1 | <sect2>
|
---|
2 | <title>Configuring Heimdal</title>
|
---|
3 |
|
---|
4 | <sect3><title>Config files</title>
|
---|
5 | <para><filename>/etc/heimdal/*</filename></para>
|
---|
6 | </sect3>
|
---|
7 |
|
---|
8 | <sect3><title>Configuration Information</title>
|
---|
9 |
|
---|
10 | <sect4><title>Master KDC Server Configuration</title>
|
---|
11 |
|
---|
12 | <para>
|
---|
13 | Create the Kerberos configuration file with the following command:
|
---|
14 | </para>
|
---|
15 |
|
---|
16 | <screen><userinput><command>install -d /etc/heimdal &&
|
---|
17 | cat > /etc/heimdal/krb5.conf << "EOF"</command>
|
---|
18 | # Begin /etc/heimdal/krb5.conf
|
---|
19 |
|
---|
20 | [libdefaults]
|
---|
21 | default_realm = <replaceable>[LFS.ORG]</replaceable>
|
---|
22 | encrypt = true
|
---|
23 |
|
---|
24 | [realms]
|
---|
25 | <replaceable>[LFS.ORG]</replaceable> = {
|
---|
26 | kdc = <replaceable>[belgarath.lfs.org]</replaceable>
|
---|
27 | admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
|
---|
28 | kpasswd_server = <replaceable>[belgarath.lfs.org]</replaceable>
|
---|
29 | }
|
---|
30 |
|
---|
31 | [domain_realm]
|
---|
32 | .<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>
|
---|
33 |
|
---|
34 | [logging]
|
---|
35 | kdc = FILE:/var/log/kdc.log
|
---|
36 | admin_server = FILE:/var/log/kadmin.log
|
---|
37 | default = FILE:/var/log/krb.log
|
---|
38 |
|
---|
39 | # End /etc/heimdal/krb5.conf
|
---|
40 | <command>EOF</command></userinput></screen>
|
---|
41 |
|
---|
42 | <para>
|
---|
43 | You will need to substitute your domain and proper hostname for the
|
---|
44 | occurances of the belgarath and lfs.org names.
|
---|
45 | </para>
|
---|
46 |
|
---|
47 | <para>
|
---|
48 | <userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS.
|
---|
49 | This isn't required, but both Heimdal and <acronym>MIT</acronym>
|
---|
50 | recommend it.
|
---|
51 | </para>
|
---|
52 |
|
---|
53 | <para>
|
---|
54 | <userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized
|
---|
55 | clients and servers. It's not necessary and can be left off. If you
|
---|
56 | leave it off, you can encrypt all traffic from the client to the server
|
---|
57 | using a switch on the client program instead.
|
---|
58 | </para>
|
---|
59 |
|
---|
60 | <para>
|
---|
61 | The <userinput>[realms]</userinput> parameters tell the client programs where to look for the
|
---|
62 | <acronym>KDC</acronym> authentication services.
|
---|
63 | </para>
|
---|
64 |
|
---|
65 | <para>
|
---|
66 | The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
|
---|
67 | </para>
|
---|
68 |
|
---|
69 | <para>
|
---|
70 | Store the master password in a key file using the following commands:
|
---|
71 | </para>
|
---|
72 |
|
---|
73 | <screen><userinput><command>install -d -m 755 /var/lib/heimdal &&
|
---|
74 | kstash</command></userinput></screen>
|
---|
75 |
|
---|
76 | <para>
|
---|
77 | Create the <acronym>KDC</acronym> database:
|
---|
78 | </para>
|
---|
79 |
|
---|
80 | <screen><userinput><command>kadmin -l</command></userinput></screen>
|
---|
81 |
|
---|
82 | <para>
|
---|
83 | Choose the defaults for now. You can go in later and change the
|
---|
84 | defaults, should you feel the need. At the
|
---|
85 | <userinput>kadmin></userinput> prompt, issue the following statement:
|
---|
86 | </para>
|
---|
87 |
|
---|
88 | <screen><userinput><command>init <replaceable>[LFS.ORG]</replaceable></command></userinput></screen>
|
---|
89 |
|
---|
90 | <para>
|
---|
91 | Now we need to populate the database with principles (users). For now,
|
---|
92 | just use your regular login name or root.
|
---|
93 | </para>
|
---|
94 |
|
---|
95 | <screen><userinput><command>add <replaceable>[loginname]</replaceable></command></userinput></screen>
|
---|
96 |
|
---|
97 | <para>
|
---|
98 | The <acronym>KDC</acronym> server and any machine running kerberized
|
---|
99 | server daemons must have a host key installed:
|
---|
100 | </para>
|
---|
101 |
|
---|
102 | <screen><userinput><command>add --random-key host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
|
---|
103 |
|
---|
104 | <para>
|
---|
105 | After choosing the defaults when prompted, you will have to export the
|
---|
106 | data to a keytab file:
|
---|
107 | </para>
|
---|
108 |
|
---|
109 | <screen><userinput><command>ext host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
|
---|
110 |
|
---|
111 | <para>
|
---|
112 | This should have created two files in
|
---|
113 | <filename class="directory">/etc/heimdal</filename>;
|
---|
114 | <filename>krb5.keytab</filename> (Kerberos 5) and
|
---|
115 | <filename>srvtab</filename> (Kerberos 4). Both files should have 600
|
---|
116 | (root rw only) permissions. Keeping the keytab files from public access
|
---|
117 | is crucial to the overall security of the Kerberos installation.
|
---|
118 | </para>
|
---|
119 |
|
---|
120 | <para>
|
---|
121 | Eventually, you'll want to add server daemon principles to the database
|
---|
122 | and extract them to the keytab file. You do this in the same way you
|
---|
123 | created the host principles. Below is an example:
|
---|
124 | </para>
|
---|
125 |
|
---|
126 | <screen><userinput><command>add --random-key ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
|
---|
127 |
|
---|
128 | <para>
|
---|
129 | (choose the defaults)
|
---|
130 | </para>
|
---|
131 |
|
---|
132 | <screen><userinput><command>ext ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
|
---|
133 |
|
---|
134 | <para>
|
---|
135 | Exit the <command>kadmin</command> program (use <command>quit</command>
|
---|
136 | or <command>exit</command>) and return back to the shell prompt. Start
|
---|
137 | the <acronym>KDC</acronym> daemon manually, just to test out the
|
---|
138 | installation:
|
---|
139 | </para>
|
---|
140 |
|
---|
141 | <screen><userinput><command>/usr/sbin/kdc &</command></userinput></screen>
|
---|
142 |
|
---|
143 | <para>
|
---|
144 | Attempt to get a <acronym>TGT</acronym> (ticket granting ticket) with the
|
---|
145 | following command:
|
---|
146 | </para>
|
---|
147 |
|
---|
148 | <screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
|
---|
149 |
|
---|
150 | <para>
|
---|
151 | You will be prompted for the password you created. After you get your
|
---|
152 | ticket, you should list it with the following command:
|
---|
153 | </para>
|
---|
154 |
|
---|
155 | <screen><userinput><command>klist</command></userinput></screen>
|
---|
156 |
|
---|
157 | <para>
|
---|
158 | Information about the ticket should be displayed on the screen.
|
---|
159 | </para>
|
---|
160 |
|
---|
161 | <para>
|
---|
162 | To test the functionality of the keytab file, issue the following
|
---|
163 | command:
|
---|
164 | </para>
|
---|
165 |
|
---|
166 | <screen><userinput><command>ktutil list</command></userinput></screen>
|
---|
167 |
|
---|
168 | <para>
|
---|
169 | This should dump a list of the host principals, along with the encryption
|
---|
170 | methods used to access the principals.
|
---|
171 | </para>
|
---|
172 |
|
---|
173 | <para>
|
---|
174 | At this point, if everything has been successful so far, you can feel
|
---|
175 | fairly confident in the installation and configuration of the package.
|
---|
176 | </para>
|
---|
177 |
|
---|
178 | <!--
|
---|
179 | <para>Install <filename>/etc/rc.d/init.d/heimdal</filename> init script
|
---|
180 | included in the <xref linkend="intro-important-bootscripts"/>
|
---|
181 | package.</para>
|
---|
182 |
|
---|
183 | <screen><userinput><command>make install-heimdal</command></userinput></screen>
|
---|
184 | -->
|
---|
185 |
|
---|
186 | <para>
|
---|
187 | To automate the running of Kerberos server and
|
---|
188 | <command>kpasswdd</command> daemon, use the following command to create
|
---|
189 | the init.d script:
|
---|
190 | </para>
|
---|
191 |
|
---|
192 | <screen><userinput><command>cat >etc/rc.d/init.d/heimdal << "EOF"</command>
|
---|
193 | #!/bin/sh
|
---|
194 | # Begin $rc_base/init.d/heimdal
|
---|
195 |
|
---|
196 | # Based on sysklogd script from LFS-3.1 and earlier.
|
---|
197 | # Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org
|
---|
198 | # Heimdal bootscript submitted by Randy McMurchy <LFS-User_at_mcmurchy_dot_com>
|
---|
199 |
|
---|
200 | . /etc/sysconfig/rc
|
---|
201 | . $rc_functions
|
---|
202 |
|
---|
203 | case "$1" in
|
---|
204 | start)
|
---|
205 | echo "Starting KDC Server Daemon..."
|
---|
206 | if test -f "/var/run/kdc.pid"
|
---|
207 | then
|
---|
208 | print_status warning running
|
---|
209 | else
|
---|
210 | /usr/sbin/kdc &
|
---|
211 | sleep 1
|
---|
212 | if test -f "/var/run/kdc.pid"
|
---|
213 | then
|
---|
214 | print_status success
|
---|
215 | else
|
---|
216 | print_status failure
|
---|
217 | fi
|
---|
218 | fi
|
---|
219 | echo "Starting KDC kpasswdd Daemon..."
|
---|
220 | if test -f "/var/run/kpasswdd.pid"
|
---|
221 | then
|
---|
222 | print_status warning running
|
---|
223 | else
|
---|
224 | /usr/sbin/kpasswdd &
|
---|
225 | sleep 1
|
---|
226 | if test -f "/var/run/kpasswdd.pid"
|
---|
227 | then
|
---|
228 | print_status success
|
---|
229 | else
|
---|
230 | print_status failure
|
---|
231 | fi
|
---|
232 | fi
|
---|
233 | ;;
|
---|
234 |
|
---|
235 | stop)
|
---|
236 | echo "Stopping KDC kpasswdd Daemon..."
|
---|
237 | killproc /usr/sbin/kpasswdd
|
---|
238 | echo "Stopping KDC Server Daemon..."
|
---|
239 | killproc /usr/sbin/kdc
|
---|
240 | ;;
|
---|
241 |
|
---|
242 | restart)
|
---|
243 | $0 stop
|
---|
244 | sleep 1
|
---|
245 | $0 start
|
---|
246 | ;;
|
---|
247 |
|
---|
248 | status)
|
---|
249 | statusproc /usr/sbin/kdc
|
---|
250 | statusproc /usr/sbin/kpasswdd
|
---|
251 | ;;
|
---|
252 |
|
---|
253 | *)
|
---|
254 | echo "Usage: $0 {start|stop|restart|status}"
|
---|
255 | exit 1
|
---|
256 | ;;
|
---|
257 | esac
|
---|
258 |
|
---|
259 | # End $rc_base/init.d/heimdal
|
---|
260 | <command>EOF
|
---|
261 | chmod 754 /etc/rc.d/init.d/heimdal</command></userinput></screen>
|
---|
262 |
|
---|
263 | <para>
|
---|
264 | Create the symbolic links to this file in the relevant <filename
|
---|
265 | class="directory">rc.d</filename> directory with the following commands:
|
---|
266 | </para>
|
---|
267 |
|
---|
268 | <screen><userinput><command>cd /etc/rc.d/init.d &&
|
---|
269 | ln -sf ../init.d/heimdal ../rc0.d/K42heimdal &&
|
---|
270 | ln -sf ../init.d/heimdal ../rc1.d/K42heimdal &&
|
---|
271 | ln -sf ../init.d/heimdal ../rc2.d/K42heimdal &&
|
---|
272 | ln -sf ../init.d/heimdal ../rc3.d/S28heimdal &&
|
---|
273 | ln -sf ../init.d/heimdal ../rc4.d/S28heimdal &&
|
---|
274 | ln -sf ../init.d/heimdal ../rc5.d/S28heimdal &&
|
---|
275 | ln -sf ../init.d/heimdal ../rc6.d/K42heimdal</command></userinput></screen>
|
---|
276 |
|
---|
277 | </sect4>
|
---|
278 |
|
---|
279 | <sect4><title>Using Kerberized Client Programs</title>
|
---|
280 |
|
---|
281 | <para>
|
---|
282 | To use the kerberized client programs (<command>telnet</command>,
|
---|
283 | <command>ftp</command>, <command>rsh</command>,
|
---|
284 | <command>rxterm</command>, <command>rxtelnet</command>,
|
---|
285 | <command>rcp</command>, <command>xnlock</command>), you first must get
|
---|
286 | a <acronym>TGT</acronym>. Use the <command>kinit</command> program to
|
---|
287 | get the ticket. After you've acquired the ticket, you can use the
|
---|
288 | kerberized programs to connect to any kerberized server on the network.
|
---|
289 | You will not be prompted for authentication until your ticket expires
|
---|
290 | (default is one day), unless you specify a different user as a command
|
---|
291 | line argument to the program.
|
---|
292 | </para>
|
---|
293 |
|
---|
294 | <para>
|
---|
295 | The kerberized programs will connect to non kerberized daemons, warning
|
---|
296 | you that authentication is not encrypted. As mentioned earlier, only the
|
---|
297 | <command>ftp</command> program gives any trouble connecting to non
|
---|
298 | kerberized daemons.
|
---|
299 | </para>
|
---|
300 |
|
---|
301 | <para>
|
---|
302 | For additional information consult <ulink
|
---|
303 | url="http://www.linuxfromscratch.org/hints/downloads/files/heimdal.txt">the
|
---|
304 | Heimdal hint</ulink> on which the above instructions are based.
|
---|
305 | </para>
|
---|
306 |
|
---|
307 | </sect4>
|
---|
308 |
|
---|
309 | </sect3>
|
---|
310 |
|
---|
311 | </sect2>
|
---|