KerbNet for Macintosh User's Guide

Copyright © 1993, 1994, 1995, 1996, 1997 Cygnus Solutions.

KerbNet includes software and documentation developed at the Massachusetts Institute of Technology, which includes this copyright information:

Copyright © 1995, 1997 by the Massachusetts Institute of Technology.

Export of software employing encryption from the United States of America is assumed to require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.


KerbNet includes software and documentation developed by OpenVision Technologies, Inc., which includes this copyright notice:

The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in kadmin/create, kadmin/dbutil, kadmin/server, lib/kadm, and portions of lib/rpc:

Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved

WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system.

You may freely use and distribute the Source Code and Object Code compiled from it, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON.

OpenVision retains all rights, title, and interest in the donated Source Code. With respect to OpenVision's copyrights in the donated Source Code, OpenVision also retains rights to derivative works of the Source Code whether created by OpenVision or a third party. OpenVision Technologies, Inc. has donated this Kerberos Administration system to MIT for inclusion in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by MIT and the Kerberos community.


KerbNet includes software and documentation developed at the University of California at Berkeley, which includes this copyright notice:

Copyright © 1983 Regents of the University of California.
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
    This product includes software developed by the University of California, Berkeley and its contributors.
  4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.


Permission is granted to make and distribute verbatim copies of this manual provided the copyright notices and this permission notice are preserved on all copies.

Permission is granted to copy and distribute modified versions of this manual under the conditions for verbatim copying, provided also that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.

Permission is granted to copy and distribute translations of this manual into another language, under the above conditions for modified versions.

Tutorial

Introduction

The KerbNet authentication system is an electronic security system that makes it easy for you to connect to other machines over the internet without giving other people a chance to steal your private information.

When you log into the KerbNet system, it issues you an electronic ticket that it can use to verify your identity. As you work on your computer, you may sometimes connect to other machines or applications over the internet. The KerbNet authentication system uses your ticket to make sure that no one else can listen on the network for your password or pretend to be you to another machine.

The KerbNet system handles your tickets for you automatically; it verifies your identity each time you connect to another machine, without your having to type your password again. This tutorial section shows you how to perform basic tasks using your KerbNet software.

Logging in to the KerbNet System

To obtain Kerberos tickets:

  1. Double-click on the KerbNet icon on the desktop.

    The KerbNet window appears.

  2. Click the Login button.

    A login dialog opens.

  3. In the Network ID box, type your username.

  4. In the Password box, type your KerbNet password.

  5. Click the OK button to log in.

The Network Username field in the KerbNet window now lists your username, indicating that you have a Kerberos ticket.

The KerbNet authentication system has now verified your identity; you can start working as usual. Your Kerberos ticket is only valid for a certain amount of time, specified when you log in to the KerbNet system. If you are still working when the time runs out, you will need to get a new ticket. To do so, simply repeat the login procedure.

Connecting to a Remote Machine with KTelnet

KTelnet is an application that allows you to log into a remote machine, with the communication protected by KerbNet security. In order to connect to remote machines using KTelnet, you must first obtain Kerberos tickets from the KerbNet system.

When you run KTelnet, a dialog appears, prompting you for login information.

  1. Enter the name of the host you wish to connect to in the Host/Session Name box, or select a host name from the drop-down list.

  2. Click Connect.

The KTelnet window opens with your connection to the remote host. You can work as normal on the remote machine. When you log out of the remote session, the KTelnet window automatically closes.

Logging Out of the KerbNet System

To delete your Kerberos tickets:

  1. In the KerbNet window, click the Logout button.

The Network ID field now reads "Unknown," reflecting the absence of any tickets.

Note that this procedure deletes only the tickets stored on the local machine (the ones shown in the credentials display dialog). You should make sure to destroy any tickets you have stored on remote machines when you finish using them. For information about how to destroy remote tickets, see the KerbNet Unix User's Guide or contact your System Administrator.

Changing Your KerbNet Password

To change your KerbNet password:

  1. Click the Change Password button in the KerbNet window, or select Change Password from the File Menu.

    The Kerberos Password Change dialog appears.

  2. In the Network ID box, type your username.

  3. In the Current Password box, type your current password.

  4. In each of the New Password boxes, type your new password.

  5. When all of the boxes are properly filled in, click the OK button. The KerbNet system updates your password immediately.

What Next?

You should now know everything you need for day-to-day use of the KerbNet and KTelnet applications. The rest of this manual goes into more detail about how the KerbNet and KTelnet applications work, and describes their more complicated options.

About KerbNet Authentication

What is the KerbNet Authentication system?

The KerbNet authentication system is based on the Kerberos V5 system developed at MIT. The KerbNet system negotiates authenticated, and optionally encrypted, communications between two points anywhere on the internet, providing a layer of security separate from any firewalls or other security measures a local network may have.

Authentication is the process of verifying one's identity by presenting electronic credentials (tickets). Under the KerbNet system, an authenticatable entity (usually a user, although services can sometimes have tickets of their own) sends a request for a ticket to the Key Distribution Center (KDC). The KDC creates a ticket-granting-ticket (TGT) for the authenticatable entity, encrypts it using the authenticatable entity's password as the key, and sends the encrypted TGT back. The authenticatable entity then uses its password to decrypt the TGT. If it successfully decrypts the TGT (by giving the correct password), it keeps the decrypted TGT. The TGT permits the authenticatable entity to obtain additional tickets, which give permission for specific services (applications that use Kerberos authentication). The authenticatable entity can prove its identity to remote machines and services by presenting them its tickets.
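The ticket request described above, modelled end to end as an added example (this is not KerbNet or MIT Kerberos code). It assumes PBKDF2 as the password-to-key step and a small HMAC-based sealed box in place of the real Kerberos encryption types; `ToyKDC`, `client_login` and the other names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets
import time

REALM = "BLEEP.COM"  # realm name borrowed from the guide's examples


def string_to_key(password: str, principal: str) -> bytes:
    """Derive a long-term key from the password, salted with the principal.
    PBKDF2 is a stand-in, not the Kerberos string-to-key function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 100_000)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (illustrative cipher only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key fails here."""
    if len(blob) < 48:
        raise ValueError("reply too short")
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed: wrong password or altered reply")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


class ToyKDC:
    """Holds one long-term key per principal, as the KDC database would."""

    def __init__(self) -> None:
        self.keys = {}

    def add_principal(self, principal: str, password: str) -> None:
        self.keys[principal] = string_to_key(password, principal)

    def handle_request(self, principal: str, lifetime_s: int = 600) -> bytes:
        """The request names the principal only; no password is sent."""
        key = self.keys[principal]  # KeyError for an unknown principal
        now = int(time.time())
        tgt = {
            "client": principal,
            # krbtgt/REALM is the usual Kerberos name for the ticket-granting service.
            "service": f"krbtgt/{REALM}@{REALM}",
            "valid_starting": now,
            "expires": now + lifetime_s,
            "session_key": secrets.token_hex(16),
        }
        return seal(key, json.dumps(tgt).encode())


def client_login(kdc: ToyKDC, principal: str, password: str) -> dict:
    """Client side: ask for a TGT, then open the reply with the typed password."""
    reply = kdc.handle_request(principal)
    return json.loads(unseal(string_to_key(password, principal), reply))


if __name__ == "__main__":
    kdc = ToyKDC()
    kdc.add_principal("joeuser@BLEEP.COM", "constructed-sample-password")
    print(client_login(kdc, "joeuser@BLEEP.COM", "constructed-sample-password"))
    try:
        client_login(kdc, "joeuser@BLEEP.COM", "not-the-password")
    except ValueError as err:
        print("login rejected:", err)
```

The KDC answers any request for a known principal; what stops an impostor is that the reply is useless without the password-derived key.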

The KerbNet authentication system is a single-sign-on system, which means that you only have to type your password once per login session, and the KerbNet system takes care of the authentication and encryption each time you use an application that uses KerbNet authentication or is part of the KerbNet system.

Kerberos Tickets

A Kerberos ticket is an encrypted protocol message that provides authentication. It serves as a set of electronic credentials that identifies its owner. The KerbNet system stores Kerberos tickets in a credentials cache, which may be a file, or may exist only in memory.

Forwardable tickets can be forwarded to a remote host. When the KerbNet system forwards your ticket-granting-ticket, the system puts a copy of the TGT in a new credentials cache on the remote host. The KerbNet system can then use that copy to authenticate you when you open a new connection from the remote host. If your tickets are not forwardable, the system does not copy your TGT when you connect to a remote host. You have no tickets on the remote machine, and therefore you cannot open new connections from there without first going through the proper procedure to obtain tickets on the remote host. Forwarding your tickets allows you to open connections to other services and machines, taking advantage of KerbNet's single-sign-on capabilities by letting KerbNet handle the authentications.

Tickets are only valid for a certain amount of time, after which they expire. If your login session extends beyond the time limit, you will have to reauthenticate yourself to the KerbNet system.

Kerberos Principals

The name associated with an authenticatable entity in the KerbNet database is called a Kerberos principal. The Kerberos principal usually contains three parts.

The first part is the primary, which is the name of the user or service.

The second part is the instance, which in the case of a user is usually nonexistent (null). However, some users may have additional principals with special privileges, denoted by instances such as "root" or "admin." Such users would use these principals only when doing work that requires the privileges assigned to these principals. The principal joeuser@BLEEP.COM is completely separate from the principal joeuser/root@BLEEP.COM, although the same person uses both principals.

The third part of a Kerberos principal is the realm. The realm indicates which Kerberos installation provided authentication for the principal. The realm is usually the domain name in UPPER CASE letters; the machine trillium.bleep.com would be in the realm BLEEP.COM.

In a Kerberos principal, the primary is separated from the instance by a slash (if the instance is not null), and the realm follows, preceded by an @ sign. If the realm is the same as the default realm, it may be omitted. By convention, the realm is written in UPPER CASE. The following are examples of valid Kerberos principals:

foo
bar/admin
baz@BLEEP.COM
quux/root@BLEEP.COM

When the principal refers to a service, rather than a user, the primary describes the type of service (such as "host" or "pop"). The instance is the name of the machine on which it runs; the "host" service running on the machine trillium.bleep.com would have the Kerberos principal "host/trillium.bleep.com@BLEEP.COM", whereas the "host" service running on the machine daffodil.fubar.org would have the Kerberos principal "host/daffodil.fubar.org@FUBAR.ORG".

When you log into the KerbNet system, you type your primary and instance (separated by a slash) in the Network Userid box in the KerbNet window. Usually, this will mean typing just your username, as in the tutorial instructions. You can also specify the realm you wish to obtain tickets for. See the section KerbNet Login Options for details on obtaining tickets.
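A parser for the three-part principal form described in this section, as an added example (not KerbNet code). The function names and error handling are assumptions, and `realm_for_host` simply applies the guide's "usually the domain name in upper case" convention, which a real site may override.

```python
from dataclasses import dataclass
from typing import Optional

# Instances the guide names as marking special-privilege principals.
PRIVILEGED_INSTANCES = {"root", "admin"}


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]  # None when the instance is null
    realm: str

    def __str__(self) -> str:
        name = self.primary if self.instance is None else f"{self.primary}/{self.instance}"
        return f"{name}@{self.realm}"

    @property
    def is_privileged(self) -> bool:
        return self.instance in PRIVILEGED_INSTANCES


def parse_principal(text: str, default_realm: str) -> Principal:
    """Split primary[/instance][@REALM]; an omitted realm means the default realm.
    Only the three-part form from this guide is accepted."""
    name, at, realm = text.partition("@")
    if at and not realm:
        raise ValueError("'@' given but realm is empty")
    if "@" in realm:
        raise ValueError("more than one '@' in principal")
    primary, slash, instance = name.partition("/")
    if not primary:
        raise ValueError("primary is empty")
    if slash and not instance:
        raise ValueError("'/' given but instance is empty")
    if "/" in instance:
        raise ValueError("more than one instance component")
    return Principal(primary, instance if slash else None, realm if at else default_realm)


def realm_for_host(hostname: str) -> str:
    """Guide's convention: the host's domain name in upper case."""
    _, dot, domain = hostname.partition(".")
    if not dot or not domain:
        raise ValueError("hostname has no domain part")
    return domain.upper()


def service_principal(service: str, hostname: str) -> Principal:
    """For a service, the primary is the service type and the instance is the host."""
    return Principal(service, hostname.lower(), realm_for_host(hostname))


if __name__ == "__main__":
    for text in ("foo", "bar/admin", "baz@BLEEP.COM", "quux/root@BLEEP.COM"):
        p = parse_principal(text, default_realm="BLEEP.COM")
        print(f"{text:22} -> {p}  privileged={p.is_privileged}")
    print(service_principal("host", "trillium.bleep.com"))
```

Because the dataclass compares all three fields, `joeuser@BLEEP.COM` and `joeuser/root@BLEEP.COM` never compare equal, which matches the guide's statement that they are separate principals.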

More about the Credentials Display Dialog

The dialog that opens when you select File > Show Credentials shows you all the tickets in your credentials cache on the machine you are directly logged onto: your initial ticket (the TGT) and any tickets you obtain to open connections to services like Telnet. Tickets you forward to a remote machine or obtain once logged onto a remote machine do not appear in the KerbNet window, since they are stored in a cache on the remote machine and not in the cache on the local machine.

For each ticket, the ticket list shows:

* "Valid Starting": The time the ticket was created.

* "Expires": The time the ticket is due to expire.

* "Service Principal": The service to which the ticket grants you access.

If your tickets expire, you can reauthenticate yourself by opening the KerbNet window and requesting a new ticket. Your login session and any remote connections you may have will continue even after your tickets have expired, since the KerbNet system authenticates only at the beginning of each connection. However, you will no longer be able to form any new connections or use applications that depend on the KerbNet system until you obtain new tickets.

When you attempt to obtain a new TGT, the system automatically deletes any existing tickets (valid or expired) and replaces them with the new one. The system does not replace tickets other than the TGT, but the system will replace them automatically if you reconnect to the corresponding services. You must replace tickets on remote machines individually, from those machines. Consult the UNIX User's Guide or your System Administrator for information on renewing tickets on remote machines.

Using the KerbNet Authentication System

The tutorial at the beginning of this document showed you how to use basic KerbNet functions. This section explains further details of using the KerbNet application.

KerbNet Login Options

You can set several options governing the Kerberos tickets you obtain from the KerbNet system:

Realms
Designate the realm you want to obtain tickets in by selecting the realm's name from the Local Realm drop-down list in the KerbNet window. When you click the Login button, the KerbNet system will try to obtain tickets in whatever realm is currently shown in this field.

Forwardable Tickets
If you want your tickets to be forwardable, check the Forwardable checkbox in the dialog that appears when you click the Login button. In most situations, you should make your tickets forwardable.

Ticket Lifetime
If you want your tickets to last for a length of time different from the default set by the System Administrator, check the Non-Default Lifetime checkbox. When you check the checkbox, a text box appears, prompting you for the number of minutes you want the tickets to be good for. The maximum time tickets can last is set by the System Administrator. The maximum time may be different for different types of Kerberos principals. If you request more than the maximum amount of time, your tickets will be valid for the maximum time; otherwise, they will be valid for the requested amount of time.

The Edit Menu

The Edit Menu offers the following options:

Cut
removes selected text from the KerbNet window and puts it in the clipboard (select the text using the mouse).

Copy
copies selected text from the KerbNet window to the clipboard (select the text using the mouse).

Paste
inserts whatever text is in the clipboard into the KerbNet window, at the current location of the prompt.

Troubleshooting the KerbNet System

If you are having trouble getting your KerbNet software to work, make sure that the following conditions are all met:

* The time on your system must match the time on the KDC within a tolerance set by your system administrator. By default, your clock must be within five minutes of the clock on the KDC. Otherwise, the KerbNet system cannot give you tickets. If you get the error message: "Clock skew too great in KDC reply while logging in", check that your clock is set to the right time.

* If the Key Distribution Center (KDC) is unreachable (perhaps because of network problems), you will be unable to get tickets. If the admin server is unreachable, you will be unable to change your password.

Using KTelnet

The tutorial at the beginning of this document showed you how to use basic KTelnet functions. This section explains further details of using the KTelnet application.

The KTelnet application is a modified version of the NCSA telnet for the Macintosh. Cygnus has integrated KerbNet security into the telnet application while leaving the complete selection of NCSA user features in place. If you are familiar with the NCSA version, you will find all of the same features here, and you may even notice that the bulk of the security is provided by a "plugin." However, KTelnet will not work with other security plugins, and the KerbNet plugin will not work with other versions of NCSA telnet.

Connection Options

This section discusses the options available for forming telnet connections.

Multiple Telnet Sessions

You can have multiple telnet sessions open at the same time; they appear in separate windows. You can work in the session whose window is on top; to switch between sessions, bring the window you want to the foreground. The Next Session command in the Connections menu brings the next-closest telnet window to the front; this command only works when you have more than two sessions open.

Session Configuration Records

You can customize KTelnet's behavior and default settings using session configuration records. Once you have stored your chosen settings in a session configuration record, you can open a telnet session using that record to govern KTelnet's behavior.

To open a connection using a session configuration record:

  1. Choose Open from the File menu.

    The Open Connection dialog opens.

  2. Choose a session name from the drop-down list in the Host/Session Name box.

You can also open a session using one of these configuration files by choosing Open Special from the File menu and selecting the session name from the submenu. KTelnet opens a connection to the host specified in that configuration record, using the record's option settings.

The drop-down list lets you choose among the session configuration records that have already been created. If no session configuration records exist, the list will be empty.

To create or edit a session configuration record:

  1. Select Preferences > Session from the Edit menu.

    The Preferences dialog opens, displaying the current session configuration records.

  2. Click the New button to create a new record, or the Change button to edit an existing record.

    A Session Configuration Record dialog opens, displaying the record's configuration information.

  3. In the Hostname text box, enter the name of the host to which you want to connect. This text is passed to the MacTCP Domain Name Resolver (DNR), which translates a host's domain name into an IP address.

  4. In the Port text box, enter the name of the port to which you want KTelnet to attempt the connection to the remote machine. If you do not specify a port, KTelnet uses the standard telnet port, 23.

  5. Set any other session options you want to change. Whatever choices you make will become the default for any telnet session using this configuration file.

Terminal Configuration Records

Like session configuration records, terminal configuration records contain default settings for various aspects of a telnet session.

You can specify a terminal configuration record to govern your telnet session by entering the record name in the Terminal text box in the Open Connection dialog, or by choosing a record from the drop-down list.

To create or edit a terminal configuration record:

  1. Select Preferences > Terminal from the Edit menu.

    The Preferences dialog opens, displaying the current terminal configuration records.

  2. Click the New button to create a new record, or the Change button to edit an existing record.

    A Terminal Configuration Record dialog opens, displaying the record's configuration information.

  3. Set the options you want to change. Whatever choices you make will become the default for any telnet session using this configuration file.

To open a telnet connection using a particular terminal configuration record:

  1. Choose Open from the File menu.

    The Open Connection dialog opens.

  2. Choose a configuration record from the drop-down list in the Terminal box.

You can also link a terminal configuration record to a session configuration record, so that whenever you open a connection using the session configuration record, KTelnet automatically uses the terminal configuration record as well.

To do so:

  1. Select Preferences > Session from the Edit menu.

    The Preferences dialog opens.

  2. Select the session record you want to edit and click the Change button.

    A Session Configuration Record dialog opens, displaying the record's configuration information.

  3. From the drop-down list in the Terminal box, select the terminal configuration record you wish to link to this session record.

  4. Click OK to close the session configuration record, saving your changes.

  5. Click OK in the Preferences dialog to close the dialog.

The terminal configuration record is now linked to the session configuration record.

KerbNet Authentication

Since KTelnet sends information across the network, including your userid and password, it is important to make sure that the connection is secure. You can use KerbNet security to protect your KTelnet connection.

To use KerbNet authentication with KTelnet:

  1. In the dialog that opens when you choose File > Open Connection, check the Authenticate checkbox.

When this box is checked, KTelnet tries to negotiate a Kerberos-authenticated connection to the remote host, if the remote host supports authentication and if your Macintosh is properly configured.

You can set the Authenticate box to be checked by default. To do so:

  1. Select Preferences > Session from the Edit menu.

    The Preferences dialog opens.

  2. Select a session configuration file from the list and click Change, or click New.

    The Session Configuration Record dialog appears, displaying information about the record you selected.

  3. Check the Authenticate box.

  4. Click OK to close the Session Configuration Record dialog.

  5. Click OK to close the Preferences dialog.

Whenever you open a connection using the host corresponding to the session configuration file you modified, the Authenticate box in the dialog that opens a telnet connection will be checked by default.

In order to open an authenticated connection, you must have first obtained Kerberos tickets using the KerbNet application. If you have no Kerberos tickets, you can still open a connection with KTelnet, but it will not be protected by KerbNet, nor will it be encrypted.

KTelnet always tries to forward your Kerberos tickets to the machine you are connecting to. If your KerbNet tickets are forwardable, then KTelnet forwards them to the remote machine when it opens a connection. If your KerbNet tickets are not forwardable, KTelnet opens an authenticated connection using the tickets, but does not copy them to the new machine; you must obtain new tickets on the remote machine in order to authenticate yourself from there.

If you have already opened a telnet connection and want to obtain tickets or change the forwardability of your tickets, close the connection, get new tickets, and reopen the connection.

Session Encryption

Even with the authentication features of KerbNet, KTelnet connections are still subject to snooping. Data you send and receive can be snatched from the network and viewed by others. However, when KTelnet sets up an encrypted connection, data are scrambled before passing between your Macintosh and a remote host. Such data are significantly more protected than unencrypted data. Encryption is not foolproof, but it does stop the majority of attempts to snoop through your data. Unless you are on a secure internal network and you are getting an especially slow response time in your telnet session window, you should use the encryption option.

KTelnet displays encryption icons next to the zoom box in the window's title bar. A padlock icon indicates that a session is two-way encrypted, which means that data are encrypted both going to and coming from the server. If any other icon is displayed, the session is not two-way encrypted. An arrow indicates that the session is encrypted in one direction only (either going to or coming from the server) and is probably evidence of a bug in either the KTelnet code or in your telnet server. The absence of any icon means that no encryption is taking place.

To open an encrypted telnet session:

  1. In the dialog that opens when you select File > Open Connection, check the Encrypt checkbox.

    NOTE: the Encrypt box can only be checked if the Authenticate box in the dialog is also checked.

When you open a telnet connection, the session is encrypted.

You can set the Encrypt box to be checked by default. To do so:

  1. Select Preferences > Session from the Edit menu.

    The Preferences dialog opens.

  2. Select a session configuration file from the list and click Change, or click New.

    The Session Configuration Record dialog appears, displaying information about the record you selected.

  3. Check the Encrypt box.

  4. Click OK to close the Session Configuration Record dialog.

  5. Click OK to close the Preferences dialog.

Whenever you open a connection using the host corresponding to the session configuration file you modified, the Encrypt box in the dialog that opens a telnet connection will be checked by default.

Close and Quit Options

The File > Quit command exits the KTelnet program. If you still have connections open, a dialog opens, asking whether you want to close those connections or continue using KTelnet.

The File > Close command closes the current Telnet window, ending the session if it is still in progress. If you have more than one Telnet window open, the Close command ends only the session in the window that is active when you use the command; other windows are not affected.

If you wish, you can set a session configuration option that causes session windows to remain open after their associated connections have terminated. When this option is in use, selecting the File > Close command ends the telnet session, but does not close the window. The window title is placed in parentheses to signify that the associated connection has closed. You can view, copy, and print text in a window whose connection has been closed. You can also read connection error messages from hosts that, due to an error, may close connections immediately after they are established.

To set this option:

  1. Select Preferences > Global from the Edit menu.

    The Global Preference dialog appears.

  2. Check the Windows Don't Go Away checkbox.

  3. Click OK to close the Global Preference dialog.

To close a window after the session has been terminated:

  1. Click in the window's close box or select Close from the File menu.

Transferring Text Into and Out of Telnet Windows

You can transfer text between your KTelnet session window and other applications on your computer by using commands from the Edit and Session menus.

Edit > Copy
This command copies selected text from the telnet window to the clipboard (select the text using the mouse).

Edit > Paste
This command inserts whatever text is in the clipboard into the telnet window, at the prompt.

Edit > Copy Table
This command copies highlighted text from the Telnet window into the clipboard as a table, rather than as plain text.

When you copy a table, all strings of contiguous spaces greater than the threshold are turned into tabs before being placed on the clipboard. This produces a format you can paste into most spreadsheet and graphing programs without losing data or doing additional formatting.

To specify the number of contiguous spaces that are translated into a tab:

  1. Select Preferences > Global from the Edit menu.

    The Global Preferences dialog appears.

  2. In the Copy Table Threshold text box, enter the minimum number of spaces that are replaced by tabs when you use the copy table command.

  3. Click OK to close the Global Preferences dialog.

You can paste the table into a word-processing program such as Microsoft Word or into a spread-sheet program such as Microsoft Excel.

Session > Capture Session File
This command records all text that appears on the screen during the Telnet session and saves it to a file.

Selecting Capture Session File begins the capture process; selecting the command again (un-checking it in the Session menu) ends the process. The part of the session that takes place between the two command selections is recorded. You can select Capture Session File at any time after the telnet session window opens.

Printing

The Print Selection command prints selected text from the current Telnet window.

To print a selection:

  1. Select the text you want to print by highlighting it in the Telnet window.

  2. Select Page Setup from the File menu to open a Page Setup dialog, which allows you to specify parameters governing printing from Telnet.

  3. Select Print Selection.

    The Print dialog opens.

  4. In the Print dialog box, specify the number of copies, printer feed, and other parameters.

  5. Click OK or press Return to close the Print dialog and begin printing.

For more information regarding the Page Setup and Print dialog boxes, refer to your Macintosh User's Guide.

Setting Key Mappings

You can change the key codes that KTelnet sends for certain keystrokes. Different Macintoshes and host machines may have different default mappings; in addition, some tasks you want to do may require particular mappings. This section discusses various key mapping options.

Backspace and Delete

The Backspace and Delete options, in the Session menu, control what character the DELETE key sends. If you select the Backspace option, pressing the DELETE key sends a backspace character. If you select the Delete option, pressing the DELETE key sends a delete character.

The ESCape Key

You can set a configuration option to cause KTelnet to send the ESCape character to the remote host when you press the grave accent (`). (This key is sometimes called the backquote.)

This configuration setting is helpful if you use an original Macintosh or Macintosh Plus keyboard. However, the option is available no matter which type of keyboard you have.

To map the backquote key to ESC:

  1. Select Preferences > Global from the Edit menu.

    The Global Preferences dialog opens.

  2. Check the Remap backquote to ESCape checkbox.

  3. Click OK to close the Global Preferences dialog.

Emacs Arrow Mapping

When you select the EMACS Arrow Mapping command from the Session menu, pressing arrow keys on your keyboard sends the appropriate codes to move around in the EMACS editor. When the EMACS Arrow Mapping command is not checked, KTelnet sends the VT codes for the arrow keys.

The EMACS Arrow Mapping command affects the key mappings only for your current telnet session. You can make EMACS arrow mapping the default key mapping for future telnet sessions by setting a configuration option.

To set this option:

  1. Select Preferences > Terminal from the Edit menu.

    The Preferences dialog opens, displaying the current terminal configuration records.

  2. Click the New button to create a new record, or select a record from the list and click Change to edit the record.

    A Terminal Configuration Record dialog opens, displaying the record's configuration information.

  3. Check the EMACS Arrow Keys checkbox.

  4. Click OK to close the terminal configuration record.

  5. Click OK in the Preferences dialog to close the dialog.

When you open a telnet session using this terminal configuration record, the arrow keys send the appropriate EMACS codes.

The PgUp/PgDn/End/Home Keys

To set KTelnet to use the PAGE UP, PAGE DOWN, HOME, and END keys to move around in the session's scrollback buffer:

  1. Select the PgUp/PgDn/End/Home Keys command from the Session menu.

When this option is not in use, KTelnet sends the VT codes for these keys.

The PgUp/PgDn/End/Home Keys command affects the key mappings only for your current telnet session. You can make this key mapping the default mapping for future telnet sessions by setting a configuration option.

To set this option:

  1. Select Preferences > Terminal from the Edit menu.

    The Preferences dialog opens, displaying the current terminal configuration records.

  2. Click the New button to create a new record, or select a record from the list and click Change to edit the record.

    A Terminal Configuration Record dialog opens, displaying the record's configuration information.

  3. Check the Map PgUp, etc. checkbox.

  4. Click OK to close the terminal configuration record.

  5. Click OK in the Preferences dialog to close the dialog.

When you open a telnet session using this terminal configuration record, the keys send the appropriate codes.

Designating Interrupt/Suspend/Resume Keys

Interrupt, Suspend, and Resume are telnet escape commands; they are useful when you are not able to type commands inside your telnet session for some reason.

The Interrupt, Suspend, and Resume commands are described below; the default key assignment for each command is listed next to the command name.

Interrupt
CONTROL-C

sends a telnet interrupt process character (the Send Interrupt Process command from the Network menu has the same effect). The host's implementation of telnet is required to listen for this function and interrupt the current application when it is received. Interrupt also does a timing-mark operation (also known as timing-mark flush and timing-mark processing). In many other implementations of telnet, pressing CONTROL-C can result in a several-minute delay while text scrolls on the screen. This occurs because the TCP protocol has buffered up to 16 Kbytes or even 32 Kbytes of data, which are waiting in the pipeline to be delivered even before you press CONTROL-C. To avoid this scrolling of buffered data, KTelnet initiates timing-mark processing any time you issue an Interrupt command, by sending to the host a special character that the host echoes back. KTelnet throws away all buffered data, causing the session to pause for up to 15 seconds (rather than several minutes) and then resume as usual.

Suspend
CONTROL-S

instantly interrupts all output from the network. The current session does not produce any more characters on the screen until you issue the Resume command.

Resume
CONTROL-Q

restarts character printing to the current session. Resume does nothing unless a Suspend command is in effect.
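The timing-mark flush described under Interrupt, sketched as an added example (not KTelnet's code) using the standard Telnet TIMING-MARK option from RFC 860. The class and method names are hypothetical, the exact bytes KTelnet sends are an assumption, and option subnegotiation (IAC SB ... IAC SE) is not handled.

```python
"""Telnet Interrupt followed by a timing-mark flush (RFC 854, RFC 860)."""

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
IP = 244           # Interrupt Process command
TIMING_MARK = 6    # TIMING-MARK option number


class TimingMarkFlusher:
    """Discards host output received between an Interrupt and the mark reply."""

    def __init__(self):
        self.flushing = False   # True while waiting for the timing-mark reply
        self.discarded = 0      # number of data bytes thrown away so far
        self._pending = b""     # incomplete IAC sequence carried to next read

    def send_interrupt(self) -> bytes:
        """Return the bytes to write to the host and start discarding."""
        self.flushing = True
        # Assumed request: IAC IP, then IAC DO TIMING-MARK as the marker.
        return bytes([IAC, IP, IAC, DO, TIMING_MARK])

    def _data(self, out: bytearray, byte: int) -> None:
        """Route one data byte to the screen, or count it as discarded."""
        if self.flushing:
            self.discarded += 1
        else:
            out.append(byte)

    def feed(self, chunk: bytes) -> bytes:
        """Process one network read; return the bytes meant for the screen."""
        data, self._pending = self._pending + chunk, b""
        out = bytearray()
        i = 0
        while i < len(data):
            if data[i] != IAC:
                self._data(out, data[i])
                i += 1
                continue
            if i + 1 >= len(data):          # IAC split across two reads
                self._pending = data[i:]
                break
            cmd = data[i + 1]
            if cmd == IAC:                  # IAC IAC is a literal 0xFF data byte
                self._data(out, IAC)
                i += 2
            elif cmd in (WILL, WONT, DO, DONT):
                if i + 2 >= len(data):      # option byte not yet received
                    self._pending = data[i:]
                    break
                # Either reply marks the point in the stream where the host
                # saw the request, so both end the flush (a choice made here).
                if data[i + 2] == TIMING_MARK and cmd in (WILL, WONT):
                    self.flushing = False
                i += 3                      # other negotiations are skipped
            else:                           # any other two-byte command
                i += 2
        return bytes(out)
```

Because the reply travels in-band behind the stale output, the amount discarded is bounded by what was already queued when the Interrupt was sent.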

To set a key mapping for any of these commands:

  1. Select Setup Keys... from the Session menu.

    A dialog appears, listing the three commands and their current key assignments. If no key assignment is listed, the default assignment is in effect.

  2. In the text box corresponding to the command you want to assign, type the key combination you want to assign to it. Type the combination as you normally would; for example, if it includes the Control key, hold down Control and press other keys.

  3. When you are finished assigning key combinations, click OK to close the dialog and assign the key combinations.

Setting key mappings using the Setup Keys... command affects the key mappings only for your current telnet session. You can assign default key mappings for future telnet sessions by setting a configuration option.

To set this option:

  1. Select Preferences > Terminal from the Edit menu.

    The Preferences dialog opens, displaying the current terminal configuration records.

  2. Click the New button to create a new record, or select a record from the list and click Change to edit the record.

    A Terminal Configuration Record dialog opens, displaying the record's configuration information.

  3. In the text box beside each command name (Interrupt, Suspend, Resume), enter the keystrokes you want to map to that command.

  4. Click OK to close the terminal configuration record.

  5. Click OK in the Preferences dialog to close the dialog.

When you open a telnet session using this terminal configuration record, the new key mappings are in effect.

Customizing KTelnet Session Windows

You can customize the appearance of your KTelnet session windows for the current session using commands from the Session menu, or you can change the default window appearance by setting options in the session configuration files.

Session Window Title

You can specify a title for your KTelnet session window by entering the name in the Window Name text box in the Open Connection dialog box. If you do not specify a title when you open a connection, KTelnet automatically titles the window with the name of the session's host and a number. Each time you open a session, this number increases by one, no matter how many sessions are currently open.

To change the title of the current Telnet window (the active one, if more than one window is open):

  1. Select Change Window Title from the Connections menu.

If you set KTelnet to recognize Xterm escape sequences, you can also change the window title using the appropriate Xterm sequence.

To make KTelnet recognize Xterm escape sequences:

  1. Select Preferences > Terminal from the Edit menu.

    The Preferences dialog opens, displaying the current terminal configuration records.

  2. Click the New button to create a new record, or select a record from the list and click Change to edit the record.

    A Terminal Configuration Record dialog opens, displaying the record's configuration information.

  3. Check the Xterm Sequences checkbox.

  4. Click OK to close the terminal configuration record.

  5. Click OK in the Preferences dialog to close the dialog.

When you open a connection using this terminal configuration record, KTelnet recognizes the Xterm escape sequences for changing window and icon titles, and changes the title of the session's window in response to those sequences.

Customizing Screen Size

KTelnet's VT emulation screens default to 24 lines because an actual VT terminal screen has room for 24 lines of text. Some host systems let you define a VT-like terminal type with more or fewer than 24 lines.

To increase or decrease the size of the VT emulation screen for the current telnet session:

  1. Select Set Screen Size... from the Session menu.

    The Select Screen Dimensions dialog box appears, showing the current number of lines and columns in the VT emulation screen.

  2. Change the values to the ones you want.

  3. Click the OK button (or press the RETURN key) to return to your session window. Click the Cancel button to abort the change.

The VT emulation screen resizes itself to the dimensions you specified, and the telnet session window resizes itself to match. You can manually readjust the window size to be smaller than the VT emulation size, but not larger.

Shortcut to Reset Screen Size:

  1. To quickly change the size of the VT emulation screen, hold down the OPTION key while you use the size box to resize the window. As the window changes size, KTelnet recalculates the number of lines in the window and displays the current dimensions in the upper-left corner of the window. When you release the mouse button, the new size of the VT emulation screen is set. This method is equivalent to selecting Set Screen Size from the Session menu.

    NOTE: Resizing a session window without holding down the OPTION key only resizes the Macintosh window and does not change the size of the VT emulation screen.

You can change the KTelnet VT emulation default screen size by editing the terminal configuration record (see section Terminal Configuration Records).

Using Wrap Mode

The VT terminal emulator maintains an internal setting to determine whether characters printed off the right-hand side of the screen cause the terminal to wrap. If you set the terminal to wrap, new characters appear on the next line of the screen and the screen scrolls as necessary. If you disable wrap mode, each new character replaces the last character on the current line and the cursor moves neither to the right nor onto the next line.

To turn on wrap mode in the current telnet session:

  1. Select Wrap Mode from the Session menu.

To set wrap mode as the default setting for future sessions:

  1. Select Preferences > Terminal from the Edit menu.

    The Preferences dialog opens, displaying the current terminal configuration records.

  2. Click the New button to create a new record, or select a record from the list and click Change to edit the record.

    A Terminal Configuration Record dialog opens, displaying the record's configuration information.

  3. Check the Use VT Wrap Mode checkbox.

  4. Click OK to close the terminal configuration record.

  5. Click OK in the Preferences dialog to close the dialog.

NOTE: Any time you select Reset Terminal (see section The Reset Terminal Command) from the Session menu or in the Session Configuration records, wrap mode is disabled.

The Scrollback Buffer

You can adjust the following aspects of KTelnet's scrollback buffer:

Scrollback buffer size

To set the size of the scrollback buffer:

  1. Select Preferences > Terminal from the Edit menu.

    The Preferences dialog opens, displaying the current terminal configuration records.

  2. Click the New button to create a new record, or select a record from the list and click Change to edit the record.

    A Terminal Configuration Record dialog opens, displaying the record's configuration information.

  3. In the Scrollback text box, enter the number of lines you want in the scrollback buffer.

  4. Click OK to close the terminal configuration record.

  5. Click OK in the Preferences dialog to close the dialog.

The Clear Screen Saves Lines option
When you select Clear Screen Saves Lines from the Session menu, all lines currently displayed on the screen scroll into the scrollback region before the screen is cleared. If Clear Screen Saves Lines is not checked, the cleared lines are permanently erased when the screen is cleared.

The Clear Screen Saves Lines command affects only the current telnet session. You can make this option the default for future telnet sessions by setting a configuration option.

To set this option:

  1. Select Preferences > Terminal from the Edit menu.

    The Preferences dialog opens, displaying the current terminal configuration records.

  2. Click the New button to create a new record, or select a record from the list and click Change to edit the record.

    A Terminal Configuration Record dialog opens, displaying the record's configuration information.

  3. Check the Save Cleared Lines checkbox.

  4. Click OK to close the terminal configuration record.

  5. Click OK in the Preferences dialog to close the dialog.

Customizing Cursor Appearance

You can customize the appearance of the cursor in your telnet session windows by setting the following configuration options:

Blink Cursor
When this option is enabled, KTelnet makes the cursor blink periodically in session windows.

Block, Underline, Vertical Bar
You can set the cursor to appear in session windows as a block, underline, or vertical bar.

To set these options:

  1. Select Preferences > Global from the Edit menu.

    A dialog opens, listing global configuration options.

  2. Check the Blink Cursor checkbox to make the cursor blink. Click the Block, Underline, or Vertical Bar button to set the cursor's form.

  3. Click OK to close the dialog.

When you next open a telnet connection, the cursor's appearance matches your specifications.

Customizing Fonts

You can set the font and character size of the text in your KTelnet session window by using the following options from the Session menu:

The Font Submenu lets you specify the font in which text in the Telnet window appears. When you select a font from the Font submenu, the current window is resized to contain the text and the selected font is used to display all text in the current window.

NOTE: KTelnet does not allow proportionally spaced fonts.

The Size Submenu lets you specify the font size in which text in the Telnet window appears. The Size submenu lists several sizes, checks the current size, and outlines all sizes in your system. When you select a point size from this submenu, the current window is resized to contain all the resized text and the text is redrawn according to the specified point size.

NOTE: Sizes that are not outlined in the submenu must be scaled by the system software and therefore may be slow and less sharply defined than nonscaled point sizes.

You can change the default font and character size by setting the appropriate options in your terminal configuration records (see section Terminal Configuration Records).

Customizing Color

The Color... command in the Session menu lets you change the color of the background and foreground for normal and blinking text in the telnet window. This command applies only to Macintosh computers that are color-equipped.

To change the color settings in your current telnet window:

  1. Select Color... from the Session menu.

    The Color Selection dialog box appears.

  2. Click the box next to the item to which you wish to assign a color: Normal Text, Normal Background, Blinking Text, or Blinking Background.

    A dialog opens, prompting you to change the color.

  3. Select a new color using the color bars or wheel.

    The color you select appears in the top rectangle under the heading Please Select New Color.

  4. Click OK or press the RETURN key to set the color change and return to the Color Selection dialog box.

    The box next to the item you selected in the Color Selection dialog reflects the color you chose from the Color Wheel dialog.

  5. Repeat to assign colors to other items in the Color Selection dialog box.

  6. When you are done choosing colors, click OK to close the Color Selection dialog.

The new colors are applied to the text in your current session window.

You can change the default color settings for future telnet sessions by setting the Color configuration options in the terminal configuration records (see section Terminal Configuration Records).

For additional information on changing colors, refer to your Macintosh System Software User's Guide.

Using FTP

KTelnet allows you to use your Macintosh as an FTP server; from within a telnet session, you can FTP files from a remote host to your Macintosh. FTP transactions are not encrypted or authenticated.

For more information on FTP options, consult the NCSA Telnet documentation.

Tektronix Emulation

KTelnet can emulate a number of graphical capabilities of Tektronix 4014 and 4105 terminals, including text modes, text sizing, zoom, and pan. Using Tektronix graphics with KTelnet depends on host programs that can produce graphical images. When the host programs run and produce Tektronix 4014 or 4105 graphics commands, KTelnet automatically switches to graphics mode, opens a graphics window, and does the drawing.

For more information about Tektronix emulation using KTelnet, consult the NCSA Telnet documentation.

Troubleshooting

This section describes a few procedures that you can use if you have trouble with your KTelnet session. For more help with KTelnet problems, consult the NCSA Telnet documentation or your System Administrator.

The Connections Menu

The Connections menu lists the window names for current connections and the status of each session. A checkmark next to a window name indicates an active session, and a diamond or circle next to a session name indicates an attempted connection that has not yet successfully opened. More specifically, a diamond indicates that KTelnet is checking the nameserver to find the session name or hostname; a circle means KTelnet is trying to open the session. Once the connection is established, the diamond or circle next to the session name goes away and the session window appears.

If you have attempted to open a connection and no session window appears, try checking the connection's status in the Connections menu.

To abort an attempted connection:

  1. Select the desired connection from the Connections menu.

    The Connection Status dialog box appears, reporting the name and status of the connection.

  2. Click the Abort button in the Connection Status dialog box.

Querying Your Host Machine

If your telnet window freezes up during a session, you can query the host to determine whether you are still connected.

  1. Select Send "Are You There?" from the Network menu.

Every once in a while, especially when the host is bombarded with incoming information or tied up by a large number of users, the host doesn't seem to respond to your commands. When this happens and your terminal appears to have locked up, you can select Send "Are You There?" to determine whether you are still connected to the host. The host is supposed to respond, if able, with a readable message. Some machines answer Yes; others answer with more informative messages.

Interrupting the Current Process

If your session freezes because of a process running within your telnet session:

  1. Select Send "Interrupt Process" from the Network menu.

This command stops the current process and throws away all pending data for the connection. It is equivalent to pressing CONTROL-C on most UNIX systems. The Send Interrupt Process command works on most telnet hosts. To set your Macintosh keyboard so that CONTROL-C sends the Send Interrupt Process command, select the Setup Keys... command in the Session menu (see section Designating Interrupt/Suspend/Resume Keys).

The Reset Terminal Command

The Reset Terminal command in the Session menu resets all VT mode settings, disables wrap mode, resets VT graphics mode, resets the keypad mode to the default, and resets tabs to every eight spaces.

Use this command, for example, when a host program accidentally sets VT graphics mode or fails to leave VT graphics mode.

Displaying Your IP Address

The Network menu has two commands that give you easy access to your computer's IP address:

The Show Network Numbers command displays your Macintosh's IP address in a dialog box but does not transmit the address. Click on the dialog box to remove it.

The Send IP Number command prints your machine's IP address at the prompt in your Telnet session window (without a carriage return).

Installing KerbNet clients for the Macintosh

Two pieces of software need to be installed. The first is the package of binaries provided as part of the KerbNet release; the second is the krb5.conf file from another client machine with the correct `realm' and `kdc' already specified.

Use StuffIt Expander or an equivalent application to decode and unstuff the binaries provided. You will end up with a 1.2 folder containing four files. There are two copies of the Cygnus Solutions ktelnet application, one for standard Macintosh hardware, the other for PowerMacs. You may delete the version that does not apply to save space.

When transferring the krb5.conf file to your Macintosh, we recommend using Fetch or some other application that will translate text files (linefeed to carriage-return) to Macintosh text format. Change the name of the krb5.conf file to krb5.ini and place it in the Preferences folder in the System Folder.

This is all that is necessary. If, after following this procedure, you try to run the KerbNet client to get tickets and you get the following error message:

Kerberos Configuration File not present

this probably means that your krb5.ini is not in Macintosh text format. Go into the System Folder, move the existing krb5.ini file out of the way (if it is not there, go back to step two above), and create a blank one. If the KerbNet client now starts up (although without default realm information it is not usable), you know there is a problem in the krb5.ini file.
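A pre-transfer check for the krb5.conf copy, as an added example that is not part of KerbNet: it classifies the file's line endings, converts them to Macintosh carriage returns, and confirms that a default realm and a KDC for it are specified. The function names are hypothetical, and the sample file, realm and host name are constructed; it is meant to be run on the machine the file is copied from.

```python
"""Check a krb5.conf copy before installing it as krb5.ini on a Macintosh."""


def line_ending_style(data: bytes) -> str:
    """Classify text as 'mac' (CR), 'unix' (LF), 'dos' (CRLF), 'mixed' or 'none'."""
    crlf = data.count(b"\r\n")
    cr = data.count(b"\r") - crlf     # bare carriage returns
    lf = data.count(b"\n") - crlf     # bare linefeeds
    kinds = [name for name, n in (("dos", crlf), ("mac", cr), ("unix", lf)) if n]
    if not kinds:
        return "none"
    return kinds[0] if len(kinds) == 1 else "mixed"


def to_mac_text(data: bytes) -> bytes:
    """Convert CRLF and LF line endings to the bare CR of Macintosh text."""
    return data.replace(b"\r\n", b"\r").replace(b"\n", b"\r")


def parse_realms(data: bytes):
    """Return (default_realm, {realm: [kdc, ...]}) from krb5.conf text."""
    default_realm, realms = None, {}
    section = current = None
    for raw in data.decode("ascii", "replace").splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1].strip().lower(), None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if line == "}":
            current = None                      # end of one realm's block
        elif section == "libdefaults" and key == "default_realm" and value:
            default_realm = value
        elif section == "realms" and value == "{":
            current = key                       # start of "REALM = {"
            realms.setdefault(current, [])
        elif section == "realms" and current and key == "kdc" and value:
            realms[current].append(value)
    return default_realm, realms


def check_krb5_ini(data: bytes) -> list:
    """List the problems that would stop the file working as krb5.ini."""
    problems = []
    style = line_ending_style(data)
    if style not in ("mac", "none"):
        problems.append(f"line endings are {style}, not Macintosh (CR)")
    default_realm, realms = parse_realms(data)
    if default_realm is None:
        problems.append("no default_realm in [libdefaults]")
    elif not realms.get(default_realm):
        problems.append(f"no kdc listed for realm {default_realm}")
    return problems


# Constructed sample: a krb5.conf as it would look on a UNIX client machine.
SAMPLE_UNIX = (
    b"[libdefaults]\n"
    b"\tdefault_realm = EXAMPLE.COM\n"
    b"\n"
    b"[realms]\n"
    b"\tEXAMPLE.COM = {\n"
    b"\t\tkdc = kdc.example.com\n"
    b"\t}\n"
)

if __name__ == "__main__":
    print("before:", check_krb5_ini(SAMPLE_UNIX))
    print("after: ", check_krb5_ini(to_mac_text(SAMPLE_UNIX)))
```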

Glossary of KerbNet Terms

authentication
the process of proving the identity of one entity on the internet (a user or service) to another entity.

client
an entity that can obtain a ticket. This entity is usually either a user or a host.

credentials cache
the location where KerbNet stores tickets. The credentials cache is frequently a file, but it may just be a place in memory.

expiration
tickets cease to be valid when they expire. The amount of time tickets have before expiration is chosen by the user when obtaining the tickets; the maximum allowable lifetime for different kinds of tickets is preset by the System Administrator.

forwardable tickets
Kerberos tickets that can be forwarded (copied) to a remote machine; the copies can be used on the remote machine, eliminating the need to obtain new tickets on that machine.

host
a computer that can be accessed over a network. A remote host is one that is accessed electronically through another host, rather than directly.

Kerberos
in Greek mythology, the three-headed dog that guards the entrance to the underworld. In the computing world, Kerberos is a network security package that was developed at MIT.

KDC
Key Distribution Center. A machine that issues Kerberos tickets.

keytab
a key table file containing one or more keys. A host or service uses a keytab file in much the same way as a user uses his/her password.

principal
a string that names a specific entity to which a set of credentials may be assigned. It generally has three parts:

primary
the first part of a Kerberos principal. The primary identifies the individual user (for a user principal) or the type of service (for a service principal). A user's primary is his/her username.

instance
the second part of a Kerberos principal. It gives information that qualifies the primary. If the principal represents a user, the instance is usually null (blank), but can also be used to describe the intended use of the corresponding credentials. If the principal represents a host, the instance is the fully qualified hostname.

realm
the logical network served by a single Kerberos database and a set of Key Distribution Centers. By convention, realm names are generally all uppercase letters, to differentiate the realm from the internet domain.

The typical format of a Kerberos principal is primary/instance@REALM.

service
any program or computer you access over a network. Examples of services include "host" (a host, e.g., when you use telnet and rsh), "ftp" (FTP), "krbtgt" (authentication; cf. ticket-granting ticket), and "pop" (email).

single-sign-on system
a security system that asks for initial confirmation of the user's identity, but then does all further authentication automatically. With a single-sign-on system, a user only needs to type his or her password once, at the beginning of the session.

telnet port
the "address" that the telnet application connects to on a computer.

ticket
a temporary set of electronic credentials that verifies the identity of its to a particular service.

TGT
Ticket-Granting Ticket. A special Kerberos ticket that permits its owner to obtain additional Kerberos tickets within the same Kerberos realm. A TGT is obtained during the initial authentication process.