field | value | date
---|---|---
author | John Fieber <jfieber@FreeBSD.org> | 1995-04-28 16:19:59 +0000
committer | John Fieber <jfieber@FreeBSD.org> | 1995-04-28 16:19:59 +0000
commit | 4776451dac895d2c78d6aa20083001d7d5c3c535 (patch) |
tree | 501a08a088792c7d47b8001e64148f3217eab864 /handbook/kerberos.sgml |
download | doc-4776451dac895d2c78d6aa20083001d7d5c3c535.tar.gz, doc-4776451dac895d2c78d6aa20083001d7d5c3c535.zip |
The FreeBSD handbook finds a new home.
Notes:
svn path=/head/; revision=2
Diffstat (limited to 'handbook/kerberos.sgml')
-rw-r--r-- | handbook/kerberos.sgml | 329 |
1 files changed, 329 insertions, 0 deletions
diff --git a/handbook/kerberos.sgml b/handbook/kerberos.sgml new file mode 100644 index 0000000000..7eca30e497 --- /dev/null +++ b/handbook/kerberos.sgml 
@@ -0,0 +1,329 @@ +<!-- $Id: kerberos.sgml,v 1.1.1.1 1995-04-28 16:19:59 jfieber Exp $ --> +<!-- The FreeBSD Documentation Project --> + +<sect><heading>Kerberos</heading> + +<p><em>Contributed by &a.md;.</em> + + <p>The following instructions can be used as a quick + guide on how to set up kerberos as distributed in 4.4 + BSD. However, you should refer to the original Athena + documentation for a complete description. + + <sect1> + <heading>Creating the initial database</heading> + + <p>First make sure that you don't have any old kerberos + databases around. You should change to the directory + <tt>/etc/kerberosIV</tt> and check that only the + following files are present: + +<tscreen><verb> +mideon# cd /etc/kerberosIV +mideon# ls +README krb.conf krb.realms register_keys + </verb></tscreen> + + If any additional files (such as <tt>principal.dir</tt>) exist, + then use the <tt>kdb_destroy</tt> command to destroy the + old kerberos database. + + <p>You should now edit the <tt>krb.conf</tt> and + <tt>krb.realms</tt> files to define your kerberos realm. + In this case the realm will be <it>BSC.NO</it> and the + server is <it>mideon.bsc.no</it>. We would edit the + <tt>krb.conf</tt> file to be as follows: + +<tscreen><verb> +mideon# cat krb.conf +BSC.NO +BSC.NO mideon.bsc.no admin server +CS.BERKELEY.EDU okeeffe.berkeley.edu +ATHENA.MIT.EDU kerberos.mit.edu +ATHENA.MIT.EDU kerberos-1.mit.edu +ATHENA.MIT.EDU kerberos-2.mit.edu +ATHENA.MIT.EDU kerberos-3.mit.edu +LCS.MIT.EDU kerberos.lcs.mit.edu +TELECOM.MIT.EDU bitsy.mit.edu +ARC.NASA.GOV trident.arc.nasa.gov + </verb></tscreen> + + <p>Now we have to add <it>mideon.bsc.no</it> to the + <it>BSC.NO</it> realm and also add an entry to put all + hosts in the <it>.bsc.no</it> domain in the + <it>BSC.NO</it> realm. 
The <tt>krb.realms</tt> file + would be updated as follows: + +<tscreen><verb> + mideon# cat krb.realms + mideon.bsc.no BSC.NO + .bsc.no BSC.NO + .berkeley.edu CS.BERKELEY.EDU + .MIT.EDU ATHENA.MIT.EDU + .mit.edu ATHENA.MIT.EDU +</verb></tscreen> + + <p>Now we're ready to create the database, issue the + <tt>kdb_init</tt> command to do this: + +<tscreen><verb> +mideon# kdb_init +Realm name [default CS.BERKELEY.EDU ]: BSC.NO +You will be prompted for the database Master Password. +It is important that you NOT FORGET this password. + +Enter Kerberos master key: + </verb></tscreen> + + <p>Now we have to save the key so that servers on the local + machine can pick it up. Use the <tt>kstash</tt> command to + do this. + +<tscreen><verb> +mideon# kstash + +Enter Kerberos master key: + +Current Kerberos master key version is 1. + +Master key entered. BEWARE! + </verb></tscreen> + + <sect1> + <heading>Populating the database</heading> + + <p>We now have to add some entries into the database. + First lets create an entry for the user <it>md</it>. Use + the <tt>kdb_edit</tt> command to do this: + +<tscreen><verb> +mideon# kdb_edit +Opening database... + +Enter Kerberos master key: + +Current Kerberos master key version is 1. + +Master key entered. BEWARE! +Previous or default values are in [brackets] , +enter return to leave the same, or new value. + +Principal name: md +Instance: +md. not found, Create [y] ? +Principal: md, Instance: , kdc_key_ver: 1 +New Password: +New Password: + +Principal's new key version = 1 +Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? +Max ticket lifetime (*5 minutes) [ 255 ] ? 100 +Attributes [ 0 ] ? +Edit O.K. + </verb></tscreen> + + <p>Now lets add an entry for the password changing daemon, + <tt>kpasswd</tt>. The principal name must be <it>kpasswd</it> and + the instance must be the name of the local machine, + <it>mideon</it> in this case. 
Similarily, we must also + add an entry for the principal <it>rcmd</it> with an + instance equal to the hostname of the local machine. + +<tscreen><verb> +Principal name: kpasswd +Instance: mideon +kpasswd.mideon not found, Create [y] ? +Principal: kpasswd, Instance: mideon, kdc_key_ver: 1 +New Password: <---- enter RANDOM here +New Password: <---- and here +Random password [y] ? + +Principal's new key version = 1 +Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? +Max ticket lifetime (*5 minutes) [ 255 ] ? +Attributes [ 0 ] ? +Edit O.K. +Principal name: rcmd +Instance: mideon +rcmd.mideon not found, Create [y] ? +Principal: rcmd, Instance: mideon, kdc_key_ver: 1 +New Password: <---- enter RANDOM here +New Password: <---- and here +Random password [y] ? + +Principal's new key version = 1 +Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? +Max ticket lifetime (*5 minutes) [ 255 ] ? +Attributes [ 0 ] ? +Edit O.K. +Principal name: <---- null entry here will cause an exit + </verb></tscreen> + + <sect1> + <heading>Creating the server file</heading> + + <p>We now have to extract all the instances which define + the services on this machine. For this we use the + <tt>ext_srvtab</tt> command. + +<tscreen><verb> +mideon# ext_srvtab mideon + +Enter Kerberos master key: + +Current Kerberos master key version is 1. + +Master key entered. BEWARE! +Generating 'mideon-new-srvtab'.... + </verb></tscreen> + + <p>Now, this command only generates a temporary file + which must be renamed to <tt>srvtab</tt> so that all the + server can pick it up. Use the <tt>mv</tt> command to move it + into place: + +<tscreen><verb> +mideon# mv mideon-new-srvtab srvtab + </verb></tscreen> + + <sect1> + <heading>Testing it all out</heading> + + <p>First we have to start the kerberos daemon: + +<tscreen><verb> +mideon# kerberos & +[1] 774 +mideon# Kerberos server starting + Sleep forever on error + Log file is /var/log/kerberos.log +Current Kerberos master key version is 1. + +Master key entered. 
BEWARE! + +Current Kerberos master key version is 1 +Local realm: BSC.NO + </verb></tscreen> + + Now we can try using the <tt>kinit</tt> command to get + tokens for the id <it>md</it> that we created above: + +<tscreen><verb> +mideon# kinit md +Kerberos Initialization for "md" +Kerberos Password: + </verb></tscreen> + + Try listing the tokens using <tt>klist</tt> to see if we + really have them: + +<tscreen><verb> +mideon# klist +Ticket file: /tmp/tkt0 +Principal: md@BSC.NO + + Issued Expires Principal +Mar 23 21:06:52 Mar 24 05:06:52 krbtgt.BSC.NO@BSC.NO + </verb></tscreen> + + And now try changing the password using <tt>passwd</tt> + to check if the kpasswd daemon can get authorisation to + the kerberos database: + +<tscreen><verb> +mideon# passwd md +Changing Kerberos password for md.@BSC.NO. +Old Kerberos password: +New Kerberos password: +Retype new Kerberos password: +Update complete. + </verb></tscreen> + + <sect1> + <heading>Adding <tt>su</tt> priviledges</heading> + + <p>We should now add an id which is authorised to <tt>su</tt> to + <it>root</it>. This is controlled by having an instance of + <it>root</it> associated with a principal. Using + <tt>kdb_edit</tt> we can create the entry + <it>md.root</it> in the kerberos database: + +<tscreen><verb> +mideon# kdb_edit +Opening database... + +Enter Kerberos master key: + +Current Kerberos master key version is 1. + +Master key entered. BEWARE! +Previous or default values are in [brackets] , +enter return to leave the same, or new value. + +Principal name: md +Instance: root +md.admin not found, Create [y] ? +Principal: md, Instance: admin, kdc_key_ver: 1 +New Password: +New Password: + +Principal's new key version = 1 +Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? +Max ticket lifetime (*5 minutes) [ 255 ] ? 12 +Attributes [ 0 ] ? +Edit O.K. 
+Principal name: + </verb></tscreen> + + Now try getting tokens for it to make sure it works: + +<tscreen><verb> +mideon# kinit md.root +Kerberos Initialization for "md.root" +Kerberos Password: + </verb></tscreen> + + And list them to check expiry times: + +<tscreen><verb> +mideon# klist +Ticket file: /tmp/tkt0 +Principal: md.root@BSC.NO + + Issued Expires Principal +Mar 23 21:08:47 Mar 23 22:08:47 krbtgt.BSC.NO@BSC.NO +mideon# + </verb></tscreen> + + Now we need to add the user to root's <tt>.klogin</tt> file: + +<tscreen><verb> +mideon# cat /root/.klogin +md.root@BSC.NO + </verb></tscreen> + + Now try doing the <tt>su</tt>: + +<tscreen><verb> +[md@mideon.bsc.no 10407] su +Kerberos Password: +Warning: tgt not verified. + </verb></tscreen> + + and take a look at what tokens we have: + +<tscreen><verb> +mideon# klist +Ticket file: /tmp/tkt_root_1250 +Principal: md.root@BSC.NO + + Issued Expires Principal +Mar 23 22:09:59 Mar 23 22:19:59 krbtgt.BSC.NO@BSC.NO +mideon# + </verb></tscreen> + + Notice that with this setup each user has their own entry + for <tt>su</tt>'ing to root (the <it>user</it>.root entry + in kerberos). This can allow you to give root access to + multiple users without the need to share a common root + password. |
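Review bot: the kdb_edit transcript in the "Adding su priviledges" section contradicts its own text: the operator answers `Instance: root`, but the next lines read `md.admin not found, Create [y] ?` and `Principal: md, Instance: admin, kdc_key_ver: 1`, while the prose, the later `kinit md.root` and the `/root/.klogin` entry `md.root@BSC.NO` all use the root instance; those two lines should read `md.root not found, Create [y] ?` and `Principal: md, Instance: root, kdc_key_ver: 1`. In the same section the `su` transcript prints `Warning: tgt not verified.` with no comment; a sentence saying what that means (the ticket-granting ticket was not checked against the host's own srvtab key, so the KDC reply was accepted without being authenticated) and whether it is expected after the srvtab was installed would stop readers from treating it as noise. Minor: "Similarily" should be "Similarly", "priviledges" should be "privileges", "lets" should be "let's" in both places, "so that all the server can pick it up" should be "so that all the servers can pick it up", and the `krb.realms` verb block is indented with leading spaces unlike the other listings.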