From 8192b9ed3567a10e3f9d65864a88b32de9d6b8b6 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Wed, 12 Oct 2011 12:25:10 +0200 Subject: [PATCH] remove refernces to kerberos 4 and kaserver --- doc/heimdal.texi | 1 - doc/intro.texi | 3 +-- doc/kerberos4.texi | 45 ++---------------------------------- doc/setup.texi | 56 ++------------------------------------------- kdc/kdc.8 | 3 --- lib/krb5/krb5.conf.5 | 2 -- lib/krb5/verify_krb5_conf.c | 2 +- 7 files changed, 6 insertions(+), 106 deletions(-) diff --git a/doc/heimdal.texi b/doc/heimdal.texi index cebee5df7..b3efd2e38 100644 --- a/doc/heimdal.texi +++ b/doc/heimdal.texi @@ -84,7 +84,6 @@ Setting up a realm * Creating the database:: * Modifying the database:: * keytabs:: -* Serving Kerberos 4/524/kaserver:: * Remote administration:: * Password changing:: * Testing clients and servers:: diff --git a/doc/intro.texi b/doc/intro.texi index 83c378788..c51eba02a 100644 --- a/doc/intro.texi +++ b/doc/intro.texi @@ -57,8 +57,7 @@ a library @file{libkafs} for authenticating to AFS and a program @item some simple test programs @item -a KDC that supports most things; optionally, it may also support -Kerberos V4 and kaserver, +a KDC that supports most things, @item simple programs for distributing databases between a KDC master and slaves diff --git a/doc/kerberos4.texi b/doc/kerberos4.texi index a474fccbd..41a6508aa 100644 --- a/doc/kerberos4.texi +++ b/doc/kerberos4.texi 
@@ -4,18 +4,13 @@ @comment node-name, next, previous, up @chapter Kerberos 4 issues -The KDC has built-in version 4 support. It is not enabled by default, -see setup how to set it up. - -The KDC will also have kaserver emulation and be able to handle -AFS-clients that use @code{klog}. +Kerberos 4 KDC and KA server have been moved. For more about AFS, see the section @xref{AFS}. @menu * Principal conversion issues:: * Converting a version 4 database:: -* kaserver:: @end menu @node Principal conversion issues, Converting a version 4 database, Kerberos 4 issues, Kerberos 4 issues @@ -59,7 +54,7 @@ principal exists in the database. The KDC will use @code{krb5_425_conv_principal_ext} to convert principals when handling to version 4 requests. -@node Converting a version 4 database, kaserver , Principal conversion issues, Kerberos 4 issues +@node Converting a version 4 database, , Principal conversion issues, Kerberos 4 issues @section Converting a version 4 database If you want to convert an existing version 4 database, the principal 
@@ -176,39 +171,3 @@ server: hprop -n --source=krb4-db -d /var/kerberos/principal --master-key=/.m | hpropd -n @end example -@node kaserver, , Converting a version 4 database, Kerberos 4 issues -@section kaserver - -@subsection kaserver emulation - -The Heimdal kdc can emulate a kaserver. The kaserver is a Kerberos 4 -server with pre-authentication using Rx as the on-wire protocol. The kdc -contains a minimalistic Rx implementation. - -There are three parts of the kaserver; KAA (Authentication), KAT (Ticket -Granting), and KAM (Maintenance). The KAA interface and KAT interface -both passes over DES encrypted data-blobs (just like the -Kerberos-protocol) and thus do not need any other protection. The KAM -interface uses @code{rxkad} (Kerberos authentication layer for Rx) for -security and data protection, and is used for example for changing -passwords. This part is not implemented in the kdc. - -Another difference between the ka-protocol and the Kerberos 4 protocol -is that the pass-phrase is salted with the cellname in the @code{string to -key} function in the ka-protocol, while in the Kerberos 4 protocol there -is no salting of the password at all. To make sure AFS-compatible keys -are added to each principals when they are created or their password are -changed, @samp{afs3-salt} should be added to -@samp{[kadmin]default_keys}. - -For more about AFS, see the section @xref{AFS}. - -@subsection Transarc AFS Windows client - -The Transarc Windows client uses Kerberos 4 to obtain tokens, and thus -does not need a kaserver. The Windows client assumes that the Kerberos -server is on the same machine as the AFS-database server. If you do not -like to do that you can add a small program that runs on the database -servers that forward all kerberos requests to the real kerberos -server. A program that does this is @code{krb-forward} -(@url{ftp://ftp.stacken.kth.se/pub/projekts/krb-forward}). diff --git a/doc/setup.texi b/doc/setup.texi index ad5476f32..732c26e6b 100644 
--- a/doc/setup.texi +++ b/doc/setup.texi @@ -282,7 +282,7 @@ database check by run by the following command : kadmin -l check REALM.EXAMPLE.ORG @end example -@node keytabs, Serving Kerberos 4/524/kaserver, Checking the setup, Setting up a realm +@node keytabs, Remote administration, Checking the setup, Setting up a realm @section keytabs To extract a service ticket from the database and put it in a keytab, you 
@@ -305,59 +305,7 @@ Version Type Principal 1 des3-cbc-sha1 host/my.host.name@@MY.REALM @end example -@node Serving Kerberos 4/524/kaserver, Remote administration, keytabs, Setting up a realm -@section Serving Kerberos 4/524/kaserver - -Heimdal can be configured to support 524, Kerberos 4 or kaserver. All -these services are turned off by default. Kerberos 4 is always -supported by the KDC, but the Kerberos 4 client support also depends -on Kerberos 4 support having been included at compile-time, using -@kbd{--with-krb4=dir}. - -@subsection 524 - -524 is a service that allows the KDC to convert Kerberos 5 tickets to -Kerberos 4 tickets for backward compatibility. See also Using 2b -tokens with AFS in @xref{AFS}. - -524 can be turned on by adding this to the configuration file - -@example -[kdc] - enable-524 = yes -@end example - -@subsection Kerberos 4 - -Kerberos 4 is the predecessor to to Kerberos 5. It only supports -single DES@. You should only enable Kerberos 4 support if you have -needs for compatibility with an installed base of Kerberos 4 -clients/servers. - -Kerberos 4 can be turned on by adding this to the configuration file - -@example -[kdc] - enable-kerberos4 = yes -@end example - -@subsection kaserver - -Kaserver is a Kerberos 4 that is used in AFS@. The protocol has some -extra features over plain Kerberos 4, but like Kerberos 4, only uses -single DES@. - -You should only enable Kaserver support if you have needs for -compatibility with an installed base of AFS machines. - -Kaserver can be turned on by adding this to the configuration file - -@example -[kdc] - enable-kaserver = yes -@end example - -@node Remote administration, Password changing, Serving Kerberos 4/524/kaserver, Setting up a realm +@node Remote administration, Password changing, keytabs, Setting up a realm @section Remote administration The administration server, @command{kadmind}, can be started by diff --git a/kdc/kdc.8 b/kdc/kdc.8 index 4a69bda06..171c426a0 100644 --- a/kdc/kdc.8 
+++ b/kdc/kdc.8 @@ -54,7 +54,6 @@ .Fl Fl v4-realm= Ns Ar string .Xc .Oc -.Op Fl K | Fl Fl kaserver .Oo Fl P Ar portspec \*(Ba Xo .Fl Fl ports= Ns Ar portspec .Xc @@ -112,8 +111,6 @@ The default is whatever is returned by .Fn krb_get_lrealm . This option is only available if the KDC has been compiled with version 4 support. -.It Fl K , Fl Fl kaserver -Enable kaserver emulation (in case it's compiled in). .It Fl P Ar portspec , Fl Fl ports= Ns Ar portspec Specifies the set of ports the KDC should listen on. It is given as a diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5 index 9e1edc7b6..db16e7d5c 100644 --- a/lib/krb5/krb5.conf.5 +++ b/lib/krb5/krb5.conf.5 @@ -410,8 +410,6 @@ Default is the same as .Va enable-kerberos4 . .It Li enable-http = Va BOOL Should the kdc answer kdc-requests over http. -.It Li enable-kaserver = Va BOOL -If this kdc should emulate the AFS kaserver. .It Li as-use-strongest-session-key = Va BOOL If this is TRUE then the KDC will prefer the strongest key from the client's AS-REQ enctype list, that is also supported by the KDC and the diff --git a/lib/krb5/verify_krb5_conf.c b/lib/krb5/verify_krb5_conf.c index d554423a1..647a311a2 100644 --- a/lib/krb5/verify_krb5_conf.c +++ b/lib/krb5/verify_krb5_conf.c @@ -508,7 +508,7 @@ struct entry kdc_entries[] = { { "allow-null-ticket-addresses", krb5_config_string, check_boolean }, { "allow-anonymous", krb5_config_string, check_boolean }, { "v4_realm", krb5_config_string, NULL }, - { "enable-kaserver", krb5_config_string, check_boolean }, + { "enable-kaserver", krb5_config_string, check_boolean, 1 }, { "encode_as_rep_as_tgs_rep", krb5_config_string, check_boolean }, { "kdc_warn_pwexpire", krb5_config_string, check_time }, { "use_2b", krb5_config_list, NULL }, -- 2.11.4.GIT
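Review bot: in the doc/kerberos4.texi hunk at @@ -4,18, the replacement sentence "Kerberos 4 KDC and KA server have been moved." does not say where they went, so a reader who depended on the deleted paragraphs (built-in version 4 support, kaserver emulation for @code{klog} clients) is left without a pointer; name the destination (separate package, branch or the commit that dropped them) and phrase it as "The Kerberos 4 KDC and kaserver emulation have been moved to ...". While touching this chapter, the unchanged context in the next hunk still reads "when handling to version 4 requests", which should be "when handling version 4 requests".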
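Review bot: the doc/kerberos4.texi hunk at @@ -176,39 deletes the whole kaserver node, and with it the only place that tells AFS sites to add @samp{afs3-salt} to @samp{[kadmin]default_keys} so that AFS-compatible keys are created when principals are added or passwords change; that advice is about string-to-key salting, not about kaserver emulation, so unless it is documented elsewhere it should move to the AFS section reached by @xref{AFS} rather than disappear. The emptied next pointer in "@node Converting a version 4 database, , Principal conversion issues, Kerberos 4 issues" from the earlier hunk is consistent with this removal.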
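Review bot: the doc/setup.texi hunk at @@ -305,59 removes the documentation of @code{enable-524} and @code{enable-kerberos4} together with @code{enable-kaserver}, although the subject line only mentions Kerberos 4 and kaserver and the lib/krb5/krb5.conf.5 hunk leaves "Default is the same as .Va enable-kerberos4 ." as unchanged context, so the manpage now points at a setting the setup guide no longer explains. Either keep the 524 and Kerberos 4 subsections with their @example [kdc] blocks, or drop the remaining enable-kerberos4 references in the same patch so the two documents agree.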
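Review bot: the kdc/kdc.8 hunk at @@ -112,8 removes the ".It Fl K , Fl Fl kaserver" entry, but the diffstat lists no file under kdc/ other than kdc.8, so the option is either still parsed by the binary and now undocumented, or was removed in another commit that this message should reference. The surrounding context still documents --v4-realm ("This option is only available if the KDC has been compiled with version 4 support", .Fn krb_get_lrealm); if Kerberos 4 is really gone that text should go too, and if only kaserver is being removed the subject "remove references to kerberos 4 and kaserver" overstates the change.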
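Review bot: in the lib/krb5/verify_krb5_conf.c hunk, the new initializer `{ "enable-kaserver", krb5_config_string, check_boolean, 1 }` gives this entry a fourth field that none of the neighbouring entries (`v4_realm`, `encode_as_rep_as_tgs_rep`, `kdc_warn_pwexpire`) carry, and the definition of `struct entry` is outside the hunk, so the meaning of the trailing `1` cannot be read from the change; if it is a deprecation marker, a comment on the line or in the commit message should say so and state what verify_krb5_conf now reports for a configuration that still sets it. Keeping the key in the table rather than deleting it is the right call, since the krb5.conf.5 hunk removes its description and administrators with older configurations need a clear message instead of an unknown-key complaint.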