\input texinfo @c -*-texinfo-*-

@finalout
@setfilename kerb-inst-man

@ifinfo

@emph{Cygnus Network Security
Installation Notes}
January 1995

John Gilmore
Pat McGregor
Cygnus Support

CNS includes documentation and software developed at the Massachusetts
Institute of Technology, which includes this copyright information:

Copyright @copyright{} 1989 by the Massachusetts Institute of Technology.

@quotation
Export of software employing encryption from the United States of
America is assumed to require a specific license from the United States
Government. It is the responsibility of any person or organization
contemplating export to obtain such a license before exporting.
@end quotation

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute
this software and its documentation for any purpose and without fee is
hereby granted, provided that the above copyright notice appear in all
copies and that both that copyright notice and this permission notice
appear in supporting documentation, and that the name of M.I.T. not be
used in advertising or publicity pertaining to distribution of the
software without specific, written prior permission. M.I.T. makes no
representations about the suitability of this software for any purpose.
It is provided ``as is'' without express or implied warranty.

Copyright @copyright{} 1993, 1994, 1995 Cygnus Support.

Permission is granted to make and distribute verbatim copies of
this manual provided the copyright notice and this permission notice
are preserved on all copies.

@ignore
Permission is granted to process this file through TeX and print the
results, provided the printed document carries a copying permission
notice identical to this one except for the removal of this paragraph
(this paragraph not being relevant to the printed manual).
@end ignore

Permission is granted to copy and distribute modified versions of this
manual under the conditions for verbatim copying, provided also that
the entire resulting derived work is distributed under the terms of a
permission notice identical to this one.

Permission is granted to copy and distribute translations of this manual
into another language, under the above conditions for modified versions.

@end ifinfo

@setchapternewpage odd
@settitle Cygnus Network Security
@titlepage
@title Cygnus Network Security
@subtitle Installation Notes
@sp 2
@subtitle January 1995
@vfill
@author Mark Eichin
@author Pat McGregor
@author Cygnus Support

@page

@vskip 0pt plus 1filll

CNS includes documentation and software developed at the Massachusetts
Institute of Technology, which includes this copyright information:

Copyright @copyright{} 1989 by the Massachusetts Institute of Technology.

@quotation
Export of software employing encryption from the United States of
America is assumed to require a specific license from the United States
Government. It is the responsibility of any person or organization
contemplating export to obtain such a license before exporting.
@end quotation

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute
this software and its documentation for any purpose and without fee is
hereby granted, provided that the above copyright notice appear in all
copies and that both that copyright notice and this permission notice
appear in supporting documentation, and that the name of M.I.T. not be
used in advertising or publicity pertaining to distribution of the
software without specific, written prior permission. M.I.T. makes no
representations about the suitability of this software for any purpose.
It is provided ``as is'' without express or implied warranty.

Copyright @copyright{} 1993, 1994, 1995 Cygnus Support.

Permission is granted to make and distribute verbatim copies of
this manual provided the copyright notice and this permission notice
are preserved on all copies.

Permission is granted to copy and distribute modified versions of this
manual under the conditions for verbatim copying, provided also that
the entire resulting derived work is distributed under the terms of a
permission notice identical to this one.

Permission is granted to copy and distribute translations of this manual
into another language, under the above conditions for modified versions.
@end titlepage

@ifinfo
@node Top, Installing CNS, (dir), (dir)
@top Cygnus Network Security

@menu
* Installing CNS:: Installing CNS at Your Site
* Choosing a Realm Name:: Choosing a Kerberos Realm Name
* Installation overview:: CNS Installation Overview
* Installation on any machine:: Installation on any machine
* Configuring the KDC:: Configuring the Key Distribution Center
* Application server configuration:: Configuring an Application Server
* Adding users:: Adding users to the Kerberos database
@end menu
@end ifinfo

@node Installing CNS, Choosing a Realm Name, Top, Top
@chapter Installing CNS at Your Site

Cygnus Support developed Cygnus Network Security (CNS) to provide strong
system access security, with minimal impact on users' ease of access.
Using Kerberos Version 4 encryption and client-server technology, CNS
assures that user identities can be checked securely without
transmitting passwords in clear over the Net. CNS is useful in closing
up several large security holes: eavesdroppers recording login names and
passwords as your users log in from remote locations; and active attacks
based on providing a fake TCP/IP source address (IP address spoofing).

Introducing CNS to an existing site involves more planning and execution
than installing the average software package. CNS software is required
on both ends of the remote login connections, and remote users must
change their habits.

To install CNS and make it useful, you have to:

@itemize @bullet
@item
Install and configure the CNS software on the machines at your site.
@item
Set up a CNS Key Distribution Center server machine.
@item
[Optional] Set up one or more slave servers for reliability.
@item
Install and configure CNS client software on the machines from which
your remote users log in.
@item
Add users and their passwords to your CNS server.
@item
Inform your users about CNS.
@item
[Optional] Turn off ordinary @code{rlogin}, @code{telnet}, and
@code{rsh} services so that users are @emph{required} to use CNS rather
than potentially exposing their passwords.
@end itemize

This manual covers only basic installation and configuration of the CNS
software. See the @ref{Top,,Administration Tools,kerbman,Cygnus Network
Security User and Administrator Documentation for CNS Version 1}, manual
for more detailed information.

@node Choosing a Realm Name, Installation overview, Installing CNS, Top
@chapter Choosing a Realm Name

You must choose a Kerberos realm name for your site. Although your realm
name can be any string, there are certain conventions. The @sc{CNS}
programs follow these conventions by default, so if you follow them as
well you have to put less information in the @file{krb.conf} and
@file{krb.realms} configuration files (these configuration files are
described below).

@itemize @bullet
@item
Realm names are always upper case strings.
@item
For a host named @samp{xxx.yyy}, the conventional Kerberos realm is
@samp{XXX.YYY}.
@item
For a host named @samp{xxx.yyy.zzz}, the conventional Kerberos realm is
@samp{YYY.ZZZ}.
@item
For a host named @samp{www.xxx.yyy.zzz}, the conventional Kerberos realm
is @samp{XXX.YYY.ZZZ}, and so forth for additional levels in the host
name.
@end itemize

@node Installation overview, Installation on any machine, Choosing a Realm Name, Top
@chapter CNS Installation Overview

A machine running CNS may act in three roles. A single machine can act
simultaneously in any combination of these three roles:

@itemize @bullet
@item
Kerberos Key Distribution Center server (providing password checking
service)
@item
User Client (providing programs to let users log in to Kerberized
application servers)
@item
Application server (providing @code{rlogin}, @code{telnet}, @code{rsh},
and @code{rcp} services for client machines)
@end itemize

To use CNS, you need a main Key Distribution server and, preferably, one
or more backups. Backups make it possible for your site to function
even if the main server machine is unavailable.

If possible, you should make @file{kerberos.@var{REALM}} be an alias for
your main server machine. For example, the main server of the realm
CYGNUS.COM is known as @file{kerberos.cygnus.com}. When the CNS
binaries need to contact a Key Distribution Center server for a
particular realm, they contact the machine named @samp{kerberos} by
default. The @file{krb.conf} file may be used to override this default,
as well as to name additional backup servers for a realm. The
@file{krb.conf} file is described below.

You should normally set up all machines at your site as application
servers. This permits users to log into them directly using the CNS
programs.

You should set up all machines from which your users log in as CNS
clients. This normally includes all machines at your site.

The following sections of this manual tell how to set up each CNS role.

@node Installation on any machine, Configuring the KDC, Installation overview, Top
@chapter Installation on any Machine

@menu
* Background:: Background Information
* Instructions:: Installation Instructions
@end menu

@node Background, Instructions, Installation on any machine, Installation on any machine
@section Background Information

On all platforms, please use the instructions in the following section
to install the binary software and perform the initial configuration.
(If you need to compile the software from source code, see the
@file{README} file in the source code.)

You need to be operating as the @samp{root} user in order to create the
@file{/usr/kerberos} directory, where the CNS package is being
installed. You also need to be @samp{root} when running various steps
of the configuration procedures.

Your system's security is only as good as the security of your
@samp{root} password. Please take other precautions to protect your
system security in addition to installing CNS. CNS cannot protect you
from someone who is able to steal @samp{root} privileges. CNS also does
not protect you from break-ins caused by bugs in your daemons (e.g.,
@code{fingerd} or @code{sendmail}). On almost all Unix systems, if
intruders can break in as an ordinary user, they can become root by
exploiting bugs or imperfect configuration files.

CNS installation is partially automated, but you must do some steps by
hand. Please read through the installation instructions completely
before you begin the installation. If you find unfamiliar concepts or
words, please consult the glossary in @ref{Glossary,,Administration
Tools,,Cygnus Network Security User and Administrator Documentation for
CNS Version 1}.

@node Instructions, , Background, Installation on any machine
@section Installation Instructions

These installation instructions are for the installation of pre-compiled
binaries. Be sure you run this as @samp{root}.

These directions install CNS under @file{/usr/kerberos}. This version
of the software is not easily installed in other places. However, if
you want to install it elsewhere, you can do so by making a symbolic
link in @file{/usr/kerberos}. We recommend that for machines that act
as CNS Kerberos Key Distribution Center servers, you place the files on
a local disk. This prevents failures due to a file server being down or
unreachable.

The entire CNS Kerberos tree can be safely shared among machines of the
same architecture. @file{/etc/krb-srvtab} is the only machine-dependent
file.

@enumerate
@item If you wish to put the files somewhere other than @file{/usr/kerberos},
create a symbolic link as follows:
@example
ln -s /where/ever/you/want /usr/kerberos
@end example
All the directories in the @file{/where/ever/you/want} path must exist,
with the possible exception of last one, which is automatically created
when you unpack the distribution software.

@item If CNS is not currently installed on this machine, it is
simplest to unpack the tape directly into @file{/usr/kerberos}. Change
directory to @file{/}.

@item If CNS is already installed on this machine, it is best to
unpack the tape in a directory other than @file{/usr/kerberos}. The
installation procedure copies the binaries into place safely, without
disturbing any running programs. Change directory to a directory with
enough room to hold the CNS binaries. They unpack into the subdirectory
@file{usr/kerberos}.

@item If you are using an FTP'ed distribution, unpack the binaries using
the command @code{uncompress < @var{machine-type}.tar.Z | tar xvf -}.
The source code is available as a separate tar file, which may be
unpacked using the corresponding command @code{uncompress < src.tar.Z |
tar xvf -}.

@item If your distribution is on tape, unpack the tape using the
@code{tar xv} command. You may have to use @code{tar xvf @var{TAPE}},
where @var{TAPE} is the name of the tape drive you are using.

The source code is stored as a second file on the same tape. To unpack
the source code, you must skip the first file on the tape, and then
unpack the sources using @code{tar xvf} just as you unpacked the
binaries. To skip the first file on the tape, on most systems use
@code{mt -f @var{TAPE} fsf}. On systems such as HP/UX or Irix 4, you
must use @code{mt -t @var{TAPE} fsf} (i.e., use the option @samp{-t}
rather than @samp{-f}). On SCO or SVR4 systems, use the command
@samp{tape fsf @var{TAPE}}. Check the man pages for @samp{mt} or
@samp{tape} on your system.

@item Run @code{usr/kerberos/install/configure}.
@itemize @bullet
@item The configure script prompts:
@smallexample
If you've unpacked the tape in @var{DIR},
just press @kbd{RETURN};
If you've installed it below some other directory,
enter it now.
@end smallexample

@noindent
The configure script tries to determine the directory where you have
unpacked the tape. If the reported directory is correct, just press
@kbd{RETURN}. Otherwise, enter the name of the directory where you
unpacked the tape. If you have not unpacked the tape under @file{/},
the script automatically copies the new binaries into
@file{/usr/kerberos} without overwriting the existing binaries.

@item The CNS configuration script automatically fixes the
permissions on the CNS binaries, and it automatically checks that
appropriate entries have been added to the @file{/etc/services} file.
If any errors occur doing these steps, the script exits with an error
message.

@item If the file @file{/usr/kerberos/lib/krb.conf} exists, the
configuration script assumes that CNS was already installed. It prints
@smallexample
Existing configuration for realm REALM preserved.
To reconfigure it, delete /usr/kerberos/lib/krb.conf
and re-run configure.
@end smallexample

@item If the file @file{/usr/kerberos/lib/krb.conf} does not exist, CNS
prompts:
@smallexample
Enter name of local realm (for example, CYGNUS.COM):
@end smallexample

@noindent
Enter the name you wish to use for your realm, all in uppercase. For
one-host sites, the realm name is normally the same as the host name
(in capital letters). At larger sites, the realm name is usually the
capitalized name of the main Internet domain (e.g. CYGNUS.COM or
EFF.ORG). At large sites, there may be several realms (e.g. ENG.SUN.COM
and MKTG.SUN.COM).
@end itemize

@item If you are updating an existing CNS installation on this machine,
you are almost finished. You should test the new client programs, such as
@code{kinit} and @code{rlogin}, to make sure they continue to work as
expected. If this machine is a Key Distribution Center, you should
reboot it to start running the updated CNS server software. If this
machine is an application server, you should skip to
@ref{Application server configuration, Configuring an Application Server,
Configuring an Application Server}, to consider turning off non-CNS
access and to turn on the new @code{ftp} and @code{telnet} daemons.

If this is a new CNS installation, you should continue following the
installation instructions.

@item If your realm name is different from your full Internet
hostname with the first component stripped off, you must tell CNS how to
map your hostname to your realm name. For example, if your hostname is
@file{bogon.company.org}, CNS programs assume that your realm is
@code{COMPANY.ORG} by default. If you pick any other realm name
(perhaps @code{MKTG.COMPANY.ORG}), you have to edit the file
@file{/usr/kerberos/lib/krb.realms}. Add two lines to the file to
specify your domain name suffix, a space, and your realm name. One line
should start with an initial dot, the other should not have it.
Example:
@example
company.org MKTG.COMPANY.ORG
.company.org MKTG.COMPANY.ORG
@end example

If you add your domain name to @file{krb.realms}, make sure that all
your local and remote machines running CNS have the same entries in
their local @file{krb.realms} files.

@item When a CNS client program retrieves a ticket for a realm, it
needs to know the hostname of the Key Distribution Center for that
realm. The default server host name is @file{kerberos.@var{REALM}}.
For example, the server for the realm @file{CYGNUS.COM} is
@file{kerberos.cygnus.com}. If your users access realms which do not
follow this convention, or if you want to specify more than one Key
Distribution Center for a given realm, you must modify the file
@file{/usr/kerberos/lib/krb.conf}. If you make changes to
@file{krb.conf}, you must make sure that the versions on all user
clients correspond.

For each CNS Key Distribution Center or backup center, add a line to the file
@file{/usr/kerberos/lib/krb.conf} that contains the realm name, followed
by a space or tab, and the hostname of one of the Key Distribution
Centers for that realm. If the realm has multiple key distribution
centers, use multiple lines. On the line that refers to the master
server (which also runs the @code{kadmind} daemon), add the words
``admin server'' to the end of the line. Example:
@example
MKTG.CORP.ORG kerberos.corp.org admin server
MKTG.CORP.ORG backupserver.corp.org
PODUNK.UNIVERSITY.EDU kerberos.podunk.edu admin server
NEAR.NET kerberos.near.net
@end example

@noindent
In this example, the last line is not actually necessary, because
@file{kerberos.near.net} is the default server for realm
@file{NEAR.NET}.

The first line of the @file{krb.conf} file is special: it specifies the
name of the default realm on this machine. Do not change it.

@item @emph{If this is the first time you have installed CNS on your systems,
go on to @ref{Configuring the KDC, Configuring the Key Distribution
Center, Configuring the Key Distribution Center}. If this is not the
first time you have installed CNS, go to the next step.}

@item If this is a client-only installation, test the installation
by running @code{/usr/kerberos/bin/kinit}. It should prompt you for a
``Kerberos name,'' by which it means your CNS Kerberos user name. Enter
your user name in the default realm. You should get a @code{Password:}
prompt. If you do not, your client programs cannot find a key
distribution center for that realm; recheck your @file{krb.conf} file.
If you are not running Domain Name Service, also check your @file{/etc/hosts}
file. If you do get the @code{Password:} prompt, enter your password in
this realm. @code{Kinit} should exit without any error messages, and
@code{klist} should show a single ticket whose Principal is
``krbtgt.REALM@@REALM.'' You can now test the application programs from
@file{/usr/kerberos/bin} (such as @code{rlogin}), or you can just type
@code{kdestroy} to destroy that ticket.

If your users access multiple realms, test each realm in turn, by typing
@code{kinit -r} and @kbd{RETURN}, entering the user name as above, and
then entering the realm name at the @file{Kerberos realm:} prompt.

@end enumerate
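The realm-naming convention from the chapter on choosing a realm name, the
@file{krb.realms} override, and the @file{krb.conf} layout from the steps above
are the three rules a CNS client applies before it can ask a Key Distribution
Center for a ticket. The following Python script is an added example written
for these notes; it is not part of the CNS distribution and does not reproduce
the library's code. It implements those three rules over constructed copies of
the files shown above (the @file{krb.conf} default-realm line is made up), and
one matching detail is an assumption of the example rather than a statement of
the notes: an undotted @file{krb.realms} entry is taken to match that exact
host name and a dotted entry to match every host below that domain, which is
why the notes tell you to add both lines.

```python
"""Realm and KDC lookup for a CNS (Kerberos V4) client, following the rules
in these installation notes.  Added example, not part of the CNS distribution.

Rules from the notes: the conventional realm for a host; the krb.realms
override (one line with a leading dot, one without); krb.conf, whose first
line names the machine's default realm and whose later lines read
"REALM kdc-host [admin server]"; and the fallback host kerberos.<realm>
when krb.conf has no line for a realm.  ASSUMPTION of this example: an
undotted krb.realms entry matches that exact host name and a dotted entry
matches every host below that domain (longest matching suffix wins)."""
from typing import Optional


def conventional_realm(hostname: str) -> str:
    """xxx.yyy -> XXX.YYY; xxx.yyy.zzz -> YYY.ZZZ; www.xxx.yyy.zzz -> XXX.YYY.ZZZ."""
    labels = hostname.strip().rstrip(".").split(".")
    if len(labels) > 2:
        labels = labels[1:]  # drop the host component, keep the domain
    return ".".join(labels).upper()


def parse_krb_realms(text: str) -> list:
    """Return (domain-or-host, REALM) pairs; blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f"malformed krb.realms line: {line!r}")
        entries.append((fields[0].lower(), fields[1]))
    return entries


def realm_of_host(hostname: str, krb_realms: str = "") -> str:
    """Realm for a host: krb.realms override first, then the naming convention."""
    host = hostname.lower().rstrip(".")
    entries = parse_krb_realms(krb_realms)
    for name, realm in entries:  # undotted entry: the domain name itself
        if not name.startswith(".") and name == host:
            return realm
    best: Optional[tuple] = None  # dotted entry: hosts below the domain
    for name, realm in entries:
        if name.startswith(".") and host.endswith(name):
            if best is None or len(name) > len(best[0]):
                best = (name, realm)
    return best[1] if best else conventional_realm(host)


def parse_krb_conf(text: str) -> tuple:
    """Return (default_realm, {REALM: [(kdc_host, is_admin_server), ...]})."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("krb.conf must start with the default realm name")
    default_realm = lines[0].split()[0]
    kdcs: dict = {}
    for line in lines[1:]:
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed krb.conf line: {line!r}")
        realm, host = fields[0], fields[1]
        is_admin = [f.lower() for f in fields[2:]] == ["admin", "server"]
        kdcs.setdefault(realm, []).append((host, is_admin))
    return default_realm, kdcs


def kdcs_for_realm(realm: str, krb_conf: str) -> list:
    """KDC hosts a client will try for REALM; falls back to kerberos.<realm>."""
    _, kdcs = parse_krb_conf(krb_conf)
    if realm in kdcs:
        return list(kdcs[realm])
    # The notes do not say whether the default host is the admin server: None.
    return [("kerberos." + realm.lower(), None)]


def config_mismatches(conf_a: str, conf_b: str) -> list:
    """Realms whose KDC lines differ between two clients' krb.conf files.
    The first line (default realm) belongs to each machine and is not compared."""
    _, a = parse_krb_conf(conf_a)
    _, b = parse_krb_conf(conf_b)
    return sorted(r for r in set(a) | set(b) if a.get(r) != b.get(r))


# Constructed sample files: krb.realms and the krb.conf KDC lines are the ones
# shown in the notes; the first krb.conf line (default realm) is made up here.
SAMPLE_KRB_REALMS = "company.org MKTG.COMPANY.ORG\n.company.org MKTG.COMPANY.ORG\n"
SAMPLE_KRB_CONF = """MKTG.CORP.ORG
MKTG.CORP.ORG kerberos.corp.org admin server
MKTG.CORP.ORG backupserver.corp.org
PODUNK.UNIVERSITY.EDU kerberos.podunk.edu admin server
NEAR.NET kerberos.near.net
"""

if __name__ == "__main__":
    for h in ("bogon.company.org", "company.org", "host.other.org"):
        print(h, "->", realm_of_host(h, SAMPLE_KRB_REALMS))
    for r in ("MKTG.CORP.ORG", "NEAR.NET", "CYGNUS.COM"):
        print(r, "->", kdcs_for_realm(r, SAMPLE_KRB_CONF))
```

Running the script with only the dotted @file{.company.org} line present
resolves @file{company.org} itself to @code{COMPANY.ORG} rather than
@code{MKTG.COMPANY.ORG}, which is the case the second, undotted line covers.
@code{config_mismatches} is the check to run against the @file{krb.conf} of
each user client, since the notes require the KDC lines on all clients to
correspond.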

If you are only installing CNS client services, your installation is
complete. Congratulations. You and your users should add
@code{/usr/kerberos/bin} to the path used to find programs.

| 475 | @node Configuring the KDC, Application server configuration, Installation on any machine, Top |
---|
| 476 | @chapter Configuring the Key Distribution Center |
---|
| 477 | |
---|
| 478 | This section describes how to configure the Key Distribution Center |
---|
| 479 | (KDC) server machine. You must have at least one KDC in your realm. |
---|
| 480 | You may also set up backup servers; see @ref{Top,,Administration |
---|
| 481 | Tools,kerbman,Cygnus Network Security User and Administrator |
---|
| 482 | Documentation for CNS Version 1}. |
---|
| 483 | |
---|
| 484 | @enumerate |
---|
| 485 | |
---|
| 486 | @item Log on to the server machine as @samp{root}. |
---|
| 487 | |
---|
| 488 | @item Add @file{/usr/kerberos/bin} and @file{/usr/kerberos/etc} to the |
---|
| 489 | working path. |
---|
| 490 | |
---|
| 491 | @item Run @code{kdb_init} to create the initial CNS Kerberos |
---|
| 492 | password database. Enter the realm name, and make up a good master |
---|
| 493 | password. For effective system security, it is important to choose a |
---|
| 494 | password that cannot easily be guessed or discovered. This password is |
---|
| 495 | used to encrypt the database on disk, so that it can be safely included |
---|
| 496 | in normal backup procedures; it is not used for any network operation. |
---|
| 497 | You @emph{must not forget} this password. Example: |
---|
| 498 | @smallexample |
---|
| 499 | sample# kdb_init |
---|
| 500 | Realm name [default error-default-realm ]: @file{COMPANY.ORG} |
---|
| 501 | You will be prompted for the database Master Password. |
---|
| 502 | It is important that you NOT FORGET this password. |
---|
| 503 | |
---|
| 504 | Kerberos master key: @emph{password does not echo} |
---|
| 505 | Verifying, please re-enter Kerberos master key: @emph{reenter password} |
---|
| 506 | |
---|
| 507 | @end smallexample |
---|
| 508 | |
---|
| 509 | @item Store the master password in @file{/.k} for convenience or unattended |
---|
| 510 | operation. (If you do not do this, you must type the master password |
---|
| 511 | each time the system reboots.) Run @code{kstash}, giving it the master |
---|
| 512 | password: |
---|
| 513 | @smallexample |
---|
| 514 | sample# kstash |
---|
| 515 | |
---|
| 516 | Kerberos master key: @emph{password does not echo} |
---|
| 517 | |
---|
| 518 | Current Kerberos master key version is 1. |
---|
| 519 | |
---|
| 520 | Master key entered. |
---|
| 521 | @end smallexample |
---|
| 522 | |
---|
| 523 | @item Set up the database entries for the first user---yourself. |
---|
| 524 | Run @code{kdb_edit}, and enter the master key when prompted. When it |
---|
| 525 | asks for @code{Principal name:}, enter your user name. At |
---|
| 526 | @code{Instance:}, just press @kbd{RETURN}. @code{kdb_edit} tells you |
---|
| 527 | that this entry is not found, and ask whether to create it. Type |
---|
| 528 | @kbd{y}. |
---|
| 529 | |
---|
| 530 | When prompted for the initial password for the user (yourself), enter a |
---|
short, easy to remember password. This will be changed in a few
minutes, so keep it simple. You are prompted to enter it twice. Press
@kbd{RETURN} for all the other questions.

When @code{kdb_edit} prompts again for @code{Principal name:}, enter
your user name again, but for @code{Instance:}, type @code{admin}. This
creates an admin instance that you can later use to add new users and
change user passwords.

To exit @code{kdb_edit}, just press @kbd{RETURN} at the @code{Principal
name:} prompt.

Example:

@smallexample
sample# kdb_edit
Opening database...

Kerberos master key: @emph{password does not echo}

Current Kerberos master key version is 1.

Master key entered. Previous or default values are
in [brackets]
enter @kbd{RETURN} to leave the same, or new value.

Principal name: jis
Instance:

<Not found>, Create [y] ? y

Principal: jis, Instance: , kdc_key_ver: 1
New Password: @emph{user's password will not echo}
Verifying, please re-enter
New Password: @emph{user's password will not echo}

Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 1999-12-31 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ?
Attributes [ 0 ] ?
Edit O.K.
Principal name: jis
Instance: admin

<Not found>, Create [y] ? y

Principal: jis, Instance: admin, kdc_key_ver: 1
New Password: @emph{user's admin password will not echo}
Verifying, please re-enter
New Password: @emph{user's admin password will not echo}

Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 1999-12-31 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ?
Attributes [ 0 ] ?
Edit O.K.
Principal name: @emph{press @kbd{RETURN} to exit}

@end smallexample

@item Run @code{kerberos &} to start the Key Distribution Center
server (the @code{&} runs the server in the background). You should
see:
@smallexample
sample# kerberos &
[1] 22630
sample# Kerberos server starting
Sleep forever on error
Log file is /usr/kerberos/database/kerberos.log
Current Kerberos master key version is 1.

Master key entered.

Current Kerberos master key version is 1
Local realm: COMPANY.ORG
@end smallexample

@item Test the Key Distribution Center server. Run @code{kinit}
with your username as argument (e.g., @code{kinit jis}). If you get a
password prompt, the network is okay, and everything is configured
properly for this host to find the server. Type your password (this is
the password you just entered using @code{kdb_edit}).

If you get @samp{send_to_kdc: retry count exceeded}, then @code{kinit}
could not reach the server for some reason. Make sure that any entry
for your realm in @file{/usr/kerberos/lib/krb.conf} has the right
machine name. If there is no entry, make sure that the server machine
can be reached using the alias @file{kerberos.@var{REALM}}. Try
contacting the machine using @code{telnet} or @code{ping}. Also, check
that the @code{kerberos} process is actually running.

If you get an immediate @samp{kinit: Can't send request (send_to_kdc)},
the most likely cause is that @code{kinit} can't find or read the
@file{krb.conf} file, or can't find any entries for the selected realm
in that file. If there is a delay before the message, it is more likely
that the file was found but there was some problem communicating with
the server.

@emph{Special note for Solaris 2 users:} Solaris 2 includes a partial
installation of Kerberos, consisting of @code{kinit} and little
else. Since the Solaris @code{kinit} is in @file{/usr/bin}, it may
appear in your path ahead of the @file{/usr/kerberos/bin} version that
you've just installed, leading to errors similar to those above. While
the Solaris @code{kinit} will work with CNS Kerberos, it looks in
@file{/etc/krb.conf} instead of @file{/usr/kerberos/lib/krb.conf} and
thus won't find the information you'd expect it to. Since users will
normally have @file{/usr/kerberos/bin} near the front of their path in
order to get the CNS Kerberos @code{rlogin}, @code{rsh}, @code{telnet},
and @code{ftp} instead of the regular (non-Kerberos) versions, they will
also get the correct version of @code{kinit}, but this can be a source of
difficulty in an initial installation.

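The two failure modes above come down to what @code{kinit} can learn from
@file{krb.conf}. The following shell script is an added example, not part
of the CNS distribution: it reproduces that lookup offline so you can see
which case you are in before touching the network. It assumes the
Kerberos v4 @file{krb.conf} layout (first line is the local realm; each
later line is a realm name followed by a KDC hostname, optionally followed
by @samp{admin server}). The sample file it builds is constructed for the
demonstration and does not describe any real site.

```shell
#!/bin/sh
# Added example: reproduce kinit's KDC lookup from a v4 krb.conf without
# sending anything, so the "Can't send request" (no usable entry) and
# "retry count exceeded" (entry found, host unreachable) cases can be told
# apart before you start pinging.
#
# Assumed krb.conf layout (MIT Kerberos v4):
#   line 1:        LOCAL.REALM
#   later lines:   REALM kdc-hostname [admin server]

# Default realm kinit uses when none is given: the first line of the file.
local_realm() {
    head -n 1 "$1"
}

# KDC hostnames listed for REALM (field 2 of every later line whose
# field 1 is REALM).  Prints nothing when there is no entry.
kdc_hosts_for_realm() {
    awk -v r="$2" 'NR > 1 && $1 == r { print $2 }' "$1"
}

# Hostnames worth checking for REALM.  Returns 0 with the configured
# hosts, or 1 with the kerberos.REALM alias the manual says is used when
# krb.conf has no entry (the "immediate Can't send request" case).
kdc_candidates() {
    hosts=$(kdc_hosts_for_realm "$1" "$2")
    if [ -n "$hosts" ]; then
        printf '%s\n' "$hosts"
        return 0
    fi
    printf 'kerberos.%s\n' "$2"
    return 1
}

# Explain, for REALM, which kinit symptom the configuration predicts.
# Returns 1 only when the file itself cannot be read.
diagnose() {
    conf=$1; realm=$2
    if [ ! -r "$conf" ]; then
        echo "$conf is missing or unreadable: expect an immediate 'Can't send request'"
        return 1
    fi
    # Realm names are uppercase; a lowercase one will match no entry.
    if [ "$realm" != "$(printf '%s' "$realm" | tr a-z A-Z)" ]; then
        echo "warning: realm '$realm' is not all uppercase"
    fi
    if kdc_candidates "$conf" "$realm" > /dev/null; then
        echo "krb.conf lists KDCs for $realm; if kinit says 'retry count exceeded', ping/telnet these:"
    else
        echo "no krb.conf entry for $realm; kinit will fall back to this alias:"
    fi
    kdc_candidates "$conf" "$realm" | sed 's/^/  /'
}

# Demonstration on a constructed krb.conf (not a real site's file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
COMPANY.ORG
COMPANY.ORG sample.company.org admin server
COMPANY.ORG kdc2.company.org
EOF
diagnose "$demo" "$(local_realm "$demo")"
diagnose "$demo" OTHER.ORG
rm -f "$demo"
```

Run it against the real @file{/usr/kerberos/lib/krb.conf} with the realm
you pass to @code{kinit}; the hostnames it prints are the ones to
@code{ping}, and a lowercase-realm warning usually explains a lookup that
finds nothing.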
@item Authorize yourself to use the @code{kadmin} program to make
administrative changes to the CNS Kerberos database. Using a text
editor, create four files in @file{/usr/kerberos/database}:
@file{admin_acl.add}, @file{admin_acl.get}, @file{admin_acl.mod}, and
@file{admin_acl.del}.
These files should all have identical contents. They should each
contain one line---your username, a period, and @code{admin}. If you
want to set up multiple administrators, you can add additional lines to
these files now or later. (You also need to add their username and
password to the CNS Kerberos database using @code{kadmin}---as shown
later---or @code{kdb_edit}.) Example:
@example
sample# cd /usr/kerberos/database
sample# cat >admin_acl.add
jis.admin
^D
sample# cp admin_acl.add admin_acl.get
sample# cp admin_acl.add admin_acl.mod
sample# cp admin_acl.add admin_acl.del
@end example

If sometime later, while running @code{kadmin}, you get the error
message, ``Insufficient access to perform requested operation,'' it
indicates you have successfully contacted the Admin Server, but your
name was not found in the relevant @file{admin_acl} file. Look in
@file{/usr/kerberos/database/admin_server.syslog} for the audit
trail of failed administrative requests, which are marked with
@samp{WARNING}.

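Because @code{kadmind} consults a different file for each operation, the
four files drift apart easily, and a line that is not of the form
@samp{user.admin} matches no principal at all. The shell functions below
are an added example, not part of CNS: one writes all four files from a
validated list of entries, the other reports any file that is missing or
no longer matches @file{admin_acl.add}. The @code{chmod 600} and the
characters allowed in names are assumptions made here, not requirements
the manual states.

```shell
#!/bin/sh
# Added example: maintain the four kadmind ACL files together.
# Every entry must be "principal.instance" (normally user.admin); the
# accepted character set and the 600 file mode are this script's assumptions.

ACL_OPS="add get mod del"

# Accept only "name.instance" with name and instance drawn from letters,
# digits, '-' and '_' (assumption: this covers ordinary user names).
acl_entry_ok() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# Read entries (one per line, no blank lines) from stdin and write them
# to all four files under DIR.  Writes nothing and returns 1 if any
# entry is malformed, so a typo cannot lock you out of one operation.
write_admin_acls() {
    dir=$1
    entries=$(cat)
    printf '%s\n' "$entries" | while IFS= read -r e; do
        if ! acl_entry_ok "$e"; then
            echo "rejecting malformed ACL entry: '$e'" >&2
            exit 1
        fi
    done || return 1
    for op in $ACL_OPS; do
        printf '%s\n' "$entries" > "$dir/admin_acl.$op"
        chmod 600 "$dir/admin_acl.$op"   # kadmind runs as root; nobody else needs it
    done
}

# Return 0 if all four files exist and are identical; otherwise name the
# ones that are missing or differ from admin_acl.add and return 1.
check_admin_acls() {
    dir=$1; rc=0
    for op in $ACL_OPS; do
        f="$dir/admin_acl.$op"
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2; rc=1
        elif ! cmp -s "$dir/admin_acl.add" "$f"; then
            echo "differs from admin_acl.add: $f" >&2; rc=1
        fi
    done
    return $rc
}

# Demonstration in a scratch directory standing in for /usr/kerberos/database.
demo=$(mktemp -d)
printf 'jis.admin\n' | write_admin_acls "$demo" && check_admin_acls "$demo" \
    && echo "ACL files consistent under $demo"
rm -rf "$demo"
```

On the KDC, run @code{check_admin_acls /usr/kerberos/database} whenever
@code{kadmin} reports ``Insufficient access'' for a principal you believe
is an administrator; a file that differs from @file{admin_acl.add} is the
usual cause.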
@item Run @code{kadmind -n &} to start the Admin Server, which handles
administrative requests and password changes.
@smallexample
sample# kadmind -n &
KADM Server KADM0.0A initializing
Please do not use 'kill -9' to kill this job, use a
regular kill instead

KADM Server starting in NON-FASCIST mode for the purposes
for password changing

Current Kerberos master key version is 1.

Master key entered.
@end smallexample

@item Test the Admin Server by using @code{kadmin} to change your
password. You must either first log in as yourself, or use the
@samp{-u} argument to @code{kadmin} to provide your user ID.
@smallexample
sample# kadmin -u jis
Welcome to the Kerberos Administration Program, version 2
Type @kbd{help} if you need it.
admin: cpw jis
Admin password:
@emph{the admin password you assigned yourself above}
New password for jis: @emph{invent and remember a good one}
Verifying, please re-enter
New password for jis: @emph{type the same one}
Password changed for jis.
admin: quit
Cleaning up and exiting.
sample#
@end smallexample
Be sure that you remember your new password. If you forget it, you
cannot use the system.

@item Run @code{kdestroy} to destroy the tickets used in testing.

@item Update your @file{/etc/rc} file, or equivalent, so that these two
daemons are run each time the system reboots:
@example
/usr/kerberos/etc/kerberos &
/usr/kerberos/etc/kadmind -n &
@end example

These should be started early in the boot process---after the file
systems are mounted, but before the portmapper starts up. The admin
daemon uses an unofficial port number which the portmapper may acquire
if portmapper is started first.

If your system initializes using files in a directory like
@file{/etc/rc2.d}, look for the script which starts @code{portmap}, and
make sure that the daemons are started earlier. This can be done by
starting them earlier in the same script, or by creating a new script
with a lower number. On the other hand, make sure that the daemons are
not started until the network has been initialized.

@item @emph{Special note for HP/UX startup}: Under HP/UX
the commands mentioned above should be placed in a separate file, and
that file should be run from the @code{localrc()} function in the
@file{/etc/rc} file. Placing the commands directly in @code{localrc()}
may cause them to be terminated immediately after @file{/etc/rc} finishes.

@item Reboot your system, examine its messages while it boots, and
rerun the tests, to make sure that the daemons both start successfully.
@end enumerate

@node Application server configuration, Adding users, Configuring the KDC, Top
@chapter Configuring an Application Server

To configure a machine to provide @code{rlogin} and @code{rsh} service,
you need to create a secret key for that machine in the CNS database and
on the host itself.

(If you are upgrading from an existing CNS release to this release, you
have already set up your machine's secret key. Skip down to the step
``Test your CNS services'', and do the rest of the procedure.)

The master database contains entries for all network services that
require CNS Kerberos authentication. If, for example, you want to offer
@code{rlogin} service from the machine @file{trickster}, you need to
register @file{trickster} in the master database.

CNS does not recognize full domain names. Therefore, use the first
component of the DNS hostname (e.g., @file{trickster} for
@file{trickster.company.org}).

@enumerate
@c 1
@item From an account for which you created an admin instance,
run @code{kadmin}. At the prompt, type:
@smallexample
ank rcmd.@var{hostname}
@end smallexample
@noindent
@code{ank} means ``add new key'' and you are telling it to add a service
key for the @code{rcmd} service on machine @var{hostname}.

@smallexample
sample# kadmin
Welcome to the Kerberos Administration Program, version 2
Type @kbd{help} if you need it.
admin: ank rcmd.trickster
Admin password:
@emph{the jis.admin password you created with kdb_edit}
Password for rcmd.trickster: @emph{some short easy password}
Verifying, please re-enter
Password for rcmd.trickster: @emph{Re-enter.}
rcmd.trickster added to database.
admin: quit

@end smallexample

@noindent
Note: You use this same process to add any other new users to the
database, except that you use their username as the argument to the
@code{ank} command. Remind your users to change their CNS passwords
once they have begun to use CNS, so that you do not know what their
passwords are.

@c 2
@item On the application server, as root, run @code{ksrvutil add}. This
creates the srvtab file, @file{/etc/krb-srvtab}.

@smallexample
# ksrvutil add
Name: rcmd
Instance: trickster
Realm: COMPANY.ORG @emph{remember to use uppercase here!}
Version number: 1
New principal: rcmd.trickster@@COMPANY.ORG; version 1
Is this correct? (y,n) [y] y
Password: @emph{Give the easy password}
Verifying, please re-enter Password: @emph{do it again}
Key successfully added.
Would you like to add another key? (y,n) [y] n
Old keyfile in /etc/krb-srvtab.old.
@end smallexample

You must give the same password here that you gave to @code{kadmin} in
the @code{ank} (add new key) process.

@c 3
@item Run @code{ksrvutil change}. This replaces the key with a new random
one, not known to you, in both the Kerberos database for your realm and
the @file{/etc/krb-srvtab} file on the host. Until you do this, anyone
who saw the short password used above can derive the host's service key.

Use the following list of troubleshooting suggestions if any problems
arise at this stage:

@itemize @bullet
@c 3.1
@item Clocks not synchronized. The time on client machines, and all other
machines communicating via CNS, must be within five minutes of each other.
Synchronize all machine time settings.

@item Incorrect name specification. Be sure that the file
@file{/usr/kerberos/lib/krb.conf} has the correct realm and key server's
hostname.

@c 3.2
@item Password error. Type @kbd{rm /etc/krb-srvtab} and run
@code{ksrvutil add} again.

@c 3.3
@item Problem with @code{kinit @var{user}}. If @code{kinit @var{user}} does
not work, debug that first, using the suggestions in the section
@ref{Configuring the KDC,,Configuring the Key Distribution Center}.

@c 3.4
@item Problem with @code{kinit rcmd.@var{hostname}}. If @code{kinit
rcmd.@var{hostname}} does not work, there could be several explanations.

If @code{kinit} reports @samp{principal unknown}, then go back and run
@code{kadmin} again and correctly enter the item in the database.

If @code{kinit} reports @samp{incorrect password}, then you have given a
different password than you did originally. If you remember the correct
password, delete @file{/etc/krb-srvtab}, then go back and run
@code{ksrvutil add} again. If you do not remember the password, change
the one in the database to something you will remember. To change the
password, run @code{kadmin} again. Use @code{cpw rcmd.@var{hostname}}
to set the password to something you will remember. Delete
@file{/etc/krb-srvtab} and run @code{ksrvutil add} again. Run
@code{ksrvutil change} again too. This time, it tells you that the
version numbers of the keys do not match, and asks if you want it to fix
this. Type @kbd{yes}.

@item Problem only with @code{ksrvutil}. If @code{kinit rcmd.@var{hostname}}
works, but @code{ksrvutil change} fails, in particular with the message
``Retry count exceeded (send_to_kdc)'', verify that the realm name is
both uppercase and spelled correctly in the @file{/etc/krb-srvtab} file
using @code{ksrvutil list}. If it isn't, follow the above procedure for
deleting and correcting the file.
@end itemize

@c 4
@item Update @file{/etc/inetd.conf}. Add these lines to the file and reset
the @code{inetd} daemon. Unless your system documentation recommends
another procedure, use @code{kill -HUP} to reset the current daemon.

@iftex
@let@nonarrowing=@comment
@end iftex
@smallexample
klogin stream tcp nowait root /usr/kerberos/etc/klogind klogind
eklogin stream tcp nowait root /usr/kerberos/etc/klogind eklogind
kpop stream tcp nowait root /usr/kerberos/etc/popper popper
kshell stream tcp nowait root /usr/kerberos/etc/kshd kshd
@end smallexample
@iftex
@let@nonarrowing=@relax
@end iftex

@c 5
@item Test your CNS services.
(Remember to update your path to place @file{/usr/kerberos/bin} before
@file{/usr/ucb} in your path variable.)

To try @code{rlogin}: on a working client machine (possibly the same
machine), run @code{kinit}, type your name and password, and then run
@code{rlogin @var{app-hostname}}, supplying the hostname you just set up
as an Application Server. If it works, try @code{rlogin @var{app-hostname}
-x} to test an encrypted session; you should get a message indicating
that @samp{DES} is being used to protect all traffic.

@c 6
@item If you wish, turn off non-CNS access. You may want to
restrict access to only those users who log in via the CNS programs. The
Berkeley versions of @samp{rlogin}, @samp{rsh}, and @samp{rcp} rely on
the source address of the incoming TCP connection for authentication, so
they can be subverted by the use of IP source-address spoofing. Turning
them off increases your security against break-ins. To do this, look for
lines in @file{/etc/inetd.conf} for the services @samp{shell} and
@samp{login}. Comment them out by putting a @kbd{#} at the start of the
line. After editing @file{/etc/inetd.conf}, you must reset the
@code{inetd} daemon as described above.

@c 7
@item If you wish, use the CNS @code{FTP} and/or @code{telnet}
daemons instead of the system-supplied daemons. The CNS versions
support both traditional password authentication and Kerberos
authentication. Look for lines in
@file{/etc/inetd.conf} for the services @code{telnet} and @code{FTP}.
Replace them with lines which look like this:

@iftex
@let@nonarrowing=@comment
@end iftex
@smallexample
ftp stream tcp nowait root /usr/kerberos/etc/ftpd ftpd
telnet stream tcp nowait root /usr/kerberos/etc/telnetd telnetd
@end smallexample
@iftex
@let@nonarrowing=@relax
@end iftex

If you wish to restrict @code{FTP} access to people with valid CNS
authentication (and to anonymous users, if your password file admits
them), use the @samp{-a} option. This rejects FTP accesses which would
normally involve typing a password across the network unencrypted:

@iftex
@let@nonarrowing=@comment
@end iftex
@smallexample
ftp stream tcp nowait root /usr/kerberos/etc/ftpd ftpd -a
@end smallexample
@iftex
@let@nonarrowing=@relax
@end iftex

If you wish to restrict @code{telnet} access to people with valid CNS
authentication, use the @samp{-a valid} option. This rejects
@code{telnet} connections that would normally involve typing a password
across the network unencrypted:

@iftex
@let@nonarrowing=@comment
@end iftex
@smallexample
telnet stream tcp nowait root /usr/kerberos/etc/telnetd
telnetd -a valid
@end smallexample
@iftex
@let@nonarrowing=@relax
@end iftex

(The example above should be entered all on one line; it has been broken
into two lines for convenience in reading this manual.)

After editing @file{/etc/inetd.conf}, you must reset the @code{inetd}
daemon as described above.
@end enumerate

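Steps 4, 6 and 7 all edit @file{/etc/inetd.conf} by hand, and a second
pass can easily duplicate a kerberized entry or leave one of the Berkeley
services live. The script below is an added example, not a CNS tool: it
applies all three steps to a copy of the file in one pass, is safe to
re-run, and includes a check that lists any @samp{shell} or @samp{login}
service still enabled. It assumes the CNS daemons are installed under
@file{/usr/kerberos/etc} as in this manual; the sample file it rewrites is
constructed for the demonstration and is not copied from any system.

```shell
#!/bin/sh
# Added example: apply the inetd.conf changes from steps 4, 6 and 7 in one
# idempotent pass over a copy of the file.  Assumes the CNS daemons live in
# /usr/kerberos/etc (where this manual installs them).

KRB_ETC=/usr/kerberos/etc

# List services in FILE that still authenticate by TCP source address
# (the Berkeley shell/login entries that step 6 says to comment out).
unsafe_services() {
    awk '!/^[ \t]*#/ && NF >= 6 && ($1 == "shell" || $1 == "login") { print $1 }' "$1"
}

# Rewrite IN to OUT:
#   shell/login   -> commented out (spoofable source-address authentication)
#   ftp/telnet    -> CNS daemons with -a / -a valid (no cleartext passwords)
#   klogin, eklogin, kpop, kshell -> appended unless already present
harden_inetd_conf() {
    awk -v etc="$KRB_ETC" '
        /^[ \t]*#/ || NF == 0 { print; next }
        $1 == "shell" || $1 == "login" { print "#" $0; next }
        $1 == "ftp"    { print "ftp\tstream\ttcp\tnowait\troot\t" etc "/ftpd\tftpd -a"; next }
        $1 == "telnet" { print "telnet\tstream\ttcp\tnowait\troot\t" etc "/telnetd\ttelnetd -a valid"; next }
        $1 == "klogin" || $1 == "eklogin" || $1 == "kpop" || $1 == "kshell" { seen[$1] = 1 }
        { print }
        END {
            if (!seen["klogin"])  print "klogin\tstream\ttcp\tnowait\troot\t" etc "/klogind\tklogind"
            if (!seen["eklogin"]) print "eklogin\tstream\ttcp\tnowait\troot\t" etc "/klogind\teklogind"
            if (!seen["kpop"])    print "kpop\tstream\ttcp\tnowait\troot\t" etc "/popper\tpopper"
            if (!seen["kshell"])  print "kshell\tstream\ttcp\tnowait\troot\t" etc "/kshd\tkshd"
        }' "$1" > "$2"
}

# A constructed inetd.conf standing in for a freshly installed system's file.
sample_inetd_conf() {
    printf 'shell\tstream\ttcp\tnowait\troot\t/usr/sbin/rshd\trshd\n'
    printf 'login\tstream\ttcp\tnowait\troot\t/usr/sbin/rlogind\trlogind\n'
    printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/sbin/ftpd\tftpd\n'
    printf 'telnet\tstream\ttcp\tnowait\troot\t/usr/sbin/telnetd\ttelnetd\n'
    printf 'finger\tstream\ttcp\tnowait\tnobody\t/usr/sbin/fingerd\tfingerd\n'
}

# Demonstration in a scratch directory.
demo=$(mktemp -d)
sample_inetd_conf > "$demo/inetd.conf"
harden_inetd_conf "$demo/inetd.conf" "$demo/inetd.conf.new"
echo "services still trusting the source address: $(unsafe_services "$demo/inetd.conf.new")"
cat "$demo/inetd.conf.new"
rm -rf "$demo"
# On the real host: copy inetd.conf.new over /etc/inetd.conf, then kill -HUP inetd.
```

Running @code{harden_inetd_conf} a second time on its own output yields
the same file, so it can be part of a routine build script; run
@code{unsafe_services /etc/inetd.conf} afterwards as the check that step 6
actually took effect.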
@node Adding users, , Application server configuration, Top
@chapter Adding Users to the Kerberos Database

Before users can use CNS, they must be added to the Kerberos database.

Users are added with the @code{kadmin} program.

@enumerate

@item Log in as the user for whom you created an admin instance when
you configured the Kerberos database (@pxref{Configuring the
KDC,,Configuring the Key Distribution Center}).

@item Run @code{/usr/kerberos/bin/kadmin}.

@item At the prompt, type @kbd{ank @var{USER}}. When prompted, enter
your admin password, and then enter a password for the user.
@smallexample
% kadmin
Welcome to the Kerberos Administration Program, version 2
Type @kbd{help} if you need it.
admin: ank @var{USER}
Admin password:
@emph{the admin password you created with kdb_edit}
Password for @var{USER}: @emph{a password}
Verifying, please re-enter
Password for @var{USER}: @emph{Re-enter.}
@var{USER} added to database.
admin: quit
%
@end smallexample

@item The user may now run @code{kinit}, giving the password you entered
above. Encourage the user to use @code{kpasswd} to select a personal
password which you do not know. If necessary, you can use the
@code{cpw} command in @code{kadmin} to change the user's password to a
known string.
@end enumerate

@contents
@c second page break makes sure right-left page alignment works right
@c with a one-page toc, even though we don't have setchapternewpage odd.
@c end of texinfo file
@bye