source: postlfs/security/mitkrb.xml@ 0cd6d67

Last change on this file since 0cd6d67 was 0cd6d67, checked in by Randy McMurchy <randy@…>, 18 years ago

Modified configuration file index sorting tags in various packages so that the index is sorted properly

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3265 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
 <!ENTITY % general-entities SYSTEM "../../general.ent">
 %general-entities;

 <!ENTITY mitkrb-download-http "http://web.mit.edu/kerberos/www/dist/krb5/1.3/krb5-&mitkrb-version;.tar">
 <!ENTITY mitkrb-download-ftp " ">
 <!ENTITY mitkrb-size "6.3 MB">
 <!ENTITY mitkrb-buildsize "64 MB">
 <!ENTITY mitkrb-time "2.55 SBU">
]>

<sect1 id="mitkrb" xreflabel="MIT krb5-&mitkrb-version;">
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<?dbhtml filename="mitkrb.html"?>
<title><acronym>MIT</acronym> krb5-&mitkrb-version;</title>
<indexterm zone="mitkrb">
<primary sortas="a-kerberos-MIT">Kerberos5(MIT)</primary></indexterm>


<sect2>
<title>Introduction to <application><acronym>MIT</acronym> krb5</application></title>

<para>
<application><acronym>MIT</acronym> krb5</application> is a free
implementation of Kerberos 5. Kerberos is a network authentication
protocol. It centralizes the authentication database and uses kerberized
applications to work with servers or services that support Kerberos,
allowing single logins and encrypted communication over internal
networks or the Internet.
</para>

<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink url="&mitkrb-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink url="&mitkrb-download-ftp;"/></para></listitem>
<listitem><para>Download size: &mitkrb-size;</para></listitem>
<listitem><para>Estimated disk space required: &mitkrb-buildsize;</para></listitem>
<listitem><para>Estimated build time: &mitkrb-time;</para></listitem></itemizedlist>
</sect3>

<sect3><title><application><acronym>MIT</acronym> krb5</application> dependencies</title>
<sect4><title>Optional</title>
<para>
<xref linkend="xinetd"/> (services servers only),
<xref linkend="Linux_PAM"/> (for <command>xdm</command> based logins) and
<xref linkend="openldap"/> (alternative for <command>krb5kdc</command>
password database)
</para>

<note><para>
Some sort of time synchronization facility on your system (like
<xref linkend="ntp"/>) is required since Kerberos won't authenticate if there
is a time difference between a kerberized client and the
<acronym>KDC</acronym> server.</para></note>
</sect4>

</sect3>

</sect2>

<sect2>
<title>Installation of <application><acronym>MIT</acronym> krb5</application></title>

<para>
<application><acronym>MIT</acronym> krb5</application> is distributed in a
<acronym>TAR</acronym> file containing a compressed <acronym>TAR</acronym>
package and a detached <acronym>PGP</acronym>
<filename class="extension">ASC</filename> file.
</para>

<para>
If you have installed <xref linkend="gnupg"/>, you can
authenticate the package with the following command:
</para>

<screen><userinput><command>gpg --verify krb5-&mitkrb-version;.tar.gz.asc krb5-&mitkrb-version;.tar.gz</command></userinput></screen>

<para>
Build <application><acronym>MIT</acronym> krb5</application> by running the
following commands:
</para>

<screen><userinput><command>cd src &amp;&amp;
./configure --prefix=/usr --sysconfdir=/etc \
 --localstatedir=/var/lib --enable-dns --enable-shared --mandir=/usr/share/man &amp;&amp;
make</command></userinput></screen>

<para>
Install <application><acronym>MIT</acronym> krb5</application> by
running the following commands as root:
</para>

<screen><userinput><command>make install &amp;&amp;
mv /bin/login /bin/login.shadow &amp;&amp;
cp /usr/sbin/login.krb5 /bin/login &amp;&amp;
mv /usr/bin/ksu /bin &amp;&amp;
mv /usr/lib/libkrb5.so.3* /lib &amp;&amp;
mv /usr/lib/libkrb4.so.2* /lib &amp;&amp;
mv /usr/lib/libdes425.so.3* /lib &amp;&amp;
mv /usr/lib/libk5crypto.so.3* /lib &amp;&amp;
mv /usr/lib/libcom_err.so.3* /lib &amp;&amp;
ln -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so &amp;&amp;
ln -sf ../../lib/libkrb4.so.2 /usr/lib/libkrb4.so &amp;&amp;
ln -sf ../../lib/libdes425.so.3 /usr/lib/libdes425.so &amp;&amp;
ln -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so &amp;&amp;
ln -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so &amp;&amp;
ldconfig</command></userinput></screen>

</sect2>

<sect2>
<title>Command explanations</title>

<para>
<parameter>--enable-dns</parameter>: This switch allows realms to
be resolved using the <acronym>DNS</acronym> server.
</para>

<para>
<screen><command>mv /bin/login /bin/login.shadow
cp /usr/sbin/login.krb5 /bin/login
mv /usr/bin/ksu /bin</command></screen>
These commands preserve <application>Shadow</application>'s
<command>login</command> command and move <command>ksu</command> and
the Kerberos <command>login</command> to the
<filename class="directory">/bin</filename> directory.
</para>

<para>
<screen><command>mv /usr/lib/libkrb5.so.3* /lib
mv /usr/lib/libkrb4.so.2* /lib
mv /usr/lib/libdes425.so.3* /lib
mv /usr/lib/libk5crypto.so.3* /lib
mv /usr/lib/libcom_err.so.3* /lib
ln -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so
ln -sf ../../lib/libkrb4.so.2 /usr/lib/libkrb4.so
ln -sf ../../lib/libdes425.so.3 /usr/lib/libdes425.so
ln -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so
ln -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so</command></screen>
The <command>login</command> and <command>ksu</command> programs
are linked against these libraries, therefore we move these libraries to
<filename class="directory">/lib</filename> to allow logins without mounting
<filename class="directory">/usr</filename>.
</para>

</sect2>

<sect2>
<title>Configuring <application><acronym>MIT</acronym> krb5</application></title>

<sect3 id="krb5-config"><title>Config files</title>
<para>
<filename>/etc/krb5.conf</filename> and
<filename>/var/lib/krb5kdc/kdc.conf</filename>
</para>
<indexterm zone="mitkrb krb5-config">
<primary sortas="e-etc-krb5.conf">/etc/krb5.conf</primary></indexterm>
<indexterm zone="mitkrb krb5-config">
<primary sortas="e-var-lib-krb5kdc-kdc.conf">/var/lib/krb5kdc/kdc.conf</primary>
</indexterm>
</sect3>

<sect3><title>Configuration Information</title>

<sect4><title>Kerberos Configuration</title>

<para>
Create the Kerberos configuration file with the following command:
</para>

<screen><userinput><command>cat &gt; /etc/krb5.conf &lt;&lt; "EOF"</command>
# Begin /etc/krb5.conf

[libdefaults]
 default_realm = <replaceable>[LFS.ORG]</replaceable>
 encrypt = true

[realms]
 <replaceable>[LFS.ORG]</replaceable> = {
 kdc = <replaceable>[belgarath.lfs.org]</replaceable>
 admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
 }

[domain_realm]
 .<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>

[logging]
 kdc = SYSLOG[:INFO[:AUTH]]
 admin_server = SYSLOG[:INFO[:AUTH]]
 default = SYSLOG[[:SYS]]

# End /etc/krb5.conf
<command>EOF</command></userinput></screen>

<para>
You will need to substitute your domain and proper hostname for the
occurrences of the <replaceable>[belgarath]</replaceable> and
<replaceable>[lfs.org]</replaceable> names.
</para>

<para>
<userinput>default_realm</userinput> should be the name of your domain changed
to ALL CAPS. This isn't required, but both <application>Heimdal</application>
and <acronym>MIT</acronym> recommend it.
</para>

<para>
<userinput>encrypt = true</userinput> provides encryption of all traffic
between kerberized clients and servers. It's not necessary and can be left
off. If you leave it off, you can encrypt all traffic from the client to the
server using a switch on the client program instead.
</para>

<para>
The <userinput>[realms]</userinput> parameters tell the client programs where
to look for the <acronym>KDC</acronym> authentication services.
</para>

<para>
The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
</para>

<para>
Create the <acronym>KDC</acronym> database:
</para>

<screen><userinput><command>kdb5_util create -r <replaceable>[LFS.ORG]</replaceable> -s</command></userinput></screen>

<para>
Now you should populate the database with principals (users). For now,
just use your regular login name or root.
</para>

<screen><userinput><command>kadmin.local</command></userinput>
<prompt>kadmin:</prompt><userinput><command>addprinc <replaceable>[loginname]</replaceable></command></userinput></screen>

<para>
The <acronym>KDC</acronym> server and any machine running kerberized
server daemons must have a host key installed:
</para>

<screen><prompt>kadmin:</prompt><userinput><command>addprinc -randkey host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>

<para>
After choosing the defaults when prompted, you will have to export the
data to a keytab file:
</para>

<screen><prompt>kadmin:</prompt><userinput><command>ktadd host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>

<para>
This should have created a file in <filename class="directory">/etc</filename>
named <filename>krb5.keytab</filename> (Kerberos 5). This file should have 600
(root rw only) permissions. Keeping the keytab files from public access
is crucial to the overall security of the Kerberos installation.
</para>
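<para>
Added example, not part of the BLFS book or of MIT krb5: a POSIX shell script
that checks a finished <filename>/etc/krb5.conf</filename> against the layout
shown above (an upper-case <userinput>default_realm</userinput> whose
<userinput>[realms]</userinput> block names a <userinput>kdc</userinput> and an
<userinput>admin_server</userinput>, and <userinput>[domain_realm]</userinput>
mappings that point at a defined realm) and verifies the 600, root-owned
permissions required for <filename>/etc/krb5.keytab</filename>. The function
names and the diagnostics are this example's own assumptions.
</para>

```shell
#!/bin/sh
# Added example (not from the BLFS book): sanity checks for a krb5.conf and a
# keytab laid out as in the steps above. Assumes POSIX sh, awk, ls and tr.

# Print VALUE from a "KEY = VALUE" line inside [SECTION] of an INI-style krb5.conf.
krb5_get() {                      # krb5_get FILE SECTION KEY
    awk -v sect="$2" -v key="$3" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^\[.*]$/ { insect = (line == "[" sect "]"); next }
        insect && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Same for a KEY inside the "REALM = { ... }" block of the [realms] section.
krb5_realm_get() {                # krb5_realm_get FILE REALM KEY
    awk -v realm="$2" -v key="$3" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^\[.*]$/ { insect = (line == "[realms]"); inrealm = 0; next }
        insect && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && line == "}" { inrealm = 0; next }
        inrealm && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Return 0 when default_realm is set and upper case, its realm block names a
# kdc and an admin_server, and every [domain_realm] mapping targets a realm
# that has a kdc. Each failed check is reported on stderr.
check_krb5_conf() {               # check_krb5_conf FILE
    conf=$1; rc=0
    realm=$(krb5_get "$conf" libdefaults default_realm)
    [ -n "$realm" ] || { echo "$conf: no default_realm" >&2; return 1; }
    [ "$realm" = "$(printf %s "$realm" | tr a-z A-Z)" ] ||
        { echo "$conf: default_realm $realm is not upper case" >&2; rc=1; }
    for key in kdc admin_server; do
        [ -n "$(krb5_realm_get "$conf" "$realm" "$key")" ] ||
            { echo "$conf: realm $realm has no $key" >&2; rc=1; }
    done
    for target in $(awk '{ line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
            line ~ /^\[.*]$/ { insect = (line == "[domain_realm]"); next }
            insect && $2 == "=" { print $3 }' "$conf"); do
        [ -n "$(krb5_realm_get "$conf" "$target" kdc)" ] ||
            { echo "$conf: [domain_realm] maps to unknown realm $target" >&2; rc=1; }
    done
    return $rc
}

# Return 0 when FILE is a regular file with mode 0600 owned by OWNER (root by
# default), which is what the text above requires for /etc/krb5.keytab.
check_keytab() {                  # check_keytab FILE [OWNER]
    [ -f "$1" ] || { echo "$1: missing" >&2; return 1; }
    info=$(ls -ld "$1")
    case $info in
        -rw-------*) ;;
        *) echo "$1: mode is not 600 (got ${info%% *})" >&2; return 1 ;;
    esac
    [ "$(printf %s "$info" | awk '{ print $3 }')" = "${2:-root}" ] ||
        { echo "$1: not owned by ${2:-root}" >&2; return 1; }
}
```

Run it as <command>check_krb5_conf /etc/krb5.conf &amp;&amp; check_keytab /etc/krb5.keytab</command> after the steps above; a non-zero exit status with a message on stderr names the first thing to fix.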

<para>
Eventually, you'll want to add server daemon principals to the database
and extract them to the keytab file. You do this in the same way you
created the host principal. Below is an example:
</para>

<screen><prompt>kadmin:</prompt><userinput><command>addprinc -randkey ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput>
<prompt>kadmin:</prompt><userinput><command>ktadd ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>

<para>
Exit the <command>kadmin</command> program (use <command>quit</command>
or <command>exit</command>) and return to the shell prompt. Start
the <acronym>KDC</acronym> daemon manually, just to test out the
installation:
</para>

<screen><userinput><command>/usr/sbin/krb5kdc &amp;</command></userinput></screen>

<para>
Attempt to get a ticket with the following command:
</para>

<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>

<para>
You will be prompted for the password you created. After you get your
ticket, you can list it with the following command:
</para>

<screen><userinput><command>klist</command></userinput></screen>

<para>
Information about the ticket should be displayed on the screen.
</para>

<para>
To test the functionality of the keytab file, issue the following
command:
</para>

<screen><userinput><command>ktutil</command></userinput>
<prompt>ktutil:</prompt><userinput><command>rkt /etc/krb5.keytab</command></userinput>
<prompt>ktutil:</prompt><userinput><command>l</command></userinput></screen>

<para>
This should dump a list of the host principal, along with the encryption
methods used to access the principal.
</para>

<para>
At this point, if everything has been successful so far, you can feel
fairly confident in the installation and configuration of the package.
</para>

<para>
Install the <filename>/etc/rc.d/init.d/kerberos</filename> init script
included in the <xref linkend="intro-important-bootscripts"/> package.
</para>

<screen><userinput><command>make install-kerberos</command></userinput></screen>

</sect4>

<sect4><title>Using Kerberized Client Programs</title>

<para>
To use the kerberized client programs (<command>telnet</command>,
<command>ftp</command>, <command>rsh</command>,
<command>rcp</command>, <command>rlogin</command>), you first must get
an authentication ticket. Use the <command>kinit</command> program to
get the ticket. After you've acquired the ticket, you can use the
kerberized programs to connect to any kerberized server on the network.
You will not be prompted for authentication until your ticket expires
(default is one day), unless you specify a different user as a command
line argument to the program.
</para>

<para>
The kerberized programs will connect to non-kerberized daemons, warning
you that authentication is not encrypted.
</para>
</sect4>

<sect4><title>Using Kerberized Server Programs</title>
<para>
Using kerberized server programs (<command>telnetd</command>,
<command>kpropd</command>, <command>klogind</command> and
<command>kshd</command>) requires two additional configuration steps.
First the <filename>/etc/services</filename> file must be updated to
include eklogin and krb5_prop. Second, the <filename>inetd.conf</filename>
or <filename>xinetd.conf</filename> must be modified for each server that will
be activated, usually replacing the server from <xref linkend="inetutils"/>.
</para>
</sect4>

<sect4><title>Additional Information</title>
<para>
For additional information consult <ulink
url="http://web.mit.edu/kerberos/www/krb5-1.3/#documentation">Documentation
for krb5-&mitkrb-version;</ulink> on which the above instructions are based.
</para>

</sect4>

</sect3>

</sect2>

<sect2>
<title>Contents</title>

<para>
The <application>MIT krb5</application> package contains
<command>compile_et</command>,
<command>ftp</command>,
<command>ftpd</command>,
<command>gss-client</command>,
<command>gss-server</command>,
<command>k5srvutil</command>,
<command>kadmin</command>,
<command>kadmin.local</command>,
<command>kadmind</command>,
<command>kadmind4</command>,
<command>kdb5_util</command>,
<command>kdestroy</command>,
<command>kinit</command>,
<command>klist</command>,
<command>klogind</command>,
<command>kpasswd</command>,
<command>kprop</command>,
<command>kpropd</command>,
<command>krb5-send-pr</command>,
<command>krb5-config</command>,
<command>krb524d</command>,
<command>krb524init</command>,
<command>krb5kdc</command>,
<command>kshd</command>,
<command>ksu</command>,
<command>ktutil</command>,
<command>kvno</command>,
<command>login.krb5</command>,
<command>rcp</command>,
<command>rlogin</command>,
<command>rsh</command>,
<command>rshd</command>,
<command>rxtelnet</command>,
<command>rxterm</command>,
<command>sclient</command>,
<command>sim_client</command>,
<command>sim_server</command>,
<command>sserver</command>,
<command>telnet</command>,
<command>telnetd</command>,
<command>uuclient</command>,
<command>uuserver</command>,
<command>v5passwd</command>,
<command>v5passwdd</command>,
<filename class="libraryfile">libcom_err</filename>,
<filename class="libraryfile">libdes425</filename>,
<filename class="libraryfile">libgssapi</filename>,
<filename class="libraryfile">libgssrpc</filename>,
<filename class="libraryfile">libk5crypto</filename>,
<filename class="libraryfile">libkadm5clnt</filename>,
<filename class="libraryfile">libkadm5srv</filename>,
<filename class="libraryfile">libkdb5</filename>,
<filename class="libraryfile">libkrb4</filename> and
<filename class="libraryfile">libkrb5</filename>.
</para>

</sect2>

<sect2><title>Description</title>

<sect3><title>compile_et</title>
<para>
<command>compile_et</command> converts the table listing
error-code names into a <application>C</application> source file.
</para>
</sect3>

<sect3><title>k5srvutil</title>
<para>
<command>k5srvutil</command> is a host keytable manipulation utility.
</para>
</sect3>

<sect3><title>kadmin</title>
<para>
<command>kadmin</command> is a utility used to make modifications
to the Kerberos database.
</para>
</sect3>

<sect3><title>kadmind</title>
<para>
<command>kadmind</command> is a server for administrative access
to a Kerberos database.
</para>
</sect3>

<sect3><title>kinit</title>
<para>
<command>kinit</command> is used to authenticate to the Kerberos server as
a principal and acquire a ticket granting ticket that can later be used to
obtain tickets for other services.
</para>
</sect3>

<sect3><title>krb5kdc</title>
<para>
<command>krb5kdc</command> is a Kerberos 5 server.
</para>
</sect3>

<sect3><title>kdestroy</title>
<para>
<command>kdestroy</command> removes the current set of tickets.
</para>
</sect3>

<sect3><title>kdb5_util</title>
<para>
<command>kdb5_util</command> is the <acronym>KDC</acronym> database utility.
</para>
</sect3>

<sect3><title>klist</title>
<para>
<command>klist</command> reads and displays the current tickets in
the credential cache.
</para>
</sect3>

<sect3><title>klogind</title>
<para>
<command>klogind</command> is the server that responds to
<command>rlogin</command> requests.
</para>
</sect3>

<sect3><title>kpasswd</title>
<para>
<command>kpasswd</command> is a program for changing Kerberos 5 passwords.
</para>
</sect3>

<sect3><title>kprop</title>
<para>
<command>kprop</command> takes a principal database in a specified
format and converts it into a stream of database records.
</para>
</sect3>

<sect3><title>kpropd</title>
<para>
<command>kpropd</command> receives a database sent by
<command>hprop</command> and writes it as a local database.
</para>
</sect3>

<sect3><title>krb5-config</title>
<para>
<command>krb5-config</command> gives information on how to link
programs against libraries.
</para>
</sect3>

<sect3><title>ksu</title>
<para>
<command>ksu</command> is the super user program using the Kerberos protocol.
It requires a properly configured
<filename class="directory">/etc/shells</filename> and a
<filename>~/.k5login</filename> containing the principals authorized to
become super users.
</para>
</sect3>

<sect3><title>ktutil</title>
<para>
<command>ktutil</command> is a program for managing Kerberos keytabs.
</para>
</sect3>

<sect3><title>kvno</title>
<para>
<command>kvno</command> prints the key version numbers of Kerberos principals.
</para>
</sect3>

</sect2>

</sect1>