source: postlfs/security/mitkrb.xml@ 8d9eb0f

10.0 10.1 11.0 11.1 11.2 6.0 6.1 6.2 6.2.0 6.2.0-rc1 6.2.0-rc2 6.3 6.3-rc1 6.3-rc2 6.3-rc3 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 krejzi/svn lazarus nosym perl-modules plabs/python-mods qt5new systemd-11177 systemd-13485 trunk upgradedb xry111/intltool xry111/soup3 xry111/test-20220226
Last change on this file since 8d9eb0f was 8d9eb0f, checked in by Randy McMurchy <randy@…>, 18 years ago

Shortened line lengths in various package instructions so that the instructions fit into the PDF viewable area (through page 250)

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3274 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 17.1 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY mitkrb-download-http "http://web.mit.edu/kerberos/www/dist/krb5/1.3/krb5-&mitkrb-version;.tar">
8 <!ENTITY mitkrb-download-ftp " ">
9 <!ENTITY mitkrb-size "6.3 MB">
10 <!ENTITY mitkrb-buildsize "64 MB">
11 <!ENTITY mitkrb-time "2.55 SBU">
12]>
13
14<sect1 id="mitkrb" xreflabel="MIT krb5-&mitkrb-version;">
15<sect1info>
16<othername>$LastChangedBy$</othername>
17<date>$Date$</date>
18</sect1info>
19<?dbhtml filename="mitkrb.html"?>
20<title><acronym>MIT</acronym> krb5-&mitkrb-version;</title>
21<indexterm zone="mitkrb">
22<primary sortas="a-kerberos-MIT">Kerberos5(MIT)</primary></indexterm>
23
24<sect2>
25<title>Introduction to <application><acronym>MIT</acronym>
26krb5</application></title>
27
28<para>
29<application><acronym>MIT</acronym> krb5</application> is a free
30implementation of Kerberos 5. Kerberos is a network authentication
31protocol. It centralizes the authentication database and uses kerberized
32applications to work with servers or services that support Kerberos
33allowing single logins and encrypted communication over internal
34networks or the Internet.
35</para>
36
37<sect3><title>Package information</title>
38<itemizedlist spacing='compact'>
39<listitem><para>Download (HTTP):
40<ulink url="&mitkrb-download-http;"/></para></listitem>
41<listitem><para>Download (FTP):
42<ulink url="&mitkrb-download-ftp;"/></para></listitem>
43<listitem><para>Download size: &mitkrb-size;</para></listitem>
44<listitem><para>Estimated disk space required:
45&mitkrb-buildsize;</para></listitem>
46<listitem><para>Estimated build time:
47&mitkrb-time;</para></listitem></itemizedlist>
48</sect3>
49
50<sect3><title><application><acronym>MIT</acronym> krb5</application>
51dependencies</title>
52<sect4><title>Optional</title>
53<para>
54<xref linkend="xinetd"/> (services servers only),
55<xref linkend="Linux_PAM"/> (for <command>xdm</command> based logins) and
56<xref linkend="openldap"/> (alternative for <command>krb5kdc</command>
57password database)
58</para>
59
60<note><para>
61Some sort of time synchronization facility on your system (like
62<xref linkend="ntp"/>) is required since Kerberos won't authenticate if there
63is a time difference between a kerberized client and the
64<acronym>KDC</acronym> server.</para></note>
65</sect4>
66
67</sect3>
68
69</sect2>
70
71<sect2>
72<title>Installation of <application><acronym>MIT</acronym>
73krb5</application></title>
74
75<para>
76<application><acronym>MIT</acronym> krb5</application> is distributed in a
77<acronym>TAR</acronym> file containing a compressed <acronym>TAR</acronym>
78package and a detached <acronym>PGP</acronym>
79<filename class="extension">ASC</filename> file.
80</para>
81
82<para>
83If you have installed <xref linkend="gnupg"/>, you can
84authenticate the package with the following command:
85</para>
86
87<screen><userinput><command>gpg --verify krb5-&mitkrb-version;.tar.gz.asc krb5-&mitkrb-version;.tar.gz</command></userinput></screen>
88
89<para>
90Build <application><acronym>MIT</acronym> krb5</application> by running the
91following commands:
92</para>
93
94<screen><userinput><command>cd src &amp;&amp;
95./configure --prefix=/usr --sysconfdir=/etc \
96 --localstatedir=/var/lib --enable-dns \
97 --enable-shared --mandir=/usr/share/man &amp;&amp;
98make</command></userinput></screen>
99
100<para>
101Install <application><acronym>MIT</acronym> krb5</application> by
102running the following commands as root:
103</para>
104
105<screen><userinput><command>make install &amp;&amp;
106mv /bin/login /bin/login.shadow &amp;&amp;
107cp /usr/sbin/login.krb5 /bin/login &amp;&amp;
108mv /usr/bin/ksu /bin &amp;&amp;
109mv /usr/lib/libkrb5.so.3* /lib &amp;&amp;
110mv /usr/lib/libkrb4.so.2* /lib &amp;&amp;
111mv /usr/lib/libdes425.so.3* /lib &amp;&amp;
112mv /usr/lib/libk5crypto.so.3* /lib &amp;&amp;
113mv /usr/lib/libcom_err.so.3* /lib &amp;&amp;
114ln -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so &amp;&amp;
115ln -sf ../../lib/libkrb4.so.2 /usr/lib/libkrb4.so &amp;&amp;
116ln -sf ../../lib/libdes425.so.3 /usr/lib/libdes425.so &amp;&amp;
117ln -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so &amp;&amp;
118ln -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so &amp;&amp;
119ldconfig</command></userinput></screen>
120
121</sect2>
122
123<sect2>
124<title>Command explanations</title>
125
126<para>
127<parameter>--enable-dns</parameter>: This switch allows realms to
128be resolved using the <acronym>DNS</acronym> server.
129</para>
130
131<para>
132<screen><command>mv /bin/login /bin/login.shadow
133cp /usr/sbin/login.krb5 /bin/login
134mv /usr/bin/ksu /bin</command></screen>
135Preserves <application>Shadow</application>'s <command>login</command>
136command, moves <command>ksu</command> and <command>login</command> to
137the <filename class="directory">/bin</filename> directory.
138</para>
139
140<para>
141<screen><command>mv /usr/lib/libkrb5.so.3* /lib
142mv /usr/lib/libkrb4.so.2* /lib
143mv /usr/lib/libdes425.so.3* /lib
144mv /usr/lib/libk5crypto.so.3* /lib
145mv /usr/lib/libcom_err.so.3* /lib
146ln -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so
147ln -sf ../../lib/libkrb4.so.2 /usr/lib/libkrb4.so
148ln -sf ../../lib/libdes425.so.3 /usr/lib/libdes425.so
149ln -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so
150ln -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so</command></screen>
151The <command>login</command> and <command>ksu</command> programs
152are linked against these libraries, therefore we move these libraries to
153<filename class="directory">/lib</filename> to allow logins without mounting
154<filename class="directory">/usr</filename>.
155</para>
156
157</sect2>
158
159<sect2>
160<title>Configuring <application><acronym>MIT</acronym> krb5</application></title>
161
162<sect3 id="krb5-config"><title>Config files</title>
163<para>
164<filename>/etc/krb5.conf</filename> and
165<filename>/var/lib/krb5kdc/kdc.conf</filename>
166</para>
167<indexterm zone="mitkrb krb5-config">
168<primary sortas="e-etc-krb5.conf">/etc/krb5.conf</primary></indexterm>
169<indexterm zone="mitkrb krb5-config">
170<primary sortas="e-var-lib-krb5kdc-kdc.conf">/var/lib/krb5kdc/kdc.conf</primary>
171</indexterm>
172</sect3>
173
174<sect3><title>Configuration Information</title>
175
176<sect4><title>Kerberos Configuration</title>
177
178<para>
179Create the Kerberos configuration file with the following command:
180</para>
181
182<screen><userinput><command>cat &gt; /etc/krb5.conf &lt;&lt; "EOF"</command>
183# Begin /etc/krb5.conf
184
185[libdefaults]
186 default_realm = <replaceable>[LFS.ORG]</replaceable>
187 encrypt = true
188
189[realms]
190 <replaceable>[LFS.ORG]</replaceable> = {
191 kdc = <replaceable>[belgarath.lfs.org]</replaceable>
192 admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
193 }
194
195[domain_realm]
196 .<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>
197
198[logging]
199 kdc = SYSLOG[:INFO[:AUTH]]
200 admin_server = SYSLOG[INFO[:AUTH]]
201 default = SYSLOG[[:SYS]]
202
203# End /etc/krb5.conf
204<command>EOF</command></userinput></screen>
205
206<para>
207You will need to substitute your domain and proper hostname for the
208occurances of the <replaceable>[belgarath]</replaceable> and
209<replaceable>[lfs.org]</replaceable> names.
210</para>
211
212<para>
213<userinput>default_realm</userinput> should be the name of your domain changed
214to ALL CAPS. This isn't required, but both <application>Heimdal</application>
215and <acronym>MIT</acronym> recommend it.
216</para>
217
218<para>
219<userinput>encrypt = true</userinput> provides encryption of all traffic
220between kerberized clients and servers. It's not necessary and can be left
221off. If you leave it off, you can encrypt all traffic from the client to the
222server using a switch on the client program instead.
223</para>
224
225<para>
226The <userinput>[realms]</userinput> parameters tell the client programs where
227to look for the <acronym>KDC</acronym> authentication services.
228</para>
229
230<para>
231The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
232</para>
233
234<para>
235Create the <acronym>KDC</acronym> database:
236</para>
237
238<screen><userinput><command>kdb5_util create -r <replaceable>[LFS.ORG]</replaceable> -s </command></userinput></screen>
239
240<para>
241Now you should populate the database with principles (users). For now,
242just use your regular login name or root.
243</para>
244
245<screen><userinput><command>kadmin.local</command></userinput>
246<prompt>kadmin:</prompt><userinput><command>addprinc <replaceable>[loginname]</replaceable></command></userinput></screen>
247
248<para>
249The <acronym>KDC</acronym> server and any machine running kerberized
250server daemons must have a host key installed:
251</para>
252
253<screen><prompt>kadmin:</prompt><userinput><command>addprinc -randkey host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
254
255<para>
256After choosing the defaults when prompted, you will have to export the
257data to a keytab file:
258</para>
259
260<screen><prompt>kadmin:</prompt><userinput><command>ktadd host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
261
262<para>
263This should have created a file in <filename class="directory">/etc</filename>
264named <filename>krb5.keytab</filename> (Kerberos 5). This file should have 600
265(root rw only) permissions. Keeping the keytab files from public access
266is crucial to the overall security of the Kerberos installation.
267</para>
268
269<para>
270Eventually, you'll want to add server daemon principles to the database
271and extract them to the keytab file. You do this in the same way you
272created the host principles. Below is an example:
273</para>
274
275<screen><prompt>kadmin:</prompt><userinput><command>addprinc -randkey ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput>
276<prompt>kadmin:</prompt><userinput><command>ktadd ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
277
278<para>
279Exit the <command>kadmin</command> program (use <command>quit</command>
280or <command>exit</command>) and return back to the shell prompt. Start
281the <acronym>KDC</acronym> daemon manually, just to test out the
282installation:
283</para>
284
285<screen><userinput><command>/usr/sbin/krb5kdc &amp;</command></userinput></screen>
286
287<para>
288Attempt to get a ticket with the following command:
289</para>
290
291<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
292
293<para>
294You will be prompted for the password you created. After you get your
295ticket, you can list it with the following command:
296</para>
297
298<screen><userinput><command>klist</command></userinput></screen>
299
300<para>
301Information about the ticket should be displayed on the screen.
302</para>
303
304<para>
305To test the functionality of the keytab file, issue the following
306command:
307</para>
308
309<screen><userinput><command>ktutil</command></userinput>
310<prompt>ktutil:</prompt><userinput><command>rkt /etc/krb5.keytab</command></userinput>
311<prompt>ktutil:</prompt><userinput><command>l</command></userinput></screen>
312
313<para>
314This should dump a list of the host principal, along with the encryption
315methods used to access the principal.
316</para>
317
318<para>
319At this point, if everything has been successful so far, you can feel
320fairly confident in the installation and configuration of the package.
321</para>
322
323<para>
324Install the <filename>/etc/rc.d/init.d/kerberos</filename> init script
325included in the <xref linkend="intro-important-bootscripts"/> package.
326</para>
327
328<screen><userinput><command>make install-kerberos</command></userinput></screen>
329
330</sect4>
331
332<sect4><title>Using Kerberized Client Programs</title>
333
334<para>
335To use the kerberized client programs (<command>telnet</command>,
336<command>ftp</command>, <command>rsh</command>,
337<command>rcp</command>, <command>rlogin</command>), you first must get
338an authentication ticket. Use the <command>kinit</command> program to
339get the ticket. After you've acquired the ticket, you can use the
340kerberized programs to connect to any kerberized server on the network.
341You will not be prompted for authentication until your ticket expires
342(default is one day), unless you specify a different user as a command
343line argument to the program.
344</para>
345
346<para>
347The kerberized programs will connect to non kerberized daemons, warning
348you that authentication is not encrypted.
349</para>
350</sect4>
351
352<sect4><title>Using Kerberized Server Programs</title>
353<para>
354Using kerberized server programs (<command>telnetd</command>,
355<command>kpropd</command>, <command>klogind</command> and
356<command>kshd</command>) requires two additional configuration steps.
357First the <filename>/etc/services</filename> file must be updated to
358include eklogin and krb5_prop. Second, the <filename>inetd.conf</filename>
359or <filename>xinetd.conf</filename> must be modified for each server that will
360be activated, usually replacing the server from <xref linkend="inetutils"/>.
361</para>
362</sect4>
363
364<sect4><title>Additional Information</title>
365<para>
366For additional information consult <ulink
367url="http://web.mit.edu/kerberos/www/krb5-1.3/#documentation">Documentation
368for krb-&mitkrb-version;</ulink> on which the above instructions are based.
369</para>
370
371</sect4>
372
373</sect3>
374
375</sect2>
376
377<sect2>
378<title>Contents</title>
379
380<para>
381The <application>MIT krb5</application> package contains
382<command>compile-et</command>,
383<command>ftp</command>,
384<command>ftpd</command>,
385<command>gss-client</command>,
386<command>gss-server</command>,
387<command>k5srvutil</command>,
388<command>kadmin</command>,
389<command>kadmin.local</command>,
390<command>kadmind</command>,
391<command>kadmind4</command>,
392<command>kdb5_util</command>
393<command>kdestroy</command>,
394<command>kinit</command>,
395<command>klist</command>,
396<command>klogind</command>,
397<command>kpasswd</command>,
398<command>kprop</command>,
399<command>kpropd</command>,
400<command>krb5-send-pr</command>,
401<command>krb5-config</command>,
402<command>krb524d</command>,
403<command>krb524init</command>,
404<command>krb5kdc</command>,
405<command>kshd</command>,
406<command>ksu</command>,
407<command>ktutil</command>,
408<command>kvno</command>,
409<command>login.krb5</command>,
410<command>rcp</command>,
411<command>rlogin</command>,
412<command>rsh</command>,
413<command>rshd</command>,
414<command>rxtelnet</command>,
415<command>rxterm</command>,
416<command>sclient</command>,
417<command>sim_client</command>,
418<command>sim_server</command>,
419<command>sserver</command>,
420<command>telnet</command>,
421<command>telnetd</command>,
422<command>uuclient</command>,
423<command>uuserver</command>,
424<command>v5passwd</command>,
425<command>v5passwdd</command>,
426<filename class="libraryfile">libcom_err</filename>,
427<filename class="libraryfile">libdes425</filename>,
428<filename class="libraryfile">libgssapi</filename>,
429<filename class="libraryfile">libgssrpc</filename>,
430<filename class="libraryfile">lib5crypto</filename>,
431<filename class="libraryfile">libkadm5clnt</filename>,
432<filename class="libraryfile">libkadm5srv</filename>,
433<filename class="libraryfile">libkdb5</filename>,
434<filename class="libraryfile">libkrb4</filename> and
435<filename class="libraryfile">libkrb5</filename>.
436</para>
437
438</sect2>
439
440<sect2><title>Description</title>
441
442<sect3><title>compile_et</title>
443<para>
444<command>compile_et</command> converts the table listing
445error-code names into a <application>C</application> source file.
446</para>
447</sect3>
448
449<sect3><title>k5srvutil</title>
450<para>
451<command>k5srvutil</command> is a host keytable manipulation utility.
452</para>
453</sect3>
454
455<sect3><title>kadmin</title>
456<para>
457<command>kadmin</command> is an utility used to make modifications
458to the Kerberos database.
459</para>
460</sect3>
461
462<sect3><title>kadmind</title>
463<para>
464<command>kadmind</command> is a server for administrative access
465to a Kerberos database.
466</para>
467</sect3>
468
469<sect3><title>kinit</title>
470<para>
471<command>kinit</command> is used to authenticate to the Kerberos server as
472a principal and acquire a ticket granting ticket that can later be used to
473obtain tickets for other services.
474</para>
475</sect3>
476
477<sect3><title>krb5kdc</title>
478<para>
479<command>krb5kdc</command> is a Kerberos 5 server.
480</para>
481</sect3>
482
483<sect3><title>kdestroy</title>
484<para>
485<command>kdestroy</command> removes the current set of tickets.
486</para>
487</sect3>
488
489<sect3><title>kdb5_util</title>
490<para>
491<command>kdb5_util</command> is the <acronym>KDC</acronym> database utility.
492</para>
493</sect3>
494
495<sect3><title>klist</title>
496<para>
497<command>klist</command> reads and displays the current tickets in
498the credential cache.
499</para>
500</sect3>
501
502<sect3><title>klogind</title>
503<para>
504<command>klogind</command> is the server that responds to
505<command>rlogin</command> requests.
506</para>
507</sect3>
508
509<sect3><title>kpasswd</title>
510<para>
511<command>kpasswd</command> is a program for changing Kerberos 5 passwords.
512</para>
513</sect3>
514
515<sect3><title>kprop</title>
516<para>
517<command>kprop</command> takes a principal database in a specified
518format and converts it into a stream of database
519records.
520</para>
521</sect3>
522
523<sect3><title>kpropd</title>
524<para>
525<command>kpropd</command> receives a database sent by
526<command>hprop</command> and writes it as a local database.
527</para>
528</sect3>
529
530<sect3><title>krb5-config</title>
531<para>
532<command>krb5-config</command> gives information on how to link
533programs against libraries.
534</para>
535</sect3>
536
537<sect3><title>ksu</title>
538<para>
539<command>ksu</command> is the super user program using Kerberos protocol.
540Requires a properly configured
541<filename class="directory">/etc/shells</filename> and
542<filename>~/.k5login</filename> containing principals authorized to
543become super users.
544</para>
545</sect3>
546
547<sect3><title>ktutil</title>
548<para>
549<command>ktutil</command> is a program for managing Kerberos keytabs.
550</para>
551</sect3>
552
553<sect3><title>kvno</title>
554<para>
555<command>kvno</command> prints keyversion numbers of Kerberos principals.
556</para>
557</sect3>
558
559</sect2>
560
561</sect1>
Note: See TracBrowser for help on using the repository browser.