glfs/archive/heimdal.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY heimdal-download-http "http://www.h5l.org/dist/src/heimdal-&heimdal-version;.tar.gz">
  <!ENTITY heimdal-download-ftp  "ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-&heimdal-version;.tar.gz">
  <!ENTITY heimdal-md5sum        "31d08bbf47a77827fe97ef3f52b4c9c4">
  <!ENTITY heimdal-size          "6.0 MB">
  <!ENTITY heimdal-buildsize     "205 MB">
  <!ENTITY heimdal-time          "3.9 SBU (additional 2.3 SBU to run the test suite)">
]>

<sect1 id="heimdal" xreflabel="Heimdal-&heimdal-version;">
  <?dbhtml filename="heimdal.html"?>

  <sect1info>
    <date>$Date$</date>
  </sect1info>

  <title>Heimdal-&heimdal-version;</title>

  <indexterm zone="heimdal">
    <primary sortas="a-Heimdal">Heimdal</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Heimdal</title>

    <para><application>Heimdal</application> is a free implementation
    of Kerberos 5 that aims to be compatible with MIT Kerberos 5 and is
    backward compatible with Kerberos 4. Kerberos is a network authentication
    protocol. Basically it preserves the integrity of passwords in any
    untrusted network (like the Internet). Kerberized applications work
    hand-in-hand with sites that support Kerberos to ensure that passwords
    cannot be stolen or compromised. A Kerberos installation will make changes
    to the authentication mechanisms on your network and will overwrite several
    programs and daemons from the <application>Shadow</application>,
    <application>Inetutils</application> and
    <application>Qpopper</application> packages. See
    <ulink url="&files-anduin;/heimdal-overwrites"/> for a complete list of
    all the files and commands to rename each of them.</para>

    <para>&lfssvn_checked;20101029&lfssvn_checked2;</para>

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Download (HTTP): <ulink url="&heimdal-download-http;"/></para>
      </listitem>
      <listitem>
        <para>Download (FTP): <ulink url="&heimdal-download-ftp;"/></para>
      </listitem>
      <listitem>
        <para>Download MD5 sum: &heimdal-md5sum;</para>
      </listitem>
      <listitem>
        <para>Download size: &heimdal-size;</para>
      </listitem>
      <listitem>
        <para>Estimated disk space required: &heimdal-buildsize;</para>
      </listitem>
      <listitem>
        <para>Estimated build time: &heimdal-time;</para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing='compact'>
      <listitem>
        <para>Required Patch: <ulink
        url="&patch-root;/heimdal-&heimdal-version;-otp_fixes-1.patch"/></para>
      </listitem>
      <!-- <listitem>
        <para>Required Patch: <ulink
        url="&patch-root;/heimdal-&heimdal-version;-libss-1.patch"/></para>
      </listitem> -->
    </itemizedlist>

    <bridgehead renderas="sect3">Heimdal Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required to Build the Server-Side Tools</bridgehead>
    <para role="required"><xref linkend="db"/></para>

    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended"><xref linkend="openssl"/></para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional"><xref linkend="openldap"/>,
    <xref linkend="sqlite"/>,
    <xref linkend="x-window-system"/>,
    <xref linkend="libcap2"/>, and
    <ulink url="http://people.redhat.com/sgrubb/libcap-ng/">libcap-ng</ulink> (with this
    <ulink url="&patch-root;/libcap-ng-0.6.4-2.6.36_kernel_fix-1.patch">patch</ulink>
    if the Linux kernel version is &gt;=2.6.36)</para>

    <note>
      <para>Some sort of time synchronization facility on your system
      (like <xref linkend="ntp"/>) is required since Kerberos won't
      authenticate if the time differential between a kerberized client
      and the KDC server is more than 5 minutes.</para>
    </note>

    <para condition="html" role="usernotes">User Notes:
    <ulink url="&blfs-wiki;/heimdal"/></para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of Heimdal</title>

    <warning>
      <para>Ensure you really need a Kerberos installation before you decide
      to install this package. Failure to install and configure the package
      correctly can alter your system so that users cannot log in.</para>
    </warning>

    <para>Install <application>Heimdal</application> by running the following
    commands:</para>

<screen><userinput>patch -Np1 -i ../heimdal-&heimdal-version;-otp_fixes-1.patch &amp;&amp;
sed -i 's|/var/heimdal|/var/lib/heimdal|' \
       `grep -lr "/var/heimdal" doc kadmin kdc lib` &amp;&amp;

./configure --prefix=/usr \
            --sysconfdir=/etc/heimdal \
            --libexecdir=/usr/sbin \
            --localstatedir=/var/lib/heimdal \
            --datadir=/var/lib/heimdal \
            --with-hdbdir=/var/lib/heimdal \
            --with-readline=/usr \
            --enable-kcm &amp;&amp;
make &amp;&amp;

install -v -m755 -d doc/html                                    &amp;&amp;
make -C doc html                                                &amp;&amp;
mv -v doc/heimdal.html doc/html/heimdal                         &amp;&amp;
mv -v doc/hx509.html   doc/html/hx509                           &amp;&amp;
makeinfo --html --no-split -o doc/heimdal.html doc/heimdal.texi &amp;&amp;
makeinfo --html --no-split -o doc/hx509.html   doc/hx509.texi   &amp;&amp;
makeinfo --plaintext       -o doc/heimdal.txt  doc/heimdal.texi &amp;&amp;
makeinfo --plaintext       -o doc/hx509.txt    doc/hx509.texi</userinput></screen>

    <para>If you have <!--<xref linkend="tetex"/> or--> <xref linkend="texlive"/>
    installed and wish to create PDF and Postscript forms of the documentation,
    change into the <filename class='directory'>doc</filename> directory and
    issue any or all of the following commands:</para>

<screen><userinput>pushd doc                        &amp;&amp;
texi2pdf            heimdal.texi &amp;&amp;
texi2dvi            heimdal.texi &amp;&amp;
dvips -o heimdal.ps heimdal.dvi  &amp;&amp;
texi2pdf            hx509.texi   &amp;&amp;
texi2dvi            hx509.texi   &amp;&amp;
dvips -o hx509.ps   hx509.dvi    &amp;&amp;
popd</userinput></screen>

    <para>To test the results, issue: <command>make -k check</command>. The
    <command>check-iprop</command> test is known to fail but all others should
    pass.</para>

    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make install &amp;&amp;

install -v -m755 -d /usr/share/doc/heimdal-&heimdal-version;        &amp;&amp;
install -v -m644    doc/{heimdal,hx509}.{html,txt} \
                    doc/{init-creds,layman.asc}    \
                    /usr/share/doc/heimdal-&heimdal-version;        &amp;&amp;
cp      -v -R       doc/html \
                    destdir/usr/share/doc/heimdal-&heimdal-version; &amp;&amp;

mv -v /bin/login          /bin/login.SHADOW &amp;&amp;
mv -v /bin/su             /bin/su.SHADOW    &amp;&amp;
mv -v /usr/bin/{login,su} /bin              &amp;&amp;
ln -v -sf ../../bin/login /usr/bin          &amp;&amp;

for LINK in   \
    lib{otp,kafs,krb5,hx509,sqlite3,asn1,roken,crypto,wind}; do
        mv -v     /usr/lib/${LINK}.so.* /lib &amp;&amp;
        ln -v -sf ../../lib/$(readlink  /usr/lib/${LINK}.so) \
                  /usr/lib/${LINK}.so
done &amp;&amp;

mv -v     /usr/lib/$(readlink /usr/lib/libdb.so) \
          /usr/lib/libdb-?.so \
          /lib &amp;&amp;
ln -v -sf ../../lib/$(readlink /usr/lib/libdb.so) \
          /usr/lib/libdb.so &amp;&amp;

ldconfig</userinput></screen>

    <para>If you built any of the additional forms of documentation, install it
    using the following commands as the
    <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>install -v -m644 doc/{heimdal,hx509}.{dvi,ps,pdf} \
                 /usr/share/doc/heimdal-&heimdal-version;</userinput></screen>

    <para>If you wish to use the <xref linkend="cracklib"/> library to enforce
    strong passwords in the KDC database, issue the following commands as the
    <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>sed -e 's|/usr/pkg|/usr|' \
    -e 's|/usr/lib/cracklib_dict|/lib/cracklib/pw_dict|' \
    -e 's|/var/heimdal|/var/lib/heimdal|' \
        lib/kadm5/check-cracklib.pl \
     > /bin/krb5-check-cracklib.pl &amp;&amp;

chmod -v 755 /bin/krb5-check-cracklib.pl</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para><command>sed -i ... `grep -lr "/var/heimdal"
    doc kadmin kdc lib`</command>: This command is used to change the
    hard-coded references in the documentation files from
    <filename class='directory'>/var/heimdal</filename> to the FHS compliant
    <filename class='directory'>/var/lib/heimdal</filename> directory
    name.</para>

    <para><parameter>--libexecdir=/usr/sbin</parameter>: This switch causes
    the daemon programs to be installed into
    <filename class="directory">/usr/sbin</filename>.</para>

    <tip>
      <para>If you want to preserve all your existing
      <application>Inetutils</application> package daemons, install the
      <application>Heimdal</application> daemons into
      <filename class="directory">/usr/sbin/heimdal</filename> (or wherever
      you want). Since these programs will be called from
      <command>(x)inetd</command> or <filename>rc</filename> scripts, it
      really doesn't matter where they are installed, as long as they are
      correctly specified in the <filename>/etc/(x)inetd.conf</filename> file
      and <filename>rc</filename> scripts. If you choose something other than
      <filename class="directory">/usr/sbin</filename>, you may want to move
      some of the user programs (such as <command>kadmin</command>) to
      <filename class="directory">/usr/sbin</filename> manually so they'll be
      in the privileged user's default <envar>PATH</envar>.</para>
    </tip>

    <para><parameter>--localstatedir=/var/lib/heimdal</parameter>,
    <parameter>--datadir=/var/lib/heimdal</parameter> and
    <parameter>--with-hdbdir=/var/lib/heimdal</parameter>: These parameters
    are used so that the KDC database and associated files will all reside
    in <filename class='directory'>/var/lib/heimdal</filename>.</para>

    <para><parameter>--with-readline=/usr</parameter>: This parameter must be
    used so that the <command>configure</command> script properly locates the
    installed <application>Readline</application> package.</para>

    <para><parameter>--enable-kcm</parameter>: This parameter enables building
    the Kerberos Credentials Manager.</para>

    <para><option>--with-sqlite3=/usr</option>: This parameter must be
    used so that the <command>configure</command> script properly locates the
    installed <application>Sqlite3</application> package.</para>

    <para><option>--with-openldap=/usr</option> and
    <option>--enable-hdb-openldap-module</option>: These parameters must be
    used so that the <command>configure</command> script properly locates the
    installed <application>OpenLDAP</application> package in order to build the
    module allowing an LDAP backend database.</para>

    <para><command>mv ... ...SHADOW</command>, <command>mv ... /bin</command>
    and <command> ln ... /usr/bin</command>: The <command>login</command>
    and <command>su</command> programs installed by
    <application>Heimdal</application> belong in the
    <filename class="directory">/bin</filename> directory. The
    <command>login</command> program is symlinked because
    <application>Heimdal</application> is expecting to find it in
    <filename class="directory">/usr/bin</filename>. The old executables from
    the <application>Shadow</application> package are preserved before the move
    so that they can be restored if you experience problems logging into the
    system after the <application>Heimdal</application> package is installed
    and configured.</para>

    <para><command>for LINK in ...; do ...; done</command>,
    <command>mv ... /lib</command> and
    <command>ln ... /usr/lib/libdb.so</command>: The <command>login</command>
    and <command>su</command> programs previously moved into the
    <filename class='directory'>/lib</filename> directory link against
    <application>Heimdal</application> libraries as well as libraries provided
    by the <application>OpenSSL</application> and
    <application>Berkeley DB</application> packages. These
    libraries are also moved to <filename class="directory">/lib</filename>
    so they are FHS compliant and also in case
    <filename class="directory">/usr</filename> is located on a separate
    partition which may not always be mounted.</para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Heimdal</title>

    <sect3 id="heimdal-config">
      <title>Config Files</title>

      <para><filename>/etc/heimdal/*</filename></para>

      <indexterm zone="heimdal heimdal-config">
        <primary sortas="e-etc-heimdal">/etc/heimdal/*</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

        <note>
          <para>All the configuration steps shown below must be accomplished
          by the <systemitem class='username'>root</systemitem> user unless
          otherwise noted.</para>
        </note>

      <sect4>
        <title>Master KDC Server Configuration</title>

        <para>Many of the commands below use
        <replaceable>&lt;replaceable&gt;</replaceable> tags to identify places
        where you need to substitute information specific to your network.
        Ensure you replace everything in these tags (there will be no angle
        brackets when you are done) with your site-specific information.</para>

        <para>Create the Kerberos configuration file with the following
        commands:</para>

<screen role="root"><userinput>install -v -m755 -d /etc/heimdal &amp;&amp;
cat &gt; /etc/heimdal/krb5.conf &lt;&lt; "EOF" &amp;&amp;
<literal># Begin /etc/heimdal/krb5.conf

[libdefaults]
    default_realm = <replaceable>&lt;EXAMPLE.COM&gt;</replaceable>
    encrypt = true

[realms]
    <replaceable>&lt;EXAMPLE.COM&gt;</replaceable> = {
        kdc = <replaceable>&lt;hostname.example.com&gt;</replaceable>
        admin_server = <replaceable>&lt;hostname.example.com&gt;</replaceable>
        kpasswd_server = <replaceable>&lt;hostname.example.com&gt;</replaceable>
    }

[domain_realm]
    .<replaceable>&lt;example.com&gt;</replaceable> = <replaceable>&lt;EXAMPLE.COM&gt;</replaceable>

[logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb.log

# End /etc/heimdal/krb5.conf</literal>
EOF
chmod -v 644 /etc/heimdal/krb5.conf</userinput></screen>

        <para>You will need to substitute your domain and proper hostname
        for the occurrences of the <replaceable>&lt;hostname&gt;</replaceable>
        and <replaceable>&lt;EXAMPLE.COM&gt;</replaceable> names.</para>

        <para><option>default_realm</option> should be the name of your
        domain changed to ALL CAPS. This isn't required, but both
        <application>Heimdal</application> and <application>MIT
        Kerberos</application> recommend it.</para>

        <para><option>encrypt = true</option> provides encryption of all
        traffic between kerberized clients and servers. It's not necessary
        and can be left off. If you leave it off, you can encrypt all traffic
        from the client to the server using a switch on the client program
        instead. The <option>[realms]</option> parameters tell the client
        programs where to look for the KDC authentication services. The
        <option>[domain_realm]</option> section maps a domain
        to a realm.</para>

        <para>Store the master password in a key file using the following
        commands:</para>

<screen role="root"><userinput>install -v -m755 -d /var/lib/heimdal &amp;&amp;
kstash</userinput></screen>

        <para>Create the KDC database:</para>

<screen role="root"><userinput>kadmin -l</userinput></screen>

        <para>The commands below will prompt you for information about the
        principles. Choose the defaults for now unless you know what you are
        doing and need to specify different values. You can go in later and
        change the defaults, should you feel the need. You may use the up and
        down arrow keys to use the history feature of <command>kadmin</command>
        in a similar manner as the <command>bash</command> history
        feature.</para>

        <para>At the <prompt>kadmin&gt;</prompt> prompt, issue the following
        statement:</para>

<screen role="root"><userinput>init <replaceable>&lt;EXAMPLE.COM&gt;</replaceable></userinput></screen>

        <para>The database must now be populated with at least one principle
        (user). For now, just use your regular login name or root. You may
        create as few, or as many principles as you wish using the following
        statement:</para>

<screen role="root"><userinput>add <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>

        <para>The KDC server and any machine running kerberized
        server daemons must have a host key installed:</para>

<screen role="root"><userinput>add --random-key host/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>

        <para>After choosing the defaults when prompted, you will have to
        export the data to a keytab file:</para>

<screen role="root"><userinput>ext host/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>

        <para>This should have created a file in
        <filename class="directory">/etc/heimdal</filename> named
        <filename>krb5.keytab</filename>. This file should have 600
        (root rw only) permissions. Keeping the keytab file from public access
        is crucial to the overall security of the Kerberos installation.</para>

        <para>Eventually, you'll want to add server daemon principles to the
        database and extract them to the keytab file. You do this in the same
        way you created the host principles. Below is an example:</para>

<screen role="root"><userinput>add --random-key ftp/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>

        <para>(choose the defaults)</para>

<screen role="root"><userinput>ext ftp/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>

        <para>Exit the <command>kadmin</command> program (use
        <command>quit</command> or <command>exit</command>) and return back
        to the shell prompt. Start the KDC daemon manually, just to test out
        the installation:</para>

<screen role="root"><userinput>/usr/sbin/kdc &amp;</userinput></screen>

        <para>Attempt to get a TGT (ticket granting ticket) with
        the following command:</para>

<screen><userinput>kinit <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>

        <para>You will be prompted for the password you created. After you get
        your ticket, you should list it with the following command:</para>

<screen><userinput>klist</userinput></screen>

        <para>Information about the ticket should be displayed on
        the screen.</para>

        <para>To test the functionality of the <filename>keytab</filename> file,
        issue the following command:</para>

<screen><userinput>ktutil list</userinput></screen>

        <para>This should dump a list of the host principals, along with the
        encryption methods used to access the principals.</para>

        <para>At this point, if everything has been successful so far, you
        can feel fairly confident in the installation, setup and configuration
        of your new <application>Heimdal</application> Kerberos 5
        installation.</para>

        <para>If you wish to use the <xref linkend="cracklib"/> library to
        enforce strong passwords in the KDC database, you must do two things.
        First, add the following lines to the
        <filename>/etc/heimdal/krb5.conf</filename> configuration file:</para>

<screen><literal>[password_quality]
    policies = builtin:external-check
    external_program = /bin/krb5-check-cracklib.pl</literal></screen>

        <para>Next you must install the
        <application>Crypt::Cracklib</application>
        <application>Perl</application> module. Download it from the CPAN
        site. The URL at the time of this writing is <ulink
        url="http://www.cpan.org/authors/id/D/DA/DANIEL/Crypt-Cracklib-1.5.tar.gz"/>.
        After unpacking the tarball and changing into the newly created
        directory, issue the following command to add the BLFS
        <application>Cracklib</application> dictionary location to one of the
        source files:</para>

<screen><userinput>sed -i 's|pw_dict|&amp;\n\t\t/lib/cracklib/pw_dict|' Cracklib.pm</userinput></screen>

        <para>Then use the standard <command>perl Makefile.PL</command>;
        <command>make</command>; <command>make test</command>;
        <command>make install</command> commands.</para>

        <para id="heimdal-init">Install the
        <filename>/etc/rc.d/init.d/heimdal</filename> init script included
        in the <xref linkend="bootscripts"/> package:</para>

        <indexterm zone="heimdal heimdal-init">
          <primary sortas="f-heimdal">heimdal</primary>
        </indexterm>

<screen role="root"><userinput>make install-heimdal</userinput></screen>

      </sect4>

      <sect4>
        <title>Using Kerberized Client Programs</title>

        <para>To use the kerberized client programs (<command>telnet</command>,
        <command>ftp</command>, <command>rsh</command>,
        <command>rxterm</command>, <command>rxtelnet</command>,
        <command>rcp</command>, <command>xnlock</command>), you first must get
        a TGT. Use the <command>kinit</command> program to get the ticket.
        After you've acquired the ticket, you can use the kerberized programs
        to connect to any kerberized server on the network. You will not be
        prompted for authentication until your ticket expires (default is one
        day), unless you specify a different user as a command line argument
        to the program.</para>

        <para>The kerberized programs will connect to non-kerberized daemons,
        warning you that authentication is not encrypted.</para>

        <para>In order to use the <application>Heimdal</application>
        <application>X</application> programs, you'll need to add a service
        port entry to the <filename>/etc/services</filename> file for the
        <command>kxd</command> server. There is no 'standardized port number'
        for the 'kx' service in the IANA database, so you'll have to pick an
        unused port number. Add an entry to the <filename>services</filename>
        file similar to the entry below (substitute your chosen port number
        for <replaceable>&lt;49150&gt;</replaceable>):</para>

<screen><literal>kx              <replaceable>&lt;49150&gt;</replaceable>/tcp   # Heimdal kerberos X
kx              <replaceable>&lt;49150&gt;</replaceable>/udp   # Heimdal kerberos X</literal></screen>

        <para>For additional information consult <ulink
        url="&hints-root;/downloads/files/heimdal.txt">the
        Heimdal hint</ulink> on which the above instructions are based.</para>

      </sect4>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>afslog, ftp, ftpd, gss, hprop, hpropd, hxtool, iprop-log,
        ipropd-master, ipropd-slave, kadmin, kadmind, kauth, kcm, kdc,
        kdestroy, kdigest, kf, kfd, kgetcred, kimpersonate, kinit, klist,
        kpasswd, kpasswdd, krb5-check-cracklib.pl, krb5-config, kstash,
        ktutil, kx, kxd, login, mk_cmds-krb5, otp, otpprint, pagsh, pfrom,
        popper, push, rcp, rsh, rshd, rxtelnet, rxterm, string2key, su,
        telnet, telnetd, tenletxr, verify_krb5_conf and xnlock</seg>

        <seg>hdb_ldap.{so,a}, libasn1.{so,a},
        libgssapi.{so,a}, libhdb.{so,a}, libheimntlm.{so,a}, libhx509.{so,a},
        libkadm5clnt.{so,a}, libkadm5srv.{so,a}, libkafs.{so,a},
        libkdc.{so,a}, libkrb5.{so,a}, libotp.{so,a}, libroken.{so,a},
        libsl.{so,a}, libss-krb5.{so,a} and wind.{so,a}</seg>

        <seg>/etc/heimdal, /usr/include/gssapi, /usr/include/kadm5,
        /usr/include/krb5, /usr/include/roken,
        /usr/share/doc/heimdal-&heimdal-version; and /var/lib/heimdal</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="afslog">
        <term><command>afslog</command></term>
        <listitem>
          <para>obtains AFS tokens for a number of cells.</para>
          <indexterm zone="heimdal afslog">
            <primary sortas="b-afslog">afslog</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ftp">
        <term><command>ftp</command></term>
        <listitem>
          <para>is a kerberized FTP client.</para>
          <indexterm zone="heimdal ftp">
            <primary sortas="b-ftp">ftp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ftpd">
        <term><command>ftpd</command></term>
        <listitem>
          <para>is a kerberized FTP daemon.</para>
          <indexterm zone="heimdal ftpd">
            <primary sortas="b-ftpd">ftpd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="hprop">
        <term><command>hprop</command></term>
        <listitem>
          <para> takes a principal database in a specified format and converts
          it into a stream of <application>Heimdal</application> database
          records.</para>
          <indexterm zone="heimdal hprop">
            <primary sortas="b-hprop">hprop</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="hpropd">
        <term><command>hpropd</command></term>
        <listitem>
          <para>is a server that receives a database sent by
          <command>hprop</command> and writes it as a local database.</para>
          <indexterm zone="heimdal hpropd">
            <primary sortas="b-hpropd">hpropd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iprop-log">
        <term><command>iprop-log</command></term>
        <listitem>
          <para>is used to maintain the iprop log file.</para>
          <indexterm zone="heimdal iprop-log">
            <primary sortas="b-iprop-log">iprop-log</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ipropd-master">
        <term><command>ipropd-master</command></term>
        <listitem>
          <para>is a daemon which runs on the master KDC
          server which incrementally propagates changes to the KDC
          database to the slave KDC servers.</para>
          <indexterm zone="heimdal ipropd-master">
            <primary sortas="b-ipropd-master">ipropd-master</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ipropd-slave">
        <term><command>ipropd-slave</command></term>
        <listitem>
          <para>is a daemon which runs on the slave KDC
          servers which incrementally propagates changes to the KDC
          database from the master KDC server.</para>
          <indexterm zone="heimdal ipropd-slave">
            <primary sortas="b-ipropd-slave">ipropd-slave</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kadmin">
        <term><command>kadmin</command></term>
        <listitem>
          <para>is a utility used to make modifications to the Kerberos
          database.</para>
          <indexterm zone="heimdal kadmin">
            <primary sortas="b-kadmin">kadmin</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kadmind">
        <term><command>kadmind</command></term>
        <listitem>
          <para>is a server for administrative access to the Kerberos
          database.</para>
          <indexterm zone="heimdal kadmind">
            <primary sortas="b-kadmind">kadmind</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kauth">
        <term><command>kauth</command></term>
        <listitem>
          <para>is a symbolic link to the <command>kinit</command>
          program.</para>
          <indexterm zone="heimdal kauth">
            <primary sortas="g-kauth">kauth</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kcm">
        <term><command>kcm</command></term>
        <listitem>
          <para>is a process based credential cache for Kerberos
          tickets.</para>
          <indexterm zone="heimdal kcm">
            <primary sortas="b-kcm">kcm</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kdc">
        <term><command>kdc</command></term>
        <listitem>
          <para>is a Kerberos 5 server.</para>
          <indexterm zone="heimdal kdc">
            <primary sortas="b-kdc">kdc</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kdestroy">
        <term><command>kdestroy</command></term>
        <listitem>
          <para>removes a principle's current set of tickets.</para>
          <indexterm zone="heimdal kdestroy">
            <primary sortas="b-kdestroy">kdestroy</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kf">
        <term><command>kf</command></term>
        <listitem>
          <para>is a program which forwards tickets to a remote host through
          an authenticated and encrypted stream.</para>
          <indexterm zone="heimdal kf">
            <primary sortas="b-kf">kf</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kfd">
        <term><command>kfd</command></term>
        <listitem>
          <para>is a server used to receive forwarded tickets.</para>
          <indexterm zone="heimdal kfd">
            <primary sortas="b-kfd">kfd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kgetcred">
        <term><command>kgetcred</command></term>
        <listitem>
          <para>obtains a ticket for a service.</para>
          <indexterm zone="heimdal kgetcred">
            <primary sortas="b-kgetcred">kgetcred</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kinit">
        <term><command>kinit</command></term>
        <listitem>
          <para>is used to authenticate to the Kerberos server as a principal
          and acquire a ticket granting ticket that can later be used to obtain
          tickets for other services.</para>
          <indexterm zone="heimdal kinit">
            <primary sortas="b-kinit">kinit</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="klist">
        <term><command>klist</command></term>
        <listitem>
          <para>reads and displays the current tickets in the credential
          cache.</para>
          <indexterm zone="heimdal klist">
            <primary sortas="b-klist">klist</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kpasswd">
        <term><command>kpasswd</command></term>
        <listitem>
          <para>is a program for changing Kerberos 5 passwords.</para>
          <indexterm zone="heimdal kpasswd">
            <primary sortas="b-kpasswd">kpasswd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kpasswdd">
        <term><command>kpasswdd</command></term>
        <listitem>
          <para>is a Kerberos 5 password changing server.</para>
          <indexterm zone="heimdal kpasswdd">
            <primary sortas="b-kpasswdd">kpasswdd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="krb5-config-prog">
        <term><command>krb5-config</command></term>
        <listitem>
          <para>gives information on how to link programs against
          <application>Heimdal</application> libraries.</para>
          <indexterm zone="heimdal krb5-config-prog">
            <primary sortas="b-krb5-config">krb5-config</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kstash">
        <term><command>kstash</command></term>
        <listitem>
          <para>stores the KDC master password in a file.</para>
          <indexterm zone="heimdal kstash">
            <primary sortas="b-kstash">kstash</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ktutil">
        <term><command>ktutil</command></term>
        <listitem>
          <para>is a program for managing Kerberos keytabs.</para>
          <indexterm zone="heimdal ktutil">
            <primary sortas="b-ktutil">ktutil</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kx">
        <term><command>kx</command></term>
        <listitem>
          <para>is a program which securely forwards
          <application>X</application> connections.</para>
          <indexterm zone="heimdal kx">
            <primary sortas="b-kx">kx</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="kxd">
        <term><command>kxd</command></term>
        <listitem>
          <para>is the daemon for <command>kx</command>.</para>
          <indexterm zone="heimdal kxd">
            <primary sortas="b-kxd">kxd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="login">
        <term><command>login</command></term>
        <listitem>
          <para>is a kerberized login program.</para>
          <indexterm zone="heimdal login">
            <primary sortas="b-login">login</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="otp">
        <term><command>otp</command></term>
        <listitem>
          <para>manages one-time passwords.</para>
          <indexterm zone="heimdal otp">
            <primary sortas="b-otp">otp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="otpprint">
        <term><command>otpprint</command></term>
        <listitem>
          <para>prints lists of one-time passwords.</para>
          <indexterm zone="heimdal otpprint">
            <primary sortas="b-otpprint">otpprint</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="pfrom">
        <term><command>pfrom</command></term>
        <listitem>
          <para>is a script that runs <command>push --from</command>.</para>
          <indexterm zone="heimdal pfrom">
            <primary sortas="b-pfrom">pfrom</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="popper">
        <term><command>popper</command></term>
        <listitem>
          <para>is a kerberized POP-3 server.</para>
          <indexterm zone="heimdal popper">
            <primary sortas="b-popper">popper</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="push">
        <term><command>push</command></term>
        <listitem>
          <para>is a kerberized POP mail retrieval client.</para>
          <indexterm zone="heimdal push">
            <primary sortas="b-push">push</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="rcp">
        <term><command>rcp</command></term>
        <listitem>
          <para>is a kerberized rcp client program.</para>
          <indexterm zone="heimdal rcp">
            <primary sortas="b-rcp">rcp</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="rsh">
        <term><command>rsh</command></term>
        <listitem>
          <para>is a kerberized rsh client program.</para>
          <indexterm zone="heimdal rsh">
            <primary sortas="b-rsh">rsh</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="rshd">
        <term><command>rshd</command></term>
        <listitem>
          <para>is a kerberized rsh server.</para>
          <indexterm zone="heimdal rshd">
            <primary sortas="b-rshd">rshd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="rxtelnet">
        <term><command>rxtelnet</command></term>
        <listitem>
          <para>starts a secure <command>xterm</command> window with a
          <command>telnet</command> to a given host and forwards
          <application>X</application> connections.</para>
          <indexterm zone="heimdal rxtelnet">
            <primary sortas="b-rxtelnet">rxtelnet</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="rxterm">
        <term><command>rxterm</command></term>
        <listitem>
          <para>starts a secure remote <command>xterm</command>.</para>
          <indexterm zone="heimdal rxterm">
            <primary sortas="b-rxterm">rxterm</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="string2key">
        <term><command>string2key</command></term>
        <listitem>
          <para>maps a password into a key.</para>
          <indexterm zone="heimdal string2key">
            <primary sortas="b-string2key">string2key</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="su">
        <term><command>su</command></term>
        <listitem>
          <para>is a kerberized su client program.</para>
          <indexterm zone="heimdal su">
            <primary sortas="b-su">su</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="telnet">
        <term><command>telnet</command></term>
        <listitem>
          <para>is a kerberized telnet client program.</para>
          <indexterm zone="heimdal telnet">
            <primary sortas="b-telnet">telnet</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="telnetd">
        <term><command>telnetd</command></term>
        <listitem>
          <para>is a kerberized telnet server.</para>
          <indexterm zone="heimdal telnetd">
            <primary sortas="b-telnetd">telnetd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="tenletxr">
        <term><command>tenletxr</command></term>
        <listitem>
          <para>forwards <application>X</application> connections
          backwards.</para>
          <indexterm zone="heimdal tenletxr">
            <primary sortas="b-tenletxr">tenletxr</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="verify_krb5_conf">
        <term><command>verify_krb5_conf</command></term>
        <listitem>
          <para>checks <filename>krb5.conf</filename> file for obvious
          errors.</para>
          <indexterm zone="heimdal verify_krb5_conf">
            <primary sortas="b-verify_krb5_conf">verify_krb5_conf</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="xnlock">
        <term><command>xnlock</command></term>
        <listitem>
          <para>is a program that acts as a secure screen saver for
          workstations running <application>X</application>.</para>
          <indexterm zone="heimdal xnlock">
            <primary sortas="b-xnlock">xnlock</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libasn1">
        <term><filename class='libraryfile'>libasn1.{so,a}</filename></term>
        <listitem>
          <para>provides the ASN.1 and DER functions to encode and decode
          the Kerberos TGTs.</para>
          <indexterm zone="heimdal libasn1">
            <primary sortas="c-libasn1">libasn1.{so,a}</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libgssapi">
        <term><filename class='libraryfile'>libgssapi.{so,a}</filename></term>
        <listitem>
          <para>contain the Generic Security Service Application Programming
          Interface (GSSAPI) functions which provides security
          services to callers in a generic fashion, supportable with a range of
          underlying mechanisms and technologies and hence allowing source-level
          portability of applications to different environments.</para>
          <indexterm zone="heimdal libgssapi">
            <primary sortas="c-libgssapi">libgssapi.{so,a}</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libhdb">
        <term><filename class='libraryfile'>libhdb.{so,a}</filename></term>
        <listitem>
          <para>is a <application>Heimdal</application> Kerberos 5
          authentication/authorization database access library.</para>
          <indexterm zone="heimdal libhdb">
            <primary sortas="c-libhdb">libhdb.{so,a}</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkadm5clnt">
        <term><filename class='libraryfile'>libkadm5clnt.{so,a}</filename></term>
        <listitem>
          <para>contains the administrative authentication and password
          checking functions required by Kerberos 5 client-side programs.</para>
          <indexterm zone="heimdal libkadm5clnt">
            <primary sortas="c-libkadm5clnt">libkadm5clnt.{so,a}</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkadm5srv">
        <term><filename class='libraryfile'>libkadm5srv.{so,a}</filename></term>
        <listitem>
          <para>contain the administrative authentication and password
          checking functions required by Kerberos 5 servers.</para>
          <indexterm zone="heimdal libkadm5srv">
            <primary sortas="c-libkadm5srv">libkadm5srv.{so,a}</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkafs">
        <term><filename class='libraryfile'>libkafs.{so,a}</filename></term>
        <listitem>
          <para>contains the functions required to authenticated to AFS.</para>
          <indexterm zone="heimdal libkafs">
            <primary sortas="c-libkafs">libkafs.{so,a}</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libkrb5">
        <term><filename class='libraryfile'>libkrb5.{so,a}</filename></term>
        <listitem>
          <para>is an all-purpose Kerberos 5 library.</para>
          <indexterm zone="heimdal libkrb5">
            <primary sortas="c-libkrb5">libkrb5.{so,a}</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libotp">
        <term><filename class='libraryfile'>libotp.{so,a}</filename></term>
        <listitem>
          <para>contains the functions required to handle authenticating
          one time passwords.</para>
          <indexterm zone="heimdal libotp">
            <primary sortas="c-libotp">libotp.{so,a}</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libroken">
        <term><filename class='libraryfile'>libroken.{so,a}</filename></term>
        <listitem>
          <para>is a library containing Kerberos 5 compatibility
          functions.</para>
          <indexterm zone="heimdal libroken">
            <primary sortas="c-libroken">libroken.{so,a}</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>