$Id: KERBEROS-ADDITIONS,v 1.6 1998/03/06 21:35:42 kenh Exp $

This file describes the additions to Kerberos 5 that the "monster-patch"
provides.

- Application defaults in krb5.conf

Two new functions are provided in the krb5 library:

void krb5_appdefault_boolean(krb5_context context, const char *appname,
			     const krb5_data *realm, const char *option,
			     int default, int *ret_value);

void krb5_appdefault_string(krb5_context context, const char *appname,
			    const krb5_data *realm, const char *option,
			    char *default, char **ret_value);

These functions look for a special [appdefaults] stanza in krb5.conf and
determine the appropriate value for the specified option.

In these functions, "appname" is the application name (e.g. - "kinit", "ftpd",
"xdm"), "realm" is the current/default realm, and "option" is the specified
option.  "Default" is the value returned if nothing was found for the
specified option.

Options can be specified in four different ways, ranging in priority from
most specific to least specific.  Here is the list, from most specific
to least specific:

Application-specific and realm specific:

[appdefaults]
	appname = {
		SOME.REALM = {
			option = <value>
		}
	}

Application-specific only:

[appdefaults]
	appname = {
		option = <value>
	}

Realm-specific only:

[appdefaults]
	SOME.REALM = {
		option = <value>
	}

Global:

[appdefaults]
	option = <value>

krb5_appdefault_boolean and krb5_appdefault_string use an identical
searching algorithm.  The only difference is the _boolean function
determines if <value> is a boolean value and returns a boolean integer
value in "ret_value", whereas _string always returns the actual character
string in "ret_value".  Note that the result returned by _string
is _always_ malloc'd (even if it uses the supplied default) and needs to
be free'd by the caller.

Permissible boolean values are:

y, yes, true, t, 1, on, for "true"
n, no, false, nil, 0, off for "false"

This may be confusing, but here's an example of how it's used:

[appdefaults]
	autologin = true
	forward = true
	forwardable = false
	krb4_get_tickets = false
	krb4_convert = false
	krb5_run_aklog = true
	krb5_aklog_path = /usr/krb5/bin/aklog

	CMF.NRL.NAVY.MIL = {
		forwardable = true
		retain_ccache = true
		afs_retain_token = true
		default_lifetime = 1d 1h 0m 0s
		check_quota = false
	}

	xdm = {
		retain_ccache = false
		afs_retain_token = false
	}

	ftpd = {
		default_lifetime = 4h
		afs_retain_token = false
	}


- Modified clients and application servers

Various parts of the V5 1.0 distribution have been modified to use these
new functions.  Included is a list of programs and their valid options
in krb5.conf

login.krb5 (appname: "login")

	krb4_convert (boolean)     - Get V4 tickets when logging in with
				     a password
	krb4_run_aklog (boolean)   - Run a V4 "aklog" when logging in
	aklog_path (string)	   - Path to V4 "aklog" (not implemented)
	forwardable (boolean)      - When acquiring tickets via a password,
				     make the initial ticket forwardable.
	krb5_run_aklog (boolean)   - Run a V5 "aklog" when logging in.
	krb5_aklog_path (string)   - Path to a V5 "aklog"
	default_lifetime (string)  - The default lifetime of the initial ticket.
	retain_ccache (boolean)    - Do not destroy the credential cache upon
				     logout.  Not recommended for most sites.
	afs_retain_token (boolean) - Do not destroy AFS token upon logout.
				     Not recommended for most sites.
	check_quota (boolean)      - Run "quota" to check the user's quota.

kshd (appname: "rshd")

	krb5_run_aklog (boolean)   - Run a V5 "aklog" when logging in.
	krb5_aklog_path (string)   - Path to a V5 "aklog"
	retain_ccache (boolean)    - Do not destroy the credential cache upon
				     logout.  Not recommended for most sites.
	afs_retain_token (boolean) - Do not destroy AFS token upon logout.
				     Not recommended for most sites.

klogind (appname: "rlogind")

	retain_ccache (boolean)    - Do not destroy the credential cache upon
				     logout.  Not recommended for most sites.

rsh (appname: "rsh")

	forward (boolean)          - Forward credentials to remote host
	forwardable (boolean)      - Make the remote credentials forwardable

rlogin (appname: "rlogin")

	forward (boolean)          - Forward credentials to remote host
	forwardable (boolean)      - Make the remote credentials forwardable

ftp (appname: "ftp")

	forward (boolean)          - Forward credentials to remote host

ftpd (appname: "ftpd")

	krb5_run_aklog (boolean)   - Run a V5 "aklog" when logging in.
	krb5_aklog_path (string)   - Path to a V5 "aklog"
	afs_retain_token (boolean) - Do not destroy AFS token upon logout.
				     Not recommended for most sites.
	default_lifetime (string)  - The default lifetime of the initial ticket
				     (only used when acquiring a ticket via
				     a plaintext password).

telnet (appname: "telnet")

	forward (boolean)          - Forward credentials to remote host
	forwardable (boolean)      - Make the remote credentials forwardable
	encrypt (boolean)          - Attempt to negotiate encryption
	forceencrypt (boolean)	   - Require encryption for all connections
	autologin (boolean)        - Attempt to automatically login to
				     remote host.

telnetd (appname: "telnetd")
	
	retain_ccache (boolean)    - Do not destroy the credential cache upon
				     logout.  Not recommended for most sites.

kinit (appname: "kinit")

	forwardable (boolean)      - Make the initial ticket forwardable.
	default_lifetime (string)  - Default lifetime of initial ticket.
	krb5_run_aklog (boolean)   - Run a V5 "aklog" after obtaining
				     credentials.
	krb5_aklog_path (string)   - Path to a V5 "aklog"


- Improved AFS integration

As evidenced by the above options, the intent of most of them is to improve
Kerberos 5's integration with AFS.  To that end, the Kerberos 5 application
servers now have the ability to run "aklog" at most places where a user would
expect to be able to write to their files.  Most notably, "kshd" and "ftpd"
both have the ability to run "aklog" now.

- Other improvements

The GSS ftp daemon now accepts plaintext Kerberos passwords.

The Kerberos telnet daemon now can do V4 telnet without having a V4
keytab in place.

There are a number of bug fixes included with this patch (unfortunately,
I don't have a good list).

- Miscellaneous notes

There are various sorts of command-line overrides for these defaults.
For example, -N tells a program to NOT forward a ticket, and -X tells
rlogin and rsh not to encrypt the session (since you can turn it off on
the fly for telnet and since -X is already used, I didn't implement an
equivalant for telnet).  The man pages haven't been updated, though.
