Difference between revisions of "MIT krb5"
(I cleaned up the page.) |
Line 19: | Line 19: | ||
'''Note:''' | '''Note:''' | ||
− | + | A time synchronization facility of some sort (like [[NTP]]) is needed on your system | |
− | + | if you're going to be using Kerberos. Kerberos won't authenticate if the time | |
− | between a kerberized client and the KDC server is more than 5 minutes. | + | differential between a kerberized client and the KDC server is more than 5 minutes. |
+ | And since you'll probably want Kerberos to be able to authenticate, you'll want | ||
+ | to synchronize the time between teh client and the server. | ||
== Non-Multilib == | == Non-Multilib == | ||
− | + | Build the packge: | |
− | + | cd src | |
− | + | ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var/lib | |
− | + | --enable-dns --enable-static --mandir=/usr/share/man | |
− | cd src | ||
− | ./configure --prefix=/usr --sysconfdir=/etc | ||
make | make | ||
Install the package: | Install the package: | ||
− | make install | + | make install |
− | mv -v /usr/ | + | mv -v /usr/lib/libdes425.so.3* /lib |
− | mv -v /usr/lib/ | + | mv -v /usr/lib/libk5crypto.so.3* /lib |
− | mv -v /usr/lib/ | + | mv -v /usr/lib/libkrb5.so.3* /lib |
− | mv -v /usr/lib/ | + | mv -v /usr/lib/libkrb4.so.2* /lib |
− | mv -v /usr/lib/ | + | mv -v /usr/lib/libcom_err.so.3* /lib |
− | mv -v /usr/ | + | mv -v /usr/bin/ksu /bin |
− | ln -v -sf ../../lib/ | + | ln -v -sf ../../lib/libkrb4.so.2 /usr/lib/libkrb4.so |
− | ln -v -sf ../../lib/ | + | ln -v -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so |
− | ln -v -sf ../../lib/ | + | ln -v -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so |
− | ln -v -sf ../../lib/ | + | ln -v -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so |
− | ln -v -sf ../../lib/ | + | ln -v -sf ../../lib/libdes425.so.3 /usr/lib/libdes425.so |
ldconfig | ldconfig | ||
<font color=red>'''Warning:'''</font> | <font color=red>'''Warning:'''</font> | ||
− | '''login.krb5''' does not support shadow passwords. | + | '''login.krb5''' does not support shadow passwords. So, when the Kerberos |
− | server is unavailable, the default | + | server is unavailable, the default use of '''/etc/password''' will not work |
− | because the passwords | + | because the passwords are now in '''/etc/shadow''' (where they were put while |
− | + | building CLFS). Entering the following commands without moving the passwords back | |
to '''/etc/password''' could prevent any logins. | to '''/etc/password''' could prevent any logins. | ||
− | If Linux-Pam is not installed | + | If you understand the above warning and Linux-Pam is not installed, the following commands can be used: |
mv -v /bin/login /bin/login.shadow && | mv -v /bin/login /bin/login.shadow && | ||
cp -v /usr/sbin/login.krb5 /bin/login | cp -v /usr/sbin/login.krb5 /bin/login | ||
− | If CrackLib is installed, or if any word list has been put in /usr/share/dict, the following should be | + | If CrackLib is installed, or if any word list has been put in /usr/share/dict, the following commands should be used: |
ln -s /usr/share/dict/words /var/lib/krb5kdc/kadmin.dict | ln -s /usr/share/dict/words /var/lib/krb5kdc/kadmin.dict | ||
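Review bot: `/etc/password` in the added warning text (and in the unchanged line after it) is the wrong path; the file is `/etc/passwd`. The advice to move the passwords "back to /etc/password" also needs a caution in the same paragraph: hashes placed in that world-readable file can be read by every local user, which is exactly what the shadow split done during CLFS prevents, so the reader should understand the trade-off before following it. Smaller points in the same hunk: "teh" for "the" in the added Note line, "packge" for "package", and the `./configure` invocation is split over two lines without a trailing `\`, so `--enable-dns --enable-static --mandir=/usr/share/man` would run as a separate command if pasted as shown.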
Line 77: | Line 72: | ||
--enable-static: This switch builds static libraries in addition to the shared libraries. | --enable-static: This switch builds static libraries in addition to the shared libraries. | ||
− | '''mv -v /bin/login /bin/login.shadow && cp -v /usr/sbin/login.krb5 /bin/login && mv -v /usr/bin/ksu /bin''': Preserves Shadow's '''login''' command, moves '''ksu''' and '''login''' to the /bin directory. | + | '''mv -v /bin/login /bin/login.shadow && cp -v /usr/sbin/login.krb5 /bin/login && mv -v /usr/bin/ksu /bin''': Preserves Shadow's '''login''' command, moves '''ksu''' and '''login''' by moving them to the /bin directory. |
− | '''mv -v ... /lib | + | '''mv -v ... /lib''' and '''ln -v -sf ...''': The '''login''' and '''ksu''' programs are linked against these libraries, so these libraries are moved to /lib in order to allow logins without mounting /usr. |
== Multilib == | == Multilib == | ||
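Review bot: the rewritten explanation of `mv -v /bin/login /bin/login.shadow && cp -v /usr/sbin/login.krb5 /bin/login && mv -v /usr/bin/ksu /bin` now reads "moves ksu and login by moving them to the /bin directory", which is circular; "and installs login.krb5 and ksu into /bin" says it. The added rationale for `mv -v ... /lib` (logins must work before /usr is mounted) is the useful part of this hunk; it would be stronger with the check that confirms it, `ldd /bin/login /bin/ksu`, which should show no library resolving under /usr once the moves are done.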
Line 97: | Line 92: | ||
== Configuring == | == Configuring == | ||
− | + | See [http://www.linuxfromscratch.org/blfs/view/svn/postlfs/mitkrb.html#krb5-config BLFS' MIT krb5 page] for how to configure Kerberos. | |
− | For additional information | + | For additional information, take a look at [http://web.mit.edu/kerberos/www/krb5-1.4/#documentation Documentation for krb-1.4.1]. |
= Contents = | = Contents = |
Revision as of 22:18, 16 December 2006
Download Source: http://web.mit.edu/kerberos/www/dist/krb5/1.7/krb5-1.7-signed.tar
Introduction to MIT Krb5
MIT krb5 is a free implementation of Kerberos 5, a network authentication protocol. It centralizes the authentication database on a Key Distribution Center (KDC) and, together with kerberized applications and services that support the protocol, provides single sign-on and encrypted communication over internal networks or the Internet.
Dependencies
Optional
- xinetd (only if you run the kerberized service daemons)
- Linux-Pam (for xdm based logins)
- OpenLDAP (alternative for krb5kdc password database)
Note: A time synchronization facility of some sort (like NTP) is needed on your system if you're going to be using Kerberos. Kerberos authentication fails if the clock difference between a kerberized client and the KDC (or a kerberized server) is more than 5 minutes, which is the default value of the clockskew setting in the [libdefaults] section of krb5.conf. That limit is part of Kerberos's replay protection, since a captured authenticator is only usable within the skew window, so keep the clocks of the clients and the server synchronized rather than widening the limit.
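The check the note describes, as an added example that is not part of the CLFS page or of MIT krb5 itself: a small POSIX sh script that reads the clockskew limit from a krb5.conf-style fragment (the setting lives under [libdefaults] and defaults to 300 seconds when absent) and decides whether a client's timestamp would be accepted. The config fragment and the timestamps are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the CLFS page or from MIT krb5: model the clock-skew
# check that a KDC or kerberized server applies to a client's timestamp.
# Assumption: the limit comes from "clockskew = SECONDS" under [libdefaults]
# in a krb5.conf-style text; when it is absent, MIT krb5's default of 300 s applies.

# Constructed krb5.conf fragment used as sample input (stricter than the default).
SAMPLE_KRB5_CONF='[libdefaults]
    default_realm = EXAMPLE.ORG
    clockskew = 120

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }'

# Read a krb5.conf-style text on stdin and print the clockskew value from its
# [libdefaults] section, or 300 when the setting is not present.
clockskew_from_conf() {
    awk '
        /^[ \t]*\[/ { section = $0; gsub(/[^a-z_]/, "", section) }
        section == "libdefaults" && $1 == "clockskew" && $2 == "=" { found = $3 }
        END { print (found == "" ? 300 : found) }
    '
}

# Usage: skew_ok CLIENT_EPOCH SERVER_EPOCH MAX_SKEW
# Returns 0 when |client - server| <= MAX_SKEW, 1 otherwise (the case Kerberos
# reports as a clock skew error and refuses to authenticate).
skew_ok() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    [ "$diff" -le "$3" ]
}

# Demonstration with constructed epoch timestamps: 90 s of skew passes under the
# sample config, 240 s fails even though the 300 s default would have allowed it.
max=$(printf '%s\n' "$SAMPLE_KRB5_CONF" | clockskew_from_conf)
if skew_ok 1166306370 1166306280 "$max"; then
    echo "client 90 s ahead: accepted (limit ${max} s)"
fi
if ! skew_ok 1166306520 1166306280 "$max"; then
    echo "client 240 s ahead: rejected (limit ${max} s)"
fi
```

Lowering clockskew, as the sample config does, makes the KDC and servers stricter; raising it above the default widens the window in which a captured authenticator could be replayed, which is why the right fix for skew errors is NTP on both sides rather than a larger limit.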
Non-Multilib
Build the package:
    cd src
    ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var/lib \
        --enable-dns --enable-static --mandir=/usr/share/man
    make
Install the package:
    make install
    mv -v /usr/lib/libdes425.so.3* /lib
    mv -v /usr/lib/libk5crypto.so.3* /lib
    mv -v /usr/lib/libkrb5.so.3* /lib
    mv -v /usr/lib/libkrb4.so.2* /lib
    mv -v /usr/lib/libcom_err.so.3* /lib
    mv -v /usr/bin/ksu /bin
    ln -v -sf ../../lib/libkrb4.so.2 /usr/lib/libkrb4.so
    ln -v -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so
    ln -v -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so
    ln -v -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so
    ln -v -sf ../../lib/libdes425.so.3 /usr/lib/libdes425.so
    ldconfig
Warning: login.krb5 does not support shadow passwords. So, when the Kerberos server is unavailable, the fallback to local passwords in /etc/passwd will not work, because the password hashes are in /etc/shadow (where they were put while building CLFS). Entering the following commands without moving the hashes back to /etc/passwd could prevent any logins. Be aware that moving them back makes every hash readable by every local user, since /etc/passwd is world-readable; that exposure is precisely what the shadow split protects against, so weigh it before replacing login.
If you understand the above warning and Linux-Pam is not installed, the following commands can be used:
mv -v /bin/login /bin/login.shadow && cp -v /usr/sbin/login.krb5 /bin/login
If CrackLib is installed, or if any word list has been put in /usr/share/dict, the following command should be used so that kadmin rejects dictionary words as principal passwords:
ln -s /usr/share/dict/words /var/lib/krb5kdc/kadmin.dict
Command Explanations
--enable-dns: This switch allows realms and KDCs to be located through DNS lookups. Note that a realm looked up from DNS TXT records is taken from an unauthenticated DNS answer; on a client, explicit [domain_realm] and [realms] entries in krb5.conf are the safer configuration.
--enable-static: This switch builds static libraries in addition to the shared libraries.
mv -v /bin/login /bin/login.shadow && cp -v /usr/sbin/login.krb5 /bin/login && mv -v /usr/bin/ksu /bin: Preserves Shadow's login command as login.shadow and installs login.krb5 and ksu into the /bin directory.
mv -v ... /lib and ln -v -sf ...: The login and ksu programs are linked against these libraries, so these libraries are moved to /lib in order to allow logins without mounting /usr.
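The rationale above, that login and ksu must work before /usr is mounted, can be verified rather than assumed. The following POSIX sh script is an added example, not part of the CLFS page or of MIT krb5: it scans ldd output for libraries that resolve under /usr (or that are not found at all). The two ldd transcripts embedded in it are constructed to show the state before and after the mv commands; on a real system pipe `ldd /bin/login` and `ldd /bin/ksu` into check_ldd_output.

```shell
#!/bin/sh
# Added example, not from the CLFS page or from MIT krb5: confirm that a binary
# needed before /usr is mounted resolves none of its shared libraries from /usr.

# Constructed `ldd /bin/login` output for a login.krb5 whose Kerberos libraries
# are still under /usr/lib (the `mv ... /lib` steps were skipped).
SAMPLE_BEFORE='    linux-gate.so.1 =>  (0xffffe000)
    libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7f0a000)
    libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb7ee0000)
    libcom_err.so.3 => /usr/lib/libcom_err.so.3 (0xb7edc000)
    libc.so.6 => /lib/libc.so.6 (0xb7da0000)
    /lib/ld-linux.so.2 (0xb7f30000)'

# The same binary after the libraries were moved to /lib and ldconfig was run.
SAMPLE_AFTER='    linux-gate.so.1 =>  (0xffffe000)
    libkrb5.so.3 => /lib/libkrb5.so.3 (0xb7f0a000)
    libk5crypto.so.3 => /lib/libk5crypto.so.3 (0xb7ee0000)
    libcom_err.so.3 => /lib/libcom_err.so.3 (0xb7edc000)
    libc.so.6 => /lib/libc.so.6 (0xb7da0000)
    /lib/ld-linux.so.2 (0xb7f30000)'

# Read ldd output on stdin and print, one per line, the resolved path of every
# library that lives under the prefix given as $1 (default /usr/). Libraries
# that ldd reports as "not found" are printed too, since they break login as well.
libs_under_prefix() {
    prefix=${1:-/usr/}
    awk -v p="$prefix" '
        /=> not found/ { print $1 " (not found)"; next }
        $2 == "=>" && index($3, p) == 1 { print $3 }
    '
}

# Usage: check_ldd_output NAME < ldd-output
# Returns 0 when every library resolves outside /usr, 1 otherwise.
check_ldd_output() {
    bad=$(libs_under_prefix /usr/)
    if [ -n "$bad" ]; then
        printf '%s depends on libraries that need /usr mounted:\n%s\n' "$1" "$bad"
        return 1
    fi
    printf '%s: all libraries resolve without /usr\n' "$1"
}

# Demonstration on the constructed transcripts: the first fails, the second passes.
printf '%s\n' "$SAMPLE_BEFORE" | check_ldd_output login.before-move || true
printf '%s\n' "$SAMPLE_AFTER" | check_ldd_output login.after-move
```

Run the same check on /bin/ksu, and repeat it after any later upgrade of krb5 or of e2fsprogs (which also ships a libcom_err), since a reinstall can silently put a newer library back under /usr/lib ahead of the one in /lib.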
Multilib
32Bit
TODO....
N32
TODO....
64Bit
TODO....
Configuring
See BLFS' MIT krb5 page for how to configure Kerberos.
For additional information, take a look at Documentation for krb-1.4.1.
Contents
Installed Programs: compile_et, ftp, ftpd, gss-client, gss-server, k5srvutil, kadmin, kadmin.local, kadmind, kadmind4, kdb5_util, kdestroy, kinit, klist, klogind, kpasswd, kprop, kpropd, krb5-send-pr, krb5-config, krb524d, krb524init, krb5kdc, kshd, ksu, ktutil, kvno, login.krb5, rcp, rlogin, rsh, sclient, sim_client, sim_server, sserver, telnet, telnetd, uuclient, uuserver, v5passwd, and v5passwdd
Installed Libraries: libcom_err.{so,a}, libdes425.{so,a}, libgssapi.{so,a}, libgssrpc.{so,a}, libkadm5clnt.{so,a}, libkadm5srv.{so,a}, libkdb5.{so,a}, libkrb5.{so,a}, and libkrb4.{so,a}
Installed Directories: /usr/include/kerberosIV and /var/lib/krb5kdc
Short Descriptions
compile_et | converts the table listing error-code names into a C source file. |
ftp | is a kerberized FTP client. |
ftpd | is a kerberized FTP daemon. |
k5srvutil | is a host keytable manipulation utility. |
kadmin | is a utility used to make modifications to the Kerberos database. |
kadmind | is a server for administrative access to a Kerberos database. |
kdb5_util | is the KDC database utility. |
kdestroy | removes the current set of tickets. |
kinit | is used to authenticate to the Kerberos server as a principal and acquire a ticket granting ticket that can later be used to obtain tickets for other services. |
klist | reads and displays the current tickets in the credential cache. |
klogind | is the server that responds to rlogin requests. |
kpasswd | is a program for changing Kerberos 5 passwords. |
kprop | propagates a dumped principal database from the master KDC to the slave KDCs, which receive it with kpropd. |
kpropd | receives a database sent by kprop and writes it as a local database. |
krb5-config | gives information on how to link programs against libraries. |
krb5kdc | is a Kerberos 5 server. |
kshd | is the server that responds to rsh requests. |
ksu | is the super user program using Kerberos protocol. Requires a properly configured /etc/shells and ~/.k5login containing principals authorized to become super users. |
ktutil | is a program for managing Kerberos keytabs. |
kvno | prints keyversion numbers of Kerberos principals. |
login.krb5 | is a kerberized login program. |
rcp | is a kerberized rcp client program. |
rlogin | is a kerberized rlogin client program. |
rsh | is a kerberized rsh client program. |
telnet | is a kerberized telnet client program. |
telnetd | is a kerberized telnet server. |
libcom_err.{so,a} | implements the common error-code library (com_err) that the Kerberos libraries use to describe their errors. |
libgssapi.{so,a} | contains the Generic Security Service Application Programming Interface (GSSAPI) functions, which provide security services to callers in a generic fashion, supportable with a range of underlying mechanisms and technologies, and hence allow source-level portability of applications to different environments. |
libkadm5clnt.{so,a} | contains the administrative authentication and password checking functions required by Kerberos 5 client-side programs. |
libkadm5srv.{so,a} | contains the administrative authentication and password checking functions required by Kerberos 5 servers. |
libkdb5.{so,a} | is a Kerberos 5 authentication/authorization database access library. |
libkrb5.{so,a} | is an all-purpose Kerberos 5 library. |