[1dce143] | 1 | <sect2>
|
---|
[d8def3f] | 2 | <title>Configuring <application><acronym>MIT</acronym> krb5</application></title>
|
---|
[1dce143] | 3 |
|
---|
| 4 | <sect3><title>Config files</title>
|
---|
| 5 | <para><filename>/etc/krb5.conf</filename> and
|
---|
| 6 | <filename>/var/lib/krb5kdc/kdc.conf</filename></para>
|
---|
| 7 | </sect3>
|
---|
| 8 |
|
---|
| 9 | <sect3><title>Configuration Information</title>
|
---|
| 10 |
|
---|
| 11 | <sect4><title>Kerberos Configuration</title>
|
---|
| 12 |
|
---|
| 13 | <para>
|
---|
| 14 | Create the Kerberos configuration file with the following command:
|
---|
| 15 | </para>
|
---|
| 16 |
|
---|
| 17 | <screen><userinput><command>cat > /etc/krb5.conf << "EOF"</command>
|
---|
[b63aae5] | 18 | # Begin /etc/krb5.conf
|
---|
[1dce143] | 19 |
|
---|
| 20 | [libdefaults]
|
---|
| 21 | default_realm = <replaceable>[LFS.ORG]</replaceable>
|
---|
| 22 | encrypt = true
|
---|
| 23 |
|
---|
| 24 | [realms]
|
---|
| 25 | <replaceable>[LFS.ORG]</replaceable> = {
|
---|
| 26 | kdc = <replaceable>[belgarath.lfs.org]</replaceable>
|
---|
| 27 | admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
|
---|
| 28 | }
|
---|
| 29 |
|
---|
| 30 | [domain_realm]
|
---|
| 31 | .<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>
|
---|
| 32 |
|
---|
| 33 | [logging]
|
---|
| 34 | kdc = SYSLOG[:INFO[:AUTH]]
|
---|
| 35 | admin_server = SYSLOG[INFO[:AUTH]]
|
---|
| 36 | default = SYSLOG[[:SYS]]
|
---|
| 37 |
|
---|
[b63aae5] | 38 | # End /etc/krb5.conf
|
---|
[1dce143] | 39 | <command>EOF</command></userinput></screen>
|
---|
| 40 |
|
---|
| 41 | <para>
|
---|
| 42 | You will need to substitute your domain and proper hostname for the
|
---|
| 43 | occurances of the belgarath and lfs.org names.
|
---|
| 44 | </para>
|
---|
| 45 |
|
---|
| 46 | <para>
|
---|
| 47 | <userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS.
|
---|
| 48 | This isn't required, but both Heimdal and <acronym>MIT</acronym>
|
---|
| 49 | recommend it.
|
---|
| 50 | </para>
|
---|
| 51 |
|
---|
| 52 | <para>
|
---|
| 53 | <userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized
|
---|
| 54 | clients and servers. It's not necessary and can be left off. If you
|
---|
| 55 | leave it off, you can encrypt all traffic from the client to the server
|
---|
| 56 | using a switch on the client program instead.
|
---|
| 57 | </para>
|
---|
| 58 |
|
---|
| 59 | <para>
|
---|
| 60 | The <userinput>[realms]</userinput> parameters tell the client programs where to look for the
|
---|
| 61 | <acronym>KDC</acronym> authentication services.
|
---|
| 62 | </para>
|
---|
| 63 |
|
---|
| 64 | <para>
|
---|
| 65 | The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
|
---|
| 66 | </para>
|
---|
| 67 |
|
---|
| 68 | <para>
|
---|
| 69 | Create the <acronym>KDC</acronym> database:
|
---|
| 70 | </para>
|
---|
| 71 |
|
---|
| 72 | <screen><userinput><command>kdb5_util create -r <replaceable>[LFS.ORG]</replaceable> -s </command></userinput></screen>
|
---|
| 73 |
|
---|
| 74 | <para>
|
---|
| 75 | Now we need to populate the database with principles (users). For now,
|
---|
| 76 | just use your regular login name or root.
|
---|
| 77 | </para>
|
---|
| 78 |
|
---|
| 79 | <screen><userinput><command>kadmin.local</command></userinput>
|
---|
| 80 | <prompt>kadmin:</prompt><userinput><command>addprinc <replaceable>[loginname]</replaceable></command></userinput></screen>
|
---|
| 81 |
|
---|
| 82 | <para>
|
---|
| 83 | The <acronym>KDC</acronym> server and any machine running kerberized
|
---|
| 84 | server daemons must have a host key installed:
|
---|
| 85 | </para>
|
---|
| 86 |
|
---|
[b63aae5] | 87 | <screen><prompt>kadmin:</prompt><userinput><command>addprinc --randkey host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
|
---|
[1dce143] | 88 |
|
---|
| 89 | <para>
|
---|
| 90 | After choosing the defaults when prompted, you will have to export the
|
---|
| 91 | data to a keytab file:
|
---|
| 92 | </para>
|
---|
| 93 |
|
---|
| 94 | <screen><prompt>kadmin:</prompt><userinput><command>ktadd host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
|
---|
| 95 |
|
---|
| 96 | <para>
|
---|
| 97 | This should have created a file in
|
---|
| 98 | <filename class="directory">/etc</filename> named
|
---|
| 99 | <filename>krb5.keytab</filename> (Kerberos 5). This file should have 600
|
---|
| 100 | (root rw only) permissions. Keeping the keytab files from public access
|
---|
| 101 | is crucial to the overall security of the Kerberos installation.
|
---|
| 102 | </para>
|
---|
| 103 |
|
---|
| 104 | <para>
|
---|
| 105 | Eventually, you'll want to add server daemon principles to the database
|
---|
| 106 | and extract them to the keytab file. You do this in the same way you
|
---|
| 107 | created the host principles. Below is an example:
|
---|
| 108 | </para>
|
---|
| 109 |
|
---|
[b63aae5] | 110 | <screen><prompt>kadmin:</prompt><userinput><command>addprinc --randkey ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput>
|
---|
[1dce143] | 111 | <prompt>kadmin:</prompt><userinput><command>ktadd ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
|
---|
| 112 |
|
---|
| 113 | <para>
|
---|
| 114 | Exit the <command>kadmin</command> program (use <command>quit</command>
|
---|
| 115 | or <command>exit</command>) and return back to the shell prompt. Start
|
---|
| 116 | the <acronym>KDC</acronym> daemon manually, just to test out the
|
---|
| 117 | installation:
|
---|
| 118 | </para>
|
---|
| 119 |
|
---|
| 120 | <screen><userinput><command>/usr/sbin/krb5kdc &</command></userinput></screen>
|
---|
| 121 |
|
---|
| 122 | <para>
|
---|
| 123 | Attempt to get a ticket with the following command:
|
---|
| 124 | </para>
|
---|
| 125 |
|
---|
| 126 | <screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
|
---|
| 127 |
|
---|
| 128 | <para>
|
---|
| 129 | You will be prompted for the password you created. After you get your
|
---|
| 130 | ticket, you can list it with the following command:
|
---|
| 131 | </para>
|
---|
| 132 |
|
---|
| 133 | <screen><userinput><command>klist</command></userinput></screen>
|
---|
| 134 |
|
---|
| 135 | <para>
|
---|
| 136 | Information about the ticket should be displayed on the screen.
|
---|
| 137 | </para>
|
---|
| 138 |
|
---|
| 139 | <para>
|
---|
| 140 | To test the functionality of the keytab file, issue the following
|
---|
| 141 | command:
|
---|
| 142 | </para>
|
---|
| 143 |
|
---|
| 144 | <screen><userinput><command>ktutil</command></userinput>
|
---|
[dc49cc8] | 145 | <prompt>ktutil:</prompt><userinput><command>rkt /etc/krb5.keytab</command></userinput>
|
---|
| 146 | <prompt>ktutil:</prompt><userinput><command>l</command></userinput></screen>
|
---|
[1dce143] | 147 |
|
---|
| 148 | <para>
|
---|
| 149 | This should dump a list of the host principal, along with the encryption
|
---|
| 150 | methods used to access the principal.
|
---|
| 151 | </para>
|
---|
| 152 |
|
---|
| 153 | <para>
|
---|
| 154 | At this point, if everything has been successful so far, you can feel
|
---|
| 155 | fairly confident in the installation and configuration of the package.
|
---|
| 156 | </para>
|
---|
| 157 |
|
---|
[add4a24] | 158 | <para>Install the <filename>/etc/rc.d/init.d/kerberos</filename> init script
|
---|
[1dce143] | 159 | included in the <xref linkend="intro-important-bootscripts"/>
|
---|
| 160 | package.</para>
|
---|
| 161 |
|
---|
[ccca0bd] | 162 | <screen><userinput><command>make install-kerberos</command></userinput></screen>
|
---|
[1dce143] | 163 |
|
---|
| 164 | </sect4>
|
---|
| 165 |
|
---|
| 166 | <sect4><title>Using Kerberized Client Programs</title>
|
---|
| 167 |
|
---|
| 168 | <para>
|
---|
| 169 | To use the kerberized client programs (<command>telnet</command>,
|
---|
| 170 | <command>ftp</command>, <command>rsh</command>,
|
---|
| 171 | <command>rcp</command>, <command>rlogin</command>), you first must get
|
---|
| 172 | an authentication ticket. Use the <command>kinit</command> program to
|
---|
| 173 | get the ticket. After you've acquired the ticket, you can use the
|
---|
| 174 | kerberized programs to connect to any kerberized server on the network.
|
---|
| 175 | You will not be prompted for authentication until your ticket expires
|
---|
| 176 | (default is one day), unless you specify a different user as a command
|
---|
| 177 | line argument to the program.
|
---|
| 178 | </para>
|
---|
| 179 |
|
---|
| 180 | <para>
|
---|
| 181 | The kerberized programs will connect to non kerberized daemons, warning
|
---|
[d8def3f] | 182 | you that authentication is not encrypted.</para></sect4>
|
---|
[1dce143] | 183 |
|
---|
[d8def3f] | 184 |
|
---|
| 185 | <sect4><title>Using Kerberized Server Programs</title>
|
---|
| 186 |
|
---|
| 187 | <para>Using kerberized server programs (<command>telnetd</command>,
|
---|
| 188 | <command>kpropd</command>,
|
---|
| 189 | <command>klogind</command> and <command>kshd</command>) requires two additional configuration steps.
|
---|
| 190 | First the <filename>/etc/services</filename> file must be updated to
|
---|
| 191 | include eklogin and krb5_prop. Second, the
|
---|
| 192 | <filename>inetd.conf</filename> or <filename>xinetd.conf</filename> must
|
---|
| 193 | be modified for each server that will be activated, usually replacing
|
---|
| 194 | the server from <application>inetutils</application>.</para></sect4>
|
---|
| 195 |
|
---|
| 196 | <sect4><title>Additional Information</title>
|
---|
[1dce143] | 197 | <para>
|
---|
| 198 | For additional information consult <ulink
|
---|
| 199 | url="http://web.mit.edu/kerberos/www/krb5-1.3/#documentation">Documentation
|
---|
| 200 | for krb-&mitkrb-version;</ulink> on which the above instructions are based.
|
---|
| 201 | </para>
|
---|
| 202 |
|
---|
| 203 | </sect4>
|
---|
| 204 |
|
---|
| 205 | </sect3>
|
---|
| 206 |
|
---|
| 207 | </sect2>
|
---|