kprop(8krb) [ultrix man page]
Name

kprop - Kerberos utility

Syntax

/var/dss/kerberos/bin/kprop database slaves_file [ -force ] [ -safe | clear ] [-realm realm_name]

Description

The daemon runs on a Kerberos master and propagates the Kerberos database to the Kerberos slaves, where it is received by the waiting daemon.

The first parameter, database, is the name of the file out of which data is extracted. This file is not the Kerberos database, See the reference page for more information. The database is a file created by the command. It is an ASCII representation of the Kerberos database (see the reference page for

The second parameter that must be supplied is slaves_file, the name of the file on the Kerberos master that lists the Kerberos slaves to which propagates the Kerberos master database. The is created in format.

The Kerberos utility first determines whether the ASCII Kerberos database, database, was correctly dumped by It accomplishes this by determining if database is older than the file created by during the operation. If it is older, the dump did not succeed or is not yet finished. If the dump did not complete successfully or has not yet completed, the master database is not transferred to any Kerberos slave.

Otherwise, determines, for each slave server listed in the whether or not the database has changed since the last successful transfer to the slave. It determines this for slave server by comparing the modification time of the file with the modification time of database. If the file is newer, then the database, database, need not be transferred to

Finally, propagates the database to those servers which need a new copy of the database and updates the modification time of the file for these slave servers.

Options

-safe   Specifies that the data sent over the network is guaranteed to be authenticated at the destination and protected against modifications in transit. That is, and which are Kerberos principals, become Kerberos-authenticated to each other and send messages formatted by For more information about refer to the on-line reference page,

-clear  Specifies that all data should be sent in cleartext (unencrypted). This switch is useful when first setting up the Kerberos environment.

-realm  Specifies the realm name that you are in. If this option is not used, the realm_name is given in the file. (See the reference page for more information.)

-force  Forces the on the Kerberos master to propagate the Kerberos database to the Kerberos slaves, even if there are no recent changes to the database. Without the force flag, the Kerberos database is not propagated if the database file has not changed since the last successful transfer.

Restrictions

The Kerberos utility does not support the transfer of encrypted data.

Files

See Also

kpropd(8krb), krb.conf(5krb), kdb_util(8krb), krb_slaves(5krb), krb_dbase(8krb)
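The transfer decision described in the kprop Description, as an added shell example that is not part of the ULTRIX man page and is not kprop's own code. The function names, the per-slave `.stamp` file naming and the one-host-per-line slaves list are assumptions, because the page does not show the real file names or format.

```shell
# Added illustration of the kprop transfer decision (not kprop's code).
# All paths are supplied by the caller; the stamp naming is hypothetical.

# dump_complete DB MARKER
# Per the Description: if DB is older than the marker file written
# during the dump, the dump failed or is still running.
dump_complete() {
    [ -f "$1" ] && [ -f "$2" ] || return 1
    [ "$1" -ot "$2" ] && return 1
    return 0
}

# slave_decision DB MARKER STAMP [force]
# Prints one of: skip-dump-incomplete, skip-up-to-date, send
slave_decision() {
    db=$1 marker=$2 stamp=$3 force=${4:-}
    if ! dump_complete "$db" "$marker"; then
        # Assumed: the page ties -force only to the per-slave check,
        # so an incomplete dump is never sent.
        echo skip-dump-incomplete
        return 0
    fi
    # A stamp newer than the dump means this slave already has it.
    if [ -z "$force" ] && [ -f "$stamp" ] && [ "$stamp" -nt "$db" ]; then
        echo skip-up-to-date
        return 0
    fi
    echo send
}

# mark_sent STAMP: record a successful transfer for one slave.
mark_sent() { touch "$1"; }

# plan_propagation DB MARKER SLAVES_FILE STAMP_DIR [force]
# Prints "<slave> <decision>" for every non-empty line of SLAVES_FILE.
plan_propagation() {
    while read -r slave; do
        [ -n "$slave" ] || continue
        echo "$slave $(slave_decision "$1" "$2" "$4/$slave.stamp" "${5:-}")"
    done < "$3"
}
```

Because every decision here rests on modification times alone, the marker and stamp files need to be writable only by the account that runs the dump and the propagation.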
kerberos(8krb)

Name

kerberos - the kerberos daemon

Syntax

/usr/etc/kerberos [ -p pause_seconds ] [ -a max_age ] [ -l log_file ] [ -r realm ] [ -s ] [ -n ] [ -m ]

Description

The daemon is used by a Kerberos principal, X, to assist it in authenticating its identity to another Kerberos principal Y. In the ULTRIX environment, X would typically be an application running on one machine while Y would be an application running on another machine. Because X and Y run on separate machines, the authentication of X by Y and Y by X is not an easy task.

If they ran on a single machine, A, the authentication of X could be performed easily by Y. All Y need do is ask A for the user ID of X. Since Y trusts the local machine, if the user ID of X is the user ID Y expects, then X must be X.

If Y were to authenticate X when X runs on a different machine, B, using the same user ID method, then Y would be forced to trust the machine B to provide a correct answer. The security of this method breaks down as soon as any one machine that Y is willing to trust is subverted by a hostile user. In addition, it breaks as soon as any machines that cannot be trusted by Y are allowed on the physical network to which A and B are connected. Hostile users that have control over these rogue machines can force them to produce messages that look as though they come from machine B.

The daemon serves as a single point of trust in a local area network (LAN). The authentication of X to Y depends upon the trust that both X and Y have in the daemon. X trusts the daemon to give Y only enough information to authenticate itself as Y to X, and Y trusts to give X only enough information to authenticate itself as X to Y. Y no longer needs to trust B to authenticate X.

If X were to authenticate itself to Y, X would first communicate with the daemon in order to obtain a ticket that would allow it to authenticate to Y. The ticket can be defined as the data that X needs to authenticate itself to Y. X passes the ticket to Y, along with other information, to authenticate itself to Y. Y then has the ability to send a message back to X in order to authenticate its identity to X.

There is one master daemon per LAN. The difference between a Kerberos master daemon and a Kerberos slave daemon is apparent in the way in which the Kerberos database on the machines on which they run is updated. The Kerberos database stores information about Kerberos principals. It stores, for instance, the Data Encryption Standard (DES) encryption key that is associated with each principal. There is only one Kerberos database per LAN, to which updates to individual principal entries should be performed. This is the Kerberos master database. The daemon that runs on the machine which stores the Kerberos master database is the master daemon. All the other Kerberos databases in the LAN are periodically updated by and based upon the data stored in the Kerberos master database. The machines that store this type of database run slave daemons.

A realm is the common name given to a group of principals. All principals stored in one Kerberos database belong to a single realm, and an individual daemon uses only one Kerberos database. So, a daemon only allows one principal in the realm to authenticate another principal in the realm. Inter-realm authentication is not supported in the ULTRIX version of Kerberos.

Options

-p  Allows the user to select the number of seconds that the daemon will pause, pause_seconds, after it has encountered an unrecoverable error, and before it exits. This time interval must be between five minutes (300) and one hour (3600). If neither this option nor the -s option is used, the daemon will pause forever before exiting.

-a  Allows the user to specify the age in seconds, max_age, above which the Kerberos database should be considered too old for a Kerberos slave server to use. The daemon determines the age of the Kerberos database by comparing the last modification time of the file with the current time. The file is modified every time the database is changed. Since a Kerberos slave server receives its database in whole from the Kerberos master, this option specifies the maximum amount of time allowed between database transfers. The time value must be between one hour (3600) and three days (259200). If neither this option nor the -s option is used, the maximum age of the database is infinite.

-l  Allows the user to select a different file, log_file, into which the daemon will place Kerberos log messages. If neither this option nor the -s option is used, the log_file value is set to

-r  Allows the user to change the name of the realm, realm, for which the daemon will serve information. If no realm name is specified with the -r option, the daemon will serve the realm of which the local host is a member.

-s  Allows the user to tell the daemon to use the default values for pause_seconds, max_age, and log_file of a slave server. If max_age has not been set with the -a option, the max_age value is set to the slave server default of one day (86400). If the pause_seconds value has not been set with the -p option, the pause_seconds value is set to the slave server default of 5 minutes (300). If the log_file value has not been set with the -l option, the log_file value is set to the slave server default, Use of the -s option is equivalent to using the following list of options with the daemon:

-a 86400 -p 300 -l /var/dss/kerberos/log/kerberos_slave.log

-n  Allows the user to tell the daemon that the maximum age of the Kerberos database should be infinite. This option is only useful if the -s option has been selected by the user, but the maximum age of the database should not be equal to the slave default (300), but should be infinite. This option also overrides the -a option.

-m  Allows the user to run the daemon in manual mode. This implies that the master key of the Kerberos database will be input from If this option is not used, the master key of the Kerberos database is read from the data file placed in the system.

See Also

kdb_init(8krb), kdb_util(8krb), kdb_edit(8krb), kdb_destroy(8krb), kerberos(3krb), kprop(8krb), kpropd(8krb)
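How the -a, -p, -s and -n options of kerberos(8krb) combine into an effective maximum database age and pause time, as an added shell example that is not part of the man page and is not the daemon's own code. The function names `resolve_kerberos_opts` and `db_usable` and the output format are hypothetical; the limits and defaults are the ones the Options section states.

```shell
# Added illustration of the option precedence described under Options.

# resolve_kerberos_opts ARGS...
# Prints "max_age=<secs|infinite> pause=<secs|forever>".
# Returns 1 for an out-of-range value, 2 for a malformed command line.
resolve_kerberos_opts() {
    max_age= pause= slave= noage=
    while [ $# -gt 0 ]; do
        case $1 in
            -a|-p|-l|-r)
                [ $# -ge 2 ] || { echo "$1 needs a value" >&2; return 2; }
                case $1 in -a) max_age=$2 ;; -p) pause=$2 ;; esac
                shift ;;
            -s) slave=1 ;;
            -n) noage=1 ;;
            -m) ;;
            *)  echo "unknown option: $1" >&2; return 2 ;;
        esac
        shift
    done
    # -a must lie between one hour and three days.
    if [ -n "$max_age" ]; then
        { [ "$max_age" -ge 3600 ] && [ "$max_age" -le 259200 ]; } 2>/dev/null ||
            { echo "max_age out of range" >&2; return 1; }
    fi
    # -p must lie between five minutes and one hour.
    if [ -n "$pause" ]; then
        { [ "$pause" -ge 300 ] && [ "$pause" -le 3600 ]; } 2>/dev/null ||
            { echo "pause_seconds out of range" >&2; return 1; }
    fi
    # -s supplies slave defaults only for values not set explicitly.
    if [ -n "$slave" ]; then
        : "${max_age:=86400}" "${pause:=300}"
    fi
    # -n overrides both -a and the -s default.
    [ -n "$noage" ] && max_age=
    echo "max_age=${max_age:-infinite} pause=${pause:-forever}"
}

# db_usable AGE_SECONDS MAX_AGE
# Succeeds unless the database is older than a finite MAX_AGE.
db_usable() {
    [ "$2" = infinite ] && return 0
    [ "$1" -le "$2" ]
}
```

A slave started without -s or -a, or with -n, ends up with an infinite max_age and therefore keeps serving its copy of the database however long ago the last transfer happened.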