MIT krb5

From CBLFS
Revision as of 07:34, 10 November 2007 by Jciccone (talk | contribs)
Jump to navigationJump to search
Download Source: http://web.mit.edu/kerberos/www/dist/krb5/1.7/krb5-1.7-signed.tar

Introduction to MIT krb5

Project Homepage: Unknown

Dependencies

Optional

  • xinetd (services servers only)
  • Linux-PAM (for xdm based logins)
  • OpenLDAP (alternative for krb5kdc password database)
Caution.png

Note

A time synchronization facility of some sort (like NTP) is needed on your system if you're going to be using Kerberos. Kerberos won't authenticate if the time differential between a kerberized client and the KDC server is more than 5 minutes. And since you'll probably want Kerberos to be able to authenticate, you'll want to synchronize the time between teh client and the server.

Non-Multilib

Build the packge: 

cd src &&
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var/lib \
   --enable-dns --mandir=/usr/share/man &&
make

Install the package: 

make install &&
chmod -v 755 /usr/lib/libcom_err.so.3* &&
chmod -v 755 /usr/lib/libdes425.so.3* &&
chmod -v 755 /usr/lib/libgssapi_krb5.so.2* &&
chmod -v 755 /usr/lib/libgssrpc.so.4* &&
chmod -v 755 /usr/lib/libk5crypto.so.3* &&
chmod -v 755 /usr/lib/libkadm5clnt.so.5* &&
chmod -v 755 /usr/lib/libkadm5srv.so.5* &&
chmod -v 755 /usr/lib/libkdb5.so.4* &&
chmod -v 755 /usr/lib/libkrb4.so.2* &&
chmod -v 755 /usr/lib/libkrb5.so.3* &&
chmod -v 755 /usr/lib/libkrb5support.so.0* &&
mv -v /usr/lib/libdes425.so.3* /lib &&
mv -v /usr/lib/libk5crypto.so.3* /lib &&
mv -v /usr/lib/libkrb5.so.3* /lib &&
mv -v /usr/lib/libkrb4.so.2* /lib &&
mv -v /usr/lib/libcom_err.so.3* /lib &&
mv -v /usr/lib/libgssapi_krb5.so.2* /lib &&
mv -v /usr/lib/libkrb5support.so.0* /lib &&
ln -v -sf ../../lib/libkrb4.so.2 /usr/lib/libkrb4.so &&
ln -v -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so &&
ln -v -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so &&
ln -v -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so &&
ln -v -sf ../../lib/libdes425.so.3 /usr/lib/libdes425.so &&
ln -v -sf ../../lib/libgssapi_krb5.so.2 /usr/lib/libgssapi_krb5.so &&
ln -v -sf ../../lib/libkrb5support.so.0 /usr/lib/libkrb5support.so &&
mv -v /usr/bin/ksu /bin &&
ldconfig

Warning:
login.krb5 does not support shadow passwords. So, when the Kerberos
server is unavailable, the default use of /etc/password will not work
because the passwords are now in /etc/shadow (where they were put while
building CLFS). Entering the following commands without moving the passwords back
to /etc/password could prevent any logins.

If you understand the above warning and Linux-PAM is not installed, the following commands can be used: 

mv -v /bin/login /bin/login.shadow &&
cp -v /usr/sbin/login.krb5 /bin/login

If CrackLib is installed, or if any word list has been put in /usr/share/dict, the following commands should be used: 

ln -s /usr/share/dict/words /var/lib/krb5kdc/kadmin.dict

Command Explanations

--enable-dns: This switch allows realms to be resolved using the DNS server.

mv -v /bin/login /bin/login.shadow && cp -v /usr/sbin/login.krb5 /bin/login && mv -v /usr/bin/ksu /bin: Preserves Shadow's login command, moves ksu and login by moving them to the /bin directory.

mv -v ... /lib and ln -v -sf ...: The login and ksu programs are linked against these libraries, so these libraries are moved to /lib in order to allow logins without mounting /usr.

Multilib

32Bit

TODO....

N32

TODO....

64Bit

TODO....

Configuring

See BLFS' MIT krb5 page for how to configure Kerberos.

For additional information, take a look at Documentation for krb-1.4.1.

Contents

Installed Programs: compile-et, ftp, ftpd, gss-client, gss-server, k5srvutil, kadmin, kadmin.local, kadmind, kadmind4, kdb5_util, kdestroy, kinit, klist, klogind, kpasswd, kprop, kpropd, krb5-send-pr, krb5-config, krb524d, krb524init, krb5kdc, kshd, ksu, ktutil, kvno, login.krb5, rcp, rlogin, rsh, sclient, sim_client, sim_server, sserver, telnet, telnetd, uuclient, uuserver, v5passwd, and v5passwdd
Installed Libraries: libcom_err.{so,a}, libdes425.{so,a}, libgssapi.{so,a}, libgssrpc.{so,a}, libkadm5clnt.{so,a}, libkadm5srv.{so,a}, libkdb5.{so,a}, libkrb5.{so,a}, and libkrb4.{so,a}
Installed Directory: /usr/include/kerberosIV and /var/lib/krb5kdc

Short Descriptions

compile_et converts the table listing error-code names into a C source file.
ftp is a kerberized FTP client.
ftpd is a kerberized FTP daemon.
k5srvutil is a host keytable manipulation utility.
kadmin is an utility used to make modifications to the Kerberos database.
kadmind is a server for administrative access to a Kerberos database.
kdb5_util is the KDC database utility.
kdestroy removes the current set of tickets.
kinit is used to authenticate to the Kerberos server as a principal and acquire a ticket granting ticket that can later be used to obtain tickets for other services.
klist reads and displays the current tickets in the credential cache.
klogind is the server that responds to rlogin requests.
kpasswd is a program for changing Kerberos 5 passwords.
kprop takes a principal database in a specified format and converts it into a stream of database records.
kpropd receives a database sent by kprop and writes it as a local database.
krb5-config gives information on how to link programs against libraries.
krb5kdc is a Kerberos 5 server.
kshd is the server that responds to rsh requests.
ksu is the super user program using Kerberos protocol. Requires a properly configured /etc/shells and ~/.k5login containing principals authorized to become super users.
ktutil is a program for managing Kerberos keytabs.
kvno prints keyversion numbers of Kerberos principals.
login.krb5 is a kerberized login program.
rcp is a kerberized rcp client program.
rlogin is a kerberized rlogin client program.
rsh is a kerberized rsh client program.
telnet is a kerberized telnet client program.
telnetd is a kerberized telnet server.
libcom_err.{so,a} implements the Kerberos library error code.
libgssapi.{so,a} contain the Generic Security Service Application Programming Interface (GSSAPI) functions which provides security services to callers in a generic fashion, supportable with a range of underlying mechanisms and technologies and hence allowing source-level portability of applications to different environments.
libkadm5clnt.{so,a} contains the administrative authentication and password checking functions required by Kerberos 5 client-side programs.
libkadm5srv.{so,a} contain the administrative authentication and password checking functions required by Kerberos 5 servers.
libkdb5.{so,a} is a Kerberos 5 authentication/authorization database access library.
libkrb5.{so,a} is an all-purpose Kerberos 5 library.
Retrieved from "?title=MIT_krb5&oldid=11987"