freebsd-skq/share/FAQ/kerberos_setup.latex
jkh d25178b968 Add this from Mark Dapoz. It requires LaTeX to format it, but it's
sure a lot better than nothing.
Submitted by:	md
1994-10-25 13:47:17 +00:00

327 lines
8.5 KiB
Plaintext

%% \documentstyle[11pt,a4]{article}
\documentstyle[11pt]{article}
%% \pagestyle{headings}
%% \pagestyle{empty}
\setlength{\textwidth}{6.5in}
\setlength{\parindent}{0in}
%% \setlength{\parskip}{\medskipamount}
\setlength{\oddsidemargin}{0in}
\setlength{\evensidemargin}{0in}
%% \setlength{\footskip}{0.2cm}
\begin{document}
\begin{center}
{\LARGE {\bf Configuring Kerberos IV on 4.4 BSD}} \\
{\it Mark Dapoz} \\
{\it $<$md@bsc.no$>$} \\
{\it Bergen Scientific Centre} \\
{\it Bergen, Norway} \\
{\it April 4th, 1994} \\
\end{center}
\section{Introduction}
The following instructions can be used as a quick guide on how to set up
kerberos as distributed in 4.4 BSD. However, you should refer to the
original Athena documentation for a complete description.
\section{Creating the initial database}
First make sure that you don't have any old kerberos databases around. You
should change to the directory {\bf /etc/kerberosIV} and check that only the
following files are present:
\begin{verbatim}
mideon# cd /etc/kerberosIV
mideon# ls
README krb.conf krb.realms register_keys
\end{verbatim}
If any additional files (such as principal.dir) exist, then use the
{\bf kdb\_destroy} command to destroy the old kerberos database.\\
You should now edit the {\bf krb.conf} and {\bf krb.realms} files to define
your kerberos realm. In this case the realm will be {\it BSC.NO} and
the server is {\it mideon.bsc.no}. We would edit the {\bf krb.conf}
file to be as follows:
\begin{verbatim}
mideon# cat krb.conf
BSC.NO
BSC.NO mideon.bsc.no admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu
TELECOM.MIT.EDU bitsy.mit.edu
ARC.NASA.GOV trident.arc.nasa.gov
\end{verbatim}
Now we have to add mideon.bsc.no to the BSC.NO realm and also add an entry
to put all hosts in the .bsc.no domain in the BSC.NO realm. The
{\bf krb.realms} file would be updated as follows:
\begin{verbatim}
mideon# cat krb.realms
mideon.bsc.no BSC.NO
.bsc.no BSC.NO
.berkeley.edu CS.BERKELEY.EDU
.MIT.EDU ATHENA.MIT.EDU
.mit.edu ATHENA.MIT.EDU
\end{verbatim}
Now we're ready to create the database, issue the {\bf kdb\_init} command
to do this:
\begin{verbatim}
mideon# kdb_init
Realm name [default CS.BERKELEY.EDU ]: BSC.NO
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter Kerberos master key:
\end{verbatim}
Now we have to save the key so that servers on the local machine can pick
it up. Use the {\bf kstash} command to do this.
\begin{verbatim}
mideon# kstash
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
\end{verbatim}
\section{Populating the database}
We now have to add some entries into the database. First lets create an
entry for the user {\it md}. Use the {\bf kdb\_edit} command to do this:
\begin{verbatim}
mideon# kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name: md
Instance:
md. not found, Create [y] ?
Principal: md, Instance: , kdc_key_ver: 1
New Password:
New Password:
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ? 100
Attributes [ 0 ] ?
Edit O.K.
\end{verbatim}
Now lets add an entry for the password changing daemon, kpasswd. The
principal name must be {\it kpasswd} and the instance must be the name of
the local machine, {\it mideon} in this case. Similarily, we must also add
an entry for the principal {\it rcmd} with an instance equal to the
hostname of the local machine.
\begin{verbatim}
Principal name: kpasswd
Instance: mideon
kpasswd.mideon not found, Create [y] ?
Principal: kpasswd, Instance: mideon, kdc_key_ver: 1
New Password: <---- enter RANDOM here
New Password: <---- and here
Random password [y] ?
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ?
Attributes [ 0 ] ?
Edit O.K.
Principal name: rcmd
Instance: mideon
rcmd.mideon not found, Create [y] ?
Principal: rcmd, Instance: mideon, kdc_key_ver: 1
New Password: <---- enter RANDOM here
New Password: <---- and here
Random password [y] ?
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ?
Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exit
\end{verbatim}
\section{Creating the server file}
We now have to extract all the instances which define the services on this
machine. For this we use the {\bf ext\_srvtab} command.
\begin{verbatim}
mideon# ext_srvtab mideon
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Generating 'mideon-new-srvtab'....
\end{verbatim}
Now, this command only generates a temporary file which must be renamed
to {\bf srvtab} so that all the server can pick it up. Use the mv command to
move it into place:
\begin{verbatim}
mideon# mv mideon-new-srvtab srvtab
\end{verbatim}
\section{Testing it all out}
First we have to start the kerberos daemon:
\begin{verbatim}
mideon# kerberos &
[1] 774
mideon# Kerberos server starting
Sleep forever on error
Log file is /var/log/kerberos.log
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Current Kerberos master key version is 1
Local realm: BSC.NO
\end{verbatim}
Now we can try using the {\bf kinit} command to get tokens for the id
{\it md} that we created above:
\begin{verbatim}
mideon# kinit md
Kerberos Initialization for "md"
Kerberos Password:
\end{verbatim}
Try listing the tokens using {\bf klist} to see if we really have them:
\begin{verbatim}
mideon# klist
Ticket file: /tmp/tkt0
Principal: md@BSC.NO
Issued Expires Principal
Mar 23 21:06:52 Mar 24 05:06:52 krbtgt.BSC.NO@BSC.NO
\end{verbatim}
And now try changing the password using {\bf passwd} to check if the
kpasswd daemon can get authorisation to the kerberos database:
\begin{verbatim}
mideon# passwd md
Changing Kerberos password for md.@BSC.NO.
Old Kerberos password:
New Kerberos password:
Retype new Kerberos password:
Update complete.
\end{verbatim}
\section{Adding su priviledges}
We should now add an id which is authorised to su to root. This is
controlled by having an instance of {\it root} associated with a principal.
Using {\bf kdb\_edit} we can create the entry {\it md.root} in the kerberos
database:
\begin{verbatim}
mideon# kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name: md
Instance: root
md.admin not found, Create [y] ?
Principal: md, Instance: admin, kdc_key_ver: 1
New Password:
New Password:
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ? 12
Attributes [ 0 ] ?
Edit O.K.
Principal name:
\end{verbatim}
Now try getting tokens for it to make sure it works:
\begin{verbatim}
mideon# kinit md.root
Kerberos Initialization for "md.root"
Kerberos Password:
\end{verbatim}
And list them to check expiry times:
\begin{verbatim}
mideon# klist
Ticket file: /tmp/tkt0
Principal: md.root@BSC.NO
Issued Expires Principal
Mar 23 21:08:47 Mar 23 22:08:47 krbtgt.BSC.NO@BSC.NO
mideon#
\end{verbatim}
Now we need to add the user to root's {\bf .klogin} file:
\begin{verbatim}
mideon# cat /root/.klogin
md.root@BSC.NO
\end{verbatim}
Now try doing the su:
\begin{verbatim}
[md@mideon.bsc.no 10407] su
Kerberos Password:
Warning: tgt not verified.
\end{verbatim}
and take a look at what tokens we have:
\begin{verbatim}
mideon# klist
Ticket file: /tmp/tkt_root_1250
Principal: md.root@BSC.NO
Issued Expires Principal
Mar 23 22:09:59 Mar 23 22:19:59 krbtgt.BSC.NO@BSC.NO
mideon#
\end{verbatim}
Notice that with this setup each user has their own entry for su'ing to
root (the {\it user}.root entry in kerberos). This can allow you to give root
access to multiple users without the need to share a common root password.
\end{document}