[b4b71892] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
| 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
|
---|
| 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
| 5 | %general-entities;
|
---|
| 6 |
|
---|
| 7 | <!ENTITY heimdal-download-http "http://ftp.vc-graz.ac.at/mirror/crypto/kerberos/heimdal/heimdal-&heimdal-version;.tar.gz">
|
---|
| 8 | <!ENTITY heimdal-download-ftp "ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-&heimdal-version;.tar.gz">
|
---|
| 9 | <!ENTITY heimdal-size "3.2 MB">
|
---|
| 10 | <!ENTITY heimdal-buildsize "142 MB">
|
---|
| 11 | <!ENTITY heimdal-time "2.55 SBU">
|
---|
| 12 | ]>
|
---|
| 13 |
|
---|
[f505cbc9] | 14 | <sect1 id="heimdal" xreflabel="Heimdal-&heimdal-version;">
|
---|
[a0f03b0] | 15 | <sect1info>
|
---|
[5cd0959d] | 16 | <othername>$LastChangedBy$</othername>
|
---|
| 17 | <date>$Date$</date>
|
---|
[a0f03b0] | 18 | </sect1info>
|
---|
[bae6e15] | 19 | <?dbhtml filename="heimdal.html"?>
|
---|
[6856556] | 20 | <title>Heimdal-&heimdal-version;</title>
|
---|
| 21 |
|
---|
[b4b71892] | 22 | <sect2>
|
---|
| 23 | <title>Introduction to <application>Heimdal</application></title>
|
---|
| 24 |
|
---|
[359e1043] | 25 | <para><application>Heimdal</application> is a free implementation of Kerberos
|
---|
[b4b71892] | 26 | 5, that aims to be compatible with <acronym>MIT</acronym> krb5 and is backwards
|
---|
| 27 | compatible with krb4. Kerberos is a network authentication protocol. Basically
|
---|
| 28 | it preserves the integrity of passwords in any untrusted network (like the
|
---|
| 29 | Internet). Kerberized applications work hand-in-hand with sites that support
|
---|
| 30 | Kerberos to ensure that passwords cannot be stolen. A Kerberos installation
|
---|
| 31 | will make changes to the authentication mechanisms on your network and will
|
---|
[359e1043] | 32 | overwrite several programs and daemons from the
|
---|
| 33 | <application>Coreutils</application>, <application>Inetutils</application>,
|
---|
| 34 | <application>Qpopper</application> and <application>Shadow</application>
|
---|
| 35 | packages.</para>
|
---|
[b4b71892] | 36 |
|
---|
| 37 | <sect3><title>Package information</title>
|
---|
| 38 | <itemizedlist spacing='compact'>
|
---|
| 39 | <listitem><para>Download (HTTP): <ulink url="&heimdal-download-http;"/></para></listitem>
|
---|
| 40 | <listitem><para>Download (FTP): <ulink url="&heimdal-download-ftp;"/></para></listitem>
|
---|
| 41 | <listitem><para>Download size: &heimdal-size;</para></listitem>
|
---|
[518538f] | 42 | <listitem><para>Estimated disk space required: &heimdal-buildsize;</para></listitem>
|
---|
[b4b71892] | 43 | <listitem><para>Estimated build time: &heimdal-time;</para></listitem></itemizedlist>
|
---|
| 44 | </sect3>
|
---|
| 45 |
|
---|
| 46 | <sect3><title>Additional downloads</title>
|
---|
| 47 | <itemizedlist spacing='compact'>
|
---|
[07b157f4] | 48 | <listitem><para>Required Patch: <ulink
|
---|
[014d11ad] | 49 | url="&patch-root;/heimdal-&heimdal-version;-fhs_compliance-1.patch"/></para>
|
---|
[b4b71892] | 50 | </listitem>
|
---|
| 51 | <listitem><para>Required patch for cracklib: <ulink
|
---|
| 52 | url="&patch-root;/heimdal-&heimdal-version;-cracklib-1.patch"/></para>
|
---|
| 53 | </listitem>
|
---|
| 54 | </itemizedlist>
|
---|
| 55 |
|
---|
| 56 | </sect3>
|
---|
| 57 |
|
---|
| 58 | <sect3><title><application>Heimdal</application> dependencies</title>
|
---|
| 59 | <sect4><title>Required</title>
|
---|
| 60 | <para>
|
---|
[939cf0da] | 61 | <xref linkend="openssl-package"/> and
|
---|
[b4b71892] | 62 | <xref linkend="db"/>
|
---|
| 63 | </para></sect4>
|
---|
| 64 | <sect4><title>Optional</title>
|
---|
| 65 | <para>
|
---|
| 66 | <xref linkend="Linux_PAM"/>,
|
---|
| 67 | <xref linkend="openldap"/>,
|
---|
| 68 | X (<xref linkend="xorg"/> or <xref linkend="xfree86"/>),
|
---|
| 69 | <xref linkend="cracklib"/> and
|
---|
| 70 | <ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink>
|
---|
| 71 | </para>
|
---|
| 72 |
|
---|
| 73 | <note><para>
|
---|
| 74 | Some sort of time synchronization facility on your system (like <xref
|
---|
| 75 | linkend="ntp"/>) is required since Kerberos won't authenticate if the
|
---|
| 76 | time differential between a kerberized client and the
|
---|
| 77 | <acronym>KDC</acronym> server is more than 5 minutes.</para></note>
|
---|
| 78 | </sect4>
|
---|
| 79 |
|
---|
| 80 | </sect3>
|
---|
| 81 |
|
---|
| 82 | </sect2>
|
---|
| 83 |
|
---|
| 84 | <sect2>
|
---|
| 85 | <title>Installation of <application>Heimdal</application></title>
|
---|
| 86 |
|
---|
| 87 | <para>
|
---|
| 88 | Before installing the package, you may want to preserve the
|
---|
[359e1043] | 89 | <command>ftp</command> program from the <application>Inetutils</application>
|
---|
| 90 | package. This is because using the <application>Heimdal</application>
|
---|
| 91 | <command>ftp</command> program to connect to non-kerberized ftp servers may
|
---|
| 92 | not work properly. It will allow you to connect (letting you know that
|
---|
| 93 | transmission of the password is clear text) but will have problems doing puts
|
---|
| 94 | and gets.
|
---|
[b4b71892] | 95 | </para>
|
---|
| 96 |
|
---|
| 97 | <screen><userinput><command>mv /usr/bin/ftp /usr/bin/ftpn</command></userinput></screen>
|
---|
| 98 |
|
---|
| 99 | <para>
|
---|
[359e1043] | 100 | If you wish the <application>Heimdal</application> package to link against the
|
---|
| 101 | <application>cracklib</application> library, you must apply a patch:
|
---|
[b4b71892] | 102 | </para>
|
---|
| 103 |
|
---|
| 104 | <screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-cracklib-1.patch</command></userinput></screen>
|
---|
| 105 |
|
---|
| 106 | <para>Install <application>Heimdal</application> by running the following commands:</para>
|
---|
| 107 |
|
---|
[014d11ad] | 108 | <screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-fhs_compliance-1.patch &&
|
---|
[b4b71892] | 109 | ./configure --prefix=/usr --sysconfdir=/etc/heimdal \
|
---|
| 110 | --datadir=/var/lib/heimdal --libexecdir=/usr/sbin \
|
---|
| 111 | --sharedstatedir=/usr/share --localstatedir=/var/lib/heimdal \
|
---|
| 112 | --enable-shared --with-openssl=/usr &&
|
---|
| 113 | make &&
|
---|
| 114 | make install &&
|
---|
| 115 | mv /bin/login /bin/login.shadow &&
|
---|
| 116 | mv /bin/su /bin/su.coreutils &&
|
---|
| 117 | mv /usr/bin/{login,su} /bin &&
|
---|
| 118 | ln -sf ../../bin/login /usr/bin &&
|
---|
| 119 | mv /usr/lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /lib &&
|
---|
| 120 | mv /usr/lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /lib &&
|
---|
| 121 | mv /usr/lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /lib &&
|
---|
[dc04b84] | 122 | mv /usr/lib/libdb-4.1.so /lib &&
|
---|
[b4b71892] | 123 | ln -sf ../../lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /usr/lib &&
|
---|
| 124 | ln -sf ../../lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /usr/lib &&
|
---|
| 125 | ln -sf ../../lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /usr/lib &&
|
---|
[dc04b84] | 126 | ln -sf ../../lib/libdb-4.1.so /usr/lib &&
|
---|
[b4b71892] | 127 | ldconfig</command></userinput></screen>
|
---|
| 128 |
|
---|
| 129 | </sect2>
|
---|
| 130 |
|
---|
| 131 | <sect2>
|
---|
| 132 | <title>Command explanations</title>
|
---|
| 133 |
|
---|
[359e1043] | 134 | <para><parameter>--libexecdir=/usr/sbin</parameter>: This switch puts the
|
---|
| 135 | daemon programs into <filename class="directory">/usr/sbin</filename>.
|
---|
[b4b71892] | 136 | </para>
|
---|
| 137 |
|
---|
| 138 | <note><para>
|
---|
[359e1043] | 139 | If you want to preserve all your existing <application>Inetutils</application>
|
---|
| 140 | package daemons, install the <application>Heimdal</application> daemons into
|
---|
| 141 | <filename class="directory">/usr/sbin/heimdal</filename> (or wherever you want).
|
---|
[b4b71892] | 142 | Since these programs will be called from <command>(x)inetd</command> or
|
---|
[359e1043] | 143 | <filename>rc</filename> scripts, it really doesn't matter where they are
|
---|
| 144 | installed, as long as they are correctly specified in the
|
---|
| 145 | <filename>/etc/(x)inetd.conf</filename> file and <filename>rc</filename>
|
---|
| 146 | scripts. If you choose something other than
|
---|
| 147 | <filename class="directory">/usr/sbin</filename>, you may want to move some of
|
---|
| 148 | the user programs (such as <command>kadmin</command>) to
|
---|
| 149 | <filename class="directory">/usr/sbin</filename> manually so they'll be in the
|
---|
| 150 | privileged user's default path.</para></note>
|
---|
[b4b71892] | 151 |
|
---|
| 152 | <para>
|
---|
| 153 | <screen><command>mv /bin/login /bin/login.shadow
|
---|
| 154 | mv /bin/su /bin/su.coreutils
|
---|
| 155 | mv /usr/bin/{login,su} /bin
|
---|
| 156 | ln -sf ../../bin/login /usr/bin</command></screen>
|
---|
[359e1043] | 157 |
|
---|
| 158 | The <command>login</command> and <command>su</command> programs installed by
|
---|
| 159 | <application>Heimdal</application> belong in the
|
---|
| 160 | <filename class="directory">/bin</filename> directory. The
|
---|
| 161 | <command>login</command> program is symlinked because
|
---|
| 162 | <application>Heimdal</application> is expecting to find it in
|
---|
| 163 | <filename class="directory">/usr/bin</filename>. The old executables are
|
---|
| 164 | preserved before the move to keep things sane should breaks occur.
|
---|
[b4b71892] | 165 | </para>
|
---|
| 166 |
|
---|
| 167 | <para>
|
---|
| 168 | <screen><command>mv /usr/lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /lib
|
---|
| 169 | mv /usr/lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /lib
|
---|
| 170 | mv /usr/lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /lib
|
---|
[dc04b84] | 171 | mv /usr/lib/libdb-4.1.so /lib
|
---|
[b4b71892] | 172 | ln -sf ../../lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /usr/lib
|
---|
| 173 | ln -sf ../../lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /usr/lib
|
---|
| 174 | ln -sf ../../lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /usr/lib
|
---|
[dc04b84] | 175 | ln -sf ../../lib/libdb-4.1.so /usr/lib</command></screen>
|
---|
[359e1043] | 176 |
|
---|
[b4b71892] | 177 | The <command>login</command> and <command>su</command> programs
|
---|
[359e1043] | 178 | installed by <application>Heimdal</application> link against
|
---|
| 179 | <application>Heimdal</application> libraries as well as libraries provided by
|
---|
| 180 | the <application>OpenSSL</application>, <application>Berkeley DB</application>
|
---|
| 181 | and <application>E2fsprogs</application> packages. These libraries are moved
|
---|
| 182 | to <filename class="directory">/lib</filename> to be <acronym>FHS</acronym>
|
---|
| 183 | compliant and also in case <filename class="directory">/usr</filename> is
|
---|
| 184 | located on a separate partition which may not always be mounted.
|
---|
[b4b71892] | 185 | </para>
|
---|
| 186 |
|
---|
| 187 | </sect2>
|
---|
| 188 |
|
---|
| 189 | <sect2>
|
---|
[359e1043] | 190 | <title>Configuring <application>Heimdal</application></title>
|
---|
[b4b71892] | 191 |
|
---|
| 192 | <sect3><title>Config files</title>
|
---|
| 193 | <para><filename>/etc/heimdal/*</filename></para>
|
---|
| 194 | </sect3>
|
---|
| 195 |
|
---|
| 196 | <sect3><title>Configuration Information</title>
|
---|
| 197 |
|
---|
[359e1043] | 198 | <sect4><title>Master <acronym>KDC</acronym> Server Configuration</title>
|
---|
[b4b71892] | 199 |
|
---|
| 200 | <para>
|
---|
[359e1043] | 201 | Create the Kerberos configuration file with the following commands:
|
---|
[b4b71892] | 202 | </para>
|
---|
| 203 |
|
---|
| 204 | <screen><userinput><command>install -d /etc/heimdal &&
|
---|
| 205 | cat > /etc/heimdal/krb5.conf << "EOF"</command>
|
---|
| 206 | # Begin /etc/heimdal/krb5.conf
|
---|
[014d11ad] | 207 |
|
---|
[b4b71892] | 208 | [libdefaults]
|
---|
[359e1043] | 209 | default_realm = <replaceable>[EXAMPLE.COM]</replaceable>
|
---|
[b4b71892] | 210 | encrypt = true
|
---|
| 211 |
|
---|
| 212 | [realms]
|
---|
[359e1043] | 213 | <replaceable>[EXAMPLE.COM]</replaceable> = {
|
---|
| 214 | kdc = <replaceable>[hostname.example.com]</replaceable>
|
---|
| 215 | admin_server = <replaceable>[hostname.example.com]</replaceable>
|
---|
| 216 | kpasswd_server = <replaceable>[hostname.example.com]</replaceable>
|
---|
[b4b71892] | 217 | }
|
---|
| 218 |
|
---|
| 219 | [domain_realm]
|
---|
[359e1043] | 220 | .<replaceable>[example.com]</replaceable> = <replaceable>[EXAMPLE.COM]</replaceable>
|
---|
[b4b71892] | 221 |
|
---|
| 222 | [logging]
|
---|
| 223 | kdc = FILE:/var/log/kdc.log
|
---|
| 224 | admin_server = FILE:/var/log/kadmin.log
|
---|
| 225 | default = FILE:/var/log/krb.log
|
---|
| 226 |
|
---|
| 227 | # End /etc/heimdal/krb5.conf
|
---|
| 228 | <command>EOF</command></userinput></screen>
|
---|
| 229 |
|
---|
| 230 | <para>
|
---|
[359e1043] | 231 | You will need to substitute your domain and proper hostname for the
|
---|
| 232 | occurrences of the <replaceable>[hostname]</replaceable> and
|
---|
| 233 | <replaceable>[EXAMPLE.COM]</replaceable> names.
|
---|
[b4b71892] | 234 | </para>
|
---|
| 235 |
|
---|
| 236 | <para>
|
---|
[359e1043] | 237 | <userinput>default_realm</userinput> should be the name of your domain changed
|
---|
| 238 | to ALL CAPS. This isn't required, but both <application>Heimdal</application>
|
---|
| 239 | and <application><acronym>MIT</acronym> krb5</application> recommend it.
|
---|
[b4b71892] | 240 | </para>
|
---|
| 241 |
|
---|
| 242 | <para>
|
---|
[359e1043] | 243 | <userinput>encrypt = true</userinput> provides encryption of all traffic
|
---|
| 244 | between kerberized clients and servers. It's not necessary and can be left
|
---|
| 245 | off. If you leave it off, you can encrypt all traffic from the client to the
|
---|
| 246 | server using a switch on the client program instead.
|
---|
[b4b71892] | 247 | </para>
|
---|
| 248 |
|
---|
| 249 | <para>
|
---|
[359e1043] | 250 | The <userinput>[realms]</userinput> parameters tell the client programs where
|
---|
| 251 | to look for the <acronym>KDC</acronym> authentication services.
|
---|
[b4b71892] | 252 | </para>
|
---|
| 253 |
|
---|
| 254 | <para>
|
---|
| 255 | The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
|
---|
| 256 | </para>
|
---|
| 257 |
|
---|
| 258 | <para>
|
---|
| 259 | Store the master password in a key file using the following commands:
|
---|
| 260 | </para>
|
---|
| 261 |
|
---|
| 262 | <screen><userinput><command>install -d -m 755 /var/lib/heimdal &&
|
---|
| 263 | kstash</command></userinput></screen>
|
---|
| 264 |
|
---|
| 265 | <para>
|
---|
| 266 | Create the <acronym>KDC</acronym> database:
|
---|
| 267 | </para>
|
---|
| 268 |
|
---|
| 269 | <screen><userinput><command>kadmin -l</command></userinput></screen>
|
---|
| 270 |
|
---|
| 271 | <para>
|
---|
| 272 | Choose the defaults for now. You can go in later and change the
|
---|
| 273 | defaults, should you feel the need. At the
|
---|
| 274 | <userinput>kadmin></userinput> prompt, issue the following statement:
|
---|
| 275 | </para>
|
---|
| 276 |
|
---|
[359e1043] | 277 | <screen><userinput><command>init <replaceable>[EXAMPLE.COM]</replaceable></command></userinput></screen>
|
---|
[b4b71892] | 278 |
|
---|
| 279 | <para>
|
---|
[359e1043] | 280 | The database must now be populated with at least one principle (user). For now,
|
---|
| 281 | just use your regular login name or root. You may create as few, or as many
|
---|
| 282 | principles as you wish using the following statement:
|
---|
[b4b71892] | 283 | </para>
|
---|
| 284 |
|
---|
| 285 | <screen><userinput><command>add <replaceable>[loginname]</replaceable></command></userinput></screen>
|
---|
| 286 |
|
---|
| 287 | <para>
|
---|
| 288 | The <acronym>KDC</acronym> server and any machine running kerberized
|
---|
| 289 | server daemons must have a host key installed:
|
---|
| 290 | </para>
|
---|
| 291 |
|
---|
[359e1043] | 292 | <screen><userinput><command>add --random-key host/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
|
---|
[b4b71892] | 293 |
|
---|
| 294 | <para>
|
---|
| 295 | After choosing the defaults when prompted, you will have to export the
|
---|
| 296 | data to a keytab file:
|
---|
| 297 | </para>
|
---|
| 298 |
|
---|
[359e1043] | 299 | <screen><userinput><command>ext host/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
|
---|
[b4b71892] | 300 |
|
---|
| 301 | <para>
|
---|
| 302 | This should have created two files in
|
---|
[359e1043] | 303 | <filename class="directory">/etc/heimdal</filename>:
|
---|
[b4b71892] | 304 | <filename>krb5.keytab</filename> (Kerberos 5) and
|
---|
| 305 | <filename>srvtab</filename> (Kerberos 4). Both files should have 600
|
---|
| 306 | (root rw only) permissions. Keeping the keytab files from public access
|
---|
| 307 | is crucial to the overall security of the Kerberos installation.
|
---|
| 308 | </para>
|
---|
| 309 |
|
---|
| 310 | <para>
|
---|
| 311 | Eventually, you'll want to add server daemon principles to the database
|
---|
| 312 | and extract them to the keytab file. You do this in the same way you
|
---|
| 313 | created the host principles. Below is an example:
|
---|
| 314 | </para>
|
---|
| 315 |
|
---|
[359e1043] | 316 | <screen><userinput><command>add --random-key ftp/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
|
---|
[b4b71892] | 317 |
|
---|
| 318 | <para>
|
---|
| 319 | (choose the defaults)
|
---|
| 320 | </para>
|
---|
| 321 |
|
---|
[359e1043] | 322 | <screen><userinput><command>ext ftp/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
|
---|
[b4b71892] | 323 |
|
---|
| 324 | <para>
|
---|
| 325 | Exit the <command>kadmin</command> program (use <command>quit</command>
|
---|
| 326 | or <command>exit</command>) and return back to the shell prompt. Start
|
---|
| 327 | the <acronym>KDC</acronym> daemon manually, just to test out the
|
---|
| 328 | installation:
|
---|
| 329 | </para>
|
---|
| 330 |
|
---|
| 331 | <screen><userinput><command>/usr/sbin/kdc &</command></userinput></screen>
|
---|
| 332 |
|
---|
| 333 | <para>
|
---|
| 334 | Attempt to get a <acronym>TGT</acronym> (ticket granting ticket) with the
|
---|
| 335 | following command:
|
---|
| 336 | </para>
|
---|
| 337 |
|
---|
| 338 | <screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
|
---|
| 339 |
|
---|
| 340 | <para>
|
---|
| 341 | You will be prompted for the password you created. After you get your
|
---|
| 342 | ticket, you should list it with the following command:
|
---|
| 343 | </para>
|
---|
| 344 |
|
---|
| 345 | <screen><userinput><command>klist</command></userinput></screen>
|
---|
| 346 |
|
---|
| 347 | <para>
|
---|
| 348 | Information about the ticket should be displayed on the screen.
|
---|
| 349 | </para>
|
---|
| 350 |
|
---|
| 351 | <para>
|
---|
[359e1043] | 352 | To test the functionality of the keytab file, issue the following command:
|
---|
[b4b71892] | 353 | </para>
|
---|
| 354 |
|
---|
| 355 | <screen><userinput><command>ktutil list</command></userinput></screen>
|
---|
| 356 |
|
---|
| 357 | <para>
|
---|
| 358 | This should dump a list of the host principals, along with the encryption
|
---|
| 359 | methods used to access the principals.
|
---|
| 360 | </para>
|
---|
| 361 |
|
---|
| 362 | <para>
|
---|
| 363 | At this point, if everything has been successful so far, you can feel
|
---|
| 364 | fairly confident in the installation and configuration of the package.
|
---|
| 365 | </para>
|
---|
| 366 |
|
---|
| 367 | <para>Install the <filename>/etc/rc.d/init.d/heimdal</filename> init script
|
---|
| 368 | included in the <xref linkend="intro-important-bootscripts"/>
|
---|
[359e1043] | 369 | package:</para>
|
---|
[b4b71892] | 370 |
|
---|
| 371 | <screen><userinput><command>make install-heimdal</command></userinput></screen>
|
---|
| 372 |
|
---|
| 373 | </sect4>
|
---|
| 374 |
|
---|
| 375 | <sect4><title>Using Kerberized Client Programs</title>
|
---|
| 376 |
|
---|
| 377 | <para>
|
---|
| 378 | To use the kerberized client programs (<command>telnet</command>,
|
---|
| 379 | <command>ftp</command>, <command>rsh</command>,
|
---|
| 380 | <command>rxterm</command>, <command>rxtelnet</command>,
|
---|
| 381 | <command>rcp</command>, <command>xnlock</command>), you first must get
|
---|
| 382 | a <acronym>TGT</acronym>. Use the <command>kinit</command> program to
|
---|
| 383 | get the ticket. After you've acquired the ticket, you can use the
|
---|
| 384 | kerberized programs to connect to any kerberized server on the network.
|
---|
| 385 | You will not be prompted for authentication until your ticket expires
|
---|
| 386 | (default is one day), unless you specify a different user as a command
|
---|
| 387 | line argument to the program.
|
---|
| 388 | </para>
|
---|
| 389 |
|
---|
| 390 | <para>
|
---|
[359e1043] | 391 | The kerberized programs will connect to non-kerberized daemons, warning
|
---|
[b4b71892] | 392 | you that authentication is not encrypted. As mentioned earlier, only the
|
---|
[359e1043] | 393 | <command>ftp</command> program gives any trouble connecting to
|
---|
| 394 | non-kerberized daemons.
|
---|
[b4b71892] | 395 | </para>
|
---|
| 396 |
|
---|
[359e1043] | 397 | <para>In order to use the <application>Heimdal</application>
|
---|
| 398 | <application>X</application> programs, you'll need to add a service port
|
---|
| 399 | entry to the <filename>/etc/services</filename> file for the
|
---|
| 400 | <command>kxd</command> server. There is no 'standardized port number' for
|
---|
| 401 | the 'kx' service in the IANA database, so you'll have to pick an unused port
|
---|
| 402 | number. Add an entry to the <filename>services</filename> file similar to the
|
---|
| 403 | entry below (substitute your chosen port number for
|
---|
| 404 | <replaceable>[49150]</replaceable>):</para>
|
---|
| 405 |
|
---|
| 406 | <screen><userinput>kx <replaceable>[49150]</replaceable>/tcp # Heimdal kerberos X
|
---|
| 407 | kx <replaceable>[49150]</replaceable>/udp # Heimdal kerberos X</userinput></screen>
|
---|
| 408 |
|
---|
[b4b71892] | 409 | <para>
|
---|
| 410 | For additional information consult <ulink
|
---|
| 411 | url="http://www.linuxfromscratch.org/hints/downloads/files/heimdal.txt">the
|
---|
| 412 | Heimdal hint</ulink> on which the above instructions are based.
|
---|
| 413 | </para>
|
---|
| 414 |
|
---|
| 415 | </sect4>
|
---|
| 416 |
|
---|
| 417 | </sect3>
|
---|
| 418 |
|
---|
| 419 | </sect2>
|
---|
| 420 |
|
---|
| 421 | <sect2>
|
---|
| 422 | <title>Contents</title>
|
---|
| 423 |
|
---|
| 424 | <para>The <application>Heimdal</application> package contains
|
---|
| 425 | <command>afslog</command>,
|
---|
| 426 | <command>dump_log</command>,
|
---|
| 427 | <command>ftp</command>,
|
---|
| 428 | <command>ftpd</command>,
|
---|
| 429 | <command>hprop</command>,
|
---|
| 430 | <command>hpropd</command>,
|
---|
| 431 | <command>ipropd-master</command>,
|
---|
| 432 | <command>ipropd-slave</command>,
|
---|
| 433 | <command>kadmin</command>,
|
---|
| 434 | <command>kadmind</command>,
|
---|
| 435 | <command>kauth</command>,
|
---|
| 436 | <command>kdc</command>,
|
---|
| 437 | <command>kdestroy</command>,
|
---|
| 438 | <command>kf</command>,
|
---|
| 439 | <command>kfd</command>,
|
---|
| 440 | <command>kgetcred</command>,
|
---|
| 441 | <command>kinit</command>,
|
---|
| 442 | <command>klist</command>,
|
---|
| 443 | <command>kpasswd</command>,
|
---|
| 444 | <command>kpasswdd</command>,
|
---|
| 445 | <command>krb5-config</command>,
|
---|
| 446 | <command>kstash</command>,
|
---|
| 447 | <command>ktutil</command>,
|
---|
| 448 | <command>kx</command>,
|
---|
| 449 | <command>kxd</command>,
|
---|
| 450 | <command>login</command>,
|
---|
| 451 | <command>mk_cmds</command>,
|
---|
| 452 | <command>otp</command>,
|
---|
| 453 | <command>otpprint</command>,
|
---|
| 454 | <command>pagsh</command>,
|
---|
| 455 | <command>pfrom</command>,
|
---|
| 456 | <command>popper</command>,
|
---|
| 457 | <command>push</command>,
|
---|
| 458 | <command>rcp</command>,
|
---|
| 459 | <command>replay_log</command>,
|
---|
| 460 | <command>rsh</command>,
|
---|
| 461 | <command>rshd</command>,
|
---|
| 462 | <command>rxtelnet</command>,
|
---|
| 463 | <command>rxterm</command>,
|
---|
| 464 | <command>string2key</command>,
|
---|
| 465 | <command>su</command>,
|
---|
| 466 | <command>telnet</command>,
|
---|
| 467 | <command>telnetd</command>,
|
---|
| 468 | <command>tenletxr</command>,
|
---|
| 469 | <command>truncate_log</command>,
|
---|
| 470 | <command>verify_krb5_conf</command>,
|
---|
| 471 | <command>xnlock</command>,
|
---|
| 472 | <filename class="libraryfile">libasn1</filename>,
|
---|
| 473 | <filename class="libraryfile">libeditline</filename>,
|
---|
| 474 | <filename class="libraryfile">libgssapi</filename>,
|
---|
| 475 | <filename class="libraryfile">libhdb</filename>,
|
---|
| 476 | <filename class="libraryfile">libkadm5clnt</filename>,
|
---|
| 477 | <filename class="libraryfile">libkadm5srv</filename>,
|
---|
| 478 | <filename class="libraryfile">libkafs</filename>,
|
---|
| 479 | <filename class="libraryfile">libkrb5</filename>,
|
---|
| 480 | <filename class="libraryfile">libotp</filename>,
|
---|
| 481 | <filename class="libraryfile">libroken</filename>,
|
---|
| 482 | <filename class="libraryfile">libsl</filename> and
|
---|
| 483 | <filename class="libraryfile">libss</filename>.
|
---|
| 484 | </para>
|
---|
| 485 |
|
---|
| 486 | </sect2>
|
---|
| 487 |
|
---|
| 488 | <sect2><title>Description</title>
|
---|
| 489 |
|
---|
| 490 | <sect3><title>afslog</title>
|
---|
[359e1043] | 491 | <para><command>afslog</command> obtains <acronym>AFS</acronym> tokens for a
|
---|
| 492 | number of cells.</para></sect3>
|
---|
[b4b71892] | 493 |
|
---|
| 494 | <sect3><title>hprop</title>
|
---|
| 495 | <para><command>hprop</command> takes a principal database in a specified
|
---|
[359e1043] | 496 | format and converts it into a stream of <application>Heimdal</application>
|
---|
| 497 | database records.</para></sect3>
|
---|
[b4b71892] | 498 |
|
---|
| 499 | <sect3><title>hpropd</title>
|
---|
| 500 | <para><command>hpropd</command> receives a database sent by
|
---|
[359e1043] | 501 | <command>hprop</command> and writes it as a local database.</para></sect3>
|
---|
[b4b71892] | 502 |
|
---|
| 503 | <sect3><title>kadmin</title>
|
---|
[359e1043] | 504 | <para><command>kadmin</command> is a utility used to make modifications
|
---|
[b4b71892] | 505 | to the Kerberos database.</para></sect3>
|
---|
| 506 |
|
---|
| 507 | <sect3><title>kadmind</title>
|
---|
| 508 | <para><command>kadmind</command> is a server for administrative access
|
---|
[359e1043] | 509 | to the Kerberos database.</para></sect3>
|
---|
[b4b71892] | 510 |
|
---|
| 511 | <sect3><title>kauth, kinit</title>
|
---|
| 512 | <para><command>kauth</command> and <command>kinit</command> are used to
|
---|
[359e1043] | 513 | authenticate to the Kerberos server as a principal and acquire a ticket
|
---|
[b4b71892] | 514 | granting ticket that can later be used to obtain tickets for other
|
---|
| 515 | services.</para></sect3>
|
---|
| 516 |
|
---|
| 517 | <sect3><title>kdc</title>
|
---|
| 518 | <para><command>kdc</command> is a Kerberos 5 server.</para></sect3>
|
---|
| 519 |
|
---|
| 520 | <sect3><title>kdestroy</title>
|
---|
[359e1043] | 521 | <para><command>kdestroy</command> removes a principle's current set of
|
---|
[b4b71892] | 522 | tickets.</para></sect3>
|
---|
| 523 |
|
---|
| 524 | <sect3><title>kf</title>
|
---|
| 525 | <para><command>kf</command> is a program which forwards tickets to a
|
---|
| 526 | remote host through an authenticated and encrypted
|
---|
| 527 | stream.</para></sect3>
|
---|
| 528 |
|
---|
| 529 | <sect3><title>kfd</title>
|
---|
| 530 | <para><command>kfd</command> receives forwarded tickets.</para></sect3>
|
---|
| 531 |
|
---|
| 532 | <sect3><title>kgetcred</title>
|
---|
| 533 | <para><command>kgetcred</command> obtains a ticket for a
|
---|
| 534 | service.</para></sect3>
|
---|
| 535 |
|
---|
| 536 | <sect3><title>klist</title>
|
---|
| 537 | <para><command>klist</command> reads and displays the current tickets in
|
---|
| 538 | the credential cache.</para></sect3>
|
---|
| 539 |
|
---|
| 540 | <sect3><title>kpasswd</title>
|
---|
| 541 | <para><command>kpasswd</command> is a program for changing Kerberos 5
|
---|
| 542 | passwords.</para></sect3>
|
---|
| 543 |
|
---|
| 544 | <sect3><title>kpasswdd</title>
|
---|
| 545 | <para><command>kpasswdd</command> is a Kerberos 5 password changing
|
---|
| 546 | server.</para></sect3>
|
---|
| 547 |
|
---|
| 548 | <sect3><title>krb5-config</title>
|
---|
| 549 | <para><command>krb5-config</command> gives information on how to link
|
---|
[359e1043] | 550 | programs against <application>Heimdal</application> libraries.</para></sect3>
|
---|
[b4b71892] | 551 |
|
---|
| 552 | <sect3><title>kstash</title>
|
---|
| 553 | <para><command>kstash</command> stores the <acronym>KDC</acronym> master
|
---|
| 554 | password in a file.</para></sect3>
|
---|
| 555 |
|
---|
| 556 | <sect3><title>ktutil</title>
|
---|
| 557 | <para><command>ktutil</command> is a program for managing Kerberos
|
---|
| 558 | keytabs.</para></sect3>
|
---|
| 559 |
|
---|
| 560 | <sect3><title>kx</title>
|
---|
[359e1043] | 561 | <para><command>kx</command> is a program which securely forwards
|
---|
| 562 | <application>X</application> connections.</para></sect3>
|
---|
[b4b71892] | 563 |
|
---|
| 564 | <sect3><title>kxd</title>
|
---|
| 565 | <para><command>kxd</command> is the daemon for
|
---|
| 566 | <command>kx</command>.</para></sect3>
|
---|
| 567 |
|
---|
| 568 | <sect3><title>otp</title>
|
---|
| 569 | <para><command>otp</command> manages one-time passwords.</para></sect3>
|
---|
| 570 |
|
---|
| 571 | <sect3><title>otpprint</title>
|
---|
| 572 | <para><command>otpprint</command> prints lists of one-time
|
---|
| 573 | passwords.</para></sect3>
|
---|
| 574 |
|
---|
| 575 | <sect3><title>rxtelnet</title>
|
---|
[359e1043] | 576 | <para><command>rxtelnet</command> starts an <command>xterm</command>
|
---|
| 577 | window with a telnet to a given host and forwards
|
---|
| 578 | <application>X</application> connections.</para></sect3>
|
---|
[b4b71892] | 579 |
|
---|
| 580 | <sect3><title>rxterm</title>
|
---|
| 581 | <para><command>rxterm</command> starts a secure remote
|
---|
| 582 | <command>xterm</command>.</para></sect3>
|
---|
| 583 |
|
---|
| 584 | <sect3><title>string2key</title>
|
---|
| 585 | <para><command>string2key</command> maps a password into a
|
---|
| 586 | key.</para></sect3>
|
---|
| 587 |
|
---|
| 588 | <sect3><title>tenletxr</title>
|
---|
[359e1043] | 589 | <para><command>tenletxr</command> forwards <application>X</application>
|
---|
| 590 | connections backwards.</para></sect3>
|
---|
[b4b71892] | 591 |
|
---|
| 592 | <sect3><title>verify_krb5_conf</title>
|
---|
| 593 | <para><command>verify_krb5_conf</command> checks
|
---|
| 594 | <filename>krb5.conf</filename> file for obvious errors.</para></sect3>
|
---|
| 595 |
|
---|
| 596 | <sect3><title>xnlock</title>
|
---|
| 597 | <para><command>xnlock</command> is a program that acts as a secure screen
|
---|
[359e1043] | 598 | saver for workstations running <application>X</application>.</para></sect3>
|
---|
[b4b71892] | 599 |
|
---|
| 600 | </sect2>
|
---|
[6856556] | 601 |
|
---|
| 602 | </sect1>
|
---|