source: postlfs/security/heimdal/heimdal-config.xml@ 3be9cf07

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 12.2 6.0 6.1 6.2 6.2.0 6.2.0-rc1 6.2.0-rc2 6.3 6.3-rc1 6.3-rc2 6.3-rc3 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gimp3 gnome kde5-13430 kde5-14269 kde5-14686 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts krejzi/svn lazarus lxqt nosym perl-modules plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition systemd-11177 systemd-13485 trunk upgradedb v5_1 v5_1-pre1 xry111/for-12.3 xry111/intltool xry111/llvm18 xry111/soup3 xry111/spidermonkey128 xry111/test-20220226 xry111/xf86-video-removal
Last change on this file since 3be9cf07 was 3be9cf07, checked in by Igor Živković <igor@…>, 20 years ago

applied Randy's heimdal update patch

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2128 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 9.6 KB
Line 
1<sect2>
2<title>Configuring Heimdal</title>
3
4<sect3><title>Config files</title>
5<para><filename>/etc/heimdal/*</filename></para>
6</sect3>
7
8<sect3><title>Configuration Information</title>
9
10<sect4><title>Master KDC Server Configuration</title>
11
12<para>
13Create the Kerberos configuration file with the following command:
14</para>
15
16<screen><userinput><command>install -d /etc/heimdal &amp;&amp;
17cat &gt; /etc/heimdal/krb5.conf &lt;&lt; "EOF"</command>
18# Begin /etc/heimdal/krb5.conf
19
20[libdefaults]
21 default_realm = <replaceable>[LFS.ORG]</replaceable>
22 encrypt = true
23
24[realms]
25 <replaceable>[LFS.ORG]</replaceable> = {
26 kdc = <replaceable>[belgarath.lfs.org]</replaceable>
27 admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
28 kpasswd_server = <replaceable>[belgarath.lfs.org]</replaceable>
29 }
30
31[domain_realm]
32 .<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>
33
34[logging]
35 kdc = FILE:/var/log/kdc.log
36 admin_server = FILE:/var/log/kadmin.log
37 default = FILE:/var/log/krb.log
38
39# End /etc/heimdal/krb5.conf
40<command>EOF</command></userinput></screen>
41
42<para>
43You will need to substitute your domain and proper hostname for the
44occurances of the belgarath and lfs.org names.
45</para>
46
47<para>
48<userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS.
49This isn't required, but both Heimdal and <acronym>MIT</acronym>
50recommend it.
51</para>
52
53<para>
54<userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized
55clients and servers. It's not necessary and can be left off. If you
56leave it off, you can encrypt all traffic from the client to the server
57using a switch on the client program instead.
58</para>
59
60<para>
61The <userinput>[realms]</userinput> parameters tell the client programs where to look for the
62<acronym>KDC</acronym> authentication services.
63</para>
64
65<para>
66The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
67</para>
68
69<para>
70Store the master password in a key file using the following commands:
71</para>
72
73<screen><userinput><command>install -d -m 755 /var/lib/heimdal &amp;&amp;
74kstash</command></userinput></screen>
75
76<para>
77Create the <acronym>KDC</acronym> database:
78</para>
79
80<screen><userinput><command>kadmin -l</command></userinput></screen>
81
82<para>
83Choose the defaults for now. You can go in later and change the
84defaults, should you feel the need. At the
85<userinput>kadmin&gt;</userinput> prompt, issue the following statement:
86</para>
87
88<screen><userinput><command>init <replaceable>[LFS.ORG]</replaceable></command></userinput></screen>
89
90<para>
91Now we need to populate the database with principles (users). For now,
92just use your regular login name or root.
93</para>
94
95<screen><userinput><command>add <replaceable>[loginname]</replaceable></command></userinput></screen>
96
97<para>
98The <acronym>KDC</acronym> server and any machine running kerberized
99server daemons must have a host key installed:
100</para>
101
102<screen><userinput><command>add --random-key host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
103
104<para>
105After choosing the defaults when prompted, you will have to export the
106data to a keytab file:
107</para>
108
109<screen><userinput><command>ext host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
110
111<para>
112This should have created two files in
113<filename class="directory">/etc/heimdal</filename>;
114<filename>krb5.keytab</filename> (Kerberos 5) and
115<filename>srvtab</filename> (Kerberos 4). Both files should have 600
116(root rw only) permissions. Keeping the keytab files from public access
117is crucial to the overall security of the Kerberos installation.
118</para>
119
120<para>
121Eventually, you'll want to add server daemon principles to the database
122and extract them to the keytab file. You do this in the same way you
123created the host principles. Below is an example:
124</para>
125
126<screen><userinput><command>add --random-key ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
127
128<para>
129(choose the defaults)
130</para>
131
132<screen><userinput><command>ext ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
133
134<para>
135Exit the <command>kadmin</command> program (use <command>quit</command>
136or <command>exit</command>) and return back to the shell prompt. Start
137the <acronym>KDC</acronym> daemon manually, just to test out the
138installation:
139</para>
140
141<screen><userinput><command>/usr/sbin/kdc &amp;</command></userinput></screen>
142
143<para>
144Attempt to get a <acronym>TGT</acronym> (ticket granting ticket) with the
145following command:
146</para>
147
148<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
149
150<para>
151You will be prompted for the password you created. After you get your
152ticket, you should list it with the following command:
153</para>
154
155<screen><userinput><command>klist</command></userinput></screen>
156
157<para>
158Information about the ticket should be displayed on the screen.
159</para>
160
161<para>
162To test the functionality of the keytab file, issue the following
163command:
164</para>
165
166<screen><userinput><command>ktutil list</command></userinput></screen>
167
168<para>
169This should dump a list of the host principals, along with the encryption
170methods used to access the principals.
171</para>
172
173<para>
174At this point, if everything has been successful so far, you can feel
175fairly confident in the installation and configuration of the package.
176</para>
177
178<!--
179<para>Install <filename>/etc/rc.d/init.d/heimdal</filename> init script
180included in the <xref linkend="intro-important-bootscripts"/>
181package.</para>
182
183<screen><userinput><command>make install-heimdal</command></userinput></screen>
184-->
185
186<para>
187To automate the running of Kerberos server and
188<command>kpasswdd</command> daemon, use the following command to create
189the init.d script:
190</para>
191
192<screen><userinput><command>cat &gt;etc/rc.d/init.d/heimdal &lt;&lt; "EOF"</command>
193#!/bin/sh
194# Begin $rc_base/init.d/heimdal
195
196# Based on sysklogd script from LFS-3.1 and earlier.
197# Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org
198# Heimdal bootscript submitted by Randy McMurchy &lt;LFS-User_at_mcmurchy_dot_com&gt;
199
200. /etc/sysconfig/rc
201. $rc_functions
202
203case "$1" in
204 start)
205 echo "Starting KDC Server Daemon..."
206 if test -f "/var/run/kdc.pid"
207 then
208 print_status warning running
209 else
210 /usr/sbin/kdc &amp;
211 sleep 1
212 if test -f "/var/run/kdc.pid"
213 then
214 print_status success
215 else
216 print_status failure
217 fi
218 fi
219 echo "Starting KDC kpasswdd Daemon..."
220 if test -f "/var/run/kpasswdd.pid"
221 then
222 print_status warning running
223 else
224 /usr/sbin/kpasswdd &amp;
225 sleep 1
226 if test -f "/var/run/kpasswdd.pid"
227 then
228 print_status success
229 else
230 print_status failure
231 fi
232 fi
233 ;;
234
235 stop)
236 echo "Stopping KDC kpasswdd Daemon..."
237 killproc /usr/sbin/kpasswdd
238 echo "Stopping KDC Server Daemon..."
239 killproc /usr/sbin/kdc
240 ;;
241
242 restart)
243 $0 stop
244 sleep 1
245 $0 start
246 ;;
247
248 status)
249 statusproc /usr/sbin/kdc
250 statusproc /usr/sbin/kpasswdd
251 ;;
252
253 *)
254 echo "Usage: $0 {start|stop|restart|status}"
255 exit 1
256 ;;
257esac
258
259# End $rc_base/init.d/heimdal
260<command>EOF
261chmod 754 /etc/rc.d/init.d/heimdal</command></userinput></screen>
262
263<para>
264Create the symbolic links to this file in the relevant <filename
265class="directory">rc.d</filename> directory with the following commands:
266</para>
267
268<screen><userinput><command>cd /etc/rc.d/init.d &amp;&amp;
269ln -sf ../init.d/heimdal ../rc0.d/K42heimdal &amp;&amp;
270ln -sf ../init.d/heimdal ../rc1.d/K42heimdal &amp;&amp;
271ln -sf ../init.d/heimdal ../rc2.d/K42heimdal &amp;&amp;
272ln -sf ../init.d/heimdal ../rc3.d/S28heimdal &amp;&amp;
273ln -sf ../init.d/heimdal ../rc4.d/S28heimdal &amp;&amp;
274ln -sf ../init.d/heimdal ../rc5.d/S28heimdal &amp;&amp;
275ln -sf ../init.d/heimdal ../rc6.d/K42heimdal</command></userinput></screen>
276
277</sect4>
278
279<sect4><title>Using Kerberized Client Programs</title>
280
281<para>
282To use the kerberized client programs (<command>telnet</command>,
283<command>ftp</command>, <command>rsh</command>,
284<command>rxterm</command>, <command>rxtelnet</command>,
285<command>rcp</command>, <command>xnlock</command>), you first must get
286a <acronym>TGT</acronym>. Use the <command>kinit</command> program to
287get the ticket. After you've acquired the ticket, you can use the
288kerberized programs to connect to any kerberized server on the network.
289You will not be prompted for authentication until your ticket expires
290(default is one day), unless you specify a different user as a command
291line argument to the program.
292</para>
293
294<para>
295The kerberized programs will connect to non kerberized daemons, warning
296you that authentication is not encrypted. As mentioned earlier, only the
297<command>ftp</command> program gives any trouble connecting to non
298kerberized daemons.
299</para>
300
301<para>
302For additional information consult <ulink
303url="http://www.linuxfromscratch.org/hints/downloads/files/heimdal.txt">the
304Heimdal hint</ulink> on which the above instructions are based.
305</para>
306
307</sect4>
308
309</sect3>
310
311</sect2>
Note: See TracBrowser for help on using the repository browser.