Changeset dc04b84 for postlfs/security
- Timestamp:
- 07/15/2004 05:02:31 AM (20 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- ffe47ca2
- Parents:
- efb1e70f
- Location:
- postlfs/security
- Files:
- 2 edited
postlfs/security/heimdal.xml
refb1e70f rdc04b84 116 116 mv /usr/lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /lib && 117 117 mv /usr/lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /lib && 118 mv /usr/lib/lib {com_err.so.2,com_err.so.2.1,db-4.1.so}/lib &&118 mv /usr/lib/libdb-4.1.so /lib && 119 119 ln -sf ../../lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /usr/lib && 120 120 ln -sf ../../lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /usr/lib && 121 121 ln -sf ../../lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /usr/lib && 122 ln -sf ../../lib/lib {com_err.so.2,com_err.so.2.1,db-4.1.so}/usr/lib &&122 ln -sf ../../lib/libdb-4.1.so /usr/lib && 123 123 ldconfig</command></userinput></screen> 124 124 … … 165 165 mv /usr/lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /lib 166 166 mv /usr/lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /lib 167 mv /usr/lib/lib {com_err.so.2,com_err.so.2.1,db-4.1.so}/lib167 mv /usr/lib/libdb-4.1.so /lib 168 168 ln -sf ../../lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /usr/lib 169 169 ln -sf ../../lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /usr/lib 170 170 ln -sf ../../lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /usr/lib 171 ln -sf ../../lib/lib {com_err.so.2,com_err.so.2.1,db-4.1.so}/usr/lib</command></screen>171 ln -sf ../../lib/libdb-4.1.so /usr/lib</command></screen> 172 172 173 173 The <command>login</command> and <command>su</command> programs -
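Review bot: new lines 118 and 122 drop libcom_err.so.2 / libcom_err.so.2.1 from the set of libraries moved to /lib and symlinked back into /usr/lib, yet the sentence that follows the second block still says login and su are linked against "these libraries". If login, su, or the libraries that are still moved (libkrb5, libasn1, libroken) resolve libcom_err from /usr/lib, a login with /usr not mounted will fail. Suggest either an ldd check on login and su in the text before the mv, or a sentence stating why com_err no longer needs relocating. Note also that the removed line 118 had a space between "lib" and the brace group, so the old mv never expanded to the paths it appeared to name; the rewrite silently fixes that as well, which is worth a mention in the commit log.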
postlfs/security/mitkrb.xml
refb1e70f rdc04b84 11 11 <!ENTITY mitkrb-time "2.55 SBU"> 12 12 ]> 13 14 13 15 14 <sect1 id="mitkrb" xreflabel="MIT krb5-&mitkrb-version;"> … … 42 41 <para> 43 42 <xref linkend="xinetd"/> (services servers only), 44 <xref linkend="Linux_PAM"/> (for xdm based logins) and 45 <xref linkend="openldap"/> (alternative for krb5kdc password database) 43 <xref linkend="Linux_PAM"/> (for <command>xdm</command> based logins) and 44 <xref linkend="openldap"/> (alternative for <command>krb5kdc</command> 45 password database) 46 46 </para> 47 47 48 48 <note><para> 49 Some sort of time synchronization facility on your system (like <xref50 linkend="ntp"/>) is required since Kerberos won't authenticate if there49 Some sort of time synchronization facility on your system (like 50 <xref linkend="ntp"/>) is required since Kerberos won't authenticate if there 51 51 is a time difference between a kerberized client and the 52 52 <acronym>KDC</acronym> server.</para></note> … … 61 61 62 62 <para> 63 <application><acronym>MIT</acronym> krb5</application> is 64 distributed in an <acronym>TAR</acronym> file 65 containing a compressed <acronym>TAR</acronym> package and a 66 detached <acronym>PGP</acronym> <filename 67 class="extension">ASC</filename> file. 63 <application><acronym>MIT</acronym> krb5</application> is distributed in a 64 <acronym>TAR</acronym> file containing a compressed <acronym>TAR</acronym> 65 package and a detached <acronym>PGP</acronym> 66 <filename class="extension">ASC</filename> file. 
68 67 </para> 69 68 … … 76 75 77 76 <para> 78 Build <application><acronym>MIT</acronym> krb5</application> by running the following commands: 77 Build <application><acronym>MIT</acronym> krb5</application> by running the 78 following commands: 79 79 </para> 80 80 … … 97 97 mv /usr/lib/libdes425.so.3* /lib && 98 98 mv /usr/lib/libk5crypto.so.3* /lib && 99 mv /usr/lib/libcom_err.so.3* /lib &&100 99 ln -sf ../../lib/libkrb5.so /usr/lib && 101 100 ln -sf ../../lib/libkrb4.so /usr/lib && 102 101 ln -sf ../../lib/libdes425.so /usr/lib && 103 102 ln -sf ../../lib/libk5crypto.so /usr/lib && 104 ln -sf ../../lib/libcom_err.so /usr/lib &&105 103 ldconfig</command></userinput></screen> 106 104 … … 129 127 mv /usr/lib/libdes425.so.3* /lib 130 128 mv /usr/lib/libk5crypto.so.3* /lib 131 mv /usr/lib/libcom_err.so.3* /lib132 129 ln -sf ../../lib/libkrb5.so /usr/lib 133 130 ln -sf ../../lib/libkrb4.so /usr/lib 134 131 ln -sf ../../lib/libdes425.so /usr/lib 135 ln -sf ../../lib/libk5crypto.so /usr/lib 136 ln -sf ../../lib/libcom_err.so /usr/lib</command></screen> 132 ln -sf ../../lib/libk5crypto.so /usr/lib</command></screen> 137 133 The <command>login</command> and <command>ksu</command> programs 138 134 are linked against these libraries, therefore we move these libraries to 139 <filename class="directory">/lib</filename> to allow logins without mounting <filename class="directory">/usr</filename>. 135 <filename class="directory">/lib</filename> to allow logins without mounting 136 <filename class="directory">/usr</filename>. 140 137 </para> 141 138 … … 162 159 <screen><userinput><command>cat > /etc/krb5.conf << "EOF"</command> 163 160 # Begin /etc/krb5.conf 164 161 165 162 [libdefaults] 166 163 default_realm = <replaceable>[LFS.ORG]</replaceable> … … 186 183 <para> 187 184 You will need to substitute your domain and proper hostname for the 188 occurances of the belgarath and lfs.org names. 
189 </para> 190 191 <para> 192 <userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS. 193 This isn't required, but both Heimdal and <acronym>MIT</acronym> 194 recommend it. 195 </para> 196 197 <para> 198 <userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized 199 clients and servers. It's not necessary and can be left off. If you 200 leave it off, you can encrypt all traffic from the client to the server 201 using a switch on the client program instead. 202 </para> 203 204 <para> 205 The <userinput>[realms]</userinput> parameters tell the client programs where to look for the 206 <acronym>KDC</acronym> authentication services. 185 occurances of the <replaceable>[belgarath]</replaceable> and 186 <replaceable>[lfs.org]</replaceable> names. 187 </para> 188 189 <para> 190 <userinput>default_realm</userinput> should be the name of your domain changed 191 to ALL CAPS. This isn't required, but both <application>Heimdal</application> 192 and <acronym>MIT</acronym> recommend it. 193 </para> 194 195 <para> 196 <userinput>encrypt = true</userinput> provides encryption of all traffic 197 between kerberized clients and servers. It's not necessary and can be left 198 off. If you leave it off, you can encrypt all traffic from the client to the 199 server using a switch on the client program instead. 200 </para> 201 202 <para> 203 The <userinput>[realms]</userinput> parameters tell the client programs where 204 to look for the <acronym>KDC</acronym> authentication services. 207 205 </para> 208 206 … … 218 216 219 217 <para> 220 Now we need topopulate the database with principles (users). For now,218 Now you should populate the database with principles (users). For now, 221 219 just use your regular login name or root. 222 220 </para> … … 240 238 241 239 <para> 242 This should have created a file in 243 <filename class="directory">/etc</filename> named 244 <filename>krb5.keytab</filename> (Kerberos 5). 
This file should have 600 240 This should have created a file in <filename class="directory">/etc</filename> 241 named <filename>krb5.keytab</filename> (Kerberos 5). This file should have 600 245 242 (root rw only) permissions. Keeping the keytab files from public access 246 243 is crucial to the overall security of the Kerberos installation. … … 303 300 <para> 304 301 Install the <filename>/etc/rc.d/init.d/kerberos</filename> init script 305 included in the <xref linkend="intro-important-bootscripts"/> 306 package. 302 included in the <xref linkend="intro-important-bootscripts"/> package. 307 303 </para> 308 304 … … 331 327 </sect4> 332 328 333 334 329 <sect4><title>Using Kerberized Server Programs</title> 335 330 <para> 336 331 Using kerberized server programs (<command>telnetd</command>, 337 <command>kpropd</command>, 338 <command>k logind</command> and <command>kshd</command>) requires two additional configuration steps.332 <command>kpropd</command>, <command>klogind</command> and 333 <command>kshd</command>) requires two additional configuration steps. 339 334 First the <filename>/etc/services</filename> file must be updated to 340 include eklogin and krb5_prop. Second, the 341 <filename>inetd.conf</filename> or <filename>xinetd.conf</filename> must 342 be modified for each server that will be activated, usually replacing 343 the server from <xref linkend="inetutils"/>. 335 include eklogin and krb5_prop. Second, the <filename>inetd.conf</filename> 336 or <filename>xinetd.conf</filename> must be modified for each server that will 337 be activated, usually replacing the server from <xref linkend="inetutils"/>. 344 338 </para> 345 339 </sect4> … … 415 409 <filename class="libraryfile">libkadm5srv</filename>, 416 410 <filename class="libraryfile">libkdb5</filename>, 417 <filename class="libraryfile">libkrb4</filename> ,411 <filename class="libraryfile">libkrb4</filename> and 418 412 <filename class="libraryfile">libkrb5</filename>. 
419 413 </para> … … 432 426 <sect3><title>k5srvutil</title> 433 427 <para> 434 <command>k5srvutil</command> is a host keytable manipulation 435 utility. 428 <command>k5srvutil</command> is a host keytable manipulation utility. 436 429 </para> 437 430 </sect3> … … 447 440 <para> 448 441 <command>kadmind</command> is a server for administrative access 449 to Kerberos database.442 to a Kerberos database. 450 443 </para> 451 444 </sect3> … … 453 446 <sect3><title>kinit</title> 454 447 <para> 455 <command>kinit</command> is used to 456 authenticate to the Kerberos server as principal and acquire a ticket 457 granting ticket that can later be used to obtain tickets for other 458 services. 448 <command>kinit</command> is used to authenticate to the Kerberos server as 449 a principal and acquire a ticket granting ticket that can later be used to 450 obtain tickets for other services. 459 451 </para> 460 452 </sect3> … … 462 454 <sect3><title>krb5kdc</title> 463 455 <para> 464 <command>k dc</command> is a Kerberos 5 server.456 <command>krb5kdc</command> is a Kerberos 5 server. 465 457 </para> 466 458 </sect3> … … 468 460 <sect3><title>kdestroy</title> 469 461 <para> 470 <command>kdestroy</command> removes the current set of 471 tickets. 462 <command>kdestroy</command> removes the current set of tickets. 472 463 </para> 473 464 </sect3> … … 475 466 <sect3><title>kdb5_util</title> 476 467 <para> 477 <command>kdb5_util</command> is the <acronym>KDC</acronym> 478 database utility. 468 <command>kdb5_util</command> is the <acronym>KDC</acronym> database utility. 479 469 </para> 480 470 </sect3> … … 489 479 <sect3><title>klogind</title> 490 480 <para> 491 <command>klogind</command> is the server that responds to rlogin492 requests.481 <command>klogind</command> is the server that responds to 482 <command>rlogin</command> requests. 
493 483 </para> 494 484 </sect3> … … 496 486 <sect3><title>kpasswd</title> 497 487 <para> 498 <command>kpasswd</command> is a program for changing Kerberos 5 499 passwords. 488 <command>kpasswd</command> is a program for changing Kerberos 5 passwords. 500 489 </para> 501 490 </sect3> … … 512 501 <para> 513 502 <command>kpropd</command> receives a database sent by 514 <command>hprop</command> and writes it as a local 515 database. 503 <command>hprop</command> and writes it as a local database. 516 504 </para> 517 505 </sect3> … … 526 514 <sect3><title>ksu</title> 527 515 <para> 528 <command>ksu</command> is the super user program using Kerberos 529 protocol. Requires a properly configured <filename class="directory">/etc/shells</filename> 530 and <filename>~/.k5login</filename> containing principals authorized to 516 <command>ksu</command> is the super user program using Kerberos protocol. 517 Requires a properly configured 518 <filename class="directory">/etc/shells</filename> and 519 <filename>~/.k5login</filename> containing principals authorized to 531 520 become super users. 532 521 </para> … … 535 524 <sect3><title>ktutil</title> 536 525 <para> 537 <command>ktutil</command> is a program for managing Kerberos 538 keytabs. 526 <command>ktutil</command> is a program for managing Kerberos keytabs. 539 527 </para> 540 528 </sect3> … … 542 530 <sect3><title>kvno</title> 543 531 <para> 544 <command>kvno</command> prints keyversion numbers of Kerberos 545 principals. 546 </para> 547 </sect3> 548 532 <command>kvno</command> prints keyversion numbers of Kerberos principals. 533 </para> 534 </sect3> 549 535 550 536 </sect2>
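Review bot: the hunks at old lines 97-105 and 129-136 remove the mv of libcom_err.so.3* and the matching ln -sf, but the explanation kept at new lines 133-136 still says login and ksu "are linked against these libraries, therefore we move these libraries to /lib". If libcom_err is still pulled in by libkrb5 or libk5crypto from /usr/lib, the stated goal (logins without /usr mounted) no longer holds; suggest an ldd check on login and ksu or a sentence explaining why com_err is left in /usr/lib.

Review bot: new line 218 rewrites the sentence but keeps "principles (users)"; the Kerberos term is "principals", which the same file uses at new lines 448-450 (kinit) and 519-520 (ksu). Suggest "populate the database with principals (users)".

Review bot: new line 185 is touched by the hunk but still reads "occurances"; suggest "occurrences".

Review bot: new lines 196-199 say of encrypt = true that "It's not necessary and can be left off". Since the preceding sentence states that the option encrypts all traffic between kerberized clients and servers, leaving it off means application traffic goes unencrypted unless the client switch is given on every invocation; suggest wording it as optional but recommended, e.g. "It is not required, but without it traffic is only encrypted when the client program is invoked with the corresponding switch."

Review bot: new lines 240-242 say the keytab "should have 600 (root rw only) permissions" and that keeping it from public access is crucial, but the text only describes the expected state. Suggest an explicit chmod 600 /etc/krb5.keytab (or an ls -l check) right after the step that creates the file, so the stated requirement is enforced rather than assumed.

Review bot: new line 532 keeps "keyversion numbers"; suggest "key version numbers".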