Changeset 597a2890
- Timestamp:
- 03/08/2012 06:03:59 PM (12 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- 10909a2
- Parents:
- 3229ccc
- Files:
-
- 2 edited
-
general.ent (modified) (1 diff)
-
postlfs/security/mitkrb.xml (modified) (21 diffs)
Legend:
- Unmodified
- Added
- Removed
-
general.ent
r3229ccc r597a2890 124 124 <!ENTITY libcap2-version "2.22"> 125 125 <!ENTITY liboauth-version "0.9.4"> 126 <!ENTITY mitkrb-version "1. 6">126 <!ENTITY mitkrb-version "1.10"> 127 127 <!ENTITY nettle-version "2.4"> 128 128 <!ENTITY nss-version "3.13.3"> -
postlfs/security/mitkrb.xml
r3229ccc r597a2890 5 5 %general-entities; 6 6 7 <!ENTITY mitkrb-download-http "http://web.mit.edu/kerberos/www/dist/krb5/1. 6/krb5-&mitkrb-version;-signed.tar">7 <!ENTITY mitkrb-download-http "http://web.mit.edu/kerberos/www/dist/krb5/1.10/krb5-&mitkrb-version;-signed.tar"> 8 8 <!ENTITY mitkrb-download-ftp " "> 9 <!ENTITY mitkrb-md5sum " a365e39ff7d39639556c2797a0e1c3f4">10 <!ENTITY mitkrb-size "1 2.0 MB">11 <!ENTITY mitkrb-buildsize "1 24MB">12 <!ENTITY mitkrb-time "1. 4SBU">9 <!ENTITY mitkrb-md5sum "0b2c8366468f74c6bb8e11a5417645c1"> 10 <!ENTITY mitkrb-size "10 MB"> 11 <!ENTITY mitkrb-buildsize "100 MB"> 12 <!ENTITY mitkrb-time "1.0 SBU"> 13 13 ]> 14 14 … … 37 37 networks or the Internet.</para> 38 38 39 &lfs70_checked; 40 39 41 <bridgehead renderas="sect3">Package Information</bridgehead> 40 42 <itemizedlist spacing="compact"> … … 42 44 <para>Download (HTTP): <ulink url="&mitkrb-download-http;"/></para> 43 45 </listitem> 44 <listitem>46 <!-- <listitem> 45 47 <para>Download (FTP): <ulink url="&mitkrb-download-ftp;"/></para> 46 </listitem> 48 </listitem>--> 47 49 <listitem> 48 50 <para>Download MD5 sum: &mitkrb-md5sum;</para> … … 62 64 63 65 <bridgehead renderas="sect4">Optional</bridgehead> 64 <para role="optional"><xref linkend="linux-pam"/> 65 (for <command>xdm</command> based logins), 66 <para role="optional"><xref linkend="keyutils"/>, 66 67 <xref linkend="openldap"/>, and 67 68 <xref linkend="dejagnu"/> (required to run the test suite)</para> … … 100 101 ./configure CPPFLAGS="-I/usr/include/et -I/usr/include/ss" \ 101 102 --prefix=/usr \ 102 --sysconfdir=/etc/krb5 \103 103 --localstatedir=/var/lib \ 104 104 --with-system-et \ 105 105 --with-system-ss \ 106 --enable-dns-for-realm \ 107 --mandir=/usr/share/man && 106 --enable-dns-for-realm && 108 107 make</userinput></screen> 109 108 … … 123 122 ln -v -sf ../../lib/libkrb5.so.3.3 /usr/lib/libkrb5.so && 124 123 ln -v -sf ../../lib/libk5crypto.so.3.1 /usr/lib/libk5crypto.so && 125 ln -v -sf ../../lib/libkrb5support.so.0.1 /usr/lib/libkrb5support.so &&126 127 install -m644 -v ../doc/*.info */usr/share/info &&128 for INFOFILE in 4255-admin 5-install 5-user; do124 ln -v -sf ../../lib/libkrb5support.so.0.1 /usr/lib/libkrb5support.so && 125 126 install -m644 -v ../doc/*.info /usr/share/info && 127 for INFOFILE in 5-admin 5-install 5-user; do 129 128 install-info --info-dir=/usr/share/info \ 130 129 /usr/share/info/krb$INFOFILE.info 131 rm ../doc/krb$INFOFILE.info *130 rm ../doc/krb$INFOFILE.info 132 131 done && 133 132 134 133 install -m755 -v -d /usr/share/doc/krb5-&mitkrb-version; && 135 134 cp -Rv ../doc/* /usr/share/doc/krb5-&mitkrb-version;</userinput></screen> 136 137 <warning>138 <para><command>login.krb5</command> does not support139 <application>Shadow</application> passwords. As a result, when the140 Kerberos server is unavailable, the default fall through to141 <filename>/etc/passwd</filename> will not work because142 the passwords have been moved to <filename>/etc/shadow</filename> during143 the LFS build process. Entering the following144 commands without moving the passwords back to145 <filename>/etc/passwd</filename> could prevent any logins.</para>146 </warning>147 148 <para>After considering (and understanding) the above warning, the149 following commands can be entered as the150 <systemitem class="username">root</systemitem> user to replace the151 existing <command>login</command> program with the Kerberized152 version (after preserving the original) and move the support libraries153 to a location available when the154 <filename class='directory'>/usr</filename> filesystem is155 not mounted:</para>156 157 <screen role="root"><userinput>mv -v /bin/login /bin/login.shadow &&158 install -m755 -v /usr/sbin/login.krb5 /bin/login &&159 160 mv -v /usr/lib/libdes425.so.3* /lib &&161 mv -v /usr/lib/libkrb4.so.2* /lib &&162 163 ln -v -sf ../../lib/libdes425.so.3.0 /usr/lib/libdes425.so &&164 ln -v -sf ../../lib/libkrb4.so.2.0 /usr/lib/libkrb4.so &&165 166 ldconfig</userinput></screen>167 135 168 136 <!-- … … 208 176 <filename class='directory'>/usr/var</filename>.</para> 209 177 210 <!-- <para><parameter>- -enable-static</parameter>: This switch builds static 211 libraries in addition to the shared libraries.</para> --> 212 213 <para><command>mv -v /usr/bin/ksu /bin</command>: Moves the 214 <command>ksu</command> program to the 215 <filename class="directory">/bin</filename> directory so that it is 216 available when the <filename class="directory">/usr</filename> 178 <para><parameter>mv -v /usr/bin/ksu /bin</parameter>: Moves the ksu 179 program to the /bin directory so that it is available when the /usr 217 180 filesystem is not mounted.</para> 218 181 219 <para><command>mv -v ... /lib && ln -v -sf ...</command>: 220 These libraries are moved to <filename class="directory">/lib</filename> so 221 they are available when the <filename class="directory">/usr</filename> 222 filesystem is not mounted.</para> 182 <para><parameter>--with-ldap</parameter>: This parameter enables building 183 of OpenLDAP database backend module</para> 223 184 224 185 </sect2> … … 230 191 <title>Config Files</title> 231 192 232 <para><filename>/etc/krb5 /krb5.conf</filename> and193 <para><filename>/etc/krb5.conf</filename> and 233 194 <filename>/var/lib/krb5kdc/kdc.conf</filename></para> 234 195 235 196 <indexterm zone="mitkrb krb5-config"> 236 <primary sortas="e-etc-krb5 -krb5.conf">/etc/krb5/krb5.conf</primary>197 <primary sortas="e-etc-krb5.conf">/etc/krb5.conf</primary> 237 198 </indexterm> 238 199 … … 263 224 user:</para> 264 225 265 <screen role="root"><userinput>install -v -m755 -d /etc/krb5 && 266 cat > /etc/krb5/krb5.conf << "EOF" 267 <literal># Begin /etc/krb5/krb5.conf 226 <screen role="root"><userinput>cat > /etc/krb5.conf << "EOF" 227 <literal># Begin /etc/krb5.conf 268 228 269 229 [libdefaults] … … 286 246 default = SYSLOG[[:SYS]] 287 247 288 # End /etc/krb5 /krb5.conf</literal>248 # End /etc/krb5.conf</literal> 289 249 EOF</userinput></screen> 290 250 … … 332 292 333 293 <para>This should have created a file in 334 <filename class="directory">/etc /krb5</filename> named294 <filename class="directory">/etc</filename> named 335 295 <filename>krb5.keytab</filename> (Kerberos 5). This file should 336 296 have 600 (<systemitem class="username">root</systemitem> rw only) … … 338 298 to the overall security of the Kerberos installation.</para> 339 299 340 <para>Eventually, you'll want to add server daemon principles to the341 database and extract them to the keytab file. You do this in the same342 way you created the host principles. Below is an example:</para>343 344 <screen role='root'><userinput><prompt>kadmin:</prompt> addprinc -randkey ftp/<replaceable><belgarath.lfs.org></replaceable>345 <prompt>kadmin:</prompt> ktadd ftp/<replaceable><belgarath.lfs.org></replaceable></userinput></screen>346 347 300 <para>Exit the <command>kadmin</command> program (use 348 301 <command>quit</command> or <command>exit</command>) and return … … 350 303 test out the installation:</para> 351 304 352 <screen role='root'><userinput>/usr/sbin/krb5kdc &</userinput></screen>305 <screen role='root'><userinput>/usr/sbin/krb5kdc</userinput></screen> 353 306 354 307 <para>Attempt to get a ticket with the following command:</para> … … 368 321 369 322 <screen><userinput>ktutil 370 <prompt>ktutil:</prompt> rkt /etc/krb5 /krb5.keytab323 <prompt>ktutil:</prompt> rkt /etc/krb5.keytab 371 324 <prompt>ktutil:</prompt> l</userinput></screen> 372 325 … … 387 340 388 341 <sect4> 389 <title>Using Kerberized Client Programs</title>390 391 <para>To use the kerberized client programs (<command>telnet</command>,392 <command>ftp</command>, <command>rsh</command>, <command>rcp</command>,393 <command>rlogin</command>), you first must get an authentication ticket.394 Use the <command>kinit</command> program to get the ticket. After you've395 acquired the ticket, you can use the kerberized programs to connect to396 any kerberized server on the network. You will not be prompted for397 authentication until your ticket expires (default is one day), unless398 you specify a different user as a command line argument to the399 program.</para>400 401 <para>The kerberized programs will connect to non kerberized daemons,402 warning you that authentication is not encrypted.</para>403 404 </sect4>405 406 <sect4>407 <title>Using Kerberized Server Programs</title>408 409 <para>Using kerberized server programs (<command>telnetd</command>,410 <command>kpropd</command>, <command>klogind</command> and411 <command>kshd</command>) requires two additional configuration steps.412 First the <filename>/etc/services</filename> file must be updated to413 include eklogin and krb5_prop. Second, the414 <filename>inetd.conf</filename> <!--or <filename>xinetd.conf</filename>--> file415 must be modified for each server that will be activated<!--, usually416 replacing the server from <xref linkend="inetutils"/>-->.</para>417 418 </sect4>419 420 <sect4>421 342 <title>Additional Information</title> 422 343 423 344 <para>For additional information consult <ulink 424 url="http://web.mit.edu/kerberos/www/krb5-1. 6/#documentation">345 url="http://web.mit.edu/kerberos/www/krb5-1.10/#documentation"> 425 346 Documentation for krb-&mitkrb-version;</ulink> on which the above 426 347 instructions are based.</para> … … 442 363 443 364 <seglistitem> 444 <seg>ftp, ftpd, gss-client, gss-server, k5srvutil, kadmin, 445 kadmin.local, kadmind, kdb5_ldap_util, kdb5_util, kdestroy, kinit, klist, 446 klogind, kpasswd, kprop, kpropd, krb5-config, krb5-send-pr, krb524d, 447 krb524init, krb5kdc, kshd, ksu, ktutil, kvno, login.krb5, rcp, rlogin, 448 rsh, sclient, sim_client, sim_server, sserver, telnet, telnetd, 449 uuclient, uuserver and v4rcp</seg> 450 <seg>libdes425.so, libgssapi_krb5.so, 451 libgssrpc.so, libk5crypto.so, libkadm5clnt.so, libkadm5srv.so, 452 libkdb5.so, libkdb_ldap.so, libkrb4.so, libkrb5.so and 453 libkrb5support.so</seg> 454 <seg>/etc/krb5, /usr/include/{gssapi,gssrpc,kerberosIV,krb5}, 455 /usr/lib/krb5, /usr/share/{doc/krb5-&mitkrb-version;,examples,gnats} 365 <seg>gss-client, gss-server, k5srvutil, kadmin, kadmin.local, 366 kadmind, kdb5_ldap_util, kdb5_util, kdestroy, kinit, klist, 367 kpasswd, kprop, kpropd, krb5-config, krb5kdc, krb5-send-pr, 368 ksu, kswitch, ktutil, kvno, sclient, sim_client, sim_server, 369 sserver, uuclient, and uuserver</seg> 370 <seg>libgssapi_krb5.so, libgssrpc.so, libk5crypto.so, 371 libkadm5clnt.so, libkadm5srv.so, libkdb5.so, libkdb_ldap.so, 372 libkrb5.so, libkrb5support.so, libverto-k5ev.so and 373 libverto.so</seg> 374 <seg>/usr/include/{gssapi,gssrpc,kadm5,krb5}, /usr/lib/krb5, 375 /usr/share/{doc/krb5-&mitkrb-version;,examples/krb5,gnats} 456 376 and /var/lib/krb5kdc</seg> 457 377 </seglistitem> … … 462 382 <?dbfo list-presentation="list"?> 463 383 <?dbhtml list-presentation="table"?> 464 465 <varlistentry id="ftp-mitkrb">466 <term><command>ftp</command></term>467 <listitem>468 <para>is a kerberized FTP client.</para>469 <indexterm zone="mitkrb ftp-mitkrb">470 <primary sortas="b-ftp">ftp</primary>471 </indexterm>472 </listitem>473 </varlistentry>474 475 <varlistentry id="ftpd-mitkrb">476 <term><command>ftpd</command></term>477 <listitem>478 <para>is a kerberized FTP daemon.</para>479 <indexterm zone="mitkrb ftpd-mitkrb">480 <primary sortas="b-ftpd">ftpd</primary>481 </indexterm>482 </listitem>483 </varlistentry>484 384 485 385 <varlistentry id="k5srvutil"> … … 558 458 </varlistentry> 559 459 560 <varlistentry id="klogind">561 <term><command>klogind</command></term>562 <listitem>563 <para>is the server that responds to <command>rlogin</command>564 requests.</para>565 <indexterm zone="mitkrb klogind">566 <primary sortas="b-klogind">klogind</primary>567 </indexterm>568 </listitem>569 </varlistentry>570 571 460 <varlistentry id="kpasswd-mitkrb"> 572 461 <term><command>kpasswd</command></term> … … 618 507 <indexterm zone="mitkrb krb5kdc"> 619 508 <primary sortas="b-krb5kdc">krb5kdc</primary> 620 </indexterm>621 </listitem>622 </varlistentry>623 624 <varlistentry id="kshd">625 <term><command>kshd</command></term>626 <listitem>627 <para>is the server that responds to <command>rsh</command>628 requests.</para>629 <indexterm zone="mitkrb kshd">630 <primary sortas="b-kshd">kshd</primary>631 509 </indexterm> 632 510 </listitem> … … 647 525 </varlistentry> 648 526 527 <varlistentry id="kswitch"> 528 <term><command>kswitch</command></term> 529 <listitem> 530 <para>makes the specified credential cache the 531 primary cache for the collection, if a cache 532 collection is available.</para> 533 <indexterm zone="mitkrb kswitch"> 534 <primary sortas="b-kswitch">kswitch</primary> 535 </indexterm> 536 </listitem> 537 </varlistentry> 538 649 539 <varlistentry id="ktutil-mitkrb"> 650 540 <term><command>ktutil</command></term> … … 667 557 </varlistentry> 668 558 669 <varlistentry id="login.krb5"> 670 <term><command>login.krb5</command></term> 671 <listitem> 672 <para>is a kerberized login program.</para> 673 <indexterm zone="mitkrb login"> 674 <primary sortas="b-login.krb5">login.krb5</primary> 675 </indexterm> 676 </listitem> 677 </varlistentry> 678 679 <varlistentry id="rcp-mitkrb"> 680 <term><command>rcp</command></term> 681 <listitem> 682 <para>is a kerberized rcp client program.</para> 683 <indexterm zone="mitkrb rcp-mitkrb"> 684 <primary sortas="b-rcp">rcp</primary> 685 </indexterm> 686 </listitem> 687 </varlistentry> 688 689 <varlistentry id="rlogin"> 690 <term><command>rlogin</command></term> 691 <listitem> 692 <para>is a kerberized rlogin client program.</para> 693 <indexterm zone="mitkrb rlogin"> 694 <primary sortas="b-rlogin">rlogin</primary> 695 </indexterm> 696 </listitem> 697 </varlistentry> 698 699 <varlistentry id="rsh-mitkrb"> 700 <term><command>rsh</command></term> 701 <listitem> 702 <para>is a kerberized rsh client program.</para> 703 <indexterm zone="mitkrb rsh-mitkrb"> 704 <primary sortas="b-rsh">rsh</primary> 705 </indexterm> 706 </listitem> 707 </varlistentry> 708 709 <varlistentry id="telnet-mitkrb"> 710 <term><command>telnet</command></term> 711 <listitem> 712 <para>is a kerberized telnet client program.</para> 713 <indexterm zone="mitkrb telnet-mitkrb"> 714 <primary sortas="b-telnet">telnet</primary> 715 </indexterm> 716 </listitem> 717 </varlistentry> 718 719 <varlistentry id="telnetd-mitkrb"> 720 <term><command>telnetd</command></term> 721 <listitem> 722 <para>is a kerberized telnet server.</para> 723 <indexterm zone="mitkrb telnetd-mitkrb"> 724 <primary sortas="b-telnetd">telnetd</primary> 559 <varlistentry id="sclient"> 560 <term><command>sclient</command></term> 561 <listitem> 562 <para>used to contact a sample server and authenticate to it 563 using Kerberos version 5 tickets, then display the server's 564 response.</para> 565 <indexterm zone="mitkrb sclient"> 566 <primary sortas="b-sclient">sclient</primary> 567 </indexterm> 568 </listitem> 569 </varlistentry> 570 571 <varlistentry id="sserver"> 572 <term><command>sserver</command></term> 573 <listitem> 574 <para>sample Kerberos version 5 server.</para> 575 <indexterm zone="mitkrb sserver"> 576 <primary sortas="b-sserver">sserver</primary> 725 577 </indexterm> 726 578 </listitem>
Note:
See TracChangeset
for help on using the changeset viewer.
