diff --git a/handbook/ctm.sgml b/handbook/ctm.sgml
index cfc2f35214..4339f91561 100644
--- a/handbook/ctm.sgml
+++ b/handbook/ctm.sgml
@@ -1,266 +1,261 @@
 <!--
 # This is the sgml version of the ctm.FAQ file.
 #
 # Converted by Ollivier Robert <roberto@FreeBSD.ORG>
 #
-# $Id: ctm.sgml,v 1.22 1997-10-20 07:45:23 jkh Exp $
+# $Id: ctm.sgml,v 1.23 1998-10-27 09:38:15 markm Exp $
 #
 # ----------------------------------------------------------------------------
 # "THE BEER-WARE LICENSE" (Revision 42):
 # <phk@login.dknet.dk> wrote this file.  As long as you retain this notice you
 # can do whatever you want with this stuff. If we meet some day, and you think
 # this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
 # ----------------------------------------------------------------------------
 #
 -->
 
 <sect1><heading>CTM<label id="ctm"></heading>
 
 <p><em>Contributed by &a.phk;.  Updated 19-October-1997.</em>
 
         <tt/CTM/ is a method for keeping a remote directory tree in sync with a
         central one.  It has been developed for usage with FreeBSD's source
         trees, though other people may find it useful for other purposes as
         time goes by.  Little, if any, documentation currently exists at
         this time on the process of creating deltas, so talk to &a.phk;
         for more information should you wish to use <tt/CTM/ for other things.
 
     <sect2><heading>Why should I use <tt/CTM/?</heading>
       <p><tt/CTM/ will give you a local copy of the FreeBSD source trees.
 	There are a number of ``flavors'' of the tree available. Whether
 	you wish to track the entire cvs tree or just one of the branches,
 	<tt/CTM/ can provide you the information.
         If you are an active developer on FreeBSD, but have lousy
         or non-existent TCP/IP connectivity,  or simply wish to have the
 	changes automatically sent to you, <tt/CTM/ was made for you.
         You will need to obtain up to three deltas per day for the most 
 	active branches. However, you should consider having them sent
 	by automatic email. The sizes of the updates are
         always kept as small as possible.  This is typically less than 5K,
         with an occasional (one in ten) being 10-50K and every now and
         then a biggie of 100K+ or more coming around.
 
         You will also need to make yourself aware of the various caveats 
 	related to working directly from the development sources rather
 	than a pre-packaged release. This is particularly true if you
 	choose the ``current'' sources. It is recommended that
         you read <ref id="current" name="Staying current with FreeBSD">.
 
     <sect2><heading>What do I need to use <tt/CTM/?</heading>
 
       <p>You will need two things: The ``<tt/CTM/'' program and the initial
         deltas to feed it (to get up to ``current'' levels).
 
         The <tt/CTM/ program has been part of FreeBSD ever since version 2.0
         was released, and lives in <tt>/usr/src/usr.sbin/<tt/CTM/</tt> if you
         have a copy of the source online.
 
         If you are running a pre-2.0 version of FreeBSD, you can fetch the
         current <tt/CTM/ sources directly from:
 
         <url
           url="ftp://ftp.FreeBSD.ORG/pub/FreeBSD/FreeBSD-current/src/usr.sbin/ctm">
 
         The ``deltas'' you feed <tt/CTM/ can be had two ways, FTP or e-mail.
         If you have general FTP access to the Internet then the following
         FTP sites support access to <tt/CTM/:
 
         <url url="ftp://ftp.FreeBSD.ORG/pub/FreeBSD/CTM">
 
 	or see section <ref id="mirrors-ctm" name="mirrors">.
 
         FTP the relevant directory and fetch the <tt/README/ file,
         starting from there.
 
         If you may wish to get your deltas via email:
 
         Send email to &a.majordomo to subscribe to one of the  <tt/CTM/
 	distribution lists. ``ctm-cvs-cur'' supports the entire cvs tree.
 	``ctm-src-cur'' supports the head of the development branch.
 	``ctm-src-2_2'' supports the 2.2 release branch, etc.
         (If you do not know how to subscribe
         yourself using majordomo, send a message first containing the
         word ``help'' - it will send you back usage instructions.)
 
         When you begin receiving your <tt/CTM/ updates in the mail, you may
         use the <tt/ctm_rmail/ program to unpack and apply them.  You
         can actually use the <tt/ctm_rmail/ program directly from a entry
         in <tt>/etc/aliases</tt> if you want to have the process run in a
         fully automated fashion.  Check the <tt/ctm_rmail/ man page for more
         details.
 
         <bf/NOTE/: No matter what method you use to get the <tt/CTM/
         deltas, you should subscribe to the <tt/ctm-announce@FreeBSD.ORG/
         mailing list.  In the future, this will be the only place where
         announcements concerning the operations of the <tt/CTM/ system will be
         posted.  Send an email to &a.majordomo with a single
         line of ``<tt/subscribe ctm-announce/'' to get added to the list.
 
     <sect2><heading>Starting off with <tt/CTM/ for the first time</heading>
       <p>Before you can start using <tt/CTM/ deltas, you will need to get a
          to a starting point for the deltas produced subsequently to it.
   
- 	First you should determine what you already have. Everyone can
- 	start from an ``Empty'' directory. However, since the trees are
- 	many tens of megabytes, you should prefer to start from something
- 	already at hand. If you have a RELEASE CD, you can copy or extract
- 	an initial source from it. This will save a significant transfer
- 	of data.
+ 	First you should determine what you already have. Everyone should
+ 	start from an ``Empty'' directory.  You must use an initial ``Empty''
+	delta to start off your <tt/CTM/ supported tree. At some point
+	it is intended that one of these ``starter'' deltas be distributed
+	on the CD for your convenience. This does not currently happen,
+	however.
  
- 	Once you identify a suitable starting point, you must use an initial
- 	``transition'' delta to transform your starting point into a
- 	<tt/CTM/ supported tree.
- 
-         You can recognize these transition  deltas by the ``<tt/X/'' appended
+        You can recognize these ``starter''  deltas by the ``<tt/X/'' appended
  	to the number (<tt/src-cur.3210XEmpty.gz/ for instance).
  	The designation following the ``<tt/X/'' corresponds to the origin
- 	of your initial ``seed''. ``Empty'' is an empty directory, ``R225''
- 	would designate the 2.2.5 release, etc.
+ 	of your initial ``seed''. ``Empty'' is an empty directory.
  	As a rule a base transition from ``Empty'' is producted 
-        every 100 deltas.  By the way, they are large!  25 to 30
+        every 100 deltas.  By the way, they are large!  A few tens of
         Megabytes of <tt/gzip/'ed data is common for the ``XEmpty'' deltas.
 
         Once you've picked a base delta to start from, you will also need
         all deltas with higher numbers following it.
 
     <sect2><heading>Using <tt/CTM/ in your daily life</heading>
       <p>
         To apply the deltas, simply say:
         <tscreen><verb>
 cd /where/ever/you/want/the/stuff
 ctm -v -v /where/you/store/your/deltas/src-xxx.*
         </verb></tscreen>
       <p>
         <tt/CTM/ understands deltas which have been put through <tt/gzip/,
         so you do not need to gunzip them first, this saves disk space.
 
         Unless it feels very secure about the entire process, <tt/CTM/ will
         not touch your tree.  To verify a delta you can also use the
         ``<tt/-c/'' flag and <tt/CTM/ will not actually touch your tree; it will
 	merely verify the integrity of the delta and see if it would apply
         cleanly to your current tree.
 
         There are other options to <tt/CTM/ as well, see the manual pages
         or look in the sources for more information.
 
         I would also be very happy if somebody could help with the ``user
         interface'' portions, as I have realized that I cannot make up my
         mind on what options should do what, how and when...
 
         That's really all there is to it.  Every time you get a new delta,
         just run it through <tt/CTM/ to keep your sources up to date.
 
         Do not remove the deltas if they are hard to download again.  You
         just might want to keep them around in case something bad happens.
         Even if you only have floppy disks, consider using <tt/fdwrite/ to
         make a copy.
 
     <sect2><heading>Keeping your local changes</heading>
      <p>
       As a developer one would like to experiment with and change
       files in the source tree.  CTM supports local modifications in a
       limited way: before checking for the presence of a file
       <tt>foo</tt>, it first looks for <tt>foo.ctm</tt>.  If this
       file exists, CTM will operate on it instead of <tt>foo</tt>.
      <p>
       This behaviour gives us a simple way to maintain local changes:
       simply copy the files you plan to modify to the corresponding
       file names with a <tt>.ctm</tt> suffix.  Then you can freely hack 
       the code, while CTM keeps the <tt>.ctm</tt> file up-to-date.
     
     <sect2><heading>Other interesting CTM options</heading>
      <sect3><heading>Finding out exactly what would be touched by an update</heading>
       <p>
        You can determine the list of changes that CTM will make on your
        source repository using the ``<tt>-l</tt>'' option to CTM.
       <p>
        This is useful if you would like to keep logs of the changes, 
        pre- or post- process the modified files in any manner, or just 
        are feeling a tad paranoid :-).
 
      <sect3><heading>Making backups before updating</heading>
       <p>
        Sometimes you may want to backup all the files that would be changed
        by a CTM update.
       <p>
        Specifying the ``<tt>-B backup-file</tt>'' option causes
        CTM to backup all files that would be touched by a given CTM
        delta to <tt>backup-file</tt>.
 
      <sect3><heading>Restricting the files touched by an update</heading> 
       <p>
        Sometimes you would be interested in restricting the scope of a
        given CTM update, or may be interested in extracting just a few
        files from a sequence of deltas.
       <p>
        You can control the list of files that CTM would operate on by
        specifying filtering regular expressions using the
        ``<tt>-e</tt>'' and ``<tt>-x</tt>'' options.
       <p>
        For example, to extract an up-to-date copy of 
        <tt>lib/libc/Makefile</tt> from your collection of saved CTM deltas,
        run the commands:
       <tscreen><verb>
 cd /where/ever/you/want/to/extract/it/
 ctm -e '^lib/libc/Makefile' ~ctm/src-xxx.*
       </verb></tscreen>
       <p>
        For every file specified in a CTM delta, the ``<tt>-e</tt>'' and
        ``<tt>-x</tt>'' options are applied in the order given on the
        command line.  The file is processed by CTM only if it is
        marked as eligible after all the ``<tt>-e</tt>'' and
        ``<tt>-x</tt>'' options are applied to it.
 
        <sect2><heading>Future plans for <tt/CTM/</heading>
       <p>
         Tons of them:
         <itemize>
           <item>
             Use some kind of authentication into the CTM system, so as to
             allow detection of spoofed CTM updates.
           <item>
             Clean up the options to <tt/CTM/, they became confusing and
             counter intuitive.
         </itemize>
 
         The bad news is that I am very busy, so any help in doing this will
         be most welcome.  And do not forget to tell me what you want also...
 
     <sect2><heading>Miscellaneous stuff</heading>
       <p>
         All the ``DES infected'' (e.g. export controlled) source is not
         included.  You will get the ``international'' version only.  If
         sufficient interest appears, we will set up a ``<tt/sec-cur/''
         sequence too.
 <!--
         If you are a frequent or valuable contributor to FreeBSD, I will be
         willing to arrange special services, one option is delivery via
         <tt/ftp/ or <tt/rcp/ to a machine closer to you.  You need to have
         earned this, since it takes time to do, but I will be all the more
         happy to do it for you then.
 -->
         There is a sequence of deltas for the <tt/ports/ collection too,
         but interest has not been all that high yet.  Tell me if you want
         an email list for that too and we will consider setting it up.
 <!--
         If you have commit privileges or are similarly authorized by the
         FreeBSD core team, you can also get access to the CVS repository
         tree by the same means.  Contact &a.phk;
         for details.
 -->
 
     <sect2><heading>Thanks!</heading>
       <p>
         <descrip>
           <tag/&a.bde;/
             for his pointed pen and invaluable comments.
           <tag/&a.sos;/
 	    for patience.
           <tag/Stephen McKay/
             wrote <tt/ctm_&lsqb;rs&rsqb;mail/, much appreciated.
           <tag/&a.jkh;/
             for being so stubborn that I had to make it better.
           <tag/All the users/
             I hope you like it...
         </descrip>
 
diff --git a/handbook/kerberos.sgml b/handbook/kerberos.sgml
index 37e1bcd2d6..38a380fff6 100644
--- a/handbook/kerberos.sgml
+++ b/handbook/kerberos.sgml
@@ -1,480 +1,480 @@
-<!-- $Id: kerberos.sgml,v 1.12 1997-10-26 18:50:04 max Exp $ -->
+<!-- $Id: kerberos.sgml,v 1.13 1998-10-27 09:38:15 markm Exp $ -->
 <!-- The FreeBSD Documentation Project -->
 
 <sect><heading>Kerberos<label id="kerberos"></heading>
 
 <p><em>Contributed by &a.markm; (based on contribution by &a.md;).</em>
 
     Kerberos is a network add-on system/protocol that allows users to
     authenticate themselves through the services of a secure server.
     Services such as remote login, remote copy, secure inter-system
     file copying and other high-risk tasks are made considerably safer
     and more controllable.
 
     The following instructions can be used as a guide on how to
     set up Kerberos as distributed for FreeBSD. However, you should refer
     to the relevant manual pages for a complete description.
 
     In FreeBSD, the Kerberos is not that from the original 4.4BSD-Lite,
     distribution, but eBones, which had been previously ported to
     FreeBSD 1.1.5.1, and was sourced from outside the USA/Canada,
     and is thus available to system owners outside those countries.
 
     For those needing to get a legal foreign distribution of this
     software, please <em>DO NOT</em> get it from a USA or Canada site.
     You will get that site in <em>big</em> trouble! A legal copy of this is
-    available from <tt>skeleton.mikom.csir.co.za</tt>, which is in South
-    Africa.
+    available from <tt>ftp.internat.freebsd.org</tt>, which is in South
+    Africa and an official FreeBSD mirror site.
 
  <sect1>
  <heading>Creating the initial database</heading>
 
  <p>This is done on the Kerberos server only. First make sure that you
     do not have any old Kerberos databases around. You should change to the
     directory <tt>/etc/kerberosIV</tt> and check that only the following
     files are present:
 
 <tscreen><verb>
 grunt# cd /etc/kerberosIV
 grunt# ls
 README          krb.conf        krb.realms
 </verb></tscreen>
 
  <p>If any additional files (such as <tt>principal.*</tt> or
     <tt>master_key</tt>) exist, then use the <tt>kdb_destroy</tt>
     command to destroy the old Kerberos database, of if Kerberos
-    is not running, simply delete the extra files with <tt>rm</tt>.
+    is not running, simply delete the extra files.
 
     You should now edit the <tt>krb.conf</tt> and <tt>krb.realms</tt>
     files to define your Kerberos realm. In this case the realm will
     be <it>GRONDAR.ZA</it> and the server is <it>grunt.grondar.za</it>.
     We edit or create the <tt>krb.conf</tt> file:
 
 <tscreen><verb>
 grunt# cat krb.conf
 GRONDAR.ZA
 GRONDAR.ZA grunt.grondar.za admin server
 CS.BERKELEY.EDU okeeffe.berkeley.edu
 ATHENA.MIT.EDU kerberos.mit.edu
 ATHENA.MIT.EDU kerberos-1.mit.edu
 ATHENA.MIT.EDU kerberos-2.mit.edu
 ATHENA.MIT.EDU kerberos-3.mit.edu
 LCS.MIT.EDU kerberos.lcs.mit.edu
 TELECOM.MIT.EDU bitsy.mit.edu
 ARC.NASA.GOV trident.arc.nasa.gov
 </verb></tscreen>
 
  <p>In this case, the other realms do not need to be there.
     They are here as an example of how a machine may be made aware
     of multiple realms. You may wish to not include them for simplicity.
 
     The first line names the realm in which this system works. The other
     lines contain realm/host entries. The first item on a line is a realm,
     and the second is a host in that realm that is acting as a ``key
     distribution centre''. The words ``admin server'' following a hosts
     name means that host also provides an administrative database server.
     For further explanation of these terms, please consult the Kerberos
     man pages.
 
     Now we have to add <it>grunt.grondar.za</it> to the <it>GRONDAR.ZA</it>
     realm and also add an entry to put all hosts in the <it>.grondar.za</it>
     domain in the <it>GRONDAR.ZA</it> realm.  The <tt>krb.realms</tt> file
     would be updated as follows:
 
 <tscreen><verb>
  grunt# cat krb.realms
  grunt.grondar.za GRONDAR.ZA
  .grondar.za GRONDAR.ZA
  .berkeley.edu CS.BERKELEY.EDU
  .MIT.EDU ATHENA.MIT.EDU
  .mit.edu ATHENA.MIT.EDU
 </verb></tscreen>
 
  <p>Again, the other realms do not need to be there.
     They are here as an example of how a machine may be made aware
     of multiple realms. You may wish to remove them to simplify things.
 
     The first line puts the <it>specific</it> system into the named
     realm. The rest of the lines show how to default systems of a
     particular subdomain to a named realm.
 
     Now we are ready to create the database. This only needs to run on
     the Kerberos server (or Key Distribution Centre). Issue the
     <tt>kdb_init</tt> command to do this:
 
 <tscreen><verb>
 grunt# kdb_init
 Realm name [default  ATHENA.MIT.EDU ]: GRONDAR.ZA
 You will be prompted for the database Master Password.
 It is important that you NOT FORGET this password.
 
 Enter Kerberos master key: 
 </verb></tscreen>
 
  <p>Now we have to save the key so that servers on the local
     machine can pick it up.  Use the <tt>kstash</tt> command to
     do this.
 
 <tscreen><verb>
 grunt# kstash
 
 Enter Kerberos master key: 
 
 Current Kerberos master key version is 1.
 
 Master key entered.  BEWARE!
 </verb></tscreen>
 
  <p>This saves the encrypted master password in
     <tt>/etc/kerberosIV/master_key</tt>.
 
  <sect1>
   <heading>Making it all run</heading>
 
  <p>Two principals need to be added to the database for <it>each</it>
     system that will be secured with Kerberos. Their names are
     <tt>kpasswd</tt> and <tt>rcmd</tt> These two principals are
     made for each system, with the instance being the name of the
     individual system.
 
     These daemons, <tt>kpasswd</tt> and <tt>rcmd</tt> allow other systems
     to change Kerberos passwords and run commands like <tt>rcp</tt>,
     <tt>rlogin</tt> and <tt>rsh</tt>.
 
    Now let's add these entries:
 
 <tscreen><verb>
 grunt# kdb_edit
 Opening database...
 
 Enter Kerberos master key: 
 
 Current Kerberos master key version is 1.
 
 Master key entered.  BEWARE!
 Previous or default values are in [brackets] ,
 enter return to leave the same, or new value.
 
 Principal name: passwd
 Instance: grunt
 
 <Not found>, Create [y] ? y
 
 Principal: passwd, Instance: grunt, kdc_key_ver: 1
 New Password:                    <---- enter RANDOM here
 Verifying password
 
 New Password:                    <---- enter RANDOM here
 
 Random password [y] ? y
 
 Principal's new key version = 1
 Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? 
 Max ticket lifetime (*5 minutes) [ 255 ] ? 
 Attributes [ 0 ] ? 
 Edit O.K.
 Principal name: rcmd
 Instance: grunt
 
 <Not found>, Create [y] ? 
 
 Principal: rcmd, Instance: grunt, kdc_key_ver: 1
 New Password:                    <---- enter RANDOM here
 Verifying password
 
 New Password:                    <---- enter RANDOM here
 
 Random password [y] ? 
 
 Principal's new key version = 1
 Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? 
 Max ticket lifetime (*5 minutes) [ 255 ] ? 
 Attributes [ 0 ] ? 
 Edit O.K.
 Principal name:                  <---- null entry here will cause an exit
 </verb></tscreen>
 
  <sect1>
   <heading>Creating the server file</heading>
 
  <p>We now have to extract all the instances which define the services
     on each machine.  For this we use the <tt>ext_srvtab</tt> command.
     This will create a file which must be copied or moved <it>by secure
     means</it> to each Kerberos client's /etc/kerberosIV directory. This
     file must be present on each server and client, and is crucial to the
     operation of Kerberos.
 
 <tscreen><verb>
 grunt# ext_srvtab grunt
 
 Enter Kerberos master key: 
 
 Current Kerberos master key version is 1.
 
 Master key entered.  BEWARE!
 Generating 'grunt-new-srvtab'....
 </verb></tscreen>
 
  <p>Now, this command only generates a temporary file
     which must be renamed to <tt>srvtab</tt> so that all the
     server can pick it up.  Use the <tt>mv</tt> command to move it
     into place on the original system:
 
 <tscreen><verb>
 grunt# mv grunt-new-srvtab srvtab
 </verb></tscreen>
 
  <p>If the file is for a client system, and the network is not
     deemed safe, then copy the <tt>&lt;client&gt;-new-srvtab</tt> to
     removable media and transport it by secure physical means. Be
     sure to rename it to <tt>srvtab</tt> in the client's
     <tt>/etc/kerberosIV</tt> directory, and make sure it is mode 600:
 
 <tscreen><verb>
 grumble# mv grumble-new-srvtab srvtab
 grumble# chmod 600 srvtab
 </verb></tscreen>
 
  <sect1>
   <heading>Populating the database</heading>
 
  <p>We now have to add some user entries into the database.
     First let's create an entry for the user <it>jane</it>.  Use
     the <tt>kdb_edit</tt> command to do this:
 
 <tscreen><verb>
 grunt# kdb_edit
 Opening database...
 
 Enter Kerberos master key: 
 
 Current Kerberos master key version is 1.
 
 Master key entered.  BEWARE!
 Previous or default values are in [brackets] ,
 enter return to leave the same, or new value.
 
 Principal name: jane
 Instance:
 
 <Not found>, Create [y] ? y
 
 Principal: jane, Instance: , kdc_key_ver: 1
 New Password:                    <---- enter a secure password here
 Verifying password
 
 New Password:                    <---- re-enter the password here
 
 Principal's new key version = 1
 Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? 
 Max ticket lifetime (*5 minutes) [ 255 ] ? 
 Attributes [ 0 ] ? 
 Edit O.K.
 Principal name:                  <---- null entry here will cause an exit
 </verb></tscreen>
 
  <sect1>
   <heading>Testing it all out</heading>
 
  <p>First we have to start the Kerberos daemons. NOTE that if you have
     correctly edited your <tt>/etc/rc.conf</tt> then this will happen
     automatically when you reboot. This is only necessary on the Kerberos
     server. Kerberos clients will automagically get what they need from
     the <tt>/etc/kerberosIV</tt> directory.
 
 <tscreen><verb>
 grunt# kerberos &
 grunt# Kerberos server starting
         Sleep forever on error
         Log file is /var/log/kerberos.log
 Current Kerberos master key version is 1.
 
 Master key entered.  BEWARE!
 
 Current Kerberos master key version is 1
 Local realm: GRONDAR.ZA
 grunt# kadmind -n &
 grunt# KADM Server KADM0.0A initializing
 Please do not use 'kill -9' to kill this job, use a
 regular kill instead
 
 Current Kerberos master key version is 1.
 
 Master key entered.  BEWARE!
 </verb></tscreen>
 
  <p>Now we can try using the <tt>kinit</tt> command to get a ticket for
     the id <it>jane</it> that we created above:
 
 <tscreen><verb>
 grunt$ kinit jane
 MIT Project Athena (grunt.grondar.za)
 Kerberos Initialization for "jane"
 Password: 
 </verb></tscreen>
 
  <p>Try listing the tokens using <tt>klist</tt> to see if we really have them:
 
 <tscreen><verb>
 grunt$ klist
 Ticket file:    /tmp/tkt245
 Principal:    jane@GRONDAR.ZA
 
   Issued           Expires          Principal
 Apr 30 11:23:22  Apr 30 19:23:22  krbtgt.GRONDAR.ZA@GRONDAR.ZA
 </verb></tscreen>
 
  <p>Now try changing the password using <tt>passwd</tt> to check if the
     kpasswd daemon can get authorization to the Kerberos database:
 
 <tscreen><verb>
 grunt$ passwd
 realm GRONDAR.ZA
 Old password for jane:
 New Password for jane:
 Verifying password
 New Password for jane:
 Password changed.
 </verb></tscreen>
 
  <sect1>
   <heading>Adding <tt>su</tt> privileges</heading>
 
  <p>Kerberos allows us to give <it>each</it> user who needs root
     privileges their own <it>separate</it> <tt>su</tt>password. We
     could now add an id which is authorized to <tt>su</tt> to <it>root</it>.
     This is controlled by having an instance of <it>root</it> associated
     with a principal.  Using <tt>kdb_edit</tt> we can create the entry
     <it>jane.root</it> in the Kerberos database:
 
 <tscreen><verb>
 grunt# kdb_edit
 Opening database...
 
 Enter Kerberos master key: 
 
 Current Kerberos master key version is 1.
 
 Master key entered.  BEWARE!
 Previous or default values are in [brackets] ,
 enter return to leave the same, or new value.
 
 Principal name: jane
 Instance: root
 
 <Not found>, Create [y] ? y
 
 Principal: jane, Instance: root, kdc_key_ver: 1
 New Password:                    <---- enter a SECURE password here
 Verifying password
 
 New Password:                    <---- re-enter the password here
 
 Principal's new key version = 1
 Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? 
 Max ticket lifetime (*5 minutes) [ 255 ] ? 12 <--- Keep this short!
 Attributes [ 0 ] ? 
 Edit O.K.
 Principal name:                  <---- null entry here will cause an exit
 </verb></tscreen>
 
  <p>Now try getting tokens for it to make sure it works:
 
 <tscreen><verb>
 grunt# kinit jane.root
 MIT Project Athena (grunt.grondar.za)
 Kerberos Initialization for "jane.root"
 Password: 
  </verb></tscreen>
 
  <p>Now we need to add the user to root's <tt>.klogin</tt> file:
 
 <tscreen><verb>
 grunt# cat /root/.klogin
 jane.root@GRONDAR.ZA
 </verb></tscreen>
 
  <p>Now try doing the <tt>su</tt>:
 
 <tscreen><verb>
 [jane@grunt 10407] su
 Password: 
 grunt#
       </verb></tscreen>
 
     and take a look at what tokens we have:
 
 <tscreen><verb>
 grunt# klist
 Ticket file:	/tmp/tkt_root_245
 Principal:	jane.root@GRONDAR.ZA
 
   Issued           Expires          Principal
 May  2 20:43:12  May  3 04:43:12  krbtgt.GRONDAR.ZA@GRONDAR.ZA
 </verb></tscreen>
 
  <sect1>
   <heading>Using other commands</heading>
 
  <p>In an earlier example, we created a principal called <tt>jane</tt>
     with an instance <tt>root</tt>. This was based on a user with the
     same name as the principal, and this is a Kerberos default; that a
     <em>&lt;principal&gt;.&lt;instance&gt;</em> of the form
     <em>&lt;username&gt;.</em><tt>root</tt> will allow that
     <em>&lt;username&gt;</em> to <tt>su</tt> to root if the necessary
     entries are in the <tt>.klogin</tt> file in <tt>root</tt>'s home
     directory:
 
 <tscreen><verb>
 grunt# cat /root/.klogin
 jane.root@GRONDAR.ZA
 </verb></tscreen>
 
  <p>Likewise, if a user has in their own home directory lines of the
     form:
 
 <tscreen><verb>
 [jane@grunt 10543] cat ~/.klogin
 jane@GRONDAR.ZA
 jack@GRONDAR.ZA
 </verb></tscreen>
 
  <p>This allows anyone in the <em>GRONDAR.ZA</em> realm who has
     authenticated themselves to <em>jane</em> or <em>jack</em> (via
     <tt>kinit</tt>, see above) access to <tt>rlogin</tt> to <em>jane</em>'s
     account or files on this system (<em>grunt</em>) via <tt>rlogin</tt>,
     <tt>rsh</tt> or <tt>rcp</tt>.
 
     For example, Jane now logs into another system, using Kerberos:
 
 <tscreen><verb>
 [jane@grumble 573] kinit
 MIT Project Athena (grunt.grondar.za)
 Password: 
 [jane@grumble 574] rlogin grunt
 Last login: Mon May  1 21:14:47 from grumble
 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
 	The Regents of the University of California.   All rights reserved.
 
 FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995
 
 [jane@grunt 10567]
 </verb></tscreen>
 
  <p>Or Jack logs into Jane's account on the same machine (Jane having set up
     the <tt>.klogin</tt> file as above, and the person in charge of Kerberos
     having set up principal <em>jack</em> with a null instance:
 
 <tscreen><verb>
 [jack@grumble 573] kinit
 [jack@grumble 574] rlogin grunt -l jane
 MIT Project Athena (grunt.grondar.za)
 Password: 
 Last login: Mon May  1 21:16:55 from grumble
 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
 	The Regents of the University of California.   All rights reserved.
 
 FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995
 
 [jane@grunt 10578]
 </verb></tscreen>