                           kstart release 3.10
               (kinit daemon that uses srvtabs or keytabs)

         Originally written by Robert Morgan and Booker C. Bense
         Currently maintained by Russ Allbery <rra@stanford.edu>

  Copyright 1995, 1996, 1997, 1999, 2000, 2001, 2002, 2004, 2005, 2006,
  2007 Board of Trustees, Leland Stanford Jr. University.  This software
  is distributed under a BSD-style license.  Please see the section
  LICENSE below for terms of use and redistribution.

  Based on code copyright 1987, 1988, 1989 by the Massachusetts Institute
  of Technology.

BLURB

  k4start, k5start, and krenew are modified versions of kinit which add
  support for running as a daemon to maintain a ticket cache, running a
  command with credentials from a keytab and maintaining a ticket cache
  until that command completes, obtaining AFS tokens (via an external
  aklog) after obtaining tickets, and creating an AFS PAG for a command.
  They are primarily useful in conjunction with long-running jobs; for
  moving ticket handling code out of servers, cron jobs, or daemons; and
  to obtain tickets and AFS tokens with a single command.

DESCRIPTION

  k4start (for Kerberos v4) and k5start (for Kerberos v5) are modified
  versions of kinit.  They can be used as a substitute for kinit (with
  better command-line handling than the old Kerberos v4 kinit), but they
  can also obtain credentials automatically from a v4 srvtab or a v5
  keytab.  They can run as a daemon, waking up periodically to refresh
  credentials using that srvtab or keytab, and can also check for the
  validity of tickets and only refresh if they're no longer valid.

  Some of these capabilities have been included in Kerberos v5's kinit,
  but the ability to maintain tickets while running as a daemon has not
  and is useful for servers that need to use Kerberos.  Using kstart
  allows the ticket handling to be moved out of the server into a separate
  process dedicated just to that purpose.

  k4start and k5start can optionally run an external program whenever the
  ticket is refreshed to obtain an AFS token, and therefore can be used in
  conjunction with a program like aklog or afslog to maintain an AFS
  token.  When built with the (currently somewhat experimental) support
  for AFS PAGs, they can also put the program in its own PAG so that its
  authentication doesn't affect any other programs.

  krenew is identical to k5start except that rather than obtaining new
  tickets from a password or keytab, it renews an existing renewable
  ticket cache.  It can be used to periodically renew tickets and
  optionally AFS tokens for long-running processes in cases where using a
  keytab is inappropriate (such as users running their own jobs with their
  own credentials).

REQUIREMENTS

  As Kerberos programs, k4start, k5start, and krenew require Kerberos
  libraries to link against.  They have only been thoroughly tested with
  the MIT Kerberos libraries, but should work with Heimdal and KTH
  Kerberos v4.

  If you only have Heimdal but not KTH Kerberos v4, you can build only
  k5start and krenew by passing the --disable-k4start flag to configure.

  Other than that, all you should need is a suitable C compiler.  Neither
  program has been tested on non-Unix systems.

  If you want the -t option to work, you need a program to obtain AFS
  tokens from Kerberos tickets.  You can specify the program to use on
  your system with the --with-aklog option to configure; if that option is
  not given, the first of aklog or afslog that is found on your path at
  configure time will be used.

  To enable support for AFS PAGs, pass the --with-afs-setpag flag to
  configure.  It is not enabled by default.  This support requires either
  the newer OpenAFS libraries (libafsauthent and libafsrpc) or the kafs
  library that comes with either Heimdal or KTH Kerberos.  If these
  libraries aren't in your standard search path, give the root the
  installation (the directory above the lib directory) to
  --with-afs-setpag as an argument.  When enabled, k4start, k5start, and
  krenew will always create a new PAG before authentication when running a
  specific command and when aklog is being run.

INSTALLATION

  Basic installation is simple.  Just run:

      ./configure
      make
      make install

  This will build k4start, k5start, and krenew and install them in
  /usr/local/bin with man pages in /usr/local/man/man1.  You may need to
  be root to run make install.  To install in a different location,
  specify a different location with the --prefix option to configure, as
  in:

      ./configure --prefix=/opt/sw

  Binaries would then be installed in /opt/sw/bin and man pages in
  /opt/sw/man/man1.  Alternately, --bindir and --mandir can be given to
  change the installation locations of the binaries and manual pages
  separately.

  If your Kerberos libraries aren't installed in a location found by your
  compiler by default, use the --with-kerberos=PATH option to configure.
  The Kerberos libraries will then be expected in PATH/lib and the headers
  in PATH/include.  If you only want to build k5start and krenew, pass the
  --disable-k4start flag to configure.

  To specify a particular krb5-config script to use, either set the
  KRB5_CONFIG environment variable or pass it to configure like:

      ./configure KRB5_CONFIG=/path/to/krb5-config

  If you are using aklog, afslog, or some other program to obtain AFS
  tokens, give its path to configure with the --with-aklog option, as in:

      ./configure --with-aklog=/usr/local/bin/aklog

  This program will be run when the -t option is given to k4start,
  k5start, or krenew.

  To enable the AFS PAG support, pass --with-afs-setpag to configure.  You
  may need to specify the root of your AFS client tree if the AFS
  libraries aren't in the standard search path, such as with:

      ./configure --with-afs-setpag=/usr/afsws

  To link statically against the Kerberos libraries rather than
  dynamically (so that the binaries can be used on systems without
  Kerberos libraries installed, for example, or so that they're
  independent of shared libraries installed in AFS or NFS), give the
  --enable-static option to configure.  This has only been tested on
  Solaris and Linux and may not work on all platforms.

  You can pass the --enable-reduced-depends flag to configure to try to
  minimize the shared library dependencies encoded in the binaries.  This
  omits from the link line all the libraries included solely because the
  Kerberos libraries depend on them and instead links the programs only
  against libraries whose APIs are called directly.  This will only work
  with shared Kerberos libraries and will only work on platforms where
  shared libraries properly encode their own dependencies (such as Linux).
  It is intended primarily for building packages for Linux distributions
  to avoid encoding unnecessary shared library dependencies that make
  shared library migrations more difficult.  If none of the above made any
  sense to you, don't bother with this flag.

THANKS

  To Navid Golpayegani, for contributing the initial implementation of the
  -b option to background after the initial authentication and the -p
  option to save the PID in a file.

  To Buck Huppmann, for contributing an RPM spec file and suggesting
  krenew.

  To Adam Megacz, for pointing out that checking the executability of the
  aklog program isn't necessary and for contributing the code to propagate
  signals to a child process.

  To Quanah Gibson-Mount, for pointing out various build system issues and
  missing documentation.

  To Sidney Cammeresi, for catching a missing include in krenew and for
  providing information and suggestions about Mac OS X's default ticket
  cache and its effects on the -b option of k5start and krenew.

  To Thomas Kula, for pointing out that k_hasafs has to be called before
  k_setpag when using the kafs functions.

  To Thomas Weiss, for noticing that code restructuring caused the
  argument to -H to be ignored in both k4start and k5start and that -H and
  -K should be diagnosed as mutually exclusive.

LICENSE

  Copyright 1995, 1996, 1997, 1999, 2000, 2001, 2002, 2004, 2005, 2006,
  2007 Board of Trustees, Leland Stanford Jr. University.  All rights
  reserved.
  
  Permission to use, copy, modify, and distribute this software and its
  documentation for any purpose and without fee is hereby granted,
  provided that the above copyright notice appear in all copies and that
  both that copyright notice and this permission notice appear in
  supporting documentation, and that the name of Stanford University not
  be used in advertising or publicity pertaining to distribution of the
  software without specific, written prior permission.  Stanford
  University makes no representations about the suitability of this
  software for any purpose.  It is provided "as is" without express or
  implied warranty.

  THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
  WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

  Portions of this code was based on the original kinit from the MIT
  Kerberos distribution, which is covered by the following license:

  Copyright (C) 1987, 1988, 1989 by the Massachusetts Institute of
  Technology

  Export of this software from the United States of America may require a
  specific license from the United States Government.  It is the
  responsibility of any person or organization contemplating export to
  obtain such a license before exporting.

  WITHIN THAT CONSTRAINT, Permission to use, copy, modify, and distribute
  this software and its documentation for any purpose and without fee is
  hereby granted, provided that the above copyright notice appear in all
  copies and that both that copyright notice and this permission notice
  appear in supporting documentation, and that the name of M.I.T. not be
  used in advertising or publicity pertaining to distribution of the
  software without specific, written prior permission.  Furthermore if you
  modify this software you must label your software as modified software
  and not distribute it in such a fashion that it might be confused with
  the original M.I.T. software.  M.I.T. makes no representations about the
  suitability of this software for any purpose.  It is provided "as is"
  without express or implied warranty.

  (The portions taken from MIT Kerberos do not include any encryption
  code covered by the US export restrictions.)
