<!-- $Id: kerberos.sgml,v 1.1.1.1 1995-04-28 16:19:59 jfieber Exp $ -->
<!-- The FreeBSD Documentation Project -->

<sect><heading>Kerberos</heading>

<p><em>Contributed by &a.md;.</em>

      <p>The following instructions can be used as a quick
	guide on how to set up kerberos as distributed in 4.4
	BSD.  However, you should refer to the original Athena
	documentation for a complete description.

    <sect1>
      <heading>Creating the initial database</heading>

      <p>First make sure that you don't have any old kerberos
	databases around.  You should change to the directory
	<tt>/etc/kerberosIV</tt> and check that only the
	following files are present:

<tscreen><verb>
mideon# cd /etc/kerberosIV
mideon# ls
README          krb.conf        krb.realms      register_keys
	  </verb></tscreen>

	If any additional files (such as <tt>principal.dir</tt>) exist,
	then use the <tt>kdb_destroy</tt> command to destroy the
	old kerberos database.

      <p>You should now edit the <tt>krb.conf</tt> and
	<tt>krb.realms</tt> files to define your kerberos realm.
	In this case the realm will be <it>BSC.NO</it> and the
	server is <it>mideon.bsc.no</it>.  We would edit the
	<tt>krb.conf</tt> file to be as follows:

<tscreen><verb>
mideon# cat krb.conf
BSC.NO
BSC.NO mideon.bsc.no admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu
TELECOM.MIT.EDU bitsy.mit.edu
ARC.NASA.GOV trident.arc.nasa.gov
	  </verb></tscreen>

      <p>Now we have to add <it>mideon.bsc.no</it> to the
	<it>BSC.NO</it> realm and also add an entry to put all
	hosts in the <it>.bsc.no</it> domain in the
	<it>BSC.NO</it> realm.  The <tt>krb.realms</tt> file
	would be updated as follows:

<tscreen><verb>
mideon# cat krb.realms
mideon.bsc.no   BSC.NO
.bsc.no         BSC.NO
.berkeley.edu   CS.BERKELEY.EDU
.MIT.EDU        ATHENA.MIT.EDU
.mit.edu        ATHENA.MIT.EDU
	  </verb></tscreen>
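As an added example (not part of the handbook), the following reads the two configuration formats just shown and resolves a hostname to its realm the way the <tt>krb.realms</tt> table implies: an exact host entry first, then the longest matching <tt>.domain</tt> suffix. The file contents are the BSC.NO examples above, embedded inline; the hostnames used in the lookups are constructed.

```python
# Added example, not from the handbook: a minimal reader for the Kerberos IV
# krb.conf / krb.realms formats, fed with the BSC.NO files shown above.
KRB_CONF = """\
BSC.NO
BSC.NO mideon.bsc.no admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
"""
KRB_REALMS = """\
mideon.bsc.no   BSC.NO
.bsc.no         BSC.NO
.berkeley.edu   CS.BERKELEY.EDU
.MIT.EDU        ATHENA.MIT.EDU
.mit.edu        ATHENA.MIT.EDU
"""

def parse_krb_conf(text):
    """First line is the local realm; the rest are 'REALM host [admin server]'."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    local_realm, servers = lines[0][0], {}
    for fields in lines[1:]:
        realm, host = fields[0], fields[1]
        is_admin = fields[2:4] == ["admin", "server"]  # host running the admin server
        servers.setdefault(realm, []).append((host, is_admin))
    return local_realm, servers

def parse_krb_realms(text):
    """Map each 'host' or '.domain' pattern to its realm (later lines win)."""
    fields = (ln.split() for ln in text.splitlines())
    return {f[0]: f[1] for f in fields if len(f) >= 2}

def realm_of_host(hostname, realms):
    """Exact host entry first, then the longest matching '.domain' suffix.
    Matching is case-sensitive (hence both .MIT.EDU and .mit.edu above);
    None means no entry applies, so the host belongs to no known realm."""
    if hostname in realms:
        return realms[hostname]
    labels = hostname.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in realms:
            return realms[suffix]
    return None

def admin_servers(realm, servers):
    """Hosts flagged 'admin server' for realm, i.e. where password changes go."""
    return [host for host, is_admin in servers.get(realm, []) if is_admin]
```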

	<p>Now we're ready to create the database; issue the
	<tt>kdb_init</tt> command to do this:

<tscreen><verb>
mideon# kdb_init
Realm name [default  CS.BERKELEY.EDU ]: BSC.NO
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.

Enter Kerberos master key: 
	  </verb></tscreen>

      <p>Now we have to save the key so that servers on the local
	machine can pick it up.  Use the <tt>kstash</tt> command to
	do this.

<tscreen><verb>
mideon# kstash

Enter Kerberos master key: 

Current Kerberos master key version is 1.

Master key entered.  BEWARE!
	  </verb></tscreen>

    <sect1>
      <heading>Populating the database</heading>

      <p>We now have to add some entries to the database.
	First let's create an entry for the user <it>md</it>.  Use
	the <tt>kdb_edit</tt> command to do this:

<tscreen><verb>
mideon# kdb_edit
Opening database...

Enter Kerberos master key: 

Current Kerberos master key version is 1.

Master key entered.  BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.

Principal name: md
Instance: 
md. not found, Create [y] ? 
Principal: md, Instance: , kdc_key_ver: 1
New Password: 
New Password: 

Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? 
Max ticket lifetime (*5 minutes) [ 255 ] ? 100
Attributes [ 0 ] ? 
Edit O.K.
	  </verb></tscreen>

      <p>Now let's add an entry for the password changing daemon,
	<tt>kpasswd</tt>.  The principal name must be <it>kpasswd</it> and
	the instance must be the name of the local machine,
	<it>mideon</it> in this case.  Similarly, we must also
	add an entry for the principal <it>rcmd</it> with an
	instance equal to the hostname of the local machine.

<tscreen><verb>
Principal name: kpasswd
Instance: mideon
kpasswd.mideon not found, Create [y] ? 
Principal: kpasswd, Instance: mideon, kdc_key_ver: 1
New Password:                   <---- enter RANDOM here
New Password:                   <---- and here
Random password [y] ? 

Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? 
Max ticket lifetime (*5 minutes) [ 255 ] ? 
Attributes [ 0 ] ? 
Edit O.K.
Principal name: rcmd
Instance: mideon
rcmd.mideon not found, Create [y] ? 
Principal: rcmd, Instance: mideon, kdc_key_ver: 1
New Password:                   <---- enter RANDOM here
New Password:                   <---- and here
Random password [y] ? 

Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? 
Max ticket lifetime (*5 minutes) [ 255 ] ? 
Attributes [ 0 ] ? 
Edit O.K.
Principal name:                 <---- null entry here will cause an exit
	  </verb></tscreen>

      <sect1>
	<heading>Creating the server file</heading>

	<p>We now have to extract all the instances which define
	  the services on this machine.  For this we use the
	  <tt>ext_srvtab</tt> command.

<tscreen><verb>
mideon# ext_srvtab mideon

Enter Kerberos master key: 

Current Kerberos master key version is 1.

Master key entered.  BEWARE!
Generating 'mideon-new-srvtab'....
	    </verb></tscreen>

	<p>Now, this command only generates a temporary file
	  which must be renamed to <tt>srvtab</tt> so that all the
	  servers can pick it up.  Use the <tt>mv</tt> command to move it
	  into place:

<tscreen><verb>
mideon# mv mideon-new-srvtab srvtab
	    </verb></tscreen>

    <sect1>
      <heading>Testing it all out</heading>

      <p>First we have to start the kerberos daemon:

<tscreen><verb>
mideon# kerberos &
[1] 774
mideon# Kerberos server starting
        Sleep forever on error
        Log file is /var/log/kerberos.log
Current Kerberos master key version is 1.

Master key entered.  BEWARE!

Current Kerberos master key version is 1
Local realm: BSC.NO
	  </verb></tscreen>

	Now we can try using the <tt>kinit</tt> command to get
	tickets for the principal <it>md</it> that we created above:

<tscreen><verb>
mideon# kinit md
Kerberos Initialization for "md"
Kerberos Password: 
	  </verb></tscreen>

	Try listing the tickets using <tt>klist</tt> to see if we
	really have them:

<tscreen><verb>
mideon# klist
Ticket file:    /tmp/tkt0
Principal:      md@BSC.NO

  Issued           Expires          Principal
Mar 23 21:06:52  Mar 24 05:06:52  krbtgt.BSC.NO@BSC.NO
	  </verb></tscreen>

	And now try changing the password using <tt>passwd</tt>
	to check if the kpasswd daemon can get authorisation to
	the kerberos database:

<tscreen><verb>
mideon# passwd md
Changing Kerberos password for md.@BSC.NO.
Old Kerberos password:
New Kerberos password:
Retype new Kerberos password:
Update complete.
	  </verb></tscreen>

    <sect1>
      <heading>Adding <tt>su</tt> privileges</heading>

      <p>We should now add an id which is authorised to <tt>su</tt> to
	<it>root</it>.  This is controlled by having an instance of
	<it>root</it> associated with a principal.  Using
	<tt>kdb_edit</tt> we can create the entry
	<it>md.root</it> in the kerberos database:

<tscreen><verb>
mideon# kdb_edit
Opening database...

Enter Kerberos master key: 

Current Kerberos master key version is 1.

Master key entered.  BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.

Principal name: md
Instance: root
md.root not found, Create [y] ? 
Principal: md, Instance: root, kdc_key_ver: 1
New Password: 
New Password: 

Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? 
Max ticket lifetime (*5 minutes) [ 255 ] ? 12
Attributes [ 0 ] ? 
Edit O.K.
Principal name: 
	  </verb></tscreen>

	Now try getting tickets for it to make sure it works:

<tscreen><verb>
mideon# kinit md.root
Kerberos Initialization for "md.root"
Kerberos Password: 
	  </verb></tscreen>

	And list them to check expiry times:

<tscreen><verb>
mideon# klist
Ticket file:    /tmp/tkt0
Principal:      md.root@BSC.NO

  Issued           Expires          Principal
Mar 23 21:08:47  Mar 23 22:08:47  krbtgt.BSC.NO@BSC.NO
mideon# 
	  </verb></tscreen>

	Now we need to add the user to root's <tt>.klogin</tt> file:

<tscreen><verb>
mideon# cat /root/.klogin
md.root@BSC.NO
	  </verb></tscreen>

	Now try doing the <tt>su</tt>:

<tscreen><verb>
[md@mideon.bsc.no 10407] su
Kerberos Password: 
Warning: tgt not verified.
	  </verb></tscreen>

	and take a look at what tickets we have:

<tscreen><verb>
mideon# klist
Ticket file:    /tmp/tkt_root_1250
Principal:      md.root@BSC.NO

  Issued           Expires          Principal
Mar 23 22:09:59  Mar 23 22:19:59  krbtgt.BSC.NO@BSC.NO
mideon# 
	  </verb></tscreen>

	Notice that with this setup each user has their own entry
	for <tt>su</tt>'ing to root (the <it>user</it>.root entry
	in kerberos).  This can allow you to give root access to
	multiple users without the need to share a common root
	password.
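As an added example (not part of the handbook), the following splits Kerberos IV principal strings of the form <it>name.instance@REALM</it> and audits a <tt>.klogin</tt> file against the convention described above, flagging entries that are not a personal <it>user</it>.root entry in the local realm. The <tt>.klogin</tt> contents and the realm name are constructed from the BSC.NO setup on this page.

```python
# Added example, not from the handbook: parse Kerberos IV principals and
# audit root's .klogin against the <user>.root@LOCALREALM convention above.
LOCAL_REALM = "BSC.NO"
KLOGIN = """\
md.root@BSC.NO
md@BSC.NO
guest.root@CS.BERKELEY.EDU
"""  # constructed: only the first line follows the recommended pattern

def parse_principal(text, default_realm=LOCAL_REALM):
    """Split 'name.instance@REALM' into (name, instance, realm).

    A missing instance yields '' and a missing realm yields default_realm,
    matching how the handbook writes bare names such as 'md'.
    """
    name_inst, _, realm = text.partition("@")
    name, _, instance = name_inst.partition(".")
    return name, instance, realm or default_realm

def audit_klogin(klogin, local_realm=LOCAL_REALM):
    """Return {entry: reason} for .klogin lines that are not <user>.root@local."""
    problems = {}
    for entry in (ln.strip() for ln in klogin.splitlines() if ln.strip()):
        _name, instance, realm = parse_principal(entry, local_realm)
        if realm != local_realm:
            problems[entry] = "principal from a foreign realm may become root"
        elif instance != "root":
            problems[entry] = "no .root instance; not a dedicated su credential"
    return problems
```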