Add this from Mark Dapoz. It requires LaTeX to format it, but it's

sure a lot better than nothing. Submitted by: md
1994-10-25 13:47:17 +00:00 · 1994-10-25 13:47:17 +00:00 · b92776661f
commit b92776661f
parent 1f967df0a4
1 changed files with 326 additions and 0 deletions
--- a/share/FAQ/kerberos_setup.latex
+++ b/share/FAQ/kerberos_setup.latex
@ -0,0 +1,326 @@
+%% \documentstyle[11pt,a4]{article}
+\documentstyle[11pt]{article}
+%% \pagestyle{headings}
+%% \pagestyle{empty}
+\setlength{\textwidth}{6.5in}
+\setlength{\parindent}{0in}
+%% \setlength{\parskip}{\medskipamount}
+\setlength{\oddsidemargin}{0in}
+\setlength{\evensidemargin}{0in}
+%% \setlength{\footskip}{0.2cm}
+\begin{document}
+
+\begin{center}
+{\LARGE {\bf Configuring Kerberos IV on 4.4 BSD}} \\
+{\it Mark Dapoz} \\
+{\it $<$md@bsc.no$>$} \\
+{\it Bergen Scientific Centre} \\
+{\it Bergen, Norway} \\
+{\it April 4th, 1994} \\
+\end{center}
+
+\section{Introduction}
+
+The following instructions can be used as a quick guide on how to set up
+kerberos as distributed in 4.4 BSD.  However, you should refer to the
+original Athena documentation for a complete description.
+
+
+\section{Creating the initial database}
+
+First make sure that you don't have any old kerberos databases around.  You
+should change to the directory {\bf /etc/kerberosIV} and check that only the
+following files are present:
+
+\begin{verbatim}
+mideon# cd /etc/kerberosIV
+mideon# ls
+README          krb.conf        krb.realms      register_keys
+\end{verbatim}
+
+If any additional files (such as principal.dir) exist, then use the
+{\bf kdb\_destroy} command to destroy the old kerberos database.\\
+
+You should now edit the {\bf krb.conf} and {\bf krb.realms} files to define
+your kerberos realm.  In this case the realm will be {\it BSC.NO} and
+the server is {\it mideon.bsc.no}.  We would edit the {\bf krb.conf}
+file to be as follows:
+
+\begin{verbatim}
+mideon# cat krb.conf
+BSC.NO
+BSC.NO mideon.bsc.no admin server
+CS.BERKELEY.EDU okeeffe.berkeley.edu
+ATHENA.MIT.EDU kerberos.mit.edu
+ATHENA.MIT.EDU kerberos-1.mit.edu
+ATHENA.MIT.EDU kerberos-2.mit.edu
+ATHENA.MIT.EDU kerberos-3.mit.edu
+LCS.MIT.EDU kerberos.lcs.mit.edu
+TELECOM.MIT.EDU bitsy.mit.edu
+ARC.NASA.GOV trident.arc.nasa.gov
+\end{verbatim}
+
+Now we have to add mideon.bsc.no to the BSC.NO realm and also add an entry
+to put all hosts in the .bsc.no domain in the BSC.NO realm.  The 
+{\bf krb.realms} file would be updated as follows:
+
+\begin{verbatim}
+mideon# cat krb.realms
+mideon.bsc.no   BSC.NO
+.bsc.no         BSC.NO
+.berkeley.edu   CS.BERKELEY.EDU
+.MIT.EDU        ATHENA.MIT.EDU
+.mit.edu        ATHENA.MIT.EDU
+\end{verbatim}
+
+Now we're ready to create the database, issue the {\bf kdb\_init} command
+to do this:
+
+\begin{verbatim}
+mideon# kdb_init
+Realm name [default  CS.BERKELEY.EDU ]: BSC.NO
+You will be prompted for the database Master Password.
+It is important that you NOT FORGET this password.
+
+Enter Kerberos master key: 
+\end{verbatim}
+
+Now we have to save the key so that servers on the local machine can pick
+it up.  Use the {\bf kstash} command to do this.
+
+\begin{verbatim}
+mideon# kstash
+
+Enter Kerberos master key: 
+
+Current Kerberos master key version is 1.
+
+Master key entered.  BEWARE!
+\end{verbatim}
+
+\section{Populating the database}
+
+We now have to add some entries into the database.  First lets create an
+entry for the user {\it md}.  Use the {\bf kdb\_edit} command to do this:
+
+\begin{verbatim}
+mideon# kdb_edit
+Opening database...
+
+Enter Kerberos master key: 
+
+Current Kerberos master key version is 1.
+
+Master key entered.  BEWARE!
+Previous or default values are in [brackets] ,
+enter return to leave the same, or new value.
+
+Principal name: md
+Instance: 
+md. not found, Create [y] ? 
+Principal: md, Instance: , kdc_key_ver: 1
+New Password: 
+New Password: 
+
+Principal's new key version = 1
+Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? 
+Max ticket lifetime (*5 minutes) [ 255 ] ? 100
+Attributes [ 0 ] ? 
+Edit O.K.
+\end{verbatim}
+
+Now lets add an entry for the password changing daemon, kpasswd.  The
+principal name must be {\it kpasswd} and the instance must be the name of
+the local machine, {\it mideon} in this case.  Similarily, we must also add
+an entry for the principal {\it rcmd} with an instance equal to the
+hostname of the local machine.
+
+\begin{verbatim}
+Principal name: kpasswd
+Instance: mideon
+kpasswd.mideon not found, Create [y] ? 
+Principal: kpasswd, Instance: mideon, kdc_key_ver: 1
+New Password:                   <---- enter RANDOM here
+New Password:                   <---- and here
+Random password [y] ? 
+
+Principal's new key version = 1
+Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? 
+Max ticket lifetime (*5 minutes) [ 255 ] ? 
+Attributes [ 0 ] ? 
+Edit O.K.
+Principal name: rcmd
+Instance: mideon
+rcmd.mideon not found, Create [y] ? 
+Principal: rcmd, Instance: mideon, kdc_key_ver: 1
+New Password:                   <---- enter RANDOM here
+New Password:                   <---- and here
+Random password [y] ? 
+
+Principal's new key version = 1
+Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? 
+Max ticket lifetime (*5 minutes) [ 255 ] ? 
+Attributes [ 0 ] ? 
+Edit O.K.
+Principal name:                 <---- null entry here will cause an exit
+\end{verbatim}
+
+\section{Creating the server file}
+
+We now have to extract all the instances which define the services on this
+machine.  For this we use the {\bf ext\_srvtab} command.
+
+\begin{verbatim}
+mideon# ext_srvtab mideon
+
+Enter Kerberos master key: 
+
+Current Kerberos master key version is 1.
+
+Master key entered.  BEWARE!
+Generating 'mideon-new-srvtab'....
+\end{verbatim}
+
+Now, this command only generates a temporary file which must be renamed
+to {\bf srvtab} so that all the server can pick it up.  Use the mv command to
+move it into place:
+
+\begin{verbatim}
+mideon# mv mideon-new-srvtab srvtab
+\end{verbatim}
+
+\section{Testing it all out}
+
+First we have to start the kerberos daemon:
+
+\begin{verbatim}
+mideon# kerberos &
+[1] 774
+mideon# Kerberos server starting
+        Sleep forever on error
+        Log file is /var/log/kerberos.log
+Current Kerberos master key version is 1.
+
+Master key entered.  BEWARE!
+
+Current Kerberos master key version is 1
+Local realm: BSC.NO
+\end{verbatim}
+
+Now we can try using the {\bf kinit} command to get tokens for the id 
+{\it md} that we created above:
+
+\begin{verbatim}
+mideon# kinit md
+Kerberos Initialization for "md"
+Kerberos Password: 
+\end{verbatim}
+
+Try listing the tokens using {\bf klist} to see if we really have them:
+
+\begin{verbatim}
+mideon# klist
+Ticket file:    /tmp/tkt0
+Principal:      md@BSC.NO
+
+  Issued           Expires          Principal
+Mar 23 21:06:52  Mar 24 05:06:52  krbtgt.BSC.NO@BSC.NO
+\end{verbatim}
+
+And now try changing the password using {\bf passwd} to check if the 
+kpasswd daemon can get authorisation to the kerberos database:
+
+\begin{verbatim}
+mideon# passwd md
+Changing Kerberos password for md.@BSC.NO.
+Old Kerberos password:
+New Kerberos password:
+Retype new Kerberos password:
+Update complete.
+\end{verbatim}
+
+\section{Adding su priviledges}
+
+We should now add an id which is authorised to su to root.  This is
+controlled by having an instance of {\it root} associated with a principal.
+Using {\bf kdb\_edit} we can create the entry {\it md.root} in the kerberos
+database:
+
+\begin{verbatim}
+mideon# kdb_edit
+Opening database...
+
+Enter Kerberos master key: 
+
+Current Kerberos master key version is 1.
+
+Master key entered.  BEWARE!
+Previous or default values are in [brackets] ,
+enter return to leave the same, or new value.
+
+Principal name: md
+Instance: root
+md.admin not found, Create [y] ? 
+Principal: md, Instance: admin, kdc_key_ver: 1
+New Password: 
+New Password: 
+
+Principal's new key version = 1
+Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? 
+Max ticket lifetime (*5 minutes) [ 255 ] ? 12
+Attributes [ 0 ] ? 
+Edit O.K.
+Principal name: 
+\end{verbatim}
+
+Now try getting tokens for it to make sure it works:
+
+\begin{verbatim}
+mideon# kinit md.root
+Kerberos Initialization for "md.root"
+Kerberos Password: 
+\end{verbatim}
+
+And list them to check expiry times:
+
+\begin{verbatim}
+mideon# klist
+Ticket file:    /tmp/tkt0
+Principal:      md.root@BSC.NO
+
+  Issued           Expires          Principal
+Mar 23 21:08:47  Mar 23 22:08:47  krbtgt.BSC.NO@BSC.NO
+mideon# 
+\end{verbatim}
+
+Now we need to add the user to root's {\bf .klogin} file:
+
+\begin{verbatim}
+mideon# cat /root/.klogin
+md.root@BSC.NO
+\end{verbatim}
+
+Now try doing the su:
+
+\begin{verbatim}
+[md@mideon.bsc.no 10407] su
+Kerberos Password: 
+Warning: tgt not verified.
+\end{verbatim}
+
+and take a look at what tokens we have:
+
+\begin{verbatim}
+mideon# klist
+Ticket file:    /tmp/tkt_root_1250
+Principal:      md.root@BSC.NO
+
+  Issued           Expires          Principal
+Mar 23 22:09:59  Mar 23 22:19:59  krbtgt.BSC.NO@BSC.NO
+mideon# 
+\end{verbatim}
+
+Notice that with this setup each user has their own entry for su'ing to
+root (the {\it user}.root entry in kerberos).  This can allow you to give root
+access to multiple users without the need to share a common root password.
+\end{document}