%% \documentstyle[11pt,a4]{article}
\documentstyle[11pt]{article}
%% \pagestyle{headings}
%% \pagestyle{empty}
\setlength{\textwidth}{6.5in}
\setlength{\parindent}{0in}
%% \setlength{\parskip}{\medskipamount}
\setlength{\oddsidemargin}{0in}
\setlength{\evensidemargin}{0in}
%% \setlength{\footskip}{0.2cm}

\begin{document}

\begin{center}
{\LARGE {\bf Configuring Kerberos IV on 4.4 BSD}} \\
{\it Mark Dapoz} \\
{\it $<$md@bsc.no$>$} \\
{\it Bergen Scientific Centre} \\
{\it Bergen, Norway} \\
{\it April 4th, 1994} \\
\end{center}

\section{Introduction}

The following instructions can be used as a quick guide on how to set up
Kerberos as distributed in 4.4 BSD. However, you should refer to the original
Athena documentation for a complete description.

\section{Creating the initial database}

First make sure that you don't have any old Kerberos databases around. Change
to the directory {\bf /etc/kerberosIV} and check that only the following files
are present:

\begin{verbatim}
mideon# cd /etc/kerberosIV
mideon# ls
README          krb.conf        krb.realms      register_keys
\end{verbatim}

If any additional files (such as principal.dir) exist, use the
{\bf kdb\_destroy} command to destroy the old Kerberos database.

You should now edit the {\bf krb.conf} and {\bf krb.realms} files to define
your Kerberos realm. In this case the realm will be {\it BSC.NO} and the
server is {\it mideon.bsc.no}. The first line of {\bf krb.conf} names the
local realm; each following line maps a realm to one of its servers, and the
trailing {\it admin server} marks the server that accepts administrative
requests such as password changes. We would edit the {\bf krb.conf} file to
be as follows:

\begin{verbatim}
mideon# cat krb.conf
BSC.NO
BSC.NO mideon.bsc.no admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu
TELECOM.MIT.EDU bitsy.mit.edu
ARC.NASA.GOV trident.arc.nasa.gov
\end{verbatim}

Now we have to add mideon.bsc.no to the BSC.NO realm and also add an entry
(a domain name with a leading dot) to put all hosts in the .bsc.no domain in
the BSC.NO realm.
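The krb.conf and krb.realms formats just described, as an added example that is not from the original guide or the 4.4 BSD sources: a small Python parser for both files, the host-to-realm lookup they drive (exact host entry first, then enclosing domain suffixes), and a check that the local realm has an admin server for kpasswd to talk to. The embedded file bodies are constructed copies of the guide's entries; the upper-cased-domain fallback in realm_of_host is an assumption of this example.

```python
# Added example (not from the guide or 4.4BSD): parse krb.conf / krb.realms and
# run the host-to-realm lookup they drive.  File bodies copy the guide's entries.
KRB_CONF = """\
BSC.NO
BSC.NO mideon.bsc.no admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
"""
KRB_REALMS = """\
mideon.bsc.no BSC.NO
.bsc.no BSC.NO
.berkeley.edu CS.BERKELEY.EDU
"""

def parse_krb_conf(text):
    """krb.conf: line 1 is the local realm; others are REALM kdc-host [admin server].
    Returns (local_realm, {realm: [(host, is_admin_server), ...]})."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    servers = {}
    for fields in rows[1:]:
        is_admin = fields[2:4] == ["admin", "server"]
        servers.setdefault(fields[0], []).append((fields[1], is_admin))
    return rows[0][0], servers

def parse_krb_realms(text):
    """krb.realms: host-or-.domain REALM.  Keys stay case-sensitive, which is
    why the guide lists both .MIT.EDU and .mit.edu."""
    rows = (line.split() for line in text.splitlines())
    return {f[0]: f[1] for f in rows if len(f) >= 2}

def realm_of_host(host, realms):
    """Exact host entry, then enclosing domain suffixes longest first.  Fallback is
    this example's assumption: upper-cased domain, as '.bsc.no -> BSC.NO' does."""
    if host in realms:
        return realms[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in realms:
            return realms[suffix]
    return ".".join(labels[1:]).upper()

def check_local_realm(local_realm, servers):
    """Local realm needs a KDC line and an 'admin server' (where kpasswd sends changes)."""
    entries = servers.get(local_realm, [])
    if not entries:
        return ["no KDC listed for local realm " + local_realm]
    if not any(admin for _, admin in entries):
        return ["no admin server listed for local realm " + local_realm]
    return []
```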
The {\bf krb.realms} file would be updated as follows:

\begin{verbatim}
mideon# cat krb.realms
mideon.bsc.no BSC.NO
.bsc.no BSC.NO
.berkeley.edu CS.BERKELEY.EDU
.MIT.EDU ATHENA.MIT.EDU
.mit.edu ATHENA.MIT.EDU
\end{verbatim}

Now we're ready to create the database. Issue the {\bf kdb\_init} command to
do this:

\begin{verbatim}
mideon# kdb_init
Realm name [default  CS.BERKELEY.EDU ]: BSC.NO
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.

Enter Kerberos master key:
\end{verbatim}

Now we have to save the key so that servers on the local machine can pick it
up. Use the {\bf kstash} command to do this:

\begin{verbatim}
mideon# kstash

Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered.  BEWARE!
\end{verbatim}

\section{Populating the database}

We now have to add some entries to the database. First let's create an entry
for the user {\it md}. Use the {\bf kdb\_edit} command to do this:

\begin{verbatim}
mideon# kdb_edit
Opening database...

Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered.  BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.

Principal name: md
Instance:

md. not found, Create [y] ?

Principal: md, Instance: , kdc_key_ver: 1
New Password:
New Password:

Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ? 100
Attributes [ 0 ] ?
Edit O.K.
\end{verbatim}

Now let's add an entry for the password changing daemon, kpasswd. The
principal name must be {\it kpasswd} and the instance must be the name of the
local machine, {\it mideon} in this case. Similarly, we must also add an entry
for the principal {\it rcmd} with an instance equal to the hostname of the
local machine. Both are service principals, so we let kdb\_edit generate a
random key for them rather than typing a password:

\begin{verbatim}
Principal name: kpasswd
Instance: mideon

kpasswd.mideon not found, Create [y] ?

Principal: kpasswd, Instance: mideon, kdc_key_ver: 1
New Password:                <---- enter RANDOM here
New Password:                <---- and here

Random password [y] ?
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ?
Attributes [ 0 ] ?
Edit O.K.

Principal name: rcmd
Instance: mideon

rcmd.mideon not found, Create [y] ?

Principal: rcmd, Instance: mideon, kdc_key_ver: 1
New Password:                <---- enter RANDOM here
New Password:                <---- and here

Random password [y] ?
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ?
Attributes [ 0 ] ?
Edit O.K.

Principal name:              <---- null entry here will cause an exit
\end{verbatim}

\section{Creating the server file}

We now have to extract the keys of all the instances which define the
services on this machine. For this we use the {\bf ext\_srvtab} command:

\begin{verbatim}
mideon# ext_srvtab mideon

Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered.  BEWARE!
Generating 'mideon-new-srvtab'....
\end{verbatim}

This command only generates a temporary file, which must be renamed to
{\bf srvtab} so that all the servers can pick it up. Use the mv command to
move it into place:

\begin{verbatim}
mideon# mv mideon-new-srvtab srvtab
\end{verbatim}

\section{Testing it all out}

First we have to start the Kerberos daemon:

\begin{verbatim}
mideon# kerberos &
[1] 774
mideon# Kerberos server starting
Sleep forever on error
Log file is /var/log/kerberos.log
Current Kerberos master key version is 1.
Master key entered.  BEWARE!
Current Kerberos master key version is 1
Local realm: BSC.NO
\end{verbatim}

Now we can try using the {\bf kinit} command to get tickets for the id
{\it md} that we created above:

\begin{verbatim}
mideon# kinit md
Kerberos Initialization for "md"
Kerberos Password:
\end{verbatim}

Try listing the tickets using {\bf klist} to see if we really have them:

\begin{verbatim}
mideon# klist
Ticket file:    /tmp/tkt0
Principal:      md@BSC.NO

  Issued           Expires          Principal
Mar 23 21:06:52  Mar 24 05:06:52  krbtgt.BSC.NO@BSC.NO
\end{verbatim}

And now try changing the password using {\bf passwd} to check that the
kpasswd daemon can get authorisation to the Kerberos database:

\begin{verbatim}
mideon# passwd md
Changing Kerberos password for md.@BSC.NO.
Old Kerberos password:
New Kerberos password:
Retype new Kerberos password:
Update complete.
\end{verbatim}

\section{Adding su privileges}

We should now add an id which is authorised to su to root. This is controlled
by having an instance of {\it root} associated with a principal. Using
{\bf kdb\_edit} we can create the entry {\it md.root} in the Kerberos
database:

\begin{verbatim}
mideon# kdb_edit
Opening database...

Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered.  BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.

Principal name: md
Instance: root

md.admin not found, Create [y] ?

Principal: md, Instance: admin, kdc_key_ver: 1
New Password:
New Password:

Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ? 12
Attributes [ 0 ] ?
Edit O.K.

Principal name:
\end{verbatim}

Now try getting tickets for it to make sure it works:

\begin{verbatim}
mideon# kinit md.root
Kerberos Initialization for "md.root"
Kerberos Password:
\end{verbatim}

And list them to check expiry times (one hour, i.e. the 12 five-minute units
set above):

\begin{verbatim}
mideon# klist
Ticket file:    /tmp/tkt0
Principal:      md.root@BSC.NO

  Issued           Expires          Principal
Mar 23 21:08:47  Mar 23 22:08:47  krbtgt.BSC.NO@BSC.NO
mideon#
\end{verbatim}

Now we need to add the user to root's {\bf .klogin} file:

\begin{verbatim}
mideon# cat /root/.klogin
md.root@BSC.NO
\end{verbatim}

Now try doing the su:

\begin{verbatim}
[md@mideon.bsc.no 10407] su
Kerberos Password:
Warning: tgt not verified.
\end{verbatim}

and take a look at what tickets we have:

\begin{verbatim}
mideon# klist
Ticket file:    /tmp/tkt_root_1250
Principal:      md.root@BSC.NO

  Issued           Expires          Principal
Mar 23 22:09:59  Mar 23 22:19:59  krbtgt.BSC.NO@BSC.NO
mideon#
\end{verbatim}

Notice that with this setup each user has their own entry for su'ing to root
(the {\it user}.root entry in Kerberos). This allows you to give root access
to multiple users without the need to share a common root password, and
access can be revoked per user by removing that user's {\it user}.root entry
from {\bf .klogin}.

\end{document}