This is the new version with:
	user-requested lifetimes
	multiple tickets per request


==========================================================================
Kerberos library patch
==========================================================================
File krb5_patches/svr_principal.c contains a patch to the Kerberos source
which was required for proper operation for service tickets other than
des-cbc-crc.  It prevents a service ticket from being issued with an
invalid encryption type of -1.


==========================================================================
Building KCT
==========================================================================
If you are configuring the software for different platforms, create
a subdirectory for the specific platform in the same directory as the
'src' directory.
  % mkdir i386_linux24
  % ls
  i386_linux24/  src/
  %

To compile the code, first run configure:
  % cd i386_linux24
  % ../src/configure \
  --with-krb5src=<path> \
  --with-krb5dest=<path> \
  --with-openssl=<path>
  %

All three arguments are required.  Then just run make (or gmake on Solaris):
  % make

If the krb5 source is also split into separate source and object
directory trees, use --with-krb5obj=<path> to indicate the top of
the object tree.

==========================================================================
Customizing KCT:
==========================================================================
You may customize the operation of the KCT by using command-line
arguments, or by specifying a configuration file.  The recommended
way is to specify a configuration file using the '-f' option when
starting KCT.  All values have defaults and can be overridden in the
configuration file.  Here are the values and their default value:

Config file parameter	Type		Default Value
---------------------	-----		---------------
LOG_FILE		string		"/var/kct/kct.log"
KCT_PORT		integer		5039
KCT_KEYTAB		string		"/var/kct/kct.keytab"
KCT_ACL_FILE		string		"/var/kct/kct.acl"
KCT_PRINC_NAME		string		"kct"
CA_FILE			string		"/var/kct/cert/ca-bundle.crt"
CA_PATH			string		"/var/kct/cert"
DEBUG_LEVEL		integer		4 (aka KCTLOG_WARNING)
SINGLE_PROCESS		integer(bool)	0
HANDSHAKE_VALID_TIME	integer		600
TICKET_LIFETIME		integer		3600

Most of these options are self-explanatory.  Here are explanations for the
ones that may not be.

KCT_PRINC_NAME is the Kerberos service principal name for the KCT
service.  mod_KCT gets a service ticket for this service to talk to
the KCT.

CA_FILE is the file containing the certificates for the CAs that
the KCT is willing to trust.  The certificates used in the handshake
between the original client and the mod_KCT must be trusted by the KCT.

CA_PATH specifies a directory name which contains individual files
containing the CA certificates that the KCT should trust.

If SINGLE_PROCESS is non-zero, then all requests are handled by a
single process, rather than forking off new processes to handle
each request.

HANDSHAKE_VALID_TIME is the number of seconds of "skew" allowed
in the timestamp found in the recorded handshake.  Requests for
tickets are rejected if the handshake timestamp is more than
HANDSHAKE_VALID_TIME from the current time.

TICKET_LIFETIME is the lifetime of the Kerberos tickets issued by the KCT.
It is a "todo" to make this the maximum lifetime for service tickets,
and add to the protocol the ability to specify a desired lifetime for
each ticket request.
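To show how the parameters above fit together, here is an added example (not KCT's own code) that loads a configuration file, fills in the README's defaults, type-checks each value against the table, and applies the HANDSHAKE_VALID_TIME skew rule.  The README does not give the file syntax, so the reader assumes one 'NAME value' pair per line, optional double quotes around strings and '#' comments; the sample file is constructed.  It also assumes that a timestamp exactly HANDSHAKE_VALID_TIME seconds away is still accepted, since the text rejects only timestamps "more than" that far off.

```python
"""Loader and sanity checker for a KCT configuration file.

Added illustration, not KCT's own code.  The README lists the parameters,
their types and defaults but not the file syntax, so this assumes one
'NAME value' pair per line, optional double quotes around strings and '#'
comments; adjust the reader if the real parser differs.  Every value in
DEFAULTS comes from the README's table.
"""

# (type, default) for each parameter, copied from the README's table.
DEFAULTS = {
    "LOG_FILE":             ("string",  "/var/kct/kct.log"),
    "KCT_PORT":             ("integer", 5039),
    "KCT_KEYTAB":           ("string",  "/var/kct/kct.keytab"),
    "KCT_ACL_FILE":         ("string",  "/var/kct/kct.acl"),
    "KCT_PRINC_NAME":       ("string",  "kct"),
    "CA_FILE":              ("string",  "/var/kct/cert/ca-bundle.crt"),
    "CA_PATH":              ("string",  "/var/kct/cert"),
    "DEBUG_LEVEL":          ("integer", 4),      # 4 == KCTLOG_WARNING
    "SINGLE_PROCESS":       ("bool",    0),      # integer(bool): non-zero is true
    "HANDSHAKE_VALID_TIME": ("integer", 600),
    "TICKET_LIFETIME":      ("integer", 3600),
}

# Constructed sample file (assumed syntax), not one shipped with KCT.
SAMPLE_CONFIG = """\
# keep the KCT listening on its default port
KCT_PORT 5039
KCT_ACL_FILE "/etc/kct/kct.acl"
SINGLE_PROCESS 1
HANDSHAKE_VALID_TIME 300
"""


def load_config(text):
    """Return a dict with every parameter, defaults overridden by the file."""
    cfg = {name: default for name, (_, default) in DEFAULTS.items()}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError("config line %d: expected 'NAME value'" % lineno)
        name, value = fields
        if name not in DEFAULTS:
            # Refuse unknown names rather than silently ignoring a typo.
            raise ValueError("config line %d: unknown parameter %s" % (lineno, name))
        kind = DEFAULTS[name][0]
        if kind == "string":
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            cfg[name] = value
        else:
            try:
                number = int(value)
            except ValueError:
                raise ValueError("config line %d: %s must be an integer"
                                 % (lineno, name))
            cfg[name] = (1 if number else 0) if kind == "bool" else number
    return cfg


def check_config(cfg):
    """Return a list of problems a deployer should fix (empty when fine)."""
    problems = []
    if not 1 <= cfg["KCT_PORT"] <= 65535:
        problems.append("KCT_PORT out of range")
    if cfg["HANDSHAKE_VALID_TIME"] <= 0:
        problems.append("HANDSHAKE_VALID_TIME must be positive")
    if cfg["TICKET_LIFETIME"] <= 0:
        problems.append("TICKET_LIFETIME must be positive")
    return problems


def handshake_is_fresh(handshake_ts, now, cfg):
    """HANDSHAKE_VALID_TIME rule: a request is rejected when the recorded
    handshake timestamp is more than that many seconds from the current
    time, in either direction (assumed: exactly at the limit is accepted)."""
    return abs(now - handshake_ts) <= cfg["HANDSHAKE_VALID_TIME"]


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print(cfg)
    print("problems:", check_config(cfg))
    print("fresh at 300s:", handshake_is_fresh(1000, 1300, cfg))
```

Two choices worth copying into a real loader: unknown parameter names are an error rather than ignored, so a misspelled KCT_ACL_FILE cannot quietly leave the default ACL path in force, and the skew check is symmetric, so a handshake timestamp from the future is rejected just like a stale one.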

KCT_ACL_FILE specifies a file which specifies who is allowed to request
tickets for which services.  The format of the file is lines containing
the following:

	pname/pinst sname[/sinst] ...

where:
	pname/pinst is the principal/instance name requesting a service
		ticket on behalf of someone else
	sname/sinst is the service/instance for which pname/pinst is
		allowed to obtain service tickets.  The service instance
		may be omitted or wildcarded, allowing pname/pinst to get
		tickets without an instance, or for any instance of the
		given service.  If the request specifies an instance,
		then the ACL entry must specify that instance or a
		wildcard ("*") to match.  If the request specifies no
		instance, then the ACL entry must specify no instance
		or a wildcard ("*") to match.  In other words, if the
		ACL entry specifies a non-wildcard instance, then the
		request must contain an instance, and it must match.

Here are some example ACL file entries:

  web_server/name.domain.org   afs imap/imap2.domain.org imap/imap3.domain.org
  web_server/name4.domain.org  imap/*
  web_server/name5.domain.org  imap

In the above examples, the web_server at "name" can obtain service tickets
for the "afs" service, and imap services with instances "imap2.domain.org"
and "imap3.domain.org".  It would *not* be able to get tickets for imap
with the instance "imap4.domain.org", for example.

The web_server at "name4" can get tickets for imap with any instance
specified in the request, or with no instance at all.

The web_server at "name5" can also get tickets for imap with any instance
specified, or with no instance.

The default behavior is that no one is allowed to get any service tickets
unless there is an entry in the ACL file authorizing it.
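As an added example (not code from KCT), the following parses the ACL file format described above and answers "may this requester obtain this service ticket?" using exactly the instance rule spelled out in the "where:" description: a request carrying an instance matches only an entry with that exact instance or "*", a request with no instance matches only an entry with no instance or "*", and a requester with no entry is denied.  The embedded ACL text is the README's own three example entries; treating '#' as a comment marker is an assumption.

```python
"""Parser and matcher for the KCT_ACL_FILE format described above.

This is an added illustration, not code from KCT itself.  It follows the
matching rule spelled out in the ACL description: a request carrying an
instance matches only an entry with that exact instance or "*", a request
with no instance matches only an entry with no instance or "*", and a
requester with no entry at all is denied (the default-deny behaviour).
The ACL text below is the README's own example entries, embedded as a
string so the script runs offline.
"""

# Constructed from the README's example ACL entries.
SAMPLE_ACL = """\
web_server/name.domain.org   afs imap/imap2.domain.org imap/imap3.domain.org
web_server/name4.domain.org  imap/*
web_server/name5.domain.org  imap
"""


def parse_acl(text):
    """Return {(pname, pinst): [(sname, sinst), ...]}, sinst None if absent.

    Each line is 'pname/pinst sname[/sinst] ...'.  Blank lines are
    skipped; treating '#' as a comment marker is an assumption here,
    the README does not say whether the real file supports comments.
    """
    acl = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[0]:
            raise ValueError(
                "ACL line %d: expected 'pname/pinst sname[/sinst] ...'" % lineno)
        pname, pinst = fields[0].split("/", 1)
        entries = acl.setdefault((pname, pinst), [])
        for svc in fields[1:]:
            sname, _, sinst = svc.partition("/")
            entries.append((sname, sinst or None))
    return acl


def _instance_matches(acl_inst, req_inst):
    """Apply the instance rule for one ACL service entry."""
    if acl_inst == "*":
        return True                 # wildcard: any instance, or none at all
    return acl_inst == req_inst     # exact match; None == None is the no-instance case


def is_authorized(acl, requester, sname, sinst=None):
    """True iff the ACL lets requester (pname, pinst) get sname[/sinst].

    Default deny: with no matching entry the request is refused.
    """
    for acl_sname, acl_sinst in acl.get(requester, []):
        if acl_sname == sname and _instance_matches(acl_sinst, sinst):
            return True
    return False


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    web1 = ("web_server", "name.domain.org")
    for svc, inst in [("afs", None), ("imap", "imap2.domain.org"),
                      ("imap", "imap4.domain.org")]:
        print(web1[1], svc, inst, "->", is_authorized(acl, web1, svc, inst))
```

Note that under the stated rule the "name5" entry (imap with no instance) matches only instance-less imap requests; a request for imap/imap2.domain.org from name5 is refused, because "if the request specifies an instance, then the ACL entry must specify the instance or a wildcard".  The matcher also never falls through to a permissive default: an unknown requester, or a known one asking for a service not listed on its line, gets nothing.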

==========================================================================
Running KCT:
==========================================================================
The KCT must be run on the same machine that runs the KDC.  It must have
access to the Kerberos database to generate Kerberos service tickets.
Like the KDC, it needs to run with root access.

