source: postlfs/security/mitkrb.xml@ 6a2bce2

10.0 10.1 11.0 6.0 6.1 6.2 6.2.0 6.2.0-rc1 6.2.0-rc2 6.3 6.3-rc1 6.3-rc2 6.3-rc3 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 ken/refactor-virt krejzi/svn lazarus nosym perl-modules qt5new systemd-11177 systemd-13485 trunk xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since 6a2bce2 was 6a2bce2, checked in by Randy McMurchy <randy@…>, 17 years ago

Cleaned up indexing tags (should all be correct now)

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3292 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 17.1 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY mitkrb-download-http "http://web.mit.edu/kerberos/www/dist/krb5/1.3/krb5-&mitkrb-version;.tar">
8 <!ENTITY mitkrb-download-ftp " ">
9 <!ENTITY mitkrb-size "6.3 MB">
10 <!ENTITY mitkrb-buildsize "64 MB">
11 <!ENTITY mitkrb-time "2.55 SBU">
12]>
13
14<sect1 id="mitkrb" xreflabel="MIT krb5-&mitkrb-version;">
15<sect1info>
16<othername>$LastChangedBy$</othername>
17<date>$Date$</date>
18</sect1info>
19<?dbhtml filename="mitkrb.html"?>
20<title><acronym>MIT</acronym> krb5-&mitkrb-version;</title>
21<indexterm zone="mitkrb">
22<primary sortas="a-Kerberos-MIT">Kerberos5(MIT)</primary></indexterm>
23
24<sect2>
25<title>Introduction to <application><acronym>MIT</acronym>
26krb5</application></title>
27
28<para>
29<application><acronym>MIT</acronym> krb5</application> is a free
30implementation of Kerberos 5. Kerberos is a network authentication
31protocol. It centralizes the authentication database and uses kerberized
32applications to work with servers or services that support Kerberos
33allowing single logins and encrypted communication over internal
34networks or the Internet.
35</para>
36
37<sect3><title>Package information</title>
38<itemizedlist spacing='compact'>
39<listitem><para>Download (HTTP):
40<ulink url="&mitkrb-download-http;"/></para></listitem>
41<listitem><para>Download (FTP):
42<ulink url="&mitkrb-download-ftp;"/></para></listitem>
43<listitem><para>Download size: &mitkrb-size;</para></listitem>
44<listitem><para>Estimated disk space required:
45&mitkrb-buildsize;</para></listitem>
46<listitem><para>Estimated build time:
47&mitkrb-time;</para></listitem></itemizedlist>
48</sect3>
49
50<sect3><title><application><acronym>MIT</acronym> krb5</application>
51dependencies</title>
52<sect4><title>Optional</title>
53<para>
54<xref linkend="xinetd"/> (services servers only),
55<xref linkend="Linux_PAM"/> (for <command>xdm</command> based logins) and
56<xref linkend="openldap"/> (alternative for <command>krb5kdc</command>
57password database)
58</para>
59
60<note><para>
61Some sort of time synchronization facility on your system (like
62<xref linkend="ntp"/>) is required since Kerberos won't authenticate if there
63is a time difference between a kerberized client and the
64<acronym>KDC</acronym> server.</para></note>
65</sect4>
66
67</sect3>
68
69</sect2>
70
71<sect2>
72<title>Installation of <application><acronym>MIT</acronym>
73krb5</application></title>
74
75<para>
76<application><acronym>MIT</acronym> krb5</application> is distributed in a
77<acronym>TAR</acronym> file containing a compressed <acronym>TAR</acronym>
78package and a detached <acronym>PGP</acronym>
79<filename class="extension">ASC</filename> file.
80</para>
81
82<para>
83If you have installed <xref linkend="gnupg"/>, you can
84authenticate the package with the following command:
85</para>
86
87<screen><userinput><command>gpg --verify krb5-&mitkrb-version;.tar.gz.asc krb5-&mitkrb-version;.tar.gz</command></userinput></screen>
88
89<para>
90Build <application><acronym>MIT</acronym> krb5</application> by running the
91following commands:
92</para>
93
94<screen><userinput><command>cd src &amp;&amp;
95./configure --prefix=/usr --sysconfdir=/etc \
96 --localstatedir=/var/lib --enable-dns \
97 --enable-shared --mandir=/usr/share/man &amp;&amp;
98make</command></userinput></screen>
99
100<para>
101Install <application><acronym>MIT</acronym> krb5</application> by
102running the following commands as root:
103</para>
104
105<screen><userinput><command>make install &amp;&amp;
106mv /bin/login /bin/login.shadow &amp;&amp;
107cp /usr/sbin/login.krb5 /bin/login &amp;&amp;
108mv /usr/bin/ksu /bin &amp;&amp;
109mv /usr/lib/libkrb5.so.3* /lib &amp;&amp;
110mv /usr/lib/libkrb4.so.2* /lib &amp;&amp;
111mv /usr/lib/libdes425.so.3* /lib &amp;&amp;
112mv /usr/lib/libk5crypto.so.3* /lib &amp;&amp;
113mv /usr/lib/libcom_err.so.3* /lib &amp;&amp;
114ln -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so &amp;&amp;
115ln -sf ../../lib/libkrb4.so.2 /usr/lib/libkrb4.so &amp;&amp;
116ln -sf ../../lib/libdes425.so.3 /usr/lib/libdes425.so &amp;&amp;
117ln -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so &amp;&amp;
118ln -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so &amp;&amp;
119ldconfig</command></userinput></screen>
120
121</sect2>
122
123<sect2>
124<title>Command explanations</title>
125
126<para>
127<parameter>--enable-dns</parameter>: This switch allows realms to
128be resolved using the <acronym>DNS</acronym> server.
129</para>
130
131<para>
132<screen><command>mv /bin/login /bin/login.shadow
133cp /usr/sbin/login.krb5 /bin/login
134mv /usr/bin/ksu /bin</command></screen>
135Preserves <application>Shadow</application>'s <command>login</command>
136command, moves <command>ksu</command> and <command>login</command> to
137the <filename class="directory">/bin</filename> directory.
138</para>
139
140<para>
141<screen><command>mv /usr/lib/libkrb5.so.3* /lib
142mv /usr/lib/libkrb4.so.2* /lib
143mv /usr/lib/libdes425.so.3* /lib
144mv /usr/lib/libk5crypto.so.3* /lib
145mv /usr/lib/libcom_err.so.3* /lib
146ln -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so
147ln -sf ../../lib/libkrb4.so.2 /usr/lib/libkrb4.so
148ln -sf ../../lib/libdes425.so.3 /usr/lib/libdes425.so
149ln -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so
150ln -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so</command></screen>
151The <command>login</command> and <command>ksu</command> programs
152are linked against these libraries, therefore we move these libraries to
153<filename class="directory">/lib</filename> to allow logins without mounting
154<filename class="directory">/usr</filename>.
155</para>
156
157</sect2>
158
159<sect2>
160<title>Configuring <application><acronym>MIT</acronym> krb5</application></title>
161
162<sect3 id="krb5-config"><title>Config files</title>
163<para>
164<filename>/etc/krb5.conf</filename> and
165<filename>/var/lib/krb5kdc/kdc.conf</filename>
166</para>
167<indexterm zone="mitkrb krb5-config">
168<primary sortas="e-etc-krb5.conf">/etc/krb5.conf</primary></indexterm>
169<indexterm zone="mitkrb krb5-config">
170<primary sortas="e-var-lib-krb5kdc-kdc.conf">/var/lib/krb5kdc/kdc.conf</primary>
171</indexterm>
172</sect3>
173
174<sect3><title>Configuration Information</title>
175
176<sect4><title>Kerberos Configuration</title>
177<para>
178Create the Kerberos configuration file with the following command:
179</para>
180
181<screen><userinput><command>cat &gt; /etc/krb5.conf &lt;&lt; "EOF"</command>
182# Begin /etc/krb5.conf
183
184[libdefaults]
185 default_realm = <replaceable>[LFS.ORG]</replaceable>
186 encrypt = true
187
188[realms]
189 <replaceable>[LFS.ORG]</replaceable> = {
190 kdc = <replaceable>[belgarath.lfs.org]</replaceable>
191 admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
192 }
193
194[domain_realm]
195 .<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>
196
197[logging]
198 kdc = SYSLOG[:INFO[:AUTH]]
199 admin_server = SYSLOG[INFO[:AUTH]]
200 default = SYSLOG[[:SYS]]
201
202# End /etc/krb5.conf
203<command>EOF</command></userinput></screen>
204
205<para>
206You will need to substitute your domain and proper hostname for the
207occurances of the <replaceable>[belgarath]</replaceable> and
208<replaceable>[lfs.org]</replaceable> names.
209</para>
210
211<para>
212<userinput>default_realm</userinput> should be the name of your domain changed
213to ALL CAPS. This isn't required, but both <application>Heimdal</application>
214and <acronym>MIT</acronym> recommend it.
215</para>
216
217<para>
218<userinput>encrypt = true</userinput> provides encryption of all traffic
219between kerberized clients and servers. It's not necessary and can be left
220off. If you leave it off, you can encrypt all traffic from the client to the
221server using a switch on the client program instead.
222</para>
223
224<para>
225The <userinput>[realms]</userinput> parameters tell the client programs where
226to look for the <acronym>KDC</acronym> authentication services.
227</para>
228
229<para>
230The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
231</para>
232
233<para>
234Create the <acronym>KDC</acronym> database:
235</para>
236
237<screen><userinput><command>kdb5_util create -r <replaceable>[LFS.ORG]</replaceable> -s </command></userinput></screen>
238
239<para>
240Now you should populate the database with principles (users). For now,
241just use your regular login name or root.
242</para>
243
244<screen><userinput><command>kadmin.local</command></userinput>
245<prompt>kadmin:</prompt><userinput><command>addprinc <replaceable>[loginname]</replaceable></command></userinput></screen>
246
247<para>
248The <acronym>KDC</acronym> server and any machine running kerberized
249server daemons must have a host key installed:
250</para>
251
252<screen><prompt>kadmin:</prompt><userinput><command>addprinc -randkey host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
253
254<para>
255After choosing the defaults when prompted, you will have to export the
256data to a keytab file:
257</para>
258
259<screen><prompt>kadmin:</prompt><userinput><command>ktadd host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
260
261<para>
262This should have created a file in <filename class="directory">/etc</filename>
263named <filename>krb5.keytab</filename> (Kerberos 5). This file should have 600
264(root rw only) permissions. Keeping the keytab files from public access
265is crucial to the overall security of the Kerberos installation.
266</para>
267
268<para>
269Eventually, you'll want to add server daemon principles to the database
270and extract them to the keytab file. You do this in the same way you
271created the host principles. Below is an example:
272</para>
273
274<screen><prompt>kadmin:</prompt><userinput><command>addprinc -randkey ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput>
275<prompt>kadmin:</prompt><userinput><command>ktadd ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
276
277<para>
278Exit the <command>kadmin</command> program (use <command>quit</command>
279or <command>exit</command>) and return back to the shell prompt. Start
280the <acronym>KDC</acronym> daemon manually, just to test out the
281installation:
282</para>
283
284<screen><userinput><command>/usr/sbin/krb5kdc &amp;</command></userinput></screen>
285
286<para>
287Attempt to get a ticket with the following command:
288</para>
289
290<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
291
292<para>
293You will be prompted for the password you created. After you get your
294ticket, you can list it with the following command:
295</para>
296
297<screen><userinput><command>klist</command></userinput></screen>
298
299<para>
300Information about the ticket should be displayed on the screen.
301</para>
302
303<para>
304To test the functionality of the keytab file, issue the following
305command:
306</para>
307
308<screen><userinput><command>ktutil</command></userinput>
309<prompt>ktutil:</prompt><userinput><command>rkt /etc/krb5.keytab</command></userinput>
310<prompt>ktutil:</prompt><userinput><command>l</command></userinput></screen>
311
312<para>
313This should dump a list of the host principal, along with the encryption
314methods used to access the principal.
315</para>
316
317<para>
318At this point, if everything has been successful so far, you can feel
319fairly confident in the installation and configuration of the package.
320</para>
321
322<para>
323Install the <filename>/etc/rc.d/init.d/kerberos</filename> init script
324included in the <xref linkend="intro-important-bootscripts"/> package.
325</para>
326
327<screen><userinput><command>make install-kerberos</command></userinput></screen>
328
329</sect4>
330
331<sect4><title>Using Kerberized Client Programs</title>
332
333<para>
334To use the kerberized client programs (<command>telnet</command>,
335<command>ftp</command>, <command>rsh</command>,
336<command>rcp</command>, <command>rlogin</command>), you first must get
337an authentication ticket. Use the <command>kinit</command> program to
338get the ticket. After you've acquired the ticket, you can use the
339kerberized programs to connect to any kerberized server on the network.
340You will not be prompted for authentication until your ticket expires
341(default is one day), unless you specify a different user as a command
342line argument to the program.
343</para>
344
345<para>
346The kerberized programs will connect to non kerberized daemons, warning
347you that authentication is not encrypted.
348</para>
349</sect4>
350
351<sect4><title>Using Kerberized Server Programs</title>
352<para>
353Using kerberized server programs (<command>telnetd</command>,
354<command>kpropd</command>, <command>klogind</command> and
355<command>kshd</command>) requires two additional configuration steps.
356First the <filename>/etc/services</filename> file must be updated to
357include eklogin and krb5_prop. Second, the <filename>inetd.conf</filename>
358or <filename>xinetd.conf</filename> must be modified for each server that will
359be activated, usually replacing the server from <xref linkend="inetutils"/>.
360</para>
361</sect4>
362
363<sect4><title>Additional Information</title>
364<para>
365For additional information consult <ulink
366url="http://web.mit.edu/kerberos/www/krb5-1.3/#documentation">Documentation
367for krb-&mitkrb-version;</ulink> on which the above instructions are based.
368</para>
369
370</sect4>
371
372</sect3>
373
374</sect2>
375
376<sect2>
377<title>Contents</title>
378
379<para>
380The <application>MIT krb5</application> package contains
381<command>compile-et</command>,
382<command>ftp</command>,
383<command>ftpd</command>,
384<command>gss-client</command>,
385<command>gss-server</command>,
386<command>k5srvutil</command>,
387<command>kadmin</command>,
388<command>kadmin.local</command>,
389<command>kadmind</command>,
390<command>kadmind4</command>,
391<command>kdb5_util</command>
392<command>kdestroy</command>,
393<command>kinit</command>,
394<command>klist</command>,
395<command>klogind</command>,
396<command>kpasswd</command>,
397<command>kprop</command>,
398<command>kpropd</command>,
399<command>krb5-send-pr</command>,
400<command>krb5-config</command>,
401<command>krb524d</command>,
402<command>krb524init</command>,
403<command>krb5kdc</command>,
404<command>kshd</command>,
405<command>ksu</command>,
406<command>ktutil</command>,
407<command>kvno</command>,
408<command>login.krb5</command>,
409<command>rcp</command>,
410<command>rlogin</command>,
411<command>rsh</command>,
412<command>rshd</command>,
413<command>rxtelnet</command>,
414<command>rxterm</command>,
415<command>sclient</command>,
416<command>sim_client</command>,
417<command>sim_server</command>,
418<command>sserver</command>,
419<command>telnet</command>,
420<command>telnetd</command>,
421<command>uuclient</command>,
422<command>uuserver</command>,
423<command>v5passwd</command>,
424<command>v5passwdd</command>,
425<filename class="libraryfile">libcom_err</filename>,
426<filename class="libraryfile">libdes425</filename>,
427<filename class="libraryfile">libgssapi</filename>,
428<filename class="libraryfile">libgssrpc</filename>,
429<filename class="libraryfile">lib5crypto</filename>,
430<filename class="libraryfile">libkadm5clnt</filename>,
431<filename class="libraryfile">libkadm5srv</filename>,
432<filename class="libraryfile">libkdb5</filename>,
433<filename class="libraryfile">libkrb4</filename> and
434<filename class="libraryfile">libkrb5</filename>.
435</para>
436
437</sect2>
438
439<sect2><title>Description</title>
440
441<sect3><title>compile_et</title>
442<para>
443<command>compile_et</command> converts the table listing
444error-code names into a <application>C</application> source file.
445</para>
446</sect3>
447
448<sect3><title>k5srvutil</title>
449<para>
450<command>k5srvutil</command> is a host keytable manipulation utility.
451</para>
452</sect3>
453
454<sect3><title>kadmin</title>
455<para>
456<command>kadmin</command> is an utility used to make modifications
457to the Kerberos database.
458</para>
459</sect3>
460
461<sect3><title>kadmind</title>
462<para>
463<command>kadmind</command> is a server for administrative access
464to a Kerberos database.
465</para>
466</sect3>
467
468<sect3><title>kinit</title>
469<para>
470<command>kinit</command> is used to authenticate to the Kerberos server as
471a principal and acquire a ticket granting ticket that can later be used to
472obtain tickets for other services.
473</para>
474</sect3>
475
476<sect3><title>krb5kdc</title>
477<para>
478<command>krb5kdc</command> is a Kerberos 5 server.
479</para>
480</sect3>
481
482<sect3><title>kdestroy</title>
483<para>
484<command>kdestroy</command> removes the current set of tickets.
485</para>
486</sect3>
487
488<sect3><title>kdb5_util</title>
489<para>
490<command>kdb5_util</command> is the <acronym>KDC</acronym> database utility.
491</para>
492</sect3>
493
494<sect3><title>klist</title>
495<para>
496<command>klist</command> reads and displays the current tickets in
497the credential cache.
498</para>
499</sect3>
500
501<sect3><title>klogind</title>
502<para>
503<command>klogind</command> is the server that responds to
504<command>rlogin</command> requests.
505</para>
506</sect3>
507
508<sect3><title>kpasswd</title>
509<para>
510<command>kpasswd</command> is a program for changing Kerberos 5 passwords.
511</para>
512</sect3>
513
514<sect3><title>kprop</title>
515<para>
516<command>kprop</command> takes a principal database in a specified
517format and converts it into a stream of database
518records.
519</para>
520</sect3>
521
522<sect3><title>kpropd</title>
523<para>
524<command>kpropd</command> receives a database sent by
525<command>hprop</command> and writes it as a local database.
526</para>
527</sect3>
528
529<sect3><title>krb5-config</title>
530<para>
531<command>krb5-config</command> gives information on how to link
532programs against libraries.
533</para>
534</sect3>
535
536<sect3><title>ksu</title>
537<para>
538<command>ksu</command> is the super user program using Kerberos protocol.
539Requires a properly configured
540<filename class="directory">/etc/shells</filename> and
541<filename>~/.k5login</filename> containing principals authorized to
542become super users.
543</para>
544</sect3>
545
546<sect3><title>ktutil</title>
547<para>
548<command>ktutil</command> is a program for managing Kerberos keytabs.
549</para>
550</sect3>
551
552<sect3><title>kvno</title>
553<para>
554<command>kvno</command> prints keyversion numbers of Kerberos principals.
555</para>
556</sect3>
557
558</sect2>
559
560</sect1>
Note: See TracBrowser for help on using the repository browser.