Context Navigation

mitkrb-config.xml@ f08629c8

Visit:

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 6.0 6.1 6.2 6.2.0 6.2.0-rc1 6.2.0-rc2 6.3 6.3-rc1 6.3-rc2 6.3-rc3 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts krejzi/svn lazarus lxqt nosym perl-modules plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition systemd-11177 systemd-13485 trunk upgradedb v5_1 v5_1-pre1 xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since f08629c8 was 1dce143, checked in by Larry Lawrence <larry@…>, 20 years ago

added MIT Kerberos 5

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2092 af4574ff-66df-0310-9fd7-8a98e5e911e0

Property mode set to 100644

File size: 8.3 KB

Rev	Line
[1dce143]	1	<sect2>
	2	<title>Configuring Heimdal</title>
	3
	4	<sect3><title>Config files</title>
	5	<para><filename>/etc/krb5.conf</filename> and
	6	<filename>/var/lib/krb5kdc/kdc.conf</filename></para>
	7	</sect3>
	8
	9	<sect3><title>Configuration Information</title>
	10
	11	<sect4><title>Kerberos Configuration</title>
	12
	13	<para>
	14	Create the Kerberos configuration file with the following command:
	15	</para>
	16
	17	<screen><userinput><command>cat > /etc/krb5.conf << "EOF"</command>
	18	# Begin /etc/heimdal/krb5.conf
	19
	20	[libdefaults]
	21	default_realm = <replaceable>[LFS.ORG]</replaceable>
	22	encrypt = true
	23
	24	[realms]
	25	<replaceable>[LFS.ORG]</replaceable> = {
	26	kdc = <replaceable>[belgarath.lfs.org]</replaceable>
	27	admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
	28	}
	29
	30	[domain_realm]
	31	.<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>
	32
	33	[logging]
	34	kdc = SYSLOG[:INFO[:AUTH]]
	35	admin_server = SYSLOG[INFO[:AUTH]]
	36	default = SYSLOG[[:SYS]]
	37
	38	# End /etc/heimdal/krb5.conf
	39	<command>EOF</command></userinput></screen>
	40
	41	<para>
	42	You will need to substitute your domain and proper hostname for the
	43	occurances of the belgarath and lfs.org names.
	44	</para>
	45
	46	<para>
	47	<userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS.
	48	This isn't required, but both Heimdal and <acronym>MIT</acronym>
	49	recommend it.
	50	</para>
	51
	52	<para>
	53	<userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized
	54	clients and servers. It's not necessary and can be left off. If you
	55	leave it off, you can encrypt all traffic from the client to the server
	56	using a switch on the client program instead.
	57	</para>
	58
	59	<para>
	60	The <userinput>[realms]</userinput> parameters tell the client programs where to look for the
	61	<acronym>KDC</acronym> authentication services.
	62	</para>
	63
	64	<para>
	65	The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
	66	</para>
	67
	68	<para>
	69	Create the <acronym>KDC</acronym> database:
	70	</para>
	71
	72	<screen><userinput><command>kdb5_util create -r <replaceable>[LFS.ORG]</replaceable> -s </command></userinput></screen>
	73
	74	<para>
	75	Now we need to populate the database with principles (users). For now,
	76	just use your regular login name or root.
	77	</para>
	78
	79	<screen><userinput><command>kadmin.local</command></userinput>
	80	<prompt>kadmin:</prompt><userinput><command>addprinc <replaceable>[loginname]</replaceable></command></userinput></screen>
	81
	82	<para>
	83	The <acronym>KDC</acronym> server and any machine running kerberized
	84	server daemons must have a host key installed:
	85	</para>
	86
	87	<screen><prompt>kadmin:</prompt><userinput><command>addprinc --random-key host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
	88
	89	<para>
	90	After choosing the defaults when prompted, you will have to export the
	91	data to a keytab file:
	92	</para>
	93
	94	<screen><prompt>kadmin:</prompt><userinput><command>ktadd host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
	95
	96	<para>
	97	This should have created a file in
	98	<filename class="directory">/etc</filename> named
	99	<filename>krb5.keytab</filename> (Kerberos 5). This file should have 600
	100	(root rw only) permissions. Keeping the keytab files from public access
	101	is crucial to the overall security of the Kerberos installation.
	102	</para>
	103
	104	<para>
	105	Eventually, you'll want to add server daemon principles to the database
	106	and extract them to the keytab file. You do this in the same way you
	107	created the host principles. Below is an example:
	108	</para>
	109
	110	<screen><prompt>kadmin:</prompt><userinput><command>add --random-key ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput>
	111	<prompt>kadmin:</prompt><userinput><command>ktadd ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
	112
	113	<para>
	114	Exit the <command>kadmin</command> program (use <command>quit</command>
	115	or <command>exit</command>) and return back to the shell prompt. Start
	116	the <acronym>KDC</acronym> daemon manually, just to test out the
	117	installation:
	118	</para>
	119
	120	<screen><userinput><command>/usr/sbin/krb5kdc &</command></userinput></screen>
	121
	122	<para>
	123	Attempt to get a ticket with the following command:
	124	</para>
	125
	126	<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
	127
	128	<para>
	129	You will be prompted for the password you created. After you get your
	130	ticket, you can list it with the following command:
	131	</para>
	132
	133	<screen><userinput><command>klist</command></userinput></screen>
	134
	135	<para>
	136	Information about the ticket should be displayed on the screen.
	137	</para>
	138
	139	<para>
	140	To test the functionality of the keytab file, issue the following
	141	command:
	142	</para>
	143
	144	<screen><userinput><command>ktutil</command></userinput>
	145	<prompt>ktutil:</prompt><userinput>rkt /etc/krb5.keytab</userinput>
	146	<prompt>ktutil:</prompt><userinput>l</userinput></screen>
	147
	148	<para>
	149	This should dump a list of the host principal, along with the encryption
	150	methods used to access the principal.
	151	</para>
	152
	153	<para>
	154	At this point, if everything has been successful so far, you can feel
	155	fairly confident in the installation and configuration of the package.
	156	</para>
	157
	158	<!---
	159	<para>Install <filename>/etc/rc.d/init.d/kerberos</filename> init script
	160	included in the <xref linkend="intro-important-bootscripts"/>
	161	package.</para>
	162
	163	<screen><userinput><command>make install-heimdal</command></userinput></screen>
	164	-->
	165
	166	<para>
	167	To automate the running of Kerberos server, use the following command to create
	168	the init.d script:
	169	</para>
	170
	171	<screen><userinput><command>cat >etc/rc.d/init.d/kerberos << "EOF"</command>
	172	#!/bin/sh
	173	# Begin $rc_base/init.d/kerberos
	174
	175	# Based on sysklogd script from LFS-3.1 and earlier.
	176	# Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org
	177
	178	. /etc/sysconfig/rc
	179	. $rc_functions
	180
	181	case "$1" in
	182	start)
	183	echo "Starting Kerberos Authentication..."
	184	loadproc krb5kdc
	185	echo "Starting Kerberos Admin Daemon..."
	186	loadproc kadmind
	187	;;
	188
	189	stop)
	190	echo "Stopping Kerberos Authentication..."
	191	killproc krb5kdc
	192	echo "Stopping Kerberos Admin Daemon..."
	193	killproc kadmind
	194	;;
	195
	196	reload)
	197	echo "Reloading Kerberos Authentication..."
	198	reloadproc krb5kdc
	199	echo "Reloading Kerberos Admin Daemon..."
	200	reloadproc kadmind
	201	;;
	202
	203	restart)
	204	$0 stop
	205	sleep 1
	206	$0 start
	207	;;
	208
	209	status)
	210	statusproc
	211	;;
	212
	213	*)
	214	echo "Usage: $0 {start\|stop\|reload\|restart\|status}"
	215	exit 1
	216	;;
	217	esac
	218
	219	# End $rc_base/init.d/kerberos
	220	<command>EOF
	221	chmod 754 /etc/rc.d/init.d/kerberos</command></userinput></screen>
	222
	223	<para>
	224	Create the symbolic links to this file in the relevant <filename
	225	class="directory">rc.d</filename> directory with the following commands:
	226	</para>
	227
	228	<screen><userinput><command>cd /etc/rc.d/init.d &&
	229	ln -sf ../init.d/kerberos ../rc0.d/K42kerberos &&
	230	ln -sf ../init.d/kerberos ../rc1.d/K42kerberos &&
	231	ln -sf ../init.d/kerberos ../rc2.d/K42kerberos &&
	232	ln -sf ../init.d/kerberos ../rc3.d/S28kerberos &&
	233	ln -sf ../init.d/kerberos ../rc4.d/S28kerberos &&
	234	ln -sf ../init.d/kerberos ../rc5.d/S28kerberos &&
	235	ln -sf ../init.d/kerberos ../rc6.d/K42kerberos</command></userinput></screen>
	236
	237	</sect4>
	238
	239	<sect4><title>Using Kerberized Client Programs</title>
	240
	241	<para>
	242	To use the kerberized client programs (<command>telnet</command>,
	243	<command>ftp</command>, <command>rsh</command>,
	244	<command>rcp</command>, <command>rlogin</command>), you first must get
	245	an authentication ticket. Use the <command>kinit</command> program to
	246	get the ticket. After you've acquired the ticket, you can use the
	247	kerberized programs to connect to any kerberized server on the network.
	248	You will not be prompted for authentication until your ticket expires
	249	(default is one day), unless you specify a different user as a command
	250	line argument to the program.
	251	</para>
	252
	253	<para>
	254	The kerberized programs will connect to non kerberized daemons, warning
	255	you that authentication is not encrypted.</para>
	256
	257	<para>
	258	For additional information consult <ulink
	259	url="http://web.mit.edu/kerberos/www/krb5-1.3/#documentation">Documentation
	260	for krb-&mitkrb-version;</ulink> on which the above instructions are based.
	261	</para>
	262
	263	</sect4>
	264
	265	</sect3>
	266
	267	</sect2>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/mitkrb/mitkrb-config.xml@ f08629c8

Download in other formats: