Context Navigation

-              re40cb61
+              r359e1043
 <title>Introduction to <application>Heimdal</application></title>
 <para> <application>Heimdal</application> is a free implementation of Kerberos
+<para><application>Heimdal</application> is a free implementation of Kerberos
 , that aims to be compatible with <acronym>MIT</acronym> krb5 and is backwards
 compatible with krb4. Kerberos is a network authentication protocol. Basically
 …
 Kerberos to ensure that passwords cannot be stolen. A Kerberos installation
 will make changes to the authentication mechanisms on your network and will
+overwrite several programs and daemons from the Coreutils, Inetutils, Qpopper
+and Shadow packages.  </para>
+overwrite several programs and daemons from the
+<application>Coreutils</application>, <application>Inetutils</application>,
+<application>Qpopper</application> and <application>Shadow</application>
+packages.</para>
 <sect3><title>Package information</title>
 …
 <para>
 Before installing the package, you may want to preserve the
+<command>ftp</command> program from the Inetutils package. This is
+because using the Heimdal <command>ftp</command> program to connect to
+non kerberized ftp servers may not work properly. It will allow you to
+connect (letting you know that transmission of the password is clear
+text) but will have problems doing puts and gets.
+<command>ftp</command> program from the <application>Inetutils</application>
+package. This is because using the <application>Heimdal</application>
+<command>ftp</command> program to connect to non-kerberized ftp servers may
+not work properly. It will allow you to connect (letting you know that
+transmission of the password is clear text) but will have problems doing puts
+and gets.
 </para>
 …
 <para>
 If you wish the Heimdal package to link against the cracklib library,
 you must apply a patch:
+If you wish the <application>Heimdal</application> package to link against the
+<application>cracklib</application> library, you must apply a patch:
 </para>
 …
 <title>Command explanations</title>
+<para><parameter>--libexecdir=/usr/sbin</parameter>:
+This switch puts the daemon programs into <filename
+class="directory">/usr/sbin</filename>.
+<para><parameter>--libexecdir=/usr/sbin</parameter>: This switch puts the
+daemon programs into <filename class="directory">/usr/sbin</filename>.
 </para>
 <note><para>
 If you want to preserve all your existing Inetutils package daemons,
+install the Heimdal daemons into <filename
 class="directory">/usr/sbin/heimdal</filename> (or wherever you want).
+If you want to preserve all your existing <application>Inetutils</application>
+package daemons, install the <application>Heimdal</application> daemons into
+<filename class="directory">/usr/sbin/heimdal</filename> (or wherever you want).
 Since these programs will be called from <command>(x)inetd</command> or
 <command>rc</command> scripts, it really doesn't matter where they live,
 as long as they are correctly specified in the
 <filename>/etc/(x)inetd.conf</filename> file and <command>rc</command>
 scripts. If you choose something other than <filename
+class="directory">/usr/sbin</filename>, you may want to move some of the
+user programs (such as <command>kadmin</command>) to <filename
+class="directory">/usr/sbin</filename> manually.
 </para></note>
+<filename>rc</filename> scripts, it really doesn't matter where they are
+installed, as long as they are correctly specified in the
+<filename>/etc/(x)inetd.conf</filename> file and <filename>rc</filename>
+scripts. If you choose something other than
+<filename class="directory">/usr/sbin</filename>, you may want to move some of
+the user programs (such as <command>kadmin</command>) to
+<filename class="directory">/usr/sbin</filename> manually so they'll be in the
+privileged user's default path.</para></note>
 <para>
 …
 mv /usr/bin/{login,su} /bin
 ln -sf ../../bin/login /usr/bin</command></screen>
+The <command>login</command> and <command>su</command> programs
+installed by Heimdal belong in the <filename
+class="directory">/bin</filename> directory. The
+<command>login</command> program is symlinked because Heimdal is expecting
+to find it in <filename class="directory">/usr/bin</filename>. We
+preserve the old executables before the move to keep things sane should
+breaks occur.
+The <command>login</command> and <command>su</command> programs installed by
+<application>Heimdal</application> belong in the
+<filename class="directory">/bin</filename> directory. The
+<command>login</command> program is symlinked because
+<application>Heimdal</application> is expecting to find it in
+<filename class="directory">/usr/bin</filename>. The old executables are
+preserved before the move to keep things sane should breaks occur.
 </para>
 …
 ln -sf ../../lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /usr/lib
 ln -sf ../../lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /usr/lib</command></screen>
 The <command>login</command> and <command>su</command> programs
+installed by Heimdal link against Heimdal libraries as well as crypto
+and db libraries. We move these libraries to <filename
+class="directory">/lib</filename> to be <acronym>FHS</acronym>
+compliant and in case when <filename
+class="directory">/usr</filename> is located on a separate partition which
+may not always be mounted.
+installed by <application>Heimdal</application> link against
+<application>Heimdal</application> libraries as well as libraries provided by
+the <application>OpenSSL</application>, <application>Berkeley DB</application>
+and <application>E2fsprogs</application> packages. These libraries are moved
+to <filename class="directory">/lib</filename> to be <acronym>FHS</acronym>
+compliant and also in case <filename class="directory">/usr</filename> is
+located on a separate partition which may not always be mounted.
 </para>
 …
 <sect2>
 <title>Configuring Heimdal</title>
+<title>Configuring <application>Heimdal</application></title>
 <sect3><title>Config files</title>
 …
 <sect3><title>Configuration Information</title>
 <sect4><title>Master KDC Server Configuration</title>
 <para>
 Create the Kerberos configuration file with the following command:
+<sect4><title>Master <acronym>KDC</acronym> Server Configuration</title>
+<para>
+Create the Kerberos configuration file with the following commands:
 </para>
 …
 [libdefaults]
     default_realm = <replaceable>[LFS.ORG]</replaceable>
+    default_realm = <replaceable>[EXAMPLE.COM]</replaceable>
     encrypt = true
 [realms]
     <replaceable>[LFS.ORG]</replaceable> = {
         kdc = <replaceable>[belgarath.lfs.org]</replaceable>
         admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
         kpasswd_server = <replaceable>[belgarath.lfs.org]</replaceable>
+    <replaceable>[EXAMPLE.COM]</replaceable> = {
+        kdc = <replaceable>[hostname.example.com]</replaceable>
+        admin_server = <replaceable>[hostname.example.com]</replaceable>
+        kpasswd_server = <replaceable>[hostname.example.com]</replaceable>
+    }
 [domain_realm]
     .<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>
+    .<replaceable>[example.com]</replaceable> = <replaceable>[EXAMPLE.COM]</replaceable>
 [logging]
 …
 <para>
+You will need to substitute your domain and proper hostname for the
+occurances of the belgarath and lfs.org names.
+</para>
+<para>
+<userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS.
+This isn't required, but both Heimdal and <acronym>MIT</acronym>
+recommend it.
+</para>
+<para>
+<userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized
+clients and servers. It's not necessary and can be left off. If you
+leave it off, you can encrypt all traffic from the client to the server
+using a switch on the client program instead.
+</para>
+<para>
+The <userinput>[realms]</userinput> parameters tell the client programs where to look for the
+<acronym>KDC</acronym> authentication services.
+You will need to substitute your domain and proper hostname for the
+occurrences of the <replaceable>[hostname]</replaceable> and
+<replaceable>[EXAMPLE.COM]</replaceable> names.
+</para>
+<para>
+<userinput>default_realm</userinput> should be the name of your domain changed
+to ALL CAPS. This isn't required, but both <application>Heimdal</application>
+and <application><acronym>MIT</acronym> krb5</application> recommend it.
+</para>
+<para>
+<userinput>encrypt = true</userinput> provides encryption of all traffic
+between kerberized clients and servers. It's not necessary and can be left
+off. If you leave it off, you can encrypt all traffic from the client to the
+server using a switch on the client program instead.
+</para>
+<para>
+The <userinput>[realms]</userinput> parameters tell the client programs where
+to look for the <acronym>KDC</acronym> authentication services.
 </para>
 …
 </para>
+<screen><userinput><command>init <replaceable>[LFS.ORG]</replaceable></command></userinput></screen>
+<para>
+Now we need to populate the database with principles (users). For now,
+just use your regular login name or root.
+<screen><userinput><command>init <replaceable>[EXAMPLE.COM]</replaceable></command></userinput></screen>
+<para>
+The database must now be populated with at least one principle (user). For now,
+just use your regular login name or root. You may create as few, or as many
+principles as you wish using the following statement:
 </para>
 …
 </para>
 <screen><userinput><command>add --random-key host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
+<screen><userinput><command>add --random-key host/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
 <para>
 …
 </para>
 <screen><userinput><command>ext host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
+<screen><userinput><command>ext host/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
 <para>
 This should have created two files in
 <filename class="directory">/etc/heimdal</filename>;
+<filename class="directory">/etc/heimdal</filename>:
 <filename>krb5.keytab</filename> (Kerberos 5) and
 <filename>srvtab</filename> (Kerberos 4). Both files should have 600
 …
 </para>
 <screen><userinput><command>add --random-key ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
+<screen><userinput><command>add --random-key ftp/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
 <para>
 …
 </para>
 <screen><userinput><command>ext ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
+<screen><userinput><command>ext ftp/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
 <para>
 …
 <para>
+To test the functionality of the keytab file, issue the following
+command:
+To test the functionality of the keytab file, issue the following command:
 </para>
 …
 <para>Install the <filename>/etc/rc.d/init.d/heimdal</filename> init script
 included in the <xref linkend="intro-important-bootscripts"/>
 package.</para>
+package:</para>
 <screen><userinput><command>make install-heimdal</command></userinput></screen>
 …
 <para>
 The kerberized programs will connect to non kerberized daemons, warning
+The kerberized programs will connect to non-kerberized daemons, warning
 you that authentication is not encrypted. As mentioned earlier, only the
+<command>ftp</command> program gives any trouble connecting to non
+kerberized daemons.
+</para>
+<command>ftp</command> program gives any trouble connecting to
+non-kerberized daemons.
+</para>
+<para>In order to use the <application>Heimdal</application>
+<application>X</application> programs, you'll need to add a service port
+entry to the <filename>/etc/services</filename> file for the
+<command>kxd</command> server. There is no 'standardized port number' for
+the 'kx' service in the IANA database, so you'll have to pick an unused port
+number. Add an entry to the <filename>services</filename> file similar to the
+entry below (substitute your chosen port number for
+<replaceable>[49150]</replaceable>):</para>
+<screen><userinput>kx              <replaceable>[49150]</replaceable>/tcp   # Heimdal kerberos X
+kx              <replaceable>[49150]</replaceable>/udp   # Heimdal kerberos X</userinput></screen>
 <para>
 …
 <filename class="libraryfile">libsl</filename> and
 <filename class="libraryfile">libss</filename>.
 </para>
 …
 <sect3><title>afslog</title>
 <para><command>afslog</command> obtains AFS tokens for a number of
 cells.</para></sect3>
+<para><command>afslog</command> obtains <acronym>AFS</acronym> tokens for a
+number of cells.</para></sect3>
 <sect3><title>hprop</title>
 <para><command>hprop</command> takes a principal database in a specified
 format and converts it into a stream of Heimdal database
 records.</para></sect3>
+format and converts it into a stream of <application>Heimdal</application>
+database records.</para></sect3>
 <sect3><title>hpropd</title>
 <para><command>hpropd</command> receives a database sent by
+<command>hprop</command> and writes it as a local
+database.</para></sect3>
+<command>hprop</command> and writes it as a local database.</para></sect3>
 <sect3><title>kadmin</title>
 <para><command>kadmin</command> is an utility used to make modifications
+<para><command>kadmin</command> is a utility used to make modifications
 to the Kerberos database.</para></sect3>
 <sect3><title>kadmind</title>
 <para><command>kadmind</command> is a server for administrative access
 to Kerberos database.</para></sect3>
+to the Kerberos database.</para></sect3>
 <sect3><title>kauth, kinit</title>
 <para><command>kauth</command> and <command>kinit</command> are used to
 authenticate to the Kerberos server as principal and acquire a ticket
+authenticate to the Kerberos server as a principal and acquire a ticket
 granting ticket that can later be used to obtain tickets for other
 services.</para></sect3>
 …
 <sect3><title>kdestroy</title>
 <para><command>kdestroy</command> removes the current set of
+<para><command>kdestroy</command> removes a principle's current set of
 tickets.</para></sect3>
 …
 <sect3><title>krb5-config</title>
 <para><command>krb5-config</command> gives information on how to link
 programs against Heimdal libraries.</para></sect3>
+programs against <application>Heimdal</application> libraries.</para></sect3>
 <sect3><title>kstash</title>
 …
 <sect3><title>kx</title>
 <para><command>kx</command> is a program which securely forwards X
 connections.</para></sect3>
+<para><command>kx</command> is a program which securely forwards
+<application>X</application> connections.</para></sect3>
 <sect3><title>kxd</title>
 …
 <sect3><title>rxtelnet</title>
 <para><command>rxtelnet</command> program starts an
 <command>xterm</command> window with a telnet to given host and forwards
 X connections.</para></sect3>
+<para><command>rxtelnet</command> starts an <command>xterm</command>
+window with a telnet to a given host and forwards
+<application>X</application> connections.</para></sect3>
 <sect3><title>rxterm</title>
 …
 <sect3><title>tenletxr</title>
 <para><command>tenletxr</command> forwards X connections
 backwards.</para></sect3>
+<para><command>tenletxr</command> forwards <application>X</application>
+connections backwards.</para></sect3>
 <sect3><title>verify_krb5_conf</title>
 …
 <sect3><title>xnlock</title>
 <para><command>xnlock</command> is a program that acts as a secure screen
 saver for workstations running X.</para></sect3>
+saver for workstations running <application>X</application>.</para></sect3>
 </sect2>

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 359e1043 for postlfs/security

Legend:

postlfs/security/heimdal.xml

Download in other formats: