| 1 | <sect2>
|
|---|
| 2 | <title>Configuring Heimdal</title>
|
|---|
| 3 |
|
|---|
| 4 | <sect3><title>Config files</title>
|
|---|
| 5 | <para><filename>/etc/heimdal/*</filename></para>
|
|---|
| 6 | </sect3>
|
|---|
| 7 |
|
|---|
| 8 | <sect3><title>Configuration Information</title>
|
|---|
| 9 |
|
|---|
| 10 | <para>
|
|---|
| 11 | Create the Kerberos configuration file with the following command:
|
|---|
| 12 | </para>
|
|---|
| 13 |
|
|---|
| 14 | <screen><userinput><command>cat > /etc/heimdal/krb5.conf << "EOF"</command>
|
|---|
| 15 | # Begin /etc/heimdal/krb5.conf
|
|---|
| 16 |
|
|---|
| 17 | [libdefaults]
|
|---|
| 18 | default_realm = LFS.ORG
|
|---|
| 19 | encrypt = true
|
|---|
| 20 |
|
|---|
| 21 | [realms]
|
|---|
| 22 | LFS.ORG = {
|
|---|
| 23 | kdc = belgarath.lfs.org
|
|---|
| 24 | admin_server = belgarath.lfs.org
|
|---|
| 25 | }
|
|---|
| 26 |
|
|---|
| 27 | [domain_realm]
|
|---|
| 28 | .lfs.org = LFS.ORG
|
|---|
| 29 |
|
|---|
| 30 | [logging]
|
|---|
| 31 | kdc = FILE:/var/log/kdc.log
|
|---|
| 32 | admin_server = FILE:/var/log/kadmin.log
|
|---|
| 33 | default = FILE:/var/log/krb.log
|
|---|
| 34 |
|
|---|
| 35 | # End /etc/heimdal/krb5.conf
|
|---|
| 36 | <command>EOF</command></userinput></screen>
|
|---|
| 37 |
|
|---|
| 38 | <para>
|
|---|
| 39 | You will need to substitute your domain and proper hostname for the
|
|---|
| 40 | occurances of the belgarath and lfs.org names.
|
|---|
| 41 | </para>
|
|---|
| 42 |
|
|---|
| 43 | <para>
|
|---|
| 44 | <userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS.
|
|---|
| 45 | This isn't required, but both Heimdal and <acronym>MIT</acronym>
|
|---|
| 46 | recommend it.
|
|---|
| 47 | </para>
|
|---|
| 48 |
|
|---|
| 49 | <para>
|
|---|
| 50 | <userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized
|
|---|
| 51 | clients and servers. It's not necessary and can be left off. If you
|
|---|
| 52 | leave it off, you can encrypt all traffic from the client to the server
|
|---|
| 53 | using a switch on the client program instead.
|
|---|
| 54 | </para>
|
|---|
| 55 |
|
|---|
| 56 | <para>
|
|---|
| 57 | The <userinput>[realms]</userinput> parameters tell the client programs where to look for the
|
|---|
| 58 | <acronym>KDC</acronym> authentication services.
|
|---|
| 59 | </para>
|
|---|
| 60 |
|
|---|
| 61 | <para>
|
|---|
| 62 | The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
|
|---|
| 63 | </para>
|
|---|
| 64 |
|
|---|
| 65 | <para>
|
|---|
| 66 | Store the master password in a key file using the following commands:
|
|---|
| 67 | </para>
|
|---|
| 68 |
|
|---|
| 69 | <screen><userinput><command>install -d -m 755 /var/lib/heimdal &&
|
|---|
| 70 | kstash</command></userinput></screen>
|
|---|
| 71 |
|
|---|
| 72 | <para>
|
|---|
| 73 | Create the <acronym>KDC</acronym> database:
|
|---|
| 74 | </para>
|
|---|
| 75 |
|
|---|
| 76 | <screen><userinput><command>kadmin -l</command></userinput></screen>
|
|---|
| 77 |
|
|---|
| 78 | <para>
|
|---|
| 79 | Choose the defaults for now. You can go in later and change the
|
|---|
| 80 | defaults, should you feel the need. At the
|
|---|
| 81 | <userinput>kadmin></userinput> prompt, issue the following statement:
|
|---|
| 82 | </para>
|
|---|
| 83 |
|
|---|
| 84 | <screen><userinput><command>init LFS.ORG</command></userinput></screen>
|
|---|
| 85 |
|
|---|
| 86 | <para>
|
|---|
| 87 | Now we need to populate the database with principles (users). For now,
|
|---|
| 88 | just use your regular login name or root.
|
|---|
| 89 | </para>
|
|---|
| 90 |
|
|---|
| 91 | <screen><userinput><command>add loginname</command></userinput></screen>
|
|---|
| 92 |
|
|---|
| 93 | <para>
|
|---|
| 94 | The <acronym>KDC</acronym> server and any machine running kerberized
|
|---|
| 95 | server daemons must have a host key installed:
|
|---|
| 96 | </para>
|
|---|
| 97 |
|
|---|
| 98 | <screen><userinput><command>add --random-key host/belgarath.lfs.org</command></userinput></screen>
|
|---|
| 99 |
|
|---|
| 100 | <para>
|
|---|
| 101 | After choosing the defaults when prompted, you will have to export the
|
|---|
| 102 | data to a keytab file:
|
|---|
| 103 | </para>
|
|---|
| 104 |
|
|---|
| 105 | <screen><userinput><command>ext host/belgarath.lfs.org</command></userinput></screen>
|
|---|
| 106 |
|
|---|
| 107 | <para>
|
|---|
| 108 | This should have created two files in
|
|---|
| 109 | <filename class="directory">/etc/heimdal</filename>;
|
|---|
| 110 | <filename>krb5.keytab</filename> (Kerberos 5) and
|
|---|
| 111 | <filename>srvtab</filename> (Kerberos 4). Both files should have 600
|
|---|
| 112 | (root rw only) permissions. Keeping the keytab files from public access
|
|---|
| 113 | is crucial to the overall security of the Kerberos installation.
|
|---|
| 114 | </para>
|
|---|
| 115 |
|
|---|
| 116 | <para>
|
|---|
| 117 | Eventually, you'll want to add server daemon principles to the database
|
|---|
| 118 | and extract them to the keytab file. You do this in the same way you
|
|---|
| 119 | created the host principles. Below is an example:
|
|---|
| 120 | </para>
|
|---|
| 121 |
|
|---|
| 122 | <screen><userinput><command>add --random-key ftp/belgarath.lfs.org</command></userinput></screen>
|
|---|
| 123 |
|
|---|
| 124 | <para>
|
|---|
| 125 | (choose the defaults)
|
|---|
| 126 | </para>
|
|---|
| 127 |
|
|---|
| 128 | <screen><userinput><command>ext ftp/belgarath.lfs.org</command></userinput></screen>
|
|---|
| 129 |
|
|---|
| 130 | <para>
|
|---|
| 131 | Exit the <command>kadmin</command> program (use <command>quit</command>
|
|---|
| 132 | or <command>exit</command>) and return back to the shell prompt. Start
|
|---|
| 133 | the <acronym>KDC</acronym> daemon manually, just to test out the
|
|---|
| 134 | installation:
|
|---|
| 135 | </para>
|
|---|
| 136 |
|
|---|
| 137 | <screen><userinput><command>/usr/sbin/kdc &</command></userinput></screen>
|
|---|
| 138 |
|
|---|
| 139 | <para>
|
|---|
| 140 | Attempt to get a ticket with the following command:
|
|---|
| 141 | </para>
|
|---|
| 142 |
|
|---|
| 143 | <screen><userinput><command>kinit loginname</command></userinput></screen>
|
|---|
| 144 |
|
|---|
| 145 | <para>
|
|---|
| 146 | You will be prompted for the password you created. After you get your
|
|---|
| 147 | ticket, you can list it with the following command:
|
|---|
| 148 | </para>
|
|---|
| 149 |
|
|---|
| 150 | <screen><userinput><command>klist</command></userinput></screen>
|
|---|
| 151 |
|
|---|
| 152 | <para>
|
|---|
| 153 | Information about the ticket should be displayed on the screen.
|
|---|
| 154 | </para>
|
|---|
| 155 |
|
|---|
| 156 | <para>
|
|---|
| 157 | To test the functionality of the keytab file, issue the following
|
|---|
| 158 | command:
|
|---|
| 159 | </para>
|
|---|
| 160 |
|
|---|
| 161 | <screen><userinput><command>ktutil list</command></userinput></screen>
|
|---|
| 162 |
|
|---|
| 163 | <para>
|
|---|
| 164 | This should dump a list of the host principal, along with the encryption
|
|---|
| 165 | methods used to access the principal.
|
|---|
| 166 | </para>
|
|---|
| 167 |
|
|---|
| 168 | <para>
|
|---|
| 169 | At this point, if everything has been successful so far, you can feel
|
|---|
| 170 | fairly confident in the installation and configuration of the package.
|
|---|
| 171 | </para>
|
|---|
| 172 |
|
|---|
| 173 | <para>Install <filename>/etc/rc.d/init.d/heimdal</filename> init script
|
|---|
| 174 | included in the <xref linkend="intro-important-bootscripts"/>
|
|---|
| 175 | package.</para>
|
|---|
| 176 |
|
|---|
| 177 | <screen><userinput><command>make install-heimdal</command></userinput></screen>
|
|---|
| 178 |
|
|---|
| 179 | </sect3>
|
|---|
| 180 |
|
|---|
| 181 | </sect2>
|
|---|
