path: root/share/FAQ/kerberos_setup.latex
blob: fa2e81e1ac4f492d72bf82ecdea78286d70c4ed6 (plain)
%% \documentstyle[11pt,a4]{article}
\documentstyle[11pt]{article}
%% \pagestyle{headings}
%% \pagestyle{empty}
\setlength{\textwidth}{6.5in}
\setlength{\parindent}{0in}
%% \setlength{\parskip}{\medskipamount}
\setlength{\oddsidemargin}{0in}
\setlength{\evensidemargin}{0in}
%% \setlength{\footskip}{0.2cm}
\begin{document}

\begin{center}
{\LARGE {\bf Configuring Kerberos IV on 4.4 BSD}} \\
{\it Mark Dapoz} \\
{\it $<$md@bsc.no$>$} \\
{\it Bergen Scientific Centre} \\
{\it Bergen, Norway} \\
{\it April 4th, 1994} \\
\end{center}

\section{Introduction}

The following instructions can be used as a quick guide on how to set up
kerberos as distributed in 4.4 BSD.  However, you should refer to the
original Athena documentation for a complete description.


\section{Creating the initial database}

First make sure that you don't have any old kerberos databases around.  You
should change to the directory {\bf /etc/kerberosIV} and check that only the
following files are present:

\begin{verbatim}
mideon# cd /etc/kerberosIV
mideon# ls
README          krb.conf        krb.realms      register_keys
\end{verbatim}

If any additional files (such as principal.dir) exist, then use the
{\bf kdb\_destroy} command to destroy the old kerberos database.

You should now edit the {\bf krb.conf} and {\bf krb.realms} files to define
your kerberos realm.  In this case the realm will be {\it BSC.NO} and
the server is {\it mideon.bsc.no}.  We would edit the {\bf krb.conf}
file to be as follows:

\begin{verbatim}
mideon# cat krb.conf
BSC.NO
BSC.NO mideon.bsc.no admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu
TELECOM.MIT.EDU bitsy.mit.edu
ARC.NASA.GOV trident.arc.nasa.gov
\end{verbatim}

Now we have to add mideon.bsc.no to the BSC.NO realm and also add an entry
to put all hosts in the .bsc.no domain in the BSC.NO realm.  The 
{\bf krb.realms} file would be updated as follows:

\begin{verbatim}
mideon# cat krb.realms
mideon.bsc.no   BSC.NO
.bsc.no         BSC.NO
.berkeley.edu   CS.BERKELEY.EDU
.MIT.EDU        ATHENA.MIT.EDU
.mit.edu        ATHENA.MIT.EDU
\end{verbatim}
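As an added illustration (not part of the original guide), the following Python models how a client uses these two files together: {\bf krb.realms} maps a hostname to a realm, and {\bf krb.conf} lists that realm's servers and which of them is the admin server. The lookup order (an exact host entry first, then the longest matching .domain suffix, with no further fallback) is this model's own simplification; the sample file contents are copied, abridged, from the listings above.

```python
# Added example, not from the original guide: a model of how a Kerberos IV
# client resolves hostname -> realm (krb.realms) -> KDCs (krb.conf).
# Lookup order (exact host entry, then longest ".domain" suffix) is this
# model's simplification; the real library has fallbacks not shown here.

# Sample contents copied (abridged) from the guide's listings above.
KRB_CONF = """\
BSC.NO
BSC.NO mideon.bsc.no admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
"""

KRB_REALMS = """\
mideon.bsc.no   BSC.NO
.bsc.no         BSC.NO
.berkeley.edu   CS.BERKELEY.EDU
.MIT.EDU        ATHENA.MIT.EDU
.mit.edu        ATHENA.MIT.EDU
"""

def parse_krb_conf(text):
    """Return (local_realm, {realm: [(kdc_host, is_admin_server), ...]}).
    Line 1 names the local realm; later lines are 'REALM host [admin server]'."""
    lines = [l.split() for l in text.splitlines() if l.strip()]
    local_realm = lines[0][0]
    kdcs = {}
    for fields in lines[1:]:
        realm, host = fields[0], fields[1]
        is_admin = fields[2:4] == ["admin", "server"]
        kdcs.setdefault(realm, []).append((host, is_admin))
    return local_realm, kdcs

def realm_of_host(hostname, realms_text):
    """Exact host entry wins; otherwise the longest matching '.domain' entry.
    Returns None when nothing matches (no default realm is assumed)."""
    best = None
    for pattern, realm in (l.split() for l in realms_text.splitlines() if l.strip()):
        if not pattern.startswith("."):
            if pattern == hostname:
                return realm
        elif hostname.endswith(pattern) and (best is None or len(pattern) > len(best[0])):
            best = (pattern, realm)
    return best[1] if best else None

def kdcs_for_host(hostname):
    """Client-side resolution: hostname -> realm -> that realm's KDC list."""
    _, kdcs = parse_krb_conf(KRB_CONF)
    realm = realm_of_host(hostname, KRB_REALMS)
    return realm, kdcs.get(realm, [])
```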

Now we're ready to create the database.  Issue the {\bf kdb\_init} command
to do this:

\begin{verbatim}
mideon# kdb_init
Realm name [default  CS.BERKELEY.EDU ]: BSC.NO
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.

Enter Kerberos master key: 
\end{verbatim}

Now we have to save the key so that servers on the local machine can pick
it up.  Use the {\bf kstash} command to do this.

\begin{verbatim}
mideon# kstash

Enter Kerberos master key: 

Current Kerberos master key version is 1.

Master key entered.  BEWARE!
\end{verbatim}

\section{Populating the database}

We now have to add some entries into the database.  First let's create an
entry for the user {\it md}.  Use the {\bf kdb\_edit} command to do this:

\begin{verbatim}
mideon# kdb_edit
Opening database...

Enter Kerberos master key: 

Current Kerberos master key version is 1.

Master key entered.  BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.

Principal name: md
Instance: 
md. not found, Create [y] ? 
Principal: md, Instance: , kdc_key_ver: 1
New Password: 
New Password: 

Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? 
Max ticket lifetime (*5 minutes) [ 255 ] ? 100
Attributes [ 0 ] ? 
Edit O.K.
\end{verbatim}

Now let's add an entry for the password changing daemon, kpasswd.  The
principal name must be {\it kpasswd} and the instance must be the name of
the local machine, {\it mideon} in this case.  Similarly, we must also add
an entry for the principal {\it rcmd} with an instance equal to the
hostname of the local machine.

\begin{verbatim}
Principal name: kpasswd
Instance: mideon
kpasswd.mideon not found, Create [y] ? 
Principal: kpasswd, Instance: mideon, kdc_key_ver: 1
New Password:                   <---- enter RANDOM here
New Password:                   <---- and here
Random password [y] ? 

Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? 
Max ticket lifetime (*5 minutes) [ 255 ] ? 
Attributes [ 0 ] ? 
Edit O.K.
Principal name: rcmd
Instance: mideon
rcmd.mideon not found, Create [y] ? 
Principal: rcmd, Instance: mideon, kdc_key_ver: 1
New Password:                   <---- enter RANDOM here
New Password:                   <---- and here
Random password [y] ? 

Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? 
Max ticket lifetime (*5 minutes) [ 255 ] ? 
Attributes [ 0 ] ? 
Edit O.K.
Principal name:                 <---- null entry here will cause an exit
\end{verbatim}

\section{Creating the server file}

We now have to extract all the instances which define the services on this
machine.  For this we use the {\bf ext\_srvtab} command.

\begin{verbatim}
mideon# ext_srvtab mideon

Enter Kerberos master key: 

Current Kerberos master key version is 1.

Master key entered.  BEWARE!
Generating 'mideon-new-srvtab'....
\end{verbatim}

Now, this command only generates a temporary file which must be renamed
to {\bf srvtab} so that all the servers can pick it up.  Use the {\bf mv}
command to move it into place:

\begin{verbatim}
mideon# mv mideon-new-srvtab srvtab
\end{verbatim}

\section{Testing it all out}

First we have to start the kerberos daemon:

\begin{verbatim}
mideon# kerberos &
[1] 774
mideon# Kerberos server starting
        Sleep forever on error
        Log file is /var/log/kerberos.log
Current Kerberos master key version is 1.

Master key entered.  BEWARE!

Current Kerberos master key version is 1
Local realm: BSC.NO
\end{verbatim}

Now we can try using the {\bf kinit} command to get tokens for the id 
{\it md} that we created above:

\begin{verbatim}
mideon# kinit md
Kerberos Initialization for "md"
Kerberos Password: 
\end{verbatim}

Try listing the tokens using {\bf klist} to see if we really have them:

\begin{verbatim}
mideon# klist
Ticket file:    /tmp/tkt0
Principal:      md@BSC.NO

  Issued           Expires          Principal
Mar 23 21:06:52  Mar 24 05:06:52  krbtgt.BSC.NO@BSC.NO
\end{verbatim}

And now try changing the password using {\bf passwd} to check if the 
kpasswd daemon can get authorisation to the kerberos database:

\begin{verbatim}
mideon# passwd md
Changing Kerberos password for md.@BSC.NO.
Old Kerberos password:
New Kerberos password:
Retype new Kerberos password:
Update complete.
\end{verbatim}

\section{Adding su privileges}

We should now add an id which is authorised to su to root.  This is
controlled by having an instance of {\it root} associated with a principal.
Using {\bf kdb\_edit} we can create the entry {\it md.root} in the kerberos
database:

\begin{verbatim}
mideon# kdb_edit
Opening database...

Enter Kerberos master key: 

Current Kerberos master key version is 1.

Master key entered.  BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.

Principal name: md
Instance: root
md.root not found, Create [y] ? 
Principal: md, Instance: root, kdc_key_ver: 1
New Password: 
New Password: 

Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? 
Max ticket lifetime (*5 minutes) [ 255 ] ? 12
Attributes [ 0 ] ? 
Edit O.K.
Principal name: 
\end{verbatim}

Now try getting tokens for it to make sure it works:

\begin{verbatim}
mideon# kinit md.root
Kerberos Initialization for "md.root"
Kerberos Password: 
\end{verbatim}

And list them to check expiry times:

\begin{verbatim}
mideon# klist
Ticket file:    /tmp/tkt0
Principal:      md.root@BSC.NO

  Issued           Expires          Principal
Mar 23 21:08:47  Mar 23 22:08:47  krbtgt.BSC.NO@BSC.NO
mideon# 
\end{verbatim}

Now we need to add the user to root's {\bf .klogin} file:

\begin{verbatim}
mideon# cat /root/.klogin
md.root@BSC.NO
\end{verbatim}

Now try doing the su:

\begin{verbatim}
[md@mideon.bsc.no 10407] su
Kerberos Password: 
Warning: tgt not verified.
\end{verbatim}

and take a look at what tokens we have:

\begin{verbatim}
mideon# klist
Ticket file:    /tmp/tkt_root_1250
Principal:      md.root@BSC.NO

  Issued           Expires          Principal
Mar 23 22:09:59  Mar 23 22:19:59  krbtgt.BSC.NO@BSC.NO
mideon# 
\end{verbatim}
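An added example (not from the original guide) that reads the three {\bf klist} listings shown in this document and checks the granted ticket lifetime against the Max ticket lifetime values entered in {\bf kdb\_edit} (100 for {\it md}, 12 for {\it md.root}), converting between minutes and kdb\_edit's 5-minute units. The KDC may grant less than the maximum when the client asks for less (the su ticket above is only 10 minutes), so the check is that the granted lifetime does not exceed the configured one.

```python
from datetime import datetime

# Constructed from the three klist outputs shown in this guide
# (added example; not part of the original document).
KLIST_LINES = {
    "md (kinit)":      "Mar 23 21:06:52  Mar 24 05:06:52  krbtgt.BSC.NO@BSC.NO",
    "md.root (kinit)": "Mar 23 21:08:47  Mar 23 22:08:47  krbtgt.BSC.NO@BSC.NO",
    "md.root (su)":    "Mar 23 22:09:59  Mar 23 22:19:59  krbtgt.BSC.NO@BSC.NO",
}

# "Max ticket lifetime (*5 minutes)" values entered in kdb_edit above.
MAX_LIFE_UNITS = {"md": 100, "md.root": 12}

UNIT_MINUTES = 5  # kdb_edit expresses lifetimes in 5-minute units

def parse_klist_line(line):
    """Split a klist ticket line into (issued, expires, service principal).
    klist prints no year, so both timestamps share strptime's default year;
    the midnight crossing in the first sample is still handled correctly."""
    fields = line.split()
    issued = datetime.strptime(" ".join(fields[0:3]), "%b %d %H:%M:%S")
    expires = datetime.strptime(" ".join(fields[3:6]), "%b %d %H:%M:%S")
    return issued, expires, fields[6]

def granted_minutes(line):
    """Lifetime actually granted for the ticket on this klist line."""
    issued, expires, _ = parse_klist_line(line)
    return int((expires - issued).total_seconds() // 60)

def lifetime_units(minutes):
    """Minutes -> kdb_edit's 5-minute units."""
    return minutes // UNIT_MINUTES

def max_life_minutes(units):
    """kdb_edit units -> minutes (the default 255 is 21h15m)."""
    return units * UNIT_MINUTES

def within_max_life(principal, line):
    """True if the granted lifetime does not exceed the principal's maximum."""
    return lifetime_units(granted_minutes(line)) <= MAX_LIFE_UNITS[principal]
```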

Notice that with this setup each user has their own entry for su'ing to
root (the {\it user}.root entry in kerberos).  This can allow you to give root
access to multiple users without the need to share a common root password.
\end{document}