Heimdal

From CBLFS
Revision as of 00:49, 11 October 2006 by Manphiz (talk | contribs)
Jump to navigationJump to search
Download Source: http://ftp.vc-graz.ac.at/mirror/crypto/kerberos/heimdal/heimdal-0.7.2.tar.gz
Download Patch: ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.7.2-setuid-patch.txt
Download Patch: http://www.linuxfromscratch.org/patches/blfs/svn/heimdal-0.7.2-fhs_compliance-1.patch
Download Patch (for cracklib): http://www.linuxfromscratch.org/patches/blfs/svn/heimdal-0.7.2-cracklib-1.patch

Dependencies

Required

Reccomended

Optional

Non-Multilib

If you wish the Heimdal package to link against the CrackLib library to provide enforcement of strong passwords (requires CrackLib-2.8.9 installed with the heimdal patch), you must apply a patch:

patch -Np1 -i ../heimdal-0.7.2-cracklib-1.patch

Install Heimdal by running the following commands:

patch -Np1 -i ../heimdal-0.7.2-setuid-patch.txt &&
patch -Np1 -i ../heimdal-0.7.2-fhs_compliance-1.patch &&
./configure --prefix=/usr \
            --sysconfdir=/etc/heimdal \
            --libexecdir=/usr/sbin \
            --datadir=/var/lib/heimdal \
            --localstatedir=/var/lib/heimdal \
            --enable-shared \
            --with-readline=/usr &&
make

Now, as the root user(the following process requires Berkeley DB 4.5.*. Adjust the script if you didn't have Berkeley DB or using a different version):

mv -v /usr/include/fnmatch.h /usr/include/fnmatch.h.glibc &&
mv -v /usr/include/glob.h /usr/include/glob.h.glibc &&
mv -v /usr/include/ss/ss.h /usr/include/ss/ss.h.e2fsprogs &&
mv -v /usr/lib/libss.a /usr/lib/libss.a.e2fsprogs &&
mv -v /usr/lib/libss.so /usr/lib/libss.so.e2fsprogs &&
make install &&
mv -v /usr/include/fnmatch.h /usr/include/fnmatch.h.heimdal &&
mv -v /usr/include/fnmatch.h.glibc /usr/include/fnmatch.h &&
mv -v /usr/include/glob.h /usr/include/glob.h.heimdal &&
mv -v /usr/include/glob.h.glibc /usr/include/glob.h &&
install -v -m755 -d /usr/share/doc/heimdal-0.7.2/standardisation &&
install -v -m644 doc/{init-creds,layman.asc} \
    /usr/share/doc/heimdal-0.7.2 &&
install -v -m644 doc/standardisation/* \
    /usr/share/doc/heimdal-0.7.2/standardisation &&
mv -v /bin/login /bin/login.shadow &&
mv -v /bin/su /bin/su.shadow &&
mv -v /usr/bin/{login,su} /bin &&
ln -v -sf ../../bin/login /usr/bin &&
mv -v /usr/lib/lib{otp,kafs,krb5,asn1,roken,crypto}.so.* \
      /usr/lib/libdb-4.5.so /lib &&
ln -v -sf ../../lib/libdb-4.5.so /usr/lib/libdb.so &&
ln -v -sf ../../lib/libdb-4.5.so /usr/lib/libdb-4.so &&
mv -v /usr/lib/lib{otp,kafs,krb5,asn1,roken,crypto}.so.* /lib &&
for SYMLINK in otp.so.0.1.3  kafs.so.0.4.1   krb5.so.17.4.0 \
               asn1.so.6.1.0 roken.so.16.1.0 crypto.so.0.9.8
do
    ln -v -sf ../../lib/lib$SYMLINK \
        /usr/lib/lib`echo $SYMLINK | cut -d. -f1`.so
done
ldconfig

Multilib

TODO...

32Bit

TODO...

N32

TODO...

64Bit

TODO...

Configuration

Create the Kerberos configuration file with the following commands:

install -v -m755 -d /etc/heimdal &&
cat > /etc/heimdal/krb5.conf << "EOF"
# Begin /etc/heimdal/krb5.conf

[libdefaults]
    default_realm = <EXAMPLE.COM>
    encrypt = true

[realms]
    <EXAMPLE.COM> = {
        kdc = <hostname.example.com>
        admin_server = <hostname.example.com>
        kpasswd_server = <hostname.example.com>
    }

[domain_realm]
    .<example.com> = <EXAMPLE.COM>

[logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb.log

# End /etc/heimdal/krb5.conf
EOF
chmod -v 644 /etc/heimdal/krb5.conf

You will need to substitute your domain and proper hostname for the occurrences of the <hostname> and <EXAMPLE.COM> names.

default_realm should be the name of your domain changed to ALL CAPS. This isn't required, but both Heimdal and MIT krb5 recommend it.

encrypt = true provides encryption of all traffic between kerberized clients and servers. It's not necessary and can be left off. If you leave it off, you can encrypt all traffic from the client to the server using a switch on the client program instead.

The [realms] parameters tell the client programs where to look for the KDC authentication services.

The [domain_realm] section maps a domain to a realm.

Store the master password in a key file using the following commands:

install -v -m755 -d /var/lib/heimdal &&
kstash

Create the KDC database:

kadmin -l

The commands below will prompt you for information about the principles. Choose the defaults for now unless you know what you are doing and need to specify different values. You can go in later and change the defaults, should you feel the need. You may use the up and down arrow keys to use the history feature of kadmin in a similar manner as the bash history feature.

At the kadmin> prompt, issue the following statement:

init <EXAMPLE.COM>

The database must now be populated with at least one principle (user). For now, just use your regular login name or root. You may create as few, or as many principles as you wish using the following statement:

add <loginname>

The KDC server and any machine running kerberized server daemons must have a host key installed:

add --random-key host/<hostname.example.com>

After choosing the defaults when prompted, you will have to export the data to a keytab file:

ext host/<hostname.example.com>

This should have created two files in /etc/heimdal: krb5.keytab (Kerberos 5) and srvtab (Kerberos 4). Both files should have 600 (root rw only) permissions. Keeping the keytab files from public access is crucial to the overall security of the Kerberos installation.

Eventually, you'll want to add server daemon principles to the database and extract them to the keytab file. You do this in the same way you created the host principles. Below is an example:

add --random-key ftp/<hostname.example.com>

(choose the defaults)

ext ftp/<hostname.example.com>

Exit the kadmin program (use quit or exit) and return back to the shell prompt. Start the KDC daemon manually, just to test out the installation:

/usr/sbin/kdc &

Attempt to get a TGT (ticket granting ticket) with the following command:

kinit <loginname>

You will be prompted for the password you created. After you get your ticket, you should list it with the following command:

klist

Information about the ticket should be displayed on the screen.

To test the functionality of the keytab file, issue the following command:

ktutil list

This should dump a list of the host principals, along with the encryption methods used to access the principals.

At this point, if everything has been successful so far, you can feel fairly confident in the installation, setup and configuration of your new Heimdal Kerberos 5 installation.

Install the /etc/rc.d/init.d/heimdal init script included in the blfs-bootscripts package:

make install-heimdal
Retrieved from "?title=Heimdal&oldid=2817"