source: postlfs/security/mitkrb.xml@ b4b71892

10.0 10.1 11.0 6.0 6.1 6.2 6.2.0 6.2.0-rc1 6.2.0-rc2 6.3 6.3-rc1 6.3-rc2 6.3-rc3 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 ken/refactor-virt krejzi/svn lazarus nosym perl-modules qt5new systemd-11177 systemd-13485 trunk xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since b4b71892 was b4b71892, checked in by Bruce Dubbs <bdubbs@…>, 17 years ago

New XML Chapter 4

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2288 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 15.6 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY mitkrb-download-http "http://web.mit.edu/kerberos/www/dist/krb5/1.3/krb5-&mitkrb-version;.tar">
8 <!ENTITY mitkrb-download-ftp " ">
9 <!ENTITY mitkrb-size "6.2 MB">
10 <!ENTITY mitkrb-buildsize "137.4 MB">
11 <!ENTITY mitkrb-time "2.55 SBU">
12]>
13
14
15<sect1 id="mitkrb" xreflabel="MIT krb5-&mitkrb-version;">
16<?dbhtml filename="mitkrb.html"?>
17<title>MIT krb5-&mitkrb-version;</title>
18
19<sect2>
20<title>Introduction to <application><acronym>MIT</acronym> krb5</application></title>
21
22<para>
23<application>MIT krb5</application> is a free implementation of Kerberos
245. Kerberos is a network authentication protocol. It centralizes the
25authentication database and uses kerberized applications to work with
26servers or services that support Kerberos allowing single logins and
27encrypted communication over internal networks or the Internet.</para>
28
29<sect3><title>Package information</title>
30<itemizedlist spacing='compact'>
31<listitem><para>Download (HTTP): <ulink url="&mitkrb-download-http;"/></para></listitem>
32<listitem><para>Download (FTP): <ulink url="&mitkrb-download-ftp;"/></para></listitem>
33<listitem><para>Download size: &mitkrb-size;</para></listitem>
34<listitem><para>Estimated Disk space required: &mitkrb-buildsize;</para></listitem>
35<listitem><para>Estimated build time: &mitkrb-time;</para></listitem></itemizedlist>
36</sect3>
37
38<sect3><title><application><acronym>MIT</acronym> krb5</application> dependencies</title>
39<sect4><title>Optional</title>
40<para>
41<xref linkend="xinetd"/> (services servers only),
42<xref linkend="Linux_PAM"/> (for xdm based logins) and
43<xref linkend="openldap"/> (alternative for krb5kdc password database)
44</para>
45
46<note><para>
47Some sort of time synchronization facility on your system (like <xref
48linkend="ntp"/>) is required since Kerberos won't authenticate if there
49is a time difference between a kerberized client and the
50<acronym>KDC</acronym> server.</para></note>
51</sect4>
52
53</sect3>
54
55</sect2>
56
57<sect2>
58<title>Installation of <application>MIT krb5</application></title>
59
60<para>Install <application>MIT krb5</application> by running the following commands:</para>
61
62<screen><userinput><command>./configure --prefix=/usr --sysconfdir=/etc \
63 --localstatedir=/var/lib --enable-dns --enable-shared --mandir=/usr/share/man &amp;&amp;
64make &amp;&amp;
65make install &amp;&amp;
66mv /bin/login /bin/login.shadow &amp;&amp;
67cp /usr/sbin/login.krb5 /bin/login &amp;&amp;
68mv /usr/bin/ksu /bin &amp;&amp;
69mv /usr/lib/libkrb5.so.3* /lib &amp;&amp;
70mv /usr/lib/libkrb4.so.2* /lib &amp;&amp;
71mv /usr/lib/libdes425.so.3* /lib &amp;&amp;
72mv /usr/lib/libk5crypto.so.3* /lib &amp;&amp;
73mv /usr/lib/libcom_err.so.3* /lib &amp;&amp;
74ln -sf ../../lib/libkrb5.so /usr/lib &amp;&amp;
75ln -sf ../../lib/libkrb4.so /usr/lib &amp;&amp;
76ln -sf ../../lib/libdes425.so /usr/lib &amp;&amp;
77ln -sf ../../lib/libk5crypto.so /usr/lib &amp;&amp;
78ln -sf ../../lib/libcom_err.so /usr/lib &amp;&amp;
79ldconfig</command></userinput></screen>
80
81</sect2>
82
83<sect2>
84<title>Command explanations</title>
85
86<para><parameter>--enable-dns</parameter>: This switch allows realms to
87be resolved using the <acronym>DNS</acronym> server.</para>
88
89<para><screen><command>mv /bin/login /bin/login.shadow
90cp /usr/sbin/login.krb5 /bin/login
91mv /usr/bin/ksu /bin</command></screen>
92Preserves <application>Shadow</application>'s <command>login</command>
93command, moves <command>ksu</command> and <command>login</command> to
94the <filename class="directory">/bin</filename> directory.</para>
95
96<para><screen><command>mv /usr/lib/libkrb5.so.3* /lib
97mv /usr/lib/libkrb4.so.2* /lib
98mv /usr/lib/libdes425.so.3* /lib
99mv /usr/lib/libk5crypto.so.3* /lib
100mv /usr/lib/libcom_err.so.3* /lib
101ln -sf ../../lib/libkrb5.so /usr/lib
102ln -sf ../../lib/libkrb4.so /usr/lib
103ln -sf ../../lib/libdes425.so /usr/lib
104ln -sf ../../lib/libk5crypto.so /usr/lib
105ln -sf ../../lib/libcom_err.so /usr/lib</command></screen>
106The <command>login</command> and <command>ksu</command> programs
107are linked against these libraries, therefore we move these libraries to
108<filename class="directory">/lib</filename> to allow logins without mounting <filename class="directory">/usr</filename>.</para>
109
110</sect2>
111
112<sect2>
113<title>Configuring <application><acronym>MIT</acronym> krb5</application></title>
114
115<sect3><title>Config files</title>
116<para><filename>/etc/krb5.conf</filename> and
117<filename>/var/lib/krb5kdc/kdc.conf</filename></para>
118</sect3>
119
120<sect3><title>Configuration Information</title>
121
122<sect4><title>Kerberos Configuration</title>
123
124<para>
125Create the Kerberos configuration file with the following command:
126</para>
127
128<screen><userinput><command>cat &gt; /etc/krb5.conf &lt;&lt; "EOF"</command>
129# Begin /etc/krb5.conf
130
131[libdefaults]
132 default_realm = <replaceable>[LFS.ORG]</replaceable>
133 encrypt = true
134
135[realms]
136 <replaceable>[LFS.ORG]</replaceable> = {
137 kdc = <replaceable>[belgarath.lfs.org]</replaceable>
138 admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
139 }
140
141[domain_realm]
142 .<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>
143
144[logging]
145 kdc = SYSLOG[:INFO[:AUTH]]
146 admin_server = SYSLOG[INFO[:AUTH]]
147 default = SYSLOG[[:SYS]]
148
149# End /etc/krb5.conf
150<command>EOF</command></userinput></screen>
151
152<para>
153You will need to substitute your domain and proper hostname for the
154occurances of the belgarath and lfs.org names.
155</para>
156
157<para>
158<userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS.
159This isn't required, but both Heimdal and <acronym>MIT</acronym>
160recommend it.
161</para>
162
163<para>
164<userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized
165clients and servers. It's not necessary and can be left off. If you
166leave it off, you can encrypt all traffic from the client to the server
167using a switch on the client program instead.
168</para>
169
170<para>
171The <userinput>[realms]</userinput> parameters tell the client programs where to look for the
172<acronym>KDC</acronym> authentication services.
173</para>
174
175<para>
176The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
177</para>
178
179<para>
180Create the <acronym>KDC</acronym> database:
181</para>
182
183<screen><userinput><command>kdb5_util create -r <replaceable>[LFS.ORG]</replaceable> -s </command></userinput></screen>
184
185<para>
186Now we need to populate the database with principles (users). For now,
187just use your regular login name or root.
188</para>
189
190<screen><userinput><command>kadmin.local</command></userinput>
191<prompt>kadmin:</prompt><userinput><command>addprinc <replaceable>[loginname]</replaceable></command></userinput></screen>
192
193<para>
194The <acronym>KDC</acronym> server and any machine running kerberized
195server daemons must have a host key installed:
196</para>
197
198<screen><prompt>kadmin:</prompt><userinput><command>addprinc --randkey host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
199
200<para>
201After choosing the defaults when prompted, you will have to export the
202data to a keytab file:
203</para>
204
205<screen><prompt>kadmin:</prompt><userinput><command>ktadd host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
206
207<para>
208This should have created a file in
209<filename class="directory">/etc</filename> named
210<filename>krb5.keytab</filename> (Kerberos 5). This file should have 600
211(root rw only) permissions. Keeping the keytab files from public access
212is crucial to the overall security of the Kerberos installation.
213</para>
214
215<para>
216Eventually, you'll want to add server daemon principles to the database
217and extract them to the keytab file. You do this in the same way you
218created the host principles. Below is an example:
219</para>
220
221<screen><prompt>kadmin:</prompt><userinput><command>addprinc --randkey ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput>
222<prompt>kadmin:</prompt><userinput><command>ktadd ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
223
224<para>
225Exit the <command>kadmin</command> program (use <command>quit</command>
226or <command>exit</command>) and return back to the shell prompt. Start
227the <acronym>KDC</acronym> daemon manually, just to test out the
228installation:
229</para>
230
231<screen><userinput><command>/usr/sbin/krb5kdc &amp;</command></userinput></screen>
232
233<para>
234Attempt to get a ticket with the following command:
235</para>
236
237<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
238
239<para>
240You will be prompted for the password you created. After you get your
241ticket, you can list it with the following command:
242</para>
243
244<screen><userinput><command>klist</command></userinput></screen>
245
246<para>
247Information about the ticket should be displayed on the screen.
248</para>
249
250<para>
251To test the functionality of the keytab file, issue the following
252command:
253</para>
254
255<screen><userinput><command>ktutil</command></userinput>
256<prompt>ktutil:</prompt><userinput><command>rkt /etc/krb5.keytab</command></userinput>
257<prompt>ktutil:</prompt><userinput><command>l</command></userinput></screen>
258
259<para>
260This should dump a list of the host principal, along with the encryption
261methods used to access the principal.
262</para>
263
264<para>
265At this point, if everything has been successful so far, you can feel
266fairly confident in the installation and configuration of the package.
267</para>
268
269<para>Install the <filename>/etc/rc.d/init.d/kerberos</filename> init script
270included in the <xref linkend="intro-important-bootscripts"/>
271package.</para>
272
273<screen><userinput><command>make install-kerberos</command></userinput></screen>
274
275</sect4>
276
277<sect4><title>Using Kerberized Client Programs</title>
278
279<para>
280To use the kerberized client programs (<command>telnet</command>,
281<command>ftp</command>, <command>rsh</command>,
282<command>rcp</command>, <command>rlogin</command>), you first must get
283an authentication ticket. Use the <command>kinit</command> program to
284get the ticket. After you've acquired the ticket, you can use the
285kerberized programs to connect to any kerberized server on the network.
286You will not be prompted for authentication until your ticket expires
287(default is one day), unless you specify a different user as a command
288line argument to the program.
289</para>
290
291<para>
292The kerberized programs will connect to non kerberized daemons, warning
293you that authentication is not encrypted.</para></sect4>
294
295
296<sect4><title>Using Kerberized Server Programs</title>
297
298<para>Using kerberized server programs (<command>telnetd</command>,
299<command>kpropd</command>,
300<command>klogind</command> and <command>kshd</command>) requires two additional configuration steps.
301First the <filename>/etc/services</filename> file must be updated to
302include eklogin and krb5_prop. Second, the
303<filename>inetd.conf</filename> or <filename>xinetd.conf</filename> must
304be modified for each server that will be activated, usually replacing
305the server from <application>inetutils</application>.</para></sect4>
306
307<sect4><title>Additional Information</title>
308<para>
309For additional information consult <ulink
310url="http://web.mit.edu/kerberos/www/krb5-1.3/#documentation">Documentation
311for krb-&mitkrb-version;</ulink> on which the above instructions are based.
312</para>
313
314</sect4>
315
316</sect3>
317
318</sect2>
319
320<sect2>
321<title>Contents</title>
322
323<para>The <application>MIT krb5</application> package contains
324<command>compile-et</command>,
325<command>ftp</command>,
326<command>ftpd</command>,
327<command>gss-client</command>,
328<command>gss-server</command>,
329<command>k5srvutil</command>,
330<command>kadmin</command>,
331<command>kadmin.local</command>,
332<command>kadmind</command>,
333<command>kadmind4</command>,
334<command>kdb5_util</command>
335<command>kdestroy</command>,
336<command>kinit</command>,
337<command>klist</command>,
338<command>klogind</command>,
339<command>kpasswd</command>,
340<command>kprop</command>,
341<command>kpropd</command>,
342<command>krb5-send-pr</command>,
343<command>krb5-config</command>,
344<command>krb524d</command>,
345<command>krb524init</command>,
346<command>krb5kdc</command>,
347<command>kshd</command>,
348<command>ksu</command>,
349<command>ktutil</command>,
350<command>kvno</command>,
351<command>login.krb5</command>,
352<command>rcp</command>,
353<command>rlogin</command>,
354<command>rsh</command>,
355<command>rshd</command>,
356<command>rxtelnet</command>,
357<command>rxterm</command>,
358<command>sclient</command>,
359<command>sim_client</command>,
360<command>sim_server</command>,
361<command>sserver</command>,
362<command>telnet</command>,
363<command>telnetd</command>,
364<command>uuclient</command>,
365<command>uuserver</command>,
366<command>v5passwd</command>,
367<command>v5passwdd</command>,
368<filename class="libraryfile">libcom_err</filename>,
369<filename class="libraryfile">libdes425</filename>,
370<filename class="libraryfile">libgssapi</filename>,
371<filename class="libraryfile">libgssrpc</filename>,
372<filename class="libraryfile">lib5crypto</filename>,
373<filename class="libraryfile">libkadm5clnt</filename>,
374<filename class="libraryfile">libkadm5srv</filename>,
375<filename class="libraryfile">libkdb5</filename>,
376<filename class="libraryfile">libkrb4</filename>,
377<filename class="libraryfile">libkrb5</filename>.</para>
378
379</sect2>
380
381<sect2><title>Description</title>
382
383<sect3><title>compile_et</title>
384<para><command>compile_et</command> converts the table listing
385error-code names into a <application>C</application> source file.</para></sect3>
386
387<sect3><title>k5srvutil</title>
388<para><command>k5srvutil</command> is a host keytable manipulation
389utility.</para></sect3>
390
391<sect3><title>kadmin</title>
392<para><command>kadmin</command> is an utility used to make modifications
393to the Kerberos database.</para></sect3>
394
395<sect3><title>kadmind</title>
396<para><command>kadmind</command> is a server for administrative access
397to Kerberos database.</para></sect3>
398
399<sect3><title>kinit</title>
400<para><command>kinit</command> is used to
401authenticate to the Kerberos server as principal and acquire a ticket
402granting ticket that can later be used to obtain tickets for other
403services.</para></sect3>
404
405<sect3><title>krb5kdc</title>
406<para><command>kdc</command> is a Kerberos 5 server.</para></sect3>
407
408<sect3><title>kdestroy</title>
409<para><command>kdestroy</command> removes the current set of
410tickets.</para></sect3>
411
412<sect3><title>kdb5_util</title>
413<para><command>kdb5_util</command> is the <acronym>KDC</acronym>
414database utility.</para></sect3>
415
416<sect3><title>klist</title>
417<para><command>klist</command> reads and displays the current tickets in
418the credential cache.</para></sect3>
419
420<sect3><title>klogind</title>
421<para><command>klogind</command> is the server that responds to rlogin
422requests.</para></sect3>
423
424<sect3><title>kpasswd</title>
425<para><command>kpasswd</command> is a program for changing Kerberos 5
426passwords.</para></sect3>
427
428<sect3><title>kprop</title>
429<para><command>kprop</command> takes a principal database in a specified
430format and converts it into a stream of database
431records.</para></sect3>
432
433<sect3><title>kpropd</title>
434<para><command>kpropd</command> receives a database sent by
435<command>hprop</command> and writes it as a local
436database.</para></sect3>
437
438<sect3><title>krb5-config</title>
439<para><command>krb5-config</command> gives information on how to link
440programs against libraries.</para></sect3>
441
442<sect3><title>ksu</title>
443<para><command>ksu</command> is the super user program using Kerberos
444protocol. Requires a properly configured
445<filename>/etc/shells</filename> and <filename>~/.k5login</filename>
446containing principals authorized to become super users.</para></sect3>
447
448<sect3><title>ktutil</title>
449<para><command>ktutil</command> is a program for managing Kerberos
450keytabs.</para></sect3>
451
452<sect3><title>kvno</title>
453<para><command>kvno</command> prints keyversion numbers of Kerberos
454principals.</para></sect3>
455
456
457</sect2>
458
459</sect1>
Note: See TracBrowser for help on using the repository browser.