diff options
| author | Cy Schubert <cy@FreeBSD.org> | 2017-07-07 17:03:42 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2017-07-07 17:03:42 +0000 |
| commit | 33a9b234e7087f573ef08cd7318c6497ba08b439 (patch) | |
| tree | d0ea40ad3bf5463a3c55795977c71bcb7d781b4b /doc/html/user/pwd_mgmt.html | |
Import MIT KRB5 1.15.1, which will gracefully replace KTH Heimdal.vendor/krb5/1.15.1
The tarball used in this import is the same tarball used in
ports/krb5-115 r435378.
Obtained from: http://web.mit.edu/kerberos/dist/
Thanks to: pfg (for all your tireless behind-the-scenes effort)
Notes
Notes:
svn path=/vendor-crypto/krb5/dist/; revision=320790
svn path=/vendor-crypto/krb5/1.15.1/; revision=320791; tag=vendor/krb5/1.15.1
Diffstat (limited to 'doc/html/user/pwd_mgmt.html')
| -rw-r--r-- | doc/html/user/pwd_mgmt.html | 239 |
1 files changed, 239 insertions, 0 deletions
diff --git a/doc/html/user/pwd_mgmt.html b/doc/html/user/pwd_mgmt.html new file mode 100644 index 000000000000..5da8eed16a15 --- /dev/null +++ b/doc/html/user/pwd_mgmt.html @@ -0,0 +1,239 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> + + +<html xmlns="http://www.w3.org/1999/xhtml"> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + + <title>Password management — MIT Kerberos Documentation</title> + + <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> + <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> + <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> + + <script type="text/javascript"> + var DOCUMENTATION_OPTIONS = { + URL_ROOT: '../', + VERSION: '1.15.1', + COLLAPSE_INDEX: false, + FILE_SUFFIX: '.html', + HAS_SOURCE: true + }; + </script> + <script type="text/javascript" src="../_static/jquery.js"></script> + <script type="text/javascript" src="../_static/underscore.js"></script> + <script type="text/javascript" src="../_static/doctools.js"></script> + <link rel="author" title="About these documents" href="../about.html" /> + <link rel="copyright" title="Copyright" href="../copyright.html" /> + <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> + <link rel="up" title="For users" href="index.html" /> + <link rel="next" title="Ticket management" href="tkt_mgmt.html" /> + <link rel="prev" title="For users" href="index.html" /> + </head> + <body> + <div class="header-wrapper"> + <div class="header"> + + + <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> + + <div class="rel"> + + <a href="../index.html" title="Full Table of Contents" + accesskey="C">Contents</a> | + <a href="index.html" title="For users" + accesskey="P">previous</a> | + <a href="tkt_mgmt.html" title="Ticket management" + accesskey="N">next</a> | + <a href="../genindex.html" title="General Index" + accesskey="I">index</a> | + <a href="../search.html" title="Enter search criteria" + accesskey="S">Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Password management">feedback</a> + </div> + </div> + </div> + + <div class="content-wrapper"> + <div class="content"> + <div class="document"> + + <div class="documentwrapper"> + <div class="bodywrapper"> + <div class="body"> + + <div class="section" id="password-management"> +<h1>Password management<a class="headerlink" href="#password-management" title="Permalink to this headline">¶</a></h1> +<p>Your password is the only way Kerberos has of verifying your identity. +If someone finds out your password, that person can masquerade as +you—send email that comes from you, read, edit, or delete your files, +or log into other hosts as you—and no one will be able to tell the +difference. For this reason, it is important that you choose a good +password, and keep it secret. If you need to give access to your +account to someone else, you can do so through Kerberos (see +<a class="reference internal" href="#grant-access"><em>Granting access to your account</em></a>). You should never tell your password to anyone, +including your system administrator, for any reason. You should +change your password frequently, particularly any time you think +someone may have found out what it is.</p> +<div class="section" id="changing-your-password"> +<h2>Changing your password<a class="headerlink" href="#changing-your-password" title="Permalink to this headline">¶</a></h2> +<p>To change your Kerberos password, use the <a class="reference internal" href="user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a> command. +It will ask you for your old password (to prevent someone else from +walking up to your computer when you’re not there and changing your +password), and then prompt you for the new one twice. (The reason you +have to type it twice is to make sure you have typed it correctly.) +For example, user <tt class="docutils literal"><span class="pre">david</span></tt> would do the following:</p> +<div class="highlight-python"><div class="highlight"><pre>shell% kpasswd +Password for david: <- Type your old password. +Enter new password: <- Type your new password. +Enter it again: <- Type the new password again. +Password changed. +shell% +</pre></div> +</div> +<p>If <tt class="docutils literal"><span class="pre">david</span></tt> typed the incorrect old password, he would get the +following message:</p> +<div class="highlight-python"><div class="highlight"><pre>shell% kpasswd +Password for david: <- Type the incorrect old password. +kpasswd: Password incorrect while getting initial ticket +shell% +</pre></div> +</div> +<p>If you make a mistake and don’t type the new password the same way +twice, kpasswd will ask you to try again:</p> +<div class="highlight-python"><div class="highlight"><pre>shell% kpasswd +Password for david: <- Type the old password. +Enter new password: <- Type the new password. +Enter it again: <- Type a different new password. +kpasswd: Password mismatch while reading password +shell% +</pre></div> +</div> +<p>Once you change your password, it takes some time for the change to +propagate through the system. Depending on how your system is set up, +this might be anywhere from a few minutes to an hour or more. If you +need to get new Kerberos tickets shortly after changing your password, +try the new password. If the new password doesn’t work, try again +using the old one.</p> +</div> +<div class="section" id="granting-access-to-your-account"> +<span id="grant-access"></span><h2>Granting access to your account<a class="headerlink" href="#granting-access-to-your-account" title="Permalink to this headline">¶</a></h2> +<p>If you need to give someone access to log into your account, you can +do so through Kerberos, without telling the person your password. +Simply create a file called <a class="reference internal" href="user_config/k5login.html#k5login-5"><em>.k5login</em></a> in your home directory. +This file should contain the Kerberos principal of each person to whom +you wish to give access. Each principal must be on a separate line. +Here is a sample .k5login file:</p> +<div class="highlight-python"><div class="highlight"><pre>jennifer@ATHENA.MIT.EDU +david@EXAMPLE.COM +</pre></div> +</div> +<p>This file would allow the users <tt class="docutils literal"><span class="pre">jennifer</span></tt> and <tt class="docutils literal"><span class="pre">david</span></tt> to use your +user ID, provided that they had Kerberos tickets in their respective +realms. If you will be logging into other hosts across a network, you +will want to include your own Kerberos principal in your .k5login file +on each of these hosts.</p> +<p>Using a .k5login file is much safer than giving out your password, +because:</p> +<ul class="simple"> +<li>You can take access away any time simply by removing the principal +from your .k5login file.</li> +<li>Although the user has full access to your account on one particular +host (or set of hosts if your .k5login file is shared, e.g., over +NFS), that user does not inherit your network privileges.</li> +<li>Kerberos keeps a log of who obtains tickets, so a system +administrator could find out, if necessary, who was capable of using +your user ID at a particular time.</li> +</ul> +<p>One common application is to have a .k5login file in root’s home +directory, giving root access to that machine to the Kerberos +principals listed. This allows system administrators to allow users +to become root locally, or to log in remotely as root, without their +having to give out the root password, and without anyone having to +type the root password over the network.</p> +</div> +<div class="section" id="password-quality-verification"> +<h2>Password quality verification<a class="headerlink" href="#password-quality-verification" title="Permalink to this headline">¶</a></h2> +<p>TODO</p> +</div> +</div> + + + </div> + </div> + </div> + </div> + <div class="sidebar"> + <h2>On this page</h2> + <ul> +<li><a class="reference internal" href="#">Password management</a><ul> +<li><a class="reference internal" href="#changing-your-password">Changing your password</a></li> +<li><a class="reference internal" href="#granting-access-to-your-account">Granting access to your account</a></li> +<li><a class="reference internal" href="#password-quality-verification">Password quality verification</a></li> +</ul> +</li> +</ul> + + <br/> + <h2>Table of contents</h2> + <ul class="current"> +<li class="toctree-l1 current"><a class="reference internal" href="index.html">For users</a><ul class="current"> +<li class="toctree-l2 current"><a class="current reference internal" href="">Password management</a><ul class="simple"> +</ul> +</li> +<li class="toctree-l2"><a class="reference internal" href="tkt_mgmt.html">Ticket management</a></li> +<li class="toctree-l2"><a class="reference internal" href="user_config/index.html">User config files</a></li> +<li class="toctree-l2"><a class="reference internal" href="user_commands/index.html">User commands</a></li> +</ul> +</li> +<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li> +<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li> +<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li> +<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li> +<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> +<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li> +<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> +<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> +</ul> + + <br/> + <h4><a href="../index.html">Full Table of Contents</a></h4> + <h4>Search</h4> + <form class="search" action="../search.html" method="get"> + <input type="text" name="q" size="18" /> + <input type="submit" value="Go" /> + <input type="hidden" name="check_keywords" value="yes" /> + <input type="hidden" name="area" value="default" /> + </form> + </div> + <div class="clearer"></div> + </div> + </div> + + <div class="footer-wrapper"> + <div class="footer" > + <div class="right" ><i>Release: 1.15.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + </div> + <div class="left"> + + <a href="../index.html" title="Full Table of Contents" + >Contents</a> | + <a href="index.html" title="For users" + >previous</a> | + <a href="tkt_mgmt.html" title="Ticket management" + >next</a> | + <a href="../genindex.html" title="General Index" + >index</a> | + <a href="../search.html" title="Enter search criteria" + >Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Password management">feedback</a> + </div> + </div> + </div> + + </body> +</html>
\ No newline at end of file |