source: postlfs/security/heimdal.xml@ b4b71892
Last change on this file since b4b71892 was b4b71892, checked in by Bruce Dubbs <bdubbs@…>, 17 years ago

New XML Chapter 4

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2288 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
 <!ENTITY % general-entities SYSTEM "../../general.ent">
 %general-entities;

 <!ENTITY heimdal-download-http "http://ftp.vc-graz.ac.at/mirror/crypto/kerberos/heimdal/heimdal-&heimdal-version;.tar.gz">
 <!ENTITY heimdal-download-ftp "ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-&heimdal-version;.tar.gz">
 <!ENTITY heimdal-size "3.2 MB">
 <!ENTITY heimdal-buildsize "142 MB">
 <!ENTITY heimdal-time "2.55 SBU">
]>

<sect1 id="heimdal" xreflabel="Heimdal-&heimdal-version;">
<?dbhtml filename="heimdal.html"?>
<title>Heimdal-&heimdal-version;</title>

<sect2>
<title>Introduction to <application>Heimdal</application></title>

<para> <application>Heimdal</application> is a free implementation of Kerberos
5 that aims to be compatible with <acronym>MIT</acronym> krb5 and is backwards
compatible with krb4. Kerberos is a network authentication protocol: clients
prove their identity to a trusted Key Distribution Center
(<acronym>KDC</acronym>) and receive tickets, so the password itself never
crosses an untrusted network (like the Internet). Kerberized clients and
servers use those tickets, not passwords, to authenticate each other. A
Kerberos installation will make changes to the authentication mechanisms on
your network and will overwrite several programs and daemons from the
Coreutils, Inetutils, Qpopper and Shadow packages. </para>

<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink url="&heimdal-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink url="&heimdal-download-ftp;"/></para></listitem>
<listitem><para>Download size: &heimdal-size;</para></listitem>
<listitem><para>Estimated Disk space required: &heimdal-buildsize;</para></listitem>
<listitem><para>Estimated build time: &heimdal-time;</para></listitem></itemizedlist>
</sect3>

<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Required patch: <ulink
url="&patch-root;/heimdal-&heimdal-version;-fhs-compliance-1.patch"/></para>
</listitem>
<listitem><para>Optional patch (required only if you link against cracklib): <ulink
url="&patch-root;/heimdal-&heimdal-version;-cracklib-1.patch"/></para>
</listitem>
</itemizedlist>

</sect3>

<sect3><title><application>Heimdal</application> dependencies</title>
<sect4><title>Required</title>
<para>
<xref linkend="openssl"/> and
<xref linkend="db"/>
</para></sect4>
<sect4><title>Optional</title>
<para>
<xref linkend="readline"/>,
<xref linkend="Linux_PAM"/>,
<xref linkend="openldap"/>,
X (<xref linkend="xorg"/> or <xref linkend="xfree86"/>),
<xref linkend="cracklib"/> and
<ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink>
</para>

<note><para>
Some sort of time synchronization facility on your system (like <xref
linkend="ntp"/>) is required, since Kerberos tickets carry timestamps and
the <acronym>KDC</acronym> rejects authentication when the clock of a
kerberized client and the clock of the <acronym>KDC</acronym> server
differ by more than 5 minutes (the default clock skew
tolerance).</para></note>
</sect4>

</sect3>

</sect2>

<sect2>
<title>Installation of <application>Heimdal</application></title>

<para>
Before installing the package, you may want to preserve the
<command>ftp</command> program from the Inetutils package. This is
because using the Heimdal <command>ftp</command> program to connect to
non-kerberized ftp servers may not work properly. It will allow you to
connect (warning you that the password is transmitted in clear
text) but will have problems doing puts and gets.
</para>

<screen><userinput><command>mv /usr/bin/ftp /usr/bin/ftpn</command></userinput></screen>

<para>
If you wish the Heimdal package to link against the cracklib library
(so that <command>kpasswdd</command> can reject weak passwords),
you must apply a patch:
</para>

<screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-cracklib-1.patch</command></userinput></screen>

<para>Install <application>Heimdal</application> by running the following commands:</para>

<screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-fhs-compliance-1.patch &amp;&amp;
./configure --prefix=/usr --sysconfdir=/etc/heimdal \
 --datadir=/var/lib/heimdal --libexecdir=/usr/sbin \
 --sharedstatedir=/usr/share --localstatedir=/var/lib/heimdal \
 --enable-shared --with-openssl=/usr &amp;&amp;
make &amp;&amp;
make install &amp;&amp;
mv /bin/login /bin/login.shadow &amp;&amp;
mv /bin/su /bin/su.coreutils &amp;&amp;
mv /usr/bin/{login,su} /bin &amp;&amp;
ln -sf ../../bin/login /usr/bin &amp;&amp;
mv /usr/lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /lib &amp;&amp;
mv /usr/lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /lib &amp;&amp;
mv /usr/lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /lib &amp;&amp;
mv /usr/lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /lib &amp;&amp;
ln -sf ../../lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /usr/lib &amp;&amp;
ln -sf ../../lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /usr/lib &amp;&amp;
ln -sf ../../lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /usr/lib &amp;&amp;
ln -sf ../../lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /usr/lib &amp;&amp;
ldconfig</command></userinput></screen>

</sect2>

<sect2>
<title>Command explanations</title>

<para><parameter>--libexecdir=/usr/sbin</parameter>:
This switch puts the daemon programs into <filename
class="directory">/usr/sbin</filename>.
</para>

<note><para>
If you want to preserve all your existing Inetutils package daemons,
install the Heimdal daemons into <filename
class="directory">/usr/sbin/heimdal</filename> (or wherever you want).
Since these programs will be called from <command>(x)inetd</command> or
<command>rc</command> scripts, it really doesn't matter where they live,
as long as they are correctly specified in the
<filename>/etc/(x)inetd.conf</filename> file and <command>rc</command>
scripts. If you choose something other than <filename
class="directory">/usr/sbin</filename>, you may want to move some of the
user programs (such as <command>kadmin</command>) to <filename
class="directory">/usr/sbin</filename> manually.
</para></note>

<para>
<screen><command>mv /bin/login /bin/login.shadow
mv /bin/su /bin/su.coreutils
mv /usr/bin/{login,su} /bin
ln -sf ../../bin/login /usr/bin</command></screen>
The <command>login</command> and <command>su</command> programs
installed by Heimdal belong in the <filename
class="directory">/bin</filename> directory. The
<command>login</command> program is symlinked because Heimdal expects
to find it in <filename class="directory">/usr/bin</filename>. We
preserve the old executables before the move so that they can be
restored should anything break.
</para>

<para>
<screen><command>mv /usr/lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /lib
mv /usr/lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /lib
mv /usr/lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /lib
mv /usr/lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /lib
ln -sf ../../lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /usr/lib
ln -sf ../../lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /usr/lib
ln -sf ../../lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /usr/lib
ln -sf ../../lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /usr/lib</command></screen>
The <command>login</command> and <command>su</command> programs
installed by Heimdal link against Heimdal libraries as well as crypto
and db libraries. We move these libraries to <filename
class="directory">/lib</filename> to be <acronym>FHS</acronym>
compliant and so that <command>login</command> and <command>su</command>
keep working when <filename class="directory">/usr</filename> is located
on a separate partition which is not yet mounted (for example in
single-user mode).
</para>

</sect2>

<sect2>
<title>Configuring Heimdal</title>

<sect3><title>Config files</title>
<para><filename>/etc/heimdal/*</filename></para>
</sect3>

<sect3><title>Configuration Information</title>

<sect4><title>Master KDC Server Configuration</title>

<para>
Create the Kerberos configuration file with the following command:
</para>

<screen><userinput><command>install -d /etc/heimdal &amp;&amp;
cat &gt; /etc/heimdal/krb5.conf &lt;&lt; "EOF"</command>
# Begin /etc/heimdal/krb5.conf

[libdefaults]
 default_realm = <replaceable>[LFS.ORG]</replaceable>
 encrypt = true

[realms]
 <replaceable>[LFS.ORG]</replaceable> = {
 kdc = <replaceable>[belgarath.lfs.org]</replaceable>
 admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
 kpasswd_server = <replaceable>[belgarath.lfs.org]</replaceable>
 }

[domain_realm]
 .<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>

[logging]
 kdc = FILE:/var/log/kdc.log
 admin_server = FILE:/var/log/kadmin.log
 default = FILE:/var/log/krb.log

# End /etc/heimdal/krb5.conf
<command>EOF</command></userinput></screen>

<para>
You will need to substitute your domain and the fully qualified hostname
of your <acronym>KDC</acronym> for the occurrences of the belgarath and
lfs.org names.
</para>

<para>
<userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS.
This isn't required, but both Heimdal and <acronym>MIT</acronym>
recommend it. Realm names are case-sensitive, so use exactly the same
spelling everywhere the realm appears.
</para>

<para>
<userinput>encrypt = true</userinput> tells the kerberized client
programs (<command>telnet</command>, <command>rsh</command> and so on)
to encrypt all traffic between them and the kerberized servers by
default. It is not required and can be left off. If you leave it off,
you can still encrypt the traffic from the client to the server by
passing the encryption switch to the client program instead.
</para>

<para>
The <userinput>[realms]</userinput> parameters tell the client programs where to look for the
<acronym>KDC</acronym> authentication services of each realm.
</para>

<para>
The <userinput>[domain_realm]</userinput> section maps <acronym>DNS</acronym>
host names (here, every host under lfs.org) to a realm, so that host and
service principals are looked up in the correct realm.
</para>

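<para>
The following shell script is an added example (it is not part of the book,
the Heimdal hint or Heimdal itself) that checks a <filename>krb5.conf</filename>
laid out as above for the mistakes the explanations warn about: a
<userinput>default_realm</userinput> that is not upper case, a default realm with
no <userinput>[realms]</userinput> block or no <userinput>kdc</userinput>, and a
<userinput>[domain_realm]</userinput> mapping that does not point at the default
realm. Unlike <command>verify_krb5_conf</command> it needs only POSIX
<command>sh</command>, <command>awk</command>, <command>grep</command>,
<command>sed</command> and <command>tr</command>, so it can run on a machine
without Heimdal installed. The realm LFS.ORG, the host belgarath.lfs.org and the
temporary files are constructed for the demonstration.
</para>

```shell
#!/bin/sh
# Added example (not part of the BLFS book or of Heimdal): sanity-check a
# krb5.conf of the shape shown in the book for realm/domain mistakes.
# Assumes POSIX sh with awk, grep, sed and tr. Realm and host names below
# are constructed for the demonstration.

# krb5_conf_section FILE SECTION: print the lines belonging to [SECTION]
krb5_conf_section() {
    awk -v want="$2" '
        /^[ \t]*\[/ { insec = ($0 ~ ("^[ \t]*\\[" want "\\]")); next }
        insec { print }
    ' "$1"
}

# krb5_conf_value FILE SECTION KEY: print the first "KEY = value" in [SECTION]
krb5_conf_value() {
    krb5_conf_section "$1" "$2" | awk -v key="$3" -F'=' '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    '
}

# check_krb5_conf FILE: exit status 0 if every check passes, 1 otherwise,
# printing one line per problem. Realm names are case-sensitive, so a
# realm spelled differently in two places is a real failure.
check_krb5_conf() {
    file=$1; rc=0
    realm=$(krb5_conf_value "$file" libdefaults default_realm)
    if [ -z "$realm" ]; then
        echo "$file: no default_realm in [libdefaults]"; return 1
    fi
    if [ "$realm" != "$(printf %s "$realm" | tr a-z A-Z)" ]; then
        echo "$file: default_realm $realm is not upper case"; rc=1
    fi
    # [realms] needs a block for the default realm that names a KDC
    esc=$(printf %s "$realm" | sed 's/\./\\./g')
    if ! krb5_conf_section "$file" realms | grep -q "^[[:space:]]*$esc[[:space:]]*=[[:space:]]*{"; then
        echo "$file: no [realms] block for $realm"; rc=1
    fi
    if [ -z "$(krb5_conf_value "$file" realms kdc)" ]; then
        echo "$file: no kdc listed under [realms]"; rc=1
    fi
    # [domain_realm] must map the lower-cased domain onto the realm, or
    # host/ and service principals for this domain resolve into the wrong realm
    domain=$(printf %s "$realm" | tr A-Z a-z)
    if [ "$(krb5_conf_value "$file" domain_realm ".$domain")" != "$realm" ]; then
        echo "$file: [domain_realm] does not map .$domain to $realm"; rc=1
    fi
    return $rc
}

# write_sample_conf REALM KDC DOMAIN FILE: constructed sample in the book's layout
write_sample_conf() {
    printf '[libdefaults]\n default_realm = %s\n encrypt = true\n\n[realms]\n %s = {\n kdc = %s\n admin_server = %s\n kpasswd_server = %s\n }\n\n[domain_realm]\n .%s = %s\n' \
        "$1" "$1" "$2" "$2" "$2" "$3" "$1" > "$4"
}

tmp=$(mktemp -d)
write_sample_conf LFS.ORG belgarath.lfs.org lfs.org "$tmp/good.conf"
write_sample_conf lfs.org belgarath.lfs.org lfs.org "$tmp/bad.conf"
check_krb5_conf "$tmp/good.conf" || echo "good.conf rejected"
check_krb5_conf "$tmp/bad.conf" || echo "bad.conf rejected, as expected"
```

<para>
Run it as <command>check_krb5_conf /etc/heimdal/krb5.conf</command> after
editing the file; a silent run with exit status 0 means the realm, its
<acronym>KDC</acronym> entry and the domain mapping agree with each other.
</para>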
<para>
Create the master key that encrypts the <acronym>KDC</acronym> database.
<command>kstash</command> prompts for a master password and stores the
key derived from it in a file under <filename
class="directory">/var/lib/heimdal</filename>; like the keytab, that file
must stay readable by root only:
</para>

<screen><userinput><command>install -d -m 755 /var/lib/heimdal &amp;&amp;
kstash</command></userinput></screen>

<para>
Create the <acronym>KDC</acronym> database:
</para>

<screen><userinput><command>kadmin -l</command></userinput></screen>

<para>
Choose the defaults for now. You can go in later and change the
defaults, should you feel the need. At the
<userinput>kadmin&gt;</userinput> prompt, issue the following statement:
</para>

<screen><userinput><command>init <replaceable>[LFS.ORG]</replaceable></command></userinput></screen>

<para>
Now we need to populate the database with principals (users). For now,
just use your regular login name or root. You will be prompted for the
principal's password.
</para>

<screen><userinput><command>add <replaceable>[loginname]</replaceable></command></userinput></screen>

<para>
The <acronym>KDC</acronym> server and any machine running kerberized
server daemons must have a host key installed. Host principals never
type a password, so give them a random key:
</para>

<screen><userinput><command>add --random-key host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>

<para>
After choosing the defaults when prompted, you will have to export the
key to a keytab file:
</para>

<screen><userinput><command>ext host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>

<para>
This should have created two files in
<filename class="directory">/etc/heimdal</filename>;
<filename>krb5.keytab</filename> (Kerberos 5) and
<filename>srvtab</filename> (Kerberos 4). Both files should have 600
(root rw only) permissions. Keeping the keytab files from public access
is crucial to the overall security of the Kerberos installation: anyone
who can read a keytab holds the long-term keys of the principals in it
and can impersonate those services.
</para>

<para>
Eventually, you'll want to add server daemon principals to the database
and extract them to the keytab file. You do this in the same way you
created the host principals. Below is an example:
</para>

<screen><userinput><command>add --random-key ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>

<para>
(choose the defaults)
</para>

<screen><userinput><command>ext ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>

<para>
Exit the <command>kadmin</command> program (use <command>quit</command>
or <command>exit</command>) and return to the shell prompt. Start
the <acronym>KDC</acronym> daemon manually, just to test out the
installation:
</para>

<screen><userinput><command>/usr/sbin/kdc &amp;</command></userinput></screen>

<para>
Attempt to get a <acronym>TGT</acronym> (ticket granting ticket) with the
following command:
</para>

<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>

<para>
You will be prompted for the password you created. After you get your
ticket, you should list it with the following command:
</para>

<screen><userinput><command>klist</command></userinput></screen>

<para>
Information about the ticket should be displayed on the screen.
</para>

<para>
To test the functionality of the keytab file, issue the following
command:
</para>

<screen><userinput><command>ktutil list</command></userinput></screen>

<para>
This should dump a list of the host and service principals stored in the
keytab, along with the key version number and encryption type of each
key.
</para>

<para>
At this point, if everything has been successful so far, you can feel
fairly confident in the installation and configuration of the package.
</para>

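<para>
The whole bootstrap above (<command>kstash</command>, then
<command>init</command>, <command>add</command> and <command>ext</command>
inside <command>kadmin -l</command>, then the keytab permission check) can be
driven non-interactively, which is how you would repeat it on a second
<acronym>KDC</acronym> or in a rebuild. The script below is an added example;
it is not part of the book, the Heimdal hint or Heimdal itself. It assumes
Heimdal's <command>kstash</command> and <command>kadmin</command> on the
<envar>PATH</envar>, a <command>kstash</command> that accepts
<parameter>--random-key</parameter> (older releases prompt for a master password
instead, in which case drop the option), GNU <command>stat</command>, and the
constructed realm LFS.ORG, host belgarath.lfs.org and user name loginname from
the text; <command>ext_keytab</command> is the full name of the
<command>ext</command> command used above, and the master key path is assumed
to be <filename>/var/lib/heimdal/m-key</filename>. With
<envar>DRY_RUN</envar>=1 (the default here) it only prints the commands it
would run.
</para>

```shell
#!/bin/sh
# Added example, not part of the BLFS book or of Heimdal: the KDC bootstrap
# described in the book as a non-interactive script. Assumes Heimdal's
# kstash and kadmin on PATH, a kstash that accepts --random-key, GNU stat,
# and the constructed realm LFS.ORG / host belgarath.lfs.org from the text.
# The master key path below is an assumption for this installation layout.
# With DRY_RUN=1 (the default here) the commands are printed, not run.

KEYTAB=${KEYTAB:-/etc/heimdal/krb5.keytab}
MKEY=${MKEY:-/var/lib/heimdal/m-key}

# run CMD...: execute, or print when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Realm names are conventionally the DNS domain in upper case, and host/
# service principals must carry the fully qualified host name.
is_upper() { [ "$1" = "$(printf %s "$1" | tr a-z A-Z)" ]; }
is_fqdn()  { case $1 in *.*) return 0 ;; *) return 1 ;; esac; }

# check_secret_file FILE [OWNER]: 0 if FILE is owned by OWNER (default
# root) and unreadable by group and others, which the book requires for
# the keytab and which kstash sets for the master key file.
check_secret_file() {
    file=$1; owner=${2:-root}
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    set -- $(stat -c '%a %U' "$file")
    case $1 in
        600|400) ;;
        *) echo "$file: mode $1, expected 600"; return 1 ;;
    esac
    [ "$2" = "$owner" ] || { echo "$file: owned by $2, expected $owner"; return 1; }
    return 0
}

# bootstrap_realm REALM KDCHOST ADMINUSER [SERVICE...]: create the realm,
# one user principal, the host principal and one principal per service
# (e.g. ftp), then extract the host and service keys into the keytab.
bootstrap_realm() {
    realm=$1; host=$2; user=$3; shift 3
    is_upper "$realm" || { echo "realm $realm should be upper case"; return 1; }
    is_fqdn "$host"   || { echo "$host is not a fully qualified host name"; return 1; }
    # master key that encrypts the principal database
    run kstash --random-key
    # the realm, with the lifetimes given instead of answered at prompts
    run kadmin -l init --realm-max-ticket-life=1d --realm-max-renewable-life=1w "$realm"
    # the administrator's own principal; only its password is prompted for
    run kadmin -l add --use-defaults "$user"
    # host and service principals never type a password, so use random keys
    run kadmin -l add --random-key --use-defaults "host/$host"
    for svc in "$@"; do
        run kadmin -l add --random-key --use-defaults "$svc/$host"
    done
    # extract the keys into the keytab the daemons on this host will read
    run kadmin -l ext_keytab -k "$KEYTAB" "host/$host"
    for svc in "$@"; do
        run kadmin -l ext_keytab -k "$KEYTAB" "$svc/$host"
    done
    # long-term keys on disk must stay root-only
    if [ "${DRY_RUN:-0}" != 1 ]; then
        check_secret_file "$MKEY" || return 1
        check_secret_file "$KEYTAB" || return 1
    fi
    return 0
}

DRY_RUN=${DRY_RUN:-1}
bootstrap_realm LFS.ORG belgarath.lfs.org loginname ftp
```

<para>
Review the printed plan, then run the script as root on the
<acronym>KDC</acronym> with <envar>DRY_RUN</envar>=0 to execute it; after a
real run, <command>ktutil list</command> should show the host and ftp
principals, and <command>check_secret_file</command> has already confirmed that
neither the keytab nor the master key file is readable by anyone but root.
</para>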
<para>Install the <filename>/etc/rc.d/init.d/heimdal</filename> init script
included in the <xref linkend="intro-important-bootscripts"/>
package.</para>

<screen><userinput><command>make install-heimdal</command></userinput></screen>

</sect4>

<sect4><title>Using Kerberized Client Programs</title>

<para>
To use the kerberized client programs (<command>telnet</command>,
<command>ftp</command>, <command>rsh</command>,
<command>rxterm</command>, <command>rxtelnet</command>,
<command>rcp</command>, <command>xnlock</command>), you first must get
a <acronym>TGT</acronym>. Use the <command>kinit</command> program to
get the ticket. After you've acquired the ticket, you can use the
kerberized programs to connect to any kerberized server on the network.
You will not be prompted for authentication until your ticket expires
(default is one day), unless you specify a different user as a command
line argument to the program.
</para>

<para>
The kerberized programs will connect to non-kerberized daemons, warning
you that they are falling back to clear-text password authentication. As
mentioned earlier, only the <command>ftp</command> program gives any
trouble connecting to non-kerberized daemons.
</para>

<para>
For additional information consult <ulink
url="http://www.linuxfromscratch.org/hints/downloads/files/heimdal.txt">the
Heimdal hint</ulink> on which the above instructions are based.
</para>

</sect4>

</sect3>

</sect2>

<sect2>
<title>Contents</title>

<para>The <application>Heimdal</application> package contains
<command>afslog</command>,
<command>dump_log</command>,
<command>ftp</command>,
<command>ftpd</command>,
<command>hprop</command>,
<command>hpropd</command>,
<command>ipropd-master</command>,
<command>ipropd-slave</command>,
<command>kadmin</command>,
<command>kadmind</command>,
<command>kauth</command>,
<command>kdc</command>,
<command>kdestroy</command>,
<command>kf</command>,
<command>kfd</command>,
<command>kgetcred</command>,
<command>kinit</command>,
<command>klist</command>,
<command>kpasswd</command>,
<command>kpasswdd</command>,
<command>krb5-config</command>,
<command>kstash</command>,
<command>ktutil</command>,
<command>kx</command>,
<command>kxd</command>,
<command>login</command>,
<command>mk_cmds</command>,
<command>otp</command>,
<command>otpprint</command>,
<command>pagsh</command>,
<command>pfrom</command>,
<command>popper</command>,
<command>push</command>,
<command>rcp</command>,
<command>replay_log</command>,
<command>rsh</command>,
<command>rshd</command>,
<command>rxtelnet</command>,
<command>rxterm</command>,
<command>string2key</command>,
<command>su</command>,
<command>telnet</command>,
<command>telnetd</command>,
<command>tenletxr</command>,
<command>truncate_log</command>,
<command>verify_krb5_conf</command>,
<command>xnlock</command>,
<filename class="libraryfile">libasn1</filename>,
<filename class="libraryfile">libeditline</filename>,
<filename class="libraryfile">libgssapi</filename>,
<filename class="libraryfile">libhdb</filename>,
<filename class="libraryfile">libkadm5clnt</filename>,
<filename class="libraryfile">libkadm5srv</filename>,
<filename class="libraryfile">libkafs</filename>,
<filename class="libraryfile">libkrb5</filename>,
<filename class="libraryfile">libotp</filename>,
<filename class="libraryfile">libroken</filename>,
<filename class="libraryfile">libsl</filename> and
<filename class="libraryfile">libss</filename>.

</para>

</sect2>

<sect2><title>Description</title>

<sect3><title>afslog</title>
<para><command>afslog</command> obtains AFS tokens for a number of
cells.</para></sect3>

<sect3><title>hprop</title>
<para><command>hprop</command> takes a principal database in a specified
format and converts it into a stream of Heimdal database
records.</para></sect3>

<sect3><title>hpropd</title>
<para><command>hpropd</command> receives a database sent by
<command>hprop</command> and writes it as a local
database.</para></sect3>

<sect3><title>kadmin</title>
<para><command>kadmin</command> is a utility used to make modifications
to the Kerberos database.</para></sect3>

<sect3><title>kadmind</title>
<para><command>kadmind</command> is a server for administrative access
to the Kerberos database.</para></sect3>

<sect3><title>kauth, kinit</title>
<para><command>kauth</command> and <command>kinit</command> are used to
authenticate to the Kerberos server as a principal and acquire a ticket
granting ticket that can later be used to obtain tickets for other
services.</para></sect3>

<sect3><title>kdc</title>
<para><command>kdc</command> is a Kerberos 5 server.</para></sect3>

<sect3><title>kdestroy</title>
<para><command>kdestroy</command> removes the current set of
tickets.</para></sect3>

<sect3><title>kf</title>
<para><command>kf</command> is a program which forwards tickets to a
remote host through an authenticated and encrypted
stream.</para></sect3>

<sect3><title>kfd</title>
<para><command>kfd</command> receives forwarded tickets.</para></sect3>

<sect3><title>kgetcred</title>
<para><command>kgetcred</command> obtains a ticket for a
service.</para></sect3>

<sect3><title>klist</title>
<para><command>klist</command> reads and displays the current tickets in
the credential cache.</para></sect3>

<sect3><title>kpasswd</title>
<para><command>kpasswd</command> is a program for changing Kerberos 5
passwords.</para></sect3>

<sect3><title>kpasswdd</title>
<para><command>kpasswdd</command> is a Kerberos 5 password changing
server.</para></sect3>

<sect3><title>krb5-config</title>
<para><command>krb5-config</command> gives information on how to link
programs against Heimdal libraries.</para></sect3>

<sect3><title>kstash</title>
<para><command>kstash</command> stores the <acronym>KDC</acronym> master
key in a file.</para></sect3>

<sect3><title>ktutil</title>
<para><command>ktutil</command> is a program for managing Kerberos
keytabs.</para></sect3>

<sect3><title>kx</title>
<para><command>kx</command> is a program which securely forwards X
connections.</para></sect3>

<sect3><title>kxd</title>
<para><command>kxd</command> is the daemon for
<command>kx</command>.</para></sect3>

<sect3><title>otp</title>
<para><command>otp</command> manages one-time passwords.</para></sect3>

<sect3><title>otpprint</title>
<para><command>otpprint</command> prints lists of one-time
passwords.</para></sect3>

<sect3><title>rxtelnet</title>
<para><command>rxtelnet</command> starts an
<command>xterm</command> window with a telnet to the given host and forwards
X connections.</para></sect3>

<sect3><title>rxterm</title>
<para><command>rxterm</command> starts a secure remote
<command>xterm</command>.</para></sect3>

<sect3><title>string2key</title>
<para><command>string2key</command> maps a password into a
key.</para></sect3>

<sect3><title>tenletxr</title>
<para><command>tenletxr</command> forwards X connections
backwards.</para></sect3>

<sect3><title>verify_krb5_conf</title>
<para><command>verify_krb5_conf</command> checks the
<filename>krb5.conf</filename> file for obvious errors.</para></sect3>

<sect3><title>xnlock</title>
<para><command>xnlock</command> is a program that acts as a secure screen
saver for workstations running X.</para></sect3>

</sect2>

</sect1>