Changeset 84418e6 for postlfs/security/heimdal.xml
- Timestamp:
- 05/13/2005 11:36:47 PM (19 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- 3493b1f
- Parents:
- 07d11f5
- File: 1 edited
postlfs/security/heimdal.xml
r07d11f5 r84418e6 14 14 15 15 <sect1 id="heimdal" xreflabel="Heimdal-&heimdal-version;"> 16 <sect1info> 17 <othername>$LastChangedBy$</othername> 18 <date>$Date$</date> 19 </sect1info> 20 <?dbhtml filename="heimdal.html"?> 21 <title>Heimdal-&heimdal-version;</title> 22 <indexterm zone="heimdal"> 23 <primary sortas="a-Heimdal">Heimdal</primary> 24 </indexterm> 25 26 <sect2> 27 <title>Introduction to <application>Heimdal</application></title> 28 29 <para><application>Heimdal</application> is a free implementation of Kerberos 30 5, that aims to be compatible with <acronym>MIT</acronym> krb5 and is backwards 31 compatible with krb4. Kerberos is a network authentication protocol. Basically 32 it preserves the integrity of passwords in any untrusted network (like the 33 Internet). Kerberized applications work hand-in-hand with sites that support 34 Kerberos to ensure that passwords cannot be stolen. A Kerberos installation 35 will make changes to the authentication mechanisms on your network and will 36 overwrite several programs and daemons from the 37 <application>Coreutils</application>, <application>Inetutils</application>, 38 <application>Qpopper</application> and <application>Shadow</application> 39 packages.</para> 40 41 <sect3><title>Package information</title> 42 <itemizedlist spacing='compact'> 43 <listitem><para>Download (HTTP): 44 <ulink url="&heimdal-download-http;"/></para></listitem> 45 <listitem><para>Download (FTP): 46 <ulink url="&heimdal-download-ftp;"/></para></listitem> 47 <listitem><para>Download MD5 sum: &heimdal-md5sum;</para></listitem> 48 <listitem><para>Download size: &heimdal-size;</para></listitem> 49 <listitem><para>Estimated disk space required: 50 &heimdal-buildsize;</para></listitem> 51 <listitem><para>Estimated build time: 52 &heimdal-time;</para></listitem></itemizedlist> 53 </sect3> 54 55 <sect3><title>Additional downloads</title> 56 <itemizedlist spacing='compact'> 57 <listitem><para>Required Patch: <ulink 58 
url="&patch-root;/heimdal-&heimdal-version;-fhs_compliance-1.patch"/></para> 59 </listitem> 60 <listitem><para>Required patch for cracklib: <ulink 61 url="&patch-root;/heimdal-&heimdal-version;-cracklib-1.patch"/></para> 62 </listitem> 63 </itemizedlist> 64 65 </sect3> 66 67 <sect3><title><application>Heimdal</application> dependencies</title> 68 <sect4><title>Required</title> 69 <para><xref linkend="openssl"/> and 70 <xref linkend="db"/></para> 71 </sect4> 72 73 <sect4><title>Optional</title> 74 <para><xref linkend="Linux_PAM"/>, 75 <xref linkend="openldap"/>, 76 X (<xref linkend="xorg"/> or <xref linkend="xfree86"/>), 77 <xref linkend="cracklib"/> and 78 <ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink></para> 79 80 <note><para>Some sort of time synchronization facility on your system (like 81 <xref linkend="ntp"/>) is required since Kerberos won't authenticate if the 82 time differential between a kerberized client and the 83 <acronym>KDC</acronym> server is more than 5 minutes.</para></note> 84 </sect4> 85 86 </sect3> 87 88 </sect2> 89 90 <sect2> 91 <title>Installation of <application>Heimdal</application></title> 92 93 <para>Before installing the package, you may want to preserve the 94 <command>ftp</command> program from the <application>Inetutils</application> 95 package. This is because using the <application>Heimdal</application> 96 <command>ftp</command> program to connect to non-kerberized ftp servers may 97 not work properly. It will allow you to connect (letting you know that 98 transmission of the password is clear text) but will have problems doing puts 99 and gets. 
Issue the following command as the root user.</para> 100 101 <screen><userinput role='root'><command>mv /usr/bin/ftp /usr/bin/ftpn</command></userinput></screen> 102 103 <para>If you wish the <application>Heimdal</application> package to link 104 against the <application>cracklib</application> library, you must apply a 105 patch:</para> 106 107 <screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-cracklib-1.patch</command></userinput></screen> 108 109 <para>Install <application>Heimdal</application> by running the following 110 commands:</para> 111 112 <screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-fhs_compliance-1.patch && 16 <?dbhtml filename="heimdal.html"?> 17 18 <sect1info> 19 <othername>$LastChangedBy$</othername> 20 <date>$Date$</date> 21 </sect1info> 22 23 <title>Heimdal-&heimdal-version;</title> 24 25 <indexterm zone="heimdal"> 26 <primary sortas="a-Heimdal">Heimdal</primary> 27 </indexterm> 28 29 <sect2 role="package"> 30 <title>Introduction to Heimdal</title> 31 32 <para><application>Heimdal</application> is a free implementation 33 of Kerberos 5, that aims to be compatible with MIT krb5 and is 34 backwards compatible with krb4. Kerberos is a network authentication 35 protocol. Basically it preserves the integrity of passwords in any 36 untrusted network (like the Internet). Kerberized applications work 37 hand-in-hand with sites that support Kerberos to ensure that passwords 38 cannot be stolen. 
A Kerberos installation will make changes to the 39 authentication mechanisms on your network and will overwrite several 40 programs and daemons from the <application>Coreutils</application>, 41 <application>Inetutils</application>, <application>Qpopper</application> 42 and <application>Shadow</application> packages.</para> 43 44 <bridgehead renderas="sect3">Package Information</bridgehead> 45 <itemizedlist spacing="compact"> 46 <listitem> 47 <para>Download (HTTP): <ulink url="&heimdal-download-http;"/></para> 48 </listitem> 49 <listitem> 50 <para>Download (FTP): <ulink url="&heimdal-download-ftp;"/></para> 51 </listitem> 52 <listitem> 53 <para>Download MD5 sum: &heimdal-md5sum;</para> 54 </listitem> 55 <listitem> 56 <para>Download size: &heimdal-size;</para> 57 </listitem> 58 <listitem> 59 <para>Estimated disk space required: &heimdal-buildsize;</para> 60 </listitem> 61 <listitem> 62 <para>Estimated build time: &heimdal-time;</para> 63 </listitem> 64 </itemizedlist> 65 66 <bridgehead renderas="sect3">Additional Downloads</bridgehead> 67 <itemizedlist spacing='compact'> 68 <listitem> 69 <para>Required Patch: <ulink 70 url="&patch-root;/heimdal-&heimdal-version;-fhs_compliance-1.patch"/></para> 71 </listitem> 72 <listitem> 73 <para>Required patch for <application>cracklib</application>: <ulink 74 url="&patch-root;/heimdal-&heimdal-version;-cracklib-1.patch"/></para> 75 </listitem> 76 </itemizedlist> 77 78 <bridgehead renderas="sect3">Heimdal Dependencies</bridgehead> 79 80 <bridgehead renderas="sect4">Required</bridgehead> 81 <para><xref linkend="openssl"/> and 82 <xref linkend="db"/></para> 83 84 <bridgehead renderas="sect4">Optional</bridgehead> 85 <para><xref linkend="Linux_PAM"/>, 86 <xref linkend="openldap"/>, 87 X (<xref linkend="xorg"/> or <xref linkend="xfree86"/>), 88 <xref linkend="cracklib"/> and 89 <ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink></para> 90 91 <note> 92 <para>Some sort of time synchronization facility on your system 93 (like <xref 
linkend="ntp"/>) is required since Kerberos won't 94 authenticate if the time differential between a kerberized client 95 and the KDC server is more than 5 minutes.</para> 96 </note> 97 98 </sect2> 99 100 <sect2 role="installation"> 101 <title>Installation of Heimdal</title> 102 103 <para>Before installing the package, you may want to preserve the 104 <command>ftp</command> program from the <application>Inetutils</application> 105 package. This is because using the <application>Heimdal</application> 106 <command>ftp</command> program to connect to non-kerberized ftp servers may 107 not work properly. It will allow you to connect (letting you know that 108 transmission of the password is clear text) but will have problems doing puts 109 and gets. Issue the following command as the <systemitem 110 class="username">root</systemitem> user.</para> 111 112 <screen role="root"><userinput>mv -v /usr/bin/ftp /usr/bin/ftpn</userinput></screen> 113 114 <para>If you wish the <application>Heimdal</application> package to 115 link against the <application>cracklib</application> library, you 116 must apply a patch:</para> 117 118 <screen><userinput>patch -Np1 -i ../heimdal-&heimdal-version;-cracklib-1.patch</userinput></screen> 119 120 <para>Install <application>Heimdal</application> by running the following 121 commands:</para> 122 123 <screen><userinput>patch -Np1 -i ../heimdal-&heimdal-version;-fhs_compliance-1.patch && 113 124 ./configure --prefix=/usr --sysconfdir=/etc/heimdal \ 114 125 --datadir=/var/lib/heimdal --localstatedir=/var/lib/heimdal \ 115 126 --libexecdir=/usr/sbin --enable-shared \ 116 127 --with-openssl=/usr --with-readline=/usr && 117 make</ command></userinput></screen>118 119 <para>Now, as the rootuser:</para>120 121 <screen ><userinput role='root'><command>make install &&122 mv /bin/login /bin/login.shadow &&123 mv /bin/su /bin/su.shadow &&124 mv /usr/bin/{login,su} /bin &&125 ln - sf ../../bin/login /usr/bin &&126 mv 
/usr/lib/lib{otp.so.0*,kafs.so.0*,krb5.so.17*,asn1.so.6*} \128 make</userinput></screen> 129 130 <para>Now, as the <systemitem class="username">root</systemitem> user:</para> 131 132 <screen role="root"><userinput>make install && 133 mv -v /bin/login /bin/login.shadow && 134 mv -v /bin/su /bin/su.shadow && 135 mv -v /usr/bin/{login,su} /bin && 136 ln -v -sf ../../bin/login /usr/bin && 137 mv -v /usr/lib/lib{otp.so.0*,kafs.so.0*,krb5.so.17*,asn1.so.6*} \ 127 138 /usr/lib/lib{roken.so.16*,crypto.so.0*,db-4.3.so} /lib && 128 ln - sf ../../lib/lib{otp.so.0{,.1.4},kafs.so.0{,.4.0},db-4.3.so} \139 ln -v -sf ../../lib/lib{otp.so.0{,.1.4},kafs.so.0{,.4.0},db-4.3.so} \ 129 140 /usr/lib && 130 ln - sf ../../lib/lib{krb5.so.17{,.3.0},asn1.so.6{,.0.2}} \141 ln -v -sf ../../lib/lib{krb5.so.17{,.3.0},asn1.so.6{,.0.2}} \ 131 142 /usr/lib && 132 ln - sf ../../lib/lib{roken.so.16{,.0.3},crypto.so.0{,.9.7}} \143 ln -v -sf ../../lib/lib{roken.so.16{,.0.3},crypto.so.0{,.9.7}} \ 133 144 /usr/lib && 134 ldconfig</command></userinput></screen> 135 136 </sect2> 137 138 <sect2> 139 <title>Command explanations</title> 140 141 <para><parameter>--libexecdir=/usr/sbin</parameter>: This switch puts the 142 daemon programs into <filename class="directory">/usr/sbin</filename>. 143 </para> 144 145 <note><para> 146 If you want to preserve all your existing <application>Inetutils</application> 147 package daemons, install the <application>Heimdal</application> daemons into 148 <filename class="directory">/usr/sbin/heimdal</filename> (or wherever you 149 want). Since these programs will be called from <command>(x)inetd</command> or 150 <filename>rc</filename> scripts, it really doesn't matter where they are 151 installed, as long as they are correctly specified in the 152 <filename>/etc/(x)inetd.conf</filename> file and <filename>rc</filename> 153 scripts. 
If you choose something other than 154 <filename class="directory">/usr/sbin</filename>, you may want to move some of 155 the user programs (such as <command>kadmin</command>) to 156 <filename class="directory">/usr/sbin</filename> manually so they'll be in the 157 privileged user's default path.</para></note> 158 159 <para><command>mv ... .shadow; mv ... /bin; ln -sf ../../bin...</command>: The 160 <command>login</command> and <command>su</command> programs installed by 161 <application>Heimdal</application> belong in the 162 <filename class="directory">/bin</filename> directory. The 163 <command>login</command> program is symlinked because 164 <application>Heimdal</application> is expecting to find it in 165 <filename class="directory">/usr/bin</filename>. The old executables are 166 preserved before the move to keep things sane should breaks occur.</para> 167 168 <para><command>mv ... /lib; ln -sf ../../lib/lib... /usr/lib</command>: The 169 <command>login</command> and <command>su</command> programs installed by 170 <application>Heimdal</application> link against 171 <application>Heimdal</application> libraries as well as libraries provided by 172 the <application>Open<acronym>SSL</acronym></application> and 173 <application>Berkeley <acronym>DB</acronym></application> packages. 
These 174 libraries are moved to <filename class="directory">/lib</filename> to be 175 <acronym>FHS</acronym> compliant and also in case 176 <filename class="directory">/usr</filename> is located on a separate partition 177 which may not always be mounted.</para> 178 179 </sect2> 180 181 <sect2> 182 <title>Configuring <application>Heimdal</application></title> 183 184 <sect3 id="heimdal-config"><title>Config files</title> 185 <para><filename>/etc/heimdal/*</filename></para> 186 <indexterm zone="heimdal heimdal-config"> 187 <primary sortas="e-etc-heimdal">/etc/heimdal/*</primary> 188 </indexterm> 189 </sect3> 190 191 <sect3><title>Configuration Information</title> 192 193 <sect4><title>Master <acronym>KDC</acronym> Server Configuration</title> 194 195 <para>Create the Kerberos configuration file with the following 196 commands:</para> 197 198 <screen><userinput role='root'><command>install -d /etc/heimdal && 199 cat > /etc/heimdal/krb5.conf << "EOF"</command> 200 # Begin /etc/heimdal/krb5.conf 145 ldconfig</userinput></screen> 146 147 </sect2> 148 149 <sect2 role="commands"> 150 <title>Command Explanations</title> 151 152 <para><parameter>--libexecdir=/usr/sbin</parameter>: This switch 153 puts the daemon programs into 154 <filename class="directory">/usr/sbin</filename>.</para> 155 156 <note> 157 <para>If you want to preserve all your existing 158 <application>Inetutils</application> package daemons, install the 159 <application>Heimdal</application> daemons into 160 <filename class="directory">/usr/sbin/heimdal</filename> (or wherever 161 you want). Since these programs will be called from 162 <command>(x)inetd</command> or <filename>rc</filename> scripts, it 163 really doesn't matter where they are installed, as long as they are 164 correctly specified in the <filename>/etc/(x)inetd.conf</filename> file 165 and <filename>rc</filename> scripts. 
If you choose something other than 166 <filename class="directory">/usr/sbin</filename>, you may want to move 167 some of the user programs (such as <command>kadmin</command>) to 168 <filename class="directory">/usr/sbin</filename> manually so they'll be 169 in the privileged user's default path.</para> 170 </note> 171 172 <para><command>mv ... .shadow; mv ... /bin; ln -v -sf ../../bin...</command>: 173 The <command>login</command> and <command>su</command> programs installed by 174 <application>Heimdal</application> belong in the 175 <filename class="directory">/bin</filename> directory. The 176 <command>login</command> program is symlinked because 177 <application>Heimdal</application> is expecting to find it in 178 <filename class="directory">/usr/bin</filename>. The old executables are 179 preserved before the move to keep things sane should breaks occur.</para> 180 181 <para><command>mv ... /lib; ln -sf ../../lib/lib... /usr/lib</command>: 182 The <command>login</command> and <command>su</command> programs installed 183 by <application>Heimdal</application> link against 184 <application>Heimdal</application> libraries as well as libraries provided 185 by the <application>OpenSSL</application> and 186 <application>Berkeley DB</application> packages. 
These 187 libraries are moved to <filename class="directory">/lib</filename> to be 188 FHS compliant and also in case 189 <filename class="directory">/usr</filename> is located on a separate partition 190 which may not always be mounted.</para> 191 192 </sect2> 193 194 <sect2 role="configuration"> 195 <title>Configuring Heimdal</title> 196 197 <sect3 id="heimdal-config"> 198 <title>Config Files</title> 199 200 <para><filename>/etc/heimdal/*</filename></para> 201 202 <indexterm zone="heimdal heimdal-config"> 203 <primary sortas="e-etc-heimdal">/etc/heimdal/*</primary> 204 </indexterm> 205 206 </sect3> 207 208 <sect3> 209 <title>Configuration Information</title> 210 211 <sect4> 212 <title>Master KDC Server Configuration</title> 213 214 <para>Create the Kerberos configuration file with the 215 following commands:</para> 216 217 <screen role="root"><userinput>install -v -d /etc/heimdal && 218 cat > /etc/heimdal/krb5.conf << "EOF" 219 <literal># Begin /etc/heimdal/krb5.conf 201 220 202 221 [libdefaults] … … 219 238 default = FILE:/var/log/krb.log 220 239 221 # End /etc/heimdal/krb5.conf 222 <command>EOF</command></userinput></screen> 223 224 <para>You will need to substitute your domain and proper hostname for the 225 occurrences of the <replaceable>[hostname]</replaceable> and 226 <replaceable>[EXAMPLE.COM]</replaceable> names.</para> 227 228 <para><userinput>default_realm</userinput> should be the name of your domain 229 changed to ALL CAPS. This isn't required, but both 230 <application>Heimdal</application> and <application><acronym>MIT</acronym> 231 krb5</application> recommend it.</para> 232 233 <para><userinput>encrypt = true</userinput> provides encryption of all traffic 234 between kerberized clients and servers. It's not necessary and can be left 235 off. 
If you leave it off, you can encrypt all traffic from the client to the 236 server using a switch on the client program instead.</para> 237 238 <para>The <userinput>[realms]</userinput> parameters tell the client programs 239 where to look for the <acronym>KDC</acronym> authentication services.</para> 240 241 <para>The <userinput>[domain_realm]</userinput> section maps a domain to a 242 realm.</para> 243 244 <para>Store the master password in a key file using the following 245 commands:</para> 246 247 <screen><userinput role='root'><command>install -d -m 755 /var/lib/heimdal && 248 kstash</command></userinput></screen> 249 250 <para>Create the <acronym>KDC</acronym> database:</para> 251 252 <screen><userinput role='root'><command>kadmin -l</command></userinput></screen> 253 254 <para>Choose the defaults for now. You can go in later and change the 255 defaults, should you feel the need. At the 256 <userinput>kadmin></userinput> prompt, issue the following statement:</para> 257 258 <screen><userinput role='root'><command>init <replaceable>[EXAMPLE.COM]</replaceable></command></userinput></screen> 259 260 <para>The database must now be populated with at least one principle (user). 261 For now, just use your regular login name or root. 
You may create as few, or 262 as many principles as you wish using the following statement:</para> 263 264 <screen><userinput role='root'><command>add <replaceable>[loginname]</replaceable></command></userinput></screen> 265 266 <para>The <acronym>KDC</acronym> server and any machine running kerberized 267 server daemons must have a host key installed:</para> 268 269 <screen><userinput role='root'><command>add --random-key host/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen> 270 271 <para>After choosing the defaults when prompted, you will have to export the 272 data to a keytab file:</para> 273 274 <screen><userinput role='root'><command>ext host/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen> 275 276 <para>This should have created two files in 277 <filename class="directory">/etc/heimdal</filename>: 278 <filename>krb5.keytab</filename> (Kerberos 5) and 279 <filename>srvtab</filename> (Kerberos 4). Both files should have 600 280 (root rw only) permissions. Keeping the keytab files from public access 281 is crucial to the overall security of the Kerberos installation.</para> 282 283 <para>Eventually, you'll want to add server daemon principles to the database 284 and extract them to the keytab file. You do this in the same way you created 285 the host principles. Below is an example:</para> 286 287 <screen><userinput role='root'><command>add --random-key ftp/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen> 288 289 <para>(choose the defaults)</para> 290 291 <screen><userinput role='root'><command>ext ftp/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen> 292 293 <para>Exit the <command>kadmin</command> program (use <command>quit</command> 294 or <command>exit</command>) and return back to the shell prompt. 
Start 295 the <acronym>KDC</acronym> daemon manually, just to test out the 296 installation:</para> 297 298 <screen><userinput role='root'><command>/usr/sbin/kdc &</command></userinput></screen> 299 300 <para>Attempt to get a <acronym>TGT</acronym> (ticket granting ticket) with 301 the following command:</para> 302 303 <screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen> 304 305 <para>You will be prompted for the password you created. After you get your 306 ticket, you should list it with the following command:</para> 307 308 <screen><userinput><command>klist</command></userinput></screen> 309 310 <para>Information about the ticket should be displayed on the screen.</para> 311 312 <para>To test the functionality of the keytab file, issue the following 313 command:</para> 314 315 <screen><userinput><command>ktutil list</command></userinput></screen> 316 317 <para>This should dump a list of the host principals, along with the encryption 318 methods used to access the principals.</para> 319 320 <para>At this point, if everything has been successful so far, you can feel 321 fairly confident in the installation and configuration of the package.</para> 322 323 <para id="heimdal-init">Install the 324 <filename>/etc/rc.d/init.d/heimdal</filename> init script included in the 325 <xref linkend="intro-important-bootscripts"/> package:</para> 326 <indexterm zone="heimdal heimdal-init"> 327 <primary sortas="f-heimdal">heimdal</primary> 328 </indexterm> 329 330 <screen><userinput role='root'><command>make install-heimdal</command></userinput></screen> 331 </sect4> 332 333 <sect4><title>Using Kerberized Client Programs</title> 334 335 <para>To use the kerberized client programs (<command>telnet</command>, 336 <command>ftp</command>, <command>rsh</command>, 337 <command>rxterm</command>, <command>rxtelnet</command>, 338 <command>rcp</command>, <command>xnlock</command>), you first must get 339 a <acronym>TGT</acronym>. 
Use the <command>kinit</command> program to 340 get the ticket. After you've acquired the ticket, you can use the 341 kerberized programs to connect to any kerberized server on the network. 342 You will not be prompted for authentication until your ticket expires 343 (default is one day), unless you specify a different user as a command 344 line argument to the program.</para> 345 346 <para>The kerberized programs will connect to non-kerberized daemons, warning 347 you that authentication is not encrypted. As mentioned earlier, only the 348 <command>ftp</command> program gives any trouble connecting to 349 non-kerberized daemons.</para> 350 351 <para>In order to use the <application>Heimdal</application> 352 <application>X</application> programs, you'll need to add a service port 353 entry to the <filename>/etc/services</filename> file for the 354 <command>kxd</command> server. There is no 'standardized port number' for 355 the 'kx' service in the <acronym>IANA</acronym> database, so you'll have to 356 pick an unused port number. 
Add an entry to the <filename>services</filename> 357 file similar to the entry below (substitute your chosen port number for 358 <replaceable>[49150]</replaceable>):</para> 359 360 <screen><userinput role='root'>kx <replaceable>[49150]</replaceable>/tcp # Heimdal kerberos X 361 kx <replaceable>[49150]</replaceable>/udp # Heimdal kerberos X</userinput></screen> 362 363 <para>For additional information consult <ulink 364 url="http://www.linuxfromscratch.org/hints/downloads/files/heimdal.txt">the 365 Heimdal hint</ulink> on which the above instructions are based.</para> 366 </sect4> 367 </sect3> 368 369 </sect2> 370 371 <sect2> 372 <title>Contents</title> 373 374 <segmentedlist> 375 <segtitle>Installed Programs</segtitle> 376 <segtitle>Installed Libraries</segtitle> 377 <segtitle>Installed Directories</segtitle> 378 379 <seglistitem> 380 <seg>afslog, dump_log, ftp, ftpd, hprop, hpropd, ipropd-master, ipropd-slave, 381 kadmin, kadmind, kauth, kdc, kdestroy, kf, kfd, kgetcred, kinit, klist, 382 kpasswd, kpasswdd, krb5-config, kstash, ktutil, kx, kxd, login, mk_cmds, otp, 383 otpprint, pagsh, pfrom, popper, push, rcp, replay_log, rsh, rshd, rxtelnet, 384 rxterm, string2key, su, telnet, telnetd, tenletxr, truncate-log, 385 verify_krb5_conf and xnlock</seg> 386 <seg>libasn1.[so,a], libeditline.a, libgssapi.[so,a], libhdb.[so,a], 387 libkadm5clnt.[so,a], libkadm5srv.[so,a], libkafs.[so,a], libkrb5.[so,a], 388 libotp.[so,a], libroken.[so,a], libsl.[so,a] and libss.[so,a]</seg> 389 <seg>/etc/heimdal, /usr/include/kadm5, /usr/include/ss and 390 /var/lib/heimdal</seg> 391 </seglistitem> 392 </segmentedlist> 393 394 <variablelist> 395 <bridgehead renderas="sect3">Short Descriptions</bridgehead> 396 <?dbfo list-presentation="list"?> 397 398 <varlistentry id="afslog"> 399 <term><command>afslog</command></term> 400 <listitem><para>obtains <acronym>AFS</acronym> tokens for a number of 401 cells.</para> 402 <indexterm zone="heimdal afslog"> 403 <primary 
sortas="b-afslog">afslog</primary> 404 </indexterm></listitem> 405 </varlistentry> 406 407 <varlistentry id="ftp"> 408 <term><command>ftp</command></term> 409 <listitem><para>is a kerberized <acronym>FTP</acronym> client.</para> 410 <indexterm zone="heimdal ftp"> 411 <primary sortas="b-ftp">ftp</primary> 412 </indexterm></listitem> 413 </varlistentry> 414 415 <varlistentry id="ftpd"> 416 <term><command>ftpd</command></term> 417 <listitem><para>is a kerberized <acronym>FTP</acronym> daemon.</para> 418 <indexterm zone="heimdal ftpd"> 419 <primary sortas="b-ftpd">ftpd</primary> 420 </indexterm></listitem> 421 </varlistentry> 422 423 <varlistentry id="hprop"> 424 <term><command>hprop</command></term> 425 <listitem><para> takes a principal database in a specified format and converts 426 it into a stream of <application>Heimdal</application> database records.</para> 427 <indexterm zone="heimdal hprop"> 428 <primary sortas="b-hprop">hprop</primary> 429 </indexterm></listitem> 430 </varlistentry> 431 432 <varlistentry id="hpropd"> 433 <term><command>hpropd</command></term> 434 <listitem><para>is a server that receives a database sent by 435 <command>hprop</command> and writes it as a local database.</para> 436 <indexterm zone="heimdal hpropd"> 437 <primary sortas="b-hpropd">hpropd</primary> 438 </indexterm></listitem> 439 </varlistentry> 440 441 <varlistentry id="ipropd-master"> 442 <term><command>ipropd-master</command></term> 443 <listitem><para>is a daemon which runs on the master <acronym>KDC</acronym> 444 server which incrementally propogates changes to the <acronym>KDC</acronym> 445 database to the slave <acronym>KDC</acronym> servers.</para> 446 <indexterm zone="heimdal ipropd-master"> 447 <primary sortas="b-ipropd-master">ipropd-master</primary> 448 </indexterm></listitem> 449 </varlistentry> 450 451 <varlistentry id="ipropd-slave"> 452 <term><command>ipropd-slave</command></term> 453 <listitem><para>is a daemon which runs on the slave <acronym>KDC</acronym> 454 
servers which incrementally propogates changes to the <acronym>KDC</acronym> 455 database from the master <acronym>KDC</acronym> server.</para> 456 <indexterm zone="heimdal ipropd-slave"> 457 <primary sortas="b-ipropd-slave">ipropd-slave</primary> 458 </indexterm></listitem> 459 </varlistentry> 460 461 <varlistentry id="kadmin"> 462 <term><command>kadmin</command></term> 463 <listitem><para>is a utility used to make modifications to the Kerberos 464 database.</para> 465 <indexterm zone="heimdal kadmin"> 466 <primary sortas="b-kadmin">kadmin</primary> 467 </indexterm></listitem> 468 </varlistentry> 469 470 <varlistentry id="kadmind"> 471 <term><command>kadmind</command></term> 472 <listitem><para>is a server for administrative access to the Kerberos 473 database.</para> 474 <indexterm zone="heimdal kadmind"> 475 <primary sortas="b-kadmind">kadmind</primary> 476 </indexterm></listitem> 477 </varlistentry> 478 479 <varlistentry id="kauth"> 480 <term><command>kauth</command></term> 481 <listitem><para>is a symbolic link to the <command>kinit</command> 482 program.</para> 483 <indexterm zone="heimdal kauth"> 484 <primary sortas="g-kauth">kauth</primary> 485 </indexterm></listitem> 486 </varlistentry> 487 488 <varlistentry id="kdc"> 489 <term><command>kdc</command></term> 490 <listitem><para>is a Kerberos 5 server.</para> 491 <indexterm zone="heimdal kdc"> 492 <primary sortas="b-kdc">kdc</primary> 493 </indexterm></listitem> 494 </varlistentry> 495 496 <varlistentry id="kdestroy"> 497 <term><command>kdestroy</command></term> 498 <listitem><para>removes a principle's current set of tickets.</para> 499 <indexterm zone="heimdal kdestroy"> 500 <primary sortas="b-kdestroy">kdestroy</primary> 501 </indexterm></listitem> 502 </varlistentry> 503 504 <varlistentry id="kf"> 505 <term><command>kf</command></term> 506 <listitem><para>is a program which forwards tickets to a remote host through 507 an authenticated and encrypted stream.</para> 508 <indexterm zone="heimdal kf"> 509 
<primary sortas="b-kf">kf</primary> 510 </indexterm></listitem> 511 </varlistentry> 512 513 <varlistentry id="kfd"> 514 <term><command>kfd</command></term> 515 <listitem><para>is a server used to receive forwarded tickets.</para> 516 <indexterm zone="heimdal kfd"> 517 <primary sortas="b-kfd">kfd</primary> 518 </indexterm></listitem> 519 </varlistentry> 520 521 <varlistentry id="kgetcred"> 522 <term><command>kgetcred</command></term> 523 <listitem><para>obtains a ticket for a service.</para> 524 <indexterm zone="heimdal kgetcred"> 525 <primary sortas="b-kgetcred">kgetcred</primary> 526 </indexterm></listitem> 527 </varlistentry> 528 529 <varlistentry id="kinit"> 530 <term><command>kinit</command></term> 531 <listitem><para>is used to authenticate to the Kerberos server as a principal 532 and acquire a ticket granting ticket that can later be used to obtain tickets 533 for other services.</para> 534 <indexterm zone="heimdal kinit"> 535 <primary sortas="b-kinit">kinit</primary> 536 </indexterm></listitem> 537 </varlistentry> 538 539 <varlistentry id="klist"> 540 <term><command>klist</command></term> 541 <listitem><para>reads and displays the current tickets in the credential 542 cache.</para> 543 <indexterm zone="heimdal klist"> 544 <primary sortas="b-klist">klist</primary> 545 </indexterm></listitem> 546 </varlistentry> 547 548 <varlistentry id="kpasswd"> 549 <term><command>kpasswd</command></term> 550 <listitem><para>is a program for changing Kerberos 5 passwords.</para> 551 <indexterm zone="heimdal kpasswd"> 552 <primary sortas="b-kpasswd">kpasswd</primary> 553 </indexterm></listitem> 554 </varlistentry> 555 556 <varlistentry id="kpasswdd"> 557 <term><command>kpasswdd</command></term> 558 <listitem><para>is a Kerberos 5 password changing server.</para> 559 <indexterm zone="heimdal kpasswdd"> 560 <primary sortas="b-kpasswdd">kpasswdd</primary> 561 </indexterm></listitem> 562 </varlistentry> 563 564 <varlistentry id="krb5-config-prog"> 565 
<term><command>krb5-config</command></term> 566 <listitem><para>gives information on how to link programs against 567 <application>Heimdal</application> libraries.</para> 568 <indexterm zone="heimdal krb5-config-prog"> 569 <primary sortas="b-krb5-config">krb5-config</primary> 570 </indexterm></listitem> 571 </varlistentry> 572 573 <varlistentry id="kstash"> 574 <term><command>kstash</command></term> 575 <listitem><para>stores the <acronym>KDC</acronym> master password in a 576 file.</para> 577 <indexterm zone="heimdal kstash"> 578 <primary sortas="b-kstash">kstash</primary> 579 </indexterm></listitem> 580 </varlistentry> 581 582 <varlistentry id="ktutil"> 583 <term><command>ktutil</command></term> 584 <listitem><para>is a program for managing Kerberos keytabs.</para> 585 <indexterm zone="heimdal ktutil"> 586 <primary sortas="b-ktutil">ktutil</primary> 587 </indexterm></listitem> 588 </varlistentry> 589 590 <varlistentry id="kx"> 591 <term><command>kx</command></term> 592 <listitem><para>is a program which securely forwards 593 <application>X</application> connections.</para> 594 <indexterm zone="heimdal kx"> 595 <primary sortas="b-kx">kx</primary> 596 </indexterm></listitem> 597 </varlistentry> 598 599 <varlistentry id="kxd"> 600 <term><command>kxd</command></term> 601 <listitem><para>is the daemon for <command>kx</command>.</para> 602 <indexterm zone="heimdal kxd"> 603 <primary sortas="b-kxd">kxd</primary> 604 </indexterm></listitem> 605 </varlistentry> 606 607 <varlistentry id="login"> 608 <term><command>login</command></term> 609 <listitem><para>is a kerberized login program.</para> 610 <indexterm zone="heimdal login"> 611 <primary sortas="b-login">login</primary> 612 </indexterm></listitem> 613 </varlistentry> 614 615 <varlistentry id="otp"> 616 <term><command>otp</command></term> 617 <listitem><para>manages one-time passwords.</para> 618 <indexterm zone="heimdal otp"> 619 <primary sortas="b-otp">otp</primary> 620 </indexterm></listitem> 621 </varlistentry> 622 
623 <varlistentry id="otpprint"> 624 <term><command>otpprint</command></term> 625 <listitem><para>prints lists of one-time passwords.</para> 626 <indexterm zone="heimdal otpprint"> 627 <primary sortas="b-otpprint">otpprint</primary> 628 </indexterm></listitem> 629 </varlistentry> 630 631 <varlistentry id="pfrom"> 632 <term><command>pfrom</command></term> 633 <listitem><para>is a script that runs <command>push --from</command>.</para> 634 <indexterm zone="heimdal pfrom"> 635 <primary sortas="b-pfrom">pfrom</primary> 636 </indexterm></listitem> 637 </varlistentry> 638 639 <varlistentry id="popper"> 640 <term><command>popper</command></term> 641 <listitem><para>is a kerberized <acronym>POP</acronym>-3 server.</para> 642 <indexterm zone="heimdal popper"> 643 <primary sortas="b-popper">popper</primary> 644 </indexterm></listitem> 645 </varlistentry> 646 647 <varlistentry id="push"> 648 <term><command>push</command></term> 649 <listitem><para>is a kerberized <acronym>POP</acronym> mail retreival 650 client.</para> 651 <indexterm zone="heimdal push"> 652 <primary sortas="b-push">push</primary> 653 </indexterm></listitem> 654 </varlistentry> 655 656 <varlistentry id="rcp"> 657 <term><command>rcp</command></term> 658 <listitem><para>is a kerberized rcp client program.</para> 659 <indexterm zone="heimdal rcp"> 660 <primary sortas="b-rcp">rcp</primary> 661 </indexterm></listitem> 662 </varlistentry> 663 664 <varlistentry id="rsh"> 665 <term><command>rsh</command></term> 666 <listitem><para>is a kerberized rsh client program.</para> 667 <indexterm zone="heimdal rsh"> 668 <primary sortas="b-rsh">rsh</primary> 669 </indexterm></listitem> 670 </varlistentry> 671 672 <varlistentry id="rshd"> 673 <term><command>rshd</command></term> 674 <listitem><para>is a kerberized rsh server.</para> 675 <indexterm zone="heimdal rshd"> 676 <primary sortas="b-rshd">rshd</primary> 677 </indexterm></listitem> 678 </varlistentry> 679 680 <varlistentry id="rxtelnet"> 681 
<term><command>rxtelnet</command></term> 682 <listitem><para>starts a secure <command>xterm</command> window with a 683 <command>telnet</command> to a given host and forwards 684 <application>X</application> connections.</para> 685 <indexterm zone="heimdal rxtelnet"> 686 <primary sortas="b-rxtelnet">rxtelnet</primary> 687 </indexterm></listitem> 688 </varlistentry> 689 690 <varlistentry id="rxterm"> 691 <term><command>rxterm</command></term> 692 <listitem><para>starts a secure remote <command>xterm</command>.</para> 693 <indexterm zone="heimdal rxterm"> 694 <primary sortas="b-rxterm">rxterm</primary> 695 </indexterm></listitem> 696 </varlistentry> 697 698 <varlistentry id="string2key"> 699 <term><command>string2key</command></term> 700 <listitem><para>maps a password into a key.</para> 701 <indexterm zone="heimdal string2key"> 702 <primary sortas="b-string2key">string2key</primary> 703 </indexterm></listitem> 704 </varlistentry> 705 706 <varlistentry id="su"> 707 <term><command>su</command></term> 708 <listitem><para>is a kerberized su client program.</para> 709 <indexterm zone="heimdal su"> 710 <primary sortas="b-su">su</primary> 711 </indexterm></listitem> 712 </varlistentry> 713 714 <varlistentry id="telnet"> 715 <term><command>telnet</command></term> 716 <listitem><para>is a kerberized telnet client program.</para> 717 <indexterm zone="heimdal telnet"> 718 <primary sortas="b-telnet">telnet</primary> 719 </indexterm></listitem> 720 </varlistentry> 721 722 <varlistentry id="telnetd"> 723 <term><command>telnetd</command></term> 724 <listitem><para>is a kerberized telnet server.</para> 725 <indexterm zone="heimdal telnetd"> 726 <primary sortas="b-telnetd">telnetd</primary> 727 </indexterm></listitem> 728 </varlistentry> 729 730 <varlistentry id="tenletxr"> 731 <term><command>tenletxr</command></term> 732 <listitem><para>forwards <application>X</application> connections 733 backwards.</para> 734 <indexterm zone="heimdal tenletxr"> 735 <primary 
sortas="b-tenletxr">tenletxr</primary> 736 </indexterm></listitem> 737 </varlistentry> 738 739 <varlistentry id="verify_krb5_conf"> 740 <term><command>verify_krb5_conf</command></term> 741 <listitem><para>checks <filename>krb5.conf</filename> file for obvious 742 errors.</para> 743 <indexterm zone="heimdal verify_krb5_conf"> 744 <primary sortas="b-verify_krb5_conf">verify_krb5_conf</primary> 745 </indexterm></listitem> 746 </varlistentry> 747 748 <varlistentry id="xnlock"> 749 <term><command>xnlock</command></term> 750 <listitem><para>is a program that acts as a secure screen saver for 751 workstations running <application>X</application>.</para> 752 <indexterm zone="heimdal xnlock"> 753 <primary sortas="b-xnlock">xnlock</primary> 754 </indexterm></listitem> 755 </varlistentry> 756 757 <varlistentry id="libasn1"> 758 <term><filename class='libraryfile'>libasn1.[so,a]</filename></term> 759 <listitem><para>provides the ASN.1 and DER functions to encode and decode 760 the Kerberos TGTs.</para> 761 <indexterm zone="heimdal libasn1"> 762 <primary sortas="c-libasn1">libasn1.[so,a]</primary> 763 </indexterm></listitem> 764 </varlistentry> 765 766 <varlistentry id="libeditline"> 767 <term><filename class='libraryfile'>libeditline.a</filename></term> 768 <listitem><para>is a command-line editing library with history.</para> 769 <indexterm zone="heimdal libeditline"> 770 <primary sortas="c-libeditline">libeditline.a</primary> 771 </indexterm></listitem> 772 </varlistentry> 773 774 <varlistentry id="libgssapi"> 775 <term><filename class='libraryfile'>libgssapi.[so,a]</filename></term> 776 <listitem><para>contain the Generic Security Service Application Programming 777 Interface (<acronym>GSSAPI</acronym>) functions which provides security 778 services to callers in a generic fashion, supportable with a range of 779 underlying mechanisms and technologies and hence allowing source-level 780 portability of applications to different environments.</para> 781 <indexterm 
zone="heimdal libgssapi"> 782 <primary sortas="c-libgssapi">libgssapi.[so,a]</primary> 783 </indexterm></listitem> 784 </varlistentry> 785 786 <varlistentry id="libhdb"> 787 <term><filename class='libraryfile'>libhdb.[so,a]</filename></term> 788 <listitem><para>is a <application>Heimdal</application> Kerberos 5 789 authentication/authorization database access library.</para> 790 <indexterm zone="heimdal libhdb"> 791 <primary sortas="c-libhdb">libhdb.[so,a]</primary> 792 </indexterm></listitem> 793 </varlistentry> 794 795 <varlistentry id="libkadm5clnt"> 796 <term><filename class='libraryfile'>libkadm5clnt.[so,a]</filename></term> 797 <listitem><para>contains the administrative authentication and password 798 checking functions required by Kerberos 5 client-side programs.</para> 799 <indexterm zone="heimdal libkadm5clnt"> 800 <primary sortas="c-libkadm5clnt">libkadm5clnt.[so,a]</primary> 801 </indexterm></listitem> 802 </varlistentry> 803 804 <varlistentry id="libkadm5srv"> 805 <term><filename class='libraryfile'>libkadm5srv.[so,a]</filename></term> 806 <listitem><para>contain the administrative authentication and password 807 checking functions required by Kerberos 5 servers.</para> 808 <indexterm zone="heimdal libkadm5srv"> 809 <primary sortas="c-libkadm5srv">libkadm5srv.[so,a]</primary> 810 </indexterm></listitem> 811 </varlistentry> 812 813 <varlistentry id="libkafs"> 814 <term><filename class='libraryfile'>libkafs.[so,a]</filename></term> 815 <listitem><para>contains the functions required to authenticated to AFS.</para> 816 <indexterm zone="heimdal libkafs"> 817 <primary sortas="c-libkafs">libkafs.[so,a]</primary> 818 </indexterm></listitem> 819 </varlistentry> 820 821 <varlistentry id="libkrb5"> 822 <term><filename class='libraryfile'>libkrb5.[so,a]</filename></term> 823 <listitem><para>is an all-purpose Kerberos 5 library.</para> 824 <indexterm zone="heimdal libkrb5"> 825 <primary sortas="c-libkrb5">libkrb5.[so,a]</primary> 826 </indexterm></listitem> 827 
</varlistentry> 828 829 <varlistentry id="libotp"> 830 <term><filename class='libraryfile'>libotp.[so,a]</filename></term> 831 <listitem><para>contains the functions required to handle authenticating 832 one time passwords.</para> 833 <indexterm zone="heimdal libotp"> 834 <primary sortas="c-libotp">libotp.[so,a]</primary> 835 </indexterm></listitem> 836 </varlistentry> 837 838 <varlistentry id="libroken"> 839 <term><filename class='libraryfile'>libroken.[so,a]</filename></term> 840 <listitem><para>is a library containing Kerberos 5 compatibility 841 functions.</para> 842 <indexterm zone="heimdal libroken"> 843 <primary sortas="c-libroken">libroken.[so,a]</primary> 844 </indexterm></listitem> 845 </varlistentry> 846 847 </variablelist> 848 849 </sect2> 240 # End /etc/heimdal/krb5.conf</literal> 241 EOF</userinput></screen> 242 243 <para>You will need to substitute your domain and proper hostname 244 for the occurrences of the <replaceable>[hostname]</replaceable> 245 and <replaceable>[EXAMPLE.COM]</replaceable> names.</para> 246 247 <para><option>default_realm</option> should be the name of your 248 domain changed to ALL CAPS. This isn't required, but both 249 <application>Heimdal</application> and <application>MIT 250 krb5</application> recommend it.</para> 251 252 <para><option>encrypt = true</option> provides encryption of all 253 traffic between kerberized clients and servers. It's not necessary 254 and can be left off. 
If you leave it off, you can encrypt all traffic 255 from the client to the server using a switch on the client program 256 instead.</para> 257 258 <para>The <option>[realms]</option> parameters tell the client 259 programs where to look for the KDC authentication services.</para> 260 261 <para>The <option>[domain_realm]</option> section maps a domain 262 to a realm.</para> 263 264 <para>Store the master password in a key file using the following 265 commands:</para> 266 267 <screen role="root"><userinput>install -d -m 755 /var/lib/heimdal && 268 kstash</userinput></screen> 269 270 <para>Create the KDC database:</para> 271 272 <screen role="root"><userinput>kadmin -l</userinput></screen> 273 274 <para>Choose the defaults for now. You can go in later and change the 275 defaults, should you feel the need. At the <prompt>kadmin></prompt> 276 prompt, issue the following statement:</para> 277 278 <screen role="root"><userinput>init <replaceable>[EXAMPLE.COM]</replaceable></userinput></screen> 279 280 <para>The database must now be populated with at least one principle 281 (user). For now, just use your regular login name or root. 
You may 282 create as few, or as many principles as you wish using the following 283 statement:</para> 284 285 <screen role="root"><userinput>add <replaceable>[loginname]</replaceable></userinput></screen> 286 287 <para>The KDC server and any machine running kerberized 288 server daemons must have a host key installed:</para> 289 290 <screen role="root"><userinput>add --random-key host/<replaceable>[hostname.example.com]</replaceable></userinput></screen> 291 292 <para>After choosing the defaults when prompted, you will have to 293 export the data to a keytab file:</para> 294 295 <screen role="root"><userinput>ext host/<replaceable>[hostname.example.com]</replaceable></userinput></screen> 296 297 <para>This should have created two files in 298 <filename class="directory">/etc/heimdal</filename>: 299 <filename>krb5.keytab</filename> (Kerberos 5) and 300 <filename>srvtab</filename> (Kerberos 4). Both files should have 600 301 (root rw only) permissions. Keeping the keytab files from public access 302 is crucial to the overall security of the Kerberos installation.</para> 303 304 <para>Eventually, you'll want to add server daemon principles to the 305 database and extract them to the keytab file. You do this in the same 306 way you created the host principles. Below is an example:</para> 307 308 <screen role="root"><userinput>add --random-key ftp/<replaceable>[hostname.example.com]</replaceable></userinput></screen> 309 310 <para>(choose the defaults)</para> 311 312 <screen role="root"><userinput>ext ftp/<replaceable>[hostname.example.com]</replaceable></userinput></screen> 313 314 <para>Exit the <command>kadmin</command> program (use 315 <command>quit</command> or <command>exit</command>) and return back 316 to the shell prompt. 
Start the KDC daemon manually, just to test out 317 the installation:</para> 318 319 <screen role="root"><userinput>/usr/sbin/kdc &</userinput></screen> 320 321 <para>Attempt to get a TGT (ticket granting ticket) with 322 the following command:</para> 323 324 <screen><userinput>kinit <replaceable>[loginname]</replaceable></userinput></screen> 325 326 <para>You will be prompted for the password you created. After you get 327 your ticket, you should list it with the following command:</para> 328 329 <screen><userinput>klist</userinput></screen> 330 331 <para>Information about the ticket should be displayed on 332 the screen.</para> 333 334 <para>To test the functionality of the <filename>keytab</filename> file, 335 issue the following command:</para> 336 337 <screen><userinput>ktutil list</userinput></screen> 338 339 <para>This should dump a list of the host principals, along with the 340 encryption methods used to access the principals.</para> 341 342 <para>At this point, if everything has been successful so far, you 343 can feel fairly confident in the installation and configuration of 344 the package.</para> 345 346 <para id="heimdal-init">Install the 347 <filename>/etc/rc.d/init.d/heimdal</filename> init script included 348 in the <xref linkend="intro-important-bootscripts"/> package:</para> 349 350 <indexterm zone="heimdal heimdal-init"> 351 <primary sortas="f-heimdal">heimdal</primary> 352 </indexterm> 353 354 <screen role="root"><userinput>make install-heimdal</userinput></screen> 355 356 </sect4> 357 358 <sect4> 359 <title>Using Kerberized Client Programs</title> 360 361 <para>To use the kerberized client programs (<command>telnet</command>, 362 <command>ftp</command>, <command>rsh</command>, 363 <command>rxterm</command>, <command>rxtelnet</command>, 364 <command>rcp</command>, <command>xnlock</command>), you first must get 365 a TGT. Use the <command>kinit</command> program to get the ticket. 
366 After you've acquired the ticket, you can use the kerberized programs 367 to connect to any kerberized server on the network. You will not be 368 prompted for authentication until your ticket expires (default is one 369 day), unless you specify a different user as a command line argument 370 to the program.</para> 371 372 <para>The kerberized programs will connect to non-kerberized daemons, 373 warning you that authentication is not encrypted. As mentioned earlier, 374 only the <command>ftp</command> program gives any trouble connecting to 375 non-kerberized daemons.</para> 376 377 <para>In order to use the <application>Heimdal</application> 378 <application>X</application> programs, you'll need to add a service 379 port entry to the <filename>/etc/services</filename> file for the 380 <command>kxd</command> server. There is no 'standardized port number' 381 for the 'kx' service in the IANA database, so you'll have to pick an 382 unused port number. Add an entry to the <filename>services</filename> 383 file similar to the entry below (substitute your chosen port number 384 for <replaceable>[49150]</replaceable>):</para> 385 386 <screen><literal>kx <replaceable>[49150]</replaceable>/tcp # Heimdal kerberos X 387 kx <replaceable>[49150]</replaceable>/udp # Heimdal kerberos X</literal></screen> 388 389 <para>For additional information consult <ulink 390 url="http://www.linuxfromscratch.org/hints/downloads/files/heimdal.txt">the 391 Heimdal hint</ulink> on which the above instructions are based.</para> 392 393 </sect4> 394 395 </sect3> 396 397 </sect2> 398 399 <sect2 role="content"> 400 <title>Contents</title> 401 402 <segmentedlist> 403 <segtitle>Installed Programs</segtitle> 404 <segtitle>Installed Libraries</segtitle> 405 <segtitle>Installed Directories</segtitle> 406 407 <seglistitem> 408 <seg>afslog, dump_log, ftp, ftpd, hprop, hpropd, ipropd-master, 409 ipropd-slave, kadmin, kadmind, kauth, kdc, kdestroy, kf, kfd, kgetcred, 410 kinit, klist, kpasswd, kpasswdd, 
krb5-config, kstash, ktutil, kx, kxd, 411 login, mk_cmds, otp, otpprint, pagsh, pfrom, popper, push, rcp, 412 replay_log, rsh, rshd, rxtelnet, rxterm, string2key, su, telnet, 413 telnetd, tenletxr, truncate-log, verify_krb5_conf, and xnlock</seg> 414 <seg>libasn1.[so,a], libeditline.a, libgssapi.[so,a], libhdb.[so,a], 415 libkadm5clnt.[so,a], libkadm5srv.[so,a], libkafs.[so,a], libkrb5.[so,a], 416 libotp.[so,a], libroken.[so,a], libsl.[so,a], and libss.[so,a]</seg> 417 <seg>/etc/heimdal, /usr/include/kadm5, /usr/include/ss, and 418 /var/lib/heimdal</seg> 419 </seglistitem> 420 </segmentedlist> 421 422 <variablelist> 423 <bridgehead renderas="sect3">Short Descriptions</bridgehead> 424 <?dbfo list-presentation="list"?> 425 <?dbhtml list-presentation="table"?> 426 427 <varlistentry id="afslog"> 428 <term><command>afslog</command></term> 429 <listitem> 430 <para>obtains AFS tokens for a number of cells.</para> 431 <indexterm zone="heimdal afslog"> 432 <primary sortas="b-afslog">afslog</primary> 433 </indexterm> 434 </listitem> 435 </varlistentry> 436 437 <varlistentry id="ftp"> 438 <term><command>ftp</command></term> 439 <listitem> 440 <para>is a kerberized FTP client.</para> 441 <indexterm zone="heimdal ftp"> 442 <primary sortas="b-ftp">ftp</primary> 443 </indexterm> 444 </listitem> 445 </varlistentry> 446 447 <varlistentry id="ftpd"> 448 <term><command>ftpd</command></term> 449 <listitem> 450 <para>is a kerberized FTP daemon.</para> 451 <indexterm zone="heimdal ftpd"> 452 <primary sortas="b-ftpd">ftpd</primary> 453 </indexterm> 454 </listitem> 455 </varlistentry> 456 457 <varlistentry id="hprop"> 458 <term><command>hprop</command></term> 459 <listitem> 460 <para> takes a principal database in a specified format and converts 461 it into a stream of <application>Heimdal</application> database 462 records.</para> 463 <indexterm zone="heimdal hprop"> 464 <primary sortas="b-hprop">hprop</primary> 465 </indexterm> 466 </listitem> 467 </varlistentry> 468 469 <varlistentry 
id="hpropd"> 470 <term><command>hpropd</command></term> 471 <listitem> 472 <para>is a server that receives a database sent by 473 <command>hprop</command> and writes it as a local database.</para> 474 <indexterm zone="heimdal hpropd"> 475 <primary sortas="b-hpropd">hpropd</primary> 476 </indexterm> 477 </listitem> 478 </varlistentry> 479 480 <varlistentry id="ipropd-master"> 481 <term><command>ipropd-master</command></term> 482 <listitem> 483 <para>is a daemon which runs on the master KDC 484 server which incrementally propogates changes to the KDC 485 database to the slave KDC servers.</para> 486 <indexterm zone="heimdal ipropd-master"> 487 <primary sortas="b-ipropd-master">ipropd-master</primary> 488 </indexterm> 489 </listitem> 490 </varlistentry> 491 492 <varlistentry id="ipropd-slave"> 493 <term><command>ipropd-slave</command></term> 494 <listitem> 495 <para>is a daemon which runs on the slave KDC 496 servers which incrementally propogates changes to the KDC 497 database from the master KDC server.</para> 498 <indexterm zone="heimdal ipropd-slave"> 499 <primary sortas="b-ipropd-slave">ipropd-slave</primary> 500 </indexterm> 501 </listitem> 502 </varlistentry> 503 504 <varlistentry id="kadmin"> 505 <term><command>kadmin</command></term> 506 <listitem> 507 <para>is a utility used to make modifications to the Kerberos 508 database.</para> 509 <indexterm zone="heimdal kadmin"> 510 <primary sortas="b-kadmin">kadmin</primary> 511 </indexterm> 512 </listitem> 513 </varlistentry> 514 515 <varlistentry id="kadmind"> 516 <term><command>kadmind</command></term> 517 <listitem> 518 <para>is a server for administrative access to the Kerberos 519 database.</para> 520 <indexterm zone="heimdal kadmind"> 521 <primary sortas="b-kadmind">kadmind</primary> 522 </indexterm> 523 </listitem> 524 </varlistentry> 525 526 <varlistentry id="kauth"> 527 <term><command>kauth</command></term> 528 <listitem> 529 <para>is a symbolic link to the <command>kinit</command> program.</para> 530 
<indexterm zone="heimdal kauth"> 531 <primary sortas="g-kauth">kauth</primary> 532 </indexterm> 533 </listitem> 534 </varlistentry> 535 536 <varlistentry id="kdc"> 537 <term><command>kdc</command></term> 538 <listitem> 539 <para>is a Kerberos 5 server.</para> 540 <indexterm zone="heimdal kdc"> 541 <primary sortas="b-kdc">kdc</primary> 542 </indexterm> 543 </listitem> 544 </varlistentry> 545 546 <varlistentry id="kdestroy"> 547 <term><command>kdestroy</command></term> 548 <listitem> 549 <para>removes a principle's current set of tickets.</para> 550 <indexterm zone="heimdal kdestroy"> 551 <primary sortas="b-kdestroy">kdestroy</primary> 552 </indexterm> 553 </listitem> 554 </varlistentry> 555 556 <varlistentry id="kf"> 557 <term><command>kf</command></term> 558 <listitem> 559 <para>is a program which forwards tickets to a remote host through 560 an authenticated and encrypted stream.</para> 561 <indexterm zone="heimdal kf"> 562 <primary sortas="b-kf">kf</primary> 563 </indexterm> 564 </listitem> 565 </varlistentry> 566 567 <varlistentry id="kfd"> 568 <term><command>kfd</command></term> 569 <listitem> 570 <para>is a server used to receive forwarded tickets.</para> 571 <indexterm zone="heimdal kfd"> 572 <primary sortas="b-kfd">kfd</primary> 573 </indexterm> 574 </listitem> 575 </varlistentry> 576 577 <varlistentry id="kgetcred"> 578 <term><command>kgetcred</command></term> 579 <listitem> 580 <para>obtains a ticket for a service.</para> 581 <indexterm zone="heimdal kgetcred"> 582 <primary sortas="b-kgetcred">kgetcred</primary> 583 </indexterm> 584 </listitem> 585 </varlistentry> 586 587 <varlistentry id="kinit"> 588 <term><command>kinit</command></term> 589 <listitem> 590 <para>is used to authenticate to the Kerberos server as a principal 591 and acquire a ticket granting ticket that can later be used to obtain 592 tickets for other services.</para> 593 <indexterm zone="heimdal kinit"> 594 <primary sortas="b-kinit">kinit</primary> 595 </indexterm> 596 </listitem> 597 
</varlistentry> 598 599 <varlistentry id="klist"> 600 <term><command>klist</command></term> 601 <listitem> 602 <para>reads and displays the current tickets in the credential 603 cache.</para> 604 <indexterm zone="heimdal klist"> 605 <primary sortas="b-klist">klist</primary> 606 </indexterm> 607 </listitem> 608 </varlistentry> 609 610 <varlistentry id="kpasswd"> 611 <term><command>kpasswd</command></term> 612 <listitem> 613 <para>is a program for changing Kerberos 5 passwords.</para> 614 <indexterm zone="heimdal kpasswd"> 615 <primary sortas="b-kpasswd">kpasswd</primary> 616 </indexterm> 617 </listitem> 618 </varlistentry> 619 620 <varlistentry id="kpasswdd"> 621 <term><command>kpasswdd</command></term> 622 <listitem> 623 <para>is a Kerberos 5 password changing server.</para> 624 <indexterm zone="heimdal kpasswdd"> 625 <primary sortas="b-kpasswdd">kpasswdd</primary> 626 </indexterm> 627 </listitem> 628 </varlistentry> 629 630 <varlistentry id="krb5-config-prog"> 631 <term><command>krb5-config</command></term> 632 <listitem> 633 <para>gives information on how to link programs against 634 <application>Heimdal</application> libraries.</para> 635 <indexterm zone="heimdal krb5-config-prog"> 636 <primary sortas="b-krb5-config">krb5-config</primary> 637 </indexterm> 638 </listitem> 639 </varlistentry> 640 641 <varlistentry id="kstash"> 642 <term><command>kstash</command></term> 643 <listitem> 644 <para>stores the KDC master password in a file.</para> 645 <indexterm zone="heimdal kstash"> 646 <primary sortas="b-kstash">kstash</primary> 647 </indexterm> 648 </listitem> 649 </varlistentry> 650 651 <varlistentry id="ktutil"> 652 <term><command>ktutil</command></term> 653 <listitem> 654 <para>is a program for managing Kerberos keytabs.</para> 655 <indexterm zone="heimdal ktutil"> 656 <primary sortas="b-ktutil">ktutil</primary> 657 </indexterm> 658 </listitem> 659 </varlistentry> 660 661 <varlistentry id="kx"> 662 <term><command>kx</command></term> 663 <listitem> 664 <para>is a 
program which securely forwards 665 <application>X</application> connections.</para> 666 <indexterm zone="heimdal kx"> 667 <primary sortas="b-kx">kx</primary> 668 </indexterm> 669 </listitem> 670 </varlistentry> 671 672 <varlistentry id="kxd"> 673 <term><command>kxd</command></term> 674 <listitem> 675 <para>is the daemon for <command>kx</command>.</para> 676 <indexterm zone="heimdal kxd"> 677 <primary sortas="b-kxd">kxd</primary> 678 </indexterm> 679 </listitem> 680 </varlistentry> 681 682 <varlistentry id="login"> 683 <term><command>login</command></term> 684 <listitem> 685 <para>is a kerberized login program.</para> 686 <indexterm zone="heimdal login"> 687 <primary sortas="b-login">login</primary> 688 </indexterm> 689 </listitem> 690 </varlistentry> 691 692 <varlistentry id="otp"> 693 <term><command>otp</command></term> 694 <listitem> 695 <para>manages one-time passwords.</para> 696 <indexterm zone="heimdal otp"> 697 <primary sortas="b-otp">otp</primary> 698 </indexterm> 699 </listitem> 700 </varlistentry> 701 702 <varlistentry id="otpprint"> 703 <term><command>otpprint</command></term> 704 <listitem> 705 <para>prints lists of one-time passwords.</para> 706 <indexterm zone="heimdal otpprint"> 707 <primary sortas="b-otpprint">otpprint</primary> 708 </indexterm> 709 </listitem> 710 </varlistentry> 711 712 <varlistentry id="pfrom"> 713 <term><command>pfrom</command></term> 714 <listitem> 715 <para>is a script that runs <command>push --from</command>.</para> 716 <indexterm zone="heimdal pfrom"> 717 <primary sortas="b-pfrom">pfrom</primary> 718 </indexterm> 719 </listitem> 720 </varlistentry> 721 722 <varlistentry id="popper"> 723 <term><command>popper</command></term> 724 <listitem> 725 <para>is a kerberized POP-3 server.</para> 726 <indexterm zone="heimdal popper"> 727 <primary sortas="b-popper">popper</primary> 728 </indexterm> 729 </listitem> 730 </varlistentry> 731 732 <varlistentry id="push"> 733 <term><command>push</command></term> 734 <listitem> 735 <para>is a 
kerberized POP mail retreival client.</para> 736 <indexterm zone="heimdal push"> 737 <primary sortas="b-push">push</primary> 738 </indexterm> 739 </listitem> 740 </varlistentry> 741 742 <varlistentry id="rcp"> 743 <term><command>rcp</command></term> 744 <listitem> 745 <para>is a kerberized rcp client program.</para> 746 <indexterm zone="heimdal rcp"> 747 <primary sortas="b-rcp">rcp</primary> 748 </indexterm> 749 </listitem> 750 </varlistentry> 751 752 <varlistentry id="rsh"> 753 <term><command>rsh</command></term> 754 <listitem> 755 <para>is a kerberized rsh client program.</para> 756 <indexterm zone="heimdal rsh"> 757 <primary sortas="b-rsh">rsh</primary> 758 </indexterm> 759 </listitem> 760 </varlistentry> 761 762 <varlistentry id="rshd"> 763 <term><command>rshd</command></term> 764 <listitem> 765 <para>is a kerberized rsh server.</para> 766 <indexterm zone="heimdal rshd"> 767 <primary sortas="b-rshd">rshd</primary> 768 </indexterm> 769 </listitem> 770 </varlistentry> 771 772 <varlistentry id="rxtelnet"> 773 <term><command>rxtelnet</command></term> 774 <listitem> 775 <para>starts a secure <command>xterm</command> window with a 776 <command>telnet</command> to a given host and forwards 777 <application>X</application> connections.</para> 778 <indexterm zone="heimdal rxtelnet"> 779 <primary sortas="b-rxtelnet">rxtelnet</primary> 780 </indexterm> 781 </listitem> 782 </varlistentry> 783 784 <varlistentry id="rxterm"> 785 <term><command>rxterm</command></term> 786 <listitem> 787 <para>starts a secure remote <command>xterm</command>.</para> 788 <indexterm zone="heimdal rxterm"> 789 <primary sortas="b-rxterm">rxterm</primary> 790 </indexterm> 791 </listitem> 792 </varlistentry> 793 794 <varlistentry id="string2key"> 795 <term><command>string2key</command></term> 796 <listitem> 797 <para>maps a password into a key.</para> 798 <indexterm zone="heimdal string2key"> 799 <primary sortas="b-string2key">string2key</primary> 800 </indexterm> 801 </listitem> 802 </varlistentry> 
803 804 <varlistentry id="su"> 805 <term><command>su</command></term> 806 <listitem> 807 <para>is a kerberized su client program.</para> 808 <indexterm zone="heimdal su"> 809 <primary sortas="b-su">su</primary> 810 </indexterm> 811 </listitem> 812 </varlistentry> 813 814 <varlistentry id="telnet"> 815 <term><command>telnet</command></term> 816 <listitem> 817 <para>is a kerberized telnet client program.</para> 818 <indexterm zone="heimdal telnet"> 819 <primary sortas="b-telnet">telnet</primary> 820 </indexterm> 821 </listitem> 822 </varlistentry> 823 824 <varlistentry id="telnetd"> 825 <term><command>telnetd</command></term> 826 <listitem> 827 <para>is a kerberized telnet server.</para> 828 <indexterm zone="heimdal telnetd"> 829 <primary sortas="b-telnetd">telnetd</primary> 830 </indexterm> 831 </listitem> 832 </varlistentry> 833 834 <varlistentry id="tenletxr"> 835 <term><command>tenletxr</command></term> 836 <listitem> 837 <para>forwards <application>X</application> connections 838 backwards.</para> 839 <indexterm zone="heimdal tenletxr"> 840 <primary sortas="b-tenletxr">tenletxr</primary> 841 </indexterm> 842 </listitem> 843 </varlistentry> 844 845 <varlistentry id="verify_krb5_conf"> 846 <term><command>verify_krb5_conf</command></term> 847 <listitem> 848 <para>checks <filename>krb5.conf</filename> file for obvious 849 errors.</para> 850 <indexterm zone="heimdal verify_krb5_conf"> 851 <primary sortas="b-verify_krb5_conf">verify_krb5_conf</primary> 852 </indexterm> 853 </listitem> 854 </varlistentry> 855 856 <varlistentry id="xnlock"> 857 <term><command>xnlock</command></term> 858 <listitem> 859 <para>is a program that acts as a secure screen saver for 860 workstations running <application>X</application>.</para> 861 <indexterm zone="heimdal xnlock"> 862 <primary sortas="b-xnlock">xnlock</primary> 863 </indexterm> 864 </listitem> 865 </varlistentry> 866 867 <varlistentry id="libasn1"> 868 <term><filename class='libraryfile'>libasn1.[so,a]</filename></term> 869 
<listitem> 870 <para>provides the ASN.1 and DER functions to encode and decode 871 the Kerberos TGTs.</para> 872 <indexterm zone="heimdal libasn1"> 873 <primary sortas="c-libasn1">libasn1.[so,a]</primary> 874 </indexterm> 875 </listitem> 876 </varlistentry> 877 878 <varlistentry id="libeditline"> 879 <term><filename class='libraryfile'>libeditline.a</filename></term> 880 <listitem> 881 <para>is a command-line editing library with history.</para> 882 <indexterm zone="heimdal libeditline"> 883 <primary sortas="c-libeditline">libeditline.a</primary> 884 </indexterm> 885 </listitem> 886 </varlistentry> 887 888 <varlistentry id="libgssapi"> 889 <term><filename class='libraryfile'>libgssapi.[so,a]</filename></term> 890 <listitem> 891 <para>contain the Generic Security Service Application Programming 892 Interface (GSSAPI) functions which provides security 893 services to callers in a generic fashion, supportable with a range of 894 underlying mechanisms and technologies and hence allowing source-level 895 portability of applications to different environments.</para> 896 <indexterm zone="heimdal libgssapi"> 897 <primary sortas="c-libgssapi">libgssapi.[so,a]</primary> 898 </indexterm> 899 </listitem> 900 </varlistentry> 901 902 <varlistentry id="libhdb"> 903 <term><filename class='libraryfile'>libhdb.[so,a]</filename></term> 904 <listitem> 905 <para>is a <application>Heimdal</application> Kerberos 5 906 authentication/authorization database access library.</para> 907 <indexterm zone="heimdal libhdb"> 908 <primary sortas="c-libhdb">libhdb.[so,a]</primary> 909 </indexterm> 910 </listitem> 911 </varlistentry> 912 913 <varlistentry id="libkadm5clnt"> 914 <term><filename class='libraryfile'>libkadm5clnt.[so,a]</filename></term> 915 <listitem> 916 <para>contains the administrative authentication and password 917 checking functions required by Kerberos 5 client-side programs.</para> 918 <indexterm zone="heimdal libkadm5clnt"> 919 <primary 
sortas="c-libkadm5clnt">libkadm5clnt.[so,a]</primary> 920 </indexterm> 921 </listitem> 922 </varlistentry> 923 924 <varlistentry id="libkadm5srv"> 925 <term><filename class='libraryfile'>libkadm5srv.[so,a]</filename></term> 926 <listitem> 927 <para>contain the administrative authentication and password 928 checking functions required by Kerberos 5 servers.</para> 929 <indexterm zone="heimdal libkadm5srv"> 930 <primary sortas="c-libkadm5srv">libkadm5srv.[so,a]</primary> 931 </indexterm> 932 </listitem> 933 </varlistentry> 934 935 <varlistentry id="libkafs"> 936 <term><filename class='libraryfile'>libkafs.[so,a]</filename></term> 937 <listitem> 938 <para>contains the functions required to authenticated to AFS.</para> 939 <indexterm zone="heimdal libkafs"> 940 <primary sortas="c-libkafs">libkafs.[so,a]</primary> 941 </indexterm> 942 </listitem> 943 </varlistentry> 944 945 <varlistentry id="libkrb5"> 946 <term><filename class='libraryfile'>libkrb5.[so,a]</filename></term> 947 <listitem> 948 <para>is an all-purpose Kerberos 5 library.</para> 949 <indexterm zone="heimdal libkrb5"> 950 <primary sortas="c-libkrb5">libkrb5.[so,a]</primary> 951 </indexterm> 952 </listitem> 953 </varlistentry> 954 955 <varlistentry id="libotp"> 956 <term><filename class='libraryfile'>libotp.[so,a]</filename></term> 957 <listitem> 958 <para>contains the functions required to handle authenticating 959 one time passwords.</para> 960 <indexterm zone="heimdal libotp"> 961 <primary sortas="c-libotp">libotp.[so,a]</primary> 962 </indexterm> 963 </listitem> 964 </varlistentry> 965 966 <varlistentry id="libroken"> 967 <term><filename class='libraryfile'>libroken.[so,a]</filename></term> 968 <listitem> 969 <para>is a library containing Kerberos 5 compatibility 970 functions.</para> 971 <indexterm zone="heimdal libroken"> 972 <primary sortas="c-libroken">libroken.[so,a]</primary> 973 </indexterm> 974 </listitem> 975 </varlistentry> 976 977 </variablelist> 978 979 </sect2> 850 980 851 981 </sect1>
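Review bot: several of the added descriptions carry grammar slips that should be fixed before this lands. The `push` entry spells "retrieval" as "retreival"; the `libgssapi` and `libkadm5srv` entries open with "contain" where the singular subject (`libgssapi.[so,a]`, `libkadm5srv.[so,a]`) calls for "contains", matching the neighbouring `libkadm5clnt`, `libkafs` and `libotp` entries; in the `libgssapi` entry "functions which provides" should read "functions which provide"; and the `libkafs` entry reads "required to authenticated to AFS", which should be `<para>contains the functions required to authenticate to AFS.</para>`.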
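Review bot: the new `varlistentry` ids `rcp`, `rsh`, `rshd`, `su`, `telnet` and `telnetd` are the bare command names, and since XML ids must be unique across the assembled book they will clash with any other page that documents the same commands under the same ids; consider a package-qualified form such as `<varlistentry id="heimdal-rsh">` and adjust the matching `zone="heimdal rsh"` on each `indexterm` to reference the new id. In the same hunk, `<filename class='libraryfile'>` uses single-quoted attributes while every other attribute in the patch is double-quoted; pick one style for the file.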
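Review bot: the `tenletxr` entry ("forwards X connections backwards") does not tell the reader which side it runs on or where the connections end up; state the direction explicitly, as the `rxtelnet` entry above it does ("forwards X connections" from the remote `telnet` host). Likewise the `libeditline.a` term lists only the static archive while every other library entry uses the `[so,a]` form; if no shared object is installed that is fine, but a reviewer cannot tell from the hunk whether it was intentional, so a brief note in the commit message would help.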