Heimdal
| Download Source: | http://ftp.vc-graz.ac.at/mirror/crypto/kerberos/heimdal/heimdal-0.7.2.tar.gz |
|---|---|
| Download Patch: | ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.7.2-setuid-patch.txt |
| Download Patch: | http://www.linuxfromscratch.org/patches/blfs/svn/heimdal-0.7.2-fhs_compliance-1.patch |
| Download Patch (for cracklib): | http://www.linuxfromscratch.org/patches/blfs/svn/heimdal-0.7.2-cracklib-1.patch |
Dependencies
Required
- Berkeley DB (recommended) or GDBM
Recommended
Optional
Non-Multilib
If you want the Heimdal package to link against the CrackLib library so that strong passwords are enforced (this requires CrackLib-2.8.9 installed with the heimdal patch), apply the following patch first:
patch -Np1 -i ../heimdal-0.7.2-cracklib-1.patch
Install Heimdal by running the following commands:
patch -Np1 -i ../heimdal-0.7.2-setuid-patch.txt &&
patch -Np1 -i ../heimdal-0.7.2-fhs_compliance-1.patch &&
./configure --prefix=/usr \
            --sysconfdir=/etc/heimdal \
            --libexecdir=/usr/sbin \
            --datadir=/var/lib/heimdal \
            --localstatedir=/var/lib/heimdal \
            --enable-shared \
            --with-readline=/usr &&
make
Now, as the root user:
mv -v /usr/include/fnmatch.h /usr/include/fnmatch.h.glibc &&
mv -v /usr/include/glob.h /usr/include/glob.h.glibc &&
mv -v /usr/include/ss/ss.h /usr/include/ss/ss.h.e2fsprogs &&
mv -v /usr/lib/libss.a /usr/lib/libss.a.e2fsprogs &&
mv -v /usr/lib/libss.so /usr/lib/libss.so.e2fsprogs &&
make install &&
mv -v /usr/include/fnmatch.h /usr/include/fnmatch.h.heimdal &&
mv -v /usr/include/fnmatch.h.glibc /usr/include/fnmatch.h &&
mv -v /usr/include/glob.h /usr/include/glob.h.heimdal &&
mv -v /usr/include/glob.h.glibc /usr/include/glob.h &&
install -v -m755 -d /usr/share/doc/heimdal-0.7.2/standardisation &&
install -v -m644 doc/{init-creds,layman.asc} \
    /usr/share/doc/heimdal-0.7.2 &&
install -v -m644 doc/standardisation/* \
    /usr/share/doc/heimdal-0.7.2/standardisation &&
mv -v /bin/login /bin/login.shadow &&
mv -v /bin/su /bin/su.shadow &&
mv -v /usr/bin/{login,su} /bin &&
ln -v -sf ../../bin/login /usr/bin &&
mv -v /usr/lib/lib{otp,kafs,krb5,asn1,roken,crypto}.so.* /lib &&
for SYMLINK in otp.so.0.1.3 kafs.so.0.4.1 krb5.so.17.4.0 \
    asn1.so.6.1.0 roken.so.16.1.0 crypto.so.0.9.8
do
    ln -v -sf ../../lib/lib$SYMLINK \
        /usr/lib/lib`echo $SYMLINK | cut -d. -f1`.so
done
ldconfig
Multilib
TODO...
32Bit
TODO...
N32
TODO...
64Bit
TODO...
Configuration
Create the Kerberos configuration file with the following commands:
install -v -m755 -d /etc/heimdal &&
cat > /etc/heimdal/krb5.conf << "EOF"
# Begin /etc/heimdal/krb5.conf

[libdefaults]
    default_realm = <EXAMPLE.COM>
    encrypt = true

[realms]
    <EXAMPLE.COM> = {
        kdc = <hostname.example.com>
        admin_server = <hostname.example.com>
        kpasswd_server = <hostname.example.com>
    }

[domain_realm]
    .<example.com> = <EXAMPLE.COM>

[logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb.log

# End /etc/heimdal/krb5.conf
EOF
chmod -v 644 /etc/heimdal/krb5.conf
You will need to substitute your own domain and the KDC's fully qualified hostname for every occurrence of the <hostname.example.com>, <example.com> and <EXAMPLE.COM> placeholders.
default_realm should be the name of your domain converted to ALL CAPS. This isn't required, but both Heimdal and MIT krb5 recommend it.
encrypt = true requests encryption of all traffic between kerberized clients and servers. It is optional and can be left out; if you leave it out, the same protection can be requested per connection with a switch on the client program instead.
The [realms] parameters tell the client programs where to look for the KDC authentication services.
The [domain_realm] section maps a domain to a realm.
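A sanity check for a krb5.conf of the shape created above, added here as an example and not part of the BLFS instructions: it reports leftover template placeholders, a missing or lower-case default_realm, a default realm with no kdc entry in [realms], and the absence of encrypt = true. The function name is an assumption for this example.

```shell
#!/bin/sh
# Added example, not from the BLFS page: sanity-check a krb5.conf of the
# shape shown above before the KDC is started.  The function name is an
# assumption for this example.
lint_krb5_conf() {
    conf=$1
    rc=0
    # 1. Any <placeholder> left over from the template is an error.
    if grep -nE '<[^>]+>' "$conf"; then
        echo "ERROR: template placeholders remain in $conf" >&2
        rc=1
    fi
    # 2. default_realm must exist; the page recommends ALL CAPS for it.
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | head -n 1)
    if [ -z "$realm" ]; then
        echo "ERROR: no default_realm in [libdefaults]" >&2
        rc=1
    else
        [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] \
            || echo "WARN: default_realm '$realm' is not upper case" >&2
        # 3. The default realm needs a kdc = entry inside its [realms] block.
        awk -v r="$realm" '
            /^\[/ { sect = $1 }
            sect == "[realms]" && $1 == r && /\{/ { inrealm = 1 }
            inrealm && /^[ \t]*kdc[ \t]*=/ { found = 1 }
            inrealm && /\}/ { inrealm = 0 }
            END { exit found ? 0 : 1 }' "$conf" \
        || { echo "ERROR: no kdc entry for realm $realm in [realms]" >&2; rc=1; }
    fi
    # 4. encrypt = true is optional; flag its absence so leaving it out is a choice.
    grep -qE '^[[:space:]]*encrypt[[:space:]]*=[[:space:]]*true' "$conf" \
        || echo "NOTE: encrypt = true not set; clients must request encryption themselves" >&2
    return $rc
}
```

Run it as `lint_krb5_conf /etc/heimdal/krb5.conf` after editing the file; a non-zero exit means at least one error was reported.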
Store the master password in a key file using the following commands:
install -v -m755 -d /var/lib/heimdal && kstash
Create the KDC database:
kadmin -l
The commands below will prompt you for information about the principals. Choose the defaults for now unless you know what you are doing and need to specify different values. You can go back later and change the defaults if you need to. You may use the up and down arrow keys to use the history feature of kadmin in the same way as the bash history feature.
At the kadmin> prompt, issue the following statement:
init <EXAMPLE.COM>
The database must now be populated with at least one principal (user). For now, just use your regular login name or root. You may create as few or as many principals as you wish using the following statement:
add <loginname>
The KDC server and any machine running kerberized server daemons must have a host key installed:
add --random-key host/<hostname.example.com>
After choosing the defaults when prompted, export the host key to a keytab file:
ext host/<hostname.example.com>
This should have created two files in /etc/heimdal: krb5.keytab (Kerberos 5) and srvtab (Kerberos 4). Both files should have mode 600 (read/write for root only). Keeping the keytab files from public access is crucial to the overall security of the Kerberos installation, because they hold the host's long-term keys.
Eventually, you'll want to add server daemon principals to the database and extract them to the keytab file. You do this in the same way you created the host principal. Below is an example:
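A check for the permissions just described, added here as an example and not part of the BLFS instructions: it verifies that each keytab written by kadmin's ext command is owned by root and has no group or world bits. The function names and the optional owner argument are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the BLFS page: verify that the keytab files
# written by kadmin's ext command are readable only by root.  The function
# names and the optional OWNER argument are assumptions for this example.
check_keytab() {
    file=$1
    owner=${2:-root}
    if [ ! -f "$file" ]; then
        echo "MISSING: $file" >&2
        return 1
    fi
    # GNU stat first; fall back to BSD stat syntax.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    user=$(stat -c '%U' "$file" 2>/dev/null || stat -f '%Su' "$file")
    rc=0
    # Anything other than 600 (or a read-only 400) exposes the keys.
    case $mode in
        600|400) ;;
        *) echo "BAD MODE: $file is $mode, expected 600" >&2; rc=1 ;;
    esac
    if [ "$user" != "$owner" ]; then
        echo "BAD OWNER: $file owned by $user, expected $owner" >&2
        rc=1
    fi
    return $rc
}

# Audit both files that kadmin ext writes under /etc/heimdal.
audit_heimdal_keytabs() {
    dir=${1:-/etc/heimdal}
    status=0
    for f in krb5.keytab srvtab; do
        check_keytab "$dir/$f" "${2:-root}" || status=1
    done
    return $status
}
```

Run `audit_heimdal_keytabs` as root after each ext; a non-zero exit means a keytab is missing or exposed.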
add --random-key ftp/<hostname.example.com>
(choose the defaults)
ext ftp/<hostname.example.com>
Exit the kadmin program (use quit or exit) and return to the shell prompt. Start the KDC daemon manually, just to test the installation:
/usr/sbin/kdc &
Attempt to get a TGT (ticket granting ticket) with the following command:
kinit <loginname>
You will be prompted for the password you created. After you get your ticket, you should list it with the following command:
klist
Information about the ticket should be displayed on the screen.
To test the functionality of the keytab file, issue the following command:
ktutil list
This should list the host principals stored in the keytab, along with the encryption type of each stored key.
At this point, if everything has been successful so far, you can feel fairly confident in the installation, setup and configuration of your new Heimdal Kerberos 5 installation.
Install the /etc/rc.d/init.d/heimdal init script included in the blfs-bootscripts package:
make install-heimdal