Difference between revisions of "MIT krb5"
Edit summary: (I cleaned up the page.)

Changes in this revision (removed text marked −, added text marked +):

Line 15:
  === Optional ===
  * [[xinetd]] (services servers only)
− * [[Linux-
+ * [[Linux-PAM]] (for '''xdm''' based logins)
  * [[OpenLDAP]] (alternative for '''krb5kdc''' password database)

Line 57:
  to '''/etc/password''' could prevent any logins.
− If you understand the above warning and Linux-
+ If you understand the above warning and [[Linux-PAM]] is not installed, the following commands can be used:
  mv -v /bin/login /bin/login.shadow &&
Revision as of 08:51, 23 December 2006
Download Source: http://web.mit.edu/kerberos/www/dist/krb5/1.7/krb5-1.7-signed.tar
Introduction to MIT Krb5
MIT krb5 is a free implementation of Kerberos 5, a network authentication protocol. It centralizes the authentication database on a Key Distribution Center (KDC) and lets kerberized applications authenticate to servers and services that support Kerberos, giving single sign-on and encrypted communication over internal networks or the Internet.
Dependencies
Optional
- xinetd (only on hosts that serve the kerberized network services)
- Linux-PAM (for xdm based logins)
- OpenLDAP (alternative for krb5kdc password database)
Note: A time synchronization facility of some sort (like NTP) is needed on your system if you're going to be using Kerberos. Kerberos won't authenticate if the clocks of a kerberized client and the KDC server differ by more than the configured clock skew, which is 5 minutes (300 seconds) by default. The same limit bounds how old an authenticator a service will accept, which is part of what stops replayed requests from working, so the clock is security-relevant and not just a convenience: synchronize the time between the client and the server, and use a time source you trust.
Non-Multilib
Build the package:
cd src &&
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var/lib --enable-dns --enable-static --mandir=/usr/share/man &&
make
Install the package:
make install &&
mv -v /usr/lib/libdes425.so.3* /lib &&
mv -v /usr/lib/libk5crypto.so.3* /lib &&
mv -v /usr/lib/libkrb5.so.3* /lib &&
mv -v /usr/lib/libkrb4.so.2* /lib &&
mv -v /usr/lib/libcom_err.so.3* /lib &&
mv -v /usr/bin/ksu /bin &&
ln -v -sf ../../lib/libkrb4.so.2 /usr/lib/libkrb4.so &&
ln -v -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so &&
ln -v -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so &&
ln -v -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so &&
ln -v -sf ../../lib/libdes425.so.3 /usr/lib/libdes425.so &&
ldconfig
Warning: login.krb5 does not support shadow passwords. So, when the Kerberos server is unavailable, its fallback to the local password hash in /etc/passwd will not work, because the hashes are now in /etc/shadow (where they were put while building CLFS). Entering the following commands without moving the hashes back to /etc/passwd could prevent any logins.
If you understand the above warning and Linux-PAM is not installed, the following commands can be used:
mv -v /bin/login /bin/login.shadow &&
cp -v /usr/sbin/login.krb5 /bin/login
If CrackLib is installed, or if a word list has been put in /usr/share/dict, the following command makes it available to kadmind as the password dictionary (the file named by dict_file in kdc.conf), so that principals cannot choose passwords that appear in the list:
ln -s /usr/share/dict/words /var/lib/krb5kdc/kadmin.dict
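The warning above is easy to get wrong on a real box, because the mv/cp pair is only safe when two things are true at once: Linux-PAM is absent (otherwise leave /bin/login alone and use PAM) and the local hashes are really back in /etc/passwd. The following script, added here as an illustration rather than taken from the CLFS page, checks both conditions before doing the replacement. The paths are parameterised so the checks can be run against a scratch tree; the defaults match the page. The only tool names assumed beyond the page are awk and the Linux-PAM library file name libpam.so.

```sh
#!/bin/sh
# Added example (not part of the CLFS page): only swap /bin/login for
# login.krb5 when the conditions in the warning above hold.
set -u

# passwd_is_shadowed PASSWD_FILE
#   Succeeds (exit 0) if any account's password field is exactly "x",
#   meaning its hash lives in /etc/shadow, which login.krb5 cannot read
#   when the KDC is unreachable.
passwd_is_shadowed() {
    awk -F: '$2 == "x" { found = 1 } END { exit !found }' "$1"
}

# pam_present LIBDIR...
#   Succeeds if a Linux-PAM shared library (libpam.so*) exists in any of
#   the given directories.  Assumption: PAM installs under that name.
pam_present() {
    for d in "$@"; do
        for f in "$d"/libpam.so*; do
            [ -e "$f" ] && return 0
        done
    done
    return 1
}

# login_krb5_check PASSWD_FILE LIBDIR...
#   Returns:
#     0  safe to replace /bin/login with login.krb5
#     1  Linux-PAM is installed: keep the Shadow login and use PAM instead
#     2  hashes are still in /etc/shadow: move them back first (pwunconv)
login_krb5_check() {
    passwd=$1; shift
    if pam_present "$@"; then
        echo "Linux-PAM found; do not replace /bin/login" >&2
        return 1
    fi
    if passwd_is_shadowed "$passwd"; then
        echo "$passwd is still shadowed; login.krb5 could lock everyone out" >&2
        return 2
    fi
    return 0
}

# install_login_krb5 [ROOT]
#   Performs the page's mv/cp below ROOT (default: the running system) only
#   if login_krb5_check passes; otherwise propagates its return code.
install_login_krb5() {
    root=${1:-}
    login_krb5_check "$root/etc/passwd" "$root/lib" "$root/usr/lib" || return $?
    mv -v "$root/bin/login" "$root/bin/login.shadow" &&
    cp -v "$root/usr/sbin/login.krb5" "$root/bin/login"
}

# Usage on the real system (as root, after the install step above):
#   install_login_krb5 || echo "not replaced, see message above"
```

Because the guard runs before anything is moved, a refused run leaves the Shadow login in place, which is the failure mode you want: a system you can still log in to.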
Command Explanations
--enable-dns: This switch builds in support for finding a host's realm (and its KDCs) through DNS records. The answer is ordinary, unauthenticated DNS, so whoever can spoof your resolver can steer a client to a realm of their choosing; keep dns_lookup_realm set to false in krb5.conf and list the realms and KDCs explicitly unless you trust the resolver path.
--enable-static: This switch builds static libraries in addition to the shared libraries.
mv -v /bin/login /bin/login.shadow && cp -v /usr/sbin/login.krb5 /bin/login && mv -v /usr/bin/ksu /bin: Preserves Shadow's login program as login.shadow, replaces it with the kerberized login.krb5, and moves ksu to /bin so that both are available from the root filesystem.
mv -v ... /lib and ln -v -sf ...: The login and ksu programs are linked against these libraries, so the libraries are moved to /lib (with compatibility symlinks left in /usr/lib) to allow logins when /usr is not mounted.
Multilib
32Bit
TODO....
N32
TODO....
64Bit
TODO....
Configuring
See BLFS' MIT krb5 page for how to configure Kerberos.
For additional information, take a look at Documentation for krb-1.4.1.
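As an added example (not taken from the BLFS page referred to above), here is a minimal pair of configuration files that applies the security-relevant points on this page: realm lookup kept off DNS even though the build was done with --enable-dns, the 5-minute clock skew from the note written out explicitly, and the kadmin.dict word list installed above wired in as the password dictionary. The realm EXAMPLE.ORG and the host kdc.example.org are assumed names; the /var/lib/krb5kdc paths follow from --localstatedir=/var/lib.

```ini
# /etc/krb5.conf  (added example; realm and host names are assumptions)
[libdefaults]
    default_realm = EXAMPLE.ORG
    # The build enables DNS lookups, but a spoofed TXT record could map a
    # host to an attacker's realm, so realm mapping stays off DNS.
    dns_lookup_realm = false
    dns_lookup_kdc = false
    # Largest clock difference tolerated between client and KDC, in seconds
    # (the 5-minute limit from the time-synchronization note).
    clockskew = 300
    forwardable = true

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        admin_server = kdc.example.org
    }

[domain_realm]
    .example.org = EXAMPLE.ORG
    example.org = EXAMPLE.ORG

# /var/lib/krb5kdc/kdc.conf  (same assumptions; read by krb5kdc and kadmind)
[kdcdefaults]
    kdc_ports = 88

[realms]
    EXAMPLE.ORG = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = /var/lib/krb5kdc/kadm5.keytab
        acl_file = /var/lib/krb5kdc/kadm5.acl
        # The symlink created above; kadmind rejects any password found here.
        dict_file = /var/lib/krb5kdc/kadmin.dict
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }
```

The two files are shown together for brevity; each goes in the path named in its leading comment. Everything else about setting up the realm (creating the database with kdb5_util, the kadm5.acl contents, extracting keytabs) is covered by the BLFS page referred to above.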
Contents
| Installed Programs | compile_et, ftp, ftpd, gss-client, gss-server, k5srvutil, kadmin, kadmin.local, kadmind, kadmind4, kdb5_util, kdestroy, kinit, klist, klogind, kpasswd, kprop, kpropd, krb5-send-pr, krb5-config, krb524d, krb524init, krb5kdc, kshd, ksu, ktutil, kvno, login.krb5, rcp, rlogin, rsh, sclient, sim_client, sim_server, sserver, telnet, telnetd, uuclient, uuserver, v5passwd, and v5passwdd |
|---|---|
| Installed Libraries | libcom_err.{so,a}, libdes425.{so,a}, libgssapi.{so,a}, libgssrpc.{so,a}, libkadm5clnt.{so,a}, libkadm5srv.{so,a}, libkdb5.{so,a}, libkrb5.{so,a}, and libkrb4.{so,a} |
| Installed Directories | /usr/include/kerberosIV and /var/lib/krb5kdc |
Short Descriptions
| Program or library | Description |
|---|---|
| compile_et | converts a table listing error-code names and messages into a C source file. |
| ftp | is a kerberized FTP client. |
| ftpd | is a kerberized FTP daemon. |
| k5srvutil | is a host key table (keytab) manipulation utility. |
| kadmin | is a utility used to make modifications to the Kerberos database. |
| kadmind | is a server for administrative access to a Kerberos database. |
| kdb5_util | is the KDC database utility. |
| kdestroy | removes the current set of tickets. |
| kinit | is used to authenticate to the Kerberos server as a principal and acquire a ticket granting ticket that can later be used to obtain tickets for other services. |
| klist | reads and displays the current tickets in the credential cache. |
| klogind | is the server that responds to rlogin requests. |
| kpasswd | is a program for changing Kerberos 5 passwords. |
| kprop | sends a dump of the principal database (as produced by kdb5_util) to a slave KDC as a stream of database records. |
| kpropd | receives a database sent by kprop and writes it as a local database. |
| krb5-config | gives information on how to link programs against the Kerberos libraries. |
| krb5kdc | is the Kerberos 5 Key Distribution Center (KDC) server. |
| kshd | is the server that responds to rsh requests. |
| ksu | is the super user program using the Kerberos protocol. It is installed setuid root and requires a properly configured /etc/shells and a ~/.k5login in the target account's home directory listing the principals authorized to become that user. |
| ktutil | is a program for managing Kerberos keytabs. |
| kvno | prints key version numbers of Kerberos principals. |
| login.krb5 | is a kerberized login program. |
| rcp | is a kerberized rcp client program. |
| rlogin | is a kerberized rlogin client program. |
| rsh | is a kerberized rsh client program. |
| telnet | is a kerberized telnet client program. |
| telnetd | is a kerberized telnet server. |
| libcom_err.{so,a} | implements the common error-code and error-message facility used by the Kerberos libraries. |
| libgssapi.{so,a} | contains the Generic Security Service Application Programming Interface (GSSAPI) functions, which provide security services to callers in a generic fashion, supportable with a range of underlying mechanisms and technologies, and hence allow source-level portability of applications to different environments. |
| libkadm5clnt.{so,a} | contains the administrative authentication and password checking functions required by Kerberos 5 client-side programs. |
| libkadm5srv.{so,a} | contains the administrative authentication and password checking functions required by Kerberos 5 servers. |
| libkdb5.{so,a} | is a Kerberos 5 authentication/authorization database access library. |
| libkrb5.{so,a} | is an all-purpose Kerberos 5 library. |