+ Creating the initial database
+
+ This is done on the Kerberos server only. First make sure that your
+ don't have any old Kerberos databases around. You should change to the
+ directory /etc/kerberosIV and check that only the following
+ files are present:
-mideon# cd /etc/kerberosIV
-mideon# ls
-README krb.conf krb.realms register_keys
-
+grunt# cd /etc/kerberosIV
+grunt# ls
+README krb.conf krb.realms
+
- If any additional files (such as principal.dir) exist,
- then use the kdb_destroy command to destroy the
- old kerberos database.
+
If any additional files (such as principal.* or
+ master_key) exist, then use the kdb_destroy
+ command to destroy the old Kerberos database, of if Kerberos
+ is not running, simply delete the extra files with rm.
-
You should now edit the krb.conf and
- krb.realms files to define your kerberos realm.
- In this case the realm will be BSC.NO and the
- server is mideon.bsc.no. We would edit the
- krb.conf file to be as follows:
+ You should now edit the krb.conf and krb.realms
+ files to define your Kerberos realm. In this case the realm will
+ be GRONDAR.ZA and the server is grunt.grondar.za.
+ We edit or create the krb.conf file:
-mideon# cat krb.conf
-BSC.NO
-BSC.NO mideon.bsc.no admin server
+grunt# cat krb.conf
+GRONDAR.ZA
+GRONDAR.ZA grunt.grondar.za admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu
TELECOM.MIT.EDU bitsy.mit.edu
ARC.NASA.GOV trident.arc.nasa.gov
-
+
+
+
In this case, the other realms do not need to be there.
+ They are here as an example of how a machine may be made aware
+ of multiple realms. You may wish to not include them for simplicity.
-
Now we have to add mideon.bsc.no to the
- BSC.NO realm and also add an entry to put all
- hosts in the .bsc.no domain in the
- BSC.NO realm. The krb.realms file
- would be updated as follows:
+ The first line names the realm in which this system works. The other
+ lines contain realm/host entries. The first item on a line is a realm,
+ and the second is a host in that realm that is acting as a ``key
+ distribution centre''. The words ``admin server'' following a hosts
+ name means that host also provides an administrative database server.
+ For further explanation of these terms, please consult the Kerberos
+ man pages.
+
+ Now we have to add grunt.grondar.za to the GRONDAR.ZA
+ realm and also add an entry to put all hosts in the .grondar.za
+ domain in the GRONDAR.ZA realm. The krb.realms file
+ would be updated as follows:
- mideon# cat krb.realms
- mideon.bsc.no BSC.NO
- .bsc.no BSC.NO
- .berkeley.edu CS.BERKELEY.EDU
- .MIT.EDU ATHENA.MIT.EDU
- .mit.edu ATHENA.MIT.EDU
+ grunt# cat krb.realms
+ grunt.grondar.za GRONDAR.ZA
+ .grondar.za GRONDAR.ZA
+ .berkeley.edu CS.BERKELEY.EDU
+ .MIT.EDU ATHENA.MIT.EDU
+ .mit.edu ATHENA.MIT.EDU
-
Now we're ready to create the database, issue the
- kdb_init command to do this:
+
Again, the other realms do not need to be there.
+ They are here as an example of how a machine may be made aware
+ of multiple realms. You may wish to remove them to simplify things.
+
+ The first line puts the specific system into the named
+ realm. The rest of the lines show how to default systems of a
+ particular subdomain to a named realm.
+
+ Now we're ready to create the database. This only needs to run on
+ the Kerberos server (or Key Distribution Centre). Issue the
+ kdb_init command to do this:
-mideon# kdb_init
-Realm name [default CS.BERKELEY.EDU ]: BSC.NO
+grunt# kdb_init
+Realm name [default ATHENA.MIT.EDU ]: GRONDAR.ZA
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter Kerberos master key:
-
+
-
Now we have to save the key so that servers on the local
- machine can pick it up. Use the kstash command to
- do this.
+
Now we have to save the key so that servers on the local
+ machine can pick it up. Use the kstash command to
+ do this.
-mideon# kstash
+grunt# kstash
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
-
+
+
+
This saves the encrypted master password in
+ /etc/kerberosIV/master_key.
-
- Populating the database
+
+ Making it all run
- We now have to add some entries into the database.
- First lets create an entry for the user md. Use
- the kdb_edit command to do this:
+
Two principals need to be added to the database for each
+ system that will be secured with Kerberos. Their names are
+ kpasswd and rcmd These two principals are
+ made for each system, with the instance being the name of the
+ individual system.
+
+ These daemons, kpasswd and rcmd allow other systems
+ to change Kerberos passwords and run commands like rcp,
+ rlogin and rsh.
+
+ Now lets add these entries:
-mideon# kdb_edit
+grunt# kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
-Principal name: md
-Instance:
-md. not found, Create [y] ?
-Principal: md, Instance: , kdc_key_ver: 1
-New Password:
-New Password:
+Principal name: passwd
+Instance: grunt
-Principal's new key version = 1
-Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
-Max ticket lifetime (*5 minutes) [ 255 ] ? 100
-Attributes [ 0 ] ?
-Edit O.K.
-
+, Create [y] ? y
- Now lets add an entry for the password changing daemon,
- kpasswd. The principal name must be kpasswd and
- the instance must be the name of the local machine,
- mideon in this case. Similarily, we must also
- add an entry for the principal rcmd with an
- instance equal to the hostname of the local machine.
+Principal: passwd, Instance: grunt, kdc_key_ver: 1
+New Password: <---- enter RANDOM here
+Verifying password
-
-Principal name: kpasswd
-Instance: mideon
-kpasswd.mideon not found, Create [y] ?
-Principal: kpasswd, Instance: mideon, kdc_key_ver: 1
-New Password: <---- enter RANDOM here
-New Password: <---- and here
-Random password [y] ?
+New Password: <---- enter RANDOM here
+
+Random password [y] ? y
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ?
Attributes [ 0 ] ?
Edit O.K.
Principal name: rcmd
-Instance: mideon
-rcmd.mideon not found, Create [y] ?
-Principal: rcmd, Instance: mideon, kdc_key_ver: 1
-New Password: <---- enter RANDOM here
-New Password: <---- and here
+Instance: grunt
+
+, Create [y] ?
+
+Principal: rcmd, Instance: grunt, kdc_key_ver: 1
+New Password: <---- enter RANDOM here
+Verifying password
+
+New Password: <---- enter RANDOM here
+
Random password [y] ?
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ?
Attributes [ 0 ] ?
Edit O.K.
-Principal name: <---- null entry here will cause an exit
-
+Principal name: <---- null entry here will cause an exit
+
-
- Creating the server file
+
+ Creating the server file
- We now have to extract all the instances which define
- the services on this machine. For this we use the
- ext_srvtab command.
+
We now have to extract all the instances which define the services
+ on each machine. For this we use the ext_srvtab command.
+ This will create a file which must be copied or moved by secure
+ means to each Kerberos client's /etc/kerberosIV directory. This
+ file must be present on each server and client, and is crucial to the
+ operation of Kerberos.
-mideon# ext_srvtab mideon
+grunt# ext_srvtab grunt
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
-Generating 'mideon-new-srvtab'....
-
+Generating 'grunt-new-srvtab'....
+
+
+
Now, this command only generates a temporary file
+ which must be renamed to srvtab so that all the
+ server can pick it up. Use the mv command to move it
+ into place on the original system:
+
+
+grunt# mv grunt-new-srvtab srvtab
+
-
Now, this command only generates a temporary file
- which must be renamed to srvtab so that all the
- server can pick it up. Use the mv command to move it
- into place:
+
If the file is for a client system, and the network is not
+ deemed safe, then copy the <client>-new-srvtab to
+ removeable media and transport it by secure physical means. Be
+ sure to rename it to srvtab in the client's
+ /etc/kerberosIV directory, and make sure it is mode 600:
-mideon# mv mideon-new-srvtab srvtab
-
+grumble# mv grumble-new-srvtab srvtab
+grumble# chmod 600 srvtab
+
-
- Testing it all out
+
+ Populating the database
- First we have to start the kerberos daemon:
+
We now have to add some user entries into the database.
+ First lets create an entry for the user jane. Use
+ the kdb_edit command to do this:
-mideon# kerberos &
-[1] 774
-mideon# Kerberos server starting
+grunt# kdb_edit
+Opening database...
+
+Enter Kerberos master key:
+
+Current Kerberos master key version is 1.
+
+Master key entered. BEWARE!
+Previous or default values are in [brackets] ,
+enter return to leave the same, or new value.
+
+Principal name: jane
+Instance:
+
+, Create [y] ? y
+
+Principal: jane, Instance: , kdc_key_ver: 1
+New Password: <---- enter a secure password here
+Verifying password
+
+New Password: <---- re-enter the password here
+
+Principal's new key version = 1
+Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
+Max ticket lifetime (*5 minutes) [ 255 ] ?
+Attributes [ 0 ] ?
+Edit O.K.
+Principal name: <---- null entry here will cause an exit
+
+
+
+ Testing it all out
+
+ First we have to start the Kerberos daemons. NOTE that if you have
+ correctly edited your /etc/sysconfig then this will happen
+ automatically when you reboot. This is only necessary on the Kerberos
+ server. Kerberos clients will automagically get what they need from
+ the /etc/kerberosIV directory.
+
+
+grunt# kerberos &
+grunt# Kerberos server starting
Sleep forever on error
Log file is /var/log/kerberos.log
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Current Kerberos master key version is 1
-Local realm: BSC.NO
-
+Local realm: GRONDAR.ZA
+grunt# kadmin -n &
+grunt# KADM Server KADM0.0A initializing
+Please do not use 'kill -9' to kill this job, use a
+regular kill instead
- Now we can try using the kinit command to get
- tokens for the id md that we created above:
+Current Kerberos master key version is 1.
+
+Master key entered. BEWARE!
+
+
+
Now we can try using the kinit command to get a ticket for
+ the id jane that we created above:
-mideon# kinit md
-Kerberos Initialization for "md"
-Kerberos Password:
-
+grunt$ kinit jane
+MIT Project Athena (grunt.grondar.za)
+Kerberos Initialization for "jane"
+Password:
+
- Try listing the tokens using klist to see if we
- really have them:
+
Try listing the tokens using klist to see if we really have them:
-mideon# klist
-Ticket file: /tmp/tkt0
-Principal: md@BSC.NO
+grunt$ klist
+Ticket file: /tmp/tkt245
+Principal: jane@GRONDAR.ZA
Issued Expires Principal
-Mar 23 21:06:52 Mar 24 05:06:52 krbtgt.BSC.NO@BSC.NO
-
+Apr 30 11:23:22 Apr 30 19:23:22 krbtgt.GRONDAR.ZA@GRONDAR.ZA
+
- And now try changing the password using passwd
- to check if the kpasswd daemon can get authorisation to
- the kerberos database:
+
Now try changing the password using passwd to check if the
+ kpasswd daemon can get authorisation to the Kerberos database:
-mideon# passwd md
-Changing Kerberos password for md.@BSC.NO.
-Old Kerberos password:
-New Kerberos password:
-Retype new Kerberos password:
-Update complete.
-
-
-
- Adding su priviledges
-
- We should now add an id which is authorised to su to
- root. This is controlled by having an instance of
- root associated with a principal. Using
- kdb_edit we can create the entry
- md.root in the kerberos database:
+grunt$ passwd
+realm GRONDAR.ZA
+Old password for jane:
+New Password for jane:
+Verifying password
+New Password for jane:
+Password changed.
+
+
+
+ Adding su privileges
+
+ Kerberos allows us to give each user who needs root
+ privileges their own separate supassword. We
+ could now add an id which is authorised to su to root.
+ This is controlled by having an instance of root associated
+ with a principal. Using kdb_edit we can create the entry
+ jane.root in the Kerberos database:
-mideon# kdb_edit
+grunt# kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
-Principal name: md
+Principal name: jane
Instance: root
-md.admin not found, Create [y] ?
-Principal: md, Instance: admin, kdc_key_ver: 1
-New Password:
-New Password:
+
+, Create [y] ? y
+
+Principal: jane, Instance: root, kdc_key_ver: 1
+New Password: <---- enter a SECURE password here
+Verifying password
+
+New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
-Max ticket lifetime (*5 minutes) [ 255 ] ? 12
+Max ticket lifetime (*5 minutes) [ 255 ] ? 12 <--- Keep this short!
Attributes [ 0 ] ?
Edit O.K.
-Principal name:
-
+Principal name: <---- null entry here will cause an exit
+
+
+
Now try getting tokens for it to make sure it works:
+
+
+grunt# kinit jane.root
+MIT Project Athena (grunt.grondar.za)
+Kerberos Initialization for "jane.root"
+Password:
+
- Now try getting tokens for it to make sure it works:
+
Now we need to add the user to root's .klogin file:
-mideon# kinit md.root
-Kerberos Initialization for "md.root"
-Kerberos Password:
-
+grunt# cat /root/.klogin
+jane.root@GRONDAR.ZA
+
- And list them to check expiry times:
+
Now try doing the su:
-mideon# klist
-Ticket file: /tmp/tkt0
-Principal: md.root@BSC.NO
+[jane@grunt 10407] su
+Password:
+grunt#
+
+
+ and take a look at what tokens we have:
+
+
+grunt# klist
+Ticket file: /tmp/tkt_root_245
+Principal: jane.root@GRONDAR.ZA
Issued Expires Principal
-Mar 23 21:08:47 Mar 23 22:08:47 krbtgt.BSC.NO@BSC.NO
-mideon#
-
+May 2 20:43:12 May 3 04:43:12 krbtgt.GRONDAR.ZA@GRONDAR.ZA
+
+
+
+ Using other commands
+
+ In an earlier example, we created a principal called jane
+ with an instance root. This was based on a user with the
+ same name as the principal, and this is a Kerberos default; that a
+ <principal>.<instance> of the form
+ <username>.root will allow that
+ <username> to su to root if the necessary
+ entries are in the .klogin file in root's home
+ directory:
- Now we need to add the user to root's .klogin file:
+
+grunt# cat /root/.klogin
+jane.root@GRONDAR.ZA
+
+
+
Likewise, if a user has in their own home directory lines of the
+ form:
-mideon# cat /root/.klogin
-md.root@BSC.NO
-
+[jane@grunt 10543] cat ~/.klogin
+jane@GRONDAR.ZA
+jack@GRONDAR.ZA
+
+
+
This allows anyone in the GRONDAR.ZA realm who has
+ authenticated themselves to jane or jack (via
+ kinit, see above) access to rlogin to jane's
+ account or files on this system (grunt) via rlogin,
+ rsh or rcp.
- Now try doing the su:
+ For example, Jane now logs into another system, using Kerberos:
-[md@mideon.bsc.no 10407] su
-Kerberos Password:
-Warning: tgt not verified.
-
+[jane@grumble 573] kinit
+MIT Project Athena (grunt.grondar.za)
+Password:
+[jane@grumble 574] rlogin grunt
+Last login: Mon May 1 21:14:47 from grumble
+Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
+ The Regents of the University of California. All rights reserved.
- and take a look at what tokens we have:
+FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995
+
+[jane@grunt 10567]
+
+
+
Or Jack logs into Jane's account on the same machine (Jane having set up
+ the .klogin file as above, and the person in charge of Kerberos
+ having set up principal jack with a null instance:
-mideon# klist
-Ticket file: /tmp/tkt_root_1250
-Principal: md.root@BSC.NO
+[jack@grumble 573] kinit
+[jack@grumble 574] rlogin grunt -l jane
+MIT Project Athena (grunt.grondar.za)
+Password:
+Last login: Mon May 1 21:16:55 from grumble
+Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
+ The Regents of the University of California. All rights reserved.
- Issued Expires Principal
-Mar 23 22:09:59 Mar 23 22:19:59 krbtgt.BSC.NO@BSC.NO
-mideon#
-
-
- Notice that with this setup each user has their own entry
- for su'ing to root (the user.root entry
- in kerberos). This can allow you to give root access to
- multiple users without the need to share a common root
- password.
+FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995
+
+[jane@grunt 10578]
+