====== Server installation of Kerberos ======

The server installation consists of just two packages:

**apt-get install krb5-{admin-server,**

The debconf questions and the answers used for this lab (realm STUDENT.LAB, with the KDC and the admin server both on vm14.student.lab):

Default Kerberos version 5 realm? **STUDENT.LAB**

Does DNS contain pointers to your realm'

Add locations of default Kerberos servers to /

Create the Kerberos KDC configuration automatically?

Should the data be purged as well as the package files? **No**

Run the Kerberos V5 administration daemon (kadmind)? **Yes**

Kerberos servers for your realm: **vm14.student.lab**

Administrative server for your Kerberos realm: **vm14.student.lab**

Create the Kerberos KDC configuration automatically?

To create the Kerberos realm, invoke the Debian-specific command krb5_newrealm:

**krb5_newrealm**

Enter your master password for Kerberos. This password protects the KDC database master key: choose a strong one and keep a copy somewhere safe, because it is needed to recover the database.
+ | |||
====== Kerberos Configuration ======

Next we need to edit the Kerberos config file, /

Add the domain-to-realm mappings (the [domain_realm] section). The entry with the leading dot maps every host under student.lab to the realm; the entry without it maps the bare domain name itself. Both are needed:

**.student.lab = STUDENT.LAB** \\
**student.lab = STUDENT.LAB**

At the bottom of the file add the logging section, so that KDC and kadmind activity is written to log files you can audit later:

<code>
[logging]
kdc = FILE:/
admin_server = FILE:/
default = FILE:/
</code>

After editing /

Next we need to edit the "[libdefaults]" section in /

Now we need to apply the changes we made:

**invoke-rc.d krb5-admin-server restart** \\
**invoke-rc.d krb5-kdc restart**
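The two mapping lines are easier to understand with the lookup they feed. The script below is an added example, not code from this page or from MIT Kerberos: it emulates how libkrb5 walks the [domain_realm] section (exact host entry first, then each parent domain with a leading dot, then default_realm as the last resort; the real library may also try DNS before that last step) against two constructed krb5.conf files. The second file drops the bare student.lab line and uses a made-up default realm, OTHER.TEST, so the fall-through that the bare line prevents becomes visible.

```shell
#!/bin/sh
# Added example (not from the original page): emulate the [domain_realm]
# lookup libkrb5 performs, to show what each of the two mapping lines does.
# Both config files are constructed for this example; on the server the real
# file is /etc/krb5.conf.
set -eu

KRB5_CONF_EXAMPLE=$(mktemp)
KRB5_CONF_NOBARE=$(mktemp)
trap 'rm -f "$KRB5_CONF_EXAMPLE" "$KRB5_CONF_NOBARE"' EXIT

# The lab configuration: both mapping lines present.
cat > "$KRB5_CONF_EXAMPLE" <<'EOF'
[libdefaults]
        default_realm = STUDENT.LAB

[domain_realm]
        .student.lab = STUDENT.LAB
        student.lab = STUDENT.LAB
EOF

# Same, but the bare "student.lab" line is missing and default_realm is a
# made-up realm (OTHER.TEST) so the fall-through becomes visible.
cat > "$KRB5_CONF_NOBARE" <<'EOF'
[libdefaults]
        default_realm = OTHER.TEST

[domain_realm]
        .student.lab = STUDENT.LAB
EOF

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { insec = ($1 == sec); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# realm_for_host FILE HOST: the realm chosen for HOST. Precedence is an exact
# host entry, then each parent domain with a leading dot, then default_realm
# as the last resort (real libkrb5 may also try DNS before that last step).
realm_for_host() {
    conf=$1
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # lowercased first, as libkrb5 does
    r=$(conf_get "$conf" domain_realm "$host")
    if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
    rest=$host
    while [ "${rest#*.}" != "$rest" ]; do
        rest=${rest#*.}
        r=$(conf_get "$conf" domain_realm ".$rest")
        if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
    done
    conf_get "$conf" libdefaults default_realm
}

echo "lab config:"
for h in vm14.student.lab student.lab VM15.STUDENT.LAB www.example.org; do
    printf '  %-20s -> %s\n' "$h" "$(realm_for_host "$KRB5_CONF_EXAMPLE" "$h")"
done
echo "without the bare student.lab line:"
for h in vm14.student.lab student.lab; do
    printf '  %-20s -> %s\n' "$h" "$(realm_for_host "$KRB5_CONF_NOBARE" "$h")"
done
```

Note the last case in the lab config: a host with no mapping at all (www.example.org) silently ends up in STUDENT.LAB through default_realm, so a typo in a mapping line does not produce an error, only a wrong realm.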
Next we need to test the changes.
+ | |||
**kadmin.local** \\
Authenticating as principal root/

kadmin.local:
<code>
K/
kadmin/
kadmin/
kadmin/
kadmin/
krbtgt/
</code>

kadmin.local:

Next, check the kadmind ACL file:

**vi /**

Check to make sure it has the line below. It grants every principal whose instance is admin (root/admin, for example) every permission on the database, so create such principals only for real administrators:
<code>
*/admin *
</code>

Next we need to restart the krb5-admin-server so it re-reads the ACL: \\
**invoke-rc.d krb5-admin-server restart**
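To see precisely what the */admin * line grants, here is an added shell emulation of kadm5.acl matching (example code, not from this page or from MIT Kerberos). The ACL it reads is constructed; the helpdesk line is hypothetical and only there to contrast a narrow grant (change password and inquire) with the wildcard one. Shell globbing stands in for the ACL wildcards, which is exact for ordinary one- and two-component principals.

```shell
#!/bin/sh
# Added example (not from the original page, nor MIT Kerberos code): a small
# emulation of kadm5.acl matching, to make visible what "*/admin *" grants.
# The ACL below is constructed; the helpdesk line is hypothetical and only
# contrasts a narrow grant with the wildcard one.
set -eu

KADM5_ACL_EXAMPLE=$(mktemp)
trap 'rm -f "$KADM5_ACL_EXAMPLE"' EXIT
cat > "$KADM5_ACL_EXAMPLE" <<'EOF'
# principal             permissions
*/admin                 *
helpdesk@STUDENT.LAB    ci
EOF

# acl_perms FILE PRINCIPAL: permission string of the first entry whose
# principal pattern matches, or "-" when none does (kadmind then denies).
# A pattern written without a realm is compared against the principal with
# its realm stripped, which is what kadmind's default-realm handling amounts
# to here. Shell globbing stands in for the ACL wildcards; that is exact for
# ordinary one- and two-component principals.
acl_perms() {
    princ=$2
    bare=${princ%@*}
    while read -r pat perms _rest; do
        case $pat in ''|'#'*) continue ;; esac      # skip blanks and comments
        case $pat in
            *@*) case $princ in $pat) printf '%s\n' "$perms"; return 0 ;; esac ;;
            *)   case $bare  in $pat) printf '%s\n' "$perms"; return 0 ;; esac ;;
        esac
    done < "$1"
    printf '%s\n' '-'
}

# acl_allows FILE PRINCIPAL LETTER: succeed if the permission LETTER
# (a=add, d=delete, m=modify, c=changepw, i=inquire, l=list, ...) is granted;
# "*" and "x" grant all of them.
acl_allows() {
    perms=$(acl_perms "$1" "$2")
    case $perms in
        '*'|x)   return 0 ;;
        *"$3"*)  return 0 ;;
        *)       return 1 ;;
    esac
}

for p in root/admin@STUDENT.LAB mirko@STUDENT.LAB helpdesk@STUDENT.LAB anyone/admin@STUDENT.LAB; do
    printf '%-28s %s\n' "$p" "$(acl_perms "$KADM5_ACL_EXAMPLE" "$p")"
done
```

The last line of the output is the point: anyone/admin gets everything too. Any principal whose instance is admin, in the default realm, has full administrative power, so the ability to create such principals is itself full administrative power and should be treated as such.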

Next we need to create four basic policies:

**kadmin.local** \\
Authenticating as principal root/

**kadmin.local:** \\
**kadmin.local:** \\
**kadmin.local:** \\
**kadmin.local:**

kadmin.local:
+ | |||
====== Principal creation ======

Next we need to create the principal for the root administrator:

**kadmin.local** \\
Authenticating as principal root/

kadmin.local:

Enter password for principal “root/
Re-enter password for principal “root/
Principal “root/

kadmin.local:

Creating the first unprivileged principal

Next we need to add an unprivileged account. From here on use kadmin, authenticating as the admin principal through kadmind, rather than kadmin.local: \\
**kadmin -p root/** \\
Authenticating as principal root/

Password for root/

kadmin: **addprinc -policy user mirko**

Enter password for principal “mirko@STUDENT.LAB”:
Re-enter password for principal “mirko@STUDENT.LAB”:
Principal “mirko@STUDENT.LAB” created.

kadmin: **quit**

Let's check our tickets:

**klist -5f**

klist: No credentials cache found (ticket cache FILE:/

Obtain a ticket as mirko:

**kinit**

Password for mirko@STUDENT.LAB:

**klist -5f**

<code>
Ticket cache: FILE:/
Default principal: mirko@STUDENT.LAB

Valid starting
04/12/2010 08:30:33 04/13/2010 08:
renew until 04/13/2010 22:30:34, Flags: FPRIA
</code>

The flags mean the ticket is Forwardable, Proxiable, Renewable, Initial (obtained with the password, not derived from another ticket) and preAuthenticated.

**kdestroy** throws away the ticket cache; run it when you are done so the TGT is not left lying in the cache file.
+ | |||
====== Installing krb5-rsh-server ======

Next we need to install the krb5-rsh-server. Its services run from inetd, so install openbsd-inetd first:

**apt-get install openbsd-inetd** \\
**apt-get install krb5-rsh-server**

Re-register the inetd init script so it starts at boot:

**update-rc.d -f openbsd-inetd remove** \\
**update-rc.d openbsd-inetd defaults**

Enable the Kerberized services in inetd, then restart it:

**update-inetd --enable kshell** \\
**update-inetd --enable eklogin**

**invoke-rc.d openbsd-inetd restart**

Next, create the host principals and export their keys to a keytab file. The keys are random (-randkey), so nobody ever types them; the keytab is the only copy outside the KDC database and must stay readable by root only. \\
**kadmin -p root/**

Password for root/

kadmin: **addprinc -policy service -randkey host/**
Principal “host/

kadmin: **addprinc -policy service -randkey host/**
Principal “host/

kadmin: **ktadd -k /**

ktadd writes one entry per encryption type the principal has a key for, which is why several lines appear for one principal:

<code>
Entry for principal host/
Entry for principal host/
Entry for principal host/
Entry for principal host/
</code>

kadmin: **ktadd -k /**

<code>
Entry for principal host/
Entry for principal host/
Entry for principal host/
Entry for principal host/
</code>

kadmin: **quit**
+ | |||
====== Installing krb5-clients ======

Let's install Kerberized versions of the basic client programs:

**apt-get install krb5-clients**

Obtain a Kerberos ticket:

**kinit**

Password for USERNAME@STUDENT.LAB:

Connect (the -x option encrypts the session; without it only the authentication is protected):

**krb5-rsh -x -PN VM14.STUDENT.LAB**

<code>
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
You have new mail.
</code>
+ | |||
====== Pam files Configuration ======

Back up the PAM configuration first:

**cd /etc** \\
**cp -a pam.d pam.d,orig**

Keep a root shell open while you edit; if the new stacks lock you out, restore the backup from it (enter the command below as a safety net):

**cp -a pam.d,**

We need to make sure that only the following lines are active in each of the indicated files. The order matters: pam_unix is tried first, pam_krb5 reuses the same password (use_first_pass) so the user is not prompted twice, and the final pam_deny line turns "neither module succeeded" into an explicit failure.

**vi /**
<code>
account sufficient pam_unix.so
account sufficient pam_krb5.so
account required pam_deny.so
</code>

**vi /**
<code>
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
</code>

**vi /**
<code>
password sufficient pam_unix.so nullok obscure md5
password sufficient pam_krb5.so use_first_pass
password required pam_deny.so
</code>

**vi /**
<code>
session required pam_limits.so
session optional pam_krb5.so
session optional pam_unix.so
</code>

Restart vm14.student.lab and confirm that logins still work.
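As an added check (example code, not part of the original page), the script below lints PAM stacks for the two properties the configuration above depends on: the auth, account and password stacks end with required pam_deny.so, and in the auth and password stacks any pam_krb5 line after the first module carries use_first_pass. The three files it reads are constructed for the example; the real ones are under /etc/pam.d.

```shell
#!/bin/sh
# Added example (not from the original page): lint PAM stacks for the two
# properties the configuration above relies on. Every auth, account and
# password stack must end in "required pam_deny.so", and in the auth and
# password stacks any pam_krb5 line after the first module must carry
# use_first_pass. The files below are constructed; the real ones are under
# /etc/pam.d.
set -eu

PAM_GOOD=$(mktemp); PAM_NODENY=$(mktemp); PAM_PROMPT=$(mktemp)
trap 'rm -f "$PAM_GOOD" "$PAM_NODENY" "$PAM_PROMPT"' EXIT

cat > "$PAM_GOOD" <<'EOF'
# common-auth as configured in this tutorial
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
EOF
cat > "$PAM_NODENY" <<'EOF'
# mistake 1: the closing pam_deny line was dropped
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so use_first_pass
EOF
cat > "$PAM_PROMPT" <<'EOF'
# mistake 2: pam_krb5 will prompt for the password a second time
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so
auth required pam_deny.so
EOF

# pam_last_control FILE TYPE: "<control> <module>" of the last active TYPE line
# (empty if the file has none).
pam_last_control() {
    awk -v t="$2" '$0 !~ /^[ \t]*#/ && $1 == t { l = $2 " " $3 } END { print l }' "$1"
}

# pam_stack_ok FILE TYPE: succeed only if the stack ends in "required pam_deny.so"
# and (for auth and password) every later pam_krb5 line uses use_first_pass.
pam_stack_ok() {
    [ "$(pam_last_control "$1" "$2")" = "required pam_deny.so" ] || return 1
    case $2 in auth|password) ;; *) return 0 ;; esac
    awk -v t="$2" '
        $0 ~ /^[ \t]*#/ || $1 != t { next }
        n++ > 0 && $3 == "pam_krb5.so" && $0 !~ /use_first_pass/ { bad = 1 }
        END { exit bad }' "$1"
}

for f in "$PAM_GOOD" "$PAM_NODENY" "$PAM_PROMPT"; do
    if pam_stack_ok "$f" auth; then echo "ok   $(head -n 1 "$f")"; else echo "FAIL $(head -n 1 "$f")"; fi
done
```

Run it against each of the four files above with the matching type (auth, account, password) before you log out of the root shell; the session stack is deliberately exempt, since it does not end in pam_deny.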
+ | |||
====== Configuration of client systems ======

Log on to vm15 and vm16 and install the Kerberos PAM module and the user tools:

**apt-get install libpam-krb5** \\
**apt-get install krb5-user**

Once this is done, log back in to vm14.student.lab and copy the configuration to the clients:

**scp /** \\
**scp /**
+ | |||
+ | |||