MIT krb5

From CBLFS
Revision as of 08:51, 23 December 2006 by Jciccone (talk | contribs)
Jump to navigationJump to search
Download Source: http://web.mit.edu/kerberos/www/dist/krb5/1.7/krb5-1.7-signed.tar

Introduction to MIT Krb5

MIT krb5 is a free implementation of Kerberos 5. Kerberos is a network authentication protocol. It centralizes the authentication database and uses kerberized applications to work with servers or services that support Kerberos allowing single logins and encrypted communication over internal networks or the Internet.

Dependencies

Optional

  • xinetd (services servers only)
  • Linux-PAM (for xdm based logins)
  • OpenLDAP (alternative for krb5kdc password database)
Note:
A time synchronization facility of some sort (like NTP) is needed on your system
if you're going to be using Kerberos. Kerberos won't authenticate if the time
differential between a kerberized client and the KDC server is more than 5 minutes.
And since you'll probably want Kerberos to be able to authenticate, you'll want
to synchronize the time between teh client and the server.

Non-Multilib

Build the packge:

cd src
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var/lib
   --enable-dns --enable-static --mandir=/usr/share/man
make

Install the package:

make install
mv -v /usr/lib/libdes425.so.3* /lib
mv -v /usr/lib/libk5crypto.so.3* /lib
mv -v /usr/lib/libkrb5.so.3* /lib
mv -v /usr/lib/libkrb4.so.2* /lib
mv -v /usr/lib/libcom_err.so.3* /lib
mv -v /usr/bin/ksu /bin
ln -v -sf ../../lib/libkrb4.so.2 /usr/lib/libkrb4.so
ln -v -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so
ln -v -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so
ln -v -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so
ln -v -sf ../../lib/libdes425.so.3 /usr/lib/libdes425.so
ldconfig
Warning:
login.krb5 does not support shadow passwords. So, when the Kerberos
server is unavailable, the default use of /etc/password will not work
because the passwords are now in /etc/shadow (where they were put while
building CLFS). Entering the following commands without moving the passwords back
to /etc/password could prevent any logins.

If you understand the above warning and Linux-PAM is not installed, the following commands can be used:

mv -v /bin/login /bin/login.shadow &&
cp -v /usr/sbin/login.krb5 /bin/login

If CrackLib is installed, or if any word list has been put in /usr/share/dict, the following commands should be used:

ln -s /usr/share/dict/words /var/lib/krb5kdc/kadmin.dict

Command Explanations

--enable-dns: This switch allows realms to be resolved using the DNS server.

--enable-static: This switch builds static libraries in addition to the shared libraries.

mv -v /bin/login /bin/login.shadow && cp -v /usr/sbin/login.krb5 /bin/login && mv -v /usr/bin/ksu /bin: Preserves Shadow's login command, moves ksu and login by moving them to the /bin directory.

mv -v ... /lib and ln -v -sf ...: The login and ksu programs are linked against these libraries, so these libraries are moved to /lib in order to allow logins without mounting /usr.

Multilib

32Bit

TODO....

N32

TODO....

64Bit

TODO....

Configuring

See BLFS' MIT krb5 page for how to configure Kerberos.

For additional information, take a look at Documentation for krb-1.4.1.

Contents

Installed Programs: compile-et, ftp, ftpd, gss-client, gss-server, k5srvutil, kadmin, kadmin.local, kadmind, kadmind4, kdb5_util, kdestroy, kinit, klist, klogind, kpasswd, kprop, kpropd, krb5-send-pr, krb5-config, krb524d, krb524init, krb5kdc, kshd, ksu, ktutil, kvno, login.krb5, rcp, rlogin, rsh, sclient, sim_client, sim_server, sserver, telnet, telnetd, uuclient, uuserver, v5passwd, and v5passwdd
Installed Libraries: libcom_err.{so,a}, libdes425.{so,a}, libgssapi.{so,a}, libgssrpc.{so,a}, libkadm5clnt.{so,a}, libkadm5srv.{so,a}, libkdb5.{so,a}, libkrb5.{so,a}, and libkrb4.{so,a}
Installed Directory: /usr/include/kerberosIV and /var/lib/krb5kdc

Short Descriptions

compile_et converts the table listing error-code names into a C source file.
ftp is a kerberized FTP client.
ftpd is a kerberized FTP daemon.
k5srvutil is a host keytable manipulation utility.
kadmin is an utility used to make modifications to the Kerberos database.
kadmind is a server for administrative access to a Kerberos database.
kdb5_util is the KDC database utility.
kdestroy removes the current set of tickets.
kinit is used to authenticate to the Kerberos server as a principal and acquire a ticket granting ticket that can later be used to obtain tickets for other services.
klist reads and displays the current tickets in the credential cache.
klogind is the server that responds to rlogin requests.
kpasswd is a program for changing Kerberos 5 passwords.
kprop takes a principal database in a specified format and converts it into a stream of database records.
kpropd receives a database sent by kprop and writes it as a local database.
krb5-config gives information on how to link programs against libraries.
krb5kdc is a Kerberos 5 server.
kshd is the server that responds to rsh requests.
ksu is the super user program using Kerberos protocol. Requires a properly configured /etc/shells and ~/.k5login containing principals authorized to become super users.
ktutil is a program for managing Kerberos keytabs.
kvno prints keyversion numbers of Kerberos principals.
login.krb5 is a kerberized login program.
rcp is a kerberized rcp client program.
rlogin is a kerberized rlogin client program.
rsh is a kerberized rsh client program.
telnet is a kerberized telnet client program.
telnetd is a kerberized telnet server.
libcom_err.{so,a} implements the Kerberos library error code.
libgssapi.{so,a} contain the Generic Security Service Application Programming Interface (GSSAPI) functions which provides security services to callers in a generic fashion, supportable with a range of underlying mechanisms and technologies and hence allowing source-level portability of applications to different environments.
libkadm5clnt.{so,a} contains the administrative authentication and password checking functions required by Kerberos 5 client-side programs.
libkadm5srv.{so,a} contain the administrative authentication and password checking functions required by Kerberos 5 servers.
libkdb5.{so,a} is a Kerberos 5 authentication/authorization database access library.
libkrb5.{so,a} is an all-purpose Kerberos 5 library.
Retrieved from "?title=MIT_krb5&oldid=6123"