source: postlfs/security/heimdal/heimdal-config.xml@ 22c4e1ee

Last change on this file since 22c4e1ee was 22c4e1ee, checked in by Tushar Teredesai <tushar@…>, 19 years ago

Makefile changes and entity fixes

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2085 af4574ff-66df-0310-9fd7-8a98e5e911e0

<sect2>
<title>Configuring Heimdal</title>

<sect3><title>Config files</title>
<para><filename>/etc/heimdal/*</filename></para>
</sect3>

<sect3><title>Configuration Information</title>

<sect4><title>Master KDC Server Configuration</title>

<para>
Create the Kerberos configuration file with the following command:
</para>

<screen><userinput><command>install -d /etc/heimdal &amp;&amp;
cat &gt; /etc/heimdal/krb5.conf &lt;&lt; "EOF"</command>
# Begin /etc/heimdal/krb5.conf

[libdefaults]
 default_realm = <replaceable>[LFS.ORG]</replaceable>
 encrypt = true

[realms]
 <replaceable>[LFS.ORG]</replaceable> = {
 kdc = <replaceable>[belgarath.lfs.org]</replaceable>
 admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
 kpasswd_server = <replaceable>[belgarath.lfs.org]</replaceable>
 }

[domain_realm]
 .<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>

[logging]
 kdc = FILE:/var/log/kdc.log
 admin_server = FILE:/var/log/kadmin.log
 default = FILE:/var/log/krb.log

# End /etc/heimdal/krb5.conf
<command>EOF</command></userinput></screen>

<para>
You will need to substitute your domain and proper hostname for the
occurrences of the belgarath and lfs.org names.
</para>

<para>
<userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS.
This isn't required, but both Heimdal and <acronym>MIT</acronym>
recommend it.
</para>

<para>
<userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized
clients and servers. It's not necessary and can be left off. If you
leave it off, you can encrypt all traffic from the client to the server
using a switch on the client program instead.
</para>

<para>
The <userinput>[realms]</userinput> parameters tell the client programs where to look for the
<acronym>KDC</acronym> authentication services.
</para>

<para>
The <userinput>[domain_realm]</userinput> section maps a DNS domain (the
leading dot covers every host within the domain) to a Kerberos realm.
</para>
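<para>
The following shell functions are an added example and not part of the BLFS book
or of Heimdal. They generate a <filename>krb5.conf</filename> in the layout
shown above from a domain and KDC host name (deriving the realm by upper-casing
the domain, as recommended) and then sanity-check the result: the default realm
must be upper-case and defined under <userinput>[realms]</userinput> with a
<userinput>kdc</userinput> entry, and every realm referenced in
<userinput>[domain_realm]</userinput> must also be defined. The function names,
the domain <userinput>lfs.org</userinput> and the host
<userinput>belgarath.lfs.org</userinput> are constructed sample values.
</para>

```shell
#!/bin/sh
# Added example (not part of the BLFS book or Heimdal): write a minimal
# Heimdal krb5.conf and check it for internal consistency before it is
# installed into /etc/heimdal. Function names are hypothetical.

# gen_krb5_conf DOMAIN KDC_HOST -> prints a krb5.conf on stdout.
# The realm is the domain converted to upper case, as the book recommends.
gen_krb5_conf() {
    domain=$1
    kdc=$2
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
# Begin krb5.conf (generated)

[libdefaults]
 default_realm = $realm
 encrypt = true

[realms]
 $realm = {
 kdc = $kdc
 admin_server = $kdc
 kpasswd_server = $kdc
 }

[domain_realm]
 .$domain = $realm

[logging]
 kdc = FILE:/var/log/kdc.log
 admin_server = FILE:/var/log/kadmin.log
 default = FILE:/var/log/krb.log

# End krb5.conf
EOF
}

# check_krb5_conf FILE -> 0 when the file is consistent, 1 otherwise.
# Checks: default_realm present and upper-case; default realm defined in
# [realms] with a kdc line; every realm named in [domain_realm] defined.
check_krb5_conf() {
    awk '
        /^\[/ { section = $0; next }
        section == "[libdefaults]" && $1 == "default_realm" { def = $3 }
        section == "[realms]" && $2 == "=" && $3 == "{" { realm = $1; defined[$1] = 1 }
        section == "[realms]" && $1 == "kdc" { haskdc[realm] = 1 }
        section == "[domain_realm]" && $2 == "=" { want[$3] = 1 }
        END {
            if (def == "" || def != toupper(def)) { print "bad default_realm"; exit 1 }
            if (!(def in defined) || !(def in haskdc)) { print "default realm has no kdc"; exit 1 }
            for (r in want) if (!(r in defined)) { print "unmapped realm " r; exit 1 }
            exit 0
        }' "$1"
}
```

<para>
Typical use is <userinput>gen_krb5_conf lfs.org belgarath.lfs.org &gt; krb5.conf.new
&amp;&amp; check_krb5_conf krb5.conf.new</userinput> before copying the file into
place; the check catches the common mistake of a realm that is spelled
differently in <userinput>[realms]</userinput> and
<userinput>[domain_realm]</userinput>, which leaves clients unable to locate the
KDC.
</para>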
<para>
Store the master password in a key file using the following commands:
</para>

<screen><userinput><command>install -d -m 755 /var/lib/heimdal &amp;&amp;
kstash</command></userinput></screen>

<para>
Create the <acronym>KDC</acronym> database:
</para>

<screen><userinput><command>kadmin -l</command></userinput></screen>

<para>
Choose the defaults for now. You can go in later and change the
defaults, should you feel the need. At the
<userinput>kadmin&gt;</userinput> prompt, issue the following statement:
</para>

<screen><userinput><command>init <replaceable>[LFS.ORG]</replaceable></command></userinput></screen>

<para>
Now we need to populate the database with principals (users). For now,
just use your regular login name or root.
</para>

<screen><userinput><command>add <replaceable>[loginname]</replaceable></command></userinput></screen>

<para>
The <acronym>KDC</acronym> server and any machine running kerberized
server daemons must have a host key installed:
</para>

<screen><userinput><command>add --random-key host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>

<para>
After choosing the defaults when prompted, you will have to export the
data to a keytab file:
</para>

<screen><userinput><command>ext host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>

<para>
This should have created two files in
<filename class="directory">/etc/heimdal</filename>:
<filename>krb5.keytab</filename> (Kerberos 5) and
<filename>srvtab</filename> (Kerberos 4). Both files should have 600
(root read/write only) permissions. Keeping the keytab files from public access
is crucial to the overall security of the Kerberos installation, since
anyone who can read them holds the host's long-term keys.
</para>
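<para>
The following shell functions are an added example, not part of the BLFS book
or of Heimdal, for verifying the permission requirement just stated. They check
that a keytab exists, is owned by the expected user (root by default) and has
mode 600, using only POSIX <command>ls -n</command> so they run on any system.
The function names are hypothetical; the directory argument would be
<filename class="directory">/etc/heimdal</filename> on a real host.
</para>

```shell
#!/bin/sh
# Added example (not part of the BLFS book or Heimdal): confirm that the
# keytab files written by "ext" are readable by root only. Function names
# are hypothetical.

# check_keytab_perms FILE [UID] -> 0 if FILE exists, is owned by UID
# (default 0, root) and has mode 600 (-rw-------); 1 otherwise, with a
# reason on stderr. Uses "ls -ln" so no GNU/BSD-specific stat flags are needed.
check_keytab_perms() {
    f=$1
    want_uid=${2:-0}
    if [ ! -f "$f" ]; then
        echo "$f: missing" >&2
        return 1
    fi
    # Fields: perms links uid gid size date... name
    set -- $(ls -ln "$f")
    perms=$(printf '%s' "$1" | cut -c1-10)   # drop a trailing "." or "+" (SELinux/ACL marker)
    uid=$3
    if [ "$uid" != "$want_uid" ]; then
        echo "$f: owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    if [ "$perms" != "-rw-------" ]; then
        echo "$f: mode $perms, expected -rw------- (600)" >&2
        return 1
    fi
    return 0
}

# check_heimdal_keytabs DIR [UID] -> checks both files that "ext" creates,
# krb5.keytab and srvtab, and returns 1 if either fails.
check_heimdal_keytabs() {
    rc=0
    for name in krb5.keytab srvtab; do
        check_keytab_perms "$1/$name" "${2:-0}" || rc=1
    done
    return $rc
}
```

<para>
Running <userinput>check_heimdal_keytabs /etc/heimdal</userinput> after the
<command>ext</command> step (and periodically from a cron job) reports any
keytab whose mode or owner has drifted from the requirement above.
</para>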

<para>
Eventually, you'll want to add server daemon principals to the database
and extract them to the keytab file. You do this in the same way you
created the host principal. Below is an example:
</para>

<screen><userinput><command>add --random-key ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>

<para>
(choose the defaults)
</para>

<screen><userinput><command>ext ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>

<para>
Exit the <command>kadmin</command> program (use <command>quit</command>
or <command>exit</command>) and return back to the shell prompt. Start
the <acronym>KDC</acronym> daemon manually, just to test out the
installation:
</para>

<screen><userinput><command>/usr/sbin/kdc &amp;</command></userinput></screen>

<para>
Attempt to get a ticket with the following command:
</para>

<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>

<para>
You will be prompted for the password you created. After you get your
ticket, you can list it with the following command:
</para>

<screen><userinput><command>klist</command></userinput></screen>

<para>
Information about the ticket should be displayed on the screen.
</para>

<para>
To test the functionality of the keytab file, issue the following
command:
</para>

<screen><userinput><command>ktutil list</command></userinput></screen>

<para>
This should dump a list of the host principal, along with the encryption
methods used to access the principal.
</para>

<para>
At this point, if everything has been successful so far, you can feel
fairly confident in the installation and configuration of the package.
</para>

<!--
<para>Install <filename>/etc/rc.d/init.d/heimdal</filename> init script
included in the <xref linkend="intro-important-bootscripts"/>
package.</para>

<screen><userinput><command>make install-heimdal</command></userinput></screen>
-->

<para>
To automate the running of the Kerberos server and the
<command>kpasswdd</command> daemon, use the following command to create
the init.d script:
</para>

<screen><userinput><command>cat &gt; /etc/rc.d/init.d/heimdal &lt;&lt; "EOF"</command>
#!/bin/sh
# Begin $rc_base/init.d/heimdal

# Based on sysklogd script from LFS-3.1 and earlier.
# Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org
# Heimdal bootscript submitted by Randy McMurchy - LFS-User@mcmurchy.com

. /etc/sysconfig/rc
. $rc_functions

case "$1" in
 start)
 echo "Starting KDC Server Daemon..."
 if test -f "/var/run/kdc.pid"
 then
 print_status warning running
 else
 /usr/sbin/kdc &amp;
 sleep 1
 if test -f "/var/run/kdc.pid"
 then
 print_status success
 else
 print_status failure
 fi
 fi
 echo "Starting KDC kpasswdd Daemon..."
 if test -f "/var/run/kpasswdd.pid"
 then
 print_status warning running
 else
 /usr/sbin/kpasswdd &amp;
 sleep 1
 if test -f "/var/run/kpasswdd.pid"
 then
 print_status success
 else
 print_status failure
 fi
 fi
 ;;

 stop)
 echo "Stopping KDC kpasswdd Daemon..."
 killproc /usr/sbin/kpasswdd
 echo "Stopping KDC Server Daemon..."
 killproc /usr/sbin/kdc
 ;;

 restart)
 $0 stop
 sleep 1
 $0 start
 ;;

 status)
 statusproc /usr/sbin/kdc
 statusproc /usr/sbin/kpasswdd
 ;;

 *)
 echo "Usage: $0 {start|stop|restart|status}"
 exit 1
 ;;
esac

# End $rc_base/init.d/heimdal
<command>EOF
chmod 754 /etc/rc.d/init.d/heimdal</command></userinput></screen>

<para>
Create the symbolic links to this file in the relevant <filename
class="directory">rc.d</filename> directory with the following commands:
</para>

<screen><userinput><command>cd /etc/rc.d/init.d &amp;&amp;
ln -sf ../init.d/heimdal ../rc0.d/K42heimdal &amp;&amp;
ln -sf ../init.d/heimdal ../rc1.d/K42heimdal &amp;&amp;
ln -sf ../init.d/heimdal ../rc2.d/K42heimdal &amp;&amp;
ln -sf ../init.d/heimdal ../rc3.d/S28heimdal &amp;&amp;
ln -sf ../init.d/heimdal ../rc4.d/S28heimdal &amp;&amp;
ln -sf ../init.d/heimdal ../rc5.d/S28heimdal &amp;&amp;
ln -sf ../init.d/heimdal ../rc6.d/K42heimdal</command></userinput></screen>

</sect4>

<sect4><title>Using Kerberized Client Programs</title>

<para>
To use the kerberized client programs (<command>telnet</command>,
<command>ftp</command>, <command>rsh</command>,
<command>rxterm</command>, <command>rxtelnet</command>,
<command>rcp</command>, <command>xnlock</command>), you first must get
an authentication ticket. Use the <command>kinit</command> program to
get the ticket. After you've acquired the ticket, you can use the
kerberized programs to connect to any kerberized server on the network.
You will not be prompted for authentication until your ticket expires
(default is one day), unless you specify a different user as a command
line argument to the program.
</para>

<para>
The kerberized programs will connect to non-kerberized daemons, warning
you that authentication is not encrypted. As mentioned earlier, only the
<command>ftp</command> program gives any trouble connecting to
non-kerberized daemons.
</para>

<para>
For additional information consult <ulink
url="http://www.linuxfromscratch.org/hints/downloads/files/heimdal.txt">the
Heimdal hint</ulink> on which the above instructions are based.
</para>

</sect4>

</sect3>

</sect2>