- Timestamp: 07/01/2004 05:03:33 AM (20 years ago)
- Branches: 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children: e6f8f78
- Parents: e40cb61
- File: 1 edited
postlfs/security/heimdal.xml
re40cb61 r359e1043 19 19 <title>Introduction to <application>Heimdal</application></title> 20 20 21 <para> 21 <para><application>Heimdal</application> is a free implementation of Kerberos 22 22 5, that aims to be compatible with <acronym>MIT</acronym> krb5 and is backwards 23 23 compatible with krb4. Kerberos is a network authentication protocol. Basically … … 26 26 Kerberos to ensure that passwords cannot be stolen. A Kerberos installation 27 27 will make changes to the authentication mechanisms on your network and will 28 overwrite several programs and daemons from the Coreutils, Inetutils, Qpopper 29 and Shadow packages. </para> 28 overwrite several programs and daemons from the 29 <application>Coreutils</application>, <application>Inetutils</application>, 30 <application>Qpopper</application> and <application>Shadow</application> 31 packages.</para> 30 32 31 33 <sect3><title>Package information</title> … … 82 84 <para> 83 85 Before installing the package, you may want to preserve the 84 <command>ftp</command> program from the Inetutils package. This is 85 because using the Heimdal <command>ftp</command> program to connect to 86 non kerberized ftp servers may not work properly. It will allow you to 87 connect (letting you know that transmission of the password is clear 88 text) but will have problems doing puts and gets. 86 <command>ftp</command> program from the <application>Inetutils</application> 87 package. This is because using the <application>Heimdal</application> 88 <command>ftp</command> program to connect to non-kerberized ftp servers may 89 not work properly. It will allow you to connect (letting you know that 90 transmission of the password is clear text) but will have problems doing puts 91 and gets. 
89 92 </para> 90 93 … … 92 95 93 96 <para> 94 If you wish the Heimdal package to link against the cracklib library,95 you must apply a patch:97 If you wish the <application>Heimdal</application> package to link against the 98 <application>cracklib</application> library, you must apply a patch: 96 99 </para> 97 100 … … 126 129 <title>Command explanations</title> 127 130 128 <para><parameter>--libexecdir=/usr/sbin</parameter>: 129 This switch puts the daemon programs into <filename 130 class="directory">/usr/sbin</filename>. 131 <para><parameter>--libexecdir=/usr/sbin</parameter>: This switch puts the 132 daemon programs into <filename class="directory">/usr/sbin</filename>. 131 133 </para> 132 134 133 135 <note><para> 134 If you want to preserve all your existing Inetutils package daemons,135 install the Heimdal daemons into <filename 136 class="directory">/usr/sbin/heimdal</filename> (or wherever you want).136 If you want to preserve all your existing <application>Inetutils</application> 137 package daemons, install the <application>Heimdal</application> daemons into 138 <filename class="directory">/usr/sbin/heimdal</filename> (or wherever you want). 137 139 Since these programs will be called from <command>(x)inetd</command> or 138 < command>rc</command> scripts, it really doesn't matter where they live,139 as long as they are correctly specified in the140 <filename>/etc/(x)inetd.conf</filename> file and < command>rc</command>141 scripts. If you choose something other than <filename142 class="directory">/usr/sbin</filename>, you may want to move some of the 143 user programs (such as <command>kadmin</command>) to <filename 144 class="directory">/usr/sbin</filename> manually. 145 </para></note>140 <filename>rc</filename> scripts, it really doesn't matter where they are 141 installed, as long as they are correctly specified in the 142 <filename>/etc/(x)inetd.conf</filename> file and <filename>rc</filename> 143 scripts. 
If you choose something other than 144 <filename class="directory">/usr/sbin</filename>, you may want to move some of 145 the user programs (such as <command>kadmin</command>) to 146 <filename class="directory">/usr/sbin</filename> manually so they'll be in the 147 privileged user's default path.</para></note> 146 148 147 149 <para> … … 150 152 mv /usr/bin/{login,su} /bin 151 153 ln -sf ../../bin/login /usr/bin</command></screen> 152 The <command>login</command> and <command>su</command> programs 153 installed by Heimdal belong in the <filename 154 class="directory">/bin</filename> directory. The 155 <command>login</command> program is symlinked because Heimdal is expecting 156 to find it in <filename class="directory">/usr/bin</filename>. We 157 preserve the old executables before the move to keep things sane should 158 breaks occur. 154 155 The <command>login</command> and <command>su</command> programs installed by 156 <application>Heimdal</application> belong in the 157 <filename class="directory">/bin</filename> directory. The 158 <command>login</command> program is symlinked because 159 <application>Heimdal</application> is expecting to find it in 160 <filename class="directory">/usr/bin</filename>. The old executables are 161 preserved before the move to keep things sane should breaks occur. 159 162 </para> 160 163 … … 168 171 ln -sf ../../lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /usr/lib 169 172 ln -sf ../../lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /usr/lib</command></screen> 173 170 174 The <command>login</command> and <command>su</command> programs 171 installed by Heimdal link against Heimdal libraries as well as crypto 172 and db libraries. We move these libraries to <filename 173 class="directory">/lib</filename> to be <acronym>FHS</acronym> 174 compliant and in case when <filename 175 class="directory">/usr</filename> is located on a separate partition which 176 may not always be mounted. 
175 installed by <application>Heimdal</application> link against 176 <application>Heimdal</application> libraries as well as libraries provided by 177 the <application>OpenSSL</application>, <application>Berkeley DB</application> 178 and <application>E2fsprogs</application> packages. These libraries are moved 179 to <filename class="directory">/lib</filename> to be <acronym>FHS</acronym> 180 compliant and also in case <filename class="directory">/usr</filename> is 181 located on a separate partition which may not always be mounted. 177 182 </para> 178 183 … … 180 185 181 186 <sect2> 182 <title>Configuring Heimdal</title>187 <title>Configuring <application>Heimdal</application></title> 183 188 184 189 <sect3><title>Config files</title> … … 188 193 <sect3><title>Configuration Information</title> 189 194 190 <sect4><title>Master KDCServer Configuration</title>191 192 <para> 193 Create the Kerberos configuration file with the following command :195 <sect4><title>Master <acronym>KDC</acronym> Server Configuration</title> 196 197 <para> 198 Create the Kerberos configuration file with the following commands: 194 199 </para> 195 200 … … 199 204 200 205 [libdefaults] 201 default_realm = <replaceable>[ LFS.ORG]</replaceable>206 default_realm = <replaceable>[EXAMPLE.COM]</replaceable> 202 207 encrypt = true 203 208 204 209 [realms] 205 <replaceable>[ LFS.ORG]</replaceable> = {206 kdc = <replaceable>[ belgarath.lfs.org]</replaceable>207 admin_server = <replaceable>[ belgarath.lfs.org]</replaceable>208 kpasswd_server = <replaceable>[ belgarath.lfs.org]</replaceable>210 <replaceable>[EXAMPLE.COM]</replaceable> = { 211 kdc = <replaceable>[hostname.example.com]</replaceable> 212 admin_server = <replaceable>[hostname.example.com]</replaceable> 213 kpasswd_server = <replaceable>[hostname.example.com]</replaceable> 209 214 } 210 215 211 216 [domain_realm] 212 .<replaceable>[ lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>217 .<replaceable>[example.com]</replaceable> = 
<replaceable>[EXAMPLE.COM]</replaceable> 213 218 214 219 [logging] … … 221 226 222 227 <para> 223 You will need to substitute your domain and proper hostname for the 224 occurances of the belgarath and lfs.org names. 225 </para> 226 227 <para> 228 <userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS. 229 This isn't required, but both Heimdal and <acronym>MIT</acronym> 230 recommend it. 231 </para> 232 233 <para> 234 <userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized 235 clients and servers. It's not necessary and can be left off. If you 236 leave it off, you can encrypt all traffic from the client to the server 237 using a switch on the client program instead. 238 </para> 239 240 <para> 241 The <userinput>[realms]</userinput> parameters tell the client programs where to look for the 242 <acronym>KDC</acronym> authentication services. 228 You will need to substitute your domain and proper hostname for the 229 occurrences of the <replaceable>[hostname]</replaceable> and 230 <replaceable>[EXAMPLE.COM]</replaceable> names. 231 </para> 232 233 <para> 234 <userinput>default_realm</userinput> should be the name of your domain changed 235 to ALL CAPS. This isn't required, but both <application>Heimdal</application> 236 and <application><acronym>MIT</acronym> krb5</application> recommend it. 237 </para> 238 239 <para> 240 <userinput>encrypt = true</userinput> provides encryption of all traffic 241 between kerberized clients and servers. It's not necessary and can be left 242 off. If you leave it off, you can encrypt all traffic from the client to the 243 server using a switch on the client program instead. 244 </para> 245 246 <para> 247 The <userinput>[realms]</userinput> parameters tell the client programs where 248 to look for the <acronym>KDC</acronym> authentication services. 
243 249 </para> 244 250 … … 266 272 </para> 267 273 268 <screen><userinput><command>init <replaceable>[LFS.ORG]</replaceable></command></userinput></screen> 269 270 <para> 271 Now we need to populate the database with principles (users). For now, 272 just use your regular login name or root. 274 <screen><userinput><command>init <replaceable>[EXAMPLE.COM]</replaceable></command></userinput></screen> 275 276 <para> 277 The database must now be populated with at least one principle (user). For now, 278 just use your regular login name or root. You may create as few, or as many 279 principles as you wish using the following statement: 273 280 </para> 274 281 … … 280 287 </para> 281 288 282 <screen><userinput><command>add --random-key host/<replaceable>[ belgarath.lfs.org]</replaceable></command></userinput></screen>289 <screen><userinput><command>add --random-key host/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen> 283 290 284 291 <para> … … 287 294 </para> 288 295 289 <screen><userinput><command>ext host/<replaceable>[ belgarath.lfs.org]</replaceable></command></userinput></screen>296 <screen><userinput><command>ext host/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen> 290 297 291 298 <para> 292 299 This should have created two files in 293 <filename class="directory">/etc/heimdal</filename> ;300 <filename class="directory">/etc/heimdal</filename>: 294 301 <filename>krb5.keytab</filename> (Kerberos 5) and 295 302 <filename>srvtab</filename> (Kerberos 4). 
Both files should have 600 … … 304 311 </para> 305 312 306 <screen><userinput><command>add --random-key ftp/<replaceable>[ belgarath.lfs.org]</replaceable></command></userinput></screen>313 <screen><userinput><command>add --random-key ftp/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen> 307 314 308 315 <para> … … 310 317 </para> 311 318 312 <screen><userinput><command>ext ftp/<replaceable>[ belgarath.lfs.org]</replaceable></command></userinput></screen>319 <screen><userinput><command>ext ftp/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen> 313 320 314 321 <para> … … 340 347 341 348 <para> 342 To test the functionality of the keytab file, issue the following 343 command: 349 To test the functionality of the keytab file, issue the following command: 344 350 </para> 345 351 … … 358 364 <para>Install the <filename>/etc/rc.d/init.d/heimdal</filename> init script 359 365 included in the <xref linkend="intro-important-bootscripts"/> 360 package .</para>366 package:</para> 361 367 362 368 <screen><userinput><command>make install-heimdal</command></userinput></screen> … … 380 386 381 387 <para> 382 The kerberized programs will connect to non 388 The kerberized programs will connect to non-kerberized daemons, warning 383 389 you that authentication is not encrypted. As mentioned earlier, only the 384 <command>ftp</command> program gives any trouble connecting to non 385 kerberized daemons. 386 </para> 390 <command>ftp</command> program gives any trouble connecting to 391 non-kerberized daemons. 392 </para> 393 394 <para>In order to use the <application>Heimdal</application> 395 <application>X</application> programs, you'll need to add a service port 396 entry to the <filename>/etc/services</filename> file for the 397 <command>kxd</command> server. There is no 'standardized port number' for 398 the 'kx' service in the IANA database, so you'll have to pick an unused port 399 number. 
Add an entry to the <filename>services</filename> file similar to the 400 entry below (substitute your chosen port number for 401 <replaceable>[49150]</replaceable>):</para> 402 403 <screen><userinput>kx <replaceable>[49150]</replaceable>/tcp # Heimdal kerberos X 404 kx <replaceable>[49150]</replaceable>/udp # Heimdal kerberos X</userinput></screen> 387 405 388 406 <para> … … 461 479 <filename class="libraryfile">libsl</filename> and 462 480 <filename class="libraryfile">libss</filename>. 463 464 481 </para> 465 482 … … 469 486 470 487 <sect3><title>afslog</title> 471 <para><command>afslog</command> obtains AFS tokens for a number of472 cells.</para></sect3>488 <para><command>afslog</command> obtains <acronym>AFS</acronym> tokens for a 489 number of cells.</para></sect3> 473 490 474 491 <sect3><title>hprop</title> 475 492 <para><command>hprop</command> takes a principal database in a specified 476 format and converts it into a stream of Heimdal database477 records.</para></sect3>493 format and converts it into a stream of <application>Heimdal</application> 494 database records.</para></sect3> 478 495 479 496 <sect3><title>hpropd</title> 480 497 <para><command>hpropd</command> receives a database sent by 481 <command>hprop</command> and writes it as a local 482 database.</para></sect3> 498 <command>hprop</command> and writes it as a local database.</para></sect3> 483 499 484 500 <sect3><title>kadmin</title> 485 <para><command>kadmin</command> is a nutility used to make modifications501 <para><command>kadmin</command> is a utility used to make modifications 486 502 to the Kerberos database.</para></sect3> 487 503 488 504 <sect3><title>kadmind</title> 489 505 <para><command>kadmind</command> is a server for administrative access 490 to Kerberos database.</para></sect3>506 to the Kerberos database.</para></sect3> 491 507 492 508 <sect3><title>kauth, kinit</title> 493 509 <para><command>kauth</command> and <command>kinit</command> are used to 494 authenticate to the 
Kerberos server as principal and acquire a ticket510 authenticate to the Kerberos server as a principal and acquire a ticket 495 511 granting ticket that can later be used to obtain tickets for other 496 512 services.</para></sect3> … … 500 516 501 517 <sect3><title>kdestroy</title> 502 <para><command>kdestroy</command> removes thecurrent set of518 <para><command>kdestroy</command> removes a principle's current set of 503 519 tickets.</para></sect3> 504 520 … … 529 545 <sect3><title>krb5-config</title> 530 546 <para><command>krb5-config</command> gives information on how to link 531 programs against Heimdallibraries.</para></sect3>547 programs against <application>Heimdal</application> libraries.</para></sect3> 532 548 533 549 <sect3><title>kstash</title> … … 540 556 541 557 <sect3><title>kx</title> 542 <para><command>kx</command> is a program which securely forwards X543 connections.</para></sect3>558 <para><command>kx</command> is a program which securely forwards 559 <application>X</application> connections.</para></sect3> 544 560 545 561 <sect3><title>kxd</title> … … 555 571 556 572 <sect3><title>rxtelnet</title> 557 <para><command>rxtelnet</command> program starts an558 <command>xterm</command> window with a telnet togiven host and forwards559 Xconnections.</para></sect3>573 <para><command>rxtelnet</command> starts an <command>xterm</command> 574 window with a telnet to a given host and forwards 575 <application>X</application> connections.</para></sect3> 560 576 561 577 <sect3><title>rxterm</title> … … 568 584 569 585 <sect3><title>tenletxr</title> 570 <para><command>tenletxr</command> forwards X connections571 backwards.</para></sect3>586 <para><command>tenletxr</command> forwards <application>X</application> 587 connections backwards.</para></sect3> 572 588 573 589 <sect3><title>verify_krb5_conf</title> … … 577 593 <sect3><title>xnlock</title> 578 594 <para><command>xnlock</command> is a program that acts as a secure screen 579 saver for workstations 
running X.</para></sect3>595 saver for workstations running <application>X</application>.</para></sect3> 580 596 581 597 </sect2>
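Review bot: the rewritten database-population paragraph ("populated with at least one principle (user)", "as few, or as many principles as you wish") and the new kdestroy description ("removes a principle's current set of tickets") use "principle" where the Kerberos term is "principal"; the unchanged hprop and kinit entries in the same file already say "principal database" and "as a principal", so the new text should match. Suggest "populated with at least one principal (user)", "as few or as many principals as you wish" (dropping the stray comma) and "removes a principal's current set of tickets".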
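Review bot: the substitution instruction after the krb5.conf listing now tells the reader to replace "[hostname]" and "[EXAMPLE.COM]", but neither form appears on its own in the listing, which uses "[hostname.example.com]" three times in [realms] and the lower-case "[example.com]" in the [domain_realm] mapping. A reader who follows the sentence literally leaves the domain_realm line untouched, and that is the line that maps a host's DNS domain onto the realm. Suggest wording such as "substitute your own domain and hostname for every occurrence of example.com, EXAMPLE.COM and hostname.example.com, keeping the upper-case spelling for the realm name".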
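Review bot: the rewrapped "encrypt = true" paragraph still describes the setting as "not necessary" and something that "can be left off", which undersells what the same paragraph says it does: it is what encrypts the traffic between kerberized clients and servers, so without it every session runs in clear text unless each user remembers the per-program switch. Since the hunk already rewords this paragraph, suggest stating plainly that omitting the line gives authentication without session encryption, and recommending that it be kept rather than presenting it as optional.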
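Review bot: the new /etc/services instruction says to "pick an unused port number" with 49150 as the example, but gives the reader no way to confirm the number is free and does not say that the same entry must exist on both ends of a kx connection. Suggest adding "check that the number does not already appear in /etc/services, and add the identical kx entry on every host that runs kx or kxd". Also note that 49150 sits inside the IANA registered range (1024-49151); numbers from 49152 upward are the dynamic/private range intended for locally defined services, so a value from that range would be a better example.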
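Review bot: the library-relocation paragraph now names the OpenSSL, Berkeley DB and E2fsprogs packages as the source of the extra libraries, but the unchanged ln commands above it still hard-code crypto.so.0.9.7, db-4.1.so and roken.so.16.0.3. Since the prose was touched anyway, suggest a sentence saying that these file names track the installed versions of those packages and must be adjusted when a different version is present, otherwise login and su end up linked against libraries that are not in /lib.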