Reference">rsh Reference</a>,
Next:<a rel=next href="#rcp%20Reference">rcp Reference</a>,
Previous:<a rel=previous href="#rlogin%20Reference">rlogin Reference</a>,
Up:<a rel=up href="#Kerberos%20V5%20Reference">Kerberos V5 Reference</a>
<br>

<h2>rsh Reference</h2>

<a href="rsh.html"> rsh manpage</a>

<p><hr>
Node:<a name="rcp%20Reference">rcp Reference</a>,
Previous:<a rel=previous href="#rsh%20Reference">rsh Reference</a>,
Up:<a rel=up href="#Kerberos%20V5%20Reference">Kerberos V5 Reference</a>
<br>

<h2>rcp Reference</h2>

<a href="rcp.html"> rcp manpage</a>

<p><hr>
Node:<a name="Kerberos%20Glossary">Kerberos Glossary</a>,
Previous:<a rel=previous href="#Kerberos%20V5%20Reference">Kerberos V5 Reference</a>,
Up:<a rel=up href="#Top">Top</a>
<br>

<h1>Kerberos Glossary</h1>

<dl>
<dt><b>client</b>
<dd>an entity that can obtain a ticket.  This entity is usually either a
user or a host.

<br><dt><b>host</b>
<dd>a computer that can be accessed over a network.

<br><dt><b>Kerberos</b>
<dd>in Greek mythology, the three-headed dog that guards the entrance to the
underworld.  In the computing world, Kerberos is a network security
package that was developed at MIT.

<br><dt><b>KDC</b>
<dd>Key Distribution Center.  A machine that issues Kerberos tickets.

<br><dt><b>keytab</b>
<dd>a <b>key tab</b>le file containing one or more keys.  A host or service
uses a <dfn>keytab</dfn> file in much the same way as a user uses his/her
password.

<br><dt><b>principal</b>
<dd>a string that names a specific entity to which a set of credentials may
be assigned.  It can have an arbitrary number of components, but
generally has three:

<dl>
<dt><b>primary</b>
<dd>the first part of a Kerberos <i>principal</i>.  In the case of a user, it
is the username.  In the case of a service, it is the name of the
service.

<br><dt><b>instance</b>
<dd>the second part of a Kerberos <i>principal</i>.  It gives information that
qualifies the primary.  The instance may be null.  In the case of a
user, the instance is often used to describe the intended use of the
corresponding credentials.  In the case of a host, the instance is the
fully qualified hostname.

<br><dt><b>realm</b>
<dd>the logical network served by a single Kerberos database and a set of
Key Distribution Centers.  By convention, realm names are generally all
uppercase letters, to differentiate the realm from the internet domain. 
</dl>

<p>The typical format of a typical Kerberos principal is
primary/instance@REALM.

<br><dt><b>service</b>
<dd>any program or computer you access over a network.  Examples of services
include "host" (a host, <i>e.g.</i>, when you use <code>telnet</code> and
<code>rsh</code>), "ftp" (FTP), "krbtgt" (authentication;
cf. <i>ticket-granting ticket</i>), and "pop" (email).

<br><dt><b>ticket</b>
<dd>a temporary set of electronic credentials that verify the identity of a
client for a particular service.

<br><dt><b>TGT</b>
<dd>Ticket-Granting Ticket.  A special Kerberos ticket that permits the
client to obtain additional Kerberos tickets within the same Kerberos
realm. 
</dl>


<h1>Table of Contents</h1>
<ul>
<li><a href="#Copyright">Copyright</a>
<li><a href="#Introduction">Introduction</a>
<ul>
<li><a href="#What%20is%20a%20Ticket%3f">What is a Ticket?</a>
<li><a href="#What%20is%20a%20Kerberos%20Principal%3f">What is a Kerberos Principal?</a>
</ul>
<li><a href="#Kerberos%20V5%20Tutorial">Kerberos V5 Tutorial</a>
<ul>
<li><a href="#Setting%20Up%20to%20Use%20Kerberos%20V5">Setting Up to Use Kerberos V5</a>
<li><a href="#Ticket%20Management">Ticket Management</a>
<ul>
<li><a href="#Kerberos%20Ticket%20Properties">Kerberos Ticket Properties</a>
<li><a href="#Obtaining%20Tickets%20with%20kinit">Obtaining Tickets with kinit</a>
<li><a href="#Viewing%20Your%20Tickets%20with%20klist">Viewing Your Tickets with klist</a>
<li><a href="#Destroying%20Your%20Tickets%20with%20kdestroy">Destroying Your Tickets with kdestroy</a>
</ul>
<li><a href="#Password%20Management">Password Management</a>
<ul>
<li><a href="#Changing%20Your%20Password">Changing Your Password</a>
<li><a href="#Password%20Advice">Password Advice</a>
<li><a href="#Granting%20Access%20to%20Your%20Account">Granting Access to Your Account</a>
</ul>
<li><a href="#Kerberos%20V5%20Applications">Kerberos V5 Applications</a>
<ul>
<li><a href="#Overview%20of%20Additional%20Features">Overview of Additional Features</a>
<li><a href="#telnet">telnet</a>
<li><a href="#rlogin">rlogin</a>
<li><a href="#FTP">FTP</a>
<li><a href="#rsh">rsh</a>
<li><a href="#rcp">rcp</a>
<li><a href="#ksu">ksu</a>
</ul>
</ul>
<li><a href="#Kerberos%20V5%20Reference">Kerberos V5 Reference</a>
<ul>
<li><a href="#kinit%20Reference">kinit Reference</a>
<li><a href="#klist%20Reference">klist Reference</a>
<li><a href="#ksu%20Reference">ksu Reference</a>
<li><a href="#kdestroy%20Reference">kdestroy Reference</a>
<li><a href="#kpasswd%20Reference">kpasswd Reference</a>
<li><a href="#telnet%20Reference">telnet Reference</a>
<li><a href="#FTP%20Reference">FTP Reference</a>
<li><a href="#rlogin%20Reference">rlogin Reference</a>
<li><a href="#rsh%20Reference">rsh Reference</a>
<li><a href="#rcp%20Reference">rcp Reference</a>
</ul>
<li><a href="#Kerberos%20Glossary">Kerberos Glossary</a>
</ul>

<hr><h4>Footnotes</h4>
<ol type="1">
<li><a name="fn-1"></a>
<p>Note:  the realm
EXAMPLE.COM must be listed in your computer's Kerberos
configuration file, <code>/etc/krb5.conf</code>.</p>

<li><a name="fn-2"></a>
<p>The MANPATH variable may be specified in a different
initialization file, depending on your operating system.  Some of the
files in which you might specify environment variables include
<code>.login</code>, <code>.profile</code>, or <code>.cshrc</code>.</p>

</ol><hr>

</body></html>

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional