source: postlfs/security/heimdal/heimdal-config.xml@ add4a24

10.0 10.1 11.0 6.0 6.1 6.2 6.2.0 6.2.0-rc1 6.2.0-rc2 6.3 6.3-rc1 6.3-rc2 6.3-rc3 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 ken/refactor-virt krejzi/svn lazarus nosym perl-modules qt5new systemd-11177 systemd-13485 trunk xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since add4a24 was add4a24, checked in by Bruce Dubbs <bdubbs@…>, 17 years ago

Misc grammar corrections

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2284 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 6.7 KB
Line 
1<sect2>
2<title>Configuring Heimdal</title>
3
4<sect3><title>Config files</title>
5<para><filename>/etc/heimdal/*</filename></para>
6</sect3>
7
8<sect3><title>Configuration Information</title>
9
10<sect4><title>Master KDC Server Configuration</title>
11
12<para>
13Create the Kerberos configuration file with the following command:
14</para>
15
16<screen><userinput><command>install -d /etc/heimdal &amp;&amp;
17cat &gt; /etc/heimdal/krb5.conf &lt;&lt; "EOF"</command>
18# Begin /etc/heimdal/krb5.conf
19
20[libdefaults]
21 default_realm = <replaceable>[LFS.ORG]</replaceable>
22 encrypt = true
23
24[realms]
25 <replaceable>[LFS.ORG]</replaceable> = {
26 kdc = <replaceable>[belgarath.lfs.org]</replaceable>
27 admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
28 kpasswd_server = <replaceable>[belgarath.lfs.org]</replaceable>
29 }
30
31[domain_realm]
32 .<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>
33
34[logging]
35 kdc = FILE:/var/log/kdc.log
36 admin_server = FILE:/var/log/kadmin.log
37 default = FILE:/var/log/krb.log
38
39# End /etc/heimdal/krb5.conf
40<command>EOF</command></userinput></screen>
41
42<para>
43You will need to substitute your domain and proper hostname for the
44occurances of the belgarath and lfs.org names.
45</para>
46
47<para>
48<userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS.
49This isn't required, but both Heimdal and <acronym>MIT</acronym>
50recommend it.
51</para>
52
53<para>
54<userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized
55clients and servers. It's not necessary and can be left off. If you
56leave it off, you can encrypt all traffic from the client to the server
57using a switch on the client program instead.
58</para>
59
60<para>
61The <userinput>[realms]</userinput> parameters tell the client programs where to look for the
62<acronym>KDC</acronym> authentication services.
63</para>
64
65<para>
66The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
67</para>
68
69<para>
70Store the master password in a key file using the following commands:
71</para>
72
73<screen><userinput><command>install -d -m 755 /var/lib/heimdal &amp;&amp;
74kstash</command></userinput></screen>
75
76<para>
77Create the <acronym>KDC</acronym> database:
78</para>
79
80<screen><userinput><command>kadmin -l</command></userinput></screen>
81
82<para>
83Choose the defaults for now. You can go in later and change the
84defaults, should you feel the need. At the
85<userinput>kadmin&gt;</userinput> prompt, issue the following statement:
86</para>
87
88<screen><userinput><command>init <replaceable>[LFS.ORG]</replaceable></command></userinput></screen>
89
90<para>
91Now we need to populate the database with principles (users). For now,
92just use your regular login name or root.
93</para>
94
95<screen><userinput><command>add <replaceable>[loginname]</replaceable></command></userinput></screen>
96
97<para>
98The <acronym>KDC</acronym> server and any machine running kerberized
99server daemons must have a host key installed:
100</para>
101
102<screen><userinput><command>add --random-key host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
103
104<para>
105After choosing the defaults when prompted, you will have to export the
106data to a keytab file:
107</para>
108
109<screen><userinput><command>ext host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
110
111<para>
112This should have created two files in
113<filename class="directory">/etc/heimdal</filename>;
114<filename>krb5.keytab</filename> (Kerberos 5) and
115<filename>srvtab</filename> (Kerberos 4). Both files should have 600
116(root rw only) permissions. Keeping the keytab files from public access
117is crucial to the overall security of the Kerberos installation.
118</para>
119
120<para>
121Eventually, you'll want to add server daemon principles to the database
122and extract them to the keytab file. You do this in the same way you
123created the host principles. Below is an example:
124</para>
125
126<screen><userinput><command>add --random-key ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
127
128<para>
129(choose the defaults)
130</para>
131
132<screen><userinput><command>ext ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
133
134<para>
135Exit the <command>kadmin</command> program (use <command>quit</command>
136or <command>exit</command>) and return back to the shell prompt. Start
137the <acronym>KDC</acronym> daemon manually, just to test out the
138installation:
139</para>
140
141<screen><userinput><command>/usr/sbin/kdc &amp;</command></userinput></screen>
142
143<para>
144Attempt to get a <acronym>TGT</acronym> (ticket granting ticket) with the
145following command:
146</para>
147
148<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
149
150<para>
151You will be prompted for the password you created. After you get your
152ticket, you should list it with the following command:
153</para>
154
155<screen><userinput><command>klist</command></userinput></screen>
156
157<para>
158Information about the ticket should be displayed on the screen.
159</para>
160
161<para>
162To test the functionality of the keytab file, issue the following
163command:
164</para>
165
166<screen><userinput><command>ktutil list</command></userinput></screen>
167
168<para>
169This should dump a list of the host principals, along with the encryption
170methods used to access the principals.
171</para>
172
173<para>
174At this point, if everything has been successful so far, you can feel
175fairly confident in the installation and configuration of the package.
176</para>
177
178<para>Install the <filename>/etc/rc.d/init.d/heimdal</filename> init script
179included in the <xref linkend="intro-important-bootscripts"/>
180package.</para>
181
182<screen><userinput><command>make install-heimdal</command></userinput></screen>
183
184</sect4>
185
186<sect4><title>Using Kerberized Client Programs</title>
187
188<para>
189To use the kerberized client programs (<command>telnet</command>,
190<command>ftp</command>, <command>rsh</command>,
191<command>rxterm</command>, <command>rxtelnet</command>,
192<command>rcp</command>, <command>xnlock</command>), you first must get
193a <acronym>TGT</acronym>. Use the <command>kinit</command> program to
194get the ticket. After you've acquired the ticket, you can use the
195kerberized programs to connect to any kerberized server on the network.
196You will not be prompted for authentication until your ticket expires
197(default is one day), unless you specify a different user as a command
198line argument to the program.
199</para>
200
201<para>
202The kerberized programs will connect to non kerberized daemons, warning
203you that authentication is not encrypted. As mentioned earlier, only the
204<command>ftp</command> program gives any trouble connecting to non
205kerberized daemons.
206</para>
207
208<para>
209For additional information consult <ulink
210url="http://www.linuxfromscratch.org/hints/downloads/files/heimdal.txt">the
211Heimdal hint</ulink> on which the above instructions are based.
212</para>
213
214</sect4>
215
216</sect3>
217
218</sect2>
Note: See TracBrowser for help on using the repository browser.